Data Processing & Privacy Policy

1. Data Controller Identification

This policy outlines how the internal routing infrastructure of Samalanah Collection processes Personal Identifying Information (PII) acting as a Data Processor. The Data Controller responsible for the initiation of these data flows is:

2. Nature of Data Processing

Our infrastructure operates as a "dumb pipe" for transactional notifications. We process the following metadata strictly for the purpose of ensuring secure delivery to the end-user (MTA handshakes):

• Recipient Email Addresses.
• Delivery Timestamp Metrics.
• IP Addresses (for abuse prevention and rate-limiting).
• SMTP Bounce and Drop Webhook Payloads.

Zero-Payload Retention Policy:

The actual body content of the emails (e.g., specific items purchased, passwords) is encrypted in transit via TLS 1.3 and is never stored at rest on our servers post-delivery.

3. Data Retention Lifecycle

To comply with forensic requirements, assist in deliverability debugging, and satisfy legal discovery requests, SMTP routing logs and metadata are retained for a strict period of 30 days. After 30 days, all logs are cryptographically shredded and purged automatically. Operational backups are subject to the same 30-day lifecycle.

4. Sub-Processors & Data Transfer

We utilize Tier-1 cloud infrastructure providers (e.g., AWS, Mailgun) to ensure 99.99% uptime for critical alerts. All sub-processors are bound by strict Data Processing Agreements (DPAs) and standard contractual clauses ensuring data remains within the UK/EU privacy shield jurisdictions.

5. Your GDPR Rights

If you are an end-user receiving a transactional receipt or a "Subscribe & Save" alert from Samalanah Collection, you maintain the following rights under the GDPR:

• Right of Access (Article 15)
• Right to Erasure / "Right to be Forgotten" (Article 17)
• Right to Restriction of Processing (Article 18)

To exercise these rights, please contact our Data Protection Officer at privacy@samalanahcollection.com.