Privacy & Cookie Policy | SpaceVault Storage UAE
Your privacy matters to us. This policy explains what personal data SpaceVault Storage collects, why we collect it, how we use it, and the rights available to you under the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL) and other applicable regulations.

Who We Are

SpaceVault Storage ("SpaceVault", "we", "us", or "our") is a self-storage facility operator based in Dubai, United Arab Emirates. We operate storage facilities serving customers across all seven UAE Emirates — Dubai, Abu Dhabi, Sharjah, Ajman, Ras Al Khaimah, Fujairah, and Umm Al Quwain — and provide an online booking and customer management platform at spacevaultstorage.net.

SpaceVault Storage is the data controller responsible for the personal data you provide when using our website, booking system, customer portal, or communicating with us via email or WhatsApp.

For privacy enquiries, please contact our Data Protection Officer (DPO) at the details provided in Section 14.

Data We Collect

We collect information only to the extent necessary to deliver our services. The categories of personal data we process are:

2.1 Information You Provide Directly

CategoryData ElementsWhen Collected
IdentityFirst name, last nameAt account creation or booking
ContactEmail address, primary phone, secondary phone (optional)At account creation or booking
AddressAddress line 1 & 2, city, emirateDuring booking flow
Booking DetailsUnit size/type, storage duration, start & end dates, promo code used, description of goods storedWhen booking a storage unit
Account CredentialsEmail (username), hashed passwordAt registration
Financial RecordsInvoice history, payment status, VAT amounts, booking totalsDuring and after service delivery
CommunicationsMessages sent via contact or WhatsApp, condition-check notesOngoing service interaction

2.2 Information Collected Automatically

  • Log data: IP address, browser type, operating system, referral URL, pages visited, time stamps.
  • Device data: Screen resolution, device type (desktop/mobile/tablet).
  • Cookies and local storage: Session identifiers, preference tokens, analytics identifiers — see Section 9 for full details.

2.3 Information from Third Parties

  • Stripe: We receive payment confirmation events and tokenised card details via Stripe webhooks. We do not receive or store raw card numbers (see Section 6).
  • Meta / WhatsApp Business API: Delivery status and message logs from WhatsApp notification campaigns.

How We Use Your Data

PurposeDescriptionLegal Basis
Service DeliveryProcessing bookings, assigning units, managing access codes and QR entry, handling renewals and cancellationsContract performance
Account ManagementCreating and maintaining your customer account, enabling portal accessContract performance
Payment & InvoicingProcessing payments via Stripe, issuing UAE FTA-compliant VAT invoices, managing deposits and refundsContract performance / Legal obligation
CommunicationsSending booking confirmations, payment receipts, expiry reminders, overdue notices, renewal confirmations, and cancellation notices via email and WhatsAppContract performance / Legitimate interest
Legal ComplianceRetaining financial records per UAE Commercial Transactions Law; VAT record-keeping per Federal Tax Authority (FTA) requirements; responding to lawful authority requestsLegal obligation
Security & Fraud PreventionDetecting and preventing fraudulent bookings, protecting our platform and customersLegitimate interest
Service ImprovementAnalysing aggregated usage data to improve website performance and user experienceLegitimate interest
MarketingSending promotional offers, discounts, or service updates (only with your explicit consent)Consent

Legal Bases for Processing

Under the UAE PDPL and, where applicable, GDPR, we process your personal data on the following legal grounds:

  • Contractual Necessity: Processing required to enter into or perform a storage booking agreement with you.
  • Legal Obligation: Compliance with UAE tax law (FTA), anti-money laundering regulations, and other statutory requirements.
  • Legitimate Interests: Fraud prevention, platform security, internal analytics, and operational communications — provided these do not override your fundamental rights.
  • Consent: Marketing communications and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.

Sharing & Disclosure of Personal Data

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

5.1 Service Providers (Data Processors)

ProviderPurposeData SharedLocation
Stripe, Inc.Payment processing & fraud detectionPayment amount, email (for receipts), tokenised card dataUSA (SCCs / Privacy Shield)
Meta Platforms (WhatsApp Business API)Transactional notificationsPhone number, booking reference, notification contentUSA / Global
Hosting ProviderWebsite and database hostingAll data stored in our databaseUAE / GCC region
Email Service ProviderTransactional email deliveryEmail address, name, booking details in email bodyEU/USA

All third-party processors are bound by a Data Processing Agreement (DPA) and are required to process data only as instructed by us.

5.2 Legal Disclosures

We may disclose personal data when required by law, court order, or a competent UAE government authority (including the UAE Federal Tax Authority, law enforcement, or regulatory bodies), or to protect the rights, property, or safety of SpaceVault Storage, our customers, or others.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal data may be transferred to the relevant successor entity. You will be notified in advance and given an opportunity to exercise your rights.

Payment Processing & PCI DSS Compliance

We never store, process, or transmit raw payment card data on our servers. All card payments are handled exclusively by Stripe, Inc., a PCI DSS Level 1 certified payment processor.

When you complete a payment, your card details are entered directly into Stripe's secure hosted fields (Stripe Elements). SpaceVault Storage receives only:

  • A tokenised payment method reference
  • Payment confirmation or failure events via Stripe's signed webhook
  • The last four digits of your card and its expiry date (for display in your customer portal)

All payment communications between your browser and Stripe are protected by TLS 1.2+ encryption. For details of Stripe's data practices, refer to stripe.com/privacy.

Data Retention

We retain personal data for as long as necessary to fulfil the purposes described in this policy, and in accordance with applicable legal requirements:

Data CategoryRetention PeriodLegal Basis
Customer account dataDuration of account + 5 years after last activityLegitimate interest / Legal obligation
Booking records & agreements5 years from booking end dateUAE Commercial Transactions Law
VAT invoices & financial records5 years minimum (FTA requirement)UAE Federal Tax Authority Decree-Law No. 8 of 2017
Payment transaction logs5 years from transaction dateLegal obligation
Communication logs (email, WhatsApp)2 yearsLegitimate interest
Server & access logs90 daysLegitimate interest (security)
Marketing consent recordsUntil consent withdrawn + 3 yearsLegal obligation (proof of consent)

After the applicable retention period, data is securely deleted or anonymised so it can no longer be linked to an individual.

International Data Transfers

Your data is primarily stored and processed within the UAE. Where data is transferred to third-party processors outside the UAE (e.g., Stripe in the USA, Meta globally), we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements (DPAs) meeting the requirements of UAE PDPL
  • Transfers only to countries with an adequacy decision or where the recipient provides equivalent protections

You may request a copy of the relevant transfer safeguards by contacting our DPO (see Section 14).

Cookie Policy

Our website uses cookies and similar tracking technologies. A cookie is a small text file placed on your device when you visit a website. We use cookies to make our site work correctly, remember your preferences, and (with your consent) to understand how visitors use our site.

9.1 What Cookies We Use

Strictly Necessary

Session & Auth Cookies

Required for user login, maintaining your session across pages, and preventing cross-site request forgery (CSRF). Cannot be disabled without breaking the site.

Strictly Necessary

WordPress Core Cookies

WordPress sets cookies such as wordpress_logged_in_*, wp-settings-*, and wordpress_test_cookie to manage your authenticated session and admin preferences.

Functional

Booking & Portal State

Local storage items used to persist your in-progress booking configuration (unit type, duration, promo code) so it is not lost if you navigate between pages.

Functional

Stripe Payment Cookies

Stripe uses cookies (__stripe_mid, __stripe_sid) for fraud detection and to maintain the integrity of your payment session.

Analytics

Analytics Cookies

Used (where enabled) to understand how visitors interact with our website — pages visited, referral sources, session duration. Collected in aggregated, anonymised form.

Functional

Elementor / Theme Cookies

Our page builder (Elementor) may set preference cookies to ensure consistent styling and responsive layout across sessions.

9.2 Cookie Reference Table

Cookie NameSet ByPurposeDurationType
wordpress_logged_in_*WordPressStores authenticated session identifierSession / 14 daysStrictly Necessary
wp_langWordPressStores preferred language1 yearFunctional
wordpress_test_cookieWordPressVerifies that cookies are enabledSessionStrictly Necessary
__stripe_midStripeFraud prevention — device fingerprint1 yearStrictly Necessary (payment)
__stripe_sidStripeFraud prevention — payment session30 minutesStrictly Necessary (payment)
cx_booking_draftSpaceVaultPersists in-progress booking (localStorage)SessionFunctional

9.3 Managing Cookies

You can control cookie settings through your browser. Most modern browsers allow you to view, block, or delete cookies. Please note that disabling strictly necessary cookies will impair the functionality of the site and prevent you from logging in or completing a booking.

Browser cookie guides:

Your Rights

Under the UAE PDPL and, where applicable, the GDPR, you have the following rights regarding your personal data:

Right of Access

Request a copy of the personal data we hold about you.

Right to Rectification

Request correction of inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your personal data where no longer necessary or where consent is withdrawn (subject to legal retention obligations).

Right to Restriction

Request that we restrict processing of your data in certain circumstances.

Right to Portability

Receive your personal data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interests or for direct marketing purposes.

Automated Decision-Making

Right not to be subject to solely automated decisions that produce significant legal effects on you.

Withdraw Consent

Withdraw marketing consent at any time via the unsubscribe link in any email or by contacting us directly.

To exercise any of these rights, please contact us at info@spacevaultstorage.net. We will respond within 30 days as required by UAE PDPL. We may ask you to verify your identity before fulfilling your request.

Children's Privacy

Our services are intended for individuals who are 18 years of age or older. We do not knowingly collect personal data from children under 18. If we become aware that we have inadvertently collected personal data from a minor, we will take immediate steps to delete that data. If you believe we have collected data from a minor, please contact us at info@spacevaultstorage.net.

Security Measures

We implement industry-standard technical and organisational security measures to protect your personal data, including:

  • TLS 1.2+ encryption for all data transmitted between your browser and our servers.
  • Hashed passwords — passwords are never stored in plain text; we use strong cryptographic hashing.
  • Access controls — role-based permissions ensure staff members access only the data needed for their duties.
  • Stripe tokenisation — no raw payment card data is stored on our servers (see Section 6).
  • Webhook signature verification — all payment webhook events are verified using Stripe's HMAC signatures before processing.
  • Regular security audits and software updates to address known vulnerabilities.
  • Input validation and sanitisation to prevent injection attacks.

Despite these measures, no internet transmission or storage system is 100% secure. We encourage you to use a strong, unique password and to notify us immediately if you suspect any unauthorised activity on your account.

Changes to This Policy

We may update this Privacy & Cookie Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page.
  • Notify registered customers via email at least 14 days before major changes take effect.
  • Where required by law, seek renewed consent.

We encourage you to review this policy periodically. Continued use of our services after the effective date of any changes constitutes your acceptance of the updated policy.

Contact & Complaints

For any privacy-related questions, requests to exercise your rights, or concerns about how we handle your personal data, please contact our Data Protection Officer:

If you are not satisfied with our response, you have the right to lodge a complaint with the UAE's competent supervisory authority. In the UAE, data protection matters fall under the purview of the UAE Data Office established pursuant to UAE Federal Decree-Law No. 45 of 2021.