Privacy Policy

Last updated: May 18, 2026

This Privacy Policy explains how House of Berber (“we”, “us”, “our”) collects, uses, shares, and protects your personal information when you visit houseofberber.com (the “Site”), make a purchase, or otherwise interact with our services.

This policy is designed to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws. If you have any questions, contact us at [email protected].

1. Who We Are (Data Controller)

House of Berber is the data controller responsible for your personal information.

For EU/UK customers: we do not currently have an EU representative because we sell on an occasional basis. If our processing of EU residents’ data becomes regular and large-scale, we will appoint an EU representative and update this policy.

2. What Information We Collect

2.1 Information you provide directly

  • Account & order data: name, billing and shipping address, email address, phone number, and password (encrypted) when you create an account or place an order.
  • Payment information: processed by our payment partners (Stripe, PayPal). We do not store full card numbers on our servers.
  • Communication data: messages you send us through the contact form, email, or social media.
  • Newsletter signup: your email address if you subscribe to “Stay Inspired”.
  • Custom rug enquiries: preferences, room dimensions, and any details you share for bespoke commissions.

2.2 Information we collect automatically

  • Device data: IP address, browser type and version, operating system, language preference, time zone.
  • Usage data: pages visited, time spent, referring URL, search terms, products viewed, cart contents.
  • Cookies and similar technologies: see Section 6.

2.3 Sensitive personal information

We do not knowingly collect sensitive personal information (health data, biometric data, racial or ethnic origin, sexual orientation, political opinions, religious beliefs, trade union membership, or precise geolocation). Please do not submit sensitive personal information through our forms.

3. How We Use Your Information (and Our Legal Basis)

Under GDPR we must have a lawful basis for each processing activity. Here is how we use your information and why:

Purpose | Data used | Lawful basis (GDPR)
Process and fulfil your orders | Name, address, payment, order data | Performance of contract
Send order confirmations and shipping updates | Email, order data | Performance of contract
Provide customer support | Contact details, order history, messages | Performance of contract / legitimate interests
Newsletter and marketing emails | Email, preferences | Consent (opt-in)
Site analytics and improvement | Usage data, device data (often anonymised) | Legitimate interests / consent for non-essential cookies
Prevent fraud and protect the Site | IP address, device data, order patterns | Legitimate interests / legal obligation
Tax and accounting records | Order data, invoice data | Legal obligation
Respond to legal requests | Whatever is requested | Legal obligation

You can withdraw your consent for marketing emails at any time by clicking the unsubscribe link in any email we send, or by emailing us.

4. Who We Share Your Information With

We do not sell your personal information. We share data only with the third parties listed below, each of whom is contractually required to protect your data.

4.1 Service providers (data processors)

  • Stripe & PayPal — payment processing.
  • WooCommerce / Automattic — e-commerce platform and order management.
  • Mailchimp — newsletter delivery and marketing automation.
  • DHL Express and other carriers — order shipping and tracking.
  • Cloudflare — content delivery, security, and DDoS protection.
  • LiteSpeed — server-side caching and performance.
  • Google Analytics (Google Ireland Ltd / Google LLC) — site usage analytics. Configured with IP anonymisation where applicable.
  • Microsoft Clarity (Microsoft Corporation) — heatmaps, session recordings, and behavioural analytics. Sessions are anonymised and recordings exclude form input fields. Used to understand how visitors interact with the Site and improve the user experience. See Microsoft Privacy Statement.
  • Google Tag Manager (Google Ireland Ltd / Google LLC) — tag-management orchestration. Loads our analytics and advertising tags conditionally based on your cookie consent (Google Consent Mode v2). No data collection on its own; it is the loader for the Google services listed above and below.
  • Google Ads (Google Ireland Ltd / Google LLC) — advertising performance tracking and conversion measurement when you arrive from one of our ads. Sets cookies (_gcl_au, _gcl_aw, IDE) only after you grant marketing consent. See Google Privacy & Terms.
  • Google Site Kit (Google LLC, USA) — official WordPress plugin that connects our site to Google services (Analytics, Tag Manager, Ads, Search Console). It does not collect personal data on its own; it orchestrates the Google services listed above and respects the same consent rules.
  • CookieYes — cookie consent management.
  • Hosting provider — server hosting and backups.

4.2 Berber cooperatives (custom orders)

For custom rug commissions, we share your specifications (dimensions, motif preferences) with our partner cooperative in Morocco. We do not share your contact details, billing information, or address with cooperatives.

4.3 Legal disclosures

We may disclose your information if required by law, court order, or government regulation, or to protect our legal rights, your safety, or the safety of others.

4.4 Business transfers

If House of Berber is acquired, merged, or sells assets, your personal information may be transferred to the acquiring entity. You will be notified before this happens and given the opportunity to delete your data.

5. International Data Transfers

We are based in Morocco, and some of our service providers (Google, Stripe, Cloudflare, Mailchimp) are based in the United States or other countries outside the EEA and UK.

When we transfer personal data outside the EEA or UK, we rely on one or more of the following safeguards:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission;
  • UK International Data Transfer Addendum;
  • EU–US Data Privacy Framework certification (where the recipient is certified);
  • Adequacy decisions by the European Commission;
  • Your explicit consent after being informed of the risks.

You can request a copy of these safeguards by contacting us at [email protected].

6. Cookies and Tracking Technologies

6.1 What are cookies?

Cookies are small text files placed on your device when you visit a website. They help the site remember your preferences, keep you logged in, analyse usage, and (sometimes) show you ads.

6.2 Cookies we use

  • Essential cookies (always on): WooCommerce cart, session login, security tokens, cookie-consent state, CSRF protection. These cannot be disabled.
  • Functional cookies: remember your language, currency, and recent products. Loaded only with your consent.
  • Analytics cookies: Google Analytics (_ga, _ga_*; anonymised) and Microsoft Clarity (_clck, _clsk; sessions anonymised, sensitive form fields masked). Loaded only with your consent.
  • Marketing cookies: Google Ads conversion tracking (_gcl_au, _gcl_aw, IDE, test_cookie) used to measure the performance of our advertising campaigns. Loaded only with your explicit consent for marketing cookies.

6.3 Managing cookies

You can change your cookie preferences at any time via the “Cookie Preferences” link at the bottom of any page on our Site. You can also block cookies through your browser settings — but blocking essential cookies may break key functionality (you may not be able to add items to your cart or check out).

6.4 Do Not Track

Our Site honours the Global Privacy Control (GPC) signal. When we detect GPC, we treat it as an opt-out request for non-essential cookies and the sale/sharing of personal information under CCPA.

7. Your Rights

7.1 Rights for everyone

Regardless of where you live, you have the following rights regarding your personal data:

  • Right to access — request a copy of the personal data we hold about you.
  • Right to correct (rectification) — ask us to update inaccurate or incomplete data.
  • Right to delete (erasure) — ask us to delete your data, subject to legal retention obligations.
  • Right to withdraw consent — for any processing based on consent (e.g., marketing emails).
  • Right to object — to processing based on legitimate interests, including direct marketing.

7.2 Additional rights for EU/UK residents (GDPR)

  • Right to data portability — receive your data in a structured, commonly used, machine-readable format (JSON), and transmit it to another controller.
  • Right to restrict processing — limit how we use your data in certain circumstances.
  • Right to not be subject to automated decision-making — including profiling that produces legal effects. We do not currently use such automated decision-making.
  • Right to lodge a complaint with your local supervisory authority (in France, the CNIL; in the UK, the ICO; in Spain, the AEPD; etc.).

7.3 Additional rights for California residents (CCPA/CPRA)

  • Right to know — what categories of personal information we collect, the sources, the purposes, and the categories of third parties we share with.
  • Right to delete — request deletion of your personal information.
  • Right to correct — ask us to correct inaccurate personal information.
  • Right to opt-out of sale or sharing — we do not sell your personal information, but you have the right to opt out should that ever change.
  • Right to limit the use of sensitive personal information — we do not collect sensitive personal information.
  • Right to non-discrimination — we will not deny you services, charge different prices, or provide a lower quality of service because you exercised any of your CCPA rights.

California residents can submit a “Do Not Sell or Share My Personal Information” request by emailing [email protected] or by clicking the link in our footer.

7.4 How to exercise your rights

To exercise any of these rights, email us at [email protected] with:

  • Your name and the email address you used on our Site;
  • A description of your request (e.g., “Right to access”);
  • For deletion requests, confirmation that you understand the consequences (loss of account, order history).

We will verify your identity before processing the request to prevent unauthorised access to your data.

Response times:

  • GDPR: within 1 month (extendable to 3 months for complex requests, with notice).
  • CCPA: within 45 days (extendable to 90 days, with notice).

You can also submit a request through an authorised agent. We will verify the agent’s authority and your identity.

8. Data Retention

We retain your personal information only as long as necessary for the purposes described in this policy, or as required by law:

Data category | Retention period
Active account data | Until you delete your account
Inactive account data | 3 years from last login, then deleted or anonymised
Order & invoice records | 10 years (legal/tax obligation)
Customer support correspondence | 3 years from last interaction
Newsletter subscription | Until you unsubscribe, plus 30 days
Analytics data (Google Analytics) | 26 months, then anonymised
Cookie consent records | 13 months from consent
Marketing preferences | Until withdrawn, plus 30 days

After these periods, your data is either permanently deleted or anonymised so it can no longer be linked to you.

9. How We Protect Your Information

We use commercially reasonable security measures to protect your personal information, including:

  • Encryption in transit via TLS 1.3 / HTTPS;
  • Encryption at rest for sensitive data;
  • Access controls — only authorised personnel can access your data on a need-to-know basis;
  • Cloudflare protection against DDoS attacks and bot traffic;
  • Regular backups stored encrypted;
  • Strong password requirements and account-lockout protection;
  • Two-factor authentication on administrative accounts.

No method of transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

9.1 Data breach notification

If we discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours (GDPR requirement);
  • Notify affected users without undue delay if the risk is high;
  • Notify California residents per CCPA timing requirements;
  • Provide guidance on protective steps you can take.

10. Children’s Privacy

Our Site is not directed at children under 16. We do not knowingly collect personal information from children under 16. If we learn we have collected such data, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at [email protected].

For California residents under 16, we do not sell or share personal information about minors without affirmative authorisation as required by CCPA.

11. Third-Party Links

Our Site may contain links to third-party websites (Instagram, Pinterest, news outlets, partner cooperatives’ websites, etc.). We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.

12. Marketing Communications

If you have subscribed to our newsletter, we may send you:

  • Style guides and design inspiration;
  • New arrival announcements;
  • Sale and event notifications;
  • Stories from our Berber cooperatives.

Every email contains a one-click unsubscribe link. You can also reply STOP, or email us, and we will remove you within 72 hours.

For transactional emails (order confirmations, shipping updates, password resets), there is no opt-out — these are required to fulfil our contract with you.

13. California Privacy Notice at Collection

For California residents, in accordance with CCPA/CPRA:

Categories of personal information collected in the past 12 months:

  • Identifiers (name, email, IP address)
  • Commercial information (purchase history, preferences)
  • Internet activity (pages viewed, clicks, search terms)
  • Geolocation (approximate, based on IP)
  • Inferences drawn from the above (preferences, predispositions)

Sources of collection:

  • Directly from you (order forms, contact forms, account creation)
  • Automatically (cookies, server logs)
  • From service providers (payment confirmations, shipping status)

Business purposes for collection:

  • Process orders and provide customer support
  • Operate, secure, and improve the Site
  • Comply with legal obligations
  • Marketing (with your consent)

Categories of third parties:

  • Payment processors
  • Shipping carriers
  • E-commerce platform (WooCommerce)
  • Analytics providers
  • Email marketing services
  • Hosting and security services

Sale or sharing:

We do not sell or share personal information for cross-context behavioural advertising, including information of consumers under 16. If this changes, we will update this notice and offer a clear opt-out mechanism.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.

The “Last updated” date at the top of this page indicates when this policy was last revised. We will notify you of material changes by:

  • Posting a prominent notice on the Site;
  • Emailing registered customers (if the change materially affects you);
  • Requiring re-consent for new uses of your data that require consent.

We recommend reviewing this page periodically.

15. Contact Us

Questions, concerns, or requests about your privacy? We are here to help:

  • Email: [email protected]
  • Subject line: “Privacy Request — [your request type]”
  • Postal mail: House of Berber, Marrakech, Morocco

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority:

Thank you for taking the time to understand how we treat your data. Your trust is the foundation of our work, and we take it seriously.

This Privacy Policy was last updated on May 18, 2026. Version 2.1.