Privacy Policy
PRIVACY POLICY
APM Monaco Middle East E-Commerce Website (ar.apm.mc)
Last updated: 2026 April 08
1. Introduction
APM respects the privacy of our consumers and visitors and recognizes the importance of protecting the data collected about them. We have established procedures that ensure your personal data is processed in a responsible manner in connection with your use of our web sites or APPs, your use of our connected products (if and when available), or when you visit our stores or visit our social media pages, in your jurisdiction. We respect your concerns about privacy and appreciate your trust and confidence in us.
This Privacy Policy explains when, how and why when it comes to processing your personal data in connection with us, and sets out your choices and rights in relation to that personal data.
This Privacy Policy applies to the Middle East regional website operated by APM Monaco Middle East Retail FZCO, with data protection governed by UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), Federal Decree-Law No. 14 of 2023 on Commerce through Modern Means of Technology (E-Commerce Law), Federal Law No. 15 of 2020 on Consumer Protection (as amended), and other applicable UAE legislation, subject to mandatory local data protection laws in the user’s place of residence.
Please note that the availability of our Website and services may vary depending on your location, as APM MONACO operates different official websites for different regions.
2. Who controls your personal data?
The Data Controller is APM Monaco Middle East Retail FZCO (hereinafter referred to as: “APM Monaco” or “we”), a Private Freezone Limited Liability Company registered in Dubai CommerCity, Dubai Integrated Economic Zones Authority (DIEZ), United Arab Emirates, License No. 50683.
APM Monaco Middle East Retail FZCO acts as the Data Controller for the Middle East regional website (ar.apm.mc) and related services.
3. How we process your personal data
All our data processing activities are based on stringent ethical principles and legal requirements. This section provides more detail on the types of personal data we collect from you, purpose of processing, and retention periods for each type of personal data. Where applicable, it also identifies the legal basis under which we process your data under applicable data protection laws.
Personal data is processed in accordance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and other mandatory local data protection laws where applicable. Unless otherwise required by law, such data will be retained only for as long as necessary to fulfill the relevant purpose and to comply with applicable legal or accounting obligations. Under the PDPL, the primary legal basis for processing is consent, unless another lawful basis applies (such as contract performance, legal obligation, or legitimate interest). The categories of data, purposes, retention periods and legal bases remain as set out below, unless otherwise required by applicable law.
|
Data |
Purpose |
Retention |
Legal Basis |
|
Registration data: name, email, password |
Customer account creation |
Until deactivation or 3 years inactivity |
Consent / Contract |
|
Addresses: name, phone, address, city, zip, country |
Delivery of goods and bills |
Until deactivation or 3 years inactivity |
Consent / Contract |
|
Location |
Nearby store locator |
Not retained |
Consent |
|
Order data: transaction no., purchase details, history, invoice, returns |
Order processing, returns |
3 years; invoice 5 years per UAE law |
Contract / Legitimate interest |
|
Payment card data: card no., expiry, CVV (deleted immediately) |
Payment processing |
Not retained by APM |
Consent / Contract |
|
Order notes, CS correspondence |
Gift messages, CS, after-sales |
Per retention schedule |
Contract / Legitimate interest |
|
Email, WhatsApp |
Newsletter, APM Wonderland Program, reviews |
Until withdrawal of consent |
Consent |
|
Behavioural web data: navigation, IP, user agent |
Analytics, advertising optimisation |
1 month |
Consent |
4. Cookie notice
A cookie is a very small text file that websites visited by the user, send to the user’s computer or mobile device. APM MONACO processes different types of cookies. You may manage your preferences via the cookie banner or your browser settings.
APM implements reasonable technical and organizational measures to ensure that non-essential cookies are not placed on the user’s device prior to obtaining consent.
Cookie processing is conducted in accordance with UAE law, including the PDPL and applicable E-Commerce Law requirements.
To understand the details of these types of cookies and the purposes for which they are used, please refer to our Cookie Policy.
5. With whom will your personal data be shared?
5.1 APM uses service providers who process your personal data on our behalf.
The services provided by third parties may include: authentication, hosting and maintenance services, analysis services, mail messaging services, delivery services, handling of payment transactions, payment providers, address and mail checks.
These third parties are our data processors and may only process personal data to the extent necessary in order to deliver their services. Our data processors are contractually obliged to treat such data in the strictest confidence. And we have signed "DPA" with the third parties.
5.2 Some of our data processors are situated outside the United Arab Emirates.
(a) APM Monaco may share personal information with its affiliated companies and service providers, including group entities located outside the UAE, such as in Monaco, Hong Kong SAR, the European Union, or other jurisdictions, for purposes including customer relationship management, IT support, analytics, accounting, and group-level business operations.
Cross-border transfers of personal data outside the UAE are conducted in accordance with the PDPL (Articles 22 and 23) and may occur:
- to countries approved by the UAE Data Office as providing adequate protection;
- to countries with which the UAE has bilateral or multilateral data protection agreements;
- where appropriate contractual safeguards are in place obliging the recipient to comply with PDPL standards;
- with your express consent, where none of the above mechanisms are available;
- where transfer is necessary for contract performance, legal proceedings, or public interest.
(b) For the performance of certain processing activities concerning your personal data as stated in this Privacy Policy, APM will transfer your personal data outside of the UAE to APM MONACO LIMITED, a company belonging to APM Group, with its registered office at 1/F, Hong Kong Diamond Exchange Building, 8-10 Duddell Street, Central, whose servers are located in Singapore, for customer relationship management purposes.
This includes the following data: Identity, address and contact details; Order-related data.
5.3 As a global company, APM MONACO LIMITED may further share such data to third-party recipients worldwide for business needs or after-sales services:
- Other companies of the APM Group will receive your Basic Data and Order Data for after sales services.
- Third parties service providers entrusted by APM group for technical services:
– Shopify Inc. (hosting, USA)
– Google Analytics (statistics, USA)
– Aftership: FedEx, DHL, Aramex, SMSA Express (logistics tracking)
– public bodies, exclusively to meet legal obligations
– financial institutions and professional account-keepers
– the payment service provider, the delivery service provider, the chat service provider
5.4 We may disclose your data to the extent that we are required to disclose or share your personal data in order to comply with legal obligations or directives of the court or other competent legal body, or to enforce or apply our privacy notice and other agreements; or to protect the rights, properties or security of APM or APM Group, our employees, consumers or others.
5.6 If we participate in dispute resolution through the UAE Ministry of Economy, Dubai Corporation for Consumer Protection, or DIFC Courts, we may disclose relevant personal data to such bodies as required for the resolution of the dispute.
5.7 Please note that the data you publish or disclose through your interaction with APM (e.g. personal data contained in images, stories, comments and videos that you submit) will become public data and may become available to visitors to the site as well as the public.
6. Security of your personal data
We are committed to maintaining the privacy and integrity of your Personal data no matter where it is stored or accessed. We protect your Personal data through the use of data security and access policies that limit unauthorized access to our systems, and technological protection measures.
6.1 Data Protection
(a) Take appropriate measures to protect data from unauthorized access, including:
- Save sensitive data on server instead of PC or USB drive.
- Lock PC screen when getting away from computer.
- Lock paper documents with appropriate locker.
- Printed documents must be taken away from printer immediately.
(b) Data operators should take responsibility for the data within his/her scope.
Assure accuracy of input data.
System configuration & data should be modified with associated approval. No arbitrary modifying allowed.
(c) Company staff should attend security awareness training every year.
6.2 System Access Control
(a) Strict purpose limitation: Only accessing data for which employee is authorized access.
(b) Do not share access privilege with others.
(c) Role-based models should be clearly defined and used for IT systems to grant access.
(d) End users should be granted access with the role that best matches and least privileged.
(e) Segregation of Duties (SoD) should be applied when granting multiple roles to user.
(f) Privilege access should be reviewed regularly.
6.3 data leakage prevention
(a) Employee is responsible for protecting company sensitive/confidential data & intellectual property against being leaked, either intentionally or unintentionally.
(b) Not exposing sensitive data to public via any unauthorized social media channel, including WeChat, What’s App, Weibo, Facebook, Twitter, etc.
6.4 Backup & Recovery
(q) Business data that should be backed up, including but not limited to: database, application configuration, source code, files, images, videos, etc.
(b) Data backup runs on daily basis and recorded.
(c) Incremental & full backup should be scheduled properly.
(e) At least have two backup copies, offline backup copy and off-site backup copy.
(f) Disaster Recovery Planning must be reviewed periodically and practiced, ensure the integrity and validity of backup copies.
(g) Perform Disaster Recovery test every year, provide detailed drill test report.
6.5 In the event of a data breach, we will notify the UAE Data Office and affected data subjects in accordance with Article 9 of the PDPL, at the time we become aware of any breach that is likely to prejudice the security or privacy of personal data. The notification will include details of the nature and cause of the breach, categories of data affected, and corrective measures taken.
7. Your rights
7.1 Data subject rights are exercised in accordance with the UAE PDPL and mandatory local data protection laws in the user’s location. You may exercise the following rights, subject to applicable law:
(a) Right of Access – Request access to the personal data we hold about you.
(b) Right to Rectification – Request to correct data that you believe is inaccurate or incomplete.
(c) Right to Restriction of Processing – Ask us to limit or restrict our use of your personal data.
(d) Right to Data Portability – Ask us to provide your personal data in a structured, machine-readable format.
(e) Withdrawal of Consent – Withdraw your consent to processing at any time.
(f) Right to Erasure – Request deletion of your personal data, subject to legal retention obligations.
(g) Right to Object to Processing – Object to processing of your personal data in certain circumstances, including for direct marketing purposes.
(h) Right regarding Automated Decision-Making – You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects concerning you.
(i) Right to Complaint
You have the right to lodge a complaint with the UAE Data Office or any other competent authority. For consumers in the UAE, complaints may also be directed to the Ministry of Economy, Consumer Protection Department.
7.2 If you wish to exercise your rights, please contact us as specified in the “Complaints and Contact” section below. We may ask you to confirm your identity before we process your request.
7.3 We will respond to your request within 1 month calendar.
8. Age restrictions and parental/guardian controls
The Platforms are not directed at anyone who we know to be a child in the relevant country of data collection (under age 18), nor do we collect any personal data from anyone who we know to be a child unless we have parental or guardian consent. Children should not use the Platforms and should not submit any personal data to us without parental or guardian consent.
Please contact us if you believe we have any personal data from any Child without such parental/guardian consent and acknowledgment so that we can promptly investigate and remove such personal data.
9. Complaints and Contact
If you are a resident in the UAE, you have the right to lodge a complaint with the UAE Data Office. You may also contact the Ministry of Economy, Consumer Protection Department, or the Dubai Corporation for Consumer Protection and Fair Trade.
If you have any questions or suggestions about the content of this Policy, or wish to exercise your rights or have other matters, you can contact Customer Service Center in customercare@apm.mc or contact Data Protection Officer in dpo@apm.mc by email. You can also write to the following address:
DATA PROTECTION OFFICER
APM Monaco Middle East Retail FZCO
Dubai CommerCity
Dubai, United Arab Emirates
10. Changes to this notice
APM regularly reviews our privacy notice to keep it up to date and compliant with privacy and data protection principles. This privacy notice may be changed from time to time to keep pace with new developments and opportunities relating to the Internet and to stay in line with relevant data protection legislation. Any changes we may make to our privacy notice in the future will be posted on this page and, where appropriate, may be notified to you by email.
11. AI Agent Use & Data Processing Notice
To ensure transparency and protect user rights, we clarify that the use of any artificial intelligence agent (“AI Agent”) to access or interact with our website does not constitute automatic data collection or automated decision-making by our brand. AI Agents include, but are not limited to: Third‑party generative AI tools (e.g., ChatGPT, Perplexity, Claude), browser extensions, automated scripts, AI shopping assistants, and our brand’s own AI assistant.
11.1. Third‑party AI Agent activity is not treated as data collection by the brand
When you use a third‑party AI Agent to browse, analyze, summarize, select products, or place orders:
Such activity is treated as user‑initiated via the AI Agent acting on your behalf;
We only process standard technical logs (IP, device type, timestamp) and do not identify or track AI Agents;
Any collection, analysis, or generation performed by the AI Agent is not part of our data processing activities;
We are not responsible for how third‑party AI Agents collect or use your data.
11.2. Actions of our brand’s own AI Agent are user‑initiated, not “automatic collection”
When you interact with our official AI assistant (e.g., embedded chatbot or consultation tool):
- All content provided (messages, questions, preferences) is voluntary and user‑initiated;
- The AI assistant does not collect additional personal information beyond what you provide;
- Its data handling is fully governed by Privacy Policy;
- It does not autonomously extract, predict, or process unrelated personal data.
11.3. Errors or misinformation generated by AI Agents are not attributable to the brand
If an AI Agent produces incorrect, misleading, outdated, or incomplete information that results in:
- mistaken orders or incorrect personal details
- misinterpretation of our policies
- suggestions involving unauthorized sellers or invalid links
- inaccurate descriptions of our products
Such content does not represent our brand, and we are not liable for any resulting harm or loss.
11.4. Orders placed by an AI Agent are considered valid user actions
If an AI Agent submits an order on your behalf:
- The order is treated as a valid expression of your intent.
- It is fully subject to our Terms & Conditions and return/refund policies.
- You remain responsible for verifying all order details.
- We bear no liability for errors caused by automated tools.
11.5. You are responsible for ensuring your AI Agent complies with applicable laws and our policies
You must ensure that your AI Agent:
- Does not engage in unauthorized scraping
- Does not bypass or interfere with our security systems
- Does not input false, incomplete, or misleading information
We may restrict access or take protective action if AI Agent behavior threatens our systems, violates our terms, or infringes others’ rights.
Nothing in this section shall exclude or limit any rights of consumers that cannot be excluded or limited under applicable consumer protection law
12. Arabic Language Requirement
This Privacy Policy is published in English. An Arabic translation may be provided for your convenience. In the event of any discrepancy, the English version shall prevail, except where mandatory UAE law requires otherwise. Pursuant to Article 26 of the UAE Consumer Protection Law, consumer-facing data and contractual information must be available in Arabic.
