Privacy
Policy.

Foil My Car (“we”, “us”, “our”) is a car wrapping, paint protection film, ceramic coating and detailing studio operating from Warehouse #10, 64th Street, Dubai Investment Park 2, Dubai, UAE. For privacy questions, contact foilmycar.fca@gmail.com or +971 56 611 3969.

We are the data controller for the personal data we collect through this website and our studio operations.

We only collect data that's strictly needed to deliver the service:

• Booking & enquiry forms — name, email, phone number, vehicle make/model, the service you're asking about, and any notes you choose to send.
• Account data (admin only) — for studio team members: email, role, hashed password (bcrypt), session tokens.
• Gallery uploads — photos you allow us to publish of your vehicle (with your consent at booking).
• Technical data — IP address, browser type, pages viewed, referring URL. Collected via standard server logs and Google Analytics (where enabled). Used in aggregate only.
• Cookies — strictly necessary cookies for login session security (NextAuth.js: __Secure-authjs.session-token, __Host-authjs.csrf-token). No advertising or tracking cookies.

• To respond to enquiries, send quotes, and confirm bookings.
• To deliver the service you booked and contact you about it.
• To take and (with your consent) publish before/after photos of your build.
• To meet UAE legal record-keeping obligations (invoices, warranty claims).
• To improve the website (aggregated analytics — not tied to your identity).

We will never sell your data, share it with advertisers, or use it for marketing communications without your explicit opt-in.

• Contract — to provide the service you've booked.
• Consent — for publishing your vehicle photos in our portfolio. Withdrawable at any time by emailing us.
• Legitimate interest — to keep the website secure (rate-limiting, spam prevention).
• Legal obligation — to retain financial records as required by UAE Federal Tax Authority.

Your data is stored on infrastructure we operate in Mumbai, India (AWS ap-south-1 region):

• Postgres database — bookings, enquiries, gallery metadata.
• S3 bucket foil-my-car-uploads — gallery image files.
• Daily encrypted backups retained 30 days.

Cross-border transfer (UAE → India) is permitted under PDPL Art. 22 because India has equivalent data protection standards (Digital Personal Data Protection Act, 2023) and the data is processed under contract for service delivery.

• Enquiries that don't convert — 12 months, then anonymised.
• Bookings & invoices — 5 years (UAE FTA tax record requirement).
• Gallery photos — until you withdraw consent.
• Server logs — 30 days, then deleted.
• Marketing emails — until you unsubscribe (one-click in every email).

We only share with these third parties, all bound by data-processing agreements:

• Amazon Web Services (S3, EC2, CloudFront) — infrastructure.
• GoDaddy — domain registration only (no business data).
• Google — Search Console + Analytics (aggregated stats only).
• UAE legal authorities — when required by court order.

You can ask us, at any time, to:

• See what data we hold on you (right of access).
• Correct anything that's wrong (right to rectification).
• Delete your data (right to erasure) — subject to legal retention obligations.
• Export your data in a machine-readable format (right to portability).
• Object to specific processing (right to object).
• Withdraw consent for photo publication (right to withdraw consent).

Email foilmycar.fca@gmail.com and we'll respond within 30 days. If you're not satisfied with our response, you can complain to the UAE Data Office.

All traffic to and from this site is HTTPS only (TLS 1.2+). Passwords are hashed with bcrypt at cost factor 12. The admin panel is access-controlled and audited. The S3 uploads bucket has CORS limited to our own domains. We hold no payment card data on our servers — payment is taken at the studio via your bank's POS terminal.

This is a luxury car-services site. We don't knowingly collect data from anyone under 18. If you believe we have, email us and we'll delete it.

We'll post any material changes to this page and update the date at the top. For significant changes (e.g. new third-party processors), we'll notify affected users by email where applicable.