In short: we collect only what you send us through the contact form, plus a short-lived IP record we use to stop spam. We do not sell your data. We do not run advertising trackers.
Who we are
In short: BIOSAR is the brand behind this site, and we decide what happens with your data here.
BIOSAR is a global dermocosmetic brand formulated and manufactured in BIOSAR Laboratories. When this policy says "we," "us," or "BIOSAR," we mean the legal entity behind the brand. We are the controller of the personal data collected through this website.
The information we collect
In short: only what you send us through the contact form, plus a short-lived IP record we use to stop spam.
When you submit our contact form, we receive your name, email address, the country you select (optional), the topic you choose, and the message you write. If you came from a specific product page, the form may also include the product name so we can route your question.
We log your IP address briefly so we can rate-limit submissions and protect the form from spam and automated abuse. We do not run advertising trackers or behavioural profiling. We use Plausible and Vercel Analytics, both of which work without cookies and without identifying you.
How we use your information and why we are allowed to
In short: to reply to your message, to keep the site working, and to meet the rules that apply to us.
We use the contact-form details to read and reply to your enquiry, to route it to the right team member, and to keep a record of correspondence. Under the EU and UK GDPR our lawful basis is your consent and our legitimate interest in operating a contact channel. Under the Saudi Personal Data Protection Law our purpose is to respond to the request you submitted. We use IP logs to protect the form from abuse, on the basis of our legitimate interest in keeping the service available. We use aggregate analytics to understand which pages people read; the data is not linked to you.
How long we keep it
In short: contact messages stay with us up to 24 months unless we need them longer for a real reason.
We keep contact-form messages for up to 24 months after the last reply, then delete them. IP records used for rate-limiting are kept for at most 1 hour and automatically discarded. Aggregated analytics counts are retained without expiry because they no longer relate to any individual. If a message is part of an open distributor or pharmacy enquiry that becomes a business relationship, we may keep it for the duration of that relationship and for the periods our local tax and commercial laws require.
Who we share it with
In short: only the partners we work with to actually run the site, and only what they need.
We share the personal data we collect with the partners we work with to run this site:
- Resend — email delivery, US-based — sends our reply email and a confirmation email back to you.
- Sanity — content platform, EU-hosted — stores the body of your enquiry so our team can read and act on it.
- Vercel — hosting, US-based with EU edge — runs the site itself and provides cookieless analytics.
- Upstash — Redis, EU-hosted — stores short-lived rate-limit counters tied to a hashed IP.
- Plausible — analytics, EU-based — provides aggregate visit counts.
We do not sell your data. We do not share it with advertisers or data brokers. We will release information when a court order or a law of a country we operate in requires us to.
Where your data is processed
In short: most of your data stays in the EU; some flows to the US under standard EU safeguards.
The companies we work with operate in the EU, the United Kingdom, and the United States. When data moves outside the EU, the EEA, or the UK, we rely on the European Commission's Standard Contractual Clauses and, where relevant, the EU–US Data Privacy Framework. For visitors in Saudi Arabia, we transfer data to and from outside the Kingdom for the purposes named above; under the PDPL this is permitted because the transfer is necessary to provide a service you have asked for, and we apply contractual safeguards with each partner.
Cookies and tracking
In short: we use the absolute minimum and we describe each one in the cookie policy.
We use a tiny number of strictly necessary cookies and no advertising cookies. The full list is in our cookie policy.
Your rights
In short: you can ask us what we have, ask us to fix or delete it, or ask us to stop using it.
You have the right to ask us:
- what personal data we hold about you and to receive a copy
- to correct anything that is wrong
- to delete data we no longer have a reason to keep
- to limit how we use it
- to receive a portable copy you can send elsewhere
- to object to processing we do on the basis of legitimate interest
- to withdraw your consent at any time, without affecting anything we did before you withdrew it
If you are in Saudi Arabia, the PDPL gives you these rights and adds the right to be informed of how your data is used, the right to access it, and the right to have it destroyed when no longer needed. To exercise any right, email us at the address below. We will respond within 30 days. If you think we have mishandled your data you can complain to your local data protection authority — in the EU, your national supervisory authority; in Saudi Arabia, the Saudi Data and AI Authority (SDAIA).
Security
In short: encrypted in transit, access-controlled at rest, audited regularly.
Traffic to and from this site uses TLS encryption. The platforms we work with hold recognised security certifications and we limit internal access on a need-to-know basis. No system is perfectly safe; if a breach affects you we will tell you and the relevant regulator within the timeframes the law requires.
Children
In short: this site is not aimed at children under 16.
This site is not directed at children, and we do not knowingly collect data from anyone under 16. If you believe a child has sent us their data, contact us and we will delete it.
Changes to this policy
In short: if we change anything important, we will say so at the top of this page.
We may update this policy when our practices, the partners we work with, or the law change. We will refresh the "last updated" date at the top and, for material changes, we will flag the update on the homepage for at least 30 days.
How to contact us
In short: one address for everything privacy-related.
For any privacy question or to exercise your rights, email legal@biosarlabs.com. We aim to reply within five working days and to resolve formal requests within 30 days.