Privacy Policy
Effective Date: March 1, 2026
Last Updated: March 13, 2026
Dilara Collection Ltd (“Dilara Collection,” “we,” “us,” or “our”) is committed to protecting and respecting your privacy. This Privacy Policy explains in detail how we collect, use, store, disclose, and protect your personal data when you visit our website at dilaracollection.com, interact with our showroom in Kigali, or engage with our services in any capacity.
This Policy is drafted in compliance with Law N° 058/2021 of 13/10/2021 Relating to the Protection of Personal Data and Privacy (the “Data Protection Law”) of the Republic of Rwanda, and Article 23 of the Constitution of the Republic of Rwanda, which guarantees every person the right to privacy. We are also guided by internationally recognized data protection principles, including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.
1. Data Controller
The data controller responsible for your personal data is:
Dilara Collection Ltd
COOPERATIVE AU 2, AVENUE DU
Kigali, Rwanda
Email: hi@dilaracollection.com
Data Protection Officer: hi@dilaracollection.com
As the exclusive authorized dealer of Kelebek Mobilya Sanayi ve Ticaret A.Ş. (“Kelebek Furniture”) in Rwanda, we may share certain data with Kelebek Furniture in Turkey for order fulfillment purposes, as described in Section 8 below.
2. Personal Data We Collect
We collect and process the following categories of personal data, depending on your interaction with us:
2.1 Account and Identity Data
- Full name (first name and surname)
- Email address
- Phone number (including mobile number for Mobile Money transactions)
- Username and encrypted password
- Billing and shipping addresses
- Company name (if applicable)
2.2 Order and Transaction Data
- Products ordered, quantities, and specifications
- Order history, order status, and delivery tracking information
- Payment method selected (MTN Mobile Money, Airtel Money, bank transfer, or in-store payment)
- Transaction reference numbers and confirmation codes
- Invoice and receipt records
- Delivery preferences and special instructions
- Return and exchange records
Important: We do not store your Mobile Money PINs, bank account numbers, or credit/debit card details. All payment processing is handled by the respective payment service providers (MTN Rwanda, Airtel Rwanda, or your banking institution). We only retain transaction reference numbers for reconciliation and dispute resolution purposes.
2.3 Technical and Browsing Data
- IP address and approximate geolocation (country/city level)
- Browser type, version, and language settings
- Operating system and device type (desktop, mobile, tablet)
- Screen resolution and viewport dimensions
- Pages visited, time spent on pages, and navigation paths
- Referring website or search engine query
- Click patterns, scroll behavior, and interaction events
- Server access logs (timestamps, requested URLs, HTTP status codes)
2.4 Cookie and Tracking Data
- WooCommerce session cookies (cart contents, session identifiers)
- Authentication cookies (login state, user preferences)
- LiteSpeed Cache optimization cookies
- Analytics cookies (Google Analytics, if enabled)
- Marketing and advertising cookies (only with your explicit consent)
For comprehensive details on our cookie practices, please refer to our Cookie Policy.
2.5 Communication Data
- Messages submitted through our contact form
- Email correspondence
- Phone call records (date, time, and general subject — calls are not recorded)
- Live chat transcripts (if applicable)
- Product review content and ratings
- Wishlist items and product preferences
3. How We Use Your Personal Data
We process your personal data for the following purposes, each supported by an appropriate legal basis under Law N° 058/2021:
3.1 Contract Performance
- Processing and fulfilling your furniture orders
- Arranging delivery and assembly services within Kigali and across Rwanda
- Processing payments and issuing invoices and receipts
- Managing returns, exchanges, and warranty claims
- Providing after-sales customer support
- Managing your user account and order history
3.2 Legitimate Interest
- Improving our website functionality, performance, and user experience
- Analyzing browsing patterns and purchasing trends to optimize our product offerings
- Preventing fraud, unauthorized access, and security threats
- Conducting internal business analytics and reporting
- Maintaining and securing our IT infrastructure
- Training our staff to improve customer service
3.3 Consent
- Sending marketing emails, promotional offers, and newsletters (you may opt out at any time)
- Setting non-essential cookies (analytics and marketing cookies)
- Sharing your data with third-party marketing platforms
3.4 Legal Obligation
- Complying with Rwanda Revenue Authority (RRA) tax reporting and record-keeping requirements
- Responding to lawful requests from regulatory authorities and law enforcement
- Maintaining financial records as required by Rwandan accounting and commercial law
- Reporting data breaches to the National Cyber Security Authority (NCSA) as required by law
4. Payment Data Security
We take the security of your payment information extremely seriously. Our approach to payment data is as follows:
4.1 MTN Mobile Money
When you pay via MTN Mobile Money, the transaction is processed entirely through MTN Rwanda’s secure payment infrastructure. We receive only a transaction reference number and confirmation status. Your Mobile Money PIN and account balance are never accessible to us.
4.2 Airtel Money
Airtel Money payments are similarly processed through Airtel Rwanda’s secure platform. We retain only the transaction reference for reconciliation purposes.
4.3 Bank Transfer
For bank transfers, we provide our business bank account details. Your banking credentials remain with your financial institution. We verify receipt of payment through our banking records.
4.4 In-Store Payments
Payments made at our Kigali showroom (cash, Mobile Money, or card) are processed using secure point-of-sale systems. Receipts are issued for all transactions.
5. Children’s Privacy — Kelebek Kids
Our Kelebek Kids furniture collection is designed for children but is marketed to and purchased by parents, guardians, and family members. We recognize the particular sensitivity of children’s data and implement the following protections:
- We do not knowingly collect personal data from children under the age of 16 without verifiable consent from a parent or legal guardian, in accordance with Article 38 of Law N° 058/2021.
- Our website does not include features designed to attract or engage children directly (such as games, contests, or child-oriented interactive content).
- If a child under 16 creates an account or provides personal data without parental consent, we will promptly delete such data upon becoming aware of it.
- When parents or guardians provide a child’s name or details for delivery or personalization purposes, we process this data solely for order fulfillment and do not use it for marketing.
- We collect the minimum amount of data necessary for any transaction involving children’s products.
If you believe your child has provided personal data to us without your consent, please contact our Data Protection Officer immediately at hi@dilaracollection.com.
6. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Our specific retention periods are:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data | Duration of account + 3 years after deletion request | Legitimate interest (dispute resolution) |
| Order and transaction data | 7 years from date of transaction | Rwanda tax and accounting law (RRA requirements) |
| Payment reference numbers | 7 years from date of transaction | Legal obligation (financial records) |
| Delivery records | 3 years from delivery date | Warranty and dispute resolution |
| Customer support communications | 3 years from last interaction | Service improvement and dispute resolution |
| Marketing consent records | Duration of consent + 1 year after withdrawal | Accountability and compliance evidence |
| Website analytics (aggregated) | 26 months | Legitimate interest (business improvement) |
| Server access logs | 12 months | Security and troubleshooting |
| Cookie data | Varies by cookie (see Cookie Policy) | As specified in Cookie Policy |
| Warranty claims | Duration of warranty + 2 years | Legal obligation and legitimate interest |
Upon expiration of the applicable retention period, personal data is securely deleted or anonymized so that it can no longer be associated with you.
7. Your Rights Under Law N° 058/2021
As a data subject, you have the following rights under the Data Protection Law:
7.1 Right of Access
You have the right to obtain confirmation as to whether we process your personal data, and if so, to access that data along with information about the purposes, categories, recipients, and retention periods.
7.2 Right to Rectification
You may request correction of inaccurate personal data or completion of incomplete data. We will respond within 30 days.
7.3 Right to Erasure
You may request deletion of your personal data where: (a) it is no longer necessary for the purpose it was collected; (b) you withdraw consent; (c) you object to processing and there are no overriding legitimate grounds; or (d) the data was unlawfully processed. Note that we may retain certain data where required by law (e.g., tax records).
7.4 Right to Restrict Processing
You may request that we limit the processing of your data while we verify its accuracy or assess whether our legitimate interests override your rights.
7.5 Right to Data Portability
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., CSV or JSON).
7.6 Right to Object
You have the right to object to processing based on legitimate interest, including profiling. You also have the absolute right to object to processing for direct marketing purposes.
7.7 Right Regarding Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or significantly affect you. We do not currently engage in fully automated decision-making.
To exercise any of these rights, please contact our Data Protection Officer at hi@dilaracollection.com. We will respond to your request within 30 days. If the request is complex, we may extend this period by an additional 30 days, with prior notification to you.
8. Data Sharing and Third-Party Disclosure
We do not sell, rent, or trade your personal data to third parties. We may share your data with the following categories of recipients, solely for the purposes described:
| Recipient | Purpose | Data Shared |
|---|---|---|
| Kelebek Mobilya (Turkey) | Order fulfillment, product sourcing, warranty processing | Order details, delivery address (no financial data) |
| Delivery partners (Rwanda) | Furniture delivery and assembly | Name, phone, delivery address |
| MTN Rwanda / Airtel Rwanda | Payment processing | Transaction amounts (PINs/credentials never shared) |
| Hosting provider (Hostinger) | Website hosting and infrastructure | Server logs, technical data |
| Google (Analytics) | Website performance analysis | Anonymized/pseudonymized browsing data |
| Rwanda Revenue Authority (RRA) | Tax compliance | Transaction records as required by law |
| Law enforcement / courts | Legal obligation | As required by valid legal process |
All third-party recipients are required to protect your data in accordance with applicable data protection laws and our contractual requirements.
9. International Data Transfers
In the course of our business operations, your personal data may be transferred to and processed in Turkey (by Kelebek Mobilya for order fulfillment and warranty purposes) and other countries where our service providers operate.
In accordance with Chapter V of Law N° 058/2021, we ensure that any international transfer of personal data is subject to appropriate safeguards, including:
- Contractual clauses requiring the recipient to maintain data protection standards equivalent to those under Rwandan law
- Assessment of the adequacy of the recipient country’s data protection framework
- Implementation of supplementary technical and organizational measures where necessary
- Ensuring that your rights as a data subject remain enforceable
10. Data Security
We implement robust technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption: SSL/TLS encryption for all data transmitted between your browser and our website (HTTPS)
- Access controls: Role-based access restrictions ensuring only authorized personnel can access personal data
- Secure hosting: Our website is hosted on infrastructure with enterprise-grade security, firewalls, and intrusion detection
- Password security: User passwords are stored using one-way cryptographic hashing (bcrypt)
- Regular updates: Timely application of security patches to our CMS, plugins, and server software
- Backup procedures: Regular encrypted backups with secure off-site storage
- Staff training: Ongoing data protection awareness training for all employees who handle personal data
11. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the National Cyber Security Authority (NCSA) — Data Protection & Privacy Office within 72 hours of becoming aware of the breach, as required by Law N° 058/2021
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms
- Document all data breaches, including the facts, effects, and remedial actions taken
- Implement measures to contain the breach and prevent recurrence
12. Cookies
We use cookies and similar technologies to enhance your browsing experience, analyze website traffic, and support our marketing efforts. For complete information about the cookies we use, their purposes, and how to manage your cookie preferences, please see our Cookie Policy.
13. Third-Party Links
Our website may contain links to third-party websites, social media platforms, or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party website you visit.
14. Right to Complain
If you believe that your data protection rights have been violated, or if you are dissatisfied with how we have handled your personal data, you have the right to lodge a complaint with:
National Cyber Security Authority (NCSA)
Data Protection & Privacy Office
KN 4 Ave, Kigali, Rwanda
Website: www.ncsa.gov.rw
We encourage you to contact us first at hi@dilaracollection.com so that we may attempt to resolve your concern directly.
15. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy at any time to reflect changes in our practices, legal requirements, or business operations. When we make material changes, we will:
- Update the “Last Updated” date at the top of this page
- Post a prominent notice on our website for a reasonable period
- Where required or appropriate, notify you by email
We encourage you to review this Privacy Policy periodically. Your continued use of our website after any changes constitutes your acceptance of the updated Policy.
16. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact:
Data Protection Officer
Dilara Collection Ltd
COOPERATIVE AU 2, AVENUE DU
Kigali, Rwanda
Email: hi@dilaracollection.com
Website: dilaracollection.com
This Privacy Policy constitutes the complete statement of Dilara Collection Ltd’s data protection practices. It supersedes all prior privacy notices and communications regarding our handling of personal data.