Privacy Policy

Last updated: June 2026

Information We Collect

When you shop or create an account, we collect your name, email, phone number, shipping address, username, referral source, and order history. Payment data is processed securely by Paystack — we do not store full card numbers. We also collect search queries, product views, and cart activity to improve our service.

How We Use Your Data

• Process and fulfil orders
• Send order confirmations and delivery updates
• Provide customer support (including AI-assisted support)
• Improve our website and product offerings
• Send marketing emails (only with your consent)
• Analyse search trends and product popularity

Data Sharing

We share data only with service providers necessary to operate our business. We do not sell your personal information to third parties. Our service providers include:

• Paystack — payment processing (Nigeria/USA)
• Resend — email delivery (USA)
• Cloudflare — DNS, email routing, bot protection (global)
• Vercel — web hosting (Germany)
• Supabase — database hosting (Germany)
• Groq — AI-powered support assistant (USA) — your questions and order status may be processed by Groq to provide automated support responses
• Plausible — privacy-friendly, cookieless analytics (EU)

Some providers process data outside Malawi. By using our services you acknowledge that your data may be transferred to these countries in accordance with their privacy policies and the Malawi Data Protection Act 2024.

Your Rights

Under the Malawi Data Protection Act 2024, you have the right to:

• Access your personal data
• Correct inaccurate data
• Request deletion of your account and associated data
• Export your data in a machine-readable format
• Withdraw consent for marketing at any time
• Lodge a complaint with the Data Protection Commissioner

To exercise any of these rights, email support@iconicmalawi.com or use the account deletion option in your profile settings. We will respond within 30 days.

Data Retention

We retain your account data for as long as your account is active. Order records are retained for 7 years for financial and tax compliance, even after account deletion. Support ticket messages are retained for 24 months. Search query analytics are retained for 12 months. You may request earlier deletion of non-financial data.

Cookies

We use essential cookies for cart persistence, authentication, and analytics. Plausible analytics is cookieless and does not track individuals. You can control non-essential cookies through your browser settings.

Children's Privacy

Our services are not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Data Security

We use industry-standard security measures including encrypted database storage (AES-256), Row-Level Security on all database tables, HMAC-signed tokens, rate limiting, and bot protection (Cloudflare Turnstile). IP addresses are stored as salted HMAC hashes (not plaintext) for GDPR/DPA compliance.

Breach Notification

In the event of a personal data breach, we will notify the Malawi Data Protection Commissioner within 72 hours and affected data subjects without undue delay, in accordance with the Data Protection Act 2024.

Changes to This Policy

We may update this privacy policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of our services after changes constitutes acceptance of the updated policy.

Contact

For privacy questions or requests, email support@iconicmalawi.com or call +265 995 554 449 during business hours (Mon–Sat, 9:00–17:00).