Privacy Policy

Tohfa (https://tohfa.af) is operated by a team based in Kabul, Afghanistan. Throughout this policy, “we” / “us” / “Tohfa” refers to the operator of tohfa.af.

Contact for privacy questions: [email protected].

We collect only what we need to deliver your gift and run the service.

• Order details— your name, contact (WhatsApp or email), recipient's name, recipient's address and phone number in Afghanistan, the items you ordered, and any personal message you wrote.
• Payment data — handled by Stripe. We never see, store, or transmit your card number. We receive a tokenised confirmation and the last four digits for receipt purposes.
• Custom requests — if you fill out the custom gift form, we store your name, contact, recipient city, description, and budget range.
• Analytics — first-party events (page views, add-to-cart, checkout clicks) are stored with a daily-rotated hash of your IP and User-Agent. Raw IP addresses are never stored. Cloudflare Web Analytics also runs as an independent cross-check.
• Error reports — if something breaks, Sentry captures the technical stack trace. Personal data is not intentionally included in error reports.

We use the data to:

• Prepare and deliver your order, and confirm delivery to you.
• Process your payment securely (via Stripe).
• Reply to your messages, custom requests, or support tickets.
• Understand how the site is used so we can improve it.
• Detect and prevent fraud or abuse of the service.
• Comply with applicable Afghan tax / commercial law.

Our legal bases are (a) contract — to fulfil your order, and (b) legitimate interest — for fraud prevention and product improvement.

We share data only with the providers we need to run the service:

• Stripe (payment processor — United States)
• Supabase (database hosting — currently self-hosted on our infrastructure)
• Cloudflare (content delivery and basic analytics)
• Sentry (error monitoring, EU region)

We do not sell your data. We do not share it with marketers or advertisers.

Order data is kept for as long as your order is active plus a reasonable period afterwards to handle disputes, refunds, and tax obligations. Analytics events are aggregated and the daily visitor-hash salt rotates every 24 hours — so individual events older than 24 hours cannot be re-linked to you.

Depending on where you live, you have rights to access, correct, export, or delete your personal data. To exercise any of these, email [email protected]with the subject line “Privacy Request” — we aim to respond within 30 days.

If you are in the EU / UK and believe we have mishandled your data, you have the right to complain to your local supervisory authority.

We use a small set of strictly-necessary and analytical cookies:

• Cart and language preferences— stored in your browser's localStorage so your basket survives a refresh. No third-party access.
• Admin authentication— only relevant if you're a Tohfa staff member.
• Cloudflare Web Analytics — uses cookieless measurement; no persistent identifiers are stored on your device.

We do not run third-party advertising or remarketing cookies.

Tohfa is not intended for children under 16. We do not knowingly collect data from anyone under that age.

We may update this policy as the service evolves. The updated date at the top of the page reflects the most recent change. Substantive changes will be communicated by email if we have your address.