PRIVACY POLICY IN CONNECTION WITH THE PROCESSING OF PERSONAL DATA BY “Cupffee” Ltd.

The present Privacy Policy, relating to the processing of personal data by “Cupffee” Ltd., is designed to help you understand what personal data we collect, why we collect it and what we do with it. Please take the time to read this Privacy Policy carefully. We want you to be aware of how we use your information and the ways in which you can exercise your rights.

The present Privacy Policy applies to your personal data when you visit and/or use our Site: https://cupffee.me/ and/or e-store: https://shop.cupffee.me/ and/or https://cupffee.zohocommerce.eu/ (all three of which are collectively referred to below as "Cupffee.me’s online store" and/or "online store") or use our services through this website/ e-store and does not apply to other websites/ e-stores and/or services that we do not own or control.

When you use our services available at https://cupffee.me/ and/or https://shop.cupffee.me/ and/or https://cupffee.zohocommerce.eu/, you acknowledge that you have read and understood the present Privacy Policy in relation to the processing of personal data by “Cupffee” Ltd.

The company providing services to you as a Personal Data Controller is:

Name: “Cupffee” Ltd.

UIC/BULSTAT: 203075711

Seat and registered address: city of Plovdiv, 4002, Zapaden District, 45 Koprivshtitsa Blvd.

Correspondence address: city of Plovdiv, 4023, Trakiya District, 1 Asenovgradsko shose Blvd.

Phone number: +359 884 931 183

E-mail: [email protected]

Site: https://www.cupffee.me/

 

Person, responsible for the Protection of Personal Data:

______________________, address: city of Plovdiv, 4023, Trakiya District,  1 Asenovgradsko shose Blvd., email: ______________, phone number: ______________

 

 

“Cupffee” Ltd. (hereinafter referred to as “Controller” or “the Company”) operates in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of Europe of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data (GDPR). We respect the right to privacy and work continuously to keep the data we process to a minimum and as secure as possible. However, in order for you to use our services and/or purchase the goods we offer, we must process certain personal data. By using any of our services and/or purchasing goods offered by us and/or registering an account, you acknowledge that you have read and understood the present Privacy Policy, relating to the processing of personal data by “Cupffee” Ltd.

Grounds for collecting, processing and storing your personal data

Article 1. The Controller collects and processes your personal data in connection with the use of the online store Cupffee.me and concluding contracts with the company on the grounds of art. 6, para. 1, Regulation (EU) 2016/679 (GDPR), and in particular, the following grounds:

  1. Your explicit consent as a customer;
  2. Fulfillment of the obligations of the Controller under the contract with you;
  3. Compliance with legal obligations that apply to the Controller;
  4. For the purposes of the legitimate interests of the Controller or a third party.

Goals and principles in the collection, processing and storage of your personal data

Article 2. (1) We collect and process the personal data you provide to us in connection with the use of the online store Cupffee.me and concluding a contract with the company, including the following purposes:

  1. creating an account and providing full functionality when using the online store;
  2. individualization of a Party, regarding the contract;
  3. accounting purposes;
  4. statistical purposes;
  5. protection of information security;
  6. ensuring the enactment of the contract for the provision of the respective service;
  7. sending newsletters and emails with special offers upon your explicit request;
  8. sending promotional materials and product samples from other companies via “Cupffee” Ltd. with your explicit request;
  9. sending answers to inquiries made through the feedback form on our website.

(2) We adhere to the following principles when processing your personal data:

  1. legality, good faith and transparency;
  2. restriction of the processing purposes;
  3. relevance of the purposes of processing and minimisation of the amounts of the collected data;
  4. accuracy and relevance of the data;
  5. limitation of storage, needed to reach the objectives;
  6. integrity and confidentiality of the processing and ensuring an appropriate level of security of the personal data.

(3) When processing and storing personal data, the Controller may process and store personal data in order to protect the following legitimate interests:

  1. fulfillment of its obligations to the National Revenue Agency, the Ministry of Interior and other state and municipal bodies.

What types of personal data our company collects, processes and stores

Article 3. (1) The company performs the following operations with the personal data provided by you as customers, for the following purposes:

 

  1. Registration of a customer in the e-store and fulfillment of a remote sales contract – The purpose of this operation is to create an account for the use of the e-store for the purchase of goods and provide contact information for the delivery of the said purchased goods. Registration and account creation in order to use the online store is not a mandatory step in providing the service and it is available to a large extent without creating an account through the option „Order as guest“ – Conclusion from the impact assessment: Based on the impact assessment carried out, the Person responsible for the Protection of Personal Data considers that the operation “User registration in the e-store and execution of a remote sales contract” is eligible for execution and provides sufficient guarantees to protect the rights and legitimate interests of data subjects in accordance with the requirements of the GDPR;
  2. Sending an informational bulletin (newsletter) – The purpose of this operation is to administer the process of sending newsletters, emails with special offers, promotions, promo codes, news and new features to customers who have stated that they wish to receive them. Given the limited scope of the personal data collected, the Person responsible for the Protection of Personal Data considers that an impact assessment is not required.
  3. Exercising the right of withdrawal or making a complaint – the purpose of this operation is to administer the process of exercising the right of withdrawal or complaint by the customer for the goods in respect of which these rights may be exercised. Given the limited scope of the personal data collected, the Person responsible for the protection of Personal Data considers that an impact assessment is not required.
  4. Providing advertising materials and sampling by other companies through “Cupffee” Ltd. – The purpose of this operation is administration of the process of sending advertising materials and samples of products from other companies through “Cupffee” Ltd to customers who have stated that they wish to receive them. Given the limited scope of the personal data collected, the Person responsible for the Protection of Personal Data considers that an impact assessment is not required.
  5. Making inquiries through the website feedback form Cupffee.me - the purpose of this operation is to send a response to a request. Given the limited scope of the personal data collected, the Person responsible for the Protection of Personal Data considers that an impact assessment is not required.

(2) The Controller does not collect or process personal data relating to the following:

  1. revealing racial and/or ethnic origin;
  2. revealing political, religious and/or philosophical beliefs, and/or union membership;
  3. genetic and/or biometric data, health data and/or data on sexual life and/or sexual orientation.

(3) Personal data is collected by the Controller from the persons to whom it relates. We only process and use data that our Customers have voluntarily provided to us. This means that it is the responsibility of each Customer not to provide data to third parties in breach of their data protection rights, as we have no practical ability to control whether Customers provide data to third parties with their knowledge and consent given in accordance with legal requirements. Therefore, any person is fully personally liable if they provide data to a third party without their knowledge or without obtaining their consent in complying with the requirements of applicable data protection legislation, including in respect of the names, telephone numbers and addresses of the recipients of goods provided to us by a Customer, as well as for the data of individuals representing customers - legal entities.

(4) The Controller does not perform automated decision making about data in his possession.

(5) We provide services and/or sales of goods and only allow our website/e-shop to be used by persons over the age of 16. If you are under the age of 16, you may only use our facilities and/or purchase goods from our online shop with the express consent of your parent or legal guardian. If we receive information that we have collected personal data from a person under the age of 16, we will delete it immediately unless we are legally obliged to retain such data. Please contact us if you believe that we have mistakenly or unknowingly collected information from a person under the age of 18.

Article 4. (1) The Controller processes the following categories of personal data and information for the following purposes and on the following grounds:

  1. Your personal data (e-mail, name, phone number, address, etc.) and Economic identity data* - servicing bank, bank account number and/or bank card number and validity.

1.1. Purpose for which the data is collected: 1) Making contact with the user and sending information to them, 2) for the purpose of user registration in the online store;  3) for the purpose of requesting, receiving and fulfilling customer orders for the purchase of goods from our online store; 4) for negotiating with customers, potential customers and other contractors of the Company for the purpose of cooperation and provision of goods and services; 5) for customer service, responses to inquiries regarding goods, distribution, terms of purchase and delivery, complaints, etc. 6) for accounting services, including the issuance of invoices and confirmation of payment; 7) for the collection of receivables; 8) for the administration of and defence of legal claims and actions, as well as to send newsletters, emails with special offers, promotions, promo codes, news and new features, and sending a response to an inquiry through the form on our website.

* The economic identity data (servicing bank and bank account number) will be processed only in cases where the Customer has opted for the "Deferred Payment" option and should pay for the goods ordered by him through a direct bank transfer to the bank account of “Cupffee” Ltd.

In order to pay by bank card, you must follow the procedure for receiving payments by bank card, following the steps of the e-shop, by using the Mollie service integrated in the e-shop, according to the terms and conditions of Mollie.[1] 

1.2. Grounds for processing your personal data – By accepting the general terms and conditions and registering in the e-store or placing an order without registration, or by concluding a written contract, a contractual relationship is created between the Controller and you on the basis of which we process your personal data – Art. 6, para. 1, p. (b) GDPR. Your data for sending a newsletter and emails, as well as for sending a response to an inquiry through the form on our website, are processed with your explicit consent – Art. 6, para. 1, p. (a) GDPR.

  2. Delivery data (name, phone number, address and others)

2.1. Purpose for which the data is collected: 1) Fulfillment of obligations of the Controller under a contract for sale and delivery of purchased goods and 2) Sending of promotional materials and samples of products from other companies via „Cupffee“ Ltd. to customers who have stated that they wish to receive them.

2.2. Grounds for processing your personal data – By accepting the general terms and conditions and registering in the e-store or placing an order without registration, or by concluding a written contract, a contractual relationship is created between the Controller and you on the basis of which we process your personal data – Art. 6, para. 1, p. (b) GDPR.

Your data for sending a newsletter and emails, as well as for sending a response to an inquiry through the form on our website, are processed with your explicit consent – Art. 6, para. 1, p. (a) GDPR.

  3. Data from your social media accounts (publicly available information from your accounts on Google+, Facebook, etc.)

3.1. Purpose for which the data is collected: 1) Making contact with the user and sending information to him and 2) for the purposes of user registration in the online store.

3.2. Grounds for processing your personal data – With the acceptance of the general conditions and registration in the e-store through a profile in a social network, a contractual relationship is created between the Controller and you, on the basis of which we process your personal data – Art. 6, para. 1, p. (b) GDPR.

(2) In the event that you contact us for any reason in connection with an order placed by you through our website/e-shop, we will make a verification in order to identify you in order to establish with certainty that you are the person who has placed the relevant order that you wish to comment on, change, etc. In this regard, it will be necessary for you to provide some of your data indicated in the order. The verification data thus provided will not be recorded.

Duration of storage of your personal data

Article 5. (1) In cases where you have registered in our e-shop, we will process your personal data as long as your account exists and up to 5 (five) years after its deletion, or after the completion of procedures related to any disputes (the said period is related to the purpose of protecting the legal interests of the Controller in case of legal or administrative disputes with users of the online store). Data from accounting records and documents relating to orders placed will be kept for the relevant statutory period.

(2) In cases where you use our e-shop as a Guest, we will process your personal data for a period of up to 5 (five) years after the execution of your last order placed as a Guest or after the completion of procedures related to any disputes (the said period is related to the purpose of protecting the legal interests of the Controller in case of legal or administrative disputes with users of the online store). Data from accounting records and documents relating to orders placed will be kept for the relevant legal period.

(3) After the expiration of the aforementioned periods, the Controller shall take the necessary care to delete and destroy all your data without undue delay or to anonymize them (i.e. to put them in a form that does not reveal your identity).

(4) Your consent to receive newsletters, emails with special offers, promotions, promo codes, news and new features is voluntary and we will not refuse you our services if you have not subscribed to our newsletter. You may withdraw your consent to receive this information at any time.

Article 6. The Controller stores the personal data of the legal representatives of its business partners for the duration of the contract, for compliance with the legitimate interests and legal obligations of the Controller, and this duration may exceed the duration of the contract.

Transfer of your personal data for processing

Article 7. (1) The Controller may, at its discretion, transfer some or all of your personal data to personal data processors for the fulfillment of the processing purposes with which you have agreed, subject to the requirements of Regulation (EU) 2016/679 (GDPR).

(2) To provide quality services, we have engaged service providers - processors carefully selected according to their capacity to protect and process personal data. Without them, the implementation of our services would not be possible. We use only subcontractors - professionals in the relevant field, through whom we provide additional security for your data and to whom we provide only the information necessary for them to carry out their assigned activities, including:

1)    Courier service providers;

2)    Banks;

3)    IT and other software and hardware service providers;

4)    External accountants, auditors and legal advisors.

Where required by law, your personal data may be provided to competent government authorities and institutions such as the NRA, the Commission for Consumer Protection (CCP), the Commission for Personal Data Protection (CPDP), etc.

We do not provide your personal data to third parties without a legal or contractual basis, nor do we sell or otherwise distribute it.

(3) The Controller does not transfer your data to third countries. The Controller shall notify you in the event of an intention to transfer some or all of your personal data to third countries or international organisations. Where we need to make such transfers to third countries, we do so in accordance with the terms of this Privacy Notice, EU data protection rules, in particular the GDPR. This may include (i) transfers to Recipients located in countries, territories or part of certain sectors within such countries that are recognised as providing an adequate level of protection to the individuals concerned; (ii) transfers pursuant to data transfer agreements that incorporate standard contractual clauses approved by the EU Commission/Commissioner; or (iii) derogations for specific situations provided for in EU data protection legislation, etc.

Information we share

Article 8. We do not share information containing personal data with legal entities, organisations and individuals unless one of the following circumstances applies:

  1. With your consent - we will share information containing personal data with entities, organisations and individuals where we have your consent to do so;
  2. To perform certain services - with third party processors of personal data - as described above;
  3. Legal requirements - we will share information containing personal data with other entities, organisations or individuals if we have reason to believe that access, use, retention or disclosure of the information is reasonably necessary and/or required to:

a. comply with a valid law, regulation, legal process or final court order;

b. collect amounts due;

c. investigate potential violations;

d. detect, prevent or otherwise address fraud, technical or security problems;

e. protect against harm to our rights, property or safety, or those of our users or the public, as required or permitted by law.

We may share your name with Mollie in connection with the payment service they provide to you. You can find their Privacy Policy at https://www.mollie.com/

Security measures

Article 9. We have taken a wide range of technical and organisational measures to protect your personal data against loss or other forms of unlawful processing. Personal data is accessible only to those persons who need access to perform their work in connection with the provision of our services. These persons are trained and authorised accordingly. Our staff process personal data in accordance with the requirements of legality, confidentiality, ethics and appropriate use of data.

Your rights in the collection, processing and storage of your personal data 

Withdrawal of consent for the processing of your personal data

Article 10. (1) If you do not wish all or part of your personal data to continue to be processed by the Company for specific or for all purposes of processing, you can at any time withdraw your consent for processing by filling in the form in your profile or by written request.

(2) The Controller may ask you to verify your identity and the identity of the data subject.

(3) By withdrawing your consent to the processing of personal data, which is mandatory for creating and maintaining an account in the online store, your account will become inactive. Of course, you will be able to browse the online store and the products offered and place orders as a guest or create a new registration.

(4) If an order placed by you is still being processed, the earliest moment at which you can withdraw your consent for processing is upon successful completion of the order.

(5) You may at any time withdraw your consent to the processing of your personal data for the purposes of direct marketing.

(6) The withdrawal of the consent does not affect the legality of the processing of personal data, which the Controller has performed so far.

Right of access

Article 11. (1) You have the right to request and receive confirmation from the Controller whether personal data related to you is processed, and you can at any time see in your account, if you are a registered user, what data we process about you.

(2) You have the right to access the data related to you, as well as the information related to the collection, processing and storage of your personal data.

(3) Upon request, the Controller provides you with a copy of the processed personal data related to you in electronic or other appropriate form.

(4) Providing access to the data is free of charge, but the Controller reserves the right to impose an administrative fee in case of repetitive or excessive requests.

Right of correction or completion

Article 12. You may correct or complete inaccurate or incomplete personal information relating to you directly through your account on the website or by making a request to the Controller.

Right of deletion (“to be forgotten”) 

Article 13. (1) You have the right to request from the Controller the deletion of part or all of the personal data related to you, and the Controller has the obligation to delete them without undue delay when any of the following reasons is present:

  1. personal data is no longer needed for the purposes for which it was collected or otherwise processed;
  2. You withdraw your consent on which the data processing is based and there is no other legal basis for the processing;
  3. You object to the processing of personal data relating to you, including for direct marketing purposes, and there are no legal grounds for processing to take precedence;
  4. personal data has been processed illegally;
  5. personal data must be deleted in order to comply with a legal obligation under EU law or the law of a Member State applicable to the Controller;
  6. personal data has been collected in connection with the provision of services for the information society.

(2) The Controller is not obliged to delete personal data if it is stored and processed:

  1. to exercise the right of freedom of expression and the right of access to information;
  2. to comply with a legal obligation requiring processing provided for in EU law or the law of the Member State applicable to the Controller or for the execution of a task in public interest or in the exercise of official powers conferred to him;
  3. for reasons of public interest in the field of public health;
  4. for archiving purposes in public interest, for scientific or historical research or for statistical purposes;
  5. for the establishment, exercise or defense of legal claims.

(3) In case of exercising your right to be forgotten, the Company will delete all your data, except for the following information:

  1. information that is needed to verify that your right to be forgotten has been exercised – e-mail, IP address;
  2. technical information about the operation of the online store, which information cannot be connected in any way with your personality;
  3. e-mail with which you registered in the online store.

(4) In order to exercise your right to be forgotten, you need to take the following steps:

  1. To apply through your profile in the online store or by e-mail;
  2. To submit a unique identification code to perform the action, which will be sent to you by email at the address associated with the registration in the online store;
  3. To identify yourself as the account holder. Identification consists of sending the request from the e-mail address linked to the user account whose data is the subject of the right to be forgotten.

(5) After verifying the identity of the person making the request and the person to whom the data relates in accordance with the above steps, we will delete all data that we process for you, in accordance with para. 3.

(6) If you have an order that is being processed, the earliest time you can request to be “forgotten” is when the order is successfully completed.

(7) By deleting your personal data, your account will become inactive. Of course, you will be able to browse the online store and the products offered and place orders as a guest or make a new registration.

(8) The Controller does not delete data that it has a legal obligation to store, including data needed for its defence against court claims or as proof of its rights.

Right of restriction

Article 14. (1) You have the right to ask the Controller to restrict the processing of data related to you when:

  1. You challenge the accuracy of personal data for a period that allows the Controller to verify the accuracy of personal data;
  2. Processing is illegal, but you do not want the personal data to be deleted, only the use of it to be restricted;
  3. The Controller no longer needs your personal data for the purposes of processing, but you require them to establish, exercise or defend your legal claims;
  4. You have objected to the processing, pending verification of whether the legal grounds of the Controller take precedence over your interests.

(2) In case of exercising your right of restriction, the Company will suspend the processing of your data, but will not remove the publications you have made in the online store.

Right of transferability

Article 15. (1) If you have given your consent for the processing of your personal data or the processing is necessary for the performance of the contract with the Controller, or if your data is processed in an automated manner, you can, after identifying yourself to the Controller:

  1. ask the Controller to provide you with your personal data in a readable format and to transfer it to another Controller;
  2. ask the Controller to directly transfer your personal data to a Controller designated by you, when this is technically possible.

(2) You may at any time download or receive in machine-readable format the data stored and processed for you in connection with the use of the Controller’s services, directly through your account via the data export option or by e-mail request. 

Right to receive information

Article 16. You can ask the Controller to inform you about all recipients to whom the personal data for which correction, deletion or restriction of processing has been requested have been disclosed. The Controller may refuse to provide this information if it is impossible or would require a disproportionate effort.

Right to object

Article 17. You may object at any time to the processing by the Controller of personal data relating to you, including where it is processed for profiling or direct marketing purposes.

Unreasonableness and repetitiveness of claims

Article 18.  Please note that where your requests are manifestly unfounded or excessive, in particular because of their repetitiveness, we may:

1. charge a fee, taking into account the administrative costs of providing the information and/or communication or taking the action requested, or

2. refuse to act on the request.

We will use reasonable efforts to comply with your request within 30 (thirty) days of receiving your request. If necessary, this period may be extended by two months, taking into account the complexity and number of requests.

Your rights in the event of a breach of the security of your personal data

Article 19. (1) If the Controller finds a breach of the security of your personal data, which may pose a high risk to your rights and freedoms, they shall notify you without undue delay of the breach, as well as of the measures that have been taken or are to be taken.

(2) The Controller is not required to notify you if:

  1. they have taken appropriate technical and organizational protection measures with regard to data affected by the security breach;
  2. they have subsequently taken steps to ensure that the breach does not pose a high risk to your rights;
  3. notifying you would require a disproportionate effort.

Article 20. In the event of a breach of your rights under the above or applicable data protection legislation, you have the right to send a complaint to the Personal Data Protection Commission using the following contact details:

 

Name: Commission for Personal Data Protection

Seat and registered address: city of Sofia, 1592, 2 Prof. Tsvetan Lazarov Blvd.

Correspondence address: city of Sofia, 1592, 2 Prof. Tsvetan Lazarov Blvd.

Phone number: 02 915 3 518

Site: www.cpdp.bg

 

Article 21. You can exercise all your rights regarding the protection of your personal data through the forms attached to the present Privacy Policy or through the functionalities in your profile. Of course, these forms are optional and you can submit your requests in any form that contains a statement to that effect and identifies you as the data holder.

Article 22. The Company may amend the present Privacy Policy by posting a notice to that effect on its website.

The Privacy Policy was last amended on 14.02.2024.

Withdrawal form of consent for processing purposes – Annex № 1.

Request to be “forgotten” – to delete personal data related to me – Annex № 2.

Request for transferability of personal data – Annex № 3.

Request for data correction – Annex № 4.