1. GENERAL PROVISIONS

1.1. The privacy policy is a set of rules aimed at informing our Customers about all aspects of the process of obtaining, processing, and securing their personal data. We also explain the principles and purposes of data acquisition. These processes are carried out in accordance with applicable laws, in particular the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and the Act of 10 May 2018 on the protection of personal data.

1.2. We hope that this Privacy Policy will help you understand the information we collect in connection with the operation of the Store and how we process it.

1.3. If we refer to the User in the Privacy Policy, these provisions also apply to you.

 

2. DEFINITIONS

2.1. Administrator – Y Coffee, with its registered office at Goldenbridge Industrial State, Tyrconnell Rd, Inchicore, Dublin 8, D08 FP64, registered at the Companies Registration Office in Ireland, under the number: 742529.

2.2. Personal data – any information about an identified or identifiable natural person, determined directly or indirectly, in particular by an identifier such as an IP address, location data, internet identifier, and information collected through cookies and similar technologies.

2.3. Policy – this Privacy Policy.

2.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

2.5. Act – the Act of 10 May 2018 on the protection of personal data.

2.6. Online Store – the online store operated by the Administrator at www.ycoffee.ie

2.7. User – any natural person visiting the Online Store and using one or more services or functionalities described in the Policy.

2.8. Administrator of personal data – The Administrator of personal data is Y Coffee, with its registered office at Goldenbridge Industrial State, Tyrconnell Rd, Inchicore, Dublin 8, D08 FP64, registered at the Companies Registration Office in Ireland, under the number: 742529.

2.9. Personal Data Protection Officer – The Administrator has appointed a Personal Data Protection Officer who can be contacted in writing by email at sales@ycoffee.ie. The Data Protection Officer will be happy to assist you with any matters related to the protection of personal data, in particular by answering questions regarding the processing of your personal data.

 

3. PURPOSES AND LEGAL BASES OF PERSONAL DATA PROCESSING 

In accordance with the scope of its activities, the Administrator processes your personal data for various purposes, always in accordance with the law. Your data is processed in connection with the following categories of actions:

3.1. Browsing the online store.

3.1.1. Data of all entities using the Online Store (including IP address or other identifiers, and information collected through cookies or similar technologies) who are not registered Users (i.e., individuals without a profile in the Online Store) is processed by the Administrator for one or several of the following purposes:

3.1.1.1. Provision of electronic services regarding the provision of content to Users posted on the Online Store, providing offers from other entities within the Marketplace service, and providing contact forms – legal basis for processing: necessity for the performance of a contract (Article 6(1)(b) of the GDPR).

3.1.1.2. Processing of purchases made without registration in the Online Store – legal basis for processing: necessity for the performance of a contract (Article 6(1)(b) of the GDPR).

3.1.1.3. Handling of complaints – legal basis for processing: necessity for the performance of a contract (Article 6(1)(b) of the GDPR).

3.1.1.4. Analytical and statistical purposes – legal basis for processing: legitimate interests pursued by the Administrator (Article 6(1)(f) of the GDPR), which consist of analyzing User behavior, activities, and preferences to improve the quality and adequacy of the functionalities and services provided.

3.1.1.5. Potential establishment and assertion of claims or defense against them – legal basis for processing: legitimate interests pursued by the Administrator (Article 6(1)(f) of the GDPR), which consist of protecting their rights.

3.1.1.6. Marketing activities of the Administrator and other entities, particularly related to behavioral advertising – legal basis for processing: legitimate interests pursued by the Administrator (Article 6(1)(f) of the GDPR), which consist of customizing the displayed advertising content – principles of personal data processing for marketing purposes are described in the “MARKETING” section.

3.1.2. User activity in the Online Store, including their personal data, is recorded in system logs (a dedicated computer system created to store a chronological record containing information about events and actions related to the information system used for providing services by the Administrator). The collected information in the logs is processed in connection with the provision of services by the Administrator. The Administrator also processes them for technical purposes, which specifically means that this data may be temporarily stored and processed to ensure the security and proper functioning of information systems, such as performing backup copies, testing changes in information systems, detecting anomalies, or protecting against abuses and attacks.

3.2. Registration in the Online Store. Users who register in the Online Store by creating a customer account are asked to provide the necessary data for creating and managing the account. To facilitate the ordering process, Users may provide additional data and give consent to their processing. Additional data can be changed or deleted at any time. Providing data marked as mandatory (email address and password) is required for the purpose of creating and managing an account, and failure to provide them results in the inability to create an account. Personal data provided to the Administrator is processed for one or several of the following purposes:

3.2.1. Provision of services related to the operation and management of the account in the Online Store – legal basis for processing: necessity for the performance of a contract (Article 6(1)(b) of the GDPR).

3.2.2. Analytical and statistical purposes – legal basis for processing: legitimate interests pursued by the Administrator (Article 6(1)(f) of the GDPR), which consist of analyzing User behavior, activities, and preferences to improve the quality and adequacy of the functionalities and services provided.

3.2.3. Potential establishment and pursuit of claims or defense against them – legal basis for processing – legitimate interests of the Controller (Article 6(1)(f) of the GDPR), which consists of protecting its rights.

3.2.4. Marketing activities of the Controller and other entities, in particular sellers using the Marketplace service – rules for processing personal data for marketing purposes are described in the “MARKETING” section.

3.3. Contact form.

3.3.1. The Administrator’s online store provides the option to contact them using an electronic contact form. Using the form requires providing personal data necessary to contact the User and respond to their inquiry. The User may also provide other data to facilitate contact or handle the inquiry. Providing data marked as mandatory is required to accept and handle the inquiry, and failure to provide them will result in the inability to use the form. Providing non-required data is voluntary.

3.3.2. The personal data provided to the Administrator in the contact form are processed for one or several of the following purposes:

3.3.2.1. Identification of the sender and handling their inquiry sent through the provided form – legal basis for processing – necessity of processing for the performance of a service contract (Article 6(1)(b) of the GDPR).

3.3.2.2. Analytical and statistical purposes – legal basis for processing – legitimate interests of the Controller (Article 6(1)(f) of the GDPR), which consists of conducting statistics of inquiries submitted by Users through the online store to improve its functionality and the actions of the Administrator.

3.4. Placing an order.

3.4.1. Placing an order (purchase offer) by the User in the online store involves the processing of their personal data. Providing data marked as mandatory is voluntary but necessary for the fulfillment and delivery of the ordered goods, and failure to provide them will result in the inability to place an order. Providing other data is optional and does not affect the fulfillment of the order.

3.4.2. The personal data provided during the order placement in the online store are processed for one or several of the following purposes:

3.4.2.1. Fulfillment of the placed order – legal basis for processing: for mandatory data – necessity of processing for the performance of a contract (Article 6(1)(b) of the GDPR); for optionally provided data – consent (Article 6(1)(a) of the GDPR);

3.4.2.2. Fulfillment of legal obligations incumbent on the Controller, arising in particular from tax and accounting regulations – legal basis for processing – legal obligation (Article 6(1)(c) of the GDPR);

3.4.2.3. Analytical and statistical purposes – legal basis for processing – legitimate interests of the Controller (Article 6(1)(f) of the GDPR), which consists of conducting analyses of User behavior and activities, as well as their preferences, aiming to improve the quality and adequacy of the applied functionalities and services provided;

3.4.2.4. Potential establishment and pursuit of claims or defense against them – legal basis for processing – legitimate interests of the Controller (Article 6(1)(f) of the GDPR), which consists of protecting its rights;

3.5. Marketing.

3.5.1. The Administrator processes Users’ personal data for the purpose of conducting marketing activities, based on the legitimate interests of the Controller (Article 6(1)(f) of the GDPR). These activities may include, in particular:

3.5.1.1. Displaying non-personalized marketing content to the User (contextual advertising).

3.5.1.2. Displaying marketing content to the User based on their interests (behavioral advertising).

3.5.1.3. Sending email notifications about interesting offers or content, which may include commercial information in some cases.

3.5.1.4. Carrying out other activities related to direct marketing of goods and services (sending commercial information electronically and telemarketing activities).

3.5.2. In order to carry out marketing activities, the Administrator sometimes uses profiling. This means that through automated data processing, the Administrator assesses selected factors concerning individuals to analyze their behavior or make future forecasts. However, when performing this type of profiling, the Administrator does not apply any legal or significantly impactful effects on the User.

3.6. Contextual advertising. The Administrator processes Users’ personal data for marketing purposes related to directing contextual advertising to Users (i.e., advertising that is not tailored to the User’s preferences). The processing of personal data is carried out based on the legitimate interest of the Administrator (Art. 6(1)(f) of the GDPR).

3.7. Behavioral advertising. The Administrator processes Users’ personal data, including personal data collected through cookies and other similar technologies, for marketing purposes related to directing behavioral advertising to Users (i.e., advertising that is tailored to the User’s preferences). The processing of personal data also includes profiling Users. The use of the collected personal data through this technology for marketing purposes, particularly in promoting services and goods of third parties, is based on the legitimate interest of the administrator and only if the User has given consent to the use of cookies. Consent to the use of cookies can be expressed through appropriate browser configuration and can be withdrawn at any time, especially by clearing the cookie history and disabling cookie support in the browser settings. This consent can be withdrawn at any time.

3.8. Direct marketing. If the User has given consent to receive marketing information via email, SMS, and other electronic communication means, the User’s personal data will be processed for the purpose of sending such information. The basis for processing the data is the legitimate interest of the Administrator in sending marketing information within the scope of the User’s consent (direct marketing). The User has the right to object to the processing of data for direct marketing purposes, including profiling. The data will be stored for this purpose for the duration of the Administrator’s legitimate interest, unless the User objects to receiving marketing information.

3.9. Cookies and similar technology.

3.9.1. Cookies are small text files installed on the User’s device when browsing the Online Store. Cookies collect information that facilitates the use of the website, such as remembering the User’s visits to the Online Store and their actions.

3.9.2. The Administrator primarily uses cookies to provide electronic services to the User and improve the quality of these services. Therefore, the Administrator, as well as other entities providing analytical and statistical services on its behalf, use cookies by storing information or accessing information already stored on the User’s telecommunications end device (computer, phone, tablet, etc.). The cookies used for this purpose include:

3.9.2.1. User input cookies (session cookies) for the duration of the session.

3.9.1.2. Authentication cookies used for authentication services for the duration of the session.

3.9.1.3. Security cookies used to ensure security, such as detecting authentication abuses.

3.9.1.4. Session cookies of multimedia players (e.g., Flash player cookies) for the duration of the session.

3.9.1.5. Persistent cookies for user interface customization during the session or slightly longer.

3.9.1.6. Shopping cart cookies for remembering the cart contents during the session.

3.9.1.7. Cookies used for monitoring website traffic, i.e., data analytics cookies, including Google Analytics cookies (these are files used by Google to analyze how the User uses the Online Store, to create statistics and reports on the functioning of the Online Store). Google does not use the collected data to identify the User or combine this information to enable identification. Detailed information on the scope and rules of data collection in connection with this service can be found at the following link: https://www.google.com/intl/en/policies/privacy/partners.

3.9.3. The Administrator also uses cookies for marketing purposes, including behavioral advertising targeted at Users. To this end, the Administrator stores information or gains access to information already stored on the User’s telecommunications end device (computer, phone, tablet, etc.). The use of cookies and the personal data collected through them for marketing purposes, particularly in promoting services and goods of third parties, requires the User’s consent. This consent can be expressed through appropriate browser configuration and can be withdrawn at any time, especially by clearing cookie history and disabling cookie support in browser settings.

 

4. HOW LONG DO WE KEEP YOUR DATA?

4.1. In accordance with applicable law, we process your personal data for the time necessary to achieve the designated purpose. After this period, your personal data will be irreversibly deleted or destroyed.

4.2. In situations where we do not need to perform any other operations on your personal data other than storage (e.g., when we store order content for defense against claims), we additionally secure them until their permanent deletion or destruction — by pseudonymization. Pseudonymization involves encrypting personal data or a set of personal data in such a way that they cannot be read without an additional key, making such information completely useless to unauthorized persons.

4.3. Your personal data will be processed by the Administrator for the period necessary to achieve the purposes mentioned in the “Purposes and legal bases of personal data processing” section, e.g., until the provision of the newsletter service on your behalf is terminated, until the participation agreement in our loyalty program is terminated, until the completion of the complaint procedure, and after that period until the expiration of any claims or the expiration of data storage obligations under applicable law.

 

5. WHAT ARE YOUR RIGHTS REGARDING YOUR DATA?

5.1. Users whose data is processed have the following rights:

5.1.1. The right to information about personal data processing — based on this right, the Administrator provides information about the processing of personal data, including primarily the purposes and legal bases of processing, the scope of data held, recipients to whom the personal data is disclosed, and the planned period of their deletion.

5.1.2. The right to obtain a copy of the data — based on this right, the Administrator provides a copy of the processed data concerning the person making the request.

5.1.3. The right to rectification of data — based on this right, the Administrator removes any inconsistencies or errors regarding the processed personal data and complements or updates them if they are incomplete or have changed.

5.1.4. The right to erasure of data — based on this right, you can request the deletion of data that is no longer necessary for any of the purposes for which it was collected.

5.1.5. The right to restriction of processing — based on this right, the Administrator ceases processing operations on personal data, except for operations for which the person to whom the data relates has given consent, and their storage, in accordance with the adopted retention policies, or until the reasons for restricting the processing of data cease (e.g., a decision by the supervisory authority is issued allowing further data processing).

5.1.6. Right to data portability – based on this provision, to the extent that data is processed in connection with a concluded contract or with the individual’s consent, the Administrator shall provide the data supplied by the person concerned in a format that allows for computer reading. It is also possible to request the transfer of this data to another entity, provided that there are technical capabilities on the part of both the Administrator and the other entity.

5.1.7. Right to object to data processing for marketing purposes – the person whose data is concerned may object to the processing of personal data for marketing purposes at any time, without the need to justify such objection.

5.1.8. Right to object to other purposes of data processing – the person whose data is concerned may object to the processing of personal data based on the legitimate interests of the Administrator (e.g., for analytical or statistical purposes or for reasons related to property protection) at any time. Such objection should include a justification and is subject to evaluation by the Administrator.

5.2. A request concerning the exercise of the rights described above can be submitted by email to: sales@ycoffee.ie

5.3. The request should, to the extent possible, clearly indicate the subject of the request, including:

5.3.1. The requester’s identity.

5.3.2. The specific right described in point 7.1 that the person submitting the request wishes to exercise.

5.3.3. The purposes of processing to which the request relates (e.g., marketing purposes, analytical purposes, etc.).

5.4. If the Administrator is unable to determine the content of the request or identify the person submitting the request based on the submitted information, the Administrator will request additional information from the applicant.

5.5. A response to the request will be provided promptly, no later than one month from its receipt. If necessary, the Administrator will inform the applicant of the reasons for such an extension.

5.6. The response will be sent to the email address from which the request was submitted. In the case of requests sent by mail, it will be sent by registered letter to the address indicated by the applicant, unless the letter explicitly states a preference for receiving feedback via email (in such a case, the email address should be provided).

​

6. RIGHT TO WITHDRAW CONSENT

6.1. If the Administrator processes your personal data based on your consent, you can withdraw that consent at any time at your discretion.

6.2. To withdraw consent for the processing of your personal data, you can do so in one of the following ways:

6.2.1. Send an email directly to the Administrator at sales@ycoffee.ie.

6.2.2. Send an email to the Data Protection Officer at sales@ycoffee.ie.

6.2.3. Tick the appropriate box in the customer panel under the “account editing” tab.

6.2.4. Click the link provided at the end of the email message.

6.3. If the Administrator processes your personal data based on your consent, the withdrawal of consent does not affect the lawfulness of the processing carried out before the withdrawal. In other words, until consent is withdrawn, the Administrator has the right to process your personal data, and withdrawing consent does not affect the lawfulness of the processing that occurred prior to the withdrawal.

 

7. RIGHT TO LODGE A COMPLAINT 

If you believe that your personal data is being processed unlawfully, you have the right to lodge a complaint with the President of the Personal Data Protection Office.

 

8. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES AND INTERNATIONAL ORGANIZATIONS

Your personal data is not transferred to Third Countries, i.e., outside the European Economic Area (EEA), or to international organizations.

 

9. FINAL PROVISIONS

9.1. Any matters not regulated by this Privacy Policy are subject to the provisions of the Act and the GDPR.

9.2. You will be notified of any changes made to this Privacy Policy via email.

9.3. If you have any questions regarding the privacy policy, please contact the Administrator in writing by email at: sales@ycoffee.ie.

9.4. If you wish to contact the Data Protection Officer appointed by the Administrator, you can do so in writing by email at: sales@ycoffee.ie. The Data Protection Officer will be happy to assist you with any matters related to the protection of personal data, particularly in providing answers to questions regarding the processing of your personal data.

9.5. This Privacy Policy is effective as of January 3, 2024.