The administrator of personal data responsible for their processing is:
AYA Coffee Sp. z o.o.
Zamkowa 18/165-086 Zielona Góra
NIP: 9292075511
hello@aya.coffee
Thank you for your interest in our online shop. Protecting your privacy is very important to us. Below you will find detailed information on how we handle your data.
1. Access data and hosting
You can visit our websites without providing any personal data. Each time you access a website, the server automatically saves only so-called server logs, e.g. the name of the requested file, your IP address, the date and time of access, the amount of data transferred and the Internet service provider making the request (so-called access logs) and documents the access to the website.
This data is analysed solely for the purpose of ensuring the proper functioning of our website and improving our offer. This serves to safeguard our legitimate interest in the optimal and proper presentation of our websites and our offer in accordance with Article 6(1)(f) of the GDPR. All access data is deleted within seven days of the end of your visit to the website.
Hosting
Website hosting and display services are partly provided on our behalf by our service providers as part of data processing. Unless otherwise stated in this privacy policy, all access data and data collected in the forms provided for this purpose on our website will be processed on their servers. If you have any questions about our service providers and the basis of our cooperation with them, please contact us. You will find our contact details in the section ‘Our contact details and your rights’.
2. Collection and processing of data for the purpose of performing the contract
We collect personal data when you provide it to us by placing an order or contacting us (e.g. via the contact form or by email). Mandatory fields are marked as such because they relate to data that is necessary for the performance of the contract or for the processing of your enquiry. Without this data, we cannot complete your order or contact you. The data collected is determined by the forms in which it is collected.
We use the data you provide in accordance with Article 6(1)(b) of the GDPR for the purpose of fulfilling the contract and responding to your enquiries. Further information on the processing of your data, in particular with regard to the transfer of data to our service providers for the purpose of order processing, payment and shipping, can be found in the following sections of this privacy policy. After the contract has been fulfilled, the processing of your data will be restricted and, after the expiry of the storage periods required by tax regulations and the Accounting Act, the data will be deleted (Article 6(1)(c) of the GDPR), unless you expressly consent (Article 6(1)(a) of the GDPR) to the further use of this data for other purposes or we reserve the right to further use it in cases permitted by law, in which case we will inform you in this privacy policy.
Goods management system
We also use an external goods management system to process orders and fulfil contracts. Our service providers provide us with services in this area under a data processing agreement. If you have any questions about our service providers and the basis of our cooperation with them, please contact us. You will find our contact details under ‘Our contact details and your rights’.
3. Data transfer
In order to perform the contract (Article 6(1)(b) of the GDPR), we transfer your data to the shipping company selected by you during the ordering process, which has been commissioned to deliver the ordered products.
In order to fulfil the contract, we will pass on your data to the courier company responsible for delivery, if this is necessary for the delivery of the goods you have ordered. Depending on which payment service provider you select during the ordering process, we will pass on the payment data collected for this purpose to the credit institution handling the payment and, if applicable, to the payment service provider selected by us or by you. Some payment service providers collect data themselves if you create an account with them. In such cases, you must log in to the payment service provider with your access data when placing your order. The privacy policy of the respective payment service provider also applies in this case.
Some of our payment service providers and couriers are based in countries outside the European Union. Personal data is only transferred to these companies when necessary for the performance of the contract.
Transfer of data to a courier company
If you give us your express consent during or after placing your order, we will pass on your email address and telephone number to the selected courier company so that they can contact you before delivering your order to notify you or arrange delivery.
The above consent may be withdrawn at any time by sending us a message to our contact address indicated in the section ‘Our contact details and your rights’ or by sending a message directly to the courier company. Upon withdrawal of your consent, we will delete the data you have provided for this purpose, unless you expressly consent to the further use of your data for other purposes or unless we reserve the right to continue using the data in cases permitted by law, in which case we will inform you accordingly in this statement.
4. Data processing for payment purposes
In order to process payments in our online shop, we work with external service providers that handle online electronic payments and transfer your data to the payment service provider you select during the ordering process. This is done for the purpose of fulfilling the contract (Article 6(1)(b) of the GDPR).
Data processing for the purpose of preventing abuse and optimising payments
In some situations, we may provide our service providers with additional information that they may use together with the information necessary to process payments. These service providers then act on our behalf as processors and provide us with services in the area of fraud prevention and payment process optimisation (e.g. invoicing, analysis of disputed payments, accounting support). In accordance with Article 6(1)(f) of the GDPR, this serves to protect our legitimate interests in protecting against abuse and fraud and in the effective management of payments.
5. Marketing channels: email
Advertisement sent by email after subscribing to the newsletter
If you subscribe to our newsletter, we will use the data you provide us with for the purpose of sending you our newsletter regularly by email on the basis of your consent (Article 6(1)(a) of the GDPR). You can unsubscribe from the newsletter at any time by sending us a message to our contact address indicated in the section ‘Our contact details and your rights’ or by using the appropriate link provided in the newsletter. After you unsubscribe, we will delete your email address unless you expressly consent to the further use of your data for other purposes or we reserve the right to further use this data in cases permitted by law, in which case we will inform you accordingly in this privacy policy.
Sending a newsletter
The newsletter is sent as part of data processing on our behalf by an external service provider. If you have any questions about our service providers and the basis of our cooperation with them, please contact us. You will find the contact details under ‘Our contact details and your rights’.
Sending invitations to submit purchase reviews
If you have given your consent during or after placing your order (Article 6(1)(a) of the GDPR), we will use your email address to send you an electronic invitation to evaluate your purchase in our shop. The review/rating is submitted via the review system we use. You can withdraw your consent at any time by sending a message to our contact address indicated in the section ‘Our contact details and your rights’ or by using the appropriate link provided in the message inviting you to submit a review.
Requests for reviews may be sent on our behalf and at our request by an external service provider who provides us with services in this area. An appropriate level of data protection has been ensured within the framework of this cooperation. If you have any questions about the basis of our cooperation with this service provider, please contact us. You will find our contact details under ‘Our contact details and your rights’.
6. Cookies and similar technologies
General information
In order to make your visit to our website more attractive and to enable you to use its key functions, we use technological tools, including so-called cookies. Cookies are small text files that are automatically stored on your end device. Some of the cookies we use are deleted after the end of your browser session, i.e. when you close your browser (so-called session cookies). Other cookies are stored on your end device and enable us to recognise your browser when you next visit the website (so-called persistent cookies). We use technologies that are absolutely necessary to ensure the proper and optimal use of the essential functions of our website (e.g. the shopping basket function). These technologies process data such as your IP address, the time of your visit to the website, information about your device and browser, as well as information about your use of our website (e.g. the contents of your shopping basket). This serves, in accordance with Article 6(1)(f) of the GDPR, to pursue our legitimate interest in the optimal presentation of our offer.
In addition, we also use technological tools to fulfil our legal obligations (e.g. to prove that we have obtained consent to process your personal data) and for web analytics and online marketing. Further information on this, including the relevant legal basis for data processing, can be found in the following sections of this privacy policy.
In the help menu of your web browser, you will find explanations on how to change your cookie settings. These are available under the following links: Microsoft Edge™ / Safari™ / Chrome™ / Firefox™ / Opera™
If you have given us your consent to use specific technological tools (Article 6(1)(a) of the GDPR), you may withdraw this consent at any time. To withdraw your consent, please contact us using the contact details provided in the section ‘Our contact details and your rights’.
7. Use of cookies and similar technological tools for web analytics and marketing purposes
If you have given your consent (Article 6(1)(a) of the GDPR), we use the cookies and other similar technological tools of external service providers listed below on our website. Once the purpose of processing has been fulfilled and the use of the respective technological tool has ended, the data collected through the use of these tools will be deleted. You may withdraw your consent at any time. Detailed information on how to withdraw your consent and your right to object can be found in the section ‘Cookies and similar technologies’. Further information can be found on the websites of the respective service providers. If you have any questions about our service providers and the basis of our cooperation with them, please contact us. You will find our contact details in the section ‘Our contact details and your rights’.
Use of Google services
We use the following technological tools provided by Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland (‘Google’). Information collected automatically by Google technologies regarding the use of our website is usually transferred to a Google LLC server at 1600 Amphitheatre Parkway Mountain View, CA 94043, USA, and stored there. The European Commission has not issued a decision on the adequacy of data protection in the USA. Our cooperation is based on standard data protection clauses adopted by the European Commission. If your IP address is processed when using Google’s technological tools, it will be shortened before being stored on Google’s servers thanks to IP anonymisation. Only in exceptional cases will the full IP address be transferred to a Google server and shortened there. Unless otherwise specified for individual Google technologies described in this privacy policy, data processing is carried out on the basis of a contract for joint personal data processing concluded with Google in accordance with Article 26 of the GDPR. For further information on data processing by Google, please refer to the privacy policy on Google’s website.
Google Analytics
We use Google Analytics, a web analytics tool from Google, to analyse the use of our website. This tool automatically processes your data (IP address, time spent on the website, device and browser information, and information about your use of our website) for this purpose and creates pseudonymous user profiles based on this data. Cookies may be used for this purpose. Your IP address is not generally linked to other data collected by Google. Data processing within Google Analytics is carried out on the basis of a data processing agreement with Google.
YouTube Video Plugin
In order to integrate third-party content using the YouTube video plugin, the following data is processed by Google when the video is played: IP address, time of visit, information about the user’s device and browser.
Use of Meta services, Meta Pixel
We use the Piksel Meta tool provided by Meta Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland (‘Facebook’). The scope of the Piksel Meta tool’s functionality that we use is indicated below. Pixel Meta automatically collects and stores data (your IP address, time of visit to the website, device and browser information, as well as information about your use of our website, e.g. visit to the website or registration for the newsletter). Based on this data, pseudonymised user profiles are then created.
For this purpose, when you visit our website, Piksel Meta stores a cookie on your device which, using a pseudonymised cookie ID, enables your browser to be automatically recognised when you visit other websites. Facebook will combine this information with other data from your Facebook account and use it to compile reports on website activity and to provide other services related to your use of websites, in particular for the purpose of personalising advertising. The information collected automatically by Facebook technologies about your use of our website is usually transferred to a server of Meta, Inc., 1601 Willow Road, Menlo Park, California 94025, USA, and stored there. The European Commission has not issued a decision on the adequacy of the level of data protection in the USA. To the extent that the transfer of data to the USA is within our responsibility, our cooperation is based on the European Commission’s standard data protection clauses. Further information on data processing by Facebook can be found in Facebook’s privacy policy.
Meta Analytics
As part of Meta Analytics, statistics on user activity on our website are compiled based on data collected using the Meta Pixel tool regarding your use of our website. Data processing by Facebook is carried out on the basis of a data processing agreement. Data analysis (statistics on website usage) serves to optimise and improve our website.
Meta Ads
Meta Ads enables us to advertise our website on Facebook and other platforms. We set the parameters for a given advertising campaign. Facebook is responsible for its accurate implementation, in particular for deciding whether to display a given advertisement to individual users. Unless otherwise specified for individual functions and tools, data processing is carried out on the basis of a joint personal data processing agreement in accordance with Article 26 of the GDPR. Joint responsibility is limited to the collection of data and its transfer to Meta Ireland. This does not include subsequent processing of the data by Meta Ireland.
Based on the pseudonymised Cookie ID stored by Facebook Pixel and the information collected about user activity on our website, we create personalised advertising using the Meta Pixel Remarketing function.
Other providers of analytical and marketing tools Use of the Vimeo Video Plugin
In order to integrate third-party content using the Vimeo video plugin, the following data is processed by Vimeo LLC, 555 West 18th Street, New York 10011, USA (‘Vimeo’) when the video is played: IP address, time of visit, information about the user’s device and browser.
Data processing is carried out in accordance with Article 26 of the GDPR on the basis of joint arrangements between the joint controllers.
The Vimeo Video Plugin automatically integrates the Google Analytics tool. For web analytics purposes, Google Analytics automatically processes data (your IP address, time spent on the website, device and browser information, as well as information about your use of our website) and creates pseudonymised user profiles using cookies. Google Analytics is a product of Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (‘Google’). The information collected automatically by Google technologies about your use of our website is usually transferred to a Google server in the United States and stored there. If your IP address is processed within the scope of Google technologies, it will be shortened beforehand by activating IP anonymisation. Only in exceptional cases will the full IP address be transferred to a Google server and shortened there. We have no influence on or access to the processing of data by Vimeo, including the settings for Google Analytics. The European Commission has not issued a decision on the adequacy of data protection in the USA. Our cooperation is based on the standard data protection clauses adopted by the European Commission.
Hotjar and Clarity
Tools are used to anonymously record user sessions in order to optimise the use of our online shop.
8. Integration with Trusted Shops Trustbadge
In order to display our Trusted Shops Quality Mark, as well as the collected customer reviews and the Trusted Shops offer available to buyers after placing an order, the Trustbadge from Trusted Shops is integrated into our website.
Integration with Trusted Shops Trustbadge serves to fulfil our legitimate interests (Art. 6(1)(f) GDPR) in optimising the marketing of our offer by enabling secure purchases. The Trustbadge (so-called trust badge) and the services advertised with it are an offer of Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany. The Trustbadge is made available to us as part of a CDN (Content Delivery Network). Trusted Shops GmbH uses the services of providers from the USA, among others, for this purpose. An adequate level of data protection is ensured. You can find more information about the data protection policy of Trusted Shops GmbH here.
When the Trustbadge is called up, the server automatically stores so-called server logs (log files) containing, for example, your IP address, the date and time of the call, the amount of data transferred and the Internet service provider making the request (access data/so-called server logs) and documents the call. Server logs are stored for the purpose of analysing security vulnerabilities and are automatically deleted no later than 90 days after their creation. Other personal data is only transferred to Trusted Shops GmbH if you voluntarily decide to use Trusted Shops products after placing an order in our shop or if you have already registered to use them. In such cases, the contractual agreement between you and Trusted Shops applies. For this purpose, personal data is automatically collected from the order data. Whether you, as a buyer, are already registered to use Trusted Shops products is automatically checked on the basis of a neutral parameter – your email address, which is encrypted using cryptographic one-way encryption. The email address is encrypted before transmission using a hash value in such a way that it cannot be decrypted by Trusted Shops. After the compliance check, the parameter is automatically deleted. The above is necessary to fulfil the purposes of our and Trusted Shops’ legitimate interests (Article 6(1)(f) of the GDPR) in providing services related to a specific order, i.e. buyer protection services (Trusted Shops guarantee) and purchase review services. Further information, including information about your rights, can be found in the Trusted Shops privacy policy available above and via the Trustbadge tool.
9. Social media
Social media plugins: Facebook, Instagram
Our website uses social media plugins (buttons). These plugins are available via an HTML link, which ensures that when you visit our website containing such plugins (buttons), no automatic, direct connection is established with the servers of the operator of the social media service in question. When you click on one of the buttons (plug-ins), a new window will open in your browser displaying the social media site where you can confirm your use of the button, e.g. ‘Like’ or ‘Share’.
Our activity on social media: Facebook, Instagram, YouTube
Our website uses social media plugins (buttons). These plugins are available via an HTML link, which ensures that when you visit our website containing such plugins (buttons), no automatic, direct connection is established with the servers of the operator of the social media service in question. When you click on one of the buttons (plug-ins), a new window will open in your browser displaying the social media site where you can confirm your use of the button, e.g. ‘Like’ or ‘Share’.
If you have given your consent to a social media platform (Article 6(1)(a) of the GDPR), your data will be automatically collected and stored for web analytics and marketing purposes when you visit our account/profile on the aforementioned social media platforms. Based on this data, pseudonymised user profiles are created. These may be used, for example, to place so-called personalised advertisements within and outside social networks that are likely to correspond to your interests. Cookies are usually used for this purpose.
Detailed information on the processing and use of your data by individual social media platforms, as well as information on your rights and privacy settings, and contact details for enquiries are described in the privacy policies of the individual social media platforms linked below. If you require assistance in this regard, please do not hesitate to contact us.
Facebook is a social networking service provided by Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (‘Facebook Ireland’). Information about your activity and use of our Facebook fan page is automatically processed and usually transferred to a Facebook server in the United States and stored there. The European Commission has not issued a decision confirming an adequate level of data protection in the United States. Our cooperation is based on standard data protection clauses adopted by the European Commission. Data processing when visiting the Facebook fan page is carried out in accordance with Article 26 of the GDPR on the basis of joint agreements between the joint controllers, which are available here. Further information on the processing of your personal data when visiting our Facebook fan page (information on page statistics functions) is available here.
Instagram is a social networking service provided by Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (‘Facebook Ireland’). Information about your activity and use of our fan page on Instagram is automatically processed and generally transferred to a server of Facebook, Inc., 1601 Willow Road, Menlo Park, California 94025, USA, where it is stored. The European Commission has not issued a decision confirming an adequate level of data protection in the USA. Our cooperation is based on standard data protection clauses adopted by the European Commission. Data processing when visiting the fan page on Instagram is carried out in accordance with Article 26 of the GDPR on the basis of joint agreements between the joint controllers. Further information on the processing of your personal data when visiting the Facebook fan page (information on page statistics functions) is available here.
YouTube is a social media service provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (‘Google’). Information about your activity and use of our YouTube profile is automatically processed and generally transferred to a Google LLC server at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, where it is stored. The European Commission has not issued a decision confirming an adequate level of data protection in the USA. Our cooperation is based on standard data protection clauses adopted by the European Commission.
10. Our contact details and your rights
Persons whose data is processed have the following rights:
- in accordance with Article 15 of the GDPR: the right to obtain information about the processing of data within the scope specified in this article;
- in accordance with Article 16 of the GDPR: the right to rectify your incorrect or incomplete personal data;
- in accordance with Article 17 of the GDPR: the so-called ‘right to be forgotten’, i.e. the right to have your personal data stored by us deleted, unless further processing is necessary:
- to exercise the right to freedom of expression and information;
- to comply with a legal obligation;
- for reasons of public interest;
- for the establishment, exercise or defence of legal claims;
- in accordance with Article 18 of the GDPR: the right to restriction of processing of personal data, if:
- the accuracy of the personal data is contested by you;
- the processing is unlawful and you object to its erasure;
- we no longer need the personal data, but you need it to establish, exercise or defend your legal claims;
- you have objected to the processing pursuant to Article 21;
- in accordance with Article 20 of the GDPR: the right to receive the data you have provided to us in a structured, commonly used and machine-readable format and to transmit it to another controller;
- in accordance with Article 77 of the GDPR: the right to lodge a complaint with a supervisory authority (the President of the Personal Data Protection Office ‘UODO’).
If you have any questions regarding the collection, processing and use of your personal data, or if you wish to request information, rectification, restriction of processing or deletion of data, or if you wish to withdraw your consent or object to the use of certain data, please contact the data controller indicated at the beginning of this privacy policy directly.
Right to object
If we process personal data in the manner described in this privacy policy to protect our legitimate interests, you may object to the processing of your data for this purpose with future effect. If the processing is for direct marketing purposes, you may exercise your right to object at any time. If the processing takes place for other purposes, you have the right to object only on grounds relating to your particular situation.
After you exercise your right to object, we will not continue to process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims.
The previous sentence does not apply if the data processing is carried out for direct marketing purposes. In this case, we will always cease further processing of your personal data after you have objected.