Coffee Company

Privacy Policy

Last updated: 29 May 2026

About this policy

This Privacy Policy explains how Coffee Company collects, uses, and protects your personal data when you visit coffeecompanyroastery.gr, place an order, register for a seminar, or get in touch through our contact and wholesale forms. We take privacy seriously. This policy is written in plain language so you can understand exactly what we do with your data, why we do it, and what rights you have under the EU General Data Protection Regulation (GDPR) and Greek data-protection law.

Who is the data controller

The data controller responsible for your personal data is:

COFFEE COMPANY ETERORRYTHMI ETAIREIA
Merarchias Serron 52, 69100 Komotini, Rhodope, Greece
ΑΦΜ: 801274754
ΓΕΜΗ: 153268411000
Email: coffeecompanyroastery@gmail.com

If you have any questions about this policy or about how we handle your data, the easiest way to reach us is by email at the address above.

What data we collect

We only collect what we need to run the shop and serve you well. Depending on how you use the site, this may include:

• Contact details — your name, email address, and phone number, taken from your order, contact form, wholesale form, or seminar booking.
• Order data — the items you bought, quantities, totals, billing and shipping addresses, and your locale preference.
• Payment metadata — the payment method used (card via Stripe or cash on delivery) and a Stripe reference. We never see or store your full card number; that information is handled exclusively by Stripe under PCI-DSS.
• Invoicing details for B2B orders — company name, ΑΦΜ (VAT number), DOY (tax office), and company address. For Greek B2B customers, the ΑΦΜ is validated against the EU VIES database before invoicing.
• Communications — the contents of messages you send through the contact form or the wholesale inquiry form.
• Admin authentication data — for the small number of admin users who manage the shop, we store an email address and an authentication session via Supabase Auth. This does not apply to customers.

Our lawful basis for processing

Under Article 6 of the GDPR, we rely on the following lawful bases:

• Performance of a contract — to take and fulfil your order, ship it, and handle any after-sales support.
• Legal obligation — to meet our tax, accounting, and consumer-law obligations under Greek law, including retaining invoices and order records.
• Legitimate interest — to prevent fraud, secure the site, validate Greek B2B VAT numbers through VIES, and respond to inquiries received through our forms.
• Consent — for any future marketing communications. We do not currently send marketing emails; if that ever changes, we will ask for your consent first and you will be able to withdraw it at any time.

Why we use your data

We use your data only for the following purposes:

• To process and ship your orders, including arranging delivery with our courier.
• To send you order confirmations, shipping updates, and any service messages tied to your purchase.
• To respond to questions you send through our contact and wholesale forms.
• To issue invoices and keep the accounting records required by Greek tax law.
• To detect and prevent fraud and abuse, and to keep the site secure.
• To improve the shop based on aggregated, non-identifying information about how it is used.

Who we share data with

We do not sell your personal data. We share it only with the service providers we need to run the shop, each bound by a Data Processing Agreement (DPA) or equivalent contractual safeguards:

• Stripe Payments Europe, Ltd. (Ireland) and Stripe, Inc. (USA) — payment processing for card payments. Card details are sent directly to Stripe and never reach our servers.
• Supabase, Inc. (USA, EU-region database hosting) — order data, customer contact information, and admin authentication. Our project runs in an EU region.
• Resend (USA) — transactional email delivery (order confirmations, contact-form notifications, wholesale-inquiry notifications).
• Speedex Courier (Greece) — shipping carrier. We share your name, delivery address, phone number, and order weight so the parcel can be delivered.
• Render Services, Inc. (USA) — web hosting for the Next.js application.
• VIES / European Commission (Belgium) — VAT number validation lookups for Greek B2B customers, run against the EU's public VAT registry. This is required by Greek tax law before issuing a B2B invoice.
• Google Fonts (USA) — fonts (Playfair Display and Inter) are self-hosted at build time via the next/font tooling, so no personal data is sent to Google when you load the site.

We do not use third-party analytics or marketing tools. There is no Google Analytics, no Meta Pixel, no advertising trackers.

How long we keep your data

• Order and invoicing records — retained for the period required by Greek tax law (currently 10 years for accounting documents under the Greek Tax Procedure Code).
• Contact and wholesale form messages — retained for as long as needed to handle your request and any follow-up, and then deleted.
• Stripe and Speedex retain their own records under their own retention policies, which you can find in their respective privacy notices.

Where a shorter retention is possible without breaching a legal obligation, we apply it.

International data transfers

Some of our processors (Stripe, Resend, Render, and the US-based components of Supabase and Google Fonts) are based outside the European Economic Area. Where data is transferred outside the EEA, the transfer is covered by the European Commission's Standard Contractual Clauses (SCCs) and any supplementary safeguards required by GDPR Chapter V. If you would like a copy of the safeguards in place for a specific processor, contact us at coffeecompanyroastery@gmail.com.

Cookies and local storage

We use only the essential cookies and browser storage needed for the site to work:

• Cart state — so your basket survives a page refresh.
• Locale preference — so the site remembers whether you prefer English or Greek.
• Session — for the small number of admin users who need to sign in to manage the shop.

We do not set analytics, advertising, or marketing cookies. Because we only rely on strictly necessary technical storage, no cookie consent banner is shown — under Greek and EU law, essential cookies do not require consent.

Your rights under GDPR

You have the following rights with respect to your personal data:

• Access — ask us for a copy of the data we hold about you.
• Rectification — ask us to correct inaccurate or incomplete data.
• Erasure — ask us to delete your data, subject to the retention periods imposed by Greek tax law.
• Restriction — ask us to limit how we use your data while a question about it is resolved.
• Portability — ask for a machine-readable copy of the data you provided to us.
• Objection — object to processing based on our legitimate interest.
• Withdraw consent — where we relied on consent, withdraw it at any time.

To exercise any of these rights, email us at coffeecompanyroastery@gmail.com. We will respond within 30 days. There is no charge for a standard request.

Right to lodge a complaint

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Greek Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα):

Kifisias Avenue 1-3, 11523 Athens, Greece
www.dpa.gr
Tel: +30 210 6475600

We would ask you to contact us first so we can try to put things right, but reaching out to the Authority is your right at any time.

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our processors, or the law. When we do, we will update the "last updated" date at the top of this page. For material changes, we will make the update more prominent — for example, with a notice on the home page or by email to customers with a recent order.

Contact us

Questions, requests, or complaints about this policy or about your data?

Email: coffeecompanyroastery@gmail.com
Post: COFFEE COMPANY ETERORRYTHMI ETAIREIA, Merarchias Serron 52, 69100 Komotini, Rhodope, Greece