Last updated: 24 May 2026
Effective from: 24 May 2026
Privacy Policy — Bà Tú Coffee
Last updated: 9 June 2026 Effective from: 9 June 2026
This Privacy Policy explains how we process your personal data when you visit batucoffee.com, contact us, place an order, or submit a wholesale enquiry. The Policy has been prepared in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR").
1. Who is the controller of your personal data
The controller of your personal data is:
Mai Company ul. Złota 75A/7, 00-819 Warsaw, Poland Tax ID (NIP): PL5243067521 E-mail: office@batucoffee.com
For any matter concerning this Privacy Policy or your personal data, please contact us at office@batucoffee.com.
We have not appointed a Data Protection Officer, as we are not required to do so under Article 37 of the GDPR.
2. What data we process, for what purpose, on what legal basis and for how long
We only process the personal data we actually need, for the purposes set out below.
2.1 Contact form and e-mail correspondence
Data: name, e-mail address, subject, content of the message, and any other information you choose to share.
Purpose: responding to your enquiry and conducting correspondence with you.
Legal basis: Article 6(1)(f) of the GDPR — our legitimate interest in responding to people who contact us; where the enquiry concerns a potential purchase — also Article 6(1)(b) of the GDPR.
Retention period: for as long as necessary to handle the enquiry; no longer than the general limitation period for civil-law claims (6 years under the Polish Civil Code).
2.2 Orders placed in the online shop (batucoffee.com)
Data: name, delivery address, e-mail address, telephone number, order data (products, quantity, value), and the data required to issue an invoice. We do not process or store card payment data or BLIK data — see section 3.
Purpose: conclusion and performance of the sales contract, delivery of the order, complaints and returns handling, issuing accounting documents, and fulfilment of legal obligations.
Legal basis:
- Article 6(1)(b) of the GDPR — performance of the sales contract;
- Article 6(1)(c) of the GDPR — compliance with legal obligations.
Retention period:
- Invoice data: 5 years from the end of the year in which the tax obligation arose;
- Complaint-related data: up to 2 years from the date of delivery of the goods;
- Other order data: until the expiry of the limitation period for claims arising from the contract (no longer than 6 years).
2.3 Wholesale enquiries (B2B)
Data: name, e-mail address, company details, content of the conversation, and any other information shared during negotiations.
Purpose: responding to enquiries, preparing offers, and maintaining business relationships.
Legal basis: Article 6(1)(b) of the GDPR and/or Article 6(1)(f) of the GDPR.
Retention period: for the duration of the business relationship and the period needed to defend against claims (up to 6 years), and to fulfil tax and accounting obligations (5 years).
Tools: for internal handling of wholesale enquiries and non-invoiced sales records, we use Google Drive / Google Sheets — see section 3.
2.4 Analytics (PostHog)
We use PostHog to understand how visitors use our website. PostHog uses cookies and similar technologies and may process technical identifiers, including a randomly generated user identifier, IP address (which is typically truncated in EU configurations), browser and device information, the referral source, and the pages viewed.
Purpose: measuring and improving how the site performs.
Legal basis: Article 6(1)(a) of the GDPR — your consent given via the cookie banner. Analytics only runs after you give consent, which you may withdraw at any time (see section 6).
More information: https://posthog.com/privacy
2.5 Cookies and similar technologies
We use:
- Necessary cookies — required for the site to work (shopping cart, order processing, etc.). These do not require consent.
- Analytics cookies (PostHog) — used only after you have given consent, see section 2.4.
You can manage or withdraw your consent through the cookie banner on the site, or block cookies in your browser settings.
2.6 Social media (Instagram)
Our website contains a link to our Instagram profile (https://www.instagram.com/batu.coffee). When you click on it, you will be redirected to Instagram, which is operated by Meta Platforms Ireland Ltd. as a separate data controller. We do not control how Meta processes your data. Details: https://www.facebook.com/privacy/policy/
3. Recipients of data — with whom we share data
We share your personal data only with the recipients listed below and only to the extent necessary.
| Recipient | Function | Location and basis for transfer |
|---|---|---|
| Stripe (Stripe Payments Europe Ltd., Ireland / Stripe, Inc., USA) | Payment services provider | EU and USA (EU-U.S. Data Privacy Framework) |
| Apple Pay (Apple Distribution International Ltd., Ireland) | Payment method | EU/USA |
| BLIK (Polski Standard Płatności sp. z o.o.) | Payment method | Poland (EEA) |
| InPost (InPost S.A.) | Carrier | Poland (EEA) |
| DHL (DHL Parcel Polska Sp. z o.o.) | Carrier | EEA and destination country for international shipments |
| Replit (Replit, Inc., USA) | Website hosting | USA (Standard Contractual Clauses) |
| Resend (Resend, Inc., USA) | Transactional e-mail delivery | USA (EU-U.S. Data Privacy Framework) |
| PostHog (PostHog, Inc.) | Analytics service | EU (Frankfurt) or USA (Standard Contractual Clauses) |
| Google Drive / Google Workspace (Google Ireland Ltd.) | File storage, non-invoiced sales records | EEA and USA (EU-U.S. Data Privacy Framework) |
| Accounting office | Invoice data | Poland (EEA) |
| Competent public authorities | Data required by law | Poland (EEA) |
We do not sell your personal data to anyone.
4. Transfers outside the EEA
Some of our providers (Stripe, Replit, Resend, PostHog, Google) are based in the United States or may process data outside the EEA. In such cases, the transfer takes place on the basis of:
- EU-U.S. Data Privacy Framework — for providers certified under that programme (Stripe, Resend, Google), pursuant to Commission Implementing Decision (EU) 2023/1795;
- Standard Contractual Clauses adopted by the European Commission under Article 46(2)(c) of the GDPR — for the remaining providers (Replit, PostHog).
You may obtain a copy of the safeguards in place by contacting us at office@batucoffee.com.
5. Is providing data mandatory
Providing personal data is voluntary, but in certain cases it is necessary in order to use our services:
- To place an order — we require your name, delivery address, e-mail address and payment details;
- To receive a VAT invoice for your business — tax law requires the company name, address and tax ID;
- To receive a reply to the contact form — we require your e-mail address.
Without this data we will not be able to provide the relevant service.
6. Your rights
Under the GDPR you have the right to:
- Access your data and obtain a copy of it (Article 15);
- Rectification of inaccurate or incomplete data (Article 16);
- Erasure of your data (right to be forgotten) in the cases set out in Article 17;
- Restriction of processing in the cases set out in Article 18;
- Portability of data processed on the basis of consent or contract (Article 20);
- Object to processing based on legitimate interest (Article 21);
- Withdraw consent at any time (Article 7(3));
- Lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warsaw, https://uodo.gov.pl.
To exercise your rights, contact us at office@batucoffee.com. We will respond within one month of receiving your request. Where the request is complex or where we receive a large number of requests, that period may be extended by a further two months, of which we will inform you (Article 12(3) of the GDPR).
7. Automated decision-making and profiling
We do not take decisions that produce legal effects concerning you or similarly significantly affect you, including by way of profiling, within the meaning of Article 22 of the GDPR.
8. Security
We apply appropriate technical and organisational measures to protect personal data against unauthorised access, loss or alteration, including encrypted transmission (HTTPS) and access controls for the systems in which personal data is stored. In the event of a data breach that may result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours and, where required by law, will also inform you.
9. Children
Our website and shop are not directed at persons under 16 years of age, and we do not knowingly process the personal data of children. If you believe that a child has provided us with their personal data, please contact us at office@batucoffee.com — we will delete the data.
10. Changes to the Privacy Policy
We may update this Privacy Policy, for example in connection with changes to our services or to applicable law. The current version is always available at this address. We will announce material changes on the website.
© 2026 BÀ TÚ COFFEE by Mai Company