This Privacy Policy explains how we process your personal data when you visit batucoffee.com, contact us, place an order, or make a wholesale inquiry. It is provided in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, GDPR).

The controller of your personal data is: Mai Company Złota 75A/7, 00-819 Warsaw, Poland VAT (NIP): PL5243067521 Email: office@batucoffee.com For any matter relating to this Privacy Policy or your personal data, please contact us at office@batucoffee.com. We have not appointed a Data Protection Officer, because we are not required to do so under Article 37 GDPR.

We only process personal data we actually need, for specific purposes set out below.

Data: name, email address, subject, message content, and any additional information you choose to provide. Purpose: to respond to your inquiry and handle our communication with you. Legal basis: Article 6(1)(f) GDPR — our legitimate interest in answering people who contact us; if your inquiry concerns a possible purchase, also Article 6(1)(b) GDPR — steps taken at your request prior to entering into a contract. Retention: for as long as needed to handle your inquiry and for a reasonable follow-up period; in any case no longer than is necessary, and not longer than the general civil claims limitation period under Polish law (6 years).

Data: first and last name, delivery address, email address, phone number, order details (products, quantity, value), and the data needed to issue an invoice (including, where applicable, company name, address, and VAT/NIP). Payment card or BLIK data is not processed by us — see section 3. Purpose: to conclude and perform the sales contract, deliver your order, handle complaints and returns, issue accounting documents, and meet legal obligations. Legal basis: • Article 6(1)(b) GDPR — performance of the sales contract; • Article 6(1)(c) GDPR — compliance with our legal obligations, in particular tax and accounting law and consumer protection law. Retention: • Data on invoices and other accounting documents: 5 years from the end of the calendar year in which the tax obligation arose; • Data needed to handle complaints and warranty claims: up to 2 years from delivery of the goods; • Other order data: until the general civil claims limitation period expires (typically 6 years).

Data: name, email address, company information, content of the conversation, and any further data you share with us during negotiations. Purpose: to respond to your inquiry, prepare and negotiate an offer, and manage the business relationship. Legal basis: Article 6(1)(b) GDPR (pre-contractual steps and contract performance) and/or Article 6(1)(f) GDPR — our legitimate interest in B2B communication. Retention: for the duration of the negotiations and the business relationship, and afterwards as needed to defend against claims (up to 6 years) and to meet tax/accounting obligations (5 years). Tools used: we use Notion and Google Drive for internal management of wholesale inquiries — see section 3.

We use PostHog to understand how visitors use our website. PostHog uses cookies and similar technologies and may process technical identifiers, including a randomly generated user identifier, IP address (which PostHog typically truncates in EU configurations), browser and device information, referrer, and pages viewed. Purpose: to measure and improve the website. Legal basis: Article 6(1)(a) GDPR — your consent, given via the cookie banner. We only start analytics tracking after you give consent, and you may withdraw it at any time (see section 6). More information: https://posthog.com/privacy

We use: • Essential cookies that are strictly necessary to operate the website (e.g. to remember your cookie choices, to keep your shopping cart, to allow checkout). These do not require consent. • Analytics cookies (PostHog) — set only with your consent, see section 2.4. You can manage or withdraw your consent at any time via the cookie banner on the site, and you can also block or delete cookies in your browser settings.

We link to our Instagram profile (https://www.instagram.com/batu.coffee). Clicking the link takes you to Instagram, which is operated by Meta Platforms Ireland Ltd. as a separate controller. We do not control how Meta processes your data on their platform. Please see Meta's privacy policy at https://www.facebook.com/privacy/policy/ for details.

We plan to sell our products separately on Allegro. If you place an order through Allegro, the controller of the data you provide on Allegro is Allegro sp. z o.o.; we receive only the data needed to fulfill the order placed there. Please refer to Allegro's own privacy policy for details.

We share your personal data only with the recipients listed below, and only to the extent necessary. • Stripe (Stripe Payments Europe Ltd., Ireland / Stripe, Inc., USA) — Payment service provider; EU and USA (EU-U.S. Data Privacy Framework and Standard Contractual Clauses) • Apple Pay (Apple Distribution International Ltd., Ireland) — Payment method; EU/USA • BLIK (Polski Standard Płatności sp. z o.o.) — Payment method; Poland (EEA) • InPost (InPost S.A.) — Shipping carrier; Poland (EEA) • DHL (DHL Parcel Polska Sp. z o.o.) — Shipping carrier; EEA and destination country for international shipments • Replit (Replit, Inc., USA) — Website hosting; USA (Standard Contractual Clauses) • Resend (Resend, Inc., USA) — Transactional email delivery; USA (Standard Contractual Clauses) • PostHog (PostHog, Inc.) — Analytics; EU (Frankfurt) or USA (Standard Contractual Clauses) • Notion (Notion Labs, Inc., USA) — Wholesale inquiry management; USA (Standard Contractual Clauses) • Google Drive / Google Workspace (Google Ireland Ltd.) — File storage; EEA and USA (Standard Contractual Clauses) • Our accountant / accounting office — Invoice data; Poland (EEA) • Competent public authorities — Data we are required to disclose by law; Poland (EEA) We do not sell your personal data to anyone.

Some of our providers (Stripe, Replit, Resend, Notion, Google) are based in the United States or process data outside the European Economic Area (EEA). Where this happens, transfers take place on the basis of the EU-U.S. Data Privacy Framework (where the provider is certified) and/or the Standard Contractual Clauses adopted by the European Commission under Article 46(2)(c) GDPR. You may request a copy of the safeguards in place by contacting us at office@batucoffee.com.

Providing personal data is voluntary, but in some cases it is necessary to use our services: • To place an order — name, delivery address, email, and payment data are required; • To receive a VAT invoice for a business — company name, address, and NIP are required by tax law; • To receive a reply via the contact form — your email is required. If you do not provide this data, we will not be able to perform the relevant service.

Under the GDPR, you have the right to: • Access your data and receive a copy (Art. 15); • Rectify inaccurate or incomplete data (Art. 16); • Erasure (‘right to be forgotten’) in the cases listed in Art. 17; • Restrict processing in the cases listed in Art. 18; • Data portability for data processed on the basis of consent or contract (Art. 20); • Object to processing based on legitimate interest (Art. 21); • Withdraw consent at any time, where processing is based on consent (Art. 7(3)); • Lodge a complaint with a supervisory authority — in Poland: Prezes Urzędu Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw, https://uodo.gov.pl. To exercise your rights, please contact us at office@batucoffee.com. We will respond within one month from receipt of your request.

We do not carry out automated decision-making, including profiling, that produces legal effects concerning you or significantly affects you within the meaning of Article 22 GDPR.

We apply appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or alteration, including encrypted transmission (HTTPS) and access controls to systems where personal data is stored. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours, and you where required by law.

Our website and shop are not directed at persons under the age of 16, and we do not knowingly process personal data of children. If you believe that a child has provided us with personal data, please contact us at office@batucoffee.com and we will delete it.

We may update this Privacy Policy from time to time, for example to reflect changes in our services or in applicable law. The current version is always available at this URL. Material changes will be communicated on the website.