Privacy Policy

Data controller: Baristica Coffee Roastery, a specialty coffee roastery based in Baku, Azerbaijan, operator of the website baristicaroastery.az.

Contact (general & privacy): [email protected]. For EU/UK privacy requests, you may use the same address and include “GDPR Request” in the subject line where helpful.

This Policy applies to personal data we process through the Baristica website and related services (the “Site”). It does not govern third-party websites, payment providers, or social networks we link to, which have their own policies. Our separate mobile application has its own privacy notice.

We collect information you provide, information generated when you use the Site, and limited technical data needed to run it.

3.1 Account and authentication — when you create or access an account we process your email address and password (passwords are hashed and stored by our authentication provider; we never store your raw password in readable form), session / access tokens that keep you signed in, and the name you provide at sign-up. We use Supabase for authentication and backend data storage.

3.2 Orders and fulfilment — when you place an order we collect the name on the account, your phone number, and your delivery or pickup address; the order items, sizes, amounts, and order status history; and the payment status and transaction references returned by our payment provider. We do not store full payment card numbers on our servers.

3.3 Support and communications — if you contact us by email or through a form on the Site, we process your contact details and the content of your message in order to respond.

3.4 Technical and security data — to operate, secure, and improve the Site we may process your IP address and approximate network information, browser and device type, and error or diagnostic logs from server requests. We use Vercel Web Analytics to count page views and understand which pages visitors reach. Vercel Web Analytics is a privacy-focused, cookie-less product and does not assign a persistent identifier; it processes IP-derived approximate location only to compute aggregate metrics. No third-party advertising trackers or cross-site fingerprinting tools are used on the Site.

We use personal data to:

• Create and secure accounts and authenticate users
• Show the catalogue, process orders, hand off payment, and arrange fulfilment
• Respond to enquiries and provide customer support
• Detect, prevent, and address fraud, abuse, and security issues
• Comply with law, tax, and accounting obligations
• Improve the reliability and user experience of the Site

We do not sell your personal information. We use service providers (processors) to host data and deliver features, as described below.

Online payments are processed by our payment partner (E-point, or another provider disclosed at checkout). Payment details you enter are handled under that provider’s terms and privacy notice. We typically receive only confirmation of payment, transaction references, and amounts needed to complete your order and meet legal record-keeping obligations.

We share data with service providers strictly as needed to run the Site:

• Backend & authentication — Supabase (database, authentication, file storage)
• Hosting — our website hosting and content-delivery provider
• Payments — E-point or other disclosed payment processors
• Infrastructure — email delivery and telecommunications providers underlying the above

These providers may store or process data in the EU, the UK, the US, or other countries depending on their architecture. Where required, we use appropriate safeguards such as Standard Contractual Clauses. We may also disclose information if required by law, lawful request, or to protect rights, safety, and security.

Where GDPR or similar laws apply, we rely on one or more of the following:

• Contract — to provide the services you request (account, orders)
• Legitimate interests — to secure the Site, fix bugs, and communicate service messages, balanced against your rights
• Consent — where required; you may withdraw consent at any time
• Legal obligation — bookkeeping, tax, and regulatory compliance

We keep information as long as your account is active and for a reasonable period afterwards to resolve disputes, enforce agreements, and comply with law. Certain order and tax records may be retained longer where required.

We implement administrative, technical, and organisational measures appropriate to the risk, including HTTPS transport encryption for traffic between your browser and our servers, authenticated access to backend resources, and reliance on our providers’ security programmes. No method of storage or transmission is perfectly secure.

Depending on your location you may have rights to access, rectify, delete, restrict, object to, or port certain data, and to withdraw consent where processing is consent-based.

To exercise any of these rights — including deleting your account — email us at [email protected]. We may need to verify your identity before fulfilling a request. Some records may be retained where the law requires.

Children — the Site is not directed at children under 13 (or a higher age where local law requires). If you believe we have collected data from a child, contact us and we will take appropriate steps.

If you access the Site from outside the country where our providers process data, your information may be transferred across borders as described in Section 6.

We may update this Policy from time to time. We will post the updated version and revise the “Last updated” date. If changes are material, we will provide additional notice where appropriate.

Questions about this Policy: [email protected]. Address: Nigar Rafibeyli 12/14, Passage 1901, Baku, Azerbaijan. Phone: +994 51 433 30 03. Where applicable, you may also lodge a complaint with your local data-protection supervisory authority.