Privacy Policy & GDPR
Privacy Policy — Personal Data Protection (GDPR)
Last updated: May 1, 2026
1. Who we are
WMA ROASTERY SRL (hereinafter referred to as "Incognito Coffee", "we" or "the Operator") is the operator of your personal data collected through the website www.incognito-coffee.ro.
Headquarters: Strada Institutul Medico-Militar, Nr. 22, Sector 1, Bucharest
CUI: RO41953225 · Reg. Com.: J40/16203/2019
Email for GDPR inquiries: [email protected]
2. What data we collect
Depending on how you interact with our website, we process the following categories of data:
- Identification and contact data: first name, last name, email address, phone number.
- Shipping and billing data: postal address, city, county, postal code, country.
- Order data: products ordered, value, payment method, order history.
- Account data: email address, encrypted password, preferences (language, saved shipping address).
- Payment data: We DO NOT store bank card data. Payment is processed directly by our providers (Stripe, Shopify Payments).
- Technical data: IP address, browser type, operating system, pages visited, duration of visit, traffic source.
- Cookies and similar technologies: see chapter 7 below.
3. Purposes for which we process data
- Order processing: receiving, confirming, delivering and invoicing ordered products.
- Account management: creating and managing your account on the website, authentication, password recovery.
- Transactional communications: notifications related to orders, shipping, returns, complaints.
- Marketing (with consent): sending newsletters, promotions, product recommendations — only if you have given explicit consent.
- Website analysis and improvement: anonymized or pseudonymized usage statistics.
- Legal obligations: issuing invoices, keeping accounting documents, responding to requests from authorities.
- Fraud prevention: security checks for suspicious transactions.
4. Legal grounds for processing
We process your data based on the following legal grounds according to EU Regulation 2016/679 (GDPR):
- Contract performance (Art. 6 para. 1 lit. b GDPR) — for order processing, delivery, invoicing, account management.
- Your consent (Art. 6 para. 1 lit. a GDPR) — for marketing, newsletters, non-essential cookies.
- Legal obligation (Art. 6 para. 1 lit. c GDPR) — for accounting, ANAF, ANPC, ANSPDCP.
- Legitimate interest (Art. 6 para. 1 lit. f GDPR) — for service improvement, fraud prevention, website security.
5. To whom we transmit data
Your data may be transmitted to the following categories of recipients, only for the purposes mentioned:
- Payment service providers: Shopify Payments, Stripe — for online payment processing.
- Delivery providers: courier companies that deliver the order to the specified address.
- Hosting and platform providers: Shopify Inc. — the e-commerce platform on which the website runs.
- Transactional email providers: for sending confirmations, notifications and newsletters.
- Analytics services: Google Analytics, Meta Pixel — with anonymized or pseudonymized data.
- Accounting and authorities: internal/external accountant, ANAF, ANPC, courts of law, when required by law.
All providers we work with are contractually obliged to protect your data according to GDPR standards.
6. How long we keep data
- Order and invoice data: 10 years, according to the Romanian Fiscal Code.
- Account data: until your account is deleted by you or for 3 years from the last activity.
- Marketing data: until consent is withdrawn ("Unsubscribe" link in each email).
- Cookies: according to the duration specified in the cookie policy.
- Technical data / logs: maximum 12 months.
7. Cookies
We use cookies and similar technologies for:
- Strictly necessary cookies (session, shopping cart, authentication) — cannot be disabled.
- Performance cookies (Google Analytics, Shopify Analytics) — help us understand how the website is used.
- Marketing cookies (Meta Pixel, Google Ads) — for personalized ads outside the website.
On your first visit, a banner will be displayed where you can accept or reject non-essential cookies. You can change your preferences at any time from your browser's cookie settings.
8. Your rights under GDPR
As a data subject, you have the following rights:
- Right of access — to know what data we have about you and to receive a copy of it.
- Right to rectification — to correct inaccurate data or complete incomplete data.
- Right to erasure ("right to be forgotten") — to request the deletion of data when it is no longer necessary for the original purpose.
- Right to restriction of processing — to request the suspension of processing under certain conditions.
- Right to data portability — to receive data in a structured format and transmit it to another operator.
- Right to object — to object to processing based on legitimate interest or direct marketing.
- Right to withdraw consent — at any time, for processing based on consent.
- Right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP): www.dataprotection.ro.
To exercise any of these rights, please write to us at [email protected]. We will respond within a maximum of 30 days from receiving the request.
9. Data security
We take technical and organizational measures to protect your data:
- Encrypted HTTPS connections throughout the website.
- Passwords stored encrypted (hashing).
- Restricted access to customer data — only authorized personnel.
- Providers (Shopify, Stripe) PCI-DSS certified for payment processing.
- Continuous monitoring and security updates.
10. Data transfer outside the EU
Some of our providers (e.g., Shopify, Google, Meta) may process data on servers in the US or other countries outside the European Economic Area. In these cases, the transfer is protected by Standard Contractual Clauses approved by the European Commission or by Data Privacy Framework certifications.
11. Minors
Our website is not intended for persons under 16 years of age. We do not knowingly collect data about minors. If you realize that a minor has provided personal data, please write to us and we will delete it immediately.
12. Changes to this policy
We may update this Privacy Policy periodically. The updated version will be published on this page with the date of the last modification mentioned at the top. In case of major changes affecting your rights, we will notify you by email or a visible notification on the website.
13. Contact
For any questions related to this policy or the processing of your data, you can contact us at:
Email: [email protected]
Address: Strada Institutul Medico-Militar, Nr. 22, Sector 1, Bucharest
Phone: 0725 390 236