Privacy Policy
Effective date: 20 October 2025
Website: healthcoffee.store (the “Site”)
Brand / Trading name: Health Coffee Store
Data Controller: Health Coffee Store
Contact (privacy): farrisfarhan47@gmail.com • +60 17-974 2325
Postal address: B-1-7, Starville Apartment, Jalan USJ 19/6, 47620 Subang Jaya, Selangor, Malaysia
This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use the Site, place orders, or interact with us. It is designed to meet the requirements of GDPR/UK‑GDPR, California CPRA, Canada’s PIPEDA, and the Australian Privacy Act (APPs). Where local laws grant stronger protections, those prevail.
1) What this policy covers
- Visitors, account holders and customers of the Site.
- The processing we perform directly and through service providers (e.g., payments, shipping, analytics).
- This policy does not cover third‑party websites or services that link to/from the Site.
2) Personal information we collect
We collect the minimum data needed to operate our store and services. Categories include:
- Identity & contact – name, email, phone/WhatsApp, billing/shipping address.
- Account data – username, password (hashed), preferences, saved addresses.
- Order & transaction – products purchased, order IDs, amounts, currencies, invoices, delivery instructions.
- Payment – tokenised card/payments info processed by payment providers; we do not store full card numbers.
- Shipping – recipient name, address, contact for delivery; tracking numbers, carrier events.
- Communications – messages, support tickets, reviews, survey responses.
- Device/usage – IP address, browser, device type, pages visited, time on page, referring URLs, error logs.
- Cookies/SDKs – identifiers used for site operation, analytics, preferences, and (if enabled) marketing/ads. See our Cookie Policy.
CPRA category mapping (examples): identifiers; customer records; commercial information; internet activity; geolocation (coarse, IP‑based); inferences (limited, if analytics/ads enabled). We do not seek sensitive personal information (SPI); if it is incidentally processed (e.g., precise geolocation, government ID for KYC), we restrict its use and do not use SPI to infer characteristics.
3) Sources of data
- You provide it directly (checkout, account creation, forms, support, reviews).
- Collected automatically from your device via cookies and similar tech (see Cookie Policy).
- From service providers (payments, shipping carriers) to complete orders and fraud prevention.
- Publicly available sources to verify addresses or prevent abuse.
4) Why we use your information (purposes) and legal bases
We process personal information for these purposes and legal bases:
| Purpose | Examples | Legal basis (GDPR/UK‑GDPR) |
|---|---|---|
| Operate the Site & provide services | account creation, checkout, order management, customer support | Performance of a contract; Legitimate interests |
| Payments & fraud prevention | process payments, verify identity, chargebacks | Performance of a contract; Legitimate interests; Legal obligation |
| Shipping & delivery | share details with carriers, tracking updates | Performance of a contract |
| Communications | order updates, support replies | Performance of a contract; Legitimate interests |
| Marketing (opt‑in/opt‑out) | newsletters, offers | Consent (e.g., EU/CASL) or Legitimate interests with opt‑out |
| Analytics & site improvement | measure traffic, fix errors | Consent where required (EU/UK); Legitimate interests elsewhere |
| Legal & compliance | tax/audit records, responding to lawful requests | Legal obligation; Legitimate interests |
5) Cookies and similar technologies
We use essential cookies for security and functionality and, with consent where required, analytics and advertising cookies. You can manage preferences at any time via “Cookie Settings.” See our Cookie Policy for details of cookie types, providers and durations.
6) Sharing your information
We share data only with service providers and partners who perform services on our behalf and under contract:
- E‑commerce & hosting (e.g., WooCommerce/WordPress, hosting/CDN, backup).
- Payments (e.g., card processors, PayPal or similar). We receive tokens/confirmations—not full card data.
- Shipping & logistics (e.g., FedEx and comparable carriers), customs brokers, address verification.
- Analytics/marketing (if enabled) (e.g., Google Analytics/Ads, Meta).
- Customer communications (email service provider, chat/support tools).
- Professional services (auditors, accountants, legal).
- Authorities when required by law or to protect rights, safety, and prevent fraud.
We do not sell personal information for money. If we use advertising/analytics that constitutes a “share” under CPRA, you may opt out via the “Do Not Sell or Share My Personal Information” link and the Cookie Settings.
7) International data transfers
We are based in Malaysia and may process data in other countries. Where we transfer personal data from the EEA/UK to countries without an adequacy decision, we rely on appropriate safeguards (e.g., Standard Contractual Clauses, UK Addendum) plus supplementary measures as needed. Copies of relevant safeguards are available on request, subject to confidentiality.
8) Retention
We keep personal information only as long as necessary for the purposes above, including to comply with legal, tax and accounting requirements:
- Orders, invoices & tax records: typically 7 years.
- Account data: for the life of the account plus a reasonable backup/archival period.
- Marketing contacts: until you unsubscribe or we prune inactive lists.
- Cookies: per the durations shown in the Cookie Policy.
We will securely delete or anonymise data when no longer needed.
9) Your choices
- Marketing: You can unsubscribe using the link in our emails or by contacting us.
- Cookies: Use the banner or Cookie Settings to accept/decline non‑essential cookies.
- Account: Update your details in your account area or contact support.
10) Your privacy rights (summaries)
EEA/UK (GDPR/UK‑GDPR) – You may have the right to access, rectify, erase, restrict, object to processing, and data portability; to withdraw consent at any time; and to lodge a complaint with your Supervisory Authority. We usually respond within 1 month.
United States – California (CPRA) – California residents may request: access/know, correction, deletion, information about disclosures, and to opt out of sale/sharing and certain profiling. We do not use sensitive personal information for inferring characteristics. Response time: 45 days (extendable once by 45 days). You will not be discriminated against for exercising rights.
Canada (PIPEDA/CASL) – Rights include access and correction; consent for marketing emails/SMS is required (CASL). Unsubscribe at any time.
Australia (APPs) – You can request access and correction; complaints can be lodged with the OAIC if unresolved.
We do not currently appoint an EU or UK representative. If that changes, we will update this policy.
11) How to exercise your rights
Email farrisfarhan47@gmail.com with the subject “Privacy Request” and tell us which right you wish to exercise. We may need to verify your identity (e.g., email confirmation, order number, billing address). You may authorise an agent under applicable law. If we decline a request, we will explain why and how to appeal.
12) Security
We use administrative, technical and organisational measures appropriate to the risk, including TLS encryption in transit, role‑based access, backups, and staff confidentiality commitments. No method of transmission or storage is 100% secure.
13) Children
The Site is not directed to children under 13 (or under 16 in the EEA where consent is required). We do not knowingly collect data from children. If you believe a child has provided data, contact us to delete it.
14) Region‑specific disclosures
- EU/UK: Our legal identity and contact details appear at the top of this policy; distance‑selling and withdrawal rights are explained in our Terms and Returns Policy.
- US‑CA: See our “Do Not Sell or Share My Personal Information” and Privacy Rights pages for opt‑out and request mechanisms.
- Canada: Our marketing complies with CASL; each message includes an unsubscribe link and our postal address.
- Australia: This policy aligns with the APPs; see Section 15 for complaints.
15) Complaints
If you have concerns, contact us first at farrisfarhan47@gmail.com. You may also contact your local authority:
- EEA: your national Supervisory Authority
- UK: Information Commissioner’s Office (ICO)
- Canada: Office of the Privacy Commissioner of Canada (OPC)
- Australia: Office of the Australian Information Commissioner (OAIC)
16) Changes to this policy
We may update this policy from time to time. The “Effective date” shows when it last changed. Significant changes will be posted on the Site and, where appropriate, notified by email or banner.
17) Contact us
Email: farrisfarhan47@gmail.com
Phone/WhatsApp: +60 17-974 2325
Postal: B-1-7, Starville Apartment, Jalan USJ 19/6, 47620 Subang Jaya, Selangor, Malaysia
