Legal

GDPR & Data Protection

Updated 28 January 2026

RoastWorksLviv.com LLC operates primarily in Ukraine and serves wholesale partners across Ukraine and, in some cases, in the European Union. Where we process the personal data of individuals located in the EU — for example, EU-based café operators who source our coffee — we do so in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This page sets out our lawful bases for processing, your full rights as a data subject, and how to exercise those rights.

1. Data controller

The data controller responsible for your personal data is:

  • Entity: RoastWorksLviv.com LLC
  • Address: 14 Promyslova Street, Lviv 79020, Ukraine
  • Data protection contact: privacy@roastworkslviv.com

We do not have a formally appointed Data Protection Officer (DPO) as we do not engage in large-scale systematic monitoring of individuals or large-scale processing of special category data. However, our data protection contact handles all privacy queries and rights requests personally.

2. Lawful bases for processing

We rely on the following lawful bases under Article 6 of the GDPR when processing personal data:

  • Consent (Article 6(1)(a)): Where you have freely given, specific, informed and unambiguous consent to the processing of your personal data — for example, by submitting our contact form with the privacy checkbox ticked, or by accepting analytics cookies through our cookie banner. You may withdraw consent at any time; see Section 4 for how to do this.
  • Contract (Article 6(1)(b)): Where processing is necessary for the performance of a contract to which you are a party — for example, to fulfil a wholesale supply order, arrange delivery or issue an invoice — or to take pre-contractual steps at your request.
  • Legitimate interests (Article 6(1)(f)): Where processing is necessary for our legitimate business interests, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include operating and improving our website, preventing fraud, maintaining business security, and communicating with prospective partners about our products. We conduct a balancing test before relying on this basis.
  • Legal obligation (Article 6(1)(c)): Where processing is necessary to comply with a legal obligation to which we are subject under Ukrainian or EU law, such as accounting, tax and anti-money laundering requirements.

3. Your rights under the GDPR

If you are located in the EU or your data is processed in circumstances covered by the GDPR, you have the following rights. These rights are not absolute and may be subject to exceptions or conditions in specific circumstances.

3.1 Right of access (Article 15)

You have the right to obtain confirmation of whether we process personal data about you and, if so, to receive a copy of that data together with information about the purposes of processing, the categories of data, the recipients, the retention period and your other rights.

3.2 Right to rectification (Article 16)

You have the right to have inaccurate personal data about you corrected without undue delay, and to have incomplete personal data completed, including by means of a supplementary statement.

3.3 Right to erasure / "right to be forgotten" (Article 17)

You have the right to request deletion of your personal data where: it is no longer necessary for the purpose for which it was collected; you withdraw consent and there is no other lawful basis; you object to processing based on legitimate interests and we have no overriding grounds; the data has been unlawfully processed; or erasure is required to comply with a legal obligation. This right does not apply where we are required to retain data by law.

3.4 Right to restriction of processing (Article 18)

You have the right to obtain restriction of processing in the following circumstances: you contest the accuracy of the data (for the period while we verify it); the processing is unlawful but you oppose erasure; we no longer need the data but you need it for the establishment, exercise or defence of legal claims; or you have objected to processing and we are verifying whether our legitimate grounds override yours.

3.5 Right to data portability (Article 20)

Where we process your data based on your consent or on a contract, and the processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format (such as CSV or JSON), and to transmit that data to another controller. You also have the right to have the data transmitted directly from us to another controller where technically feasible.

3.6 Right to object (Article 21)

You have the right to object, on grounds relating to your particular situation, to processing of your personal data based on our legitimate interests (Article 6(1)(f)). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or where processing is necessary for the establishment, exercise or defence of legal claims. Where personal data is processed for direct marketing purposes, you have an unconditional right to object at any time.

3.7 Right to withdraw consent (Article 7(3))

Where we process your data on the basis of your consent, you have the right to withdraw that consent at any time, without giving any reason. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. To withdraw consent, contact us at privacy@roastworkslviv.com or, for cookie consent specifically, update your preferences through your browser settings.

3.8 Rights related to automated decision-making and profiling (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects concerning you. We do not currently engage in automated decision-making of this nature, but we will inform you if this changes.

4. How to exercise your rights

To exercise any of the rights listed above, please send a written request to privacy@roastworkslviv.com. Include your full name, contact details and a clear description of the right you wish to exercise and the data it relates to. We may ask you to verify your identity before acting on your request.

We will respond within one calendar month of receipt of your request, as required by the GDPR. Where a request is complex or numerous, we may extend this period by a further two months, in which case we will notify you within the first month and explain the reason for the extension.

There is no charge for making a rights request. If requests are manifestly unfounded, excessive or repetitive, we may charge a reasonable administrative fee or refuse to act.

5. International data transfers

Where personal data is transferred from the EU or EEA to Ukraine or to third countries, we ensure that appropriate safeguards are in place. These may include:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission;
  • Transfer to countries the European Commission has determined to provide an adequate level of protection;
  • Other appropriate safeguards as permitted by the GDPR.

For transfers from Ukraine to third countries, we apply the data protection principles established under Ukrainian law and equivalent safeguards. You may request a copy of any transfer mechanisms we rely on by contacting privacy@roastworkslviv.com.

6. Data retention in the GDPR context

We retain personal data for the minimum period necessary for the purposes described in our Privacy Policy. Retention periods are:

  • Website enquiry data: up to 24 months after the enquiry, unless an ongoing commercial relationship develops.
  • Wholesale partner data: for the duration of the partnership and 7 years thereafter for statutory accounting purposes.
  • Marketing contact lists: until consent is withdrawn or, where based on legitimate interests, until you object.

After the applicable period, data is securely deleted or irreversibly anonymised.

7. Supervisory authorities

If you are located in the EU and believe that we have violated your data protection rights, you have the right to lodge a complaint with your local supervisory authority. A directory of EU supervisory authorities is available at edpb.europa.eu.

For individuals in Ukraine, oversight of personal data protection is provided by the Ukrainian Parliament Commissioner for Human Rights (Ombudsperson). You also retain the right to seek judicial remedy before a competent court if you consider that your rights have been infringed.

We encourage you to contact us first at privacy@roastworkslviv.com; we will always endeavour to resolve any concern promptly and fairly.

8. Security measures

We implement appropriate technical and organisational security measures proportionate to the risk presented by our processing activities. These include: encrypted connections (HTTPS/TLS) for all data transmitted to and from our website; restricted access controls so that only authorised personnel can access personal data; regular reviews of our security practices; and procedures for detecting, reporting and investigating personal data breaches. In the event of a breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay as required by Article 34 of the GDPR.

9. Contact

For all data protection and GDPR-related enquiries, please contact: privacy@roastworkslviv.com. Postal address: RoastWorksLviv.com LLC, 14 Promyslova Street, Lviv 79020, Ukraine.