Privacy policy

Last updated: 4-3-2026

Identification details

In accordance with Spanish Law 34/2002 (LSSI-CE), we provide the following information:

Trade name: Costa Cheese
Owner: Milan Stolwijk (self-employed / autónomo)
NIE/NIF: Z3569469N
Address: Carrer Eduard Grieg 1, 03738 Jávea (Alicante), Spain
E-mail: privacy@costacheese.es

1. What personal data do we process?

We process the following categories of personal data, depending on your use of our website:

  • Identity data: surname, first name
  • Contact data: delivery address, billing address, e-mail address, telephone number
  • Order and payment data: ordered products, order number, payment method, payment status (the actual payment details, such as card numbers, are processed by our payment providers; we do not receive these in full)
  • Account data (if you create an account): login e-mail address, password (encrypted)
  • Communication: messages you send us by e-mail, WhatsApp (via services of Meta Platforms) or through the contact form
  • Technical and usage data (only with consent, except for strictly necessary cookies): IP address (anonymized where possible), browser type, pages visited, click behavior, via cookies and similar technologies

2. For what purposes and on what legal basis?

We process your data for the following purposes:

1. Order and delivery processing

  • Purposes: processing your order, handling payment, carrying out delivery, sending the invoice, customer service relating to your order.
  • Legal basis: performance of the contract (Art. 6(1)(b) GDPR) and legal obligation for accounting/invoicing (Art. 6(1)(c) GDPR).

2. Customer service and returns

  • Purposes: if legally required, we may retain order data to ensure the traceability of food products.
  • Legal basis: legal obligation (Art. 6(1)(c) GDPR).

3. Improvement of our webshop and statistics

  • Purposes: analysing the use of the website in order to improve its operation, security and user experience (for example which pages are popular).
  • Legal basis: strictly necessary / functional cookies: our legitimate interest (Art. 6(1)(f) GDPR), analytical or marketing cookies: only on the basis of your consent (Art. 6(1)(a) GDPR).

4. Marketing (optional, if you use this)

  • Purposes: sending newsletters or offers by e-mail, only if you have signed up for them.
  • Legal basis: your consent (Art. 6(1)(a) GDPR). You may withdraw your consent at any time via the unsubscribe link in every e-mail or by e-mailing us.

5. Food safety and traceability

  • Purposes: if legally required, we may retain order data to ensure the traceability of food products.
    Legal basis: legal obligation (Art. 6(1)(c) GDPR).

3. Cookies and similar technologies

Our website uses cookies and similar techniques.

  • Strictly necessary cookies: necessary for the proper functioning of the website (for example to remember your shopping cart). These are always placed.
  • Analytical cookies and marketing cookies: help us improve the website and show relevant offers. These are only placed if you give prior consent via our cookie banner.


When you first visit our website, we show a cookie banner that allows you to:

  • accept all cookies;
  • allow only necessary cookies;
  • set your preferences per type of cookie.

You can always adjust your cookie preferences later via your browser settings and/or via the cookie settings on our website. More information can be found in our separate Cookie Policy.

4. With whom do we share your data?

We do not sell your personal data to third parties. However, we do share your data with carefully selected service providers when this is necessary for our services:

• Shopify

For hosting our webshop and processing orders.
Shopify may process data outside the EU. These transfers take place in accordance with the GDPR and with appropriate safeguards, such as Standard Contractual Clauses (SCCs).

• Payment providers (e.g. Shopify Payments, iDEAL providers, credit card companies)

For securely processing payments. They only receive the data necessary for the payment.

• Delivery services (e.g. Correos, SEUR, DHL, …)

For delivering your order: name, address and possibly telephone number / e-mail for track & trace.

• IT and analytics tools (e.g. Google Analytics, provided this is with consent and in accordance with our Cookie Policy)

For website analysis and performance monitoring.

We conclude data processing agreements with these parties if they act as processors on our behalf. They may not use your data for their own purposes.

If personal data is transferred to countries outside the European Economic Area (EEA), we ensure appropriate safeguards, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

We use Google Analytics with IP anonymization and only after you have given your consent via the cookie banner.

5. Retention periods

We do not retain your personal data longer than necessary for the purposes for which it was collected, unless a longer retention period is legally required or permitted.

 

  • Order and invoice data: at least 6 years in accordance with Spanish tax obligations (possibly longer if legally required).
  • Customer account data: as long as you have an active account. If you have your account deleted, we will delete or anonymize the data that is not subject to a legal retention obligation.
  • Correspondence (customer service): as long as necessary for handling your question or complaint, and for a reasonable period afterwards in connection with proof and follow-up.
  • Cookie and usage data: according to the periods described in the Cookie Policy, depending on the type of cookie.

6. Your rights

Under the GDPR, you have the following rights with regard to your personal data:

  • Right of access: you may request which personal data we process about you.
  • Right to rectification: you may have incorrect or incomplete data corrected.
  • Right to erasure: in certain cases, you may request deletion of your data (for example if the data is no longer necessary, or if you withdraw your consent).
  • Right to restriction of processing: in certain cases, you may request restriction of the processing of your data.
  • Right to object: you may object to processing based on our legitimate interest or to the use of your data for direct marketing.
  • Right to data portability: you may request to receive your data in a structured, commonly used and machine-readable format or to have it transferred to another party, insofar as technically possible.
  • Right to withdraw your consent: if processing is based on consent (e.g. marketing, non-essential cookies), you may withdraw that consent at any time. This does not have retroactive effect.

These rights are also known as the ARSULIPO rights under the GDPR.

You can exercise these rights by sending a request to: privacy@costacheese.es.
To prevent misuse, we may ask you to confirm your identity.

We try to handle your request as quickly as possible and at the latest within 1 month, unless the complexity of the request or the number of requests makes an extension necessary. In that case, we will inform you accordingly.

7. Complaints and supervisory authority

If you have questions or complaints about this privacy policy or the way in which we handle your data, you can first contact us via privacy@costacheese.es

In addition, you have the right to lodge a complaint with the competent data protection supervisory authority:

Agencia Española de Protección de Datos (AEPD)
Website: https://www.aepd.es

8. Changes to this privacy policy

We may amend this privacy policy from time to time, for example in the event of changes in legislation or changes in our services. The most recent version can always be found on our website. The date of the last amendment is stated at the top of this document.