PRIVACY POLICY

This Privacy Policy explains how the Spraga group of companies (“Spraga”, “we”, “us” or “our”) collects and uses personal data when you visit and shop on our website and/or online stores for kombucha drinks located at spraga.de (the “Website”).

The data controller responsible for your personal data will be Spraga Portugal, Unipessoal LDA, company number 517303965, registered at Rua Artilharia 1, No. 63, 3, Lisbon 1250-038, Portugal.

In respect of personal data of representatives of legal-entity customers processed for our own business purposes, we act as an independent data controller within the meaning of applicable data protection laws.

If you have any questions about this Privacy Policy or how we handle your personal data, you can contact us using the contact details provided on the Website, or via the following email: [email protected]

This Privacy Policy applies to personal data we collect when you:

  • browse our Website,
  • create a customer account (individual or entity),
  • place an order as a registered customer or as a guest,
  • place an order on behalf of a legal entity of which you are a director, employee, agent or authorized representative,
  • sign up to receive marketing communications, or
  • contact us for any reason (for example, with a question or complaint).

It does not apply to third-party websites or services that may be linked from our Websites (for example, payment providers’ pages or social media platforms). Those services have their own privacy policies.

    3.1. Data you provide to us

    (a) Customer accounts

    When you create a customer account on a Website, we collect:

    – first name and last name,

    – email address (personal or business),

    – password,

    – corporate contact details,

    – your position in the company you represent,

    – billing or invoicing details,

    – optionally, phone number (personal or business),

    – optionally, billing and/or delivery address,

    – optionally, VAT number (for business customers).

    (b) Orders and guest checkout

    When you place an order (as a registered customer or as a guest), we collect:

    – first name and last name,

    – your position, if you order on behalf of the company,

    – email address (personal or business),

    – phone number (personal or business),

    – billing address,

    – delivery address (if different),

    – VAT number (for business customers, where relevant),

    – order details (products purchased, quantities, prices, discounts, delivery method),

    – communication with you regarding the order (for example, order confirmation, delivery updates, queries and complaints).

    We use this information to process and deliver your order, manage payments, and handle returns, defects, or complaints.

    (c) Communications with us

    If you contact us (for example, by email or via a contact form), we collect:

    – your name,

    – your contact details (such as email address and, if provided, phone number, personal or business),

    – name of the company (for business clients),

    – your position, if you act on behalf of the company,

    – the content of your message and any other information you choose to provide.

    (d) Marketing preferences

    If you choose to receive our marketing emails and newsletters, we collect and store:

    – your name,

    – your position, if you act on behalf of the company,

    – your email address (personal or business),

    – information about your marketing preferences (for example, whether you have opted in, and if/when you unsubscribed).

    3.2. Data we collect automatically

    When you browse our Website, we may automatically collect certain information about your device and usage, for example:

    – IP address,

    – browser type and version,

    – operating system,

    – pages visited and time spent on each page,

    – referring website or source,

    – information about how you interact with the Website.

    We typically collect this information using cookies and similar technologies. Essential cookies are necessary for the Website to function (for example, to keep items in your basket). Non-essential cookies, such as those used for analytics or marketing, are used only where permitted by applicable law and your cookie preferences.

    For more details on how we use cookies, please see our Cookie Policy.

    3.3. Your data provided by a legal entity you represent

    We will at all times assume that a legal entity providing us with personal data of its employees/representatives is entitled to do so by law or by the data subjects. In case you learn that your information was shared by the entity you represent without your sufficient knowledge, please immediately notify us of the same.

    Under the General Data Protection Regulation (EU) 2016/679 (GDPR), we must have a lawful basis for each use of your personal data. Depending on the context, we use one or more of the following legal bases: performance of a contract, compliance with legal obligations, our legitimate interests, and your consent.

    4.1 To create and manage your customer account

    We process your account data to:

    – register your or your company’s account,

    – allow you to log in and manage your details and orders,

    – provide customer support related to your account.

    Legal basis: performance of a contract (Article 6(1)(b) GDPR), because this processing is necessary to provide the account and related services you request. In some cases, our legitimate interest in operating an efficient e-commerce platform (Article 6(1)(f) GDPR) may also apply.

    4.2 To process and deliver your orders

    We process personal data provided in connection with an order (including guest orders) in order to:

    – accept and confirm your order,

    – process payment with our payment partners,

    – prepare and deliver products to the delivery address you specify,

    – communicate with you about your order (order confirmation, delivery updates, returns or complaints).

    Legal basis: performance of a contract (Article 6(1)(b) GDPR). Without this data we cannot complete your purchase.

    4.3 To comply with legal and regulatory obligations

    We keep certain records of your transactions and communications in order to:

    – comply with tax, accounting and corporate record-keeping obligations,

    – respond to requests from public authorities where we are legally required to do so,

    – comply with consumer protection and product safety laws.

    Legal basis: compliance with legal obligations (Article 6(1)(c) GDPR), for example under applicable tax and accounting legislation in the country of the relevant Spraga Company.

    4.4 To manage our relationship with you and provide customer support

    We use your contact details and correspondence to:

    – respond to your questions and requests,

    – handle complaints and defective product claims,

    – notify you about changes to our terms or this Privacy Policy.

    Legal basis: performance of a contract (Article 6(1)(b) GDPR) and/or our legitimate interests in providing good customer service and protecting our legal position (Article 6(1)(f) GDPR).

    4.5 Marketing communications

    If you choose to receive marketing emails (for example, about new products, promotions or events), we will use your name and email address to send you such communications.

    Legal basis:

    – your consent (Article 6(1)(a) GDPR), or

    – our legitimate interests (Article 6(1)(f) GDPR) where permitted by applicable e-privacy rules (for example, “soft opt-in” for existing customers), provided you have not objected.

    You can withdraw consent or opt out of marketing at any time by clicking the “unsubscribe” link in our emails or by contacting us. This will not affect the lawfulness of processing carried out before you withdrew your consent.

    4.6 Website security, fraud prevention and analytics

    We may use automatically collected data (such as IP address and device information) to:

    – maintain the security and integrity of the Websites,

    – detect and prevent fraud or misuse of our services,

    – compile aggregated statistics and analytics to improve our Websites, products and services.

    Legal basis: our legitimate interests (Article 6(1)(f) GDPR) in ensuring the security of our Websites and improving our business operations.

We do not collect or store your full payment card details. When you pay for an order, you are redirected to (or an embedded frame connects you with) a secure payment provider (for example, Stripe, PayPal or another local provider). We send them only the data necessary to process the payment, such as:

  • name (person, company),
  • billing address,
  • email,
  • order total and order ID.

The payment provider may collect additional information directly from you and your device (such as card details, device identifiers or IP address) to process the transaction and for fraud prevention. Their use of your personal data is governed by their own privacy policy, which we encourage you to read carefully.

To deliver your order, we share the necessary delivery details with our logistics partners and courier companies operating in Germany and internationally, including:

  • name;
  • delivery address;
  • phone number;
  • email address (where needed for delivery updates);
  • order reference.

This information is provided either:

  • manually (for example, by inputting data into the courier’s web portal), or
  • via an integration (for example, using APIs, CSV export or another secure electronic method).

We only share the data required for the courier to perform delivery and related tracking or notification services.

We keep personal data only for as long as necessary for the purposes for which it was collected and to comply with legal, accounting or reporting obligations.

In particular:

  • Customer accounts: we retain your account data for as long as your account is active. If you ask us to delete your account (and all related login information, including Facebook Login), we will deactivate it and delete or anonymise personal data associated with the account, except for data that we must keep for legal or accounting purposes.

  • Orders (including guest orders): we typically retain order information (including your contact and billing details) for a period of 10 years.

  • Marketing data: we retain your marketing preferences and related personal data until you unsubscribe or object to receiving marketing communications. We may also keep a minimal record of your opt-out (for example, your email address and the fact you unsubscribed) to ensure we do not send you marketing in the future.

  • Customer support correspondence: we retain correspondence and related data for as long as necessary to resolve your query or complaint, and for a reasonable period afterwards to protect our legal interests (typically up to the applicable statutory limitation period).

If we are subject to a legal claim, investigation or audit, we may need to retain data beyond the periods stated above for the duration of the matter and for any applicable limitation period.

We do not sell your personal data. We may share your personal data with the following categories of recipients, only to the extent necessary for the purposes described in this Privacy Policy:

  • Service providers: IT hosting providers, e-commerce platform providers, email service providers, analytics tools, customer support tools, and professional advisers (for example, lawyers or accountants) who provide services to us under appropriate contracts.
  • Payment providers: third-party payment processors who handle your payments and card details.
  • Delivery and logistics partners: courier companies and fulfilment providers who deliver orders or handle returns.
  • Group companies and business partners: other Spraga Companies where necessary for internal administration, reporting or to support our e-commerce operations.
  • Public authorities and regulators: where we are legally obliged to do so (for example, to tax authorities, law enforcement, or data protection authorities) or where disclosure is necessary to protect our rights, customers, or others.

Where we use service providers to process personal data on our behalf, we ensure that they only process the data according to our instructions and under a written data processing agreement as required by the GDPR.

Some of our service providers or group companies may be located outside the European Economic Area (EEA), or may use servers located outside the EEA. If personal data is transferred to a country that has not been recognised by the European Commission as providing an adequate level of data protection, we will ensure that appropriate safeguards are in place, such as:

  • using standard contractual clauses approved by the European Commission, and/or
  • relying on another lawful transfer mechanism under the GDPR.

You can contact us using the details above if you would like more information about how we protect personal data in relation to international transfers.

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction or damage. These measures include, for example:

  • using secure (HTTPS) connections for our Websites,
  • restricting access to personal data to authorised staff and service providers on a need-to-know basis,
  • using hashed passwords for customer accounts,
  • maintaining appropriate backup and logging procedures,
  • regularly reviewing our security policies and practices.

However, no system can be completely secure. While we do our best to protect your personal data, we cannot guarantee the security of information transmitted to or from the Websites over the internet.

Under the GDPR, you have a number of rights in relation to your personal data, subject to certain conditions and exemptions. In particular, you may have the right to:

  • Access: request confirmation as to whether we process your personal data and obtain a copy of the personal data we hold about you.

  • Rectification: request that we correct inaccurate or incomplete personal data about you.

  • Erasure: request that we delete your personal data, for example where it is no longer necessary for the purposes for which it was collected, or where you withdraw your consent (where applicable).

If you have used Facebook Login to access our services and wish to request the deletion of your personal data associated with your account, you may do so by sending a request to [email protected] with the email topic Facebook Login Erasure.

Upon receipt of a valid request, we will delete or anonymize your personal data associated with your Facebook account within a reasonable timeframe, unless retention is required by applicable law. You may also remove our application from your Facebook account settings at any time.

  • Restriction: request that we restrict the processing of your personal data in certain circumstances (for example, while we are verifying the accuracy of your data or assessing an objection).

  • Data portability: request to receive personal data that you have provided to us in a structured, commonly used and machine-readable format, and have it transferred to another controller, where the processing is based on your consent or on a contract and is carried out by automated means.

  • Objection: object at any time to the processing of your personal data where the legal basis is our legitimate interests. We will stop processing your data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defense of legal claims.

  • Direct marketing: you have an absolute right to object at any time to the processing of your personal data for direct marketing purposes, including profiling related to direct marketing. If you object, we will stop using your data for this purpose.

  • Withdraw consent: where we rely on your consent to process personal data (for example, for certain types of marketing), you can withdraw your consent at any time. This does not affect the lawfulness of processing before you withdrew your consent.

To exercise any of these rights, please contact us using the contact details in Section 1. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise your other rights).

Representatives of legal-entity customers whose personal data we process are entitled to exercise their data protection rights directly with us in accordance with this Privacy Policy, irrespective of whether the contractual relationship is concluded with the legal entity.

If you have any questions or concerns about how we use your personal data, or if you wish to exercise your rights, please contact us using the contact details provided in Section 1 hereof.

We will respond to your request as soon as reasonably possible and in any event within the time limits set out in the GDPR.

If you are unhappy with how we have used your personal data, we would appreciate the chance to resolve your concerns in the first instance. Please contact us using the details above.

You also have the right to lodge a complaint with the data protection authority in Germany: the competent Datenschutzbehörde of your Land. You can find your local authority at www.bfdi.bund.de/anschriften in the Kontaktfinder menu (choose Landesbehörde and your Land).

If you access our Website from outside of Germany or you are a national of another country, you can contact either the above authority or the authority of your home country. The details for other European supervisory authorities are available on the website of the European Data Protection Board (EDPB) at https://www.edpb.europa.eu/about-edpb/contact-us_en.

We may update this Privacy Policy from time to time, for example to reflect changes in the law, our practices or our Website. The most current version will always be available on the Website and will include the date it was last updated.

We encourage you to review this Privacy Policy periodically to stay informed about how we use your personal data.

Current version: 25.05.2026