Fast shipping across Europe - free over €40Fast shipping across Europe - free over €40Fast shipping across Europe - free over €40Fast shipping across Europe - free over €40Fast shipping across Europe - free over €40Fast shipping across Europe - free over €40Fast shipping across Europe - free over €40Fast shipping across Europe - free over €40Fast shipping across Europe - free over €40Fast shipping across Europe - free over €40Fast shipping across Europe - free over €40Fast shipping across Europe - free over €40
Popcha
··

Privacy Policy

Last updated: 28 May 2026

This policy explains what personal data Popcha collects when you use popcha.eu, why we collect it, how we use it, and what rights you have. We have kept it short and specific to what our site actually does, with no boilerplate.

Who we are

Popcha is a matcha tea retailer based in Vilnius, Lithuania. We are the controller of the personal data described in this policy. You can reach us at hello@popcha.eu for any privacy question or to exercise your rights.

What we collect, why, and on what legal basis

We collect personal data in three situations.

1. When you sign up for restock or launch notifications

If you submit the "Notify me" form on a product page or the launch-notification form on the cart page, we store:

  • your email address;
  • the product you asked to be notified about (if any) and the language you used the site in;
  • a hashed version of your IP address (one-way SHA-256, truncated to 32 characters) and your browser's user-agent string, used to detect abuse and prevent unlimited resubmission.

We use this only to send you the requested notification and to keep the form from being abused. Legal basis: your consent (GDPR Art. 6(1)(a)) for the email, and our legitimate interest in preventing abuse (Art. 6(1)(f)) for the hashed IP and user-agent.

2. When you buy something

When checkout is enabled and you place an order, our payment partner Stripe Payments Europe Ltd. (Dublin) collects your payment-card information directly: it never touches our servers. From Stripe we then receive and store:

  • your name, email, shipping address, billing address, and phone number;
  • the order details (products, quantities, amounts paid);
  • the Stripe payment IDs linking the order to the original transaction.

We use this to fulfil your order, send confirmation emails, handle returns or refunds, and meet tax and accounting obligations. Legal basis: performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)).

3. When you simply browse the site

For every request, our hosting provider Vercel Inc. automatically gives us a two-letter country code derived from your IP address. We use this once on your first visit to suggest the appropriate language version of the site (German for visitors from Germany and Austria, Dutch for the Netherlands) and never store it.

We also set two first-party cookies in your browser:

  • NEXT_LOCALE: your language preference, kept for one year so we do not keep redirecting you. Contains only "en", "de", or "nl".
  • popcha_consent: your cookie and marketing preferences, kept for one year. Contains only the categories you accepted (both currently default to opt-out).

Neither cookie identifies you personally. Legal basis: legitimate interest (Art. 6(1)(f)) for the locale suggestion, and your consent (Art. 6(1)(a)) for any future analytics or marketing cookies (none are currently active).

Who else sees your data

We share personal data only with the processors we need to run the site:

  • Vercel Inc.: hosting and edge infrastructure. Receives standard request data (IP, request headers, pages accessed). Servers in the EU and US.
  • Stripe Payments Europe Ltd.: payment processing at checkout. Receives payment, billing, shipping, and contact details. Servers in the EU and US.
  • Resend (Resend, Inc., US, with EU sub-processor): delivery of transactional emails (restock and launch notifications, and order confirmations once checkout is live). Receives the recipient email address and the email content.
  • Cloudflare, Inc. (R2): image storage. No personal data sent. Global.
  • Postgres database, hosted in the EU. Stores all data described above.

We do not share your data with advertisers, data brokers, or marketing networks. We do not run analytics that send your data to third parties.

International transfers

Some of our processors (Vercel, Stripe, Cloudflare) operate globally and may process data on servers outside the European Economic Area. When that happens, transfers are protected by Standard Contractual Clauses approved by the European Commission, plus additional safeguards each processor publishes on its own privacy pages.

How long we keep your data

We keep personal data only as long as we need it for the purposes described above and to meet legal obligations: notably tax and accounting rules, which generally require us to retain transaction records for up to ten years. Notification-form emails are kept until launch is complete and for a reasonable period afterwards, then deleted on request or after the next data review.

Your rights

Under EU and UK data-protection law you have the right to:

  • Access your data: get a copy of what we hold about you.
  • Rectification: correct anything that is wrong.
  • Erasure ("right to be forgotten"), subject to legal retention obligations.
  • Restriction of processing in certain situations.
  • Portability: receive your data in a machine-readable format.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time, for processing based on consent.

To exercise any of these rights, email hello@popcha.eu. We will respond within one month.

You also have the right to lodge a complaint with the data-protection authority in your country of residence. In Lithuania that is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, vdai.lrv.lt). A list of EU and EEA authorities is at edpb.europa.eu.

Children

popcha.eu is not intended for use by children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, please contact us so we can delete it.

Automated decisions and profiling

We do not make automated decisions that produce legal or similarly significant effects about you, and we do not profile you.

Changes to this policy

When we make material changes, we update the "Last updated" date at the top and, where appropriate, notify you by other means (e.g. a banner on the site, or by email if we have your address).

Contact

Popcha
hello@popcha.eu
Vilnius, Lithuania