Privacy policy
Last updated: 7 November 2025
1) Who is the controller
Data controller: Eulàlia Delgado Catalán (Cocolitos)
Address: C/ Lepant 270, Bajos, 08013, Barcelona (Spain)
Email: contact@cocolitos.eu
We have not appointed a Data Protection Officer. You can contact us at the above address for any privacy matter.
2) Scope of this policy
This policy applies to the use of cocolitos.eu and associated shops, as well as purchases and customer care made through the channels listed on the site (the “Services”).
3) Personal data we process
- Identification and contact: name, surname, email, postal address, telephone (if you provide it).
- Order and delivery: items purchased, amount, shipping/billing addresses, tracking and delivery status.
- Customer care: messages and metadata required to handle queries, incidents and returns.
- Billing and tax: Tax ID/VAT (where applicable), invoice and payment records.
- Payments: transaction token/ID and anti-fraud attributes provided by payment processors. We do not store full card details.
- Site usage: activity data and cookies/similar technologies (see Section 11).
- Marketing (optional): your email and preferences when you voluntarily subscribe to our newsletter.
- Consent preferences and logs: your choice in the cookie banner/manager (accepted/rejected categories), consent ID, timestamp and notice version, managed via our consent management platform (Consentmo GDPR Compliance).
4) Purposes and legal bases
- Sell and deliver products (order handling, shipping, returns): performance of a contract.
- Customer care (support and after-sales): performance of a contract or legitimate interests to respond to you.
- Billing, accounting and legal compliance (fraud prevention, tax/commercial duties): legal obligation and legitimate interests.
- Email marketing (newsletter, offers): consent, which you may withdraw at any time.
- Analytics and personalisation (non-essential cookies): consent via the cookie banner/manager.
- Consent management and cookie compliance (record of choices, blocking non-essential scripts): legal obligation (GDPR/ePrivacy) and legitimate interests for site security.
- Site security (technical logs, abuse/fraud prevention): legitimate interests.
5) Who we share data with
- Shopify (store platform and hosting).
- Shopify Network Intelligence (if enabled): Shopify may securely process your interactions with our shop together with data from other Shopify merchants to provide enhanced services (e.g., performance improvements, personalisation, measurement and advertising optimisation, and fraud prevention). No other merchant can access your individual data. Legal basis: legitimate interests (security/anti-fraud and service improvement) and, for measurement/marketing, your consent via the cookie banner. More details in Shopify’s Consumer Privacy Policy.
- Payment processors (e.g., Shopify Payments, PayPal, Apple Pay, Google Pay).
- Logistics (carriers and fulfilment providers).
- Email marketing (e.g., Mailchimp/Intuit) if you subscribe to the newsletter.
- Technical support and tools (hosting/support; analytics/measurement only if you accept cookies).
- Consent Management Platform (CMP): Consentmo GDPR Compliance, to display the banner, block non-essential tags until you make your choice, and keep a record of your preferences. It acts as our processor under our instructions.
Where appropriate, these third parties act as processors under contracts requiring them to protect your data. We only disclose data to other third parties where there is a legal basis (e.g., legal obligation or your consent).
6) Facebook & Instagram sales channel (Meta)
We have integrated the Facebook & Instagram by Meta channel to sync our catalogue and display products on Facebook/Instagram. This involves the following processing:
- Catalogue and shop: we sync product data (titles, images, prices, stock) and handle orders that may originate on Meta. Legal basis: performance of a contract and pre-contractual steps.
- Customer Data Sharing: we may enable Shopify’s customer data sharing at different levels (Standard, Enhanced, Maximum) combining the Pixel (browser) and Conversions API (server) for ad measurement and optimisation. Legal basis: consent for analytics/marketing cookies and legitimate interests for security and fraud prevention.
- Advertising events: content views, add-to-basket, purchases and technical data (e.g., IP, user agent) and, at higher levels, hashed identifiers (email/phone if you provide them) for deduplication and better attribution.
- Audiences and ads: we may use your preferences (if you subscribed to marketing and accepted cookies) to personalise ads or exclude you from campaigns; you can withdraw consent and manage your ad preferences in Meta.
You can manage advertising cookies in our cookie manager and your ad settings directly on Facebook and Instagram.
7) Relationship with Shopify, Meta and Consentmo
We use Shopify’s technology to run the store and integrate Meta’s channel. Shopify primarily acts as our processor; Meta processes data both as a platform provider (e.g., Shops/Commerce Manager) and, where applicable, as an independent controller for its own purposes (measurement, security and service improvement). We also use Consentmo GDPR Compliance as our consent management platform to display the cookie banner, block non-essential tags until you make your choice, and retain the consent log for compliance. Consentmo acts as a processor under our instructions.
Shopify Network Intelligence: we may have SNI enabled in our admin. If enabled, Shopify securely uses customer data from our shop, combined with its network data, to power Enhanced Services (e.g., Shopify Audiences, performance and personalisation improvements) as described in Shopify’s documentation. You can manage your cookie preferences under “Cookie Preferences”. See Shopify’s policy.
8) International transfers
Some providers (Shopify/Meta/Consentmo and their sub-processors) may process data outside the EEA. In such cases we apply valid transfer mechanisms (adequacy decisions, Standard Contractual Clauses and additional safeguards) to ensure an equivalent level of protection.
9) Retention periods
- Orders and account: for the duration of the contractual relationship and, afterwards, as required to meet liabilities.
- Billing/accounting: up to 6 years (commercial obligations) and 4 years (tax obligations), where applicable.
- Customer care: up to 24 months from last interaction, unless incidents or warranties apply.
- Marketing: until you withdraw consent or unsubscribe.
- Consent logs (cookies): up to 24 months from your last preference update or as needed to evidence compliance.
- Cookies: according to their purpose and lifetime (see Section 11).
11) Cookies and similar technologies
We use cookies and similar technologies (pixels, beacons) to operate the site and, if you agree, for analytics/measurement and marketing. You can accept/decline or manage categories via the banner or the “Cookie Preferences” link in the footer. You may withdraw consent at any time.
11.1 Consent management (Consentmo CMP)
We use Consentmo GDPR Compliance as our consent management platform (CMP). The CMP sets strictly necessary cookies to remember your choice and blocks non-essential scripts until you consent. We keep a record of your decision (categories, identifier, date and notice version) to evidence compliance. You can change or withdraw consent at any time from “Cookie Preferences”.
11.2 Types of cookies
- Necessary (always on): site operation, security, basket and checkout. Legal basis: legitimate interests or contract performance.
- Preferences: language/region. Legal basis: consent.
- Analytics/measurement: site usage (e.g., pages visited). Legal basis: consent.
- Marketing/advertising: ads and measurement (incl. Meta Pixel and Conversions API). Legal basis: consent.
11.3 Typical examples (may vary)
| Cookie | Purpose | Duration | Category |
|---|---|---|---|
| cart, cart_currency, cart_sig | Maintain basket and shopping session | Session / up to 2 weeks | Necessary |
| _shopify_y / _shopify_s | Basic shop analytics (Shopify Analytics) | _shopify_y: up to 2 years / _shopify_s: 30 min | Analytics (consent) |
| _orig_referrer / _landing_page | Campaign attribution and landing pages | Session / up to 2 weeks | Analytics (consent) |
| _shopify_sa_t / _shopify_sa_p | Shopify marketing/remarketing | 1 min – 1 day | Marketing (consent) |
| _gcl_au, _ga* | Google Ads/Analytics (if active) | 3 months – 2 years | Analytics/Marketing (consent) |
| _fbp | Meta/Facebook Pixel (if active) | Up to 3 months | Marketing (consent) |
Note: the list may change due to Shopify/Meta updates or installed apps. The current information appears in the cookie banner/manager.
11.4 Shopify Network Intelligence and cookies
SNI may rely on browser signals (cookies/pixels) and server-side signals (Conversions API). Analytics/marketing cookies will only be set if you give your consent in the banner. You can change this at any time under “Cookie Preferences”.
11.5 Google Consent Mode v2 (if enabled)
We have integrated Google Consent Mode v2 so that Google tags (Analytics/Ads) respect your choice. If you decline measurement/marketing cookies, Google receives consent-mode signals that limit measurement and advertising to compatible forms. You can adjust your choice under “Cookie Preferences”.
12) Children
Our products are not directed at children. If you are under 14, please do not provide personal data without your parents’ or guardians’ permission. If we detect children’s data without such permission, we will delete it.
13) Security
We implement appropriate technical and organisational measures (e.g., TLS encryption, access controls, data minimisation and, where appropriate, pseudonymisation). No measure is perfect: please avoid sending sensitive information over unsecured channels.
14) Changes to this policy
We may update this policy to reflect legal changes, sales channels or our Services. We will publish the new version with its last updated date.
15) Contact
To exercise your rights or for privacy enquiries, email contact@cocolitos.eu or write to the postal address above.