Privacy Policy

Version 1.0 · Last updated 17 April 2026

This Privacy Policy explains how we collect, use and protect your personal data when you use our website, join our mailing list, or take part in our loyalty programme. We only collect what we need, never sell your data, and give you clear rights over it.

01 Who we are

This Privacy Policy explains how NNBC Holdings Limited, trading as Mnesic Coffee (“Mnesic Coffee”, “we”, “us” or “our”), collects, uses and protects your personal data.

NNBC Holdings Limited is a company registered in England and Wales under company number 11610961. Our registered office is:

8 Angola Road, Worthing, United Kingdom, BN14 8DT

For the purposes of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, we are the data controller of the personal data collected through mnesiccoffee.com, our website, and in connection with our shop and loyalty programme.

02 What personal data we collect

We collect only the personal data we need to operate our website, shop, mailing list and loyalty programme.

If you join our mailing list

We may collect:

  • your email address;
  • your name, if you choose to provide it; and
  • a record of your consent, including the date, time and policy version shown at the point of sign-up.

If you create a loyalty account

We may collect:

  • your email address;
  • your name, if provided;
  • your phone number, if provided;
  • your password in hashed form through our authentication provider (we do not see or store your password in plain text);
  • your loyalty points balance, tier status and loyalty transaction history; and
  • any favourites or saved preferences you choose to store in your account.

When you use our website

We may automatically collect limited technical information, including:

  • strictly necessary cookies used to sign you in and remember your theme preference; and
  • server log information such as IP address, browser type, requested page and timestamp, retained for security, fraud prevention and debugging.

Please see our Cookies Policy for more detail.

In-store purchases

If you pay by card in-store, your payment details are processed by your bank and our payment provider. We do not receive or store your full card details. We receive only limited transaction information, such as an anonymised transaction reference.

Where you identify yourself as a loyalty member at the till, we record the purchase amount against your loyalty account so that points can be awarded.

03 How and why we use your personal data

Under UK GDPR, we must have a lawful basis for processing personal data. The legal bases we rely on are set out below.

To operate your loyalty account

We use your data to create and manage your account, award points, track tier status and process redemptions.

Legal basis: performance of a contract.

To send service-related communications

We may send operational emails such as email verification, password reset and reward or redemption notifications.

Legal basis: performance of a contract.

To send marketing communications

We may send news, offers, rewards and event updates only where you have chosen to opt in.

Legal basis: consent.

You may withdraw your consent at any time by clicking the unsubscribe link in any marketing email or by contacting us directly.

To operate, protect and improve the website

We use limited technical data and server logs to maintain site security, diagnose technical issues and support reliable operation of the website.

Legal basis: legitimate interests.

To keep financial and transaction records

We may retain certain information where required for tax, accounting and legal compliance.

Legal basis: legal obligation.

04 Who we share your data with

We keep data sharing to a minimum and only share personal data with service providers who help us operate our website and services. These providers act as our data processors and are contractually required to process personal data only on our instructions and to keep it secure.

Our current processors include:

Supabase

Used for database hosting, authentication and file storage.

Hosting location: EU / London region (eu-west-2)

Vercel

Used for website hosting and delivery.

Hosting model: global content delivery infrastructure, with primary processing in EU regions where applicable.

We do not sell, rent or trade your personal data.

05 International data transfers

We aim to keep personal data within the UK or EEA where possible. However, some of our service providers may route or process limited data outside the UK as part of their infrastructure.

Where this happens, we take steps to ensure appropriate safeguards are in place, including the use of recognised transfer mechanisms such as the UK International Data Transfer Agreement and, where relevant, the EU-US Data Privacy Framework.

06 How long we keep your data

We retain personal data only for as long as necessary for the purposes for which it was collected, including to meet legal, regulatory, accounting and security requirements.

Typical retention periods are as follows:

  • Mailing list records: until you unsubscribe or ask us to remove you.
  • Loyalty account information: for the life of your account and for up to 30 days after closure.
  • Loyalty transactions and redemptions: 6 years after the end of the relevant tax year.
  • Server logs: 30 days.
  • Encrypted backups: rolling 30-day retention.

Where data is no longer required, it will be securely deleted or anonymised.

07 Your rights

Under UK GDPR, you have the right to:

  • request access to the personal data we hold about you;
  • request correction of inaccurate or incomplete data;
  • request deletion of your personal data, subject to legal retention obligations;
  • request restriction of processing in certain circumstances;
  • request transfer of your data in a machine-readable format where applicable;
  • object to processing based on legitimate interests;
  • withdraw consent at any time where processing is based on consent; and
  • lodge a complaint with the Information Commissioner’s Office (“ICO”).

You can find further information about your rights on the ICO website.

08 How to exercise your rights

To make a privacy-related request, please email info@mnesiccoffee.com with “Data request” in the subject line.

To help us process your request efficiently, please contact us from the email address linked to your account and provide enough information for us to verify your identity. Where necessary, we may request additional information to protect your privacy and prevent unauthorised disclosure.

We will usually respond within one month. If your request is particularly complex, we may extend this by up to a further two months, in which case we will let you know.

09 Security

We take appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, alteration and disclosure. These measures include:

  • TLS encryption for website traffic and API requests;
  • hashed password storage through our authentication provider;
  • database access controls and row-level security policies;
  • encrypted backups;
  • access logging and authentication audit trails; and
  • restricted administrative access on a role-based basis.

No system can be guaranteed to be completely secure. However, we take data security seriously and will respond promptly to any suspected security incident.

Where required by law, we will notify affected individuals and the ICO of a personal data breach.

10 Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our business, services, legal obligations or data practices.

If we make a material change, we will take reasonable steps to bring it to your attention, such as by posting a notice on the website or contacting registered users directly where appropriate.

The latest version will always be available on our website and will show the revised “Last updated” date.

11 Contact us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

NNBC Holdings Limited
8 Angola Road, Worthing, United Kingdom, BN14 8DT

Email: info@mnesiccoffee.com

If anything in this policy is unclear, email us at info@mnesiccoffee.com and we’ll walk you through it in plain English.