Privacy Policy

Last updated: March 2026

1. Who we are

KOCOA ("we", "us", "our") operates kocoa.nl and the innerTIDE brand. We are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable Dutch and EU privacy laws.

2. What data we collect

When you visit our website, place an order, or create an account, we may collect: name, email address, shipping and billing address, phone number, payment information (processed securely by our payment provider — we never store card details), and any information you provide when contacting us or submitting a wholesale inquiry.

3. User accounts

When you create an account, we store your name, email address, saved addresses, and order history. You can view, update, or delete your account data at any time from your account settings. If you request account deletion, we will remove your personal data within 30 days, except where retention is required by law (e.g. tax records).

4. How we use your data

We use your data to: process and fulfil orders, manage your account, provide customer support, send transactional emails (order confirmations, shipping updates), send marketing communications (only with your explicit consent), analyse website usage to improve our services, prevent fraud, and comply with legal obligations.

5. Cookies & tracking

We use cookies and similar technologies on our website. You can manage your preferences at any time via the cookie settings in the footer. We categorise cookies as follows:

Essential cookies

Required for the website to function (e.g. shopping cart, authentication, cookie consent preferences). These cannot be disabled.

Analytics cookies (opt-out)

Google Analytics 4 and Microsoft Clarity help us understand how visitors use our website, including page views, scroll depth, click heatmaps, and session recordings. This data is anonymised and used solely to improve the user experience. Active by default. You can disable these via cookie settings at any time.

Marketing cookies (opt-out)

Meta Pixel (Facebook/Instagram) allows us to measure the effectiveness of our advertising campaigns and show you relevant ads. Active by default. You can disable these via cookie settings at any time.

6. Third-party services

We share data with the following third-party processors, each bound by data processing agreements:

  • Mollie — payment processing (iDEAL, PayPal, Bancontact, credit cards)
  • Supabase — user authentication and account data storage (EU-hosted)
  • Google Analytics 4 — website analytics (anonymised, consent-based)
  • Microsoft Clarity — heatmaps and session recordings (anonymised, consent-based)
  • Meta Pixel — advertising measurement (consent-based)
  • Resend (via Amazon SES) — transactional and marketing emails

7. Data retention

We retain your personal data only as long as necessary: order data is kept for 7 years to comply with Dutch tax obligations, account data is kept until you delete your account, analytics data is automatically deleted after 14 months, and marketing data is removed when you withdraw consent.

8. International data transfers

Some of our third-party providers are based outside the EU/EEA (e.g. Google, Meta, Microsoft). Where data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.

9. Your rights

Under the GDPR, you have the right to: access your personal data, correct inaccurate data, request deletion of your data, restrict or object to processing, data portability, and withdraw consent at any time. To exercise any of these rights, contact us at the address below. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

10. Contact

For any privacy-related questions or to exercise your rights, please contact us at privacy@kocoa.nl.