Great coffee, matched to how you actually brew /Free shipping for Roasters Club over threshold /Roasted to order · shipped worldwide · USD checkout /Brew Matcher — find your bag in 6 questions /Great coffee, matched to how you actually brew /Free shipping for Roasters Club over threshold /Roasted to order · shipped worldwide · USD checkout /Brew Matcher — find your bag in 6 questions /

Policy

Privacy Policy

Last updated: July 13, 2026

This Privacy Policy explains how Firstlight Coffee, a trading brand of ISLE OF ARRAN COFFEE COMPANY LTD(“we”, “us”, “our”), collects, uses, shares and protects your personal data when you visit islofarrcof.shop, place an order, join Roasters Club, use Brew Matcher, or contact us. We sell coffee and brewing goods only, in USD, and ship internationally.

We make no health, medical or treatment claims about our products. This policy is written to meet UK GDPR, EU GDPR and, where applicable, the California Consumer Privacy Act (CCPA/CPRA).

01Who is responsible for your data

The data controller is ISLE OF ARRAN COFFEE COMPANY LTD, a private limited company registered in Scotland, United Kingdom, trading as Firstlight Coffee.

Registered office: 8, The Brae, Lamlash, Isle Of Arran 8, The Brae Lamlash, KA27 8NA, Scotland. Contact for privacy matters: support@islofarrcof.shop or +44 7684700301.

02What we collect

  • Identity and contact data: name, email, phone, and delivery and billing address.
  • Order and account data: items purchased, order history, membership plan, and communications with support.
  • Payment-related data: billing details and the payment status returned by our payment processor. We do not receive or store your full card number, CVC or expiry.
  • Brew Matcher inputs: the brew method, roast, flavour, caffeine and occasion answers you provide to receive a recommendation.
  • Technical and usage data: IP address, device and browser type, and pages viewed, collected via cookies and similar technologies.
  • Marketing preferences: whether you have opted in to updates and new-arrival alerts.

03Collection sources and how we collect it

  • Directly from you when you order, check out, create an account, join membership, use Brew Matcher, or contact us.
  • Automatically from your device via cookies and analytics when you use the site.
  • From our processors, such as our payment processor confirming a payment result or our delivery carriers confirming tracking.

04Why we use it and our legal bases

  • To take and fulfil orders and deliver your coffee — legal basis: performance of a contract.
  • To process payments and prevent fraud — contract and legitimate interests.
  • To run Roasters Club membership and billing — contract.
  • To provide Brew Matcher recommendations — contract and legitimate interests.
  • To provide customer support and handle returns, refunds and disputes — contract and legal obligation.
  • To send service messages (order and dispatch updates) — contract; and marketing where you have consented — consent, which you can withdraw at any time.
  • To meet tax, accounting and consumer-law obligations — legal obligation.
  • To secure and improve the site — legitimate interests.

05Who we share it with

We share personal data only with processors that help us run the store:

  • Payment processing: Stripe, Inc. handles card payments. Stripe receives the data needed to process the transaction; we do not receive your full card number.
  • Hosting and delivery of the website: our cloud hosting provider (Vercel).
  • Database and account storage: our backend provider (Supabase).
  • Order delivery: postal and courier carriers, who receive the name and address needed to deliver your parcel and provide tracking.
  • Email and support messaging: our transactional email provider.
  • Bot and abuse protection: our security and anti-spam provider (e.g. Cloudflare).
  • Professional advisers and authorities where required by law.

We do not sell your personal data. We require every processor to protect your data and use it only on our instructions.

06Payment provider boundary

Card payments are processed by our PCI-compliant payment provider on their secure pages. Your full card number, expiry and security code are entered with the payment provider and are never transmitted to or stored by us. We receive only the result of the payment and limited billing details needed for order records, tax and fraud prevention.

07Delivery, order fulfilment, returns and billing data

  • shipping address and delivery address and contact details are shared with our carriers solely to deliver your order and provide tracking.
  • Order records (items, amounts, addresses and dates) are kept to fulfil the order, handle returns and refunds, and meet tax and accounting duties.
  • For returns and refunds of perishable food, we process the information needed to verify the issue and arrange a replacement or refund under our Refund & Returns Policy.
  • Billing data is used to take payment, issue receipts and respond to chargebacks or disputes.

08International transfers

We are based in the United Kingdom and ship worldwide, so your data may be processed outside your country, including in the United States and the European Economic Area, by our processors. Where data leaves the UK or EEA, we rely on adequacy decisions or Standard Contractual Clauses (with the UK Addendum where relevant) to protect it.

09How long we keep it

  • Order, billing and tax records: kept for up to seven years to meet accounting and tax obligations.
  • Account and membership data: kept while your account is active and for a reasonable period afterward.
  • Enquiry and lead data from our forms: kept for up to 24 months, then deleted or anonymised.
  • Marketing preferences: kept until you unsubscribe or object.
  • Cookies and analytics: retained per the durations set out in our Cookie Policy.

10How we protect it

We use encryption in transit (HTTPS), access controls, reputable processors and the payment-provider boundary above so we never hold full card data. No method of transmission or storage is completely secure, but we maintain appropriate technical and organisational measures and review them regularly.

11Your GDPR and CCPA rights

Under UK/EU GDPR you can request to:

  • Access a copy of your personal data.
  • Correct inaccurate or incomplete data.
  • Erase data where there is no continuing lawful reason to keep it.
  • Restrict or object to certain processing, including direct marketing.
  • Port your data to another provider.
  • Withdraw consent at any time where processing is based on consent.

If you are a California resident, you have the right to know, delete and correct your personal information, to opt out of any “sale” or “sharing” of personal information, and not to be discriminated against for exercising your rights.

To exercise any right, email support@islofarrcof.shop. You may also complain to your data protection authority; in the UK this is the Information Commissioner's Office (the UK supervisory authority).

12Do Not Sell or Share

We do not sell your personal information and we do not share it for cross-context behavioural advertising. If this ever changes we will update this policy and provide a clear opt-out mechanism. California residents may contact us at support@islofarrcof.shop to confirm their preferences.

13Cookies and analytics

We use strictly necessary cookies to run the cart and checkout, and limited analytics to understand and improve the site. You control non-essential cookies through our cookie banner and your browser settings. Full details are in our Cookie Policy.

14Automated decisions and children

Brew Matcher provides an automated coffee recommendation based on the answers you give. It has no legal or similarly significant effect — it is a taste suggestion you can accept or ignore, and you can always contact us for human help.

Our store is intended for adults. It is not directed at children under 13, and we do not knowingly collect their data. Customers aged 13–17 should only use the site with a parent or guardian's involvement. Coffee contains caffeine and is intended for adult consumption.

15Changes and how to contact us

We may update this policy from time to time; the “last updated” date above shows the latest version. For any privacy question or request, contact ISLE OF ARRAN COFFEE COMPANY LTD at support@islofarrcof.shop or +44 7684700301, or write to us at 8, The Brae, Lamlash, Isle Of Arran 8, The Brae Lamlash, KA27 8NA, Scotland.

Contact

ISLE OF ARRAN COFFEE COMPANY LTD (Firstlight Coffee)
8, The Brae, Lamlash, Isle Of Arran 8, The Brae Lamlash, KA27 8NA, Scotland
support@islofarrcof.shop · +44 7684700301

Governing law: England and Wales. See our other policies in the help centre.