Privacy policy

Privacy Notice
Version 1. Last updated: 27 January 2026.

This Privacy Notice applies where Lulu Limited (hereinafter referred to as “We”, “Us” or “Our”) is acting as a Data Controller with respect to Our Processing of Your Personal Data for the purpose(s) of processing and fulfilling customer orders placed through Our e-commerce website: www.lulucafe.com.mt (the “Website”).

Our Website is powered by Shopify Inc. ("Shopify"), which provides the e-commerce platform and related services. Shopify collects and processes certain Personal Data about Your access to and use of the Website in order to provide and improve the services. Information You submit through the Website will be transmitted to and shared with Shopify as well as third parties that may be located in countries other than where You reside. To learn more about how Shopify uses Your Personal Data and to exercise any rights You may have with respect to data processed by Shopify, You can visit Shopify's privacy policy at https://www.shopify.com/legal/privacy and Shopify's privacy portal.

Any Personal Data We Process is kept within Our own records in accordance with the relevant data protection and privacy laws to which We are subject including but not limited to the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) and the Data Protection Act (Chapter 586 of the Laws of Malta) and the subsidiary legislation issued thereto, as may be amended from time to time (hereinafter collectively referred to as the “Applicable Laws”).

References to “Data Controller”, “Data Subject”, “Personal Data”, and “Process”, “Processed”, “Processing” in this Privacy Notice have the meanings set out in, and will be interpreted in accordance with the Applicable Laws. “You” and “Your” refers to the Data Subject.

 

1.Data Controller Details

The Data Controller of your Personal Data is Lulu Limited.  We are committed to respecting your privacy.  If you wish to contact Us about Our privacy practices please feel free to do so by email at info@lulurestaurant.com. You may also wish to contact Us by telephone on +356 21384498.

Where Shopify Processes Your Personal Data for its own purposes (including to provide and improve its platform services and for enhanced features that incorporate data from Your interactions with Our Website and other merchants), Shopify acts as a separate Data Controller and is responsible for responding to Your requests to exercise Your rights over such processing. Please refer to Shopify's privacy policy for more information.

 

2. Personal Data

The term “Personal Data” refers to all personally identifiable information about you and includes all the information you provide to Us or information that is provided to Us by third parties, which can be identified with you personally.

The following are the Personal Data that We collect:

  1. Full name;
  2. Email address;
  3. Delivery address;
  4. Telephone/Mobile number;
  5. Payment information;
  6. Order history and preferences;
  7. IP address and cookies;
  8. Dietary / allergy information if you choose to provide this in order notes or when contacting us (e.g. glutenfree, nut allergy);
  9. Any other information voluntarily provided when placing an order or contacting Us;
  10. Device information including information about Your device, browser, network connection and other unique identifiers;
  11. Usage information including information regarding Your interaction with the Website, including how and when You interact with or navigate the Website;
  12. Transaction information including the items You view, put in Your cart, add to Your wishlist, or purchase, return, exchange or cancel and Your past transactions; and
  13. Account information including Your username, password, security questions, preferences and settings (if applicable).

We do not intentionally seek to collect special categories of data (such as health data) about you through our Website. If you choose to provide allergy or dietary information (e.g. “nut allergy”), We Process this information only to the extent necessary to prepare your order safely and in line with the legal bases available under Articles 6 and 9 GDPR.

 

3.Purposes of Processing 

The purposes of Processing for which Your Personal Data are intended include: (a) processing and fulfilling customer orders placed through Our Website, including creation of an account (where applicable), delivery of products, processing payments, communicating with You regarding Your order, and providing customer support; (b) tailoring and improving the Website and services, including remembering Your preferences and items You are interested in; (c) security and fraud prevention, including authenticating Your account, detecting and investigating possible fraudulent, illegal, unsafe or malicious activity, and securing Our services; and (d) complying with applicable legal obligations and responding to valid legal process. Additionally, to help protect, grow and improve Our business, We use certain Shopify enhanced features that incorporate data and information obtained from Your interactions with Our Website, along with other merchants and with Shopify. For these enhanced features, Shopify processes Your Personal Data in accordance with its own privacy policy.


From time to time we would also like to contact you about Our products and services, promotional offers, information relating to operations as well as information in relation to products and services provided by third parties offers and promotions (“Marketing”).

 

4. Legal Basis 

Our legal bases of Processing your Personal Data are:

  1. the performance of a contract to which You are party, namely the processing and fulfilment of Your order for products purchased through Our Website;
  2. Our legitimate interests in, for example, operating and improving Our e-commerce business, provided such interests are not overridden by Your fundamental rights and freedoms; and
  3. Your consent, where applicable, particularly in relation to Marketing communications, the use of cookies and similar technologies, and any other processing where consent is required by law.

We might also have to Process your Personal Data to comply with legal obligations imposed on Us.

 

5. Recipients

The recipients of Your Personal Data include: (a) Shopify and its service providers who process Personal Data on Our behalf; (b) vendors and other third parties who perform services on Our behalf (including IT management, payment processing, data analytics, customer support, cloud storage, fulfilment and shipping); (c) business and marketing partners to provide marketing services and advertise to You (where You have consented to such processing); (d) delivery or courier partners; (e) Our affiliates or otherwise within Our corporate group; and (f) third parties to whom disclosure may be required by law or in connection with a business transaction such as a merger, or to enforce any applicable terms of service or policies, and to protect or defend the Website, Our rights, and the rights of Our users or others.

Please note that Your Personal Data may be transferred to, stored and processed in countries outside the European Economic Area, including by Shopify and its service providers. Where We transfer Your Personal Data outside the European Economic Area, We will ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, unless the data transfer is to a country that has been determined to provide an adequate level of protection.

 

6. Processing Requirement

The processing of your Personal Data is not a statutory requirement - it is a requirement in order for Us to process and fulfil Your order. If You do not provide the required Personal Data, We will not be able to process Your order or deliver the products You have purchased.

 

7. Automated Decision-Making and Profiling

Your Personal Data will not be used for any automated decision-making or profiling.


8. Data Retention Period

Your Personal Data shall be retained only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. Thereafter, it shall be immediately and irrevocably erased unless We are required to retain your Personal Data to comply with a legal obligation, or to establish, exercise or defend any legal claim.

9. Your Rights

For as long as We retain your Personal Data, you have certain rights in relation to your Personal Data including:

  1. Right of access: you have the right to ascertain the Personal Data We hold about you and to receive a copy of such Personal Data;
  2. Right to complain: you have the right to lodge a complaint regarding the processing of your Personal Data with the supervisory authority for data protection matters. In Malta this is the Information and Data Protection Commissioner (contact details provided below);
  3. Right to Erasure: in certain circumstances you may request that We delete the Personal Data that we hold about you;
  4. Right to Object: you have a right to object and request that We cease the processing of your Personal Data where We rely on Our, or a third party’s legitimate interest for processing your Personal Data;
  5. Right to Portability: you may request that We provide you with certain Personal Data which you have provided to Us in a structured, commonly used and machine-readable format (except where such Personal Data is provided to us in hand-written format, in which case such Personal Data will be provided to you, upon your request, in such hand-written form). Where technically feasible, you may also request that we transmit such Personal Data to a third party controller indicated by you;
  6. Right to Rectification: you have the right to update or correct any inaccurate Personal Data which We hold about you;
  7. Right to Restriction: you have the right to request that We stop using your Personal Data in certain circumstances, including if you believe that We are unlawfully processing your Personal Data or the Personal Data that We hold about you is inaccurate;
  8. Right to withdraw your consent: where Our processing is based on your consent. Withdrawal of your consent shall not affect the lawfulness of the processing based on your consent prior to the withdrawal of your consent; and
  9. Right to be informed of the source: where the Personal Data We hold about you was not provided to Us directly by you, you may also have the right to be informed of the source from which your Personal Data originates.

Please note that your rights in relation to your Personal Data are not absolute and we may not be able to entertain such a request if we are prevented from doing so in terms of an applicable law.

You may exercise the rights indicated in this section by contacting Us at the details indicated above.

We may need to verify Your identity before We can process Your requests to exercise Your rights, as permitted or required under applicable law. In accordance with applicable laws, You may designate an authorized agent to make requests on Your behalf to exercise Your rights. Before accepting such a request from an agent, We will require that the agent provide proof You have authorized them to act on Your behalf, and We may need You to verify Your identity directly with Us.


10. Complaints

If you have any complaints regarding Our processing of your Personal Data, we kindly ask that you please attempt to resolve any issues you may have with us first by contacting Us at the contact details included above. However, please note that you always have a right to lodge a complaint with the Office of the Information and Data Protection Commissioner in Malta (www.idpc.gov.mt).

 

11. Changes to this Privacy Notice

We may update this Privacy Notice from time to time, for example to reflect changes in our processing activities or legal obligations. We will publish the updated version on our Website with a new “last updated” date and, where appropriate, notify you by email or through the Website.