Related policies: Terms of Use, Cookie Policy, Code of Business Conduct.
1. Introduction
Trust is the currency of our business. At Saporina, we are committed to protecting not only the quality of our food but also the privacy of the people who interact with us.
This Privacy Policy explains how we collect, use, and protect your personal data when you visit our website, do business with us, or join our manufacturing network.
2. Data Controller
The entity responsible for the processing of your personal data is:
-
Identity Saporina
-
Data Protection Officer (DPO) Contact privacy@saporina.com
-
Address 10th of Ramadan City, Sharqia Governorate, Egypt
3. Data We Collect
We process different types of data depending on your relationship with us:
3.1 Browsing Data
What: IP addresses, URI addresses, time of requests, and device type.
Source: Collected automatically via cookies and server logs. See Section 6 (Cookies) for details.
3.2 Data You Provide
- Contact Forms: Name, email, phone number, and company name when you request a quote or product specification.
- Commercial Data: Billing details, tax IDs, and authorized signatories needed to execute contracts.
- Supply Chain Data: If you are a manufacturing partner, we collect professional data regarding your certifications, audits, and key personnel.
3.3 Whistleblowing Data
What: Data provided through our Responsible Channel (Ethics Reporting).
This data is treated with the highest level of confidentiality and separate security protocols.
4. Purpose and Legal Basis
We process your data for specific, legitimate reasons:
Service Provision
Managing orders, logistics, and customer support.
Supply Chain Compliance
Vetting manufacturing partners (audits, certifications) to ensure they meet Saporina standards.
Legal Compliance
Tax reporting, accounting, and anti-money laundering checks.
Marketing
Sending newsletters or product catalogs.
Website Security
Preventing fraud and cyber-attacks.
4.1 Multi-Jurisdictional Recognition
Where Saporina processes personal data of residents of jurisdictions other than the EU, the legal-basis catalogue above is read together with the corresponding domestic law:
Egypt — Personal Data Protection Law 151/2020
Saporina is established in Egypt and registered with the Personal Data Protection Center (PDPC). Articles 6, 12, and 19 of Law 151/2020 are read concurrently with GDPR Articles 6, 7, and 13. The Egyptian PDPC is the lead supervisory authority for first-party processing.
United Kingdom — UK GDPR & Data Protection Act 2018
Processing relating to UK residents is subject to the UK GDPR as retained and amended by the Data Protection Act 2018 (DPA). The UK Information Commissioner's Office (ICO) is the lead supervisory authority.
United States — CCPA / CPRA, Virginia VCDPA, Colorado CPA
California residents have rights under the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.) as amended by CPRA: right to know, delete, correct, opt-out of sale/sharing, limit sensitive-data use, and non-discrimination. Saporina honors the Global Privacy Control (GPC) as a valid opt-out signal under CCPA §1798.135.
Brazil — LGPD (Lei Geral de Proteção de Dados — 13.709/2018)
For Brazilian data subjects, Articles 7–11 LGPD legal bases are read in parallel with GDPR Article 6.
5. Data Sharing
Saporina does not sell your personal data. We only share data when necessary to run our global operations:
Service Providers
Third parties acting as Data Processors (e.g., IT hosting, cloud storage, marketing agencies). They are bound by strict confidentiality agreements.
Logistics Partners
We share shipping details with freight forwarders and customs brokers to deliver products.
Public Authorities
When required by law (e.g., tax authorities or judicial bodies).
International Transfers
We may process data outside the European Economic Area (EEA). In such cases, we ensure protection through Standard Contractual Clauses (SCCs) or adequacy decisions.
6. Cookies
Our website uses cookies — small text files stored on your device — to ensure functionality, improve your experience, and analyze usage patterns.
Strictly Necessary Cookies
Required for the website to function (e.g., session management, security). These cannot be disabled.
Analytics Cookies
Help us understand how visitors interact with our Site (e.g., pages visited, time on site). These are only set with your consent.
Managing Your Preferences
You can manage or withdraw your cookie consent at any time via the cookie banner on our Site, or by adjusting your browser settings. Note that disabling certain cookies may affect Site functionality.
7. Data Retention
We keep your data only as long as necessary:
-
Commercial/Tax Records: 10 years (statutory limitation).
-
Marketing Data: Until you withdraw your consent (unsubscribe).
-
Whistleblowing Reports: Kept only for the duration of the investigation and legal proceedings, then deleted.
8. Your Rights
Under the GDPR, you have the following rights over your data:
Right of Access
Ask if we are processing your data and request a copy.
Right to Rectification
Correct inaccurate information.
Right to Erasure
Request deletion when data is no longer needed.
Right to Restriction
Limit how we use your data.
Right to Object
Stop us from processing your data for marketing.
Right to Portability
Get your data in a structured, machine-readable format.
To exercise any of these rights, please email privacy@saporina.com.
We will respond to your request within 30 days. In complex cases, this may be extended to 90 days, and we will inform you of any extension.
Right to Lodge a Complaint
If you are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority (supervisory authority) under Article 77 of the GDPR.
9. Security & Breach Notification
We implement robust technical and organizational measures appropriate to the risk of processing — including encryption in transit and at rest, role-based access controls, network segmentation, multi-factor authentication for privileged accounts, and regular penetration testing — to protect your data against unauthorized access, loss, or alteration.
9.1 Privacy by Design & by Default (Article 25 GDPR)
Data-protection requirements are embedded into every new system and process from the start. Default settings minimize data collection, retention, and accessibility. Where a new processing activity carries elevated risk to data subjects (e.g., large-scale profiling, special-category data, systematic monitoring), Saporina conducts a Data Protection Impact Assessment (DPIA) under Article 35 GDPR before deployment.
9.2 Personal Data Breach Notification (Articles 33 & 34 GDPR)
In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, Saporina will:
- Notify the lead supervisory authority (Egyptian PDPC for first-party processing; the relevant EEA DPA for EU-resident data subjects; the ICO for UK residents) within 72 hours of becoming aware of the breach (Article 33).
- Where the breach is likely to result in a high risk to data subjects' rights and freedoms, communicate the breach directly to the affected individuals without undue delay, in clear and plain language (Article 34), unless one of the exceptions in Article 34(3) applies.
- Maintain an internal register of all breaches under Article 33(5), including the facts, effects, and remedial action taken, available for supervisory-authority inspection.
9.3 No Automated Decision-Making (Article 22 GDPR)
Saporina does not engage in solely automated decision-making (including profiling) that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR. Where Saporina deploys automated processes for fraud detection, supplier vetting, or marketing segmentation, every consequential decision is subject to meaningful human review.
9.4 Children's Data (Article 8 GDPR)
Our services target B2B buyers and adult consumers; we do not knowingly collect personal data from children under the age of 16 (or the lower national age-of-consent threshold where applicable, e.g., 13 in the United Kingdom and Spain, 14 in Italy and Austria). If we become aware that a child has submitted personal data without verifiable parental consent under Article 8(1), we will erase that data without undue delay. If you are a parent or guardian and believe your child has provided personal data, contact privacy@saporina.com.
10. Changes to this Policy
We may update this policy to reflect changes in our operations or legal requirements. When we make material changes, we will update the "Effective Date" at the top of this page.
The latest version of this policy will always be available on this page. We encourage you to review it periodically.
Where to Look Next
Different visitors have different reasons for reading this Privacy Policy. Use the guide below to jump to what's most relevant for you.
Data Subjects
For your full statutory rights and the supervisory-authority complaint pathway, see Section 8 — Your Rights. To exercise a right, email privacy@saporina.com.
Concerned About a Breach
For our 72-hour notification commitment under Articles 33 & 34 GDPR, see Section 9.2 — Personal Data Breach Notification.
B2B Buyers & Auditors
For our processor catalog and international-transfer mechanisms, see Section 5 — Data Sharing. For our multi-jurisdictional compliance map (GDPR / UK GDPR / CCPA / Egyptian PDP Law / LGPD), see Section 4.1 — Multi-Jurisdictional Recognition.
Parents & Guardians
For our position on children's data and the erasure pathway under Article 8 GDPR, see Section 9.4 — Children's Data.