Privacy Policy

Preamble

This Privacy Policy explains how we process your personal data — including the types of data we collect, the purposes for which we use it, and the scope of our processing activities. It applies to all of our services, websites, mobile applications, and external online presences, including our social media profiles (collectively referred to as the “online services”).

All terms used in this Privacy Policy are intended to be gender-neutral and inclusive.

Last updated: 29 July 2025

Controller

The following entity is responsible for the collection and processing of personal data on this website:

Company: URBUN Coffee GbR
Address: Stauffenbergstraße 65A, 64283 Darmstadt, Germany
Represented by: Muaadh Abo-Alrejal & Sameer Al-Qadasi
Email: hello@urbun-coffee.com
Legal Notice: https://urbun-coffee.com/privacy-policy/

Contact Information of the Data Protection Officer

We are not required to appoint a Data Protection Officer. For any questions or concerns regarding data protection, please contact us at privacy@urbun-coffee.com.

Overview of Processing Operations

The following table provides an overview of the categories of personal data we process, the purposes of processing, and the categories of data subjects affected:

Categories of Processed Data | Purposes of Processing | Categories of Data Subjects
Inventory data | Provide contractual services, fulfill obligations | Customers, Business partners
Payment data | Process payments, fulfill contracts | Customers
Location data | Web analytics, conversion tracking, marketing | Users
Contact data | Contact requests, communication, marketing | Customers, Prospective customers, Users
Content data | Feedback, user profiles | Users, Customers
Contract data | Fulfill contracts, manage relationships | Customers, Business partners
Usage data | Analytics, targeting, usability optimization | Users
Meta, communication, process data | Security, IT infrastructure, performance | Users, Communication partners
Job applicant details | Recruitment, candidate evaluation | Job applicants
Contact information (Facebook) | Manage social media inquiries | Users, Prospective customers
Event data (Facebook) | Marketing, remarketing, analytics | Users

We process personal data based on the following GDPR legal bases, alongside applicable national data protection laws:

  • Consent (Article 6(1)(a) GDPR): Processing with your explicit consent for specific purposes.
  • Contract (Article 6(1)(b) GDPR): Processing necessary to fulfill a contract or pre-contractual requests.
  • Legal Obligation (Article 6(1)(c) GDPR): Processing required to comply with legal or regulatory obligations.
  • Legitimate Interests (Article 6(1)(f) GDPR): Processing carried out for our legitimate business interests, unless overridden by your fundamental rights or freedoms.
  • Job Applications (Article 6(1)(b) GDPR): Processing necessary for pre-contractual or contractual purposes during recruitment. This may include processing special categories of data under Article 9 GDPR, where applicable.

In Germany, we also comply with the provisions of the Federal Data Protection Act (BDSG) and relevant state-specific data protection laws. For users in Switzerland, the Swiss Federal Act on Data Protection (DPA) applies alongside the GDPR.

Security Precautions

We implement appropriate technical and organizational measures to protect your personal data, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to your rights and freedoms.

  • Securing data confidentiality, integrity, and availability.
  • Controlling physical and electronic access to personal data.
  • Ensuring data subject rights, prompt erasure, and rapid incident response.
  • Using TLS/SSL encryption (HTTPS) to protect data during transmission.

Transmission of Personal Data

We share personal data with third parties only when it is necessary and lawful — for example, to provide our services, fulfill contractual obligations, or comply with legal requirements. These third parties include:

  • Service providers (e.g., IT support, hosting, analytics).
  • Payment processors (e.g., PayPal, Stripe).
  • Shipping partners (e.g., DHL).
  • Email marketing and communication tools.
  • Tax consultants and legal advisors to ensure regulatory compliance.

We ensure that all third-party partners are bound by legally compliant Data Processing Agreements (DPAs) and process personal data only as required for the intended purpose. URBUN Coffee GbR operates independently and does not share data within a corporate group.

International Data Transfers

When personal data is processed outside the European Union (EU) or European Economic Area (EEA), such transfers comply with the requirements of the General Data Protection Regulation (GDPR) to ensure an adequate level of data protection. We rely on the following safeguards and mechanisms:

  • Adequacy Decisions (Article 45 GDPR): Transfers to countries recognized by the European Commission as providing adequate data protection.
  • Standard Contractual Clauses (Article 46(2)(c) GDPR): Contractual agreements ensuring appropriate safeguards for international transfers.
  • Explicit Consent or Contractual Necessity (Article 49(1) GDPR): Transfers made when necessary for contract performance or based on your explicit consent.

Some of our service providers are certified under the EU–US Data Privacy Framework (DPF). For more information, see the Data Privacy Framework program or the European Commission’s list of adequacy decisions.

Erasure of Data

We delete or restrict personal data as soon as its storage purpose no longer applies, or if you withdraw consent, unless retention is required by law (for example, tax, commercial, or contractual obligations).

Data subject to legal retention obligations will be restricted from processing and deleted once the mandatory retention period has expired. Restricted data will not be processed for any other purposes during that period.

Rights of Data Subjects

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

  • Right to Object: You have the right to object to the processing of your data based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: You can revoke your consent to data processing at any time, with effect for the future.
  • Right of Access: You may request confirmation as to whether your data is being processed and obtain a copy of the data along with details of its use.
  • Right to Rectification: You can request correction of inaccurate or incomplete personal data.
  • Right to Erasure: You can request deletion of your personal data, provided no legal retention obligations prevent this.
  • Right to Data Portability: You have the right to receive your data in a structured, commonly used, and machine-readable format, or to have it transmitted to another controller where technically feasible.
  • Right to Complain: You may lodge a complaint with a competent data protection supervisory authority if you believe your data is being processed unlawfully.

Use of Cookies

We use cookies and similar technologies to store and retrieve information on your device for purposes such as functionality, security, and analytics. Consent is obtained prior to using non-essential cookies, while essential cookies are used strictly for the operation and delivery of our online services.

  • Temporary Cookies (Session Cookies): Automatically deleted after you close your browser. Used for maintaining session functionality and security.
  • Permanent Cookies (Persistent Cookies): Remain stored on your device for up to two years, for purposes such as remembering login status or enabling web analytics.

You can manage or delete cookies in your browser settings. You may also opt out of behavioral advertising through external platforms such as YourOnlineChoices (EU) or AboutAds (USA).

Service Used: Complianz (Cookie Consent Manager)
Provider: Complianz B.V., Kalmarweg 14-5, 9723 JG Groningen, Netherlands
Website: https://complianz.io/
Privacy Policy: https://complianz.io/legal/privacy-statement/

Business Services

We process personal data of our customers, clients, and business partners to fulfill contracts, manage inquiries, and ensure smooth business operations. Data is retained only as long as necessary for the purpose of processing or in accordance with statutory retention periods (e.g., 4–10 years for tax and accounting obligations).

Processed Data: Inventory data, payment data, contact details, contract data, usage data, and meta data.

Purposes of Processing: Contract fulfillment, service provision, communication, security, and administrative management.

Legal Basis: Contract (Article 6(1)(b) GDPR), Legal Obligation (Article 6(1)(c) GDPR), and Legitimate Interests (Article 6(1)(f) GDPR).

Providers and Services Used in the Course of Business

We work with trusted third-party providers and platforms to deliver our services efficiently and securely. Each provider processes data in accordance with applicable privacy laws and their respective privacy policies.

Payment Procedure

We use trusted third-party payment providers to process financial transactions securely. These providers handle payment processing in compliance with applicable data protection laws and industry security standards (such as PCI DSS).

Data Processed:

  • Personal details (e.g., name, billing address)
  • Payment details (e.g., card number or payment method)
  • Transaction data (e.g., amount, date, and reference ID)

Legal Basis: Contract (Article 6(1)(b) GDPR)

Payment Providers

We collaborate with secure and reputable payment providers to handle online transactions. All payment information is processed directly by these providers in accordance with their respective privacy policies.

Provision of Online Services and Web Hosting

We process user data to provide, maintain, and secure our online services. This includes the operation of our website, online shop, and related infrastructure necessary for reliable service delivery.

Processed Data: Usage data, meta data, content data, inventory data, payment data, and contact details.

Purposes of Processing: Service delivery, usability optimization, website security, and fulfillment of contractual obligations.

Legal Basis: Legitimate Interests (Article 6(1)(f) GDPR)

Services Used

Blogs and Publication Media

We process personal data related to our blog and other publication media to enable user interaction, manage comments, and maintain the security of our online content. This includes measures to prevent misuse and ensure smooth communication.

Processed Data: Inventory data, contact details, content data, usage data, and meta data.

Legal Basis: Legitimate Interests (Article 6(1)(f) GDPR)

Contact and Inquiry Management

We process personal data to respond to contact requests and manage communication with users, customers, or interested parties. This includes inquiries submitted via contact forms, email, telephone, or social media platforms.

Processed Data: Contact details (e.g., name, email address, phone number) and content data provided in the inquiry.

Legal Basis: Contract (Article 6(1)(b) GDPR) and Legitimate Interests (Article 6(1)(f) GDPR)

Job Application Process

We do not currently accept job applications through our website. If this changes in the future, the relevant information regarding data processing for applicants will be provided and updated in this section.

Cloud Services

We use cloud-based services for secure data storage, backup, and management. These services may process inventory data, contact details, content data, and usage data as part of our operational infrastructure.

Service Used: Google Cloud Storage

Website: https://cloud.google.com/
Privacy Policy: https://policies.google.com/privacy

Newsletter and Electronic Communications

We send newsletters and promotional updates only with your explicit consent, following a secure double opt-in process. You can unsubscribe at any time by using the link provided in each email or by contacting us directly. We retain data for up to three years after unsubscribing solely to demonstrate proof of consent in compliance with legal requirements.

Service Used: Omnisend
Privacy Policy: https://www.omnisend.com/privacy/

Commercial Communication

We may process personal data to send promotional communications via email, postal mail, or telephone. Such communications are conducted with your prior consent or within the limits of our legitimate business interests. You can withdraw your consent or object to receiving promotional communications at any time.

Legal Basis: Consent (Article 6(1)(a) GDPR) and Legitimate Interests (Article 6(1)(f) GDPR)

Web Analysis, Monitoring, and Optimization

We use web analytics tools to measure and evaluate visitor behavior, website performance, and engagement. Data is processed in pseudonymized form, with IP addresses anonymized or masked whenever possible.

Service Used: Google Analytics 4

Website: https://marketingplatform.google.com/about/analytics/
Privacy Policy: https://policies.google.com/privacy

Online Marketing

We process personal data for targeted advertising, performance measurement, and conversion tracking to improve the relevance of our marketing campaigns.

Services Used:

Legal Basis: Consent (Article 6(1)(a) GDPR)

Profiles in Social Networks (Social Media)

We maintain profiles on social media platforms to engage with users, share updates, and build brand awareness. Data processed through these platforms is subject to each provider’s privacy policy and may include analytics or targeted advertising.

Platforms Used:

Plugins and Embedded Functions and Content

We use external plugins and embedded media to enhance the functionality and presentation of our website. These may process user interaction, usage, and meta data.

Service Used: YouTube (embedded videos)

Website: https://www.youtube.com/
Privacy Policy: https://policies.google.com/privacy

Changes and Updates to the Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, technical, or business changes. Please refer to this page periodically for the latest version.

Terminology and Definitions

  • Personal Data: Information relating to an identifiable person (Article 4(1) GDPR).
  • Controller: The entity determining the purposes and means of data processing (Article 4(7) GDPR).
  • Processing: Any operation performed on personal data, such as collection, recording, organization, storage, or erasure (Article 4(2) GDPR).