Privacy Policy


 The present privacy notice (hereinafter “the Privacy Notice”) refers to the company “HOUSE OF BAGELS Private Company” (House of Bagels I.K.E.) with registered offices in Pallini, Attiki Prefecture (7a Ioannou Prodromou Street & Dervenakion Street Post Code 15351) (hereinafter “the Company” otherwise “We”) and the personal data that the Company processes during your visit to our website (“Website”) or our social media pages, such as Facebook, Twitter, LinkedIn and Instagram.

The Company is committed to protecting the confidentiality and privacy of the Personal Data and complies with the relevant provisions of the applicable European and Greek legislation (mainly EU General Data Protection Regulation 679/2016 – hereinafter “GDPR”, Greek laws 4624/2019, 3471/2006, as in force) and relevant decisions and other deeds of the competent supervisory authorities for the protection of individuals with relation to the processing of their personal data. 

We reserve the right to amend and update this Privacy Notice whenever necessary. If there are any changes to this Privacy Notice, we will upload the new document on the Website so that you are informed. Therefore, we recommend that you carefully read this Privacy Notice and check our Website periodically for any changes.

Please do not use our services if you are under 18 years old.



  • Personal Data: any information relating to an identified or identifiable natural person (“Data Subject”) such as: identification information (name, surname, age, residence, family status etc), physical characteristics, education, employment (previous employment, work behavior etc), financial status (income, assets, financial behavior), interests, activities, habits.
  • Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
  • Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data
  • Processor: a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller
  • Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
  • Third Party: a natural or legal person, public authority, agency or other body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorized to Process Personal Data


Who is the Controller 

The Company is the Controller of the Personal Data who maintains and processes in the context of providing its services via the Website and the social media with confidentiality and respect towards your personal life, taking the appropriate technical and organizational measures for their further protection.


Principles upon which we rely 

The Company is committed to abide by the below principles that refer to the Personal Data Processing (article 5 GDPR):

  • Lawfulness, fairness and transparency: the Personal Data are processed lawfully, fairly and in a transparent manner in relation to the Data Subject
  • Purpose limitation: the Personal Data are collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • Data minimization: the Personal Data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • Accuracy/ Personal Data quality: the Personal Data must be accurate and, where necessary, kept up to date
  • Storage limitation: the Personal Data must be kept for no longer than is necessary or required under law for the purposes for which the Personal Data are processed
  • Integrity and Confidentiality: the Personal Data shall be processed in a manner that ensures appropriate security of that personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
  • Accountability: The Controller shall be responsible for, and be able to demonstrate compliance with, the above principles.


Collection of Personal Data 

In the context of the services that are provided on the Website and our social media pages, we collect information concerning you on the following occasions:

  • When you contact us directly through the Website or our social media pages in order to request information on our offered products
  • If you purchase products from us
  • If your Personal Data are transferred to us by companies, partners or other third parties
  • When we are in contact with you during the products’ delivery phase in order to be able to deliver the products to you
  • When you contact us directly through the Website or other channels (other websites or the press), where we may have posted for job openings, in order to submit to us your CV for a job application.

We also collect personal information occasionally from third parties which may lawfully transfer information regarding our customers or to whose records we may legally have access such as our external partners, organizations that are competent concerning fraud accreditation and prevention, legal advisors, public authorities (administrative, tax, judicial, regulatory, insurance institutions) or other legal entities of private / public law.

We process the Personal Data for the purposes that are identified in detail in this Privacy Notice.

You are kindly requested to help us maintain accurate information on you by notifying us for any changes on your Personal Data that you may have disclosed to us.


What kind of personal data do we process about you 

We will collect and further process, as described in this Privacy Notice, the following categories of Personal Data concerning you:

  • Contact details (such as name, surname, address, phone number, email address);
  • Information relating to your order(s) or any relevant request by using our contact details found in our Website and/or social media profiles and/or the order form found in the Website
  • Payment details (e.g. preferred way of payment)
  • User identification data (e.g. your IP address)
  • Customer history information (e.g. satisfaction rate, purchase information, transaction details, complaints)
  • Data referring to the applications / websites / social media (e.g. cookies)


Categories of data subjects 

In the context of the services that are provided on the Website and our social media pages, we collect information concerning the following categories of Data Subjects:

  • Website/our Social media visitors and users
  • Customers
  • Potential Customers
  • Suppliers
  • Natural persons acting in their capacity as employees, managers, or partners in a legal entity
  • Third parties that may relate to facts concerning the sale of our products
  • Our personnel


Which are the purposes and legal bases of the personal data processing  

We will process your Personal Data by applying one of the “legal bases” as defined in articles 6 par. 1 GDPR. The legal basis on which the Processing for each use of your Personal Data is based, is referred hereinbelow besides each processing purpose.

Sale of our products – to process the sale, apply the appropriate solution and administer purchases (Article 6 par. 1 subpar (b) GDPR)

We will use your personal information that you provide us with mainly in order to process your purchase order and offer to you our customer support. In this context, we act because of our contractual relationship (or any pre contractual requirements) by which you will purchase a product from us, and we will accommodate any related request you may have.

The disclosure of personal data that are necessary for the above purpose in the context of a sale of our products, consists of a contractual obligation and non-provision of such information will affect the proper execution of the contract and/or will render the contract non feasible.

Customer support – to address enquiries and provide support concerning our products (article 6 par 1 subpar (b) and (f) GDPR)

Promotional and Marketing actions – to respond to questions and to offer information on our news and products (article 6 par. 1 subpar (a) and (f) GDPR)

We will collect and use your contact details so we can also enlist you in our newsletter subscribers list. In this respect, we will maintain only your basic contact details (email address, social media profile) in order to send you information on our new products, events, actions or offers by relying on our legitimate interest to send newsletters to our customers.

In any event, we will do so until you send us an opt-out request by following the instructions that will be identified in the related communication with us, and as also described in this Privacy Notice. In case you choose to be delisted from any of our related services or communication, we will make all efforts to erase your personal information the earliest possible. However, in certain occasions we may require more time and/or information before we can process your request, for which necessity we will timely inform you in writing.

Please note that, if you unsubscribe from our newsletter subscribers list, you may still receive non-marketing emails from us, such as order confirmation emails, shipping confirmation emails, and communication concerning a transaction with us.

Pursuing our legitimate interests – for example to improve our products, prevent and detect fraudulent actions against us (article 6 par. 1 (f) GDPR)

We may use your information in order to pursue our legitimate interests and thus mainly to operate, evaluate and improve our business, such as, developing new products and services, enhancing and improving our services, managing our communications, analyzing our products and customer base, performing accounting, auditing and other internal functions, as well as, verify your identity, protect against, identify and prevent fraud and other unlawful activity, claims and other liabilities, comply with relevant industry standards, contractual obligations and our policies, but also to support, exercise or defend our legal rights, whether in court proceedings or in an administrative or out-of-court procedure.

Compliance with a legal obligation – to comply with our legal obligations towards the police, regulatory, tax, accounting, auditing, judicial authorities and offices (article 6 par. 1 subpar (c) GDPR) (e.g. for tax or accounting reasons).

Transmission of personal data, as identified above, constitutes a legal obligation that depends on the particular request.

Special Categories of Personal Data processing – pursuant to article 9 pars. 1 and 2 GDPR the processing of “special categories of personal data” (such as data concerning health) is permitted only on certain occasions defined by the law, including which is consent (article 9 par. 2 subpar. (a) GDPR).


How do we ensure the safety of the personal data

We ensure that we process Personal Data by adopting and applying policies and procedures that are consistent with the processing purposes. For example, we use the following security measures for the protection of the Personal Data against unlawful use or any other non-authorized processing:

  • Access to personal data is limited only to a certain number of authorized representatives for the specified purposes
  • Our personnel at the responsible departments are competent to administer your order, are bound by confidentiality obligation and have graded and limited access only to the information that is necessary for the performance of the service
  • In each case that we are required to store personal data of special categories, these are stored electronically in P/Cs with restricted access and in written form, in cupboards which are locked and where access is allowed only to authorized individuals
  • We select reliable partners who commit themselves in writing pursuant to article 28 par. 4 GDPR under same obligations in protecting personal data. We maintain our audit right on such partners pursuant to article 28 par. 3 subpar. (h) GDPR.
  • Our information technology systems that are used for the personal data processing are technically separated from other systems so to prevent non authorized access e.g. via hacking
  • In addition, access to the aforesaid systems is monitored on a permanent basis in order to be able from an early stage to trace and prevent any unlawful use.
  • Personal information that are collected, are stored in servers of restricted access which are controlled with access codes while the Company applies special technologies and processes so to strengthen the protection of such information against loss or misuse, unauthorized access, disclosure, alteration or destruction.

Although the Company makes all efforts to protect the said information, it cannot guarantee that the above technologies and procedures will not be contested ever and in any way. For this purpose, each Website visitor and user undertakes to notify us in case he/she become aware of any illegal, malicious, inappropriate, or unlawful use of the personal data relating in any way to the use of the Website.


For how long we store your personal data

We store the information that you provide through our Website or social media pages only for the time required by the respective processing purpose or by any other related permitted purpose.

In order to determine the retention period of your personal data, we use the following criteria:

  • When you purchase products, we will maintain the information for the whole duration of our contractual obligation
  • When you participate in an advertisement offer, we will maintain the information for the duration of that offer
  • When you contact us to submit an enquiry, we will maintain this information for the time necessary to address such enquiry
  • When you open an account, we maintain this information until you file an erasure request or after a “dormancy” period which may be set by the local regulations and guidelines
  • When you grant your consent for receiving direct promotional material, we will maintain your information until you submit us an erasure request of your account or withdrawal of your consent or after a “dormancy” period which may be set by the local regulations and guidelines

Any information which is no longer necessary is safely destroyed or anonymized.

We restrict access to your data only to individuals who are required to use them for the respective purpose.


 Who are the recipients of the personal data 

Any information provided by you through the Website will not be disclosed, except as provided in this Privacy Notice.

We may transmit personal data, that we collect, to third parties provided that such transmission is lawfully justified.

Moreover, in the context of a lawful transmission, the personal data may be disclosed to the below categories of recipients:

  • Our customers, whether individuals or entities who act as Controllers, in cases where we act as Processor
  • Our employees or partners who may process your data under our instructions
  • Collaborating enterprises acting within their competency
  • External partners who commit themselves in writing pursuant to article 28 par. 4 GDPR under same obligations in protecting personal data
  • Any competent supervisory authority as may be required under the applicable regulatory framework
  • Any competent public or judicial authority, to the extent required under law or court order.

The Company engages a numbers of service providers in the context of offering the aforementioned services. Examples of these service providers include entities that fulfil orders, or offer courier services or provide web hosting, analytics, and marketing services, advisors. Please note that third-party service providers have their own privacy policies, and your information may become subject to the laws of the jurisdiction(s) in which that service provider or its facilities are located. 

We also reserve the right to transfer personal information we have about you in the event we sell or transfer (or contemplate the sale or transfer of) all or a portion of our business or assets (including in the event of a merger, acquisition, joint venture, reorganisation, divestiture, dissolution or liquidation).


Where does the Processing take place 

We Process the personal data, as described herein, within the European Economic Area (EEA).

In case we are required to transfer any personal data outside EEA we shall ensure that the international rules on data transfers, including adoption of Standard Contractual Clauses, are duly applied. 

Data Breach

In case of occurrence of breach to the security and integrity of the information that we hold, which relates to personal data, the Company will, apart from the preemptive measures that have been adopted, take the following measures (pursuant to articles 33 -34 GDPR):

  • Examine and assess the procedures that are required for the confinement of the Data Breach
  • Assess the risk and impact of the Data Breach on the rights and freedoms of the Data Subjects
  • Make efforts to mitigate the damage caused or may be caused
  • Notify the competent authority within 72 hours from becoming aware of the Data Breach, if required
  • Evaluate the consequences of the Data Breach on privacy and take appropriate measures for the avoidance of repetition of the breach
  • Communicate the Data Breach incident to the related Data Subjects, if it is assessed that the Data Breach is likely to result in high risk to the rights and freedoms of natural persons


Your rights as Data Subject and how you may exercise them

In relation to your personal data and the Processing that we carry out, as described in this Privacy Notice, you are entitled to the following rights subject to the terms and limitations set in the applicable law:

  1. Right of Access: the right to be informed of the Processing of your personal data by us and right to request access to those data
  2. Right of Rectification: the right to request rectification or filling out of your data, if these are inaccurate or incomplete
  • Right of Erasure: the right to request the erasure of your data. We can satisfy this right if:
  • That data is no longer necessary for the purposes for which they were collected by us
  • If you withdraw your consent and there is no other legal ground for the processing apart from consent
  • If you exercise the right of objection (see below) and there are no imperative legal grounds for the processing
  • The data were unlawfully processed
  • The data must be erased for compliance with a legal obligation

We maintain the right the reject satisfaction of the above erasure request if the processing of the personal data is necessary for compliance with our legal obligation, for reasons of public interest or for the establishment, exercise, or defense of legal claims (article 17 par. 3 GDPR).

  1. Right of Restriction of Processing: the right to request the restriction of processing. For example, in case you contest the accuracy of your personal data, for the period necessary for us to verify the accuracy.
  2. Right to data portability: the right to receive your data in a structured, easily machine-readable format (e.g. USB) as well as to request that we transmit those data to another controller
  3. Right to Objection: the right to object at any time to the processing of your data, including to profiling, that we may carry out on the grounds of our legitimate interest, such as also when data are processed for direct marketing purposes
  • Consent Withdrawal: the right to revoke your previously given consent, where the processing is based on your consent

In case you exercise any right, the Company will examine carefully your request so to respond in writing within the deadline set by law i.e. within one month from receipt of the request (that may be prolonged for another two months considering the perplexity of the request or total number of requests) of the satisfaction of the request, or alternatively of the reasons that prevent us from satisfying such request (article 12 par. 3 GDPR).

You may exercise your rights at no cost by addressing a written request via email or at our stores as described in par. 15 below. Where a request is exercised in an excessive way (article 12 par. 5 GDPR) a reasonable fee may be charged.

In case you disagree with the processing of your information by us or our response to your request, you are entitled to file a request with the Personal Data Protection Authority.

You may exercise your respective rights by using the contact details mentioned hereinbelow.


Contact details of the data controller

For any matter concerning the processing of your personal data and exercise of the aforementioned rights, you may contact the Company by phone at 210 6664160, by email at or by post to the address: 7a Ioannou Prodromou Street & Dervenakion Street Post Code 15351 Palini

Contact details of the Greek Data Protection Authority





1-3 Kifisias Avenue, Post Code 115 23, Athens



Cookies are important for the effective operation of our website and for the improvement of your online experience.

Click at the option “Accept cookies” to continue or select “More Information” to see description in detail of the cookies and choose whether to accept certain cookies or not.

What are cookies?

Cookies small text files that contain browsing information and are stored in your computer webbrowser, when browsing our website These cookies may be cancelled at any time, and you may amend the functionalities of your browsing program to reject some or all cookies. You may find information on the acceptance, deactivation or new cookie notification at the help functionality in most browsing programs.

We use cookies to constantly improve the Website’s operation, to offer an effective browsing experience, as well as link to its pages.

Information that is produced from the cookies’ record in relation to the use by you of the Website (including your IP address) will be transmitted and stored at Google servers.

If you do not accept cookies, you may not be able to use certain functionalities of our Website.

For more information concerning cookies, please visit


Record Data & Remarketing

We may collect information send by your browsing program each time you visit our website. These record data may contain information such as your computer’s IP address, type, or edition of browsing program, the webpages you visit, time and date of your visit, time spent on such webpages and other statistic information.

In addition, we may use third party services, such as Google Analytics, that collect, monitor and analyze this kind of information in order to improve the functionality of our Website and of our services. These third party service providers apply their own privacy policies regarding the way they use this information and thus we recommend that you are properly informed of their content.

The Company uses remarketing services Google AdWords that is supplied by Google Inc.

Google also recommends installing the additional Google Analytics opt-out browser for your browser program. The Google Analytics opt-out browser tool offers visitors the option to prevent collection and use of their data by Google Analytics. For more information concerning Google privacy practices, please visit Google webpage



Leo’s House of Bagels

Authentic New York City Bagels
Baked in Greece