Privacy Notice
1. Introduction
This Privacy Notice describes how JAB Holding Company S.à r.l. (together with its subsidiaries and affiliates, “JAB”, “we”, “us”, or “our”) gathers and uses personal data about you when you (i) use, visit or otherwise interact this website or any other of JAB’s websites that link to this Privacy Notice; or (ii) you interact with us on behalf of one of our current or potential suppliers, vendors or partners. This Privacy Notice also describes how we protect and share this personal data and the rights you may have in relation to this personal data.
Where relevant, this Privacy Notice applies together with our Website Terms of Use and Cookies Policy.
Annex A provides additional information for residents of certain U.S. states that supplements the information provided throughout this Privacy Notice and sets out privacy rights relevant to residents of such states.
For the purposes of Data Protection Legislation (defined below), where relevant, the JAB entity to which the website relates or with which you or the entity you represent has a relationship acts as the data controller with respect to the personal data described in this Privacy Notice.
2. Commitment to Your Privacy
We value your right to privacy and strive to protect your personal data in accordance with the following laws, to the extent applicable to JAB:
- The EU General Data Protection Regulation (EU) 2016/679 (“EU GDPR”);
- The UK General Data Protection Regulation as incorporated into UK law (“UK GDPR”) and the UK Data Protection Act 2018;
- Applicable United States federal and state privacy laws, including, where applicable, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”); and
- Other applicable data protection laws (collectively “Data Protection Legislation”).
This Privacy Notice explains:
- how we collect your personal data;
- how and for what purposes we use your personal data;
- to whom your personal data may be disclosed; and
- your rights in relation to the processing of your personal data.
We encourage you to read this Privacy Notice carefully.
Important Notice:
By using our website and by sharing your personal data with us, you acknowledge that your personal data will be processed as described in this Privacy Notice, and, where permitted by Data Protection Legislation, you consent to such processing.
3. Whose Personal Data Do We Collect?
In the context of providing our website and/or conducting business relationships with vendors, we may collect personal data relating to:
- visitors to our website;
- representatives of our vendors; and
- professional contacts.
4. How We Collect Personal Data
We may collect personal data in various ways, including:
4.1 Directly from You
For example, when you:
- visitors to our website;
- contact us via email or our website;
- send us an email; or
- otherwise interact with us in the context of our business activities.
4.2 From Third Parties
For example, from:
- our business partners; and
- other professional contacts.
4.3 From Within JAB and From Our Affiliates
4.4 Automatically
When you visit our website, certain technical data may be collected automatically via cookies and server logs.
5. Categories of Personal Data
Depending on how you interact with us, we will collect the following categories of personal data from or about you:
5.1 Identification and Contact Information
Your contact details: name, address, telephone number, office address, email address.
5.2 Website and Technical Data
Technical information about interactions with our website: IP address, browser type, device information, usage data and Apache access logs.
5.3 Business Relationship Data
Any personal data we may generate about you when we interact with you in connection with our business relationship. This includes information about our communications with you concerning services we are providing to or receiving from you.
6. How We Use Your Personal Data
The purposes for which we process your personal data, and our legal basis for doing so, are set out in the following table:
| Purpose | Data categories (as defined above) | Legal basis for processing |
|---|---|---|
| To communicate with you in the context of our (actual or prospective) business relationship and to respond to your queries or requests | Identification and contact information Business relationship data | Our legitimate interests in managing our website users and current and potential vendors, suppliers and partners and responding to queries from you. |
| To operate and improve our website, such as resolving technical issues, supporting the security of our website, analysing user trends, detecting fraud or other types of abuse, and gathering broad demographic information for aggregate use | Website and technical data | Our legitimate interests in operating and improving our website. |
| To obtain legal advice or to establish, exercise or defend legal rights and claims, including in conducting internal investigations | Any of the data described in this Privacy Notice | Our legitimate interests in obtaining legal advice in relation to, and establish, exercise or defend, our legal rights and obligations. |
| To comply with applicable laws, including responding to investigations or regulatory inquiries regarding our compliance with applicable laws | Any of the data described in this Privacy Notice | Our legal obligations to comply with applicable laws, and our legitimate interests in complying with those laws and cooperating with regulators. |
7. Disclosure of Personal Data
We may share your personal data, where necessary, with:
- service providers (e.g. IT service providers, central administration agents, registrars and transfer agents, marketing agencies);
- affiliated companies (including in connection with any corporate reorganization, merger, or other business transaction); and
- professional contacts.
Where appropriate, we implement contractual safeguards in accordance with Data Protection Legislation, including data processing agreements, to seek to ensure the protection and security of your personal data.
8. International Transfers
Recipients of your personal data may be located outside the European Economic Area (“EEA”) or the United Kingdom (“UK”) including in countries that may not provide the same level of data protection as the EEA and/or the UK (for example, the United States).
In such cases, we implement appropriate safeguards in accordance with applicable data protection legislation, including:
- transferring data to recipients participating in an approved adequacy framework (where applicable); or
- entering into the European Commission’s Standard Contractual Clauses and UK equivalent.
We do not rent or sell your personal data to third parties. If you would like to obtain more information on how we transfer your personal data outside of your jurisdiction, including about the safeguards we have in place, you can contact us using the contact details provided below.
9. Data Retention
We don’t process your personal data for longer than necessary to fulfill the purposes described in this Privacy Notice, defend legal claims or as required under applicable law. In particular, and without limitation to the foregoing, we have legal obligations, including obligations to financial services regulators, that may require us to retain your personal data for certain minimum time periods. We may also retain personal data to investigate or defend against potential legal claims in accordance with the limitation periods of jurisdictions where legal action may be brought. In general, this means that we hold your personal data for 7 years.
10. Security Measures
We implement appropriate administrative, technical, and organisational measures to ensure a level of security appropriate to the risks identified.
We protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
Examples of measures include:
- servers protected by firewalls;
- regular updates of anti-virus and anti-spam systems;
- internal access controls for files;
- encryption of business data transferred to external networks;
- restricted physical access to facilities where data is stored.
We also take reasonable steps to ensure personal data remains accurate and up to date.
11. Your Rights
To the extent provided by Data Protection Legislation in your jurisdiction, you may have the right to:
- access your personal data;
- rectify inaccurate personal data;
- request erasure (“right to be forgotten”);
- request restriction of processing;
- object to processing;
- receive your personal data in a structured, commonly used, and machine-readable format and transmit it to another organisation (data portability); and
- the right to withdraw your consent.
You can exercise or enquire about the rights applicable to you using the contact details in Section 14.
Depending on your circumstances you may also have the right to lodge a complaint with the Luxembourg Data Protection Authority (Commission nationale pour la protection des données – CNPD) at https://cnpd.public.lu, the UK Information Commissioner’s Office – ICO at https://ico.org.uk/, or with any other competent data protection authority in your country.
12. Cookies and Other Similar Technologies
When you visit our website, we may store information on your device in the form of cookies or similar technologies. Cookies are small text files sent by a web server to your browser and stored on your device.
Apart from the IP address, no personal data concerning the user is stored. We use session cookies and other cookies strictly necessary to provide services requested by you. You can find additional information on how we use cookies on our website in our Cookie Policy which forms part of this Website Privacy Notice.
Google Analytics
Our website uses Google Analytics, a web analytics service provided by Google LLC (“Google”). Google Analytics uses cookies to analyse website usage.
Information generated by cookies is transmitted to Google servers in the United States. The data does not identify you personally. Your IP address is anonymised by truncation before storage.
Google uses this information to analyse website use, compile reports, and provide related services. Google may disclose this information to third parties where required by law or where third parties process the data on Google’s behalf.
To learn more about Google Analytics, please refer to www.google.com/policies/privacy/partners, and to opt out of Google Analytics, visit tools.google.com/dlpage/gaoptout.
13. Information Related to Minors
JAB does not knowingly collect information directly from minors—persons under the age of 16, or another age of a minor as defined by law—other than when required to comply with the law or for safety or security reasons. If we learn that, despite these measures, a child under the age of 13 has submitted personally identifiable information to us through the website, we will take reasonable measures to delete such information from our records and to not use such information for any purpose (except where necessary to protect the safety of the child or others as required by law).
14. Contact and Changes
To contact our global data protection office or to exercise any of your data privacy rights, please email privacy [at] jabholco [dot] com.
This Privacy Notice was last updated February 2026 and supersedes any previously distributed Privacy Notice. From time to time, we may update this Privacy Notice and we encourage you to check this notice periodically to review these updates. However, we will take reasonable steps to notify you if this Notice changes materially.
Annex A: U.S. State Privacy Rights
Depending on your state of residence, you may have certain rights under U.S. state privacy laws with respect to personal data about you, subject to certain exceptions and limitations. This section applies to residents of such states and contains rights and disclosures required by law by supplementing the information provided above. Please contact privacy [at] jabholco [dot] com or submit a form to request this Privacy Notice in an alternative format.
Our Collection, Use, and Disclosure of Personal Data
Collection, Use, and Disclosure. In the preceding twelve (12) months, we collected, used and disclosed the following categories of personal data:
| Category | Examples | Categories of Recipients |
|---|---|---|
| Internet or other similar network activity | Use of our website and other online platforms (e.g., cookies, browsing history and/or search history), as well as information you provide to us when you correspond with us in relation to inquiries. | Our service providers, administrators, lenders, banks, auditors, law firms, governmental agencies or pursuant to legal process, self-regulatory organizations, consultants and other parties as necessary for the management of vendor relationships. |
| Geolocation data | IP address. | Our service providers, administrators, lenders, banks, auditors, law firms, governmental agencies or pursuant to legal process, self-regulatory organizations, consultants and other parties as necessary for the management of vendor relationships. |
| Identifiers | Name, contact details and address (including physical address, email address and Internet Protocol address), and other identification of vendor representatives. | Our service providers, administrators, lenders, banks, auditors, law firms, governmental agencies or pursuant to legal process, self-regulatory organizations, consultants and other parties as necessary for the management of vendor relationships. |
| Personal data categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) | Telephone number for vendor representatives. | Our service providers, administrators, lenders, banks, auditors, law firms, governmental agencies or pursuant to legal process, self-regulatory organizations, consultants and other parties as necessary for the management of vendor relationships. |
| Professional or employment-related information | Place of employment, job title, and role of vendor representatives. | Our service providers, administrators, lenders, banks, auditors, law firms, governmental agencies or pursuant to legal process, self-regulatory organizations, consultants and other parties as necessary for the management of vendor relationships. |
We do not collect or use sensitive personal data for purposes that require us to offer a right to limit.
We do not share for the purpose of cross-context behavioral advertising or sell (as such terms are defined in the CCPA) any of the personal information we collect about you to third parties.
We collect personal data for the business or commercial purposes and from the sources set forth in the “How We Collect Personal Data” and “How We Use Your Personal Data” sections in the Privacy Notice above.
We retain the categories of personal data set forth in this Annex A as set forth in the “Data Retention” section in the Privacy Notice above.
Deidentified and Aggregated Information
We may use and share aggregated and deidentified information to the extent permitted by applicable law. When we use deidentified information, we maintain and use the information in deidentified form and do not attempt to reidentify it, except to check whether our deidentification processes satisfy the requirements of applicable law.
Privacy Rights
Depending on your state of residence, you may have certain rights with respect to your personal data, subject to certain exceptions and limitations:
- Deletion Rights: You may have the right to request that we delete the personal data that we retain, subject to certain exceptions.
- Know and Access Rights: You may have the right to request that we disclose to you certain information regarding our collection, use, and disclosure of personal data specific to you. Such information includes:
- The categories of personal data we collected about you;
- The categories of sources from which the personal data is collected;
- Our business or commercial purpose for collecting such personal data;
- Categories of third parties to whom we disclose the personal data; and
- The specific pieces of personal data we have collected about you.
- Correction Right: You may have the right to request that we correct any inaccuracies in the personal data that we retain, subject to certain exceptions.
- No Discrimination: We will not discriminate against you for exercising your rights under Data Protection Legislation, including by denying service, suggesting that you will receive, or charging, different rates for services or suggesting that you will receive, or providing, a different level or quality of service to you.
How to Submit a Request
You may submit a request by using one of the following methods:
- Email us: privacy [at] jabholco [dot] com
- Website: Submit a request through the Contact Us form.
We will contact you to confirm receipt of your request and request any additional information necessary to verify your request (including name and email address). We verify requests by matching information provided in connection with your request to information contained in our records.
Where permitted under applicable U.S. state privacy laws, you may designate an authorized agent to make a request on your behalf, provided that you provide a signed agreement verifying such authorized agent’s authority to make requests on your behalf, and we may verify such authorized person’s identity using the procedures above.