Privacy Notice

Privacy Notice

1. Introduction

This Privacy Notice will inform you as to how G.F. HOOKAH CYPRUS LTD and any affiliated and/or subsidiary companies thereof (referred to as ‘we’, ‘us’, ‘our’, ‘company’ or “”) process data, whether on individuals (including personal data in respect of individuals who are clients, intermediaries or other third parties which whom G.F. HOOKAH CYPRUS LTD interact with, or any individual who is connected to those parties) or otherwise, as well as when you visit our website (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you.

This Privacy Notice is mainly directed to natural persons who are either current or potential customers of G.F. HOOKAH CYPRUS LTD or are authorized representatives/agents or beneficial owners of legal entities or of natural persons who are current or potential clients of the company as well as to natural persons who had such a business relationship with the Company in the past.

Where the data held are on individuals, this document also sets out the rights of those individuals in respect of the said personal data.

2. Who we are

G.F. HOOKAH CYPRUS LTD ( was created in 2018 from a team of Hookah enthusiasts in order to provide products and services to any size of business and individuals throughout Cyprus as well as internationally. The company has become one of the most respected Hookah providers in Cyprus and Europe with clients throughout all the countries of European Union.

G.F. Hookah Cyprus Ltd is a leading online retailer of Hookah products and accessories, as well as tobacco and vape products. Currently is a representative of Khalil Maamoon, Old Nights, Al-Waha, Starbuzz and many more Products in Cyprus.

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. 

If you have any questions about our privacy notice, including any requests to exercise your legal rights, please direct them to our DPO at in the first instance. 

3. The type of Personal Data we collect and process

The type of data we may collect, use, store and transfer include: 

  • Contact details (i.e. first, last names, postal/delivery addresses, billing addresses, email addresses and telephone/fax numbers).
  • Financial information, such as payment related information including bank account and payment card details are strictly kept by our Partner PayPal.
  • Transaction data including details about payments to and from you and other third parties with whom you intend to enter into a transaction.
  • Marketing and Communications data including your preferences in receiving marketing from us and our third parties and your communication preferences.
  • Any other information you may provide to us.

4. HOW, WHY and on WHAT legal basis we collect and process Personal Data

How: The sources of data collected by us may include clients, intermediaries, data subjects directly, third parties connected to the Data Subject (for example, their employer or another service provider who provides services to the Data Subject) or open-source material.

We use different methods to collect data from and about you including:

  • Direct interactions. You may give us your Identity, Contact and Financial Data (as above described) by filling in forms or by corresponding with us by post, phone, email or otherwise.
  • Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources (i.e. the Department of Registrar of Companies and Official Receiver, the press, media and the Internet) which we lawfully obtain, and we are permitted to process.
  • The provision of data to one employee of G.F. HOOKAH CYPRUS LTD may result in that data being accessible by all other members of the Company.
  • Reasonable endeavours are made to ensure that data is only accessible by those with a need for access to fulfil the purposes set our below and above. 

Requests for access to be restricted in any particular manner should be made to  and will be considered and, where possible with reference to legal and regulatory obligations, actioned.

Why: We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the contract, we are about to enter or have entered into with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.

Generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to “Special Categories of Personal Data” or sending third party direct marketing communications to you via any of our communication channels. 

Legal Basis: We use Personal Data for several legitimate interests, including to provide and improve our services, administer our relationship with you and our business, for marketing and in order to exercise our rights and responsibilities. More detailed information about these legitimate interests is set out below.

  • to set up and administer your account, provide technical and customer support and training, verify your identity, and send important account, subscription and information about our services
  • to administer our relationship with you, our business and our third-party providers (e.g., to send invoices)
  • to personalize your experience with our services. We may sometimes share your Personal Data across our services so that we can make all the services we deliver to you more intuitive (e.g., rather than requiring you to enter the same data many times)
  • to contact you in relation to, and conduct, surveys or polls you choose to take part in and to analyze the data collected for market research purposes
  • for internal research and development purposes and to improve, test and enhance the features and functions of our Services
  • to provide you with marketing but only as permitted by law
  • to meet our internal and external audit requirements, including our information security obligations
  • to enforce our terms and conditions
  • to protect our rights, privacy, safety, networks, systems and property, or those of other persons
  • for the prevention, detection or investigation of a crime or other breach of law or requirement, loss prevention or fraud (hacking etc…)
  •  to comply with requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, including where they are outside your country of residence
  • in order to exercise our rights, and to defend ourselves from claims and to comply with laws and regulations that apply to us or third parties with whom we work
  • in order to participate in, or be the subject of, any sale, merger, acquisition, restructure, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings)

Where we rely on legitimate interests as a lawful ground for processing your Personal Data, we balance those interests against your interests, fundamental rights and freedoms. For more information on how this balancing exercise has been carried out, please contact our DPO 

5. Your obligation to provide us with your Personal Data

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you for the provision of services, additionally we may be prevented from complying with our legal obligations.

6. Consent requirement and your right to withdraw consent

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your Personal Data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our DPO Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

7. Change on Purpose

  • We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
  • Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where it is required or permitted by law.

8. Sources and Recipients of Personal Data during the performance of our contractual and statutory obligations

In the course of the performance of our contractual and statutory obligations your personal data may be provided to various departments within the Company but also to other affiliated and/or subsidiary companies of the Company. Various service providers and suppliers may also receive your personal data so that we may perform our obligations. Such service providers and suppliers enter into contractual agreements with the Company by which they observe confidentiality and data protection according to the data protection law and GDPR.

It must be noted that we may disclose data about you for any of the reasons set out hereinabove, or if we are legally required to do so, or if we are authorized under our contractual and statutory obligations or if you have given your consent. All data processors appointed by us to process personal data on our behalf are bound by contract to comply with the GDPR provisions.

The following is a list of potential recipients of data (in each case including respective employees, directors and officers):

  • Other professional advisers or providers of services acting as processors or joint controllers (including lawyers, legal consultants, banks or other financial institutions, auditors/accountants, financial or business advisors, Consultants in relation to any matter on which G.F. HOOKAH CYPRUS LTD is instructed) where disclosure to that provider of services is considered necessary to fulfil the purposes set out above
  • Any distributors / suppliers / sub-contractors, agents or service providers of G.F. HOOKAH CYPRUS LTD (including couriers etc.)
  • Third parties with whom G.F. HOOKAH CYPRUS LTD engages for the hosting of events or other marketing initiatives and including website and advertising agencies
  • Regulators or other governmental or supervisory bodies with a legal right to the material or a legitimate interest in any material
  • Any registrar of a public register where the data is to be included in a public or restricted access registry
  • Third parties to whom G.F. HOOKAH CYPRUS LTD may choose to sell, transfer, or merge parts of its business or assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice
  • Share and stock investment and management companies
  • Debt collection agencies
  • Fraud prevention agencies
  • File storage companies, archiving and/or records management companies, cloud storage companies
  • Companies who assist us with the effective provision of our services to you by offering technological expertise, solutions and support and facilitating payments

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

9. Transfer of Personal Data to a third country or to an international organization

Many of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • The non-European Union country has Data Protection laws similar to the laws in the European Union and/or has been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries; or
  • The recipient/service provider used has agreed through use specific contracts approved by the European Commission which give personal data the same protection it has in Europe and will seek to be reasonably satisfied that the third party has measures in place to protect data against unauthorized or accidental use, access, disclosure, damage, loss or destruction. For further details, see European Commission: Model contracts for the transfer of personal data to third countries; or
  • We have obtained your explicit consent to proceed with the said transfer; or
  • If transferred to providers based in the United States of America, the transfer is made only subject to them being part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield; or
  • If the data transfer is required by a governmental authority and we are legally obliged to provide it (i.e. reporting obligation under Tax law) in which case the Commissioner of Personal Data Protection in Cyprus will be notified in advance of the transfer for confirmation.

Please Contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

10. How is Personal Data treated for marketing purposes?

  • Marketing purposes

We strive to provide you with choices regarding certain Personal Data uses, particularly around marketing and advertising.


We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or purchased [goods or services] from us [or if you provided us with your details when you entered a competition or registered for a promotion] and, in each case, you have not opted out of receiving that marketing.


You can ask us to stop sending you marketing messages at any time by sending an email to requesting to stop or by following the opt-out links on any marketing message sent to you or by contacting our DPO  at any time.

Where you opt out of receiving these marketing messages, this will not apply to Personal Data provided to us as a result of a product/service purchase, warranty registration, product/service experience or other transactions.

11. Data Security

  • We have put in place measures to protect the security of your information. Details of these measures are available [upon request].
  • Third parties will only process your Personal Data on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
  • We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality. [Details of these measures may be obtained from our DPO at]
  • We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

12. Retention of Data Subjects’ Personal Data

  • We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. [Details of retention periods for different aspects of your Personal Data are available in our retention policy which is available from our DPO at
  • To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
  • In some circumstances we may anonymise your Personal Data so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer a client, employee, worker or contractor of the company we will retain and securely destroy your Personal Data in accordance with [our data retention policy OR applicable laws and regulations].

13. Data Subjects’ data protection rights

  • Under certain circumstances, by law you have the right to:

(a)  Request access to your Personal Data (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.

(b)  Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

(c)  Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below).

(d)  Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your Personal Data for direct marketing purposes.

(e)  Request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it.

(f)  Request the transfer of your Personal Data to another party.

  • These rights are not absolute and they do not always apply in all cases.
  • In response to a request, we will ask you to verify your identity if we need to, and to provide information that helps us to understand your request better. If we do not comply with your request, whether in whole or in part, we will explain why.
  • If you want to review, verify, correct or request erasure of your Personal Data, object to the processing of your personal data, or request that we transfer a copy of your Personal Data to another party, please contact our DPO at in writing.

14. Your duty to inform us of changes

It is important that the Personal Data we hold about you is accurate and current. Please keep us informed is your Personal Data changes during your working relationship with us.

15. No fee usually required

You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

16. Right to lodge a complaint

If you have exercised any or all of your data protection rights and still feel that your concerns have not been adequately addressed by our organisation you have theright to make a complaint at any time to the Office of the Commissioner of Personal Data Protection.

17. Our Service does not address anyone under the age of 18 (“Children”).

We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your Children has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we take steps to remove that information from our servers.

18. Changes to this privacy notice

We reserve the right to update this privacy notice at any time and we will amend the revision date at the bottom of this page.

We encourage you to review this statement periodically so as to be always informed about how we are processing and protecting your Personal Data.

Hooked on Hookah

HOOKAH CYPRUS (Age Verification)

You must be over 18 years old to visit this site. By clicking enter, I certify that I am over the age of 18 and will comply with the above statement.


Always enjoy responsibily.