Last updated: February 18, 2026
Data Controller: David López
Trading as: Koben Research
Location: Bilbao, Bizkaia, Spain
Contact email: [email protected]
Website: https://newsletter.kobenresearch.com
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation — GDPR), Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD), and Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI-CE), this Privacy Policy describes how Koben Research collects, processes, stores, and protects your personal data.
We collect the following categories of personal data:
Data you provide directly:
Email address — when you subscribe to our newsletter (free or premium)
Name — if voluntarily provided in your subscriber profile
Payment data — credit/debit card number, billing address, and transaction details, processed exclusively by our payment processor Stripe, Inc. Koben Research does not store, access, or process your full payment card details at any time.
Data collected automatically:
IP address — collected during website visits and email interactions
Device and browser information — browser type, operating system, screen resolution
Usage and engagement data — email open rates, click-through rates, links clicked, time of interaction
Website navigation data — pages visited, time spent on pages, referral source
Cookies and similar technologies — as described in Section 8 of this policy
We process your personal data for the following purposes, each with its corresponding legal basis under Article 6 of the GDPR:
a) Newsletter delivery and subscription management
Purpose: To send you our weekly analysis emails (free or premium content) and manage your subscription status.
Legal basis: Consent (Art. 6.1.a GDPR) — provided when you subscribe.
b) Processing premium subscription payments
Purpose: To process and manage your paid subscription, including billing, invoicing, and payment confirmations.
Legal basis: Performance of a contract (Art. 6.1.b GDPR) — necessary to fulfill the premium subscription agreement.
c) Sending operational and transactional communications
Purpose: To send welcome emails, subscription confirmations, payment receipts, password resets, service notifications, and other communications directly related to the functioning of your subscription.
Legal basis: Performance of a contract (Art. 6.1.b GDPR) and legitimate interest (Art. 6.1.f GDPR).
d) Analytics and service improvement
Purpose: To analyze how subscribers interact with our emails and website in order to improve our content and service.
Legal basis: Legitimate interest (Art. 6.1.f GDPR) — our interest in understanding engagement to improve the service, balanced against your rights and freedoms.
e) Compliance with legal obligations
Purpose: To comply with applicable tax, accounting, and regulatory obligations (including invoice generation and retention).
Legal basis: Legal obligation (Art. 6.1.c GDPR).
We do not process your data for profiling or automated decision-making that produces legal effects concerning you.
Your personal data may be shared with the following third-party data processors, who act on our behalf under data processing agreements compliant with Article 28 of the GDPR:
beehiiv, Inc.
Role: Newsletter platform and website hosting provider
Data processed: Email address, name, IP address, usage and engagement data, cookies
Location: United States
Safeguards: Standard Contractual Clauses (SCCs) pursuant to Article 46.2.c GDPR
Privacy policy: https://beehiiv.com/privacy
Stripe, Inc.
Role: Payment processor for premium subscriptions
Data processed: Payment card details, billing address, transaction records
Location: United States
Safeguards: Standard Contractual Clauses (SCCs) pursuant to Article 46.2.c GDPR; Stripe is additionally certified under PCI DSS Level 1
Privacy policy: https://stripe.com/privacy
We do not sell, rent, trade, or otherwise share your personal data with any third party for their own marketing or commercial purposes. We will only disclose your data to third parties where required by law or to comply with a legal obligation.
Your personal data may be transferred to and processed in the United States by our third-party processors (beehiiv and Stripe). These transfers are carried out in compliance with Chapter V of the GDPR, specifically:
Through Standard Contractual Clauses (SCCs) approved by the European Commission, as per Article 46.2.c GDPR
With appropriate supplementary measures to ensure an adequate level of data protection
You may request a copy of the safeguards in place by contacting us at the email address provided in Section 1.
We retain your personal data according to the following criteria:
Active subscription data (email, name, engagement data): Retained for as long as your subscription is active, whether free or premium.
Data after unsubscription: Upon unsubscribing, your data will be removed from our active mailing list. We may retain your email address in a suppression list to ensure we do not contact you again, unless you request complete deletion.
Payment and billing data: Retained for the minimum period required by Spanish tax and commercial law — currently 5 years from the last transaction, in accordance with Article 30 of the Spanish Commercial Code (Código de Comercio) and tax obligations under the General Tax Law (Ley 58/2003, General Tributaria).
Usage and analytics data: Retained in aggregated, anonymised form for up to 24 months after the end of your subscription.
You may request early deletion of your data at any time, subject to any legal retention obligations.
Under the GDPR (Articles 15–22) and the LOPD-GDD, you have the following rights:
Right of access (Art. 15 GDPR): You have the right to obtain confirmation as to whether your personal data is being processed, and to access a copy of such data.
Right to rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate personal data or the completion of incomplete data.
Right to erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data ("right to be forgotten"), provided there is no legal obligation requiring its retention.
Right to restriction of processing (Art. 18 GDPR): You have the right to request the limitation of processing of your data under certain circumstances.
Right to data portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
Right to object (Art. 21 GDPR): You have the right to object to the processing of your data based on legitimate interest or for direct marketing purposes.
Right to withdraw consent (Art. 7.3 GDPR): Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. You can withdraw your consent to receiving our newsletter by clicking the unsubscribe link in any email.
Right not to be subject to automated individual decision-making (Art. 22 GDPR): You have the right not to be subject to decisions based solely on automated processing that produces legal effects concerning you. Koben Research does not engage in such processing.
How to exercise your rights:
You may exercise any of these rights by sending a request to [email protected], accompanied by a copy of your national ID document or equivalent identification. We will respond to your request within one month, which may be extended by a further two months where necessary, in accordance with Article 12.3 GDPR.
Right to lodge a complaint:
If you believe your rights have been violated, you have the right to lodge a complaint with the Spanish Data Protection Agency:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6
28001 Madrid, Spain
Website: https://www.aepd.es
Phone: +34 901 100 099
Our website at newsletter.kobenresearch.com uses cookies — small text files stored on your device — to ensure the proper functioning of the site and to analyse usage.
Types of cookies used:
a) Strictly necessary cookies (exempt from consent)
Purpose: Essential for website functionality, including authentication (login sessions), security, and load balancing.
Provider: beehiiv
Duration: Session-based or up to 30 days
Legal basis: These cookies do not require consent as they are strictly necessary for the service you have requested (Article 22.2 LSSI-CE; Recital 32 GDPR).
b) Analytics and performance cookies (require consent)
Purpose: To collect information about how visitors use our website, including pages visited, time spent, and interaction patterns. This data is used in aggregated form to improve our service.
Provider: beehiiv
Duration: Up to 12 months
Legal basis: Consent (Art. 6.1.a GDPR; Art. 22.2 LSSI-CE).
Managing your cookie preferences:
When you first visit our website, a cookie banner will be displayed allowing you to accept or reject non-essential cookies. You can change your preferences at any time by clearing your browser cookies and revisiting the site, at which point the cookie banner will reappear.
You can also configure your browser to reject cookies or to alert you when cookies are being sent. Please note that disabling strictly necessary cookies may affect the functionality of the website, including your ability to log in.
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
Use of encrypted connections (HTTPS/TLS) across our website
Secure payment processing via Stripe (PCI DSS Level 1 certified)
Access controls limiting data access to the data controller only
Regular review of data processing activities and security measures
While we take reasonable precautions, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us immediately, and we will take steps to delete such data.
We reserve the right to update this Privacy Policy at any time to reflect changes in our practices, legal requirements, or the services we provide. Any material changes will be communicated to active subscribers via email prior to taking effect. The most current version of this policy will always be available at this page.
We encourage you to review this Privacy Policy periodically.
This Privacy Policy is governed by the following legislation:
Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR)
Organic Law 3/2018, of December 5 — Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD)
Law 34/2002, of July 11 — Information Society Services and Electronic Commerce (LSSI-CE)