INTRODUCTION

A Mobilredfox Korlátolt Felelősségű Társaság (hereinafter: Data Controller) attaches great importance to respecting the right of information self-determination of its partners, customers and visitors. The Data Controller shall process personal data confidentially, in accordance with applicable European Union and national legislation and relevant data protection practices (established by the authority), and shall take all security and organisational measures to ensure the security, confidentiality, integrity and availability of the data. 

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR”) and the Act CXII of 2011 on the Right to Information Self-Determination and Freedom of Information (hereinafter: “Information Act”), the following information notice (hereinafter: “Notice”) is published in order to protect the personal data processed.

The Notice is effective from 01 February 2023 until revoked in relation to the processing of personal data of data subjects concerned by the activities of the Data Controller.

The Data Controller reserves the right to unilaterally change this Notice at any time. If the Notice is amended in a way that could affect the processing of personal data of data subjects, the Data Controller will inform the data subjects thereof, in particular on its website or social media platforms, or in the newsletter for data subjects subscribed to the newsletter or by SMS message if they have provided a telephone number.

The Data Controller provides detailed information on the data processors used by the Data Controller and their activities concerning personal data in Annex 3 to this Notice.

Budapest, 1 February 2023.

THE DATA CONTROLLER

Name of the Data Controller: Mobilredfox Korlátolt Felelősségű Társaság

registered office: H-3300 Eger, Kistályai út 5.

tax number: 25540998-2-10

company registry number: 10-09-035724

e-mail address: info@mobilfox.hu

represented by: DILLER Kevin managing director

Request for quotation

In relation to its core business, the Data Controller processes personal data in connection with requests for quotations (first contact). Requests for quotations can be made primarily through the website of the Data Controller, as well as at its registered office, via its phone or e-mail contact details, or via the social media platforms operated by it. The Data Controller only processes personal data necessary for the effective preparation of the offer. The Controller shall process the personal data it receives in connection with requests for quotations, irrespective of the channel through which they come to its knowledge, as follows:

Scope of the personal data processed: first and last name, title, e-mail address, telephone number and other personal data provided by the party requesting quotation.

Categories of data subjects: data subjects intending to establish a business relationship with the Data Controller.

Source of the personal data processed: the data subject.

Purpose of data processing: preliminary consultation, request for quotation.

Legal basis for data processing: prior consultation, in the case of a request for quotation, on the basis of Article 6 (1) (b) of the GDPR, between the Data Controller and the data subject, prior to the conclusion of the contract, taking steps at the request of the data subject.

The legitimate interest of the Data Controller in processing the data of contact persons of legal persons in the course of enforcing rights or claims pursuant to Article 6 (1) (f) of the GDPR.

Term of data processing: 5 years after the existence of the contractual or business relationship or the data subject's capacity as a representative (general limitation period for the enforcement of rights). After the expiry of the general limitation period for the enforcement of rights or a longer retention period provided for by law, personal data, including contact details, will be erased immediately and irretrievably. An exception to this is the enforcement of any legal action or claim by the court, public prosecutor's office, investigating authority, administrative offence authority, public administration authority, the National Authority for Data Protection and Freedom of Information or by other bodies authorised by the law.

Access: On the part of the Data Controller, only employees who have access to the administrator interface used by the Data Controller have access to the personal data processed.

Transfer of data: in the context of the processing set out in this section, the Data Controller will transfer data to its data processors (in particular Shopify), through which some personal data may be transferred to third countries (including in particular to the United States of America). Detailed information on the specific data transferred to each data processor, the details of the processing and the use of the legal bases allowed by Chapter V of the GDPR can be found in Annex No. 3 to this notice.

Data processing technique: the Data Controller shall process the personal data of the data subject manually (on paper) and electronically.

Profiling: the Data Controller shall not take any decision based solely on automated processing in relation to the data subject and shall not profile the data subject on the basis of the available personal data.

Data subjects' rights: in the context of data processing, data subjects may exercise their rights of access, rectification, erasure, restriction of processing, data portability and objection.

Warranty claim fulfilment 

In connection with the products ordered as a result of its online product sales activities, and in the course of the provision of the so-called warranty claims under Chapter XXIV of the Civil Code, the Data Controller shall process personal data. The Data Controller shall only process the personal data necessary for performing the contract. The Controller shall process the personal data that it has accessed, as follows:

Scope of the personal data processed: For the purposes of performing the contract, the Data Controller shall process the following data of the natural person and sole entrepreneur contracted with it

  • surname and first name,

  • title,

  • surname and first name at birth,

  • place and date of birth, 

  • mother’s name, 

  • address,

  • ID card number,

  • driving licence number,

  • tax number,

  • sole entrepreneur’s registration number,

  • address of registered office, site, or home address,

  • address of the real estate affected by the contract,

  • telephone number, 

  • e-mail address, 

  • bank account number.

For the purposes of performing the contract and keeping contacts, the Data Controller shall process the following data of the contact person of the legal entity contracted with it 

  • surname and first name,

  • title,

  • workplace,

  • position, job,

  • address of registered office, site, or home address,

  • address of the real estate affected by the contract,

  • telephone number,

  • e-mail address.

Categories of data subjects: data subjects intending to establish a business relationship with the Data Controller or already in a contractual relationship.

Source of the personal data processed: the data subject.

Purpose of processing: performance of the contract.

Legal basis for data processing: in the scope of concluding the agreement, contract, on the basis of Article 6 (1) (b) of the GDPR, the conclusion of the contract between the Data Controller and the data subject.

The legitimate interest of the Data Controller in processing the data of contact persons of legal persons in the course of enforcing rights or claims pursuant to Article 6 (1) (f) of the GDPR.

Term of data processing: 5 years after the existence of the contractual or business relationship or the data subject's capacity as a representative (general limitation period for the enforcement of rights). After the expiry of the general limitation period for the enforcement of rights or a longer retention period provided for by law, personal data, including contact details, will be erased immediately and irretrievably. An exception to this is the enforcement of any legal action or claim by the court, public prosecutor's office, investigating authority, administrative offence authority, public administration authority, the National Authority for Data Protection and Freedom of Information or by other bodies authorised by the law.

Access: On the part of the Data Controller, only employees who have access to the administrator interface used by the Data Controller have access to the personal data processed.

Data transfer: personal data will not be transferred to third parties, unless otherwise provided for in the contract between the data subject and the Data Controller, or in the case of the enforcement of any legal action or claim by the court, public prosecutor's office, investigating authority, administrative offence authority, public administration authority, the National Authority for Data Protection and Freedom of Information or by other bodies authorised by the law.

Data processing technique: the Data Controller shall process the personal data of the data subject manually (on paper) and electronically.

Profiling: the Data Controller shall not take any decision based solely on automated processing in relation to the data subject and shall not profile the data subject on the basis of the available personal data.

Data subjects' rights: in the context of data processing, data subjects may exercise their rights of access, rectification, erasure, restriction of processing, data portability and objection.

Handover declaration

The Data Controller shall process personal data in the context of the transfer of data in the course of its main activity as follows:

The scope of personal data processed: surname and first name, title, place and date of birth, mother's name, ID card number, driving licence number, e-mail address, telephone number, vehicle registration number, other vehicle data.

Categories of data subjects: data subjects in a contractual relationship with the Data Controller.

Source of the personal data processed: the data subject.

Purpose of data processing: securing handover in the scope of the Data Controller’s main activity

Legal basis for data processing: in relation to the handover in the scope of the Data Controller’s main activity, on the basis of Article 6 (1) (b) of the GDPR, between the Data Controller and the data subject, prior to the conclusion of the contract, taking steps at the request of the data subject and the performance of the contract.

The legitimate interest of the Data Controller in processing the data of contact persons of legal persons in the course of enforcing rights or claims pursuant to Article 6 (1) (f) of the GDPR.

Term of data processing: 5 years after the existence of the contractual or business relationship or the data subject's capacity as a representative (general limitation period for the enforcement of rights). After the expiry of the general limitation period for the enforcement of rights or a longer retention period provided for by law, personal data, including contact details, will be erased immediately and irretrievably. An exception to this is the enforcement of any legal action or claim by the court, public prosecutor's office, investigating authority, administrative offence authority, public administration authority, the National Authority for Data Protection and Freedom of Information or by other bodies authorised by the law.

Access: on the part of the Data Controller, only employees who have access to the administrator interface used by the Data Controller have access to the personal data processed.

Data transfer: personal data will not be transferred to third parties, unless otherwise provided for in the contract between the data subject and the Data Controller, or in the case of the enforcement of any legal action or claim by the court, public prosecutor's office, investigating authority, administrative offence authority, public administration authority, the National Authority for Data Protection and Freedom of Information or by other bodies authorised by the law.

Data processing technique: the Data Controller shall process the personal data of the data subject manually (on paper) and electronically.

Profiling: the Data Controller shall not take any decision based solely on automated processing in relation to the data subject and shall not profile the data subject on the basis of the available personal data.

Data subjects' rights: in the context of data processing, data subjects may exercise their rights of access, rectification, erasure, restriction of processing, data portability and objection.

Invoicing

The Data Controller shall process data in the context of invoicing in the course of its main activity as follows:

Scope of the personal data processed: surname and first name, title, address

Categories of data subjects: data subjects in a contractual relationship with the Data Controller.

Source of the personal data processed: the data subject.

Purpose of data processing: invoicing in the scope of the Data Controller’s main activity.

Legal basis for data processing: in connection with invoicing in the scope of the Data Controller's main activity, performance of the Data Controller’s legal obligations under the applicable tax and accounting legislation, in particular the VAT Act, section 169 of the Accounting Act, pursuant to Article 6 (1) (c) of the GDPR.

The legitimate interest of the Data Controller in processing the data of contact persons of legal persons in the course of enforcing rights or claims pursuant to Article 6 (1) (f) of the GDPR.

Term of data processing is 8 years from the date of invoicing, as well as the period specified in the current tax and accounting legislation in force, in particular the VAT Act, section 169 of the Accounting Act

After the expiry of a longer retention period provided for by law, personal data, including contact details, will be erased immediately and irretrievably. An exception to this is the enforcement of any legal action or claim by the court, public prosecutor's office, investigating authority, administrative offence authority, public administration authority, the National Authority for Data Protection and Freedom of Information or by other bodies authorised by the law.

Access: the employees engaged in invoicing, providing refunds on behalf of the Data Controller shall have access to the personal data processed in the context of the invoices issued.

Data transfer: personal data will be transferred to a third party (FALUS Tamás sole entrepreneur), who has been previously audited by the Data Controller, has a contractual relationship with the Data Controller and performs accounting, auditing and tax expert services for the Data Controller, and the Data Controller confirms the transfer of data to the third party in a data processing contract pursuant to Article 28 (3) of the GDPR. In the case of an enforcement of any legal action or claim by the court, public prosecutor's office, investigating authority, administrative offence authority, public administration authority, the National Authority for Data Protection and Freedom of Information or by other bodies authorised by the law, data transfer may take place for the entities listed above. Detailed information on the specific data transferred to each data processor, the details of the processing and the use of the legal bases allowed by Chapter V of the GDPR can be found in Annex No. 3 to this notice.

Data processing technique: the Data Controller shall process the personal data of the data subject manually (on paper) and electronically.

Profiling: the Data Controller shall not take any decision based solely on automated processing in relation to the data subject and shall not profile the data subject on the basis of the available personal data.

Data subjects' rights: in the context of data processing, data subjects may exercise their rights of access, rectification, erasure, restriction of processing and objection.

Refund

The Data Controller shall process data in the context of providing refunds in the course of its main activity as follows:

Scope of the personal data processed: surname and first name, title, address, bank account number.

Categories of data subjects: data subjects in a contractual relationship with the Data Controller, who are entitled to refunds under the law.

Source of the personal data processed: the data subject.

Purpose of data processing: performing refunds in the scope of the Data Controller’s main activity.

Legal basis for data processing: in connection with providing refunds in the scope of the Data Controller's main activity, performance of the Data Controller’s legal obligations under the applicable tax and accounting legislation, in particular the VAT Act, Accounting Act, pursuant to Article 6 (1) (c) of the GDPR.

The legitimate interest of the Data Controller in processing the data of contact persons of legal persons in the course of enforcing rights or claims pursuant to Article 6 (1) (f) of the GDPR.

Term of data processing is 8 years from the date of transfer, as well as the period specified in the current tax and accounting legislation in force, in particular the VAT Act, the Accounting Act

After the expiry of a longer retention period provided for by law, personal data, including contact details, will be erased immediately and irretrievably. An exception to this is the enforcement of any legal action or claim by the court, public prosecutor's office, investigating authority, administrative offence authority, public administration authority, the National Authority for Data Protection and Freedom of Information or by other bodies authorised by the law.

Access: primarily the employees engaged in invoicing, refunds on behalf of the Data Controller shall have access to the personal data processed in the context of the invoices issued.

Data transfer: personal data will be transferred to a third party (KBOSS.hu Kft. – szamlazz.hu), who has been previously audited by the Data Controller, has a contractual relationship with the Data Controller and performs accounting, auditing and tax expert services for the Data Controller, and the Data Controller confirms the transfer of data to the third party in a data processing contract pursuant to Article 28 (3) of the GDPR. In the case of an enforcement of any legal action or claim by the court, public prosecutor's office, investigating authority, administrative offence authority, public administration authority, the National Authority for Data Protection and Freedom of Information or by other bodies authorised by the law, data transfer may take place for the entities listed above. Detailed information on the specific data transferred to each data processor, the details of the processing and the use of the legal bases allowed by Chapter V of the GDPR can be found in Annex No. 3 to this notice.

Data processing technique: the Data Controller shall process the personal data of the data subject manually (on paper) and electronically.

Profiling: the Data Controller shall not take any decision based solely on automated processing in relation to the data subject and shall not profile the data subject on the basis of the available personal data.

Data subjects' rights: in the context of data processing, data subjects may exercise their rights of access, rectification, erasure, restriction of processing and objection.

Making and publishing video and audio recordings

In the course of its main activity, the Data Controller may make a mass recording and/or non-mass recording of images and/or sounds or a written summary. As a general rule, data processing is based on the data subject's explicit informed consent. The Data Controller shall only process the necessary personal data.

With the data subject's statement of consent, for the purpose of informing and promoting its services on its website: https://mobilfox.com/hu-hu/, and on the social media platforms operated by it and accessible from its website, the Data Controller may publish news, posts and image and/or sound recordings.

During the period of processing, the data subject may at any time request the erasure of such personal data and acknowledges that their removal may take place at any time at the unilateral decision of the Data Controller.

The Data Controller shall process the personal data that it has accessed, as follows:

Scope of the personal data processed: surname and first name, title, image recording, image and sound recording, place of residence.

Categories of data subjects: data subjects in a contractual relationship with the Data Controller.

Source of the personal data processed: the data subject.

Purpose of data processing: publishing image and sound recording (video) in the scope of the Data Controller’s main activity.

Legal basis for data processing: on the basis of Article 6 (1) (a) of the GDPR, consent of the data subject, also with account to section 2:48 (1) of the Civil Code.

The legitimate interest of the Data Controller in processing the data of the contact persons in the course of enforcing rights or claims pursuant to Article 6 (1) (f) of the GDPR.

Term of data processing: According to Article 5 (1) (e) of the GDPR, and subject to recital 39 of the GDPR, a controller may process data only for the time necessary to achieve the purpose of the processing. Following the investigation of a request by the data subject or his or her representative to the Data Controller to erase his or her personal data, if the request is justified, the data subject's personal data will be erased immediately and irretrievably. An exception to this is the mass recording of images and sound recordings – subject to Section 2:48 (2) of the Civil Code –, and the enforcement of any legal action or claim by the court, public prosecutor's office, investigating authority, administrative offence authority, public administration authority, the National Authority for Data Protection and Freedom of Information or by other bodies authorised by the law.

Access: on the part of the Data Controller, only employees who have access to the administrator interface used by the Data Controller have access to the personal data processed. The Data Controller has no control over the further dissemination of personal data on the Internet, and the Data Controller in particular warns the data subjects to this in the information notice relating to the consent to data processing.

Data transfer: personal data will not be transferred to third parties, unless otherwise provided for in the contract between the data subject and the Data Controller, or in the case of the enforcement of any legal action or claim by the court, public prosecutor's office, investigating authority, administrative offence authority, public administration authority, the National Authority for Data Protection and Freedom of Information or by other bodies authorised by the law.

Data processing technique: the Data Controller shall process the personal data of the data subject electronically.

Profiling: the Data Controller shall not take any decision based solely on automated processing in relation to the data subject and shall not profile the data subject on the basis of the available personal data.

Data subjects' rights: in the context of data processing, data subjects may exercise their rights of withdrawing consent, access, rectification, erasure, restriction of processing and data portability.

Prize draws

The Data Controller may organise prize draws to promote its services.

The data subject may subscribe to the prize draw in electronic form on the website of the Data Controller or on the website and social media platform specified by the Data Controller in the Prize Draw Rules, subject to the condition of having read and accepted this privacy notice.

The Data Controller shall not be liable in any form whatsoever for any errors or damages resulting from incorrectly or falsely provided data, and the subscriber shall bear all resulting liability. The Data Controller shall delete subscriptions provided with incorrect or false data immediately upon becoming aware of them.

The Data Controller shall ensure that the data subject can unsubscribe from the prize draw at any time free of charge.

The Data Controller shall process the personal data that it has accessed, as follows:

Scope of the personal data processed: title, surname and first name, e-mail address, telephone number, address.

Categories of data subjects: the data subjects participating in the prize draw.

Source of the personal data processed: the data subject.

Purpose of data processing: proceeding with prize draw, lottery.

Legal basis for data processing: on the basis of Article 6 (1) (a) of the GDPR, consent of the data subject.

The legitimate interest of the Data Controller in processing the data of the contact persons in the course of enforcing rights or claims pursuant to Article 6 (1) (f) of the GDPR.

Term of data processing: the Data Controller will process the data of the winning player for 5 years from the date of delivery of the prizes. The Data Controller will retain the data of players who participated but did not win in the prize draw for 30 days after the prize has been delivered, after which they will be deleted. Following the investigation of a request by the data subject or his or her representative to the Data Controller to erase his or her personal data (unsubscribing), if the request is justified, the data subject's personal data will be erased immediately and irretrievably. An exception to this is the enforcement of any legal action or claim by the court, public prosecutor's office, investigating authority, administrative offence authority, public administration authority, the National Authority for Data Protection and Freedom of Information or by other bodies authorised by the law.

Access: on the part of the Data Controller, only employees who have access to the administrator interface used by the Data Controller have access to the personal data processed.

Data transfer: personal data will not be transferred to third parties, unless otherwise provided for in the contract between the data subject and the Data Controller, or in the case of the enforcement of any legal action or claim by the court, public prosecutor's office, investigating authority, administrative offence authority, public administration authority, the National Authority for Data Protection and Freedom of Information or by other bodies authorised by the law.

Data processing technique: the Data Controller shall process the personal data of the data subject electronically.

Profiling: the Data Controller shall not take any decision based solely on automated processing in relation to the data subject and shall not profile the data subject on the basis of the available personal data.

Data subjects' rights: in the context of data processing, data subjects may exercise their rights of withdrawing consent, access, rectification, erasure, restriction of processing and data portability.

Sending Newsletter and SMS-newsletter

Based on the data subject’s prior, unambiguous and explicit consent, the Data Controller will send to the data subject newsletters in the form of SMS and e-mails about its activities, the most important news, services, discounts and promotional offers.

The data subject may subscribe to the newsletter in electronic form on the website https://mobilfox.com/hu-hu/ of the Data Controller or on the social media platform operated by the Data Controller, subject to the condition of having read and accepted this privacy notice.

The Data Controller shall not be liable in any form whatsoever for any errors or damages resulting from incorrectly or falsely provided data, and the subscriber shall bear all resulting liability. The Data Controller shall delete subscriptions provided with incorrect or false data immediately upon becoming aware of them.

The Data Controller shall ensure that the data subject can unsubscribe from the newsletters at any time free of charge.

The Data Controller shall process the personal data that it has accessed, as follows:

Scope of the personal data processed: title, surname and first name, e-mail address, telephone number, address.

Categories of data subjects: the data subjects subscribing to the newsletter.

Source of the personal data processed: the data subject.

Purpose of processing: sending newsletters.

Legal basis for data processing: on the basis of Article 6 (1) (a) of the GDPR, consent of the data subject indicated by ticking the checkbox of accepting the content of the privacy notice.

Term of data processing: following the investigation of a request by the data subject or his or her representative to the Data Controller to erase his or her personal data (unsubscribing), if the request is justified, the data subject's personal data will be erased immediately and irretrievably. An exception to this is the enforcement of any legal action or claim by the court, public prosecutor's office, investigating authority, administrative offence authority, public administration authority, the National Authority for Data Protection and Freedom of Information or by other bodies authorised by the law.

Access: on the part of the Data Controller, only employees who have access to the administrator interface used by the Data Controller have access to the personal data processed.

Transfer of data: in the context of the processing set out in this section, the Data Controller will transfer data to its data processors (in particular Infobip and Klaviyo), through which some personal data may be transferred to third countries (including in particular to the United States of America). Detailed information on the specific data transferred to each data processor, the details of the processing and the use of the legal bases allowed by Chapter V of the GDPR can be found in Annex No. 3 to this notice.

Data processing technique: The Data Controller shall process the personal data of the data subject electronically.

Profiling: the Data Controller shall not take any decision based solely on automated processing in relation to the data subject and shall not profile the data subject on the basis of the available personal data.

Data subjects' rights: in the context of data processing, data subjects may exercise their rights of withdrawing consent, access, rectification, erasure, restriction of processing and data portability.

Marketing and direct marketing activity

The Data Controller will send to the data subject information in the form of e-mails and telephone calls about its activities, the most important news, services, discounts and promotional offers.

The Data Controller shall process the personal data that it has accessed, as follows:

Scope of the personal data processed: title, surname and first name, e-mail address, telephone number, address of the relevant company’s registered office, site

Categories of data subjects: natural persons, legal persons, and business entities without legal personality, as well as representatives of non-governmental organisations in their capacity as natural persons, who had or may have (potential) direct or indirect (business) contact with the Data Controller in the course of carrying out the Data Controller's main activity, and whose registered office address is affected by the route of the event.

Source of the personal data processed: the Data Controller obtains the personal data from publicly available business information registers (e.g. E-business Register, Opten), and in many cases the data subject may be the source of the data, given that there is or has been any legal relationship between the Data Controller and the data subject.

Purpose of data processing: The purpose of direct marketing is for the Data Controller to reach potential customers directly and promote its products. The aim is to encourage contacts and sales, and to maintain and update the customer database for future marketing activities.

Legal basis for data processing: the legitimate interest of the Data Controller pursuant to Article 6 (1) (f) of the GDPR.

The legitimate interest of the Data Controller in processing the data of the contact persons in the course of enforcing rights or claims pursuant to Article 6 (1) (f) of the GDPR.

Recital 47 of the GDPR confirms that the legal basis of legitimate interest applies to processing for direct marketing purposes.

Term of data processing: the Data Controller shall process the personal data until the exercise of the right of objection of the data subjects, but not longer than 5 years after the existence of the contractual or business relationship or the data subject's capacity as a representative (general limitation period for the enforcement of rights). An exception to this is the enforcement of any legal action or claim by the court, public prosecutor's office, investigating authority, administrative offence authority, public administration authority, the National Authority for Data Protection and Freedom of Information or by other bodies authorised by the law.

Access: on the part of the Data Controller, only employees who have access to the administrator interface used by the Data Controller have access to the personal data processed.

Transfer of data: in the context of the processing set out in this section, the Data Controller will transfer data to its data processors (in particular Infobip and Klaviyo), through which some personal data may be transferred to third countries (including in particular to the United States of America). Detailed information on the specific data transferred to each data processor, the details of the processing and the use of the legal bases allowed by Chapter V of the GDPR can be found in Annex No. 3 to this notice.

Data processing technique: The Data Controller shall process the personal data of the data subject electronically in the Gorgias system (client service helpdesk software).

Profiling: the Data Controller shall not take any decision based solely on automated processing in relation to the data subject and shall not profile the data subject on the basis of the available personal data.

Data subjects' rights: in the context of data processing, data subjects may exercise their rights of access, rectification, erasure, restriction of processing and objection.

In compliance with the obligation laid down in Article 21 (4) of the GDPR, the Data Controller shall draw the attention of the data subject, at the time of the first contact with the data subject, to the fact that, where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for these purposes.

Handling complaints

The Data Controller receives complaints in writing (on its website, by post or email) in connection with the performance of its main activity, the provision of services. In this context, the Data Controller shall process the personal data of the data subject as follows:

Scope of the personal data processed: the complainant's surname and first name, title, contact details (e-mail address, telephone number), address, other personal data provided by the complainant in connection with the complaint, case number, signature, and, if there is a contributing authorised representative, the surname, first name, title, date and place of birth and mother's name of the authorised representative.

Categories of data subjects: data subjects filing a complaint with the Data Controller.

Source of the personal data processed: the data subject.

Purpose of data processing: investigating the complaint, providing remedies.

Legal basis for data processing: the legitimate interest of the Data Controller pursuant to Article 6 (1) (f) of the GDPR.

Term of data processing: providing remedy for the complaint, not longer than the term of enforcing the claim (general limitation period of 5 years). An exception to this is the enforcement of any legal action or claim by the court, public prosecutor's office, investigating authority, administrative offence authority, public administration authority, the National Authority for Data Protection and Freedom of Information or by other bodies authorised by the law.

Access: on the part of the Data Controller, only employees who have access to the administrator interface used by the Data Controller have access to the personal data processed for the purpose of handling complaints.

Transfer of data: in the context of the processing set out in this section, the Data Controller will transfer data to its data processors (in particular Gorgias), through which some personal data may be transferred to third countries (including in particular to the United States of America). Detailed information on the specific data transferred to each data processor, the details of the processing and the use of the legal bases allowed by Chapter V of the GDPR can be found in Annex No. 3 to this notice.

Data processing technique: the Data Controller shall process the personal data of the data subject electronically and manually (paper based) in the Gorgias system (client service helpdesk software).

Profiling: the Data Controller shall not take any decision based solely on automated processing in relation to the data subject and shall not profile the data subject on the basis of the available personal data.

Data subjects' rights: in the context of data processing, data subjects may exercise their rights of access, rectification, erasure, restriction of processing and objection.

Requests, comments

The Data Controller receives requests and recommendations in writing (on its website, by post or email) in connection with the performance of its main activity, the continuous development of its services. In this context, the Data Controller shall process the personal data of the data subject as follows:

Scope of the personal data processed: the data subject's surname and first name, title, contact details (e-mail address, telephone number), address, other personal data provided by the data subject, signature.

Categories of data subjects: data subjects filing an opinion, recommendation, comment with the Data Controller.

Source of the personal data processed: the data subject.

Purpose of data processing: service development, maintaining contacts.

Legal basis for data processing: the legitimate interest of the Data Controller pursuant to Article 6 (1) (f) of the GDPR.

Term of data processing: general limitation period of 5 years. An exception to this is the enforcement of any legal action or claim by the court, public prosecutor's office, investigating authority, administrative offence authority, public administration authority, the National Authority for Data Protection and Freedom of Information or by other bodies authorised by the law.

Access: primarily the Data Controller shall have access to the personal data processed.

Data transfer: personal data will not be transferred to third parties, unless otherwise provided for in the contract between the data subject and the Data Controller, or in the case of the enforcement of any legal action or claim by the court, public prosecutor's office, investigating authority, administrative offence authority, public administration authority, the National Authority for Data Protection and Freedom of Information or by other bodies authorised by the law.

Data processing technique: the Data Controller shall process the personal data of the data subject electronically and manually (paper based).

Profiling: the Data Controller shall not take any decision based solely on automated processing in relation to the data subject and shall not profile the data subject on the basis of the available personal data.

Data subjects' rights: in the context of data processing, data subjects may exercise their rights of access, rectification, erasure, restriction of processing and objection.

Application of cookies

In line with common practice, the Data Controller also uses cookies on its website. Cookies alone cannot be used to identify the user.

Cookies are short data files that the visited website places on the user's computer. 

The purpose of cookies is to ensure the continuous operation of the given infocommunication, internet service, to make it easier, more convenient and to contribute to the further development of the website with anonymous statistics.

There are many types of cookies, but they generally fall into two broad categories: one is a temporary (strictly necessary) cookie, which the website places on the user's device only during a particular session (e.g. a single visit to the website); the other is a persistent cookie (e.g. a website language setting), which remains on the computer until the user deletes it. The Data Controller uses only temporary cookies on its website that are strictly necessary for its operation. They are valid only for the duration of the visit. The Data Controller receives automatically generated information about visitors to its website for the duration of the visit: the Internet Protocol (IP) address of the visitor, the time of the visit, the pages viewed, the name of the browser program used.

You can check the type of cookies used by the Data Controller's website on the following website: https://www.cookieserve.com/

Setting the browser

Accepting or authorising the use of cookies is not mandatory. You can reset your browser settings to reject all cookies or to indicate when a cookie is being sent, but some features or services may not work properly without cookies. Most browsers automatically accept cookies by default, but these can usually be changed to prevent automatic acceptance and offer you the choice each time.

The options are usually found in the “Options” or “Settings” menu of the browser, and it is recommended to use the “Help” menu of the browser to find the most suitable settings for the person concerned.

Scope of the personal data processed: the Internet Protocol (IP) address of the visitor, the time of the visit, the pages viewed, the name of the browser program used.

Categories of data subjects: visitors of the Data Controller’s website.

Source of the personal data processed: the data subject.

Purpose of data processing: ensuring the highest possible quality of website visits.

Legal basis for data processing: consent of the data subject according to Article 6 (1) (a) of the GDPR.

Term of data processing: duration of the relevant visit.

Access: primarily the Data Controller shall have access to the personal data processed.

Transfer of data: the personal data of the data subjects will not be transferred by the Data Controller.

Data processing technique: the Data Controller shall process the personal data of the data subject electronically.

Profiling: the Data Controller shall not take any decision based solely on automated processing in relation to the data subject and shall not profile the data subject on the basis of the available personal data.

Data subjects' rights: in the context of data processing, data subjects may exercise their rights of withdrawing consent, access, rectification, erasure, restriction of processing and data portability.

Website

The Data Controller informs the data subjects that in order to measure the traffic of all the services and sub-sites of the internet site domain name operated by the Data Controller and to monitor the behaviour of its visitors, and to compile statistics, it uses Google Analytics, the relevant codes of which are integrated into its own site.

The programs referred to above place so-called cookies on the user's computer, which collect user data. Visitors to the website (Users) authorise the Data Controller to use Google Analytics. 

They also consent to the monitoring and tracking of their user behavior and to the use of all services provided by the programs to the Data Controller. 

In addition, the user has the possibility to opt out of future cookie recording and storage at any time. 

Data subjects can find the privacy notice on the Google Analytics settings and use on the Google website. https://policies.google.com/privacy?hl=hu

According to Google, Google Analytics mainly uses first-party cookies to report on visitor interactions on its website. These cookies only record information that is not personally identifiable.

Browsers do not share first-party cookies between domains. For more information about cookies, please see the Google Ads and Privacy FAQ.

Google Analytics: The Data Controller uses Google Analytics primarily to generate statistics, including measuring the effectiveness of its website campaigns. By using the program, the Data Controller mainly obtains information about the number of visitors to the Website and the time spent on the Website.

The program recognises the visitor's IP address, so it can track whether the visitor is a returning or new visitor, and it can also track the path the visitor has taken on the Website and where they have accessed.

Scope of the personal data processed: IP address, clicks

Categories of data subjects: visitors of the Data Controller’s website.

Source of the personal data processed: the data subject.

Purpose of data processing: promoting the website and services of the Data Controller, measuring the number of visits.

Legal basis for data processing: consent of the data subject. Article 6 (1) (a) of the GDPR.

Term of data processing: 30 days.

Access: Google shall have access to the personal data processed.

Transfer of data: the personal data of the data subjects will not be transferred by the Data Controller.

Data processing technique: the Data Controller shall process the personal data electronically.

Profiling: the Data Controller shall not take any decision based solely on automated processing in relation to the data subject and shall not profile the data subject on the basis of the available personal data.

Data subjects' rights: in the context of data processing, data subjects may exercise their rights of withdrawing consent, access, rectification, erasure, restriction of processing and data portability.

DATA SECURITY

The Data Controller and the processors are entitled to access the personal data of the data subject only to the extent necessary for the performance of their tasks. 

The transmission of personal data is carried out by the Data Controller in a uniform, pre-audited and secure manner, by informing the data subject, avoiding redundant data transmission or data transmission through different registration platforms.

In order to ensure data security, the Data Controller shall assess and record all data processing activities it carries out. 

On the basis of the records of processing activities, the Data Controller takes into account the conditions under which each processing is carried out and the risk factors that may cause harm or potential data breaches during processing. The assessment of risks should be based on the actual data processing activity that takes place. The purpose of the assessment is to determine the security rules and measures that will ensure an adequate level of protection of personal data appropriate to the performance of the Data Controller's activities.

The Data Controller shall implement appropriate technical and organisational measures to ensure and demonstrate that the processing of personal data is carried out in accordance with the GDPR, taking into account the nature, scope, context and purposes of the processing and the varying degrees of probability and severity of the risk to the rights and freedoms of natural persons. These measures include, among others, where appropriate:

  • the pseudonymisation and encryption of personal data; 

  • securing the continued confidentiality, integrity, availability and resilience of the systems and services used to process personal data;

  • in the event of a physical or technical incident, the ability to restore access to and availability of personal data in a timely manner;

  • a procedure to regularly test, assess and evaluate the effectiveness of the technical and organisational measures taken to ensure the security of processing.

In determining the appropriate level of security, explicit account should be taken of the risks arising from the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.

The Data Controller shall implement appropriate technical and organisational measures to ensure that, by default, only personal data that are necessary for the specific purpose of the processing are processed. This obligation relates to the amount of personal data collected, the extent to which it is processed, the duration of its storage and its availability. These measures should in particular ensure that personal data cannot, by default, be made available to an indeterminate number of persons without the intervention of the natural person.

In the event of damage or destruction of personal data, attempts should be made to replace the damaged data as far as possible from other available data sources. The fact that the data have been replaced shall be indicated in the data.

The Data Controller shall protect its internal network with multiple layers of firewall protection. In all cases, hardware firewalls (border protection devices) shall always be installed at the entry points to the public networks used. The Data Controller shall store the data redundantly, i.e. in multiple locations, to protect them from destruction, loss, damage or unlawful destruction due to malfunction of the IT device.

Internal networks are protected from external attacks with multi-layered, active, complex malware protection against harmful codes (e.g. virus protection). 

The Data Controller shall take the utmost care to ensure that its IT tools and software continuously comply with the technological solutions generally accepted in the market.

RIGHTS OF THE DATA SUBJECT

It is important for the Data Controller that its processing complies with the requirements of fairness, lawfulness and transparency. The data subject may, in connection with the processing, at any time:

  • request information about the processing and access to the data processed concerning him or her,

  • request rectification or completion of incomplete data in the event of inaccurate data,

  • request the erasure of data processed on the basis of the data subject’s consent,

  • object against the processing of the data subject’s data,

  • request the restriction of data processing.

On the basis of a request for information, and unless it is restricted by a legitimate interest, the data subject may find out whether their personal data are being processed by the Data Controller and have the right to obtain information about the processing of their personal data, in particular 

  • the purpose of processing,

  • the entitlement of processing (legal basis),

  • when and for how long it processes their data (term),

  • what data it processes and provides a copy to the data subject,

  • the recipients of the personal data and the categories of recipients,

  • transfer to a third country or international organisation,

  • if not collected from the data subject, the source of the data, 

  • the features of automated decision-making, if such is applied by the data controller,

  • the data subjects' rights in relation to data processing,

  • options for remedies.

The Data Controller shall respond to requests for information and access within one month at the latest. The Data Controller may charge a reasonable fee, based on administrative costs, for additional copies of personal data concerning the data subject that are requested. 

In the case of a request for rectification (amendment) of data, the data subject shall substantiate the accuracy of the data requested to be amended and shall also certify that the person who requests the amendment is authorised to do so. Only in this way can the Data Controller assess whether the new data is real and, if so, whether it can modify the old data.

If it is not clear whether the processed data is correct or accurate, the Data Controller shall not rectify the data, but only flag it, i.e. indicate that the data subject has objected to it, but it may not be incorrect. The data controller shall, without undue delay, rectify inaccurate personal data or supplement the data concerned by the request, after confirming the authenticity of the request. The Data Controller shall notify the data subject of the rectification or flagging. 

In the event of a request for erasure or blocking of data, the data subject may request the erasure of their data, which means that the Data Controller shall erase data relating to the data subject without undue delay if: 

  • the personal data have been unlawfully processed,

  • the personal data are no longer necessary for the purposes for which they were processed,

  • where the processing was based on the data subject's consent and they have withdrawn it, and no other legal basis justifies the continued processing of the data,

  • the Data Controller is under a legal obligation to erase the data and has not yet done so.

The data subject may request the restriction of processing, which the data controller will comply with if one of the following conditions is met:

  • the data subject contests the accuracy of the personal data, in which case the restriction applies for the period of time necessary to allow the data controller to verify the accuracy of the personal data,

  • the data processing is unlawful and the data subject opposes the erasure of the data and instead requests the restriction of their use,

  • the data controller no longer needs the personal data for the purposes of the processing, but the data subject requests them for the establishment, exercise or defence of legal claims, i.e. against the data processing concerning them. 

Where the data are subject to restriction, such personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State. The Data Controller shall inform the data subject in advance of the lifting of the restriction on data processing.

If the data subject considers that the data processing infringes the provisions of the GDPR or the Information Act, or holds that the way in which the Data Controller processes their personal data is injurious, we recommend to first contact the Data Controller with a complaint. All complaints will be investigated. 

If, despite their complaint, the data subject still has a grievance about the way the Data Controller processes their data or wishes to contact the authorities directly, they can lodge a complaint with the National Authority for Data Protection and Freedom of Information (address: H-1055 Budapest, Falk Miksa utca 9-11., mailing address: H-1363 Budapest, Pf.: 9., e-mail: ugyfelszolgalat@naih.hu, website: www.naih.hu).

To protect their data, the data subject may turn to court, which will rule on the case out of turn. In this case, the data subject is free to choose whether to bring action before the regional court of their domicile (permanent address) or the regional court of their residence (temporary address) (http://birosag.hu/torvenyszekek). 

The court of the place of your residence or stay can be found at the http://birosag.hu/ugyfelkapcsolati-portal/birosag-kereso website.

Annex No. 1: Applicable legislation

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR);

  • Act CXII of 2011 on the Right to Information Self-Determination and Freedom of Information (Act CXII of 2011);

  • Act V of 2013 on the Civil Code (Civil Code);

  • Act CXXX of 2016 on the Civil Procedure (Act on Civil Procedure);

  • Act C of 2000 on Accounting (Accounting Act);

  • Act CXXVII of 2007 on VAT (VAT Act).

Annex No. 2: Terms related to the processing of personal data

  • data controller: the legal person who determines the purposes and means of the processing of personal data;

  • processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

  • transfer: making data available to a specified third party;

  • erasure: making data unrecognisable in such a way that it is no longer possible to recover it;

  • flagging: the marking of data with an identifier to distinguish it;

  • restriction of processing: the flagging of stored personal data for the purpose of restricting their future processing;

  • data destruction: the complete physical destruction of a data medium containing data;

  • data processor: a legal person who processes personal data on behalf of the data controller;

  • recipient: a natural or legal person, public authority, agency or any other body to whom or with which personal data are disclosed, whether or not a third party;

  • data subject: an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

  • third party: a natural or legal person, public authority, agency or any other body other than the data subject, the data controller, the data processor or the persons who, under the direct authority of the controller or processor, are authorised to process the personal data;

  • consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them;

  • personal data: any information relating to the data subject;

  • objection: a statement by the data subject objecting to the processing of their personal data and requesting the cessation of the processing or the deletion of the processed data.

Annex No. 3: Identity and details of the data processors, the specific nature of their processing and the guarantees for the transfer of data

Certain data processors used by the Data Controller may be established in or transfer data to the United States of America.

The Data Controller draws attention to the following risks in connection with data transfers to the United States of America.

Equivalent protection: The United States of America does not have a comprehensive data protection framework equivalent to that existing in the European Union (including, in particular, the Charter of Fundamental Rights and the GDPR) at the time of entry into force of this notice, as defined by the so-called Schrems II decision of the Court of Justice of the European Union of 16 July 2020. This may result in data subjects' privacy rights not being adequately protected.

National security and prosecution of crimes: Some authorities in the United States of America have extensive surveillance powers which they can use to access personal data without appropriate legal safeguards.

Data security: A data processor operating in the United States may not have the same level of security measures as a data controller in Hungary, which increases the risk of a data integrity breach.

As the legal basis for the processing, the Data Controller applies Article 46 (2) (c) of the GDPR, subject to the provisions under recital 104 as well, according to which the transfer is permitted if the general data protection clauses adopted by the European Commission in accordance with the examination committee procedure referred to in Article 93 (2) are used.

As a risk mitigation measure, in order to protect the personal data of the data subjects, the Data Controller only uses data processors that undertake and ensure compliance with the data processing obligations set out in Article 28 of the GDPR or with which it has concluded a data processing contract in which the data processor has undertaken these obligations.

In this notice, the Data Controller describes to the data subjects the data processing safeguards that ensure the enforcement of the data processing commitments and data subject rights under the GDPR.

Shopify

Name of the data processor: Shopify International Ltd.

Registered office: Haddington Road, 2nd Floor 1-2 Victoria Buildings, Dublin 4, D04 XN32, Ireland

Identifier, registry number: IE560279

Activity performed: web server service, webshop operation

Essential feature of the data transfer

Shopify is an e-commerce platform that allows its partners (including the Data Controller) to create and operate their own online shop. It allows business owners to sell their products and services online. It includes setting up the store, integrating payment systems, inventory management and customer support.

Through the Shopify interface, the Data Controller may collect data about customers, such as name, address, email address, telephone number and payment details, and may use cookies to obtain additional data to log and analyse time spent on the website and activity.

Safeguards of the data transfer

By using Shopify, the Data Controller applies the Shopify Terms of Service. The Shopify data processing commitments (Shopify Data Processing Addendum) are available as its annexes. These obligations ensure compliance with the data controller's obligations under Article 28 of the GDPR and correspond in content to the standard contractual clauses (Standard Contractual Clauses – second module: Transfers from the controller to the processor) drafted by the European Commission.

Features of the data transfer

Based on the Shopify Privacy Policy, we draw your attention to the following special data processing processes and requirements that affect data subjects.

Automated risk and fraud scoring

Shopify uses automated decision-making to use its clients’ personal data to block certain transactions that appear to be fraudulent. Shopify risk and fraud screening may use certain personal data of data subjects for automated decision-making. Shopify does not generally engage in fully automated decision-making with respect to the personal data of data subjects. The only exception is Shopify's risk and fraud screening, where Shopify may automatically block a payment card number or IP address after a certain number of failed payment attempts. This has no significant legal impact on the data subjects, as the automatic blocking only lasts for a short period of time.

As part of providing the Services, Shopify transfers personal data to MaxMind, a fraud detection service that processes the personal data to provide the Data Controller with risk scores to help avoid fraudulent transactions. In this capacity, MaxMind acts as an independent data controller of the personal data it processes. More information about MaxMind's privacy practices can be found here: www.maxmind.com/en/privacy-policy.

Parental consent

The GDPR contains specific parental consent requirements for the processing of personal data of users under the age of 16. Under Article 8 of the GDPR, in the case of a child under the age of 16, the processing of personal data of children is lawful only if and to the extent that consent has been given or authorised by the person with parental responsibility over the child.

Data transfer

Your personal data is controlled by Shopify International Ltd, a subsidiary of Shopify in Ireland. The data is then transferred by Shopify to other Shopify locations and service providers located in other regions, including Canada (where Shopify is established) and the United States. Personal data is sent outside Europe in accordance with European law.

Google Analytics

Name of the data processor: Google Ireland Limited

Registered office: Gordon House, Barrow Street, Dublin 4, Ireland

Identifier, registry number: 368047

Activity provided: website analytics

Essential feature of the data transfer

Google Analytics is a web analytics service that helps website owners understand how their visitors use their site. The service places embedded code on the website that collects data about visitors' activity, such as the number of visits, the source of visitors, the pages visited by visitors, and the time spent on the website. The data can be viewed and analysed in the Google Analytics user interface, which allows website owners to better understand their visitors and better optimise their website according to their visitors' needs.

Safeguards of the data transfer

According to Google, Google Analytics mainly uses first-party cookies to report on visitor interactions on its website. These cookies only record information that is not personally identifiable (i.e. anonymised for GDPR purposes). Browsers do not share first-party cookies between domains. For more information about cookies, please see the Google Ads and Privacy FAQ. Data subjects can find the privacy notice on Google Analytics settings and use on the Google website: https://policies.google.com/privacy?hl=hu

Legislation to protect user data, such as the General Data Protection Regulation in force in the European Economic Area and other data protection laws that provide different rights to residents of certain US states, affects content publishers, application developers, website visitors and application users.

Also consult Google's Privacy Policy and Google's website for customers and partners:

https://support.google.com/analytics/answer/6004245?hl=hu#zippy=%2Cadatv%C3%A9delem-%C3%A9s-biztons%C3%A1g%2Caz-adatok-meg%C5%91rz%C3%A9si-t%C3%B6rl%C3%A9si-%C3%A9s-hordozhat%C3%B3s%C3%A1gi-be%C3%A1ll%C3%ADt%C3%A1sai%2Ca-google-analytics-%C3%A1ltal-gy%C5%B1jt%C3%B6tt-adatok%2Ca-google-analytics-az-%C3%A1ltal%C3%A1nos-adatv%C3%A9delmi-rendelet-gdpr-vonatkoz%C3%A1s%C3%A1ban

Klaviyo

Name of the data processor: Klaviyo Inc.

Registered office: 125 Summer St Fl 6, Boston, Massachusetts, 02111, United States of America

Identifier, registry number: 5210772

Activity provided: email marketing

Essential feature of the data transfer

Klaviyo is email marketing software that enables targeted communication with customers and analysis of customer data to improve customer experience. The software can be integrated with webshop systems (such as Shopify) and can send automated campaigns.

Safeguards of the data transfer

Klaviyo's privacy notice is available at the following link:

https://www.klaviyo.com/legal/privacy/privacy-notice#eu

Klaviyo ensures the exercise of the rights of the data subject (point 6) and, in this context, the possibility of contact at privacy@klaviyo.com.

Gorgias

Name of the data processor: Gorgias Inc.

Registered office: 768 Harrison St, San Francisco, California, 94107, United States of America

Identifier, registry number: 3976615

Activity provided: client service helpdesk software

Essential feature of the data transfer

Gorgias client service helpdesk software helps companies increase the efficiency and quality of client service. The app enables centralised communication with clients, automates answers to common questions and improves the handling of client complaints. The application supports email, chat and media messaging, and can be integrated with other systems such as customer databases and e-commerce platforms (e.g. Shopify).

Safeguards of the data transfer

Gorgias's privacy notice is available at the following link:

https://www.gorgias.com/privacy/privacy

Gorgias provides the following information in particular to data subjects who are European residents:

https://www.gorgias.com/privacy/gdpr

Infobip

Name of the service provider: Infobip Ltd.

Registered office: EC4V 6BW, Fifth Floor, 35-38 New Bridge Street, London, United Kingdom

Identifier, registry number: 7085757

Activity provided: SMS direct marketing

Essential feature of the data transfer

Infobip's services include SMS, voice message, call, push notification, email, chatbot and RCS (Rich Communication Services) communication. Infobip aims to make it easier and more efficient for customers to communicate with clients and partners. The Data Controller uses Infobip's SMS direct marketing service.

Safeguards of the data transfer

Infobip's privacy notice is available at the following link:

https://www.infobip.com/policies/privacy-notice

Infobip applies the Standard Contractual Clauses to the data transfers, according to the following terms and conditions:

https://www.infobip.com/policies/data-transfer-agreement

Infobip employs a data protection officer, whose contact details are:

data-protection-officer@infobip.com

INFOBIP d.o.o., attn. Data Protection Officer, Istarska 157, 52 215 Vodnjan, Croatia.

FALUS Tamás sole entrepreneur

Name of the data processor: FALUS Tamás sole entrepreneur

Registered office: H-1133 Budapest, Pannónia u. 64. B. ép. 5 / 25, Hungary

Identifier, registry number: 43659688

Activity provided: custom software development

Essential feature of the data transfer

Software development for refunds and returns. The basic operation of the system is that the client service representative looks up the order and uses the payment details to determine whether the payment was made by cash on delivery or through a payment service provider. In the case of a cash-on-delivery refund, the account number, the name of the recipient, the account holder's bank details and the amount to be refunded are entered in the system provided by the service provider.

Safeguards of the data transfer

A data processing agreement is in force between the data processor and FALUS Tamás sole entrepreneur to ensure compliance with Article 28 (3) of the GDPR.

szamlazz.hu

Name of the data processor: KBOSS.hu Kft.

Registered office: H-1031 Budapest, Záhony utca 7., Hungary

Identifier, registry number: 01 09 303201

Activity provided: invoicing

Essential feature of the data transfer

Szamlazz.hu is online invoicing software that helps businesses create and manage their invoices. Users can create and print invoices and send them electronically to their customers. The program also supports the import of cash register data and the electronic archiving of invoices.

Safeguards of the data transfer

The Szamlazz.hu privacy notice is available at the following link:

https://www.szamlazz.hu/adatvedelem/

As stated in the information notice, szamlazz.hu as a data processor ensures compliance with Article 28 (3) of the GDPR, in particular the following:

  • processes personal data only on the basis of written instructions from the Data Controller, including the transfer of personal data to a third country or an international organisation, unless the processing is required by Union or Member State law applicable to the data processor, in which case the data processor shall notify the data controller of that legal requirement prior to processing, unless the notification of the data controller is prohibited by the relevant legislation on grounds of important public interest;

  • ensures that persons authorised to process personal data are bound by an obligation of confidentiality or are under an appropriate obligation of confidentiality based on law;

  • takes the measures required under Article 32 of the GDPR;

  • respects the conditions referred to in Article 28 (2) and (4) of the GDPR concerning the use of an additional data processor;

  • assists the data controller, to the extent possible, by appropriate technical and organisational measures, taking into account the nature of the processing, in fulfilling its obligation to respond to requests relating to the exercise of the data subject's rights under Chapter III;

  • assists the data controller in fulfilling its obligations under Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the data processor;

  • deletes or returns to the data controller, at the data controller's discretion, all personal data and deletes existing copies after the provision of the processing service, unless EU or Member State law requires the storage of personal data;

  • provides the data controller with all the information necessary to demonstrate compliance with the obligations laid down in this Article and to enable and facilitate audits, including on-site inspections, carried out by the data controller or by another auditor assigned by the data controller.