Privacy Policy
PRIVACY POLICY
of OM Education & Consulting Kft. regarding the website operated at https://www.bookbase.app/ , https://thegoal.co/ and the KönyvKlub / BookBase / The Goal Mobile Application
I. INTRODUCTORY PROVISIONS, PURPOSE AND SCOPE OF THE POLICY
OM Education & Consulting Kft. (hereinafter: Data Controller/Company) informs data subjects through this privacy policy (hereinafter: Policy) about the data processing practices on the websites operated at https://www.bookbase.app and https://thegoal.co and in the mobile application.
The Data Controller considers the processing of data provided by its natural person subscribers/visitors, in particular the processing of personal data, to be of paramount importance. Accordingly, it treats personal data confidentially and takes all necessary technical and organisational measures to ensure the security of data. In this regard, the Data Controller undertakes that the data processing set out in the Policy complies with the provisions of the applicable Hungarian and European Union legislation.
The Data Controller is entitled to change the Policy and its content at any time. The Data Controller shall publish the current version of the Policy on its website at the electronic address https://www.bookbase.app , https://thegoal.co prior to the entry into force of the change and shall inform data subjects thereof on its website. The Data Controller accepts the contents of the Policy as binding upon itself and shall comply with them when processing personal data.
The Data Controller welcomes any questions arising in connection with the Policy at the following e-mail address, or at the additional contact details provided in Section II:
hello@onlinemarketinges.com
The data processing activities of the Data Controller are primarily governed by the following legislation:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter: GDPR)
- Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Info Act)
- Act V of 2013 on the Civil Code (hereinafter: Civil Code)
- Act C of 2000 on accounting (hereinafter: Accounting Act)
- Act CLXIV of 2005 on trade (hereinafter: Trade Act)
- Act CLV of 1997 on consumer protection (hereinafter: Consumer Protection Act)
- Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (hereinafter: E-Commerce Act)
- Act XLVIII of 2008 on the basic conditions and certain restrictions of economic advertising activities (hereinafter: Advertising Act)
- Act CL of 2017 on the rules of taxation (hereinafter: Tax Procedure Act)
- Act CLIX of 2012 on postal services (hereinafter: Postal Act)
Purpose of the Policy: It sets out the principles governing the processing of data of natural persons (data subjects) processed by the Data Controller, informs data subjects of their rights vis-à-vis the Data Controller in relation to their personal data, the manner of exercising such rights, the personal data processed by the website, the Data Controller’s contact details necessary for exercising rights, and the forms of legal remedy.
Temporal scope of the Policy: From 9 February 2026 until withdrawal or amendment of the Policy.
Personal scope of the Policy: The personal scope of the Policy extends to the Data Controller and all natural persons affected by the data processing of the Data Controller.
Material scope of the Policy: The material scope extends to all data processing activities of the Data Controller, regardless of whether they are electronic or paper-based.
Please carefully review the General Terms and Conditions (GTC) before subscribing on the website / in the mobile application. Before subscribing, the subscriber (data subject) must expressly accept the GTC and must consent to the data processing based on the information provided in the Privacy Policy (by ticking the appropriate checkboxes).
II. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER AND HOSTING SERVICE PROVIDER
DATA CONTROLLER: - Name: OM Education & Consulting Kft. - Registered seat: 3300 Eger, Koháry István utca 19, 1st floor, apt. 6 - Tax number: 28775704-2-10 - Company registration number: 10-09-038258 - Electronic contact: hello@onlinemarketinges.com
HOSTING SERVICE PROVIDER: - Company name: Amazon Web Services Inc. - Mailing address: 10 Terry Avenue North, Seattle, WA 98109-5210 - Electronic contact: https://aws.amazon.com/
III. DEFINITIONS
The definitions of key terms used in the Policy are set out below:
Data subject: any natural person who is identified or identifiable on the basis of any information.
Personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Data subject rights: the right to information, the right of access to personal data, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to withdraw consent, the right to object including profiling, the right to lodge a complaint with a court or the Authority, the deadlines and procedural rules thereof, compensation, and non-material damages.
Data controller: a natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processing (data processing): any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Data transfer: making data accessible to a specified third party.
Data processor: a natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the controller.
Data erasure: rendering data unrecognisable in such a way that its restoration — whether from a paper or electronic record-keeping system — is no longer possible.
Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.
Recipient: a natural or legal person, public authority, agency, or another body to which the personal data are disclosed, regardless of whether it is a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Third country: any state that is not an EEA state.
Consent of the data subject: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Consent may be withdrawn at any time, free of charge and without any conditions.
Personal data breach (GDPR): a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Subscriber: A natural or legal person who, following registration, pays the subscription fee for the service(s) provided by the Service Provider under a subscription model and uses the website and mobile application in full.
Website: The website operated by the Service Provider at the internet address https://www.bookbase.app , https://thegoal.co
Mobile Application: The mobile application named KönyvKlub / BookBase / The Goal, available for download from the App Store and Google Play.
Service: The entirety of service(s) provided electronically within a subscription system on the website / in the mobile application operated by the Service Provider, to which the Subscriber is entitled to access with the content and functionality corresponding to their subscription package during the existence of the subscription relationship.
IV. PRINCIPLES, LEGAL BASIS, AND DURATION OF DATA PROCESSING
The data processing principles respected and mandatorily applied by the Data Controller pursuant to the GDPR are as follows:
Principle of lawfulness, fairness, and transparency: personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
Principle of purpose limitation: personal data shall be collected only for specified, explicit, and legitimate purposes and shall not be further processed in a manner that is incompatible with those purposes.
Principle of data minimisation: personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Principle of accuracy: personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Principle of storage limitation: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Principle of integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
Principle of accountability: the controller shall be responsible for, and be able to demonstrate compliance with, the aforementioned principles.
Principle of necessity and proportionality: in essence, this corresponds to the principle of data minimisation.
Legal bases of processing under the GDPR
A given processing activity may have only one legal basis. Article 6(1) of the GDPR lists the 6 possible legal bases from which the legal basis of a processing activity is selected; the listing does not imply a ranking among them. Following the order used in the GDPR, the 6 possible legal bases are:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The Data Controller indicates the legal basis for each individual processing activity separately in Section V of the Policy.
Similarly to the legal bases, the Data Controller also indicates the duration of each individual processing activity separately in the Policy, regardless of whether the processing is based on the data subject’s voluntary consent, performance of a contract, legally mandated processing, or legitimate interests.
V. THE DATA CONTROLLER CARRIES OUT THE FOLLOWING PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE OPERATION OF THE WEBSITE / MOBILE APPLICATION:
V/1. Registration on the website / in the mobile application
Full access to the website and the mobile application requires registration and subscription.
SCOPE OF DATA SUBJECTS | All data subjects who register on the website / in the mobile application |
SCOPE OF PROCESSED DATA | full name, username, e-mail address |
DURATION OF PROCESSING | Until the data subject withdraws their consent / deletes their registered account |
Legal basis of processing: the data subject’s voluntary consent (Article 6(1)(a) of the GDPR).
Source of data: directly from the data subject.
Purpose of processing: secure login to the user account, identification, communication, access to the full service.
Consequence of failure to provide data: registration cannot be completed.
Recipients of personal data:
For the website, hosting service provider: - Company name: Amazon Web Services Inc. - Mailing address: 10 Terry Avenue North, Seattle, WA 98109-5210 - Electronic contact: https://aws.amazon.com/ - Purpose of registration: processing is necessary for the performance of a contract pursuant to Article 6(1)(b) of the GDPR.
For the mobile application: - Company name: Google LLC - Mailing address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA - Electronic contact: https://about.google/company-info/contact-google/ - Purpose of registration: processing is necessary for the performance of a contract pursuant to Article 6(1)(b) of the GDPR.
- Company name: Apple Inc.
- Mailing address: One Apple Park Way, Cupertino, CA 95014, USA
- Electronic contact: https://support.apple.com/contact
- Purpose of registration: processing is necessary for the performance of a contract pursuant to Article 6(1)(b) of the GDPR.
Transfer to a third country: The data subject acknowledges and is aware in connection with the registration that they provide the personal data necessary for registration of their own volition and at their own responsibility, with the understanding that such data will be transferred to third countries. The transfer is safeguarded by the EU–US Data Privacy Framework, which complies with EU data protection regulations (GDPR).
Automated decision-making, profiling: The Company does not carry out such processing; data subjects are not scored or classified into different categories on the basis of any system, criteria, etc. during registration.
The data subject may withdraw their voluntary consent given in writing through the website for the personal data specified in this section and for the indicated purpose of processing at any time by sending a written statement to any of the Data Controller’s contact details indicated in Section II, or by deleting their user account as described above. Withdrawal of consent is free of charge and subject to no conditions; however, withdrawal of consent shall not affect the lawfulness of processing carried out prior to the withdrawal.
V/2. Issuing invoices in connection with subscriptions
The Data Controller issues invoices to subscribers on the website in connection with the sale of the services it provides. The Data Controller processes and stores the invoice in its invoicing system for the period prescribed by the applicable legislation.
SCOPE OF DATA SUBJECTS | All natural persons who subscribe to the service on the website |
SCOPE OF PROCESSED PERSONAL DATA | Name as provided in the billing data |
DURATION OF PROCESSING | Eight years pursuant to Section 169(2) of the Accounting Act |
Legal basis of processing: processing is necessary for compliance with a legal obligation to which the Data Controller is subject (Article 6(1)(c) of the GDPR, having regard to Section 169(2) of the Accounting Act).
Source of data: directly from the data subject.
Purpose of processing: issuing a document certifying the payment of the consideration for the service, fulfilment of the Data Controller’s accounting obligations.
Consequence of failure to provide data: the natural person purchasing the service cannot receive an invoice issued in their name.
Recipients of personal data:
Invoicing software: - Company name: Billingo Technologies Zártkörűen Működő Részvénytársaság - Mailing address: 1133 Budapest, Árbóc utca 6. - Electronic contact: hello@billingo.hu - Purpose of issuing invoices: processing is necessary for the performance of a contract pursuant to Article 6(1)(b) of the GDPR.
Subscription-related technical data processing: - Company name: RevenueCat Inc. - Mailing address: 548 Market St #94496, San Francisco, CA 94104, USA - Electronic contact: https://www.revenue-inc.com/contact/ - Purpose of managing subscriptions: processing is necessary for the performance of a contract pursuant to Article 6(1)(b) of the GDPR. The data transfer is safeguarded by the EU–US Data Privacy Framework, which complies with EU data protection regulations (GDPR).
Transfer to a third country: only to RevenueCat Inc. (USA) for the subscription-related technical data processing indicated above, under the EU–US Data Privacy Framework; the invoicing data processed by Billingo remain within the EEA.
Automated decision-making, profiling: the Data Controller does not carry out such processing; data subjects are not scored or classified into different categories on the basis of any system, criteria, etc. during the invoicing process.
In the case of subscriptions made through the mobile application, we inform data subjects that Google LLC or Apple Inc. will directly issue the invoice, over which the Data Controller has no influence. In this case, the contract is concluded directly with the said companies, and their privacy policies shall apply.
V/3. Online bank card payment on the website
The Data Controller provides online bank card payment for subscriptions on the website on the basis of a contract concluded with a third-party external payment service provider. The Data Controller does not have access to the bank card data used during the online bank card payment and is not authorised to access it under the rules of the International Card Associations; such card data is processed and stored by the payment service provider in a PCI DSS-certified environment. The Data Controller processes the following data in relation to data subjects who make online bank card payments when subscribing on the website:
SCOPE OF DATA SUBJECTS | Persons who make online bank card payments on the website |
SCOPE OF PROCESSED DATA | Bank card data entered during payment and held by the payment service provider in tokenised form: card number, expiry date, name on the bank card, and the CVV code, which is used only to authorise the transaction and is not retained afterwards (PCI DSS prohibits its storage after authorisation) |
DURATION OF PROCESSING | 5 years from the date of the payment transaction (general civil law limitation period). If necessary for the fulfilment of the requirements set out in Section 169(2) of the Accounting Act, then 8 years |
Legal basis of processing: the data subject’s voluntary consent (Article 6(1)(a) of the GDPR).
Source of data: directly from the data subject.
Purpose of processing: payment of the consideration for the service so that the full service becomes accessible to the Subscriber.
Consequence of failure to provide data: The full content of the Service will not become accessible, as the subscription cannot be completed.
Recipients of personal data:
For the website, hosting service provider: - Company name: Amazon Web Services Inc. - Mailing address: 10 Terry Avenue North, Seattle, WA 98109-5210 - Electronic contact: https://aws.amazon.com/ - Purpose of fulfilling the subscription: processing is necessary for the performance of a contract pursuant to Article 6(1)(b) of the GDPR.
Payment service provider: - Company name: Stripe Inc. - Mailing address: 354 Oyster Point Blvd, South San Francisco, CA 94080, USA - Electronic contact: https://support.stripe.com/ - Purpose of fulfilling the subscription: processing is necessary for the performance of a contract pursuant to Article 6(1)(b) of the GDPR.
Transfer to a third country: The data subject acknowledges and is aware in connection with the subscription that they provide the personal data necessary for the subscription of their own volition and at their own responsibility, with the understanding that such data will be transferred to third countries. The transfer is safeguarded by the EU–US Data Privacy Framework, which complies with EU data protection regulations (GDPR).
Automated decision-making, profiling: The Company does not carry out such processing; data subjects are not scored or classified into different categories on the basis of any system, criteria, etc. during the online payment process.
In the case of subscriptions made through the mobile application, we inform data subjects that Google LLC or Apple Inc. directly processes the payment, over which the Data Controller has no influence. In this case, the contract is concluded directly with the said companies, and their privacy policies shall apply.
V/4. Marketing database, newsletter, advertising, marketing analytics
The Data Controller is entitled to send newsletters and other marketing content to data subjects who have expressly consented to the sending of marketing and advertising messages during or following registration by ticking a dedicated checkbox. The data subject may withdraw their previously given consent at any time, without any conditions, by sending a written statement to any of the available contact details or by clicking the “Unsubscribe” link usually found at the end of the newsletter, in accordance with the instructions therein. The newsletters sent by the Data Controller are general and uniform newsletters; the Data Controller does not carry out any profiling of data subjects in connection with the sending of newsletters.
In the mobile application, the data subject may enable the receipt of “push” notifications. If enabled, the Data Controller’s mobile application periodically sends “push” notifications to the data subject’s device. The receipt of “push” notifications may be disabled by the data subject at any time.
In our mobile application and on our website, we process certain data for marketing and analytical purposes in order to better understand the behaviour of our users and to improve the quality of our services. To this end, we use third-party service providers who process the data exclusively for the predetermined purposes, for example:
- measuring user activities in the application or on the website,
- analysing the performance of marketing campaigns,
- fraud prevention and security checks.
The types of data generally may include technical identifiers, browser and device data, and information related to activities performed in the application or on the website. Users have the right to access their data, request its deletion or restriction of processing, and to object to processing in accordance with the applicable legislation.
We do not carry out profiling on the basis of the data; we use them exclusively for statistical purposes to improve the user experience and process them anonymously.
SCOPE OF DATA SUBJECTS | All natural persons who subscribe to the Data Controller’s newsletter by providing their personal data, who enable push notifications in the mobile application, or whose behaviour on the website or in the mobile application is measured for marketing analytics |
SCOPE OF PROCESSED PERSONAL DATA | Full name and e-mail address in the case of subscribing to the newsletter or marketing materials. In the case of marketing analytics, technical identifiers, browser and device data, and information on activities performed on the website or in the application; no profiling takes place, and these data are used exclusively for anonymous statistical purposes |
DURATION OF PROCESSING | Until the data subject withdraws their voluntary consent. The Data Controller reviews the list of newsletter subscribers every two years and requests a confirmation e-mail for the continued sending of newsletters. If the data subject does not send a confirmation e-mail within 1 week, the Data Controller shall delete the data subject from the newsletter list |
Legal basis of processing: the data subject’s voluntary consent (Article 6(1)(a) of the GDPR).
Source of data: directly from the data subject.
Purpose of processing: presenting the latest features of the Service, reminders, and sending other marketing materials that may be of interest to data subjects.
Consequence of failure to provide data: The data subject will not be directly informed about the latest features of the Service or other marketing materials.
Recipients of personal data:
E-mail campaigns, sending notifications: - Company name: Customer.io Inc. - Mailing address: 921 SW Washington St #820, Portland, OR 97205, USA - Electronic contact: https://customer.io/ - Purpose of sending marketing materials, push notifications, and conducting e-mail campaigns: processing is based on the data subject’s consent pursuant to Article 6(1)(a) of the GDPR. The data transfer is safeguarded by the EU–US Data Privacy Framework, which complies with EU data protection regulations (GDPR).
Marketing analytics measurement: - Company name: Adjust GmbH - Mailing address: Saarbrücker Straße 37a, 10405 Berlin, Germany - Electronic contact: privacy@adjust.com - Purpose of measuring marketing campaigns and user behaviour: processing is based on the data subject’s consent pursuant to Article 6(1)(a) of the GDPR.
Transfer to a third country: The data subject acknowledges and is aware in connection with subscribing to marketing and newsletters that they provide their data of their own volition and at their own responsibility, with the understanding that such data will be transferred to third countries.
Automated decision-making, profiling: The Company does not carry out such processing; data subjects are not scored or classified into different categories on the basis of any system, criteria, etc. for marketing purposes.
V/5. Data processing related to the Goals AI feature
The Goals AI feature is available on our website and in our mobile application, where you can easily access your personalised learning pathway at any time. When using it, you first describe your personal goal, for example “start a business” or “improve productivity.” The AI then asks 5–6 contextual questions to precisely understand your situation and needs. Based on your answers, the AI generates a personalised learning pathway with daily micro-tasks that help you achieve your goal step by step. We continuously monitor your progress so that the difficulty of the tasks and recommendations can always be optimally adjusted to your development.
The use of this feature is solely at the subscriber’s discretion; it is not mandatory to use, and if you have already started, you may disable it at any time.
SCOPE OF DATA SUBJECTS | All data subjects who wish to use the feature named Goals AI |
SCOPE OF PROCESSED PERSONAL DATA | There is no mandatory data provision; only the personal data that the user shares with the AI entirely voluntarily (the goal described, the answers given to the contextual questions, and the progress data generated while completing the tasks) |
DURATION OF PROCESSING | Until the goal is achieved or until the data subject withdraws consent, which they may do at any time |
Legal basis of processing: the data subject’s voluntary consent (Article 6(1)(a) of the GDPR).
Source of data: directly from the data subject.
Purpose of processing: use of the Goals AI feature.
Consequence of failure to provide data: the Goals AI feature cannot be used.
Recipients of personal data:
For the website, hosting service provider: - Company name: Amazon Web Services Inc. - Mailing address: 10 Terry Avenue North, Seattle, WA 98109-5210 - Electronic contact: https://aws.amazon.com/ - Purpose of use of the Goals AI feature: processing is based on the data subject’s consent pursuant to Article 6(1)(a) of the GDPR.
Owners of the artificial intelligence systems used by Goals AI: - Company name: OpenAI LLC - Mailing address: 3180 18th Street, San Francisco, CA 94110, USA - Electronic contact: https://help.openai.com/en/collections/3742473-chatgpt - Purpose of use of the Goals AI feature: processing is based on the data subject’s consent pursuant to Article 6(1)(a) of the GDPR.
- Company name: Anthropic PBC
- Mailing address: 548 Market St, PMB 90375, San Francisco, CA 94104, USA
- Electronic contact: https://support.claude.com/en/
- Purpose of use of the Goals AI feature: processing is based on the data subject’s consent pursuant to Article 6(1)(a) of the GDPR.
Transfer to a third country: The data subject, by using the Goals AI feature, acknowledges and is aware that they provide their data of their own volition and at their own responsibility, with the understanding that such data will be transferred to third countries. The Data Processing Agreements (DPAs) concluded with the above-mentioned companies ensure that the data processing and the data transfer comply with the requirements of the GDPR.
Automated decision-making, profiling: The artificial intelligence (AI) applied by the Data Controller carries out profiling for the purpose of achieving the data subject’s personal goals. The data subject, by using the Goals AI feature, acknowledges and expressly consents to this profiling. Consent may be withdrawn by the data subject at any time without any conditions. The Goals AI works exclusively from the answers provided; its purpose is to delineate the data subject’s goals and the means of achieving them as precisely as possible, so that the data subject knows how to achieve their goals.
V/6. Information requests, complaints, quality objections (electronic form)
The Data Controller also makes it possible for data subjects interested in its services to request information on any matter, or to submit complaints or quality objections. Information may be requested at the e-mail address hello@onlinemarketinges.com.
SCOPE OF DATA SUBJECTS | All data subjects who request information from the Data Controller in connection with its services while providing their personal data |
SCOPE OF PROCESSED PERSONAL DATA | Name, e-mail address, subject of the message, content of the request |
DURATION OF PROCESSING | Until the purpose is achieved |
Legal basis of processing: the data subject’s voluntary consent (Article 6(1)(a) of the GDPR).
Source of data: directly from the data subject.
Purpose of processing: providing information (response) to the data subject and the communication necessary for this purpose.
Consequence of failure to provide data: the information request cannot be fulfilled.
Transfer to a third country: none.
Automated decision-making, profiling: the Data Controller does not carry out such processing; data subjects are not scored or classified into different categories on the basis of any system, criteria, etc. in connection with the above.
VI. DATA SECURITY, PERSONAL DATA BREACH
The Data Controller hereby informs data subjects that, pursuant to Article 32(1) of the GDPR and Recital (83) of the GDPR, it has taken and continuously takes all technically and organisationally feasible measures to ensure the protection of personal data in connection with the processing in compliance with the requirements of the GDPR and to minimise the risk of personal data breaches.
The Data Controller also continuously ensures, during the processing activities carried out for the purposes and on the legal bases listed in Section V, that the level of protection of data subjects’ data meets the level required by legislation.
In the event that a personal data breach occurs for any reason despite the Data Controller’s efforts regarding data security described in this section, the Data Controller shall take without delay the measures prescribed by law, in proportion to the severity of the incident.
In the event of a personal data breach, the Data Controller shall notify the Authority within the prescribed 72 hours of becoming aware of the breach, with the content required by Article 33 of the GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk to the data subjects, the Data Controller shall also communicate the breach to the data subjects without undue delay (Article 34 of the GDPR).
The employees and staff members of the Data Controller who process personal data may perform their tasks related to the processing of personal data only after signing a confidentiality statement.
VII. COOKIES MANAGEMENT
A COOKIE is a small file that a website stores, through the browser, on the visitor's computer, smartphone, tablet, etc. (hereinafter: device). For the purposes of this chapter, "visitor" includes anyone who visits the site for browsing purposes, businesses that register on the site, and customers. Cookies allow the service provider to display the website with the content the visitor expects (ensuring user experience), make the visitor's browsing more efficient, facilitate the display of content tailored to the visitor's interests, and are necessary for language settings and for the playback of audio and video files. In addition, we share data about the visitor's use of the website with our social media, advertising, and analytics partners, who may combine it with other data provided by the visitor or collected from other services used by the visitor. By continuing to browse the website, the user consents to the use of cookies. Cookies have numerous functions and varying lifespans, and many types are known.
On this basis, we distinguish (without claiming to be exhaustive), for example:
1. Essential cookies help make websites usable by enabling basic functions such as page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
2. Through the anonymous collection and reporting of data, statistical cookies help the website owner understand how visitors interact with the website. The use of these cookies helps the Data Controller operating the website in developing, maintaining, and optimising the performance of the site’s system.
3. Preference cookies allow us to remember information that changes the behaviour or appearance of the website; examples include the visitor’s preferred language or the region in which they are located.
4. There are also cookies created by third parties, for example certain social media sites such as Facebook, which enable, for example, tracking the effectiveness of advertisements. By using these cookies, the Data Controller does not see the individual user’s personal data. This data is stored and processed by Facebook and may be linked to the data subject’s user account or used for its advertising purposes in accordance with Facebook’s data use policy. The data subject may allow Facebook and its partners to display advertisements on and off Facebook. Marketing cookies, which are used to track visitors’ website activity, may also be included here. The purpose is to publish relevant advertisements for individual users and to encourage activity, which makes websites even more valuable for content publishers and third-party advertisers.
Having regard to Section 155(4) of Act C of 2003 on electronic communications (Ehtv.) — “Data may be stored on or accessed from an electronic communications terminal of a subscriber or user only on the basis of clear and comprehensive information — including information on the purpose of the processing — and the consent of the relevant user or subscriber.” — if you do not wish to allow the placement of cookies, the Data Controller will not place cookies on your device. However, the restriction of cookies also means that the website content will not be available with the content and in the form desired by the visitor, but instead only in a “restricted mode,” and certain functions may not be available at all or only partially.
Cookies often store settings related to websites, such as the default language or location. When revisiting the website, the browser sends the cookies associated with the given website. This allows the website to provide personalised information.
By default, the collection and sending of cookie data is invisible to the user. However, it is possible to modify settings in browsers, as a result of which requests regarding the storage of cookies or their deletion upon closing the browser may be approved or rejected, among other things.
Your browser can also be set so that cookies can only be created with the visitor's consent or are rejected generally. However, it should be noted that without cookies, certain areas of the website may be usable only in a limited manner or not at all. Visitors have the option to control and, if necessary, prevent the use of cookies by configuring their browsers in the following ways:
Microsoft Edge: 1. Select the ‘Settings’ menu item 2. Click on the ‘Cookies and site permissions’ tab 3. By clicking on ‘Manage and delete cookies and site data,’ you can set whether to allow cookie data.
Google Chrome: 1. Click on the Chrome menu and select the ‘Settings’ menu item on the browser toolbar 2. Click on the ‘Privacy and security’ menu item 3. Within this, by selecting the ‘Third-party cookies’ option, you have the possibility to allow or block cookies
Firefox: 1. Select the ‘Settings’ option 2. Click on the ‘Privacy and security’ panel 3. Next to the ‘Cookies and site data’ option, you have the possibility to make the desired settings
Opera: 1. Select the ‘Tools’ menu item and then the ‘Settings’ option 2. Click on the ‘Privacy and security’ panel 3. Under the Cookies section, make the desired settings
Safari: 1. Click on the ‘Safari’ (Tools) button, and then on ‘Preferences’ 2. Click on the ‘Privacy’ panel 3. Under Cookies and website data, make the desired settings
The website uses Google Analytics, a freely available web analytics service operated by Google Inc., which shows users' browsing habits: for example, where visitors clicked through from, how much time they spend on the website, and the geographical location from which they accessed it. It can also be used to determine how visitors reach the website, to identify traffic sources and the browser used, when visitors enter, which page they land on, and what the bounce rate is on each page. Various statistics are generated from this data. All of this is achieved through cookies set by Google Inc., which operates the service. The data collected and the statistics generated are transferred to and stored on one of Google's servers in the USA. With IP anonymisation activated on the website, Google truncates the user's IP address within the member states of the European Union or other states party to the Agreement on the European Economic Area before transmission; only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there. Within the framework of Google Analytics, Google does not associate the IP address transmitted by the user's browser with other Google data.
You may manage your consent settings in your browser at any time as described above or in accordance with the applicable guidance of the given browser regarding cookies, and you may also withdraw your consent with regard to the future.
This website uses the remarketing function of Google Inc. This function serves to display advertisements matching the interests of the website visitors within the Google advertising network. The browser of the person visiting the website stores so-called “cookies.” These are text files that, when stored on the computer, enable the visitor to be recognised when visiting websites belonging to the Google advertising network. On such pages, advertisements relating to content that the visitor has previously visited on websites using Google’s remarketing function may be displayed. During this process, Google does not — according to its own statement — collect any personal data.
The legal basis for this type of processing is your consent given pursuant to Article 6(1)(a) of the GDPR.
VIII. SCOPE OF RECIPIENTS
The Data Controller, in connection with the data processing activities carried out in relation to the operation of the website, specifies the recipients — i.e., the organisations and individuals to whom it discloses the personal data it processes — separately and in detail for each individual processing activity in Section V. For each recipient, the legal basis and purpose of the transfer of personal data are also indicated.
As set out in Section V, the Data Controller may also transfer personal data to countries outside the European Economic Area (EEA), including the United States of America, to the extent necessary for the provision of the service.
Transfers outside the EEA are carried out exclusively in compliance with the conditions laid down in the GDPR, with appropriate safeguards in place. The safeguards applied may include, in particular:
- EU–US Data Privacy Framework: for American data processors certified under this framework (in particular: Apple, Google, Stripe);
- Adequacy decisions: for third countries for which the European Commission has determined an adequate level of data protection.
In addition to the recipients listed in detail for the processing activities in Section V, the following authorities, organisations, and persons may also be additional recipients:
- Authorities and courts authorised to inspect the Data Controller and to oblige the Data Controller to provide data; purpose of data transfer: facilitating the work of authorities and organisations; legal basis of data transfer: compliance with a legal obligation;
- In the event of legal proceedings initiated against the data subject, courts, bailiffs, notaries, the data subject’s legal or contractual representative; purpose of data transfer: initiating legal proceedings, facilitating the exercise of the right of representation; legal basis of data transfer: compliance with a legal obligation.
IX. RIGHTS OF DATA SUBJECTS
The individual data subject rights:
Right to information: Articles 13 and 14 of the GDPR
Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
- the identity and the contact details of the controller and, where applicable, of the controller’s representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the intended processing of the personal data as well as the legal basis for the processing;
- where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
- the recipients or categories of recipients of the personal data, if any;
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation.
Furthermore, the Data Controller must provide information about:
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- where the processing is based on point (a) of Article 6(1) (data subject’s consent) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. Apart from the Goals AI profiling described in Section V, which is based on the data subject's explicit consent, the Data Controller does not carry out such activity.
Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information referred to above.
In addition, the Data Controller is subject to an obligation to provide information:
- about the circumstances, effects, and measures taken to remedy a personal data breach (Article 34);
- where data is transferred to recipients, about the legal basis, purpose, and recipient of the data transfer.
Right of access to personal data: Article 15 of the GDPR
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Upon the data subject's request, the Data Controller shall provide a copy of the personal data undergoing processing free of charge, by electronic or postal means. In the case of repeated requests on the same subject matter, the Data Controller is entitled to charge a reasonable fee or to refuse to act on the request. The right of access may be exercised in writing through the contact details indicated in Section II; verbal information may be provided following verification of the data subject's identity.
Right to rectification: Article 16 of the GDPR
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. Where the data necessary for rectification are available to the Data Controller, the Data Controller shall carry out the rectification automatically, without a separate request to that effect.
Right to erasure: Article 17 of the GDPR
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
- the data subject objects to the processing, and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected from a child in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
However, the right to erasure (right to be forgotten) is not absolute and is therefore not applicable where processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes;
- for the establishment, exercise, or defence of legal claims.
The right to erasure is therefore not absolute, which in essence means the following limitations for the website:
For those processing activities where the legal basis is compliance with a legal obligation, e.g., issuing a document certifying payment for the purchased product, the duration of processing is eight years pursuant to Section 169(2) of the Accounting Act.
For processing activities based on the data subject’s voluntary consent, naturally no such limitations apply and erasure is not hindered.
If the Data Controller refuses a request for erasure, it shall do so in all cases in a written and reasoned response.
Right to restriction of processing (blocking): Article 18 of the GDPR
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defence of legal claims; or
- the data subject has objected to processing; the restriction shall apply for the period until it is established whether the legitimate grounds of the controller override those of the data subject.
Right to data portability: Article 20 of the GDPR
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.
However, the exercise of this right shall not adversely affect the rights and freedoms of others.
Right to object: Article 21 of the GDPR
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on the following, including profiling:
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; Article 6(1)(e) of the GDPR.
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Article 6(1)(f) of the GDPR.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing, including profiling to the extent that it is related to such direct marketing. Where the data subject objects to the processing of personal data for direct marketing purposes, the Data Controller shall no longer process the personal data for such purposes.
Right to withdraw consent: Article 7 of the GDPR
The data subject shall have the right to withdraw their previously given voluntary consent at any time, for example in the case of a subscription to newsletter and marketing messages. Naturally, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The data subject must be informed of this before giving consent. We indicate this separately in Section V for each processing activity where the legal basis is voluntary consent.
Automated individual decision-making, including profiling: Article 22 of the GDPR
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
This right shall not apply where the decision:
- is necessary for entering into, or performance of, a contract between the data subject and a data controller;
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
- is based on the data subject’s explicit consent.
Within the meaning of the GDPR, “profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.
Enforcement of rights relating to personal data following the death of the data subject — Section 25 of the Info Act
In the case of processing activities falling under the GDPR, within five years following the death of the data subject, the right of access, the right to rectification, the right to erasure, the right to restriction of processing, and the right to object that the deceased was entitled to during their lifetime may be exercised by a person authorised by the data subject in a public deed or a private document of full evidentiary force, filed with the controller by way of a declaration.
In the case of processing activities not falling under the GDPR, the exercisable rights include the right of access, the right to rectification, the right to erasure, and the right to restriction of processing.
If the data subject has not made a declaration as described above, the close relatives under the Civil Code may also exercise certain rights in the absence thereof, in respect of both GDPR and non-GDPR processing activities, within five years following the death of the data subject. The close relative who first exercises this entitlement shall be entitled to enforce the data subject’s rights.
X. LEGAL REMEDIES
As a guarantee of the enforcement of the data subject’s rights, the Data Controller shall examine the request submitted by the data subject within the shortest possible time, but no later than 30 days from its submission, decide on its merits, and notify the applicant of its decision in writing (by electronic means if the request was also submitted electronically) free of charge.
If the data subject has any questions or requests regarding the processing of their personal data, we ask that when exercising their rights to information, access, rectification, restriction (blocking), erasure, withdrawal of consent, or objection, they contact our Company directly at the contact details indicated in Section II.
If we grant the request, the Data Controller or the recipients or data processors acting on our behalf or at our instruction shall rectify, erase, or restrict the processing of the personal data. In the event the request is granted, we shall also notify those recipients to whom the data was previously transferred, in order for them to carry out the rectification, erasure, or restriction of processing in respect of their own processing activities.
If we were to refuse your request, we shall inform you thereof in writing without delay, communicating, in addition to the fact of the refusal, its legal and factual grounds, and your rights.
In the event of refusal of your request, the following legal remedies are available:
- You may initiate an investigation by the Authority on the grounds that a violation of rights in connection with the processing of personal data has occurred or there is an imminent risk thereof.
- You may request the Authority to conduct a data protection official proceeding if you believe that the controller, or the data processor engaged or acting on the controller’s instructions, has violated the provisions governing the processing of personal data as set out in legislation or in a binding legal act of the European Union.
- The data subject may also turn to a court if they believe that the controller, or the data processor engaged or acting on the controller’s instructions, processes their personal data in breach of the provisions governing the processing of personal data as set out in legislation or in a binding legal act of the European Union. The data subject may also initiate proceedings before the tribunal competent according to their place of residence or place of stay.
If the court upholds the claim, it shall establish the fact of the infringement and oblige the Data Controller or the data processor acting on its instructions to:
- cease the unlawful processing operation,
- restore the lawfulness of the processing, or
- adopt specified conduct to ensure the enforcement of the data subject’s rights,
and, where necessary, shall also rule on claims for damages and non-material damages.
Any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or the controller’s data processor for the damage suffered.
Each controller involved in the processing shall be liable for the damage caused by processing which infringes the GDPR. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside or contrary to lawful instructions of the controller.
The controller or the controller’s data processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
Contact details of the Hungarian National Authority for Data Protection and Freedom of Information:
Address: 1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1363 Budapest, P.O. Box 9.
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
URL: http://naih.hu