Install our app 🪄 click on the icon in the top right of the address bar.

Privacy Policy

Created on 29 May, 2025 • 32 minutes read

Data Processing Information Notice

1. Identification of the Data Controller

The web store accessible at https://smartnevjegy.com is operated by

Smartmix Limited Liability Company

Abbreviated name: Smartmix Kft. Company registration number: 01-09-392960 Tax number: 27517183-2-43 Registered office: 1214 Budapest, Festő u. 31/b Place of business activity: 1213 Budapest, Festő u. 31/b Email address: info@smartnevjegy.hu Website: https://smartnevjegy.com

(hereinafter: Data Controller)

2. Legal Regulations Concerning Data Processing, Scope of this Notice

2.1. The Data Controller processes Users' data primarily based on the provisions of:

  1. REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); (The EU General Data Protection Regulation), (hereinafter: GDPR),
  2. Act CVIII of 2001 on electronic commerce services and certain issues related to information society services (Ekertv.)
  3. Act XLVIII of 2008 on the basic conditions and certain restrictions of economic advertising activities (Grt.).

2.2. The scope of this notice applies to data processing carried out during the use of the https://smartnevjegy.com website (hereinafter: website), the use of services available there, and the fulfillment of orders placed in the web store.

2.3. For the purposes of this notice, User means: natural persons browsing the website, using the website's services, and ordering products from the Data Controller.

3. Legal Basis for Data Processing

3.1. The legal basis for data processing performed by the Data Controller is, for certain data processing activities, the User's consent according to Article 6(1)(a) of the GDPR, and for order-related data processing, Article 6(1)(b) of the GDPR, whereby data processing is necessary for the performance of a contract to which the User is party.

3.2. For data processing based on consent, the User gives their consent by checking the checkbox before the data processing declaration placed in the relevant locations. The User can read the data processing information notice at any time by clicking on the "Data Processing Information Notice" text appearing at the bottom of every page of the website, or by clicking on the link marked "Data Processing Information Notice" in the data processing declaration mentioned in this point, thereby ensuring the User's clear and detailed prior information by the Data Controller. By checking the checkbox before the data processing declaration, the User declares that they have read the data processing information notice and, with knowledge of its content, consent to the processing of their data as described in this notice.

3.3. In certain cases, law obligates the Data Controller to perform certain data processing operations, and legitimate interest may also be a legal basis for data processing. Users can read more about these below in the chapters about individual data processing activities.

4. Data Processing Related to Ensuring Information Technology Service Operation

4.1. The Data Controller uses cookies to operate the website and collect technical data about website visitors.

4.2. The Data Controller provides a separate information notice about data processing implemented through cookies: Data Processing Information Notice on Cookie Use.

5. Data Processing Related to Receiving and Responding to Messages

5.1. Scope of those affected by data processing: Users who send messages to the Data Controller using the messaging interface accessible from the website's "Contact" menu item, or by email using the email address(es) listed on the website.

5.2. Legal basis for data processing: User's consent based on Article 6(1)(a) of the GDPR.

The User is entitled to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

5.3. Definition of the scope of processed data:

The User sending the message:

  1. name,
  2. email address,
  3. message subject,
  4. message content.

5.4. Purpose of data processing: Enabling message exchange with the Data Controller for the User.

Related services:

  1. writing messages on the website,
  2. receiving messages sent by email (using the email address(es) listed on the website),
  3. responding to messages arriving to the Data Controller through the above methods, which the Data Controller fulfills within 2 working days.

5.5. Duration of data processing: Lasts until the message is answered or the User's request is fulfilled. The Data Controller deletes data processed for this purpose after answering the message/fulfilling the request. If information exchange occurs through multiple related messages, the Data Controller deletes the data after the information exchange is completed or the request is fulfilled.

If the message exchange results in contract formation, and the message content is relevant to the contract, then the legal basis and duration of data processing follows what is described in point 10 (order-related data processing).

5.6. Method of data storage: In a separate data processing list in the Data Controller's IT system.

6. Data Processing Related to Chat Window Use

6.1. Scope of those affected by data processing: Users who send messages using the chat window found on the website.

6.2. Legal basis for data processing: User's consent based on Article 6(1)(a) of the GDPR.

The User is entitled to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

6.3. Definition of the scope of processed data:

The scope of data:

  1. name,
  2. email address,
  3. any additional data possibly communicated by the User in the message.

Regarding any additional, unnecessary data possibly communicated by the User in the message, the Data Controller only performs data processing necessarily in connection with the sent message content upon its receipt. When such unexpected personal data is communicated, the Data Controller does not store the unexpected personal data and immediately deletes it from its IT system.

6.4. Purpose of data processing: Enabling message exchange with the Data Controller for the User.

6.5. Duration of data processing: The Data Controller processes data until the purpose is achieved. Accordingly, for Users sending messages, the data processing duration lasts until the message is answered or the User's request is fulfilled. The Data Controller deletes data processed for this purpose after answering the message/fulfilling the request. If information exchange occurs through multiple related messages, the Data Controller deletes the data after the information exchange is completed or the request is fulfilled.

6.6. Method of data storage: In a separate data processing list in the Data Controller's IT system, until the end of the information exchange period.

6.7. Users can read about data processing implemented by the Messenger service provider Meta Platforms Ireland Ltd. during chat service use in the relevant data processing information notice of the provider: https://www.facebook.com/privacy/explanation/.

6.8. The Data Controller uses Meta Platforms Ireland Ltd. as a data processor in connection with chat window use. More about this can be read in Chapter 12.

7. Data Processing Related to Newsletter Sending

7.1. Those affected by data processing: Users who subscribe to the newsletter by entering their email address in the field next to "Subscribe and don't miss anything!" on the website, or by clicking the checkbox next to the newsletter subscription text during ordering.

7.2. Legal basis for data processing: User's consent based on Article 6(1)(a) of the GDPR and Sections 6(1) and (2) of the Grt. The User gives voluntary consent by checking the checkbox before the subscription declaration after filling out the newsletter subscription fields.

The User is entitled to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

The newsletter service, in addition to sending useful information, also aims at direct business acquisition by the Data Controller. Users can subscribe to this service independently of using other services. Use of this service is voluntary, based on the User's decision made after appropriate information. If the User does not use the newsletter service, this does not disadvantage them regarding website use and use of additional services. The Data Controller does not set the use of its direct business acquisition service as a condition for using any of its other services.

7.3. Definition of the scope of processed data:

  1. name,
  2. email address,

7.4. Purpose of data processing: sending newsletters by the Data Controller to the User via email. Newsletter sending means sending information about the Data Controller's services, news and current events, attention-drawing offers, advertising content and sales-promoting content.

7.5. Duration of data processing: The Data Controller processes data processed for newsletter sending until the User withdraws their consent for this purpose (unsubscribes), or until data deletion upon the User's request.

7.6. Method of data storage: In a separate data processing list in the Data Controller's IT system.

8. Data Processing Related to Registration

8.1. Scope of those affected by data processing: Users registering on the website.

8.2. Legal basis for data processing: User's consent based on Article 6(1)(a) of the GDPR. The User gives voluntary consent by clicking the "Login / Registration" button, then clicking the "REGISTRATION" button, then filling out the appearing data form and checking the checkbox before the data processing declaration, and finally clicking the "Registration" button, or by clicking the checkbox next to the registration text during the ordering process.

The User is entitled to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

8.3. Definition of the scope of processed data: For registering users, data processing affects the scope of personal data and contact information to be filled out on the above-referenced registration form.

The scope of data:

  1. last name,
  2. first name,
  3. email address,
  4. billing address,
  5. shipping address,
  6. phone number,
  7. password.

The Data Controller's system stores passwords with encryption code, as a result of which the Data Controller does not learn the User's password.

8.4. Purpose of data processing: registration on the website, facilitating regular purchasing.

Related services:

  1. creating a personal account for the User,
  2. facilitating online product ordering by storing data necessary for order fulfillment, and enabling the User to independently modify this data,
  3. storing and making previous orders accessible to the User in the user account.

8.5. Duration of data processing: For registered Users, data processing duration lasts until deletion upon the registered User's request. Data processing may also cease with the User's deletion of registration, or the Data Controller's deletion of the User's registration. The User may delete their registration at any time, or request its deletion from the Data Controller, which request the Data Controller executes immediately, but at the latest within 10 working days of the request's arrival.

8.6. Method of data storage: In a separate data processing list in the Data Controller's IT system.

9. Data Processing Related to Social Registration

9.1. Scope of those affected by data processing: Users registering on the website with a profile existing on Facebook social media.

9.2. Legal basis for data processing: User's consent based on Article 6(1)(a) of the GDPR. In case of registration with a profile existing on Facebook social media, the User gives voluntary consent by activating the relevant buttons, then approving the warning text about data transfer.

The User is entitled to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

9.3. Definition of the scope of processed data: In case of registration with a profile existing on Facebook social media, the Data Controller takes over the following data from the User's social media profile:

  1. name,
  2. email address.

9.4. Purpose of data processing: simplifying the registration process on the website for Users with Facebook profiles, and facilitating regular purchasing through registration.

Related services:

  1. creating a personal account for the User,
  2. facilitating online product ordering by storing data necessary for order fulfillment, and enabling the User to independently modify this data,
  3. storing and making previous orders accessible to the User in the user account.

9.5. Duration of data processing: For registered Users, data processing duration lasts until deletion upon the registered User's request. Data processing may also cease with the User's deletion of registration, the User's deletion of the Facebook profile used for registration, or the Data Controller's deletion of the User's registration. The User may delete their registration at any time, or request its deletion from the Data Controller, which request the Data Controller executes immediately, but at the latest within 10 working days of the request's arrival.

9.6. Method of data storage: In a separate data processing list in the Data Controller's IT system.

9.7. Users can read about data processing implemented by the Facebook service provider Meta Platforms Ireland Ltd. during Facebook profile registration in the relevant data processing information notice: https://www.facebook.com/privacy/explanation

9.8. The Data Controller uses Meta Platforms Ireland Ltd. as a data processor in connection with social registration use. More about this can be read in Chapter 12.

10. Data Processing Related to Orders

10.1. Scope of those affected by data processing: Users placing orders on the website.

10.2. Legal basis for data processing: Article 6(1)(b) of the GDPR, whereby data processing is necessary for the performance of a contract to which the User is party.

10.3. Definition of the scope of processed data: Data processing affects the scope of the following personal data and contact information.

The User's:

  1. last name
  2. first name
  3. billing address
  4. shipping address
  5. phone number
  6. email address
  7. identification of ordered product(s)
  8. purchase price of ordered product(s)
  9. method of receipt/delivery
  10. payment method
  11. any other information necessary for order fulfillment possibly provided by the User when ordering
  12. order time
  13. payment time.

10.4. Purpose of data processing: Conclusion and fulfillment of the contract arising from the order.

10.5. Duration of data processing: The Data Controller processes the above data processed for order fulfillment for the time necessary to fulfill the document retention obligation arising from accounting law. This time is at least 8 years from invoice issuance according to accounting law, after which the Data Controller deletes the data within one year. This scope includes data appearing on invoices (name, address, data regarding ordered products and payment of their price), and in some cases additional data appearing in orders and confirmations as part of contractual documentation.

During delivery necessary for order fulfillment, processing of necessary data (name, shipping address, phone number) for this purpose lasts until delivery fulfillment. When forwarding data necessary for delivery fulfillment to the delivery company, the Data Controller applies data processing restrictions, whereby the delivery company may process forwarded data only to the extent and for the time necessary for delivery fulfillment.

However, the delivery company's legitimate interest may be to retain the above data or parts thereof for a certain time in case of possible complaints, claims, civil law disputes. However, this is already done as an independent Data Controller; Users can read more detailed information about this in the given provider's data processing information notice. Such service providers used by the Data Controller can be found in the "Use of Data Processor" chapter of this notice, where the accessibility of their website containing their data processing information notice is also indicated.

Any additional data processed during ordering – e.g., essential content messages between the User and Data Controller regarding the order – are processed by the Data Controller until 5 years from contract conclusion – the general limitation period applicable to civil law claims – expire.

10.6. Method of data storage: In a separate data processing list in the Data Controller's IT system, and data necessary for proper accounting on accounting documents to fulfill the document retention obligation prescribed by the accounting law.

11. Data Processing Related to Refunds

11.1. In case of monetary refund, if the User paid with an online bank card or other online payment service, the amount they paid is refunded through the payment service provider used. If the User paid by bank transfer or requests refund this way, the Data Controller transfers the amount back to them.

11.2. Scope of those affected by data processing: Users placing orders affected by monetary refund.

11.3. Legal basis for data processing: Fulfillment of legal obligation applicable to the Data Controller based on Article 6(1)(c) of the GDPR.

11.4. Scope of processed data:

  1. order identification number,
  2. amount to be refunded,
  3. legal title of refund,
  4. User's name,
  5. if the User paid by bank transfer or requests refund by transfer to their bank account, then the bank account number.

11.5. Purpose of data processing: in case of warranty right, withdrawal right, guarantee-related right exercise, fulfillment of obligations determined in Act V of 2013 on the Civil Code, or in Section 23(1) of Government Decree 45/2014 (II. 26.) on detailed rules of contracts between consumers and businesses, or in Sections 5(5), (6), and (7) of Government Decree 151/2003 (IX. 22.) on mandatory guarantee for certain durable consumer goods, depending on the legal title of refund.

11.6. Duration of data processing: Part of the above data processed for refund is processed by the Data Controller for the time necessary to fulfill the document retention obligation arising from accounting law. This time is at least 8 years from document issuance according to accounting law, after which the Data Controller deletes the data within one year. This scope primarily includes data appearing on documents (name, address, data regarding products affected by refund, refunded amount).

Any additional data processed during ordering that do not fall under the concept of accounting documents (e.g., essential content messages between the User and Data Controller regarding refund) are processed by the Data Controller until the limitation period for claims arising from the contractual relationship expires – which is basically 5 years from refund – expires. Interruption of limitation extends the data processing duration until the new time of limitation occurrence.

11.7. Method of data storage: In a separate data processing list in the Data Controller's IT system, and data necessary for proper accounting on accounting documents to fulfill the document retention obligation prescribed by accounting law.

12. Data Transfer

12.1. Scope of those affected by data transfer: Users choosing online payment method during ordering on the website, independently of using other services provided by the website.

12.2. Data transfer recipient:

Stripe Payments Europe Ltd. Stripe Payments Europe Limited C/O A&L Goodbody, Ifsc, North Wall Quay Dublin 1., Dublin 1, Dublin Website: www.stripe.com Email: info@stripe.com

as the provider of online bank card payment service available on the Data Controller's website.

12.3. Legal basis for data transfer: Recipient's legitimate interest based on Article 6(1)(f) of the GDPR.

The Recipient is obligated based on applicable laws to operate a fraud prevention and detection system in connection with providing payment services, and is entitled to process personal data necessary for this. The Recipient has established a system compliant with its legal obligation, for whose operation data transfer by the Data Controller is necessary. Accordingly, it is the Recipient's legitimate interest to be able to operate the fraud prevention and detection system to fulfill its legal obligation. Referenced legal provisions applicable to the Recipient:

  1. Section 165(5) of Act CCXXXVII of 2013 on credit institutions and financial enterprises,
  2. Point f) of Section 92/A(3) of Act CCXXXV of 2013 on certain payment service providers,
  3. Point v) of Section 14(1) of Act LXXXV of 2009 on providing payment services.

The legitimate interest of the Data Controller and Recipient is fraud prevention, ensuring proper operation of online payments. The proper operation of payment services is connected to the main revenue source of both organizations. Additionally, this is also in the User's interest, especially avoiding misuse of bank card data.

Data transfer enables filtering out fraud, detection and elimination of obstacles possibly arising during the payment process.

Data are transferred from the scope of User data processed during booking/ordering through electronic channels ensuring encrypted data traffic, exclusively to the Recipient and only when online bank card payment occurs, which the Recipient does not use for other purposes. From all this it follows that data transfer does not carry significant risk for the User and does not have additional perceptible effect on them.

Data transfer is necessary to achieve the purposes described here and is also suitable for making payment services more secure.

Considering the above and built-in guarantee measures, data transfer does not represent an unjustified level of intervention in Users' private life, therefore data transfer is a necessary and proportionate data processing operation.

Separate documentation was prepared about the balance of interests, about whose accessibility the User can inquire from the Data Controller.

12.4. Scope of transferred data:

  1. products placed in cart during purchase and purchase data appearing in cart (prices, costs),
  2. last name,
  3. first name,
  4. phone number,
  5. email address,
  6. address,
  7. unique transaction identifier.

Bank card data provided during payment are given by the User directly to the payment service provider, so they do not come into the Data Controller's possession.

12.5. Purpose of data transfer: Proper operation of payment service and technical execution of payment, confirmation of transactions, operation of fraud-monitoring system – fraud detection system supporting control of electronically initiated bank transactions – performed to protect users' interests, and providing customer service assistance to the User.

12.6. Users can obtain more detailed information about data processing implemented by Stripe Payments Europe Ltd., further circumstances of data processing – including its legal basis, purpose, exact scope of processed data, duration of data processing – at https://www.paypal.com/hu/webapps/mpp/ua/privacy-full, and also at https://paylike.hu/privacy/.

12.7. The Data Controller does not transfer data to third parties for business or marketing purposes.

12.8. Apart from the above case, the Data Controller only transfers data to authorities in case of legal obligation.

13. Use of Data Processor

The Data Controller uses the following business organizations as data processors.

13.1. Web Hosting Service Provider

13.1.1. Scope of those affected by data processing: Users visiting the website independently of using services provided by the website.

13.1.2. The Data Controller uses as data processor

Nethely Kft. 1115 Budapest, Halmi u. 29. tax number: 23358005-2-43.

as web hosting service provider (hereinafter: Data Processor).

13.1.3. Definition of scope of data affected by data processing: Data processing affects all data indicated in this notice.

13.1.4. Purpose of data processing: Ensuring the website's operation in information technology terms.

13.1.5. Duration of data processing: Matches the data processing durations indicated in this notice for data processing regulated according to data processing purposes affecting individual data scopes.

13.1.6. Nature of data processing: Data processing means exclusively providing storage space necessary for operating the website in information technology terms.

13.2. Data Processing Related to Newsletter Sending

13.2.1. Scope of those affected by data processing: Users subscribing to newsletter on the website independently of using other services provided by the website.

13.2.2. The Data Controller uses as data processor

Nethely Kft. 1115 Budapest, Halmi u. 29. tax number: 23358005-2-43.

as developer and maintainer of newsletter sending software used by the Data Controller (hereinafter: Data Processor).

13.2.3. Definition of scope of data affected by data processing: Data processing affects the name and email address of Users subscribing to newsletter.

13.2.4. Purpose of data processing: Ensuring the operation of software used by the Data Controller for newsletter sending in information technology terms, through data processing manifested in technical operations necessary for secure software operation.

13.2.5. Duration of data processing: Until the User withdraws their consent for newsletter sending (unsubscribes), or until data deletion upon the User's request.

13.2.6. Nature of data processing: Data processing means exclusively technical operations necessary for operating newsletter sending software in information technology terms.

13.3. Providing Chat Window Service

13.3.1. Scope of those affected by data processing: Affected persons indicated in this notice who contact the Data Controller using the chat window embedded in the website.

13.3.2. The Data Controller uses as data processor

Meta Platforms Ireland Ltd. (Facebook) Company registration number: 462932 Tax number: IE 9692928F Registered office: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland Business premises: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland Postal address: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland Phone: +001 650 543 4800 Message: https://facebook.com/help/contact/540977946302970 Website: https://www.facebook.com/privacy/explanation

as the provider of chat window messaging application (hereinafter: Data Processor).

13.3.3. Definition of scope of data affected by data processing: primarily the affected person's name and email address and password, secondarily additional data sent by the Affected Person in chat messages.

13.3.4. Purpose of data processing: Providing storage space and software necessary for messaging application operation.

13.3.5. Duration of data processing: The Data Controller processes data until the purpose is achieved. Accordingly, for Users sending messages, data processing duration lasts until the message is answered or the User's request is fulfilled. The Data Controller deletes data processed for this purpose after answering the message/fulfilling the request. If information exchange occurs through multiple related messages, the Data Controller deletes the data after the information exchange is completed or the request is fulfilled.

13.3.6. Nature of data processing: Data processing occurs electronically, meaning provision of electronic storage space and messaging software.

13.4. Data Processing Related to Social Registration

13.4.1. Scope of those affected by data processing: Users registering on the website with profiles existing on Facebook social media.

13.4.2. The Data Controller uses as data processor

Meta Platforms Ireland Ltd. (Facebook) Company registration number: 462932 Tax number: IE 9692928F Registered office: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland Business premises: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland Postal address: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland Phone: +001 650 543 4800 Message: https://facebook.com/help/contact/540977946302970 Website: https://www.facebook.com/privacy/explanation

as developer and maintainer of the website used by the Data Controller for social registration (hereinafter: Data Processor).

13.4.3. Definition of scope of data affected by data processing: Data processing affects the name and email address of Users registering with profiles existing on Facebook social media.

13.4.4. Purpose of data processing: registration on the website, facilitating regular purchasing.

13.4.5. Duration of data processing: For registered Users, data processing duration lasts until deletion upon the registered User's request. Data processing may also cease with the User's deletion of registration, the User's deletion of the Facebook profile used for registration, or the Data Controller's deletion of the User's registration. The User may delete their registration at any time, or request its deletion from the Data Controller, which request the Data Controller executes immediately, but at the latest within 10 working days of the request's arrival.

13.4.6. Nature of data processing: Data processing occurs electronically and means exclusively user identification based on data transferred during the Facebook profile registration process and during subsequent logins with Facebook profile.

13.5. Data Processing Related to Product Delivery

13.5.1. Scope of those affected by data processing: Users placing orders in the web store.

13.5.2. The Data Controller uses as data processors

Magyar Posta Zártkörűen Működő Részvénytársaság Registered office: 1138 Budapest, Dunavirág utca 2-6. Phone: +36-1/767-8200 Email: ugyfelszolgalat@posta.hu Website: posta.hu

and

GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. Registered office: 2351 Alsónémedi, GLS Európa u. 2. Phone: 06-29-88-67-00 Email: info@gls-hungary.com Website: https://gls-group.eu/HU/hu/home

and

FoxPost Zártkörűen Működő Részvénytársaság Registered office: 3200 Gyöngyös, Batsányi János utca 9. Phone: +36 1/999-0-369 Email: info@foxpost.hu Website: foxpost.hu

business organizations delivering ordered products to the address provided by the User during ordering (hereinafter: Data Processor).

13.5.3. Definition of scope of data affected by data processing: Data processing affects the following data of the User for the purpose of fulfilling the contract arising from the User's order (executing delivery):

  1. last name
  2. first name
  3. phone number
  4. shipping address.

13.5.4. Purpose of data processing: executing delivery of ordered products within the framework of fulfilling the contract arising from the User's order, by delivering to the address designated by the User, with phone consultation about the place and time of delivery if necessary.

13.5.5. Duration of data processing: lasts for the time necessary to fulfill delivery and handover.

13.5.6. Nature of data processing: Data processing means exclusively data processing operations necessary to fulfill delivery and handover.

13.6. Data Processing Related to Outsourced Logistics Service

13.6.1. Scope of those affected by data processing: Users ordering products on the website.

13.6.2. The Data Controller uses as data processor

Studio Present Kft. 6726 Szeged, Vedres u. 13. 1/2. smartpierre.hu Phone: +3615858500

business organization providing outsourced logistics service for ordered products (hereinafter: Data Processor).

13.6.3. Definition of scope of data affected by data processing: Data processing affects the following data of the User for the purpose of fulfilling the contract arising from the User's order:

The User's:

  1. last name
  2. first name
  3. billing address
  4. phone number
  5. email address
  6. shipping address
  7. identification of ordered product(s)
  8. purchase price of ordered product(s)
  9. method of receipt/delivery
  10. payment method
  11. any other information necessary for order fulfillment possibly provided by the User when ordering
  12. order time
  13. payment time.

13.6.4. Purpose of data processing: Conclusion and fulfillment of the contract arising from the order.

13.6.5. Duration of data processing: lasts for the time necessary to fulfill delivery and handover.

13.6.6. Nature of data processing: Data processing means exclusively data processing operations necessary to fulfill delivery and handover.

13.7. Data Processing Related to Accounting Service

13.7.1. Scope of those affected by data processing: Users placing orders.

13.7.2. The Data Controller uses as data processor

Auditron Korlátolt Felelősségű Társaság registered office: 1214 Budapest, Vénusz utca 7. fszt. 1. represented by: Kántor Dezső phone: +36 20 934 0350 email: dk@auditron.hu website: https://auditron.hu

business organization as the Data Controller's economic activity accountant (hereinafter: Data Processor).

13.7.3. Definition of scope of data affected by data processing: Data processing affects data appearing on documents containing the name and address of the User placing the order, identification of ordered item(s), purchase time and purchase price, shipping fee and any other fees.

13.7.4. Purpose of data processing: Fulfillment of accounting obligations prescribed by law regarding the Data Controller's economic activity through using the above Data Processor's service.

13.7.5. Duration of data processing: lasts at most for the time necessary to fulfill document retention obligation arising from accounting law – until deletion occurring in the year following the 8th year from invoice issuance.

13.7.6. Nature of data processing: data processing means exclusively operations necessary to fulfill and check accounting obligations, performed by the data processor through handling paper data carriers and digital data managed in software.

13.8. Data Processing Related to Invoice Generation

13.8.1. Scope of those affected by data processing: Users placing orders on the website independently of using other services provided by the website.

13.8.2. The Data Controller uses as data processor

Billingo Technologies Zrt. Registered office: 1133 Budapest, Árbóc utca 6. I. floor Company registration number: 01-10-140802, registered by the Metropolitan Court as commercial court Tax number: 27926309-2-41 Community tax number: HU27926309

business organization as developer and maintainer of invoicing software used by the Data Controller (hereinafter: Data Processor).

13.8.3. Definition of scope of data affected by data processing: Data processing affects documents containing the name and address of the user placing the order, identification of ordered item(s) and/or service(s), purchase time and purchase price, shipping fee and any other fees.

13.8.4. Purpose of data processing: Ensuring the operation of software used by the Data Controller for invoice issuance in information technology terms, through data processing manifested in technical operations necessary for secure software operation.

13.8.5. Duration of data processing: lasts for the time necessary to fulfill document retention obligation arising from accounting law – for 8 years from invoice issuance.

13.8.6. Nature of data processing: Data processing means exclusively technical operations necessary for operating software used for invoice issuance in information technology terms.

13.9. Data processing does not occur for other purposes.

13.10. The Data Controller does not use other data processors apart from the Data Processors indicated above and in the "Information Notice on Cookie Use" document.

14. User's Rights Related to Data Processing

14.1. Right of access: Upon the User's request, the Data Controller provides information about the User's data processed by them or processed by Data Processor commissioned by them or under their instruction, their source, purpose of data processing, legal basis, duration, name and address of Data Processor and activities related to data processing, circumstances of any data protection incident that occurred, its effects and measures taken to remedy it, and – in case of transfer of the affected person's personal data – the legal basis and recipient of data transfer. The Data Controller provides the information without undue delay, but at the latest within one month of receiving the request.

Within the framework of the right of access, the Data Controller makes available to the User a copy of personal data that are the subject of data processing, at the latest within one month of receiving the request. For additional copies requested by the User, the Data Controller may charge a reasonable fee based on administrative costs (according to point 15).

14.2. Right to data portability: The User is entitled to receive personal data concerning them, which they provided to the Data Controller, in a structured, commonly used, machine-readable format, and is entitled to transmit this data to another data controller without hindrance from the data controller to whom the personal data were provided, if:

a) the data processing is based on the User's consent or contract; and b) the data processing is carried out by automated means.

When exercising the right to data portability as described above, the User is entitled to request – if technically feasible – direct transmission of personal data between data controllers.

14.3. Right to rectification: The User may request rectification of their processed data, which the Data Controller fulfills without undue delay, but at the latest within one month of receiving the request. Taking into account the purpose of data processing, the User is entitled to request completion of incomplete personal data – including by means of providing a supplementary statement.

14.4. Right to restriction of processing: The Data Controller marks personal data processed by them for the purpose of restricting data processing. The User is entitled to request that the Data Controller restrict data processing if any of the following applies:

a) the User contests the accuracy of personal data, in which case the restriction applies for a period enabling the Data Controller to verify the accuracy of personal data; b) the data processing is unlawful and the User opposes data deletion and instead requests restriction of their use; c) the Data Controller no longer needs personal data for data processing purposes, but the affected person requires them for the establishment, exercise or defense of legal claims; or d) the User has objected to data processing based on the Data Controller's legitimate interest; in this case, the restriction applies for the period until it is established whether the Data Controller's legitimate grounds override the affected person's legitimate grounds.

14.5. Right to erasure: The Data Controller erases personal data if:

a) the personal data are no longer necessary for the purpose for which they were collected or otherwise processed; b) the User withdraws consent on which data processing is based, and there is no other legal basis for data processing; c) the User objects to data processing and there is no overriding legitimate reason for data processing, or the User objects to data processing for direct marketing purposes; d) the personal data have been unlawfully processed; e) the personal data must be erased to comply with a legal obligation under Union or Member State law applicable to the data controller; f) the User requests deletion or objects to data processing, and personal data were collected in relation to offering information society services directly to children.

The Data Controller notifies the affected User and all data controllers to whom the data were previously transmitted about rectification, restriction and erasure. Notification may be omitted if it proves impossible or would require disproportionate effort. Upon request, the Data Controller informs the User about these recipients.

14.6. Right to object: The User is entitled to object at any time, on grounds relating to their particular situation, to processing of their personal data based on the Data Controller's legitimate interest. In this case, the data controller shall not process personal data further unless the data controller demonstrates compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

15. Fulfillment of User Requests

15.1. The Data Controller provides information and measures according to point 14 free of charge. If the affected User's request is clearly unfounded or excessive – particularly because of its repetitive character – the Data Controller may, taking into account administrative costs of providing the requested information or taking the requested measure:

a) charge a reasonable fee, or b) refuse to act on the request.

15.2. The Data Controller informs the User about measures taken following the request without undue delay, but at the latest within one month of receiving the request, including issuing data copies. If necessary, taking into account the complexity of the request and number of requests, this deadline may be extended by a further two months. The Data Controller informs the User about the deadline extension, indicating reasons for delay, within one month of receiving the request. If the affected User submitted the request electronically, the Data Controller provides information electronically, unless the affected User requests otherwise.

15.3. If the Data Controller does not take action on the affected User's request, they inform the affected person without delay, but at the latest within one month of receiving the request, about reasons for inaction and that the affected User may lodge a complaint with the supervisory authority indicated in point 17, and may exercise their judicial remedy right as described there.

15.4. Users may submit their requests to the Data Controller in any way that enables their identification. Identifying the User submitting the request is necessary because the Data Controller can only fulfill requests to those entitled. If the Data Controller has reasonable doubts concerning the identity of the natural person submitting the request, they may request provision of additional information necessary to confirm the affected User's identity.

15.5. Users may send their requests by post to the Data Controller's address at 1213 Budapest, Festő u. 31/b., or by email to info@smartnevjegy.hu. The Data Controller only considers requests sent by email authentic if they are sent from the User's email address provided to and registered with the Data Controller; however, using another email address does not mean ignoring the request. For emails, the time of receipt should be considered the first working day following sending.

16. Data Protection, Data Security

16.1. Within the scope of its data processing and data processing activities, the Data Controller ensures data security, and through technical and organizational measures and internal procedural rules, ensures enforcement of legal regulations and other data and confidentiality protection rules. With appropriate measures, it protects processed data especially against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage, and inaccessibility resulting from changes in applied technology.

16.2. The Data Controller's IT system records data serving as basis for measuring traffic and mapping website usage habits in such a way from the beginning that they cannot be directly connected to any person.

16.3. Data processing occurs only for the purpose of achieving lawful purposes determined in this notice, to the extent necessary and proportionate, based on applicable legal regulations and recommendations, with appropriate security measures.

16.4. For this purpose, the Data Controller uses "https" scheme http protocol for website access, with which web communication can be encrypted and uniquely identified. In addition, in accordance with the above, the Data Controller stores processed data in data processing lists separated by data processing purpose, recorded in the form of encrypted data files, which can be accessed by the Data Controller's designated employees – performing tasks related to activities indicated in this notice – whose job responsibility is data protection and responsible processing in accordance with this notice and applicable legal regulations.

16.5. The Data Controller's system stores passwords with encryption code, as a result of which the Data Controller does not learn the User's password.

17. Legal Enforcement

Affected persons may exercise their legal enforcement possibilities before courts and may turn to the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information Address: 1055 Budapest, Falk Miksa utca 9-11. Postal address: 1363 Budapest, P.O. Box 9. Phone: +36 1 391 1400 Fax: +36 1 391 1410 Email: ugyfelszolgalat@naih.hu Website: http://www.naih.hu/

When choosing the court route, the lawsuit may also be initiated – at the affected User's choice – before the regional court according to the affected person's residence or place of stay, since lawsuit adjudication falls under regional court jurisdiction.

Effective Date: 2024.01.09.

Smartmix Kft.