Adatkezelési tájékoztató

GDPR

Valid: from February 18, 2025, until revoked.

Introduction

Yuva Kft. (7696 Hidas, Dózsa György Street 12, tax number: 13265302-2-02, company registration number: 0209069382) (hereinafter referred to as: Service Provider, Data Controller) hereby submits to the following regulations: In accordance with the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the European Parliament and the Council Regulation (EU) 2016/679 of 27 April 2016, we provide the following information. This data protection policy governs the data processing of the following websites/mobile applications: https://chimax.hu The data processing information is available at the following address: https://chimax.hu/adatvedelem Changes to this policy will come into effect upon publication at the above address. Data Controller and Contact Information Name: Yuva Kft. Headquarters: 7696 Hidas, Dózsa György Street 12 E-mail: yuva.iroda@gmail.com Phone: +36205820566

Conceptual Definitions

"Personal data": any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; "Data processing": any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; "Data controller": the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; "Data processor": a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; "Recipient": a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing; "Consent of the data subject": any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; "Data breach": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; "Profiling": any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Principles for Processing Personal Data

Personal data must be processed in a lawful, fair and transparent manner in relation to the data subject ("lawfulness, fairness and transparency"); collection must be for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes in accordance with Article 89(1) ("purpose limitation"); processing must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation"); must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy"); storage must be in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the processing is for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ("storage limitation"); must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality"). The data controller is responsible for ensuring compliance with the above and must be able to demonstrate compliance ("accountability"). The data controller declares that its data processing complies with the principles outlined in this point.

Scope of Processed Data and Purpose of Data Processing

1. Data Collected: Contact Information: name, email address, message content. Technical Data: IP address, browser type, visit time (via cookies). Data Collected During Contests: name, email address, phone number, address (for prize delivery). 2. Scope of Data Subjects: All registered/purchasing users on the webshop. Neither the username nor the email address needs to contain personal data. 3. Duration of Data Processing, Deadline for Data Deletion: If any of the conditions in Article 17(1) of the GDPR are met, data will be kept until the data subject requests deletion. The data controller will inform the data subject electronically about any deletion of personal data provided by them, as per Article 19 of the GDPR. If the deletion request includes the email address provided by the data subject, the data controller will delete the email address after notification. However, accounting documents must be retained for 8 years as per Section 169(2) of Act C of 2000 on Accounting. Contractual data of the data subject can be deleted after the civil law statute of limitations expires upon the data subject's request. Accounting documents directly and indirectly supporting bookkeeping must be stored in a readable format for at least 8 years, in a way that allows retrieval based on bookkeeping records. 4. Possible Data Controllers and Recipients of Personal Data: Personal data may be processed by the data controller and authorized employees, respecting the above principles. 5. Rights of Data Subjects Regarding Data Processing: The data subject may request access to, correction of, deletion of, or restriction of processing of their personal data from the data controller. The data subject has the right to data portability and to withdraw consent at any time. 6. How Data Subjects Can Exercise Their Rights: By post at 7696 Hidas, Dózsa György Street 12, By email at yuva.iroda@gmail.com, By phone at +36205820566. 7. Legal Basis for Data Processing: Article 6(1)(b) of the GDPR, Section 13/A(3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce and Information Society Services (hereinafter referred to as the "Elker tv."): The service provider may process personal data necessary for providing the service. The service provider must choose and operate tools used in providing information society services so that personal data are processed only when necessary for the service and other purposes defined by this Act, but only to the extent and duration necessary. In the case of issuing invoices in compliance with accounting regulations, Article 6(1)(c) applies. For enforcing contractual claims, Section 6:22 of Act V of 2013 on the Civil Code applies, allowing a 5-year period. 6:22. § [Prescription] (1) Unless otherwise provided by this Act, claims prescribe in five years. (2) Prescription begins when the claim becomes due. (3) An agreement to modify the prescription period must be in writing. (4) An agreement excluding prescription is null and void. 8. Information: Data processing is necessary for contract fulfillment and offer submission. You are obliged to provide personal data so we can process your order. Failure to provide data results in the inability to process your order.

Use of Google Ads Conversion Tracking

The data controller uses the online advertising program called "Google Ads" and utilizes the Google conversion tracking service within its framework. Google conversion tracking is an analytical service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). When a user accesses a website via a Google ad, a cookie necessary for conversion tracking is placed on their computer. These cookies have limited validity and do not contain any personal data, so the user cannot be identified by them. When the user browses certain pages of the website and the cookie has not yet expired, both Google and the data controller can see that the user clicked on the ad. Each Google Ads customer receives a different cookie, so users cannot be tracked across the websites of Ads customers. The information obtained through conversion tracking cookies serves the purpose of creating conversion statistics for clients who have chosen conversion tracking. Clients can thus learn about the number of users who clicked on their ads and were redirected to pages tagged with a conversion tracking label. However, they do not gain access to information that could identify any user. If you do not wish to participate in conversion tracking, you can opt out by disabling the installation of cookies in your browser. After this, you will not be included in conversion tracking statistics. Based on Google Consent Mode v2, Google also uses two new types of cookies: ad_user_data and ad_personalization, which are based on user consent and relate to data use and sharing. The ad_user_data cookie is used for users to provide consent for Google to use their data for advertising purposes. The ad_personalization cookie regulates whether data can be used for personalizing ads (e.g., remarketing). The data controller ensures that appropriate consents are obtained and can be withdrawn through the cookie banner/panel. Withdrawing consent does not affect the lawfulness of data processing based on consent prior to withdrawal. For more information and Google's privacy statement, visit: https://policies.google.com/privacy

Use of Google Analytics

This website uses the Google Analytics application, which is a web analytics service provided by Google Inc. ("Google"). Google Analytics uses so-called "cookies," text files that are stored on your computer, enabling the analysis of your use of the website. The information generated by cookies about your use of this website is usually transmitted to and stored on a Google server in the United States. With the activation of IP anonymization on this website, Google will truncate your IP address within the member states of the European Union or other parties to the Agreement on the European Economic Area before transmission. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity, and to provide other services related to website and internet use. Within the scope of Google Analytics, your browser's transmitted IP address will not be associated with any other data held by Google. You can prevent the storage of cookies by adjusting your browser settings; however, please note that in this case, you may not be able to use all functions of this website fully. You can also prevent Google from collecting and processing the data generated by cookies (including your IP address) by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=hu

Newsletter, Direct Marketing Activities Based on Consent

1. Newsletter and Direct Marketing Activities Based on Consent Pursuant to Section 6 of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities, the User may give prior and explicit consent to being contacted by the Service Provider at the contact details provided during registration with advertising offers and other communications. 2. Furthermore, the Client may consent to the Service Provider processing their personal data necessary for sending advertising offers, considering the provisions of this information. 3. The Service Provider does not send unsolicited advertising messages, and the User can unsubscribe from receiving offers without restriction or justification, free of charge. In this case, the Service Provider will delete all personal data necessary for sending advertising messages from its records and will not contact the User with further advertising offers. The User can unsubscribe from advertisements by clicking on the link in the message. 4. The fact of data collection, the scope of processed data, and the purpose of data processing: Personal Data: Name, email address. Purpose of Data Processing: Identification, enabling subscription to newsletters/promotional coupons. Legal Basis: Consent of the data subject, Article 6(1)(a), and Section 6(5) of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities. Date of Subscription: Technical operation execution. IP Address at Subscription: Technical operation execution. 5. Scope of data subjects: All individuals subscribing to the newsletter. 6. Purpose of data processing: Sending electronic messages containing advertisements (email, SMS, push notifications) to inform about current information, products, promotions, new features, etc. 7. Duration of data processing, deadline for data deletion: Data processing continues until consent is withdrawn (unsubscribed, upon request for deletion by the data subject), or until the newsletter ceases to exist. 8. Possible data controllers and recipients of personal data: Personal data may be processed by the data controller and its sales and marketing employees, respecting the above principles. 9. Rights of data subjects regarding data processing: The data subject may request access to, correction of, deletion of, or restriction of processing of their personal data from the data controller. The data subject has the right to object to the processing of their personal data and the right to data portability, as well as the right to withdraw consent at any time. 10. The data subject can exercise their rights regarding access to, deletion of, modification of, or restriction of processing of personal data, data portability, or objection through the following means: By post at 7696 Hidas, Dózsa György Street 12, By email at yuva.iroda@gmail.com, By phone at +36205820566. 11. The data subject can unsubscribe from the newsletter at any time, free of charge. 12. We inform you that: Data processing is based on your consent. You are required to provide personal data if you wish to receive a newsletter from us. Failure to provide data results in the inability to send you a newsletter. You can withdraw your consent at any time by unsubscribing. Withdrawing consent does not affect the lawfulness of data processing based on consent prior to withdrawal.

Complaint Handling

1. Fact of Data Collection, Scope of Processed Data, and Purpose of Data Processing Personal Data: First and last name. Purpose: Identification, communication. Legal Basis: Article 6(1)(c) (relevant legal obligation: Section 17/A(7) of Act CLV of 1997 on Consumer Protection). Personal Data: Email address, phone number. Purpose: Communication. Legal Basis: Article 6(1)(c) (relevant legal obligation: Section 17/A(7) of Act CLV of 1997 on Consumer Protection). 2. Scope of Data Subjects: All individuals who purchase on the website and make quality complaints or file complaints. 3. Duration of Data Processing, Deadline for Data Deletion: The minutes, transcripts, and copies of responses regarding complaints must be retained for 3 years based on Section 17/A(7) of Act CLV of 1997 on Consumer Protection. 4. Possible Data Controllers and Recipients of Personal Data: Personal data may be processed by the data controller and authorized employees, respecting the above principles. 5. Rights of Data Subjects Regarding Data Processing: The data subject may request access to, correction of, deletion of, or restriction of processing of their personal data from the data controller. The data subject has the right to data portability and to withdraw consent at any time. 6. How Data Subjects Can Exercise Their Rights: By post at 7696 Hidas, Dózsa György Street 12, By email at yuva.iroda@gmail.com, By phone at +36205820566. 7. Information: Providing personal data is based on a legal obligation. Processing personal data is a prerequisite for concluding a contract. You are required to provide personal data so we can handle your complaint. Failure to provide data results in the inability to process your complaint.

Recipients with Whom Personal Data Are Shared

Our company is located on the Wix.com platform. Wix.com provides us with the online platform that enables us to sell our products and services to you. Your data may be stored in Wix.com's data storage, databases, and general Wix.com applications. Your data is stored on secure servers behind a firewall.

Social Media and Meta Data

1. Fact of Data Collection, Scope of Processed Data Personal Data: Registered name on social media platforms like Twitter, Pinterest, YouTube, Instagram, TikTok, LinkedIn, and the user's public profile picture. Scope of Data Subjects: All individuals who have registered on these social media platforms and have "liked" the Service Provider's social media page or contacted the data controller through the platform. 2. Purpose of Data Processing The purpose of data processing is to share and promote certain content elements, products, or actions of the website on social media platforms. 3. Duration of Data Processing, Deadline for Data Deletion, Possible Data Controllers, and Rights of Data Subjects The data processing occurs on social media platforms, so the duration and method of data processing, as well as deletion and modification options, are governed by the rules of the respective social media platforms. The legal basis for data processing is the voluntary consent of the data subject to process their personal data on social media platforms. Facebook / Meta Joint Data Processing The data controller has a Facebook profile. Statistical data processing on the Facebook social media platform is a joint data processing activity between the data controller and Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Ireland). Details about the joint data processing agreement can be found in the Facebook Page Insights data processing supplement, available at: https://www.facebook.com/legal/terms/page_controller_addendum The data controller communicates via private messages on social media only if you contact us there. 1. Categories of Data Subjects Individuals who have registered on social media and "liked" the data controller's profile page. Individuals who contact the data controller via private messages on social media. 2. Purpose of Data Processing The purpose of data processing is to share and promote the data controller's activities and services on the Facebook social media platform. The data subject's data provided in private messages can be used by the data controller to respond to the message; otherwise, the data controller does not collect data from social media platforms. 3. Legal Basis for Data Processing Data processing is based on Article 6(1)(a) of the GDPR, with the legal basis being the consent of the data subject to process their personal data on the Facebook social media platform. 4. Scope of Processed Data Registered name of the data subject. Public profile picture of the user. Other public data shared by the data subject on social media. 5. Source of Processed Data The source of the processed data is the data subject. 6. Withdrawal of Consent You can withdraw your consent to data processing at any time by deleting your post or comment. Data processing occurs through social media platforms operated by third parties. If you withdraw your consent, the data controller will delete the conversation with you. Withdrawing consent does not affect the lawfulness of data processing based on consent prior to withdrawal. Access to, Deletion of, Modification of, or Restriction of Processing of Personal Data, Data Portability By post at 7696 Hidas, Dózsa György Street 12, By email at yuva.iroda@gmail.com, By phone at +36205820566. 7. Duration of Data Processing Until the data subject withdraws their consent. If there is a message exchange, for up to 2 years. 8. Transfer of Personal Data, Recipients, and Categories of Recipients The concept of a recipient is defined in Article 4(9) of the GDPR. The data controller only transfers personal data to state bodies, authorities (such as courts, prosecutors, investigative authorities, and public order authorities, and the National Authority for Data Protection and Freedom of Information) in exceptional cases and based on legal obligations. 9. Consequences of Failure to Provide Data If data is not provided, the data subject cannot be informed about the data controller's activities and services through the Facebook social media platform, nor can they send messages via Facebook Messenger. 10. Automated Decision-Making (Including Profiling) There is no automated decision-making, including profiling, during data processing. 11. Joint Data Processing Agreement with Facebook Ireland Ltd. The Page Insights feature displays aggregated data that shows how users interact with the Facebook page. Facebook Ireland Limited ("Facebook Ireland") and the data controller are joint data controllers for the processing of analytical data. The Page Insights supplement defines the responsibilities of Facebook and the data controller regarding the processing of analytical data. Facebook Ireland assumes primary responsibility under the GDPR for the processing of analytical data and ensures compliance with all relevant GDPR obligations. Facebook Ireland also makes the summary of the Page Insights supplement available to all data subjects. The data controller ensures that it has an appropriate legal basis for processing analytical data, identifies the page data controller, and complies with all other relevant legal obligations. Facebook Ireland is solely responsible for the processing of personal data related to the Page Insights feature, except for data covered by the Page Insights supplement. The Page Insights supplement does not grant the data controller the right to request personal data of Facebook users processed by Facebook Ireland, including page analytics data. The data controller cannot act on behalf of Facebook Ireland in responding to data protection inquiries.

Customer Relationships and Other Data Processing

If any questions arise or issues occur while using our services, the data subject can contact the data controller through the methods provided on the website (phone, email, social media, etc.). The data controller deletes emails, messages, and data provided via phone or Meta, along with the inquirer's name, email address, and any other voluntarily provided personal data, within two years from the date of data submission. For data processing activities not listed in this information, we provide information at the time of data collection. In exceptional cases of official inquiries or requests from other bodies authorized by law, the Service Provider is obligated to provide information, disclose data, transfer data, or make documents available. In these cases, the Service Provider provides personal data to the inquiring party—provided they have specified the precise purpose and scope of the data—only to the extent necessary to fulfill the purpose of the inquiry.

Rights of Data Subjects

1. Right of Access You have the right to obtain confirmation from the data controller as to whether or not personal data concerning you are being processed, and, if so, access to the personal data and the information listed in the regulation. 2. Right to Rectification You have the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement. 3. Right to Erasure You have the right to obtain from the data controller the erasure of personal data concerning you without undue delay, and the data controller shall have the obligation to erase personal data without undue delay where certain conditions apply. 4. Right to Be Forgotten If the data controller has made the personal data public and is obliged to erase it, the data controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by them of any links to, or copy or replication of, those personal data. 5. Right to Restriction of Processing You have the right to obtain from the data controller restriction of processing where one of the following applies: You contest the accuracy of the personal data, for a period enabling the data controller to verify the accuracy of the personal data. The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead. The data controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims. You have objected to processing pending the verification whether the legitimate grounds of the data controller override your grounds. 6. Right to Data Portability You have the right to receive the personal data concerning you, which you have provided to a data controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided (...) 7. Right to Object In cases where the processing is based on legitimate interest or public authority, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, including profiling based on those provisions. 8. Objection to Direct Marketing If personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. 9. Automated Individual Decision-Making, Including Profiling You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. The preceding paragraph does not apply if the decision: Is necessary for entering into, or performance of, a contract between you and the data controller; Is authorized by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or Is based on your explicit consent.

Notification of the Data Subject in Case of a Personal Data Breach

Notification of the Data Subject in Case of a Personal Data Breach If a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall inform the data subject without undue delay. The information provided to the data subject shall be in clear and plain language and shall include the name and contact details of the data protection officer or other contact person from whom further information can be obtained; describe the nature of the personal data breach; describe the likely consequences of the personal data breach; describe the measures taken or proposed by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. The data subject shall not have to be informed if any of the following conditions are met: The data controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the affected personal data, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption; The data controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize; It would involve disproportionate effort. In such cases, public communication or similar measures shall be used to inform the data subjects in an equally effective manner. If the data controller has not yet informed the data subject about the personal data breach, the supervisory authority, having considered whether the personal data breach is likely to result in a high risk, may instruct the data controller to inform the data subject. Notification of a Personal Data Breach to the Authority The data controller shall notify the personal data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. Mandatory Review in Case of Mandatory Data Processing If the law, local government decree, or a binding legal act of the European Union does not specify the duration of mandatory data processing or the need for periodic review of its necessity, the data controller shall review at least every three years from the start of data processing whether the processing of personal data is necessary for achieving the purpose of data processing. The circumstances and results of this review shall be documented by the data controller, and this documentation shall be retained for ten years following the review and made available to the National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority) upon request.

Opportunity to Lodge a Complaint

Complaint in Case of a Potential Violation by the Data Controller A complaint can be filed with the National Authority for Data Protection and Freedom of Information (NAIH) in case of a potential violation by the data controller: National Authority for Data Protection and Freedom of Information (NAIH) 1055 Budapest, Falk Miksa Street 9-11. Postal address: 1363 Budapest, PO Box 9. Phone: +36-1-391-1400 Fax: +36-1-391-1410 Email: ugyfelszolgalat@naih.hu

Conclusion

Preparation of the Information Notice In preparing this notice, we have taken into account the following laws: Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, GDPR) of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC. Act CXII of 2011 on the Right to Informational Self-Determination and on Freedom of Information (hereinafter referred to as Infotv.). Act CVIII of 2001 on Certain Issues of Electronic Commerce and Information Society Services, particularly Section 13/A. Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices Against Consumers. Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities, especially Section 6. Act XC of 2005 on the Freedom of Electronic Information. Act C of 2003 on Electronic Communications, specifically Section 155. Opinion No. 16/2011 on Best Practices for Behavioral Online Advertising by EASA/IAB. Recommendations of the National Authority for Data Protection and Freedom of Information on the data protection requirements for prior information.