Privacy policy

PRIVACY POLICY

The date of the most recent update: November 24, 2025.

In all cases of dispute or discrepancy, the Hungarian version of these Privacy Policy shall prevail. As the webshop operates under Hungarian jurisdiction, the English translation is provided for informational purposes only.

Data Controller

Name: Mystique Karma Kft.
Registered seat: 1136 Budapest, Tátra utca 5/A minus 1, Door 2
Mailing address / complaints: 1136 Budapest, Tátra utca 5/A minus 1, Door 2
Email: sales@mystiquekarma.com
Phone number: +36 30 163 5747
Website: http://mystiquekarma.com

Hosting Provider

Name: Shopify International Limited
Mailing address: 2nd floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, DO4 XN32, Ireland
Email address: email@email.shopify.com

Description of Data Processing Related to Webshop Operation

This document contains all relevant information regarding data processing related to the operation of the webshop, in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter: GDPR) and Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Infotv.).

Information on the Use of Cookies

What is a cookie?

The Data Controller uses cookies during visits to the website. A cookie is a packet of information consisting of letters and numbers, which is sent by our website to your browser in order to save certain settings, make the use of our website easier, and assist in collecting some relevant statistical information about our visitors.

Some of the cookies do not contain any personal data and are not suitable for identifying individual users, but some include a unique identifier — a secret, randomly generated number sequence — which your device stores and can be used for identification. The duration of each cookie is described in its corresponding section.

Legal Background and Basis of Cookie Use

We distinguish between three main types of cookies:

Essential cookies required for proper website operation
Statistical cookies
Marketing cookies

The legal basis for processing is:

Your consent according to Article 6(1)(a) of the GDPR (for statistical and marketing cookies),
And legitimate interest according to Article 6(1)(f) (for essential cookies necessary for operation).

Main Characteristics of Cookies Used by the Website

Essential cookies:

If you do not accept the use of these cookies, some functions may not be available to you.

_ab: Used to access the admin interface. Duration: 2 years.
_customer_account_shop_sessions: Used together with _secure_account_session_id to track user sessions for new customer accounts. Duration: 30 days.
_secure_session_id: Tracks the user session across multi-step checkout processes, and links order, payment, and shipping data. Duration: 24 hours.
_shopify_country: For stores where pricing is based on GeoIP-detected country, this cookie stores the detected country. [Further content follows.]
_shopify_m: Used to manage customer privacy settings. Duration: 1 year
_shopify_tm: Used to manage customer privacy settings. Duration: 30 minutes
_shopify_tw: Used to manage customer privacy settings. Duration: 2 weeks
_storefront_u: Facilitates updating customer account information. Duration: 1 minute
_tracking_consent: Stores the user's preferences if the merchant has privacy rules enabled for the visitor's region. Duration: 1 year
_cmp_a: Used to manage customer privacy settings. Duration: 1 day
c: Used in connection with payment. Duration: 1 year
cart: Used in connection with the shopping cart. Duration: 2 weeks
cart_currency: Set after checkout to ensure new carts use the same currency as the last checkout. Duration: 2 weeks
cart_sig: A hash of the contents of a cart, used to verify cart integrity and perform cart operations. Duration: 2 weeks
cart_ts: Used in connection with payment. Duration: 2 weeks
cart_ver: Used in connection with the shopping cart. Duration: 2 weeks
checkout: Used in connection with checkout. Duration: 4 weeks
checkout_token: Used in connection with checkout. Duration: 1 year
customer_account_locale: Used in connection with new customer accounts. Duration: 1 year
dynamic_checkout_shown_on_cart: Used in connection with checkout. Duration: 30 minutes
hide_shopify_pay_for_checkout: Used in connection with checkout. Duration: until session ends
keep_alive: Used in connection with customer localization. Duration: 2 weeks
master_device_id: Used in connection with merchant login. Duration: 2 years
previous_step: Used in connection with checkout. Duration: 1 year
discount_code: Used in connection with checkout. Duration: until session ends
remember_me: Used in connection with checkout. Duration: 1 year
secure_customer_sig: Used to identify a user after they sign into a store as a customer, so they do not need to log in again. Duration: 1 year
shopify_pay: Used in connection with checkout. Duration: 1 year
shopify_pay_redirect: Used in connection with checkout. Duration: 1 hour, 3 weeks, or 1 year depending on configuration
shop_pay_accelerated: Used in connection with checkout. Duration: 1 year
source_name: In combination with mobile apps, provides customized checkout behavior when viewing a store from a compatible mobile app. Duration: until session ends
storefront_digest: Stores a storefront password digest, allowing merchants to preview their storefront while it's password protected. Duration: 2 years
tracked_start_checkout: Used in connection with checkout. Duration: 1 year
checkout_session_lookup: Used in connection with checkout. Duration: 3 weeks
checkout_queue_token: Used in connection with payment. Duration: 1 year
checkout_queue_checkout_token: Used in connection with payment. Duration: 1 year
checkout_worker_session: Used in connection with payment. Duration: 3 days
checkout_session_token: Used in connection with payment. Duration: 3 weeks
checkout_session_token_: Used in connection with payment. Duration: 3 weeks
cookietest: Ensures proper system operation. Duration: 1 minute
order: Used on the order status page. Duration: 3 weeks
identity-state: Used in connection with customer authentication. Duration: 24 hours
identity_customer_account_number: Used in connection with customer authentication. Duration: 12 weeks
card_update_verification_id: Used in connection with payment. Duration: 20 minutes
customer_account_new_login: Used in connection with customer authentication. Duration: 20 minutes
customer_account_preview: Used in connection with customer authentication. Duration: 7 days
customer_payment_method: Used in connection with payment. Duration: 1 hour
customer_shop_pay_agreement: Used in connection with payment. Duration: 20 minutes
pay_update_intent_id: Used in connection with payment. Duration: 20 minutes
localization: Used in connection with payment. Duration: 2 weeks
profile_preview_token: Used in connection with payment. Duration: 5 minutes
login_with_shop_finalize: Used in connection with customer authentication. Duration: 5 minutes
preview_theme: Used in connection with the theme editor. Duration: until session ends
shopify-editor-unconfirmed-settings: Used in connection with the theme editor. Duration: 16 hours
wpm-test-cookie: Ensures proper system operation. Duration: until session ends

Cookies for Statistical Purposes:

_landing_page Tracking landing pages. Duration 2 weeks
_orig_referrer: Tracking landing pages. Duration: 2 weeks

Cookies for Marketing Purposes:

_s Shopify analytics. Duration: 30 minutes
_shopify_d Shopify analytics. Duration: Until end of session
_shopify_fs Shopify analytics. Duration: 30 minutes
_shopify_s Shopify analytics. Duration: 30 minutes
_shopify_sa_p Shopify analytics related to marketing and recommendations.
Duration: 30 minutes
_shopify_sa_t Shopify analytics related to marketing and recommendations.
Duration: 30 minutes
_shopify_y Shopify analytics. Duration: 1 year
_y Shopify analytics. Duration: 1 year
_shopify_ga Shopify and Google Analytics. Duration: Until end of session
customer_auth_provider Shopify analytics. Duration: Until end of session
customer_auth_session_created_at Shopify analytics. Duration: Until end of session
unique_interaction_id Shopify analytics. Duration: 10 minutes

Further Information on Cookie Deletion

Internet Explorer: http://windows.microsoft.com/en-us/internet-explorer/delete-manage-cookies#ie=ie-11

Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer

Mozilla: https://support.mozilla.org/hu/kb/weboldalak-altal-elhelyezett-sutik-torlese-szamito

Safari: https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac

Chrome: https://support.google.com/chrome/answer/95647

Edge: https://support.microsoft.com/hu-hu/help/4027947/microsoft-edge-delete-cookies

Google Consent Mode v2

The Data Controller has integrated Google Consent Mode v2 on the website. Via the cookie panel, consent and refusal are managed in accordance with the new version. In addition to the previously used two flags (analytics_storage, ad_storage), Google now uses two additional flags:

ad_user_data: Allows user data to be sent to Google for advertising purposes
ad_personalization: Allows user data to be used for personalized advertising (e.g., remarketing)

These two switches control whether statistical or advertising cookies are permitted to be stored and accessed.

Data Processing for Contract Conclusion and Fulfillment

Several types of data processing may occur in connection with the conclusion and fulfillment of a contract. Please note: data processing related to complaint handling or warranty claims only takes place if you exercise your corresponding rights.

If you are only a visitor and do not make a purchase, only the marketing-related processing rules apply — and only if you give consent.

Contact Initiated by the User

If you contact us via email, contact form, or phone with questions regarding a product. This is optional — you may place orders directly without prior contact.

Processed data:

Email: sales@mystiquekarma.com
Phone: +36 30 163 5747

Duration of processing: Until the conclusion of the inquiry
Legal basis: Your voluntary consent provided by contacting the Data Controller
[GDPR Article 6 (1) point a)]

Order Processing

During order processing, the Data Controller performs data processing activities necessary for the fulfillment of the contract.

Data processed:
Name, address, phone number, email address, characteristics of the purchased goods, order number, date of purchase.

If you place an order in the webshop, the provision and processing of data is essential for fulfilling the contract.

Duration of data processing: 5 years, in accordance with the statute of limitations under civil law.
Legal basis: Fulfillment of contract [GDPR Article 6(1)(b)]

Issuing Invoices

This data processing activity is conducted for issuing lawful invoices and fulfilling accounting document retention obligations as required by law. According to Sections 169 (1)-(2) of the Accounting Act, business entities must retain accounting documents that directly and indirectly support accounting records.

Data processed:
Name, address, phone number, email address, characteristics of the purchased goods, order number, date of purchase.
Duration of data processing: 8 years, counted from the date of invoice issuance, in accordance with Section 169 (2) of the Accounting Act.
Legal basis: The issuance of an invoice is mandatory under Section 159 (1) of Act CXXVII of 2007 on Value Added Tax, and retention is required under Section 169 (2) of Act C of 2000 on Accounting. [GDPR Article 6(1)(c)]

Use of the “Utánvét Ellenőr” Service (Risk Analysis and Order Verification) during Order Processing

To reduce abuse related to cash-on-delivery (COD) orders and to minimize the number of unclaimed parcels, the webshop uses the Utánvét Ellenőr service.
The service provider automatically analyses COD orders placed by customers and assigns a risk level to each. The purpose of the risk analysis is solely to assess whether the order can be fulfilled and to filter out fraudulent or invalid orders.

Scope of Data Processed

The service provider may receive and use the following data for risk analysis:

first name, last name
email address
phone number
billing and shipping address
order details (cart contents, order value, selected payment method)
IP address and technical metadata
previous order history (only if the customer has purchased from the webshop before)

Purpose of Data Processing

verifying the authenticity of cash-on-delivery orders
reducing the number of unclaimed parcels
preventing abuse and financial damage
protecting legal and business interests

Legal Basis for Data Processing

GDPR Article 6(1)(f) – legitimate interest of the data controller,
which is connected to the prevention of fraud and the reduction of financial losses.

Customers have the right to object to data processing based on legitimate interest; however, this may limit certain webshop functions (e.g., the availability of cash-on-delivery as a payment method).

Data Processor

Risk analysis is performed by the following data processor:

Name: Utánvét Ellenőr Kft.
Registered address: 8640 Fonyód, Szigligeti utca 10., Hungary
Telephone: +36 20 923 8883
Email: support@utanvet-ellenor.hu
Website: https://utanvet-ellenor.hu
Activity: automated risk analysis and verification of cash-on-delivery orders
Data processor status: processes customer data on behalf of and for the benefit of the Mystique Karma webshop

The data processor uses the received data exclusively for risk analysis purposes. The data is not sold, not transferred to third parties, and not used for its own purposes.

Data Retention Period

Utánvét Ellenőr stores customer data for the period specified in its own privacy policy, in accordance with GDPR requirements.
Mystique Karma stores order-related data for the duration required by applicable legal obligations (accounting and invoicing regulations).

Transfer of Data to Third Countries

The Utánvét Ellenőr service does not transfer data outside the European Union.

Data Processing Related to Product Delivery

The data processing activity is carried out for the delivery of the ordered product.

Data processed:
Name, address, phone number, email address, characteristics of the purchased goods, order number, date of purchase.
Duration of data processing: Until the ordered product is delivered.
Legal basis: Fulfillment of contract [GDPR Article 6(1)(b)]

Recipients and Data Processors for Product Delivery

Bridge Logistics Ltd.

Registered seat: 1118 Budapest, Pálinkás Antal utca 6. D building, Ground floor, Door 6
Website: https://bridgelog.hu/

The fulfillment service provider cooperates in the delivery of the ordered product under a contract with the Data Controller. It processes the received personal data in accordance with the privacy policy available on its website.

GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.

Registered seat: 2351 Alsónémedi, GLS Európa u. 2.
Phone: +36 29 88 67 00
Email: info@gls-hungary.com
Website: https://gls-group.eu/HU/hu/home

The courier service participates in the delivery of the product and handles personal data according to its own privacy policy.

Magyar Posta Zrt. (Hungarian Post Ltd.)

Address: 1138 Budapest, Dunavirág utca 2-6.
Phone: +36 1 767 8200
Email: ugyfelszolgalat@posta.hu
Website: https://posta.hu

The courier service assists in the delivery of the ordered product under a contract with the Data Controller. It handles personal data in accordance with its privacy policy available on its website.

Packeta (FoxPost) Hungary Kft.

Address: 1097 Budapest, Könyves Kálmán körút 12-14.
Phone: +36 1 400 8806
Website: https://www.packeta.hu/

The courier service assists in the delivery of the ordered product under a contract with the Data Controller. It handles personal data in accordance with its privacy policy available on its website.

Handling Warranty and Guarantee Claims

Warranty and guarantee claims must be managed in accordance with Government Decree 19/2014. (IV.29.) NGM, which specifies how such claims must be processed.

Processed Data

When managing warranty or guarantee claims, a report must be drawn up that includes:

a. Your name and address, and your declaration of consent for the data recorded in the report to be processed as required by law
b. The description and purchase price of the movable item sold under contract
c. The date of fulfillment of the contract
d. The date the defect was reported
e. A description of the defect
f. The right you wish to exercise under warranty or guarantee
g. The manner of resolving the claim, or the reason for rejection of the claim or right

If the purchased goods are returned to us, we must issue a receipt of acceptance, including:

a. Your name and address
b. Data required for identifying the item
c. The date of receipt
d. The date you may collect the repaired item

Duration of Data Processing

The business must retain the report related to the consumer’s warranty or guarantee claim for 3 years from the date of creation and present it to the supervisory authority upon request.

Legal Basis for Data Processing

The legal basis is compliance with legal obligations under Government Decree 19/2014. (IV.29.) NGM [Section 4(1) and Section 6(1)] in accordance with GDPR Article 6(1)(c).

Handling Consumer Protection Complaints

This data processing activity is necessary for managing consumer protection-related complaints. If you submit a complaint to us, providing and processing your data is essential.

Data processed: Your name, address, phone number, email address, details of the purchased product, order number, and date of purchase.
Duration of processing: 3 years, based on the Consumer Protection Act.
Legal basis: While submitting a complaint is your voluntary choice, if you do so, we are legally obligated to retain the complaint for 3 years under Section 17/A(7) of Act CLV of 1997 on Consumer Protection, in accordance with GDPR Article 6(1)(c).

Data Processed to Verify Consent

During registration, order placement, or newsletter subscription, our IT system stores metadata related to your consent to enable future proof.

Data processed: The timestamp of your consent and your IP address.
Duration of processing: Stored until the expiry of the limitation period following the end of the data processing activity.
Legal basis: Based on Article 7(1) of the GDPR. [GDPR Article 6(1)(c)]

Marketing-Related Data Processing

Newsletter Subscription

This data processing is conducted for sending newsletters.

Data processed: Your name, address, phone number, and email address.
Duration of processing: Until you withdraw your consent.
Legal basis: Your voluntary consent provided during newsletter subscription. [GDPR Article 6(1)(a)]

Personalized Advertising

This data processing aims to send or display marketing content that matches your interests.

Data processed: Your name, address, phone number, and email address.
Duration of processing: Until you withdraw your consent.
Legal basis: Your separate, voluntary consent given during data collection. [GDPR Article 6(1)(a)]

Remarketing

The remarketing activity uses cookies for retargeting purposes.

Data processed: Data defined in the cookie policy.
Duration of processing: The storage period of the respective cookie.
More information:

Google Cookie Policy: https://www.google.com/policies/technologies/types/
Google Analytics Policy: https://developers.google.com/analytics/devguides/

Sweepstakes

This data processing activity is carried out for the administration of sweepstakes.

Data processed: Your name, address, phone number, and email address.
Duration of processing: Data will be deleted after the end of the sweepstakes, except for the winner's data, which the Data Controller must retain for 8 years in accordance with accounting regulations.
Legal basis: Your voluntary consent provided when using the website. [GDPR Article 6(1)(a)]

Additional Data Processing

If the Data Controller intends to carry out additional data processing, it will provide prior information about the essential circumstances of the data processing (legal basis and purpose, categories of personal data processed, duration, etc.).

Recipients of Personal Data

Data Storage Provider

Data Processor: Shopify International Limited
Email: email@email.shopify.com
Address: 2nd floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, DO4 XN32, Ireland
Website: https://www.shopify.com

Shopify stores personal data under a contract with the Data Controller. It is not authorized to access personal data.

Newsletter Distribution

Data Processor: Klaviyo Inc
Address: 125 Summer Street, Floor 6, Boston, Massachusetts 02111, United States
Email: success@klaviyo.com
Website: https://www.klaviyo.com/

Klaviyo assists with the distribution of newsletters under a contract with the Data Controller. It processes the recipient’s name and email address to the extent necessary for sending newsletters.

Accounting Services

Data Processor: Berger Könyvelőiroda Kft.
Address: 1136 Budapest, Tátra utca 5a
Phone: +36 1 700 1414
Email: info@bergerkonyvelo.hu
Website: https://www.bergerkonyvelo.hu/

Berger Könyvelőiroda Kft. provides bookkeeping services under a written contract with the Data Controller. It processes the name and address of the data subject for accounting purposes and retains the data for the duration required by Section 169(2) of the Accounting Act, after which the data is deleted without delay.

Invoicing

Data Processor: Számlázz.hu (KBOSS.hu Kft.)
Address: 1031 Budapest, Záhony utca 7.
Website: https://www.szamlazz.hu

The Data Processor participates in the registration of accounting documents under a contract with the Data Controller. During this, it processes the data subject's name and address to the extent necessary for accounting records, in accordance with Section 169(2) of the Accounting Act. After this period, the data is deleted.

Online Payment Data Processing

Data Controller: Stripe Payments Europe Limited
Address: The One Building, 1 Grand Canal Street Lower, Dublin 2, Co Dublin, Ireland
Website: https://stripe.com

The payment service provider assists in executing online payments under a contract with the Data Controller. During the purchase process, personal data is transferred to the payment provider, which processes the billing name and address, order number, and date in accordance with its own privacy policy.

Purpose of data transfer: To provide the payment provider with transaction data necessary for completing the payment.
Legal basis for data transfer: Performance of a contract under GDPR Article 6(1)(b) – payment is part of the contract between the User and the Data Controller, and data transfer is required to execute the payment.

Your Rights Regarding Data Processing

During the period of data processing, the following rights apply under the GDPR:

Right to withdraw consent
Right of access to personal data and information about processing
Right to rectification
Right to restriction of processing
Right to erasure
Right to object
Right to data portability

To exercise your rights, you must be identified by the Data Controller. Therefore, personal data must be provided for identification (based only on data already held by the Controller). Complaints must be submitted within the specified timeframe and will be retained in the Controller’s email system for this purpose.

If you were a customer and wish to identify yourself for complaint or warranty handling, please provide your order ID. This helps us identify you as a buyer. Complaints related to data processing will be responded to within 30 days.

Right to Withdraw Consent

You may withdraw your consent to data processing at any time. In such cases, we will delete your data from our systems.
Please note: If you withdraw consent while your order has not yet been fulfilled, we may not be able to complete your order.

Right of Access to Personal Data

You have the right to receive confirmation from the Data Controller as to whether your personal data is being processed. If such data processing is taking place, you are entitled to:

Access your personal data and receive the following information:

The purposes of processing;
The categories of personal data concerned;
The recipients or categories of recipients to whom the personal data has been or will be disclosed;
The envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
Your right to request from the Data Controller the rectification, erasure, or restriction of processing of personal data concerning you, and to object to such processing where based on legitimate interest;
The right to lodge a complaint with a supervisory authority;
Where the data is not collected from you, any available information as to its source;
The existence of automated decision-making, including profiling, and at least in those cases, meaningful information about the logic involved and the significance and envisaged consequences of such processing for you.

The purpose of exercising this right is to verify the lawfulness of the data processing. If requests are made repeatedly, the Data Controller may charge a reasonable fee for providing the requested information.

The Data Controller will ensure access by sending you the relevant information and a copy of your processed personal data via email after successful identification. If you have a registered account, you may access and review your personal data directly in your user profile. In your request, please indicate whether you are requesting access to your personal data or information about the processing.

Right to Rectification

You have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning you.

Right to Restriction of Processing

You have the right to obtain restriction of processing from the Data Controller where one of the following applies:

You contest the accuracy of the personal data, in which case restriction applies for a period enabling the Data Controller to verify the accuracy of the personal data. If the data can be verified immediately, no restriction will be applied.

Right to Restriction of Processing (continued)

You may request the restriction of processing in the following cases:

The processing is unlawful, but you oppose the deletion of the data for any reason (e.g., the data is important for asserting a legal claim), and instead request the restriction of its use;
The Controller no longer needs the personal data for the originally specified processing purpose, but you require them for legal claims (assertion, enforcement, or defense);
You have objected to the data processing, but the Controller may also have legitimate grounds; in this case, the data processing must be restricted until it is determined whether the Controller’s legitimate grounds override your rights.

If the processing is restricted, such personal data may, except for storage, only be processed with your consent, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for important public interests of the Union or a Member State.

The Controller will notify you in advance (at least 3 working days before lifting the restriction) of the termination of the restriction.

Right to Erasure – Right to Be Forgotten

You have the right to request that the Controller erase your personal data without undue delay where one of the following grounds applies:

The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
You withdraw your consent and there is no other legal ground for the processing;
You object to the processing based on legitimate interest, and there are no overriding legitimate grounds;
The personal data has been unlawfully processed, as established following a complaint;
The personal data must be erased to comply with a legal obligation in Union or Member State law applicable to the Controller.

If the Controller has made your personal data public and is obliged to erase it, taking into account available technology and the cost of implementation, it shall take reasonable steps, including technical measures, to inform other data controllers that you have requested the erasure of links to, or copies or replications of, those personal data.

Exceptions to the Right to Erasure

Erasure is not applicable if processing is necessary for:

Exercising the right of freedom of expression and information;
Compliance with a legal obligation that requires processing by Union or Member State law (e.g., invoicing data that must be retained by law);
The performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
The establishment, exercise, or defense of legal claims.

Right to Object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on legitimate interests. In this case, the Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims.

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your data for such marketing, including profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.

Right to Data Portability

If the processing is carried out by automated means or based on your voluntary consent, you have the right to receive the personal data you have provided to the Controller in a structured, commonly used, and machine-readable format (such as XML, JSON, or CSV). Where technically feasible, you may also request that this data be transmitted directly to another controller.

Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. In such cases, the Controller must take appropriate measures to safeguard your rights, freedoms, and legitimate interests, including at least the right to obtain human intervention, to express your point of view, and to contest the decision.

This rule does not apply if the decision:

Is necessary for entering into, or performance of, a contract between you and the Controller;
Is authorized by Union or Member State law which also lays down suitable measures to safeguard your rights, freedoms, and legitimate interests;
Is based on your explicit consent.

Data Protection Register (Historical)

Under the previous Hungarian Information Act (Infotv.), certain data processing activities had to be registered in the national data protection register. This obligation was abolished as of May 25, 2018.

Data Security Measures

The Data Controller declares that appropriate security measures have been implemented to protect personal data against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction or damage, and loss of accessibility due to changes in the applied technology. The Data Controller takes all reasonable steps, within the limits of its organizational and technical capabilities, to ensure that its Data Processors also implement appropriate data security measures when handling your personal data.

Legal Remedies

If you believe that the Data Controller has violated any legal provisions relating to data processing or has not fulfilled your request, you may initiate an investigation with the Hungarian National Authority for Data Protection and Freedom of Information (postal address: 1363 Budapest, Pf. 9.; email: ugyfelszolgalat@naih.hu; phone numbers: +36 (30) 683-5969, +36 (30) 549-6838, +36 (1) 391 1400) to eliminate the presumed unlawful data processing.

You are also informed that if your rights have been violated or the Data Controller has not fulfilled your request, you may file a civil lawsuit against the Data Controller in court.

Modification of the Privacy Policy

The Data Controller reserves the right to modify this privacy policy without affecting the purpose and legal basis of data processing. By using the website after the effective date of the modification, you accept the revised privacy policy.

If the Data Controller intends to process the collected data for purposes other than those for which they were collected, you will be informed of the new purpose of processing and the following information before such further processing begins:

The retention period of the personal data, or if not possible, the criteria used to determine that period;
Your rights to request access, rectification, erasure, or restriction of processing of your personal data, and to object to the processing in the case of processing based on legitimate interests, or to request the right to data portability where the processing is based on consent or contractual relationship;
In the case of consent-based processing, your right to withdraw consent at any time;
Your right to lodge a complaint with a supervisory authority;
Whether providing the personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and whether you are obliged to provide the data and the possible consequences of failure to provide such data;
The existence of automated decision-making (including profiling), and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

Processing may begin only after this information is provided, and in the case of consent-based processing, after you have given your explicit consent.

Postal Delivery and Post Point Collection

Please note that Magyar Posta Zrt. (Hungarian Post) identifies recipients in accordance with its current privacy policy, and therefore may request your personal data at the time of delivery for home or post point pick-up.

The date of the most recent update: November 24, 2025.