Privacy Policy
Effective Date: April 14, 2025
Last Updated: April 14, 2025
1. Introduction and Scope
Welcome to Nyerővonal Online Store (hereinafter referred to as “the Store”, “we”, “us”, or “our”). We are committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, process, store, and disclose your information when you visit our website, purchase products, or interact with our services (collectively, “Services”).
This policy has been prepared in compliance with the requirements of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Hungarian Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (“Infotv.”).
We act as the Data Controller for the personal data we process through the Store. Our commitment is to be transparent about why we need your personal data and how we use it, ensuring it is processed lawfully, fairly, and securely.
Please read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy. If you do not agree with this policy, please do not access or use our Services.
2. Data Controller Information
The entity responsible for the processing of your personal data (Data Controller) is:
Registered Address: Halásztelek, Mária u. 2, 2314 Hungary
Phone Number: +36 30 987 6543
If you have any questions about this Privacy Policy or our data protection practices, or if you wish to exercise any of your data subject rights, please contact us using the details above.
3. Definitions
For the purposes of this Privacy Policy:
Personal Data: Means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (as defined in Article 4(1) GDPR).
Processing: Means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (as defined in Article 4(2) GDPR).
Data Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (as defined in Article 4(7) GDPR). In this context, is the Data Controller.
Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (as defined in Article 4(8) GDPR).
Data Subject: An identified or identifiable natural person whose personal data is processed by the Data Controller.
Consent: Any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (as defined in Article 4(11) GDPR).
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Infotv.: Hungarian Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.
4. What Personal Data We Collect
We collect various types of personal data depending on your interaction with our Store. This may include:
Identity Data: First name, last name, username or similar identifier.
Contact Data: Billing address, delivery address, email address, telephone numbers.
Financial Data: Payment card details (typically processed directly by our secure third-party payment gateway providers; we may only store partial information like the last four digits and expiry date for verification and fraud prevention), bank account details (e.g., for processing refunds). We emphasize that full payment card details are generally not stored on our servers but are handled by PCI-DSS compliant payment processors.
Transaction Data: Details about payments to and from you, order history, products and services you have purchased, details of order fulfilment, returns, and refunds.
Technical Data: Internet protocol (IP) address, your login data (if applicable), browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
Profile Data: Your username and password (stored securely, e.g., hashed), purchase history, your interests, preferences, feedback, and survey responses.
Usage Data: Information about how you use our website and Services, including pages visited, time spent on pages, links clicked, and navigation paths.
Marketing and Communications Data: Your preferences in receiving marketing communications from us and our third parties (where applicable) and your communication preferences and history.
Cookie Data: Information collected via cookies and similar tracking technologies. Please see our separate Cookie Policy for detailed information.
We do not typically collect Special Categories of Personal Data (e.g., race, ethnicity, religion, health, sexual orientation, political opinions) unless you voluntarily provide it, and only with your explicit consent or if required by law.
5. Legal Basis for Processing Personal Data
We process your personal data only when we have a valid legal basis to do so under GDPR Article 6 and relevant provisions of Infotv. The primary legal bases we rely on are:
Contract Performance (Art. 6(1)(b) GDPR): Processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract. This includes:
Registering you as a new customer.
Processing and delivering your orders (including managing payments, shipping, handling returns).
Managing our relationship with you (e.g., providing customer support, sending order confirmations and updates).
Legal Obligation (Art. 6(1)(c) GDPR): Processing is necessary for compliance with a legal obligation to which we are subject. This includes:
Compliance with Hungarian accounting and tax laws (e.g., Act C of 2000 on Accounting, Act CL of 2017 on the Rules of Taxation) regarding invoicing and record-keeping.
Responding to requests from regulatory or law enforcement authorities.
Handling complaints and legal claims.
Legitimate Interests (Art. 6(1)(f) GDPR): Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms. We ensure a balancing test is conducted for processing under this basis. Our legitimate interests include:
Operating and improving our business and website (e.g., troubleshooting, data analysis, testing, system maintenance, security).
Preventing fraud and ensuring the security of our network and information systems.
Understanding customer behaviour and preferences to improve our products, services, and marketing (analytics).
Sending marketing communications about similar products or services to existing customers (subject to your right to object/opt-out).
Managing customer relationships beyond direct contract fulfilment.
Enforcing our terms and conditions or protecting our legal rights.
Consent (Art. 6(1)(a) GDPR): Where required, we will obtain your explicit consent before processing your personal data. This typically applies to:
Sending direct marketing communications via email or other channels if you are not an existing customer or if required by e-privacy rules.
Using non-essential cookies and tracking technologies (see Cookie Policy).
Processing special categories of data if ever necessary and applicable.
You have the right to withdraw your consent at any time. Withdrawing consent will not affect the lawfulness of processing based on consent before its withdrawal.
6. Purposes of Processing Your Personal Data
We use your personal data for the following specific purposes, linked to the legal bases mentioned above:
To register you as a new customer (Contract Performance)
To process, fulfil, and deliver your orders, including managing payments, fees, charges, and collecting money owed (Contract Performance)
To manage our relationship with you, including notifying you about changes to our terms or privacy policy, handling inquiries, complaints, and providing support (Contract Performance, Legitimate Interests)
To enable you to partake in promotions, competitions, or complete surveys (Consent or Legitimate Interests)
To administer, protect, and improve our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting, hosting of data, security, fraud prevention) (Legitimate Interests, Legal Obligation)
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve (Legitimate Interests, Consent for certain tracking)
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences (Legitimate Interests)
To make suggestions and recommendations to you about goods or services that may be of interest to you (Legitimate Interests, Consent where required)
To comply with legal and regulatory obligations (e.g., tax reporting, responding to authorities) (Legal Obligation)
To prevent and detect fraud (Legitimate Interests, Legal Obligation)
To establish, exercise or defend legal claims (Legitimate Interests)
7. Data Retention Period
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.
To determine the appropriate retention period, we consider:
The amount, nature, and sensitivity of the personal data.
The potential risk of harm from unauthorised use or disclosure.
The purposes for which we process your data and whether we can achieve those purposes through other means.
The applicable legal, regulatory, tax, accounting or other requirements.
For example:
Basic customer information (Identity, Contact, Profile) may be kept for the duration of the customer relationship and a reasonable period thereafter.
Transaction data must be kept for the period required by Hungarian tax and accounting laws (generally 5 years for accounting supporting documents under Act C of 2000, potentially longer for tax purposes under Act CL of 2017 – consult your legal advisor for specific Hungarian requirements).
Data processed solely based on consent will be retained until consent is withdrawn, unless another legal basis applies.
After the retention period expires, we will securely delete or anonymise your personal data so that it can no longer be associated with you (in which case we may use this anonymous data indefinitely for statistical purposes without further notice to you).
8. Data Sharing and Disclosure
We do not sell your personal data. We may have to share your personal data with the parties set out below for the purposes outlined in Section 6:
Service Providers (Data Processors): Third-party companies that provide services on our behalf, such as IT and system administration services, hosting providers, payment processing providers (e.g., Stripe, PayPal), shipping and courier companies, marketing and advertising agencies, data analytics providers, customer service software providers. These processors are contractually obligated to process your data only on our documented instructions, maintain confidentiality, and implement appropriate security measures according to GDPR Article 28.
Professional Advisers: Lawyers, bankers, auditors, and insurers based in Hungary or the EEA who provide consultancy, banking, legal, insurance, and accounting services, acting as processors or separate controllers depending on the context.
Regulatory and Law Enforcement Authorities: Tax authorities (e.g., NAV – National Tax and Customs Administration of Hungary), regulators, courts, and other authorities based in Hungary or the EEA who require reporting of processing activities in certain circumstances or based on a legal request.
Third Parties in Business Transactions: If we sell, transfer, or merge parts of our business or assets, your personal data may be transferred to the new owners as part of the transaction. We will ensure appropriate confidentiality obligations are in place.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers (processors) to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
9. International Data Transfers
Some of our external third-party service providers may be based outside the European Economic Area (EEA), or process data outside the EEA. If we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
The transfer is to a country that has been deemed to provide an adequate level of protection for personal data by the European Commission (an “Adequacy Decision”).
We use specific contracts approved by the European Commission which give personal data the same protection it has in Europe (Standard Contractual Clauses – SCCs).
For transfers to the US, providers might be certified under the EU-U.S. Data Privacy Framework (or its successor), provided it is recognized as adequate by the EU.
In specific situations, derogations under Article 49 GDPR may apply (e.g., explicit consent, necessary for contract performance).
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
10. Your Data Subject Rights
Under GDPR and Infotv., you have several rights regarding your personal data. Subject to certain legal conditions and exemptions, you have the right to:
Right of Access (Art. 15 GDPR): Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Right to Rectification (Art. 16 GDPR): Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide.
Right to Erasure (‘Right to be Forgotten’) (Art. 17 GDPR): Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us to continue processing it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request (e.g., legal retention obligations).
Right to Restriction of Processing (Art. 18 GDPR): Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Right to Data Portability (Art. 20 GDPR): Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Right to Object (Art. 21 GDPR): Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the absolute right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Rights related to Automated Decision-Making and Profiling (Art. 22 GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not currently engage in such fully automated decision-making.
Right to Withdraw Consent (Art. 7(3) GDPR): Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
How to Exercise Your Rights:
To exercise any of these rights, please contact us using the contact details provided in Section 2. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. Exercising these rights is generally free of charge, but we reserve the right to charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive, or refuse to comply with your request in these circumstances.
11. Data Security
We have implemented appropriate technical and organisational security measures designed to prevent your personal data from being accidentally lost, used, accessed in an unauthorised way, altered, or disclosed. These measures include:
Secure servers and network infrastructure.
Encryption of data where appropriate (e.g., during transmission).
Access controls limiting access to personal data to employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions and are subject to a duty of confidentiality.
Regular security assessments and updates.
Procedures to deal with any suspected personal data breach. We will notify you and any applicable regulator (including the Hungarian NAIH) of a breach where we are legally required to do so.
While we strive to protect your personal data, please remember that no method of transmission over the Internet or method of electronic storage is 100% secure.
12. Cookies and Tracking Technologies
Our website uses cookies and similar technologies (e.g., web beacons, pixels) to distinguish you from other users, provide functionality, improve user experience, and analyse website traffic. For detailed information on the cookies we use, the purposes for which we use them, and how you can manage your cookie preferences, please refer to our separate Cookie Policy. We comply with applicable laws regarding consent for non-essential cookies (e.g., Act C of 2003 on Electronic Communications).
13. Children’s Privacy
Our Services are not intended for children under the age of 16 (or the applicable minimum age for data processing consent in Hungary, if different and parental consent is obtained), and we do not knowingly collect personal data from children under this age. If we become aware that we have inadvertently collected personal data from a child under the minimum age without verification of parental consent, we will take steps to delete that information as quickly as possible. If you believe that we might have any information from or about a child under the relevant age, please contact us.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the new policy on our website and updating the “Last Updated” date at the top of this policy. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data. Your continued use of the Services after any changes constitutes your acceptance of the revised policy.
15. Contact Information and Complaints
If you have any questions, concerns, or complaints about this Privacy Policy or our data handling practices, or if you wish to exercise your rights, please contact us at:
Address: Halásztelek, Mária u. 2, 2314 Hungary
Phone: +36 30 987 6543
Right to Lodge a Complaint with the Supervisory Authority:
You have the right to lodge a complaint at any time with the Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság – NAIH), the supervisory authority for data protection issues in Hungary, or with the supervisory authority in your country of residence if you are within the EU.