Privacy Policy
Effective Date: 11th of February, 2026
Data Protection Notice for customers
Please note: as Beyond Trails & Tales Kft. is registered in Hungary, Data Protections are governed by Hungarian law. The Hungarian version constitutes the official and legally binding document. The English translation is provided for reference only and may not perfectly reflect legal nuances. The original Hungarian version is available to download here. (Adatkezelési Tájékoztató)
The protection of personal data is extremely important to us, therefore, in this Data Protection Notice we explain what personal data we process about you, for what purpose and on what legal basis. The Data Protection Notice also contains your rights.
1. Data controller's data
Data controller: Beyond Trails and Tales Kft.
Registered office: 1126 Budapest, Márvány utca 50. III. em. Door 3 Company registration number: 01-09-452025
Tax number: 32969768-2-43
Website: https://www.beyondtrailsandtales.com/ Email address: info@beyondtrailsandtales.com
2. General legal basis for data processing
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR)
• Act CXII of 2011 on the right to informational self-determination and freedom of information (Infotv.)
• Act CXXVII of 2007 Act on Value Added Tax (VAT Act)
• Act C of 2000 on Accounting (Accounting Act)
• Act CL of 2017 on the Taxation System (Art.)
• Act CXIX of 1995 on the Management of Name and Address Data for the Purpose of Research and Direct Marketing (DM Act)
• Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (Eker Act)
• Act XLVIII of 2008 on the Basic Conditions and Certain Limitations of Economic Advertising Activities (Grt.)
• Government Decree 213/1996 (XII. 23.) on Travel Agency and Travel Agency Activities
• 472/2017 (XII. 28.) Government Decree on contracts for travel services, in particular for package travel and group travel
3. Definitions
Personal data: any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Such typical personal data include, in particular: name, address, place and date of birth, mother’s name.
Data processing: any operation or set of operations which is performed on personal data or on data files, whether or not by automated means, such as collection, recording, structuring, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the Controller or the specific criteria for the designation of the Controller may also be determined by Union or Member State law.
Data processor: the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the Controller.
Recipient: the natural or legal person, public authority, agency or any other body to which the personal data are disclosed, whether or not a third party.
4. Principles
The Controller shall take into account the following principles when processing personal data, such that personal data:
a. must be processed lawfully and fairly and in a manner that is transparent to the Data Subject (lawfulness, fairness and transparency)
b. must be collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; in accordance with Article 89(1) of the GDPR, further
processing for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes shall not be considered incompatible with the original purpose (purpose limitation)
c. must be adequate and relevant in relation to the purposes for which the personal data are processed and limited to what is necessary (data economy)
d. they must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes of the processing, are erased or rectified without delay (accuracy)
e. stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for a longer period only if the personal data are processed for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, subject to the implementation of appropriate technical and organisational measures to protect the rights and freedoms of data subjects (storage limitation)
f. processed in such a way that appropriate technical or organisational measures ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (integrity and confidentiality)
g. the Data Controller is responsible for compliance with the above and must be able to demonstrate this compliance (accountability)
5. Data processing activity
a.) contact (website)
Purpose of data processing Contact, maintaining contact
Legal basis for data processing GDPR Article 6(1)(b): necessary for the performance of the contract or to take steps at the request of the Data Subject prior to entering into the contract
Categories of Data Subjects Interested Party
Scope of personal data Name, email address, intended destination, content of the message
Data retention period 1 year from the date of contact
Data transfer No data transfer pursuant to Articles 44-49 of the GDPR takes place
Recipients The list of Recipients is contained in Chapter 9 of this Data Processing Notice
Source of data The source of personal data is the interested party
Method and consequence of data provision The data must be provided. If you do not provide personal data, the Data Controller will not be able to contact you.
b.) contacting and maintaining contact by email
Purpose of data processing Contacting and maintaining contact by email
Legal basis for data processing GDPR Article 6(1)(b): necessary for the performance of the contract or taking steps at the request of the Data Subject prior to entering into the contract
Categories of Data Subjects Interested party, customer
Scope of personal data Name, email address, message content
Data retention period 1 year from the date of contact
Data transfer No data transfer pursuant to Articles 44-49 of the GDPR takes place Recipients The list of Recipients is contained in Chapter 9 of this Data Processing Notice Source of data The source of personal data is the interested party and the customer
Method and consequence of data provision The provision of data is required. If you do not provide personal data, the Data Controller cannot contact or maintain contact with you via email
c.) sending a newsletter
Purpose of data processing Sending informative newsletters
Legal basis for data processing GDPR Article 6(1)(a): consent
Categories of Data Subjects Newsletter subscriber
Scope of personal data Name, email address
Data retention period Until consent is withdrawn
Data transfer No data transfer pursuant to Articles 44-49 of the GDPR takes place
Recipients The list of recipients is contained in Chapter 9 of this Data Protection Notice
Source of data The source of personal data is the newsletter subscriber
Method and consequences of data provision The provision of data is voluntary. If you do not provide personal data, the Data Controller cannot send you a newsletter
d.) customer reviews
Purpose of data processing Displaying customer reviews on the website
Legal basis for data processing GDPR Article 6(1)(a): consent
Categories of data subjects Customer
Scope of personal data Name, content of the review
Data retention period Until withdrawal of consent
Data transfer No data transfer pursuant to Articles 44-49 of the GDPR takes place
Recipients The list of recipients is contained in Chapter 9 of this Data Protection Notice
Source of data The source of personal data is the customer
Method and consequences of data provision The provision of data is voluntary. If you do not provide personal data, the Data Controller cannot display your opinion
e.) appointment scheduling
Purpose of data processing Appointment scheduling by email for an online consultation
Legal basis for data processing Article 6(1)(b) of the GDPR: necessary for the performance of the contract or for taking steps at the request of the data subject prior to entering into the contract
Categories of Data Subjects Person booking the appointment
Scope of personal data Name, email address
Data retention period 1 year from the date of booking the appointment
Data transfer No data transfer pursuant to Articles 44-49 of the GDPR takes place Recipients The list of recipients is contained in Chapter 9 of this Data Protection Notice Source of data The source of personal data is the person booking the appointment
Method and consequence of data provision The provision of data is required. If you do not provide personal data, the Data Controller cannot provide you with an appointment
f.) holding an online consultation
Purpose of data processing Holding an online consultation
Legal basis for data processing GDPR Article 6 (1) b): necessary for the performance of the contract or to take steps at the request of the Data Subject prior to entering into the contract
Categories of Data Subjects Interested party, customer
Scope of personal data Name, email address, live image and audio recording The image and audio recording will not be recorded
Data retention period 1 year from the date of contact
Data transfer No data transfer pursuant to Articles 44-49 of the GDPR will take place Recipients The list of Recipients is contained in Chapter 9 of this Data Processing Notice Source of data The source of personal data is the interested party, customer
Method and consequence of data provision The provision of data is required. If you do not provide personal data, the Data Controller will not be able to consult with you.
g.) conclusion of a contract
Purpose of data processing Conclusion of a travel contract for a travel agency service
Legal basis for data processing GDPR Article 6 (1) (b): necessary for the performance of the contract or to take steps at the request of the Data Subject prior to the conclusion of the contract
Categories of Data Subjects Customer
Scope of personal data In the case of a natural person: name, place and date of birth, mother's name, place of residence, person to be notified in the event of an emergency and their contact details, signature
In the case of a legal person: company name, representative, seat, tax number, registration number/company registration number, contact details, signature
Data retention period For 5 years from the performance or termination of the contract
Data transfer In accordance with Articles 44-49 of the GDPR. no data transfer takes place in accordance with Articles 1 and 2 of this Data Protection Notice
Recipients The list of Recipients is contained in Chapter 9 of this Data Protection Notice Source of data The source of personal data is the client
Method and consequence of data provision The data must be provided. If you do not provide personal data, the Data Controller cannot conclude a contract with you
h.) taking and using pictures and videos
Purpose of data processing Taking pictures or videos for the purpose of promoting the service and using them on the Data Controller's website, social media platforms and advertising platforms
Legal basis for data processing GDPR Article 6 (1) a): consent
Categories of Data Subjects Client
Scope of personal data Name, picture and video recording
Data retention period Until consent is withdrawn
Data transfer GDPR Articles 44-49. no data transfer takes place
Recipients The list of Recipients is contained in Chapter 9 of this Data Management Information
The Data Controller transfers data to social media platforms, which are contained in Chapter 7 of this Data Management Information
Source of data The source of personal data is the customer
Method and consequence of data provision The provision of data is voluntary. If you do not provide personal data, the Data Controller will not take or display any image or video recording of you
i.) purchase of a product
Purpose of data processing Purchase of products on the website
Legal basis for data processing GDPR Article 6 (1) b): necessary for the performance of the contract or to take steps at the request of the Data Subject prior to concluding the contract
Categories of Data Subjects Customer
Scope of personal data Name, email address
Data retention period Accounting Act. 8 years pursuant to Section 169 (1) and (2)
Data transfer Data transfer takes place in accordance with Articles 44-49 of the GDPR
Recipients The list of Recipients is included in Chapter 9 of this Data Protection Notice
Source of data The source of personal data is the customer
Method and consequence of data provision The data must be provided. If you do not provide personal data, you will not be able to purchase the products
j.) electronic delivery of the purchased product
Purpose of data processing Product delivery
Legal basis for data processing GDPR Article 6 (1) b): necessary for the performance of the contract or to take steps at the request of the Data Subject prior to the conclusion of the contract
Categories of Data Subjects Customer, customer contact
Scope of personal data Name, email address
Data retention period 5 years from the performance or termination of the contract
Data transfer GDPR Articles 44-49. data transfer takes place in accordance with Articles 159(1)(c) of the GDPR
Recipients The list of Recipients is contained in Chapter 9 of this Data Protection Notice Source of data The source of personal data is the customer, the customer's contact person
Method and consequences of data provision The data must be provided. If you do not provide personal data, the Data Controller will not be able to deliver the product
k.) invoicing
Purpose of data processing Issuance of an invoice
Legal basis for data processing Article 6(1)(c): fulfillment of a legal obligation: Section 159(1) of the VAT Act
Categories of Data Subjects Customer
Scope of personal data Name, address, tax number (in the case of a corporate customer), email address
Data retention period According to Section 169(1) and (2) of the Accounting Act 8 years
Data transfer According to Articles 44-49 of the GDPR data transfer takes place in accordance with Articles
Recipients The list of Recipients is contained in Chapter 9 of this Data Management Information Source of data The source of personal data is the customer
Method and consequence of data provision The provision of data is mandatory. If you do not provide personal data, the Data Controller cannot fulfill its statutory invoicing obligation
l.) payment of the consideration for a service/product
Purpose of data processing Payment of the consideration for a service or product in the following forms:
• bank transfer
• online bank card payment
Legal basis for data processing GDPR Article 6 (1) b): necessary for the performance of the contract or for taking steps at the request of the Data Subject prior to the conclusion of the contract
Categories of Data Subjects Customer
Scope of personal data Name, service identifier, bank account number, transfer amount, transfer time and data necessary for online bank card payment
Data retention period According to Section 169 (1) and (2) of the Accounting Act 8 years
Data transfer GDPR Articles 44-49. data transfer takes place in accordance with the articles of the Data Protection Act
Recipients The list of Recipients is contained in Chapter 9 of this Data Protection Act Source of data The source of personal data is the customer
Method and consequences of data provision The data must be provided. If you do not provide personal data, the Data Controller cannot provide you with services
m.) contractual relationship
The Data Controller communicates with its contracted Partners (suppliers, customers) through the contact person specified in the contract and maintains a business relationship.
Purpose of data processing To maintain communication and cooperation in order to implement the contract between the Data Controller and the Partner as intended
Legal basis for data processing GDPR Article 6 (1) (f): legitimate interest
Categories of Data Subjects Employee of the Partner (individual entrepreneur, Ltd., Bt., Zrt.), person designated as contact person
Scope of personal data Name, position, telephone number, email address
Data retention period 5 years from the performance or termination of the contract Data transfer No data transfer pursuant to Articles 44-49 of the GDPR takes place Recipients The list of Recipients is contained in Chapter 9 of this Data Processing Notice Source of data The source of personal data is the partner's contact person
Method and consequence of data provision The provision of data is required. If you do not provide personal data, the Data Controller cannot coordinate with the Partner
n.) complaint handling
Purpose of data processing Handling of complaints related to any product or service
Legal basis for data processing Article 6 (1) (c) of the GDPR: fulfillment of a legal obligation: Act CLV of 1997 on consumer protection
Categories of Data Subjects Consumer
Scope of personal data Name, address, telephone number, email address, place, time, method of submitti ng the complaint, detailed description of the complaint, list of documents, records and other evidence presented by the consumer
Data retention period according to Section 17/A. (7) of the Hungarian Consumer Protection Act 3 years
Data transfer According to Articles 44-49 of the GDPR no data transfer takes place Recipients The Data Controller does not use Data Processors
Source of data The source of personal data is the consumer as the complainant
Method of data provision, consequences Data provision is required. If you do not provide the necessary data, the Data Controller may not be able to investigate your complaint
o.) communication on social media
Purpose of data processing Communication on social media
Legal basis for data processing GDPR Article 6(1)(a): consent
Categories of Data Subjects Social media user
Scope of personal data Name, public profile name and profile picture
Data retention period Data processing is carried out on social media, so the data processing information of the given social media is the governing document
Data transfer GDPR Articles 44-49. no data transfer takes place in accordance with Articles 1 and 2 of the GDPR
Recipients The Data Controller does not use a Data Processor
The Data Controller is considered a joint data controller together with the operator of the social network, which is included in Chapter 7
Source of data The source of personal data is the user of the social network
Method and consequences of data provision The provision of data is voluntary. If you do not provide personal data, the Data Controller cannot inform you about its current activities and services on social networks
p.) communication in a closed Facebook group
Purpose of data processing Communication in a closed Facebook group
Legal basis for data processing GDPR Article 6 (1) a): consent
Categories of Data Subjects User of the social network
Scope of personal data Name, public profile name and profile picture
Data retention period Data processing is carried out on social networks, so the data processing information of the given social network is the governing document
Data transfer GDPR Articles 44-49. no data transfer takes place in accordance with Articles 1 and 2 of the GDPR
Recipients The Data Controller does not use a Data Processor
The Data Controller, together with the operator of the social network, is considered a joint data controller, which is included in Chapter 7
Source of data The source of personal data is the user of the social network
Method of data provision, consequences Providing data is voluntary. If you do not provide personal data, you will not be able to communicate in the Data Controller's closed Facebook group.
6. Website data management
The Website uses cookies.
A cookie is a file that is placed on your computer when you visit a website. A cookie is a package of information that the server sends to the browser, and then with each request, the browser sends it back to the server with data content specified by the server. The purpose of this is to save the Internet setti ngs of the website you are visiting, so that if you visit the same website again from the same device, the site will remember the parameters you set.
A cookie has numerous functions. Cookies are most often used to personalize advertisements and services, and to analyze website traffic.
According to the currently applicable laws, cookies can only be stored on your device if this is absolutely necessary, i.e. essential for the operation of the website; these are called “necessary cookies”. Your consent is required for the use of all other types of cookies. You can view and adjust the cookies currently used on the website in a pop-up window when you enter the website.
Modern browsers allow you to change your cookie setti ngs. Some browsers automatically accept cookies by default, but this setti ng can also be changed so that you can prevent automatic
acceptance in the future. If you switch, the browser will offer you the option to set cookies every time.
Given that the purpose of cookies is to support and facilitate the usability and processes of the website, if you disable cookies, it cannot be guaranteed that you will be able to use all the functions of the website to their full extent. In this case, the website may work differently in your browser than intended. Further detailed information about cookie setti ngs for the following browsers:
• Google Chrome
• Firefox
• Microsoft Internet Explorer 11
• Microsoft Internet Explorer 10
• Microsoft Internet Explorer 9
• Microsoft Internet Explorer 8
• Microsoft Edge
• Safari
7. Social Media
The Data Controller is available on the following social media site(s).
The operator of the social network site is considered a joint Data Controller together with the Data Controller, information on data processing is available at the following links:
Social network site: Name of Data Controller: Data processing information available:
Facebook Meta Platforms Ireland Ltd. (registered office: Merrion Road, Dublin, Ireland) https://www.facebook.com/privacy/explanation
Instagram Meta Platforms Ireland Ltd. (registered office: Merrion Road, Dublin, Ireland) https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect
LinkedIn LinkedIn Ireland Unlimited Company (registered office: Wilton Plaza Wilton Place, Dublin 2 Ireland) https://www.linkedin.com/legal/privacy-policy
TikTok TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. https://www.tiktok.com/legal/page/eea/privacy-policy/hu
Pinterest Pinterest Europe Ltd. (registered office: Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland) https://policy.pinterest.com/hu/privacy-policy
Google Business Profile Google Ireland Ltd. (registered office: Gordon House, Barrow Street, Dublin 4, Ireland) https://policies.google.com/privacy?hl=hu&fg=1
The Data Controller does not record or process personal data about the user of the given social network in its internal database and system.
8. Additional Data Controller, joint data processing
The Data Controller uses an additional independent Data Controller during data processing.
9. Recipients
a) Data Processors
The Data Controller uses a Data Processor during data processing.
The Data Processor does not make independent decisions, but acts solely in accordance with the contract concluded with the Data Controller and the instructions received. The Data Controller only uses a Data Processor that provides appropriate guarantees - in particular in terms of expertise, reliability and resources - that it will implement technical and organizational measures to ensure compliance with the requirements of the GDPR, including the security of data processing. The specific tasks and responsibilities of the Data Processor are regulated by the contract between the Data Controller and the Data Processor. After the data processing has been carried out on behalf of the Data Controller, the Data Processor will return or delete the personal data at the Data Controller's choice, unless EU or Member State law applicable to the Data Processor requires their storage.
Data processor(s):
• hosting and newsletter software: Squarespace Ireland Limited (registered office: Le Pole House, Ship Street Great, Dublin 8, Ireland)
• email system provider: Google Ireland Ltd. (registered office: Gordon House, Barrow Street, Dublin 4, Ireland)
• online meeting platform provider (Google Meet): Google Ireland Ltd. (registered office: Gordon House, Barrow Street, Dublin 4, Ireland)
• invoicing program: KBOSS.hu Kft. (registered office: 1031 Budapest, Záhony utca 7., company registration number: 01-09-303201)
• accountant: Exigopen Kft. (registered office: 2030 Érd, Platánfa utca 65., company registration number: 13-09-158753)
• document manager: Google Ireland Ltd. (registered office: Gordon House, Barrow Street, Dublin 4, Ireland)
• online assistant
b) Independent Data Controllers:
The Data Controller shall only transfer the personal data it processes to an authority, court or other state body in a manner and for a purpose specified in law.
Based on a legal obligation, the Data Controller shall transfer personal data to the following authorities:
• National Tax and Customs Office: pursuant to point 1 of Annex 10 to Act CXXVII of 2007 on Value Added Tax (VAT Act)
The Data Controller shall transfer personal data to the following legal entities as independent Data Controller(s):
• account-keeping bank: OTP Nyrt. (registered office: 1051 Budapest, Nádor utca 16., company registration number: 01-10-041585) Data processing information is available at the following link: https://www.otpbank.hu/portal/hu/adatvedelem
• financial and sales intermediary: Lemon Squeezy LLC. (registered office: 222 Main Street Suite 500, Salt Lake City, UT 84101, USA)
10. Access to data
The Data Controller's competent employees may access personal data to the extent necessary for the performance of their duties.
11. Data security measures
The Data Controller shall ensure that the personal data it processes is protected, among other things, against unauthorized access or unauthorized alteration, by means of appropriate IT, technical and personal measures.
12. Data Subject Rights and their Content
Data Subject Rights in relation to Data Processing
Data Subject Rights in relation to Data Processing
Content of Data Subject Rights in relation to Data Processing Right to Information
/GDPR Articles 13-14/
You have the right to be informed of the fact and purposes of data processing at the time your personal data are collected. The Data Controller shall also provide you with such additional information as is necessary to ensure fair and transparent data processing, taking into account the specific circumstances and context of the processing of your personal data. You must also be informed of the fact and consequences of profiling.
Right of access
/GDPR Article 15/
You have the right to request information as to whether your personal data is being processed and, if so, to obtain information on:
• what personal data of yours
• on what legal basis
• for what purpose of processing
• for how long it is being processed
• to whom, when, on what legal basis, access to which personal data has been granted or to whom your personal data has been transmitted
• from what source your personal data originate (unless you have provided them to the Data Controller)
• whether automated decision-making is used and its logic, including profiling.
Right to rectification
/GDPR Article 16/ You have the right to obtain from the Data Controller, at your request, the rectification of inaccurate personal data concerning you or the completion of incomplete personal data. Therefore, you may request that the Data Controller amend any of your personal data (for example, you may change your email address or other contact details at any time).
Right to erasure (‘right to be forgotten’)
/GDPR Article 17/ You have the right to obtain from the Controller the erasure of your personal data where one of the following grounds applies:
• your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
• you withdraw your consent on which the processing is based pursuant to Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing
• you object to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2)
• your personal data have been unlawfully processed
• your personal data must be erased for compliance with a legal obligation to which the Controller is subject under Union or Member State law
• your personal data were collected pursuant to Article 8(1) in connection with the provision of information society services referred to in Article 18 of the GDPR.
Right to restriction
/GDPR Article 18/
You have the right to obtain from the Controller restriction of processing where one of the following grounds applies:
• You contest the accuracy of your personal data (in this case, the restriction shall apply for a period enabling the Controller to verify the accuracy of the personal data)
• The processing is unlawful and you oppose the erasure of the data and request the restriction of their use instead
• The Controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims
You have objected to processing pursuant to Article 21(1) (in this case, the restriction shall apply for a period of time until it is determined whether the legitimate grounds of the Controller override your legitimate grounds).
Right to data portability
/GDPR Article 20/ You have the right to receive the personal data concerning you, which you have provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to whom the personal data have been provided, where:
• the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1) and
• the processing is carried out by automated means.
You have the right to request, where technically feasible, the direct transmission of your personal data between Controllers.
Right to object
/GDPR Article 21/ You have the right to object at any time to the processing of your personal data based on points (e) or (f) of Article 6(1), including profiling based on those provisions, on grounds relating to your particular situation. In such a case, the Controller shall no longer process your personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
If your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such purposes, including profiling where it is related to direct marketing.
Right to withdraw consent
/GDPR Article 7(3)/ You have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of the processing based on consent prior to its withdrawal. You must be informed of this before giving your consent. The withdrawal of consent must be made as easy as giving it.
13. Data Subject’s Remedies and their Content
Remedies Content of Remedies
Right to lodge a complaint with a Supervisory Authority
/GDPR Article 77/ You may lodge a complaint with the following Authority in the event of a violation of your right to the protection of your personal data:
National Data Protection and Freedom of Information Authority seat: 1055 Budapest, Falk Miksa utca 9-11.
mailing address: 1363 Budapest, Pf. 9.
telephone: +36 (1) 391-1400 email: ugyfelszolgalat@naih.hu website: www.naih.hu
Right to an effective judicial remedy against the Data Controller or the Data Processor (initiation of legal proceedings)
/GDPR Article 79/ You have the right to take legal action against the Data Controller or the Data Processor if you experience the unlawfulness of the processing of your personal data. The court shall proceed with the case as a matter of urgency. In this case, you are free to decide whether to file your claim with the court competent for your place of residence or stay. Contact details of the courts: www.birosag.hu/torvenyszekek.hu
14. Updating the Data Protection Notice
The Data Controller reserves the right to unilaterally amend this Data Protection Notice. This information may be amended in particular if necessary due to changes in legislation, data protection authority practice, business needs or other circumstances. At the request of the Data Subject, the Data Controller will send him a copy of the current information in the form agreed with him.
Budapest, January 25, 2026.