BICAPP Mobile Application and Website Privacy Notice

I. INTRODUCTION

This Data Processing and Privacy Notice (hereinafter: the “Privacy Notice”) is issued by Aktív Magyarország Fejlesztési Központ Nonprofit Korlátolt Felelősségű Társaság (hereinafter: the “Controller”) in relation to the BICAPP mobile application (hereinafter: the “Application”) operated by it and the related www.bicapp.hu website (hereinafter together with the Application: the “Platforms”). Its purpose is to set out the Controller’s data protection and data processing policy in accordance with the data protection and data processing principles laid down by law, in order to ensure that the rights of data subjects, in particular their right to the protection of personal data, are respected in the course of the automated processing and other handling of their personal data.

The Controller is committed to protecting the personal data of data subjects and considers it of paramount importance to respect their right to informational self-determination. The Controller treats personal data as confidential and takes all security, technical and organisational measures necessary to guarantee the security of the data; it is committed to protecting your personal data.

This Privacy Notice provides information, in relation to the Platforms, on the processing of personal data and on the rights of data subjects in connection with data processing, as well as the legal remedies available to them.

For the purposes of the data processing operations falling within the scope of this Privacy Notice, a data subject is any person who contacts the Controller, provides their data and, in doing so, consents to the processing of their data.

Only children aged 16 or over may give consent on their own behalf. In the case of persons under the age of 16, the consent of the parents or legal representative is required. In order to protect the rights and personal data of children using the Platform who have not yet reached the age of 16, registration on their behalf may only be carried out by the legal representative exercising parental responsibility. (Hereinafter the above persons together: “you”.)

1. Scope of the Privacy Notice

By accepting this Privacy Notice, its scope extends both to the legal representative performing the registration and to the child under the age of 16.

This Privacy Notice applies exclusively to those activities of the Controller in which personal data of natural persons are processed. The scope of this Privacy Notice covers the data processing operations carried out in connection with the Platforms.

This Privacy Notice does not apply to data which do not relate to natural persons (e.g. company data) or to data which cannot be linked to natural persons (e.g. statistical data, anonymised data).

This Privacy Notice applies solely to the data processing activities of the Controller. In the absence of an express stipulation to the contrary, its scope does not extend to services and data processing operations related to promotions, prize games, services, other campaigns or content published by third parties advertising on, or otherwise appearing on, the Platforms.

This Privacy Notice sets out in particular:

• What personal data we collect and process on the Platforms during registration and subsequently;
• For what purposes, on what grounds and for how long we use personal data;
• The sharing of personal data;
• The method of storing personal data and the security of data processing;
• Contact details;
• Cookies and tracking;
• Data protection rights;
• Data processing related to the exercise of data subject rights;
• Ensuring the rights of data subjects and handling their requests;
• Remedies.

2. Legislation

The principles of data processing are in line with the applicable data protection legislation, in particular the following:

• Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: Infotv.);
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR);
• Act V of 2013 on the Civil Code (hereinafter: Civil Code).

3. Definitions

• Data subject: Any identified or identifiable natural person based on any information, in particular users of the Platforms, regardless of whether they act on behalf of a legal person. Accordingly, they are entitled to the data subject rights set out in the GDPR and in the Infotv.
• Personal data: Any information relating to an identified or identifiable natural person (“data subject”) that is capable of identifying that person (for example name, address, contact details and other identifying information), as well as information relating to the use of the Platforms on the basis of which the data subject can be identified directly or indirectly. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors.
• Processing: Any operation or set of operations which is performed on personal data or on sets of personal data (for example collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure or destruction).
• Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this Privacy Notice, the Controller is Aktív Magyarország Fejlesztési Központ Nonprofit Korlátolt Felelősségű Társaság (hereinafter: AMFK or the Controller), as well as any public, municipal or corporate entity with which AMFK enters into a legal relationship involving the processing of personal data.
• Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
• Processing activity by a processor: The performance of technical tasks related to data processing operations, irrespective of the method and means used to perform the operations and of the place of performance, provided that the technical task is carried out on the data.

II. DETAILS OF THE CONTROLLER

Name: Aktív Magyarország Fejlesztési Központ Nonprofit Korlátolt Felelősségű Társaság

Short company name: Aktív Magyarország Nonprofit Kft.

Registered office: H-1037 Budapest, Szépvölgyi út 39.

Postal address: H-1037 Budapest, Szépvölgyi út 39.

E-mail: adatkezeles@amfk.hu

1. Persons authorised to carry out data processing

The data may be accessed by the Controller and its employees as persons acting as data processors who, by virtue of their job responsibilities, are responsible for assisting in the performance of the Controller’s contractual and statutory obligations, have undertaken a duty of confidentiality and have been properly informed about the provisions of the GDPR. The Controller does not publish the data and does not disclose them to third parties.

In addition, in order to fulfil its contractual and statutory obligations, the Controller may use third-party service providers, who are likewise subject to confidentiality obligations and are required to fully comply with the GDPR.

The detailed list of the data processors involved in the operation of the Platforms is set out in the table in Section III.3.

2. Legal basis, method and purpose of processing

Data processing is carried out on the basis of the users’ voluntary declarations given on the basis of appropriate information, which declarations contain the users’ explicit consent to the use of the personal data they provide during registration.

The legal bases for processing are as follows:

• the data subject’s voluntary consent (Article 6(1)(a) GDPR);
• performance of a contract (Article 6(1)(b) GDPR), which is concluded upon acceptance of the Terms of Use;
• the legitimate interests of the Controller (Article 6(1)(f) GDPR); and
• compliance with a legal obligation to which the Controller is subject (Article 6(1)(c) GDPR).

The user of the Platform gives their voluntary consent to the processing of the above-mentioned data by expressly accepting this Privacy Notice after having read it in advance – by ticking the relevant checkbox – and by using the Platforms, registering and voluntarily providing the data concerned.

In certain cases, the Controller processes the personal data of data subjects on the basis of legitimate interest. Such legitimate interests include, for example:

• improving the quality of the service;
• providing appropriate information to users;
• responding to user enquiries;
• ensuring customer service communication;
• preventing and investigating abuse and misuse; and
• maintaining the security of the service.

The Controller in all cases performs a balancing test in order to ensure that the rights of data subjects are not infringed and that the processing is proportionate and necessary.

In some cases, processing is necessary for the fulfilment of legal obligations to which the Controller is subject. Such cases may include, for example:

• fulfilling complaint-handling obligations;
• responding to requests from authorities or courts;
• investigating abuse or infringements; and
• resolving legal disputes.

These processing operations are based on the applicable legislation, in particular:

• Act CLV of 1997 on Consumer Protection;
• Act CL of 2017 on the Rules of Taxation (where applicable);
• Act C of 2000 on Accounting; and
• other relevant sector-specific or procedural rules.

Purposes of data processing for users of the Platforms

The Controller processes your personal data for the following purposes:

1. Creation and management of user accounts: processing your data is necessary for the performance and fulfilment of the Terms of Use applicable to the relevant Platforms, as a contract, and for enabling access to the functions of the Application.
2. Location sharing: you may share your location with members of your group, provided that they also enable location sharing. Location sharing stops automatically when you exit the relevant view.
3. Recommending hiking routes and route planning: registered users may recommend hiking routes to each other via the Platforms.
4. User statistics and past activities: you may save your past routes and create individual statistics from them, according to your choice.
5. Rating service providers and locations: you may rate individual service providers and locations.
6. Managing tour groups: you can create groups with acquaintances registered on the Platforms and/or join groups in order to organise cycling tours.
7. Contact and communication: the purpose of processing is to enable the Controller to handle and respond to your questions and enquiries.
8. Newsletters, notifications and marketing communication: the purpose of processing is to send you information about our services and activities; for this purpose, the Controller relies on your consent.

III. DETAILED PRIVACY NOTICE

1. What data do we collect and process on the Platforms during registration and subsequently?

The Controller’s data processing activities are based on voluntary consent, the Controller’s legitimate interests, the performance of a contract and/or statutory authorisation. In the case of processing based on voluntary consent, you may withdraw your consent at any stage of the processing and you may exercise your rights relating to the processing of your personal data, in particular the rights of access, rectification, restriction and erasure.

Where there is a statutory obligation, the processing, storage and transfer of certain data are required by law; in such cases you will be informed separately.

We may collect personal data about you when you use the Platforms, when you receive system messages, when you request e-mail notifications or when you contact us.

In particular, we may collect the following categories of personal data:

• Registration data: such as your name, identification data (e-mail address and password), Google ID, registration confirmation code.
• User profile: such as your username, e-mail address, saved user activities, user group, group membership identifier, date and time of visits to the Platform, log-ins, profile picture, user type (general/admin), language used, newsletter subscription status (where applicable), code and expiry date for password change, code and expiry date for e-mail address change.
• Route data: such as data relating to saved routes and saved route-planning activities.
• Location data: such as the user’s last geographical location and the time associated with the last geographical location.
• Service provider data: service provider’s name, e-mail address, telephone number (for browsing on the Website only), service provider rating.
• Device data: such as the type of device used by the user, the IP (Internet Protocol) address used when visiting the Platform, as well as cookie, local storage and session storage data.
• Communication data: such as your questions, enquiries, comments or any communication with you.

2. For what purposes, why and for how long do we use your personal data?

2.1. As a general rule, we process personal data for the purposes set out in Section II.2 above. If we collect personal data for any other purpose, we will inform you of the different legal basis or, in accordance with the applicable rules, request your prior written consent.

2.2. We may process your personal data for the purposes and on the legal bases described below:

3. Sharing of personal data

The Controller accesses your personal data on a “need-to-know” basis. Our service provider and other third parties may access your personal data as data processors, and courts, authorities and other official bodies may require us to disclose your personal data to them. We may transfer your personal data to third parties for the following reasons:

• To certain third parties: we may transfer your data to external advisers (such as lawyers) for the purpose of responding to legal claims. We may transfer your location data to bicycle-friendly service providers if you have given your prior consent to this. The Platforms use Google Maps services in order to display your location data visually, via Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Google may transfer your data to the USA. Google’s privacy policy is available at the following link: https://policies.google.com/privacy?hl=en
• To service providers: in order to support our internal processes, we use IT services and systems provided by third parties.

  Data processor	Registered office	Activity
  BIG FISH Kft.	1066 Budapest, Nyugati tér 1-2.	Operation of the Website
  DigitalOcean, LLC	101 Avenue of the Americas, 10th Floor, New York, NY 10013 USA	Cloud service provider
  Mailjet SAS	13 B Rue de l'Aubrac 75012, Ile de France, France	E-mail delivery and management of marketing mailing lists
  Contabo GmbH	Aschauer Straße 32a, 81549 Munich, Germany	Hosting provider

• Authorities and other official bodies: to authorities and other official bodies, including supervisory authorities, on the basis of their requests and as required by law, or in order to protect our rights or the safety of our clients, staff or property.

Personal data may also be transferred to recipients located outside the European Economic Area (EEA). In such cases, by taking appropriate measures (such as the use of standard contractual clauses for data transfers), we ensure that personal data enjoy protection in line with the requirements of the GDPR.

By concluding appropriate data transfer agreements based on the Standard Contractual Clauses referred to in Article 46(5) GDPR (2010/87/EU and/or 2004/915/EC), or by implementing other appropriate safeguards, we ensure that recipients located outside the EEA provide an adequate level of protection for personal data and that appropriate technical and organisational security measures have been put in place in order to protect personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access, and all other forms of unlawful processing.

4. Method of storing personal data and security of processing

The Controller performs electronic data processing and record-keeping by means of computer programs that comply with data security requirements. The software ensures that access to the data is purpose-bound and takes place under controlled conditions, and that only those persons may access the data who need it for the performance of their duties. The Controller protects its IT systems with firewalls and uses antivirus software. The Controller’s IT systems and other data storage locations are located at its registered office and at its data processors.

In selecting and operating the IT tools used for providing the services and for processing personal data, the Controller ensures that the data processed:

• are accessible to authorised persons (availability);
• are authentic and their authenticity can be verified (integrity of processing);
• remain unchanged and their integrity can be demonstrated (data integrity);
• are protected against unauthorised access (confidentiality of data).

The Controller protects the data, by means of appropriate measures, in particular against unauthorised access, alteration, transfer, disclosure, erasure or destruction, accidental destruction or damage, and against becoming inaccessible due to changes in the technology used.

To protect the electronically processed data sets in its various registers, the Controller uses appropriate technical solutions to ensure that stored data – unless permitted by law – cannot be directly linked and assigned to the data subject. Taking into account the state of the art, the Controller applies technical, organisational and administrative measures that provide a level of protection appropriate to the risks associated with data processing.

In the course of data processing, the Controller ensures:

• confidentiality: it protects information so that only those who are authorised may access it;
• integrity: it protects the accuracy and completeness of the information and of the processing method;
• availability: it ensures that, when an authorised user needs the information, they can actually access it and that the tools required for this are available.

Handling of data protection incidents

A data protection incident is any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. If, in the Controller’s assessment, a personal data breach is likely to result in a high risk to your rights and freedoms, we will inform you of the personal data breach without undue delay.

5. Contact

If you wish to contact us, you may do so via the contact details provided in this Privacy Notice and on the Platforms.

6. Cookies and tracking

For the purpose of providing a customised service, the service provider places a small data file, a so-called cookie, on the user’s computer and reads it back during subsequent visits. If the browser returns a previously saved cookie, the service provider managing the cookie may link the user’s current visit to previous ones, but only with regard to its own content.

Purpose of processing: identification and differentiation of users, identification of users’ current sessions, storage of data entered during the session, prevention of data loss, identification and tracking of users.

Legal basis for processing: processing for statistical purposes, ensuring an appropriate user experience and the proper functioning of the Platforms (legitimate interest of the data subjects) and/or the data subject’s consent.

Scope of personal data processed: IP address.

The user can delete cookies from their own computer and can also disable their use in the browser. Depending on the browser, these settings are typically available under the Tools / Settings / Privacy / History / Custom settings menu.

Possible consequences of failure to provide data: some services and functions of the Platforms may not be available in full.

6.1. Google Analytics, Google AdWords

When viewing the website, the Google Analytics and Google AdWords programs are used to measure website traffic and to monitor visitor behaviour, to compile statistics and to evaluate the effectiveness of advertisements. These programs process, among others, the following data:

• IP address
• type of browser
• operating system
• system activity
• activity on the website (pages visited, interactions)

More detailed information on Google’s data processing is available at:

• Google: https://privacy.google.com/your-data.html

Legal basis for processing: the data subject’s consent pursuant to Article 6(1)(a) GDPR, which is given by visiting the website.

Duration of processing: from the time of viewing the website, for the period specified in the data protection notices of the above service providers.

7. Data protection rights

You may request information about the processing of your personal data and may request the rectification of your personal data, and – with the exception of mandatory processing – their erasure or withdrawal. You may also exercise your right to data portability and your right to object in the manner indicated at the time of data collection or via the Controller’s contact details set out above.

7.1. Right to information

The Controller shall take appropriate measures to provide data subjects with all the information referred to in Articles 13 and 14 GDPR and all notifications referred to in Articles 15–22 and 34 GDPR relating to processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

The right to information may be exercised in writing via the contact details indicated in Section II. Upon your request – following verification of your identity – information may also be provided orally.

7.2. Right of access

You have the right to obtain from the Controller confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to the personal data and to the following information:

• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
• the envisaged period for which the personal data will be stored;
• the existence of the right to request rectification, erasure or restriction of processing and the right to object;
• the right to lodge a complaint with a supervisory authority;
• information as to the source of the data;
• the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved and the significance and the envisaged consequences of such processing for the data subject.

Where personal data are transferred to a third country or to an international organisation, you have the right to be informed of the appropriate safeguards relating to the transfer.

The Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by you, the Controller may charge a reasonable fee based on administrative costs. At your request, the Controller shall provide the information in electronic form. The Controller shall provide the information within one month of receipt of the request at the latest.

7.3. Right to rectification

You have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning you and to have incomplete personal data completed.

7.4. Right to erasure (“right to be forgotten”)

You have the right to obtain from the Controller the erasure of personal data concerning you without undue delay where one of the following grounds applies:

• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• you withdraw consent on which the processing is based and there is no other legal ground for the processing;
• you object to the processing and there are no overriding legitimate grounds for the processing;
• the personal data have been unlawfully processed;
• the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
• the personal data have been collected in relation to the offer of information society services.

Erasure of data may not be requested where processing is necessary:

• for exercising the right of freedom of expression and information;
• for compliance with a legal obligation requiring processing under Union or Member State law to which the Controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
• for reasons of public interest in the area of public health, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or
• for the establishment, exercise or defence of legal claims.

7.5. Right to restriction of processing

At your request, the Controller will restrict processing where one of the following applies:

• you contest the accuracy of the personal data, in which case restriction applies for a period enabling the Controller to verify the accuracy of the personal data;
• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
• the Controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or
• you have objected to processing; in this case, restriction applies for a period until it is verified whether the Controller’s legitimate grounds override your legitimate grounds.

Where processing has been restricted, personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

The Controller shall inform you in advance of the lifting of the restriction of processing.

7.6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.

7.7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, or where the processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, including profiling based on those provisions.

In such a case, the Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

Where personal data are processed for the purposes of direct business and consumer relations, you have the right to object at any time to processing of personal data concerning you for such purposes, including profiling to the extent that it is related to such direct business and consumer relations. Where you object to processing for direct business and consumer relation purposes, the personal data shall no longer be processed for such purposes.

7.8. Automated decision-making in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you.

This right shall not apply if the decision:

• is necessary for entering into, or performance of, a contract between you and the Controller;
• is authorised by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
• is based on your explicit consent.

7.9. Right to withdraw consent

You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

8. Data processing related to the exercise of data subject rights

The Controller ensures, in accordance with this Privacy Notice, that data subjects are able to exercise their constitutional rights and their rights arising from the Infotv. in relation to informational self-determination. To this end, standard forms are available to data subjects to facilitate the exercise of their rights, which can be accessed at the following links (in Hungarian):

Request for information on the processing of personal data: https://www.naih.hu/files/Tajekoztatas-kerese-szemelyes-adatok-kezeleser-l.pdf

Request for rectification of personal data: https://naih.hu/files/Szemelyes-adatok-helyesbitese.pdf

Request for erasure of personal data: https://www.naih.hu/files/Szemelyes-adatok-toerlese-iranti-kerelem.pdf

By submitting the completed form or exercising their rights in any other manner, the data subject, as appropriate, provides the Controller with the personal data necessary for the identification of the data subject and the enforcement of the right in question. These data include, in particular, the following:

1. In the case of a request for rectification of personal data:

   • name of the data subject;
   • additional data necessary for the identification of the data subject (for online data processing, e.g. e-mail address, username; in other cases, any other personal data processed by the Controller that are necessary for identification, such as address, date of birth, etc.);
   • the processed data which are the subject of the request;
   • the correct data;
   • the data subject’s signature.

    

2. In the case of a request for erasure of personal data:

   • name;
   • additional data necessary for the identification of the data subject;
   • data requested to be erased;
   • the data subject’s signature.

    

3. In the case of a request for information on the processing of personal data:

   • name;
   • additional data necessary for the identification of the data subject (for online data processing, e.g. e-mail address, username; in other cases, any other personal data processed by the Controller that are necessary for identification, such as address, date of birth, etc.);
   • the postal address to which the information is requested;
   • the data subject’s signature.

    

The personal data received are processed by the Controller separately and in a restricted manner, and are stored on paper only where the request itself is in paper form. Requests received electronically are stored electronically and will only be printed if this is required by document management rules. Where the request is received by post (on paper), data processing is carried out in line with the method of submission of the request: in the case of queries sent by letter to the postal address, the name provided by the enquirer and – where indicated on the envelope or in the letterhead – the sender data (name and address of the sender) are considered to be the personal data processed.

The purpose of processing is to ensure the exercise of data subjects’ rights; the legal basis is the relevant provisions of the Infotv. on the rights of data subjects and the exercise of those rights.

9. Ensuring the rights of the data subject and handling of data subject requests

The Controller informs you, as data subject, about the processing of your data at the time of first contact. You may submit your request to exercise your rights to the Controller via any of the contact details set out in Section II.

The Controller shall examine the request without undue delay, decide on whether it is to be granted and take the necessary measures. The Controller shall inform the data subject of the measures taken within one month. The information shall in all cases include either the measures taken by the Controller or the information requested by the data subject.

If the Controller refuses to grant the request (i.e. does not take the measures necessary to comply with the request), the information provided shall include the legal basis and the reasons for the refusal and the legal remedies available to the data subject.

The Controller shall provide the requested information and notices free of charge. Where your request is manifestly unfounded or – in particular because of its repetitive character – excessive, the Controller may, taking into account the administrative costs of providing the requested information or notice or of taking the requested action, charge a reasonable fee or refuse to act on the request.

The Controller shall inform all recipients to whom the personal data have been disclosed of any rectification, erasure or restriction of processing carried out by it, unless this proves impossible or involves a disproportionate effort. At your request, the Controller shall inform you of those recipients.

If, due to the circumstances or method of submission of the request, it is not clear that the request originates from the data subject, the Controller may request the applicant to prove his/her entitlement or to submit the request in a manner that clearly establishes such entitlement.

10. Remedies

If you, as data subject, consider that your rights have been infringed, you may request that the Controller put an end to unlawful data processing and review the processing or the refusal of your request. The Controller shall in all cases investigate such complaints and inform the data subject of the outcome. Data subjects may submit their complaints via the contact details set out in Section II.

You may also lodge a complaint directly with the Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság) at the following contact details:

• Address: H-1055 Budapest, Falk Miksa utca 9-11.
• Telephone: +36-1-391-1400
• E-mail: ugyfelszolgalat@naih.hu
• Website: www.naih.hu

If your rights have been infringed, you also have the right to bring the matter before a court. The action falls within the jurisdiction of the Budapest Metropolitan Court (Fővárosi Törvényszék) as the court having jurisdiction over the Controller’s registered office. The action may, at the data subject’s choice, also be brought before the tribunal court having jurisdiction over the data subject’s place of residence or habitual residence.

IV. FINAL PROVISIONS

For matters not regulated in this Privacy Notice, the provisions of the Infotv. in force at any given time and the other pieces of legislation specified in Section I.2 of this Notice shall apply.

Please note that we are entitled to unilaterally amend the provisions of this Privacy Notice within the framework of the applicable legislation. Any amendment shall take effect upon its publication on the Platforms, and by using the Platforms you accept the amended provisions.

Budapest, 1 September 2025

Aktív Magyarország Nonprofit Kft.
Controller