Oldal kiválasztása

Privacy Policy

Regarding the data processing related to the operation of Török Dávid Ev. and the website https://pretiumpoints.com/ (service)

Introduction

This Policy is provided in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) to inform about how Török Dávid Ev. and the service operated at https://pretiumpoints.com/ (hereinafter Data Controller) processes personal data of natural persons in connection with its activities described below. It explains what activities are carried out with the data, the rules followed during these activities, and provides insight into the measures taken to protect the data used. It also informs about the rights that data subjects have in order to protect their interests.

The Data Controller provides the mandatory information according to Article 13 of the GDPR to data subjects and interested parties as follows.

Identification data of the Data Controller: Name: Török Dávid Ev. Registration number: 52598177 Registered office: 3036 Gyöngyöstarján, Kossuth Lajos Street 59. Tax number: 69031063-1-30 Email address: info@pretiumpoints.com

Hosting provider: Tárhely.Eu Kft. Contact details of hosting provider: support@tarhely.eu ; +36 (1) 789 2 789 Hosting provider’s privacy policy: https://tarhely.eu/dokumentumok/adatvedelmi_szabalyzat.pdf

Principles of personal data processing

The Data Controller operates according to the following principles:

The principle of purpose limitation: showing for what purpose the Data Controller stores and uses personal data of natural persons during its activities. The principle of data minimization: the scope of processed data is appropriate to the purpose and limited to what is necessary. The principle of accuracy: inaccurate personal data are promptly corrected or deleted by the Data Controller to protect data subjects and ensure legal compliance. The Data Controller obtains personal data directly from the data subjects. It accepts as binding the tasks related to the protection of personal data processed in connection with its activities, by which it helps to demonstrate to Authorities, business partners, and affected clients that it complies with the Regulation, the Information Act, and other relevant legislation (principle of accountability).

Key laws governing the data processing activities:

Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR, hereinafter: Regulation) Act CXII of 2011 on the right of informational self-determination and freedom of information Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activities Act I of 2012 on the Labour Code Act CL of 2017 on the order of taxation Act C of 2000 on accounting

Definitions

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation).

Personal data: Any information relating to an identified or identifiable natural person, such as an identifier, name, number, location data, online identifier, or data concerning the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Special categories of data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic and biometric data processed to uniquely identify a natural person, health data, and data concerning a natural person’s sex life or sexual orientation.

Data processing: Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, as well as access to the data, prevention of further use, creation of photographic, audio, or video recordings, and capturing physical characteristics suitable for identification (e.g., fingerprints or palm prints).

Data controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, makes and implements decisions regarding data processing, or instructs the data processor.

Data processor: The natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Data subject: An identified or identifiable natural person who can be identified directly or indirectly by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

Data transfer: Making personal data accessible to a specified third party. Data transfers to EEA member states or EU institutions shall be considered as transfers within Hungary.

Data deletion/erasure: Rendering data unrecognizable by content deletion or equivalent means.

Data breach: A security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

EEA member state: A member state of the European Union or any other state party to the Agreement on the European Economic Area, as well as a state whose nationals enjoy equivalent status under international agreements related to the EEA.

Third country: Any country that is not an EEA member state.

NAIH: The National Authority for Data Protection and Freedom of Information, the supervisory authority under the GDPR in Hungary.

Cookie: A small data package stored on the visitor’s device via their web browser by a website. Their purposes may include website operation, statistical analysis, saving user preferences, or data collection for marketing or advertising.

Profiling: Automated processing of personal data to evaluate certain personal aspects of the data subject, such as interests or behavior, in order to infer conclusions.

Pseudonymization: Processing personal data so that it cannot be attributed to a specific individual without the use of additional information.

Data Processing Procedures

During our activities, any business partner, client, or user data we come to know in any manner or scope shall be handled in accordance with this Privacy Policy, the provisions of the GDPR, and applicable Hungarian laws.

Personal data received in connection with the fulfillment of our activities may be lawfully stored, organized within the limits of the law, and used to the necessary extent.

Data processing will be terminated immediately once the purpose has been fulfilled or ceased, or upon request of the data subject after consideration.

Details of data processing related to our activities, by purpose:

6.1 Contact via Website or Email

Data subjects: Users who contact us with the intention of communication
Purpose of data processing: Contact and information provision

Data Type

Legal Basis

Retention Period

Name

GDPR Article 6(1)(a); Consent

Until withdrawal of consent, but no longer than 5 years

Email Address

GDPR Article 6(1)(a); Consent

Until withdrawal of consent, but no longer than 5 years

Phone Number

GDPR Article 6(1)(a); Consent

Until withdrawal of consent, but no longer than 5 years

Process of data processing:
If you provide your contact details via email, the website’s message form, or by phone call, we will use them for communication and to fulfill our service. Providing the above data is not mandatory, but without them we cannot contact you. You may withdraw your consent at any time without justification; this does not affect the lawfulness of previously carried out data processing. You may withdraw your consent by sending a request to the email address provided, which we will fulfill within 5 working days.

IMPORTANT! Please do not provide personal data in the free-text “message” field on the website form. We have no authorization to process unsolicited personal data submitted this way, and such data will be deleted immediately and permanently without further consideration.

6.2 Contact via Social Media Platforms

Data subjects: Natural persons who voluntarily contact the website operator via social media platforms (such as Facebook, Instagram, Reddit, TikTok), inquire, ask questions, or request information
Purpose of data processing: Contact and information provision

Data Type

Legal Basis

Retention Period

Name

GDPR Article 6(1)(a); Consent

Until withdrawal of consent, but no longer than 5 years

Email Address

GDPR Article 6(1)(a); Consent

Until withdrawal of consent, but no longer than 5 years

Phone Number

GDPR Article 6(1)(a); Consent

Until withdrawal of consent, but no longer than 5 years

Process of data processing:
Data subjects voluntarily initiate contact on social media platforms for inquiry or information. The data provided during contact (e.g., name, message content, possibly phone number) is used exclusively to respond to the specific question or request. Communication takes place within the internal messaging systems of the respective platforms.

Social media platforms may also process these data according to their own privacy policies, over which we have no control.

Important note about data processing via social media platforms:
If you send a message via a social media platform (such as Facebook, Instagram, TikTok, YouTube, or Reddit), the provider of that platform also has access to the data you provide (e.g., your name or the content of your message). We cannot influence the data processing practices of these platform providers. If you request us to delete your data, we will do so within 5 working days, but the platform provider’s copy of the data may remain with them.

Privacy policy links of the social media platforms referred to:

 

6.3 Web Application Submissions
Data subjects: Interested parties who apply through the website and inquire about our services
Purpose of data processing: To record inquiries, contact interested parties for collaboration, track communication and cooperation process. Part of the data is also used for marketing purposes, especially for targeted ads (e.g., creating Facebook Custom Audiences).

Data Type

Legal Basis

Retention Period

Name

GDPR Art. 6(1)(a); Consent

Until consent withdrawal, max 5 years

Email Address

GDPR Art. 6(1)(a); Consent

Until consent withdrawal, max 5 years

Phone Number

GDPR Art. 6(1)(a); Consent

Until consent withdrawal, max 5 years

Company Name

GDPR Art. 6(1)(a); Consent

Until consent withdrawal, max 5 years

Message

GDPR Art. 6(1)(a); Consent

Until consent withdrawal, max 5 years

Requested Callback Time

GDPR Art. 6(1)(a); Consent

Until consent withdrawal, max 5 years

Process:
By filling and submitting the application form on the website, the data subject consents to the processing of the above data. The data is used to track cooperation, maintain contact, and for marketing purposes, including uploading primarily email addresses and phone numbers to platforms such as Facebook for targeted advertising (creating Custom Audiences).

Data transfers / processors:
We use the following data processors to handle the submitted data:

  • HubSpot Inc.
    Address: 25 First Street, Cambridge, MA 02141, USA
    HubSpot provides the CRM system and processes the data within it.
    Privacy Policy: https://legal.hubspot.com/privacy-policy
  • Meta Platforms Ireland Ltd.
    Address: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
    Data (e.g., email, phone number) may be uploaded to Facebook’s ad manager to deliver targeted ads.
    Privacy Policy: https://www.facebook.com/privacy/policy

We always strive for the highest level of data security and use data only for purposes consented to by the data subject.

6.4 Applications via Facebook Ads
Data subjects: Natural persons who apply through forms in Facebook ads expressing interest in our services
Purpose of data processing: To manage applicants’ data for contact purposes and cooperation; data is recorded in CRM and used for marketing (e.g., Facebook Custom Audiences).

Data Type

Legal Basis

Retention Period

Name

GDPR Art. 6(1)(a); Consent

Until consent withdrawal, max 5 years

Email Address

GDPR Art. 6(1)(a); Consent

Until consent withdrawal, max 5 years

Phone Number

GDPR Art. 6(1)(a); Consent

Until consent withdrawal, max 5 years

Company Name

GDPR Art. 6(1)(a); Consent

Until consent withdrawal, max 5 years

Message

GDPR Art. 6(1)(a); Consent

Until consent withdrawal, max 5 years

Requested Callback Time

GDPR Art. 6(1)(a); Consent

Until consent withdrawal, max 5 years

Process:
By filling out forms in Facebook ads, the data subject consents to being contacted and to the storage of their data in our CRM system (HubSpot). With consent, data may also be used for marketing purposes, including Facebook Custom Audience campaigns to deliver targeted ads to previously interested persons.

Data transfers / processors:

We take all reasonable technical and organizational measures to protect personal data during processing.

 

6.6 Invoice Management and Accounting
Data subjects: Partners, natural persons representing sole proprietors or companies
Purpose of data processing: Fulfillment of invoice retention obligations under the Accounting Act (Act C of 2000).

Data Type

Legal Basis

Retention Period

Name

GDPR Art. 6(1)(c) – Legal obligation; Accounting Act 169.§ (1)-(2)

8 years after the year of invoice issuance

Tax Number, Registered Address (sole proprietors)

GDPR Art. 6(1)(c); Accounting Act 169.§ (1)-(2)

8 years after the year of invoice issuance

Process:
Providing invoicing data is mandatory by law. Incomplete or incorrect data prevents invoice issuance. Records are stored electronically using the invoicing system operated by Billingo Zrt.

Data transfers / processors:

  • Billingo Zrt.
    Address: 1133 Budapest, Árbóc utca 6. III. em. 1.
    Company registration number: 01-10-140802
    Provides electronic invoicing system services.
    Privacy Policy: https://www.billingo.hu/adatkezelesi-tajekoztato
  • Nueva Könyvelő és Adótanácsadó Kft.
    Contact: iroda@nueva.hu, +36 70 607 0284
    Accounting service provider with access to invoicing system, processes data exclusively for accounting purposes.

6.7 Handling Complaints Related to Data Processing
Data subjects: Natural persons who feel their rights have been violated
Purpose of data processing: Identification, conducting procedure, and communication

Data Type

Legal Basis

Retention Period

Name

GDPR Art. 6(1)(c) – Legal obligation

3 years after case closure

Mother’s Name

GDPR Art. 6(1)(c) – Legal obligation

3 years after case closure

Email Address

GDPR Art. 6(1)(c) – Legal obligation

3 years after case closure

Phone Number

GDPR Art. 6(1)(c) – Legal obligation

3 years after case closure

Information about the contested data processing

GDPR Art. 6(1)(c) – Legal obligation

3 years after case closure

Process:
Any data subject may file a complaint if they believe their rights have been infringed. Providing the above data is mandatory for investigating the complaint and maintaining communication. Without this data, identification is impossible, and the procedure cannot proceed.

 

6.8 Handling Other Consumer Protection Complaints
Data subjects: Natural persons who submit consumer complaints to us
Purpose of data processing: Identification of the complaint, conducting the procedure, fulfilling the obligation to respond, and communication with the data subject

Data Type

Legal Basis

Retention Period

Name

GDPR Art. 6(1)(c) – Legal obligation; Consumer Protection Act CLV of 1997, §17/A (7)

5 years after case closure

Email Address

GDPR Art. 6(1)(c) – Legal obligation

5 years after case closure

Phone Number

GDPR Art. 6(1)(c) – Legal obligation

5 years after case closure

Complaint-related Information

GDPR Art. 6(1)(c) – Legal obligation

5 years after case closure

Process:
Certain personal data are required for identifying consumer complaints and performing legally mandated procedures. Providing these data is necessary for legal compliance. Without these, meaningful investigation or handling of the complaint is impossible. The data are stored electronically, primarily via email.

Data processors:
If an external service provider (e.g., customer support software or partner) is involved in complaint management, separate notification will be provided.

6.9 Use of Our Website
Data subjects: Anyone visiting the website https://pretiumpoints.com/
Purpose of data processing: Operation of the website and related data collection, remarketing

Data Type

Legal Basis

Retention Period

IP Address

Necessary cookies: GDPR Art. 6(1)(f) – Legitimate interest

Duration specified in Cookie Policy

Browser type and OS

Consent cookies: GDPR Art. 6(1)(a) – Consent

Duration specified in Cookie Policy

Time of visit

Consent or Legitimate interest depending on cookie type

Duration specified in Cookie Policy

Visited pages, clicks, scrolls, behavior

Consent or Legitimate interest depending on cookie type

Duration specified in Cookie Policy

Referrer (e.g., search engine or other website)

Consent or Legitimate interest depending on cookie type

Duration specified in Cookie Policy

Process:
Our website uses cookies — small data files stored on your device by your browser. Some cookies are essential for the website’s operation; others serve statistical or marketing purposes. Visitors are prompted upon first visit with a cookie consent interface to choose which cookies to allow. This choice can be changed anytime later. Rejecting cookies may limit certain website functionalities.

Detailed cookie information and management options are available here: Cookie Policy (Note: link placeholder—please update with actual URL if needed)

Data processors and partners:

Data Transfer and Disclosure

On occasion, in connection with our activities, we transfer personal data to third parties. Data transfer may be carried out both on paper and electronically, in both cases ensuring that the data is accessible exclusively to the designated recipient.

  • Paper-based transfer: personal handover or by mail, explicitly to the designated recipient.
  • Electronically (email): personal data does not appear in the body of the message. If necessary, personal data is sent as an attached Excel or compressed file, both protected by a unique password.

We do not transfer personal data to third countries or international organizations.

As a data controller, based on the legal grounds of “contract performance” or “compliance with legal obligations”, we transfer data – beyond the partners listed in point 6 – to the following entities acting as data processors or independent data controllers:

Bank partner: K&H Bank Zrt.
Privacy information: https://www.kh.hu/adatkezelesi-tajekoztato

Data Security

We ensure the security of personal data processed by us through technical and organizational measures, and established procedures.

Only those employees who need access to personal data to perform their duties have access to such data.

To ensure data security, we:

  • assess and consider potential risks during the design and operation of the IT system, striving for their continuous reduction;
  • monitor emerging threats and vulnerabilities (e.g., computer viruses, hacking attempts, denial-of-service attacks) to take timely action to avoid or mitigate them;
  • protect IT equipment and information handled on paper against unauthorized physical access and environmental hazards (e.g., water, fire, electrical surges);
  • monitor our IT system to detect potential problems or incidents;
  • select reliable service providers as a fundamental criterion.

To strengthen the data security of our website, we use an SSL certificate, which ensures encrypted data transmission, so that data provided by users or visitors remains secure. In addition, the website is protected by iThemes Security software, which continuously monitors the system security and prevents potential attacks, unauthorized accesses, and exploitation of security vulnerabilities.

Data Subject Rights according to GDPR Articles 15–20

The data subjects are entitled to the following rights concerning their personal data:

  • Right to information;
  • Right of access;
  • Right to rectification;
  • Right to erasure;
  • Right to restriction of processing;
  • Right to data portability;
  • Right to object.

Rights can be exercised by contacting info@pretiumpoints.com.

The right of access entitles the data subject to receive confirmation as to whether personal data concerning them is being processed, and if so, to access such data and information on the purpose, legal basis, duration of processing, and possible data transfers.

Access requests will be fulfilled within a maximum of 14 days from receipt, generally free of charge.

If the request is repetitive, manifestly unfounded, or excessive, the controller may charge a reasonable administrative fee and extend the response deadline.

To prevent abuse, the controller reserves the right to verify the identity of the requester before disclosing data to ensure that personal data is provided only to authorized persons.

Under the right to rectification, inaccurate personal data will be corrected without delay, and incomplete data will be supplemented upon request.

Under the right to erasure, personal data will be deleted without undue delay if:

  • the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
  • the consent on which processing is based has been withdrawn and no other legal basis for processing exists;
  • the personal data has been unlawfully processed;
  • there is a legal obligation to delete the personal data.

Personal data shall not be deleted if the processing is necessary for asserting, exercising, or defending legal claims.

Upon request, the use of personal data shall be restricted according to the right to restriction of processing; in this case, personal data may only be processed within a limited scope.

According to the right to data portability, if it does not infringe on the rights and freedoms of others, data will be provided in a structured, commonly used, and machine-readable format, or transferred directly to another data controller upon request.

According to the right to information, the data subject may request information about the processing of their personal data within the duration of the data processing. The controller shall provide clear and comprehensible information in writing within a maximum of 30 days after the request, including data processed, purposes, legal basis, duration, and if data transfer took place, the recipients and purpose of the data transfer.

The right to object shall be examined within the shortest possible time, but no later than 15 days from receipt of the objection. The controller shall make a decision and inform the data subject in writing about the decision. If a request for correction, restriction, or erasure cannot be granted, the controller shall inform the data subject in writing or electronically (if consented) within 30 days from receipt of the request, including factual and legal reasons for refusal.

Other Provisions Related to Data Processing

Termination of Data Processing

We delete all personal data

  • for which the purpose of data processing has ceased, or
  • for which the data subject’s consent is not available,
  • for which the data subject has withdrawn or prohibited the processing, or
  • for which there is no legal basis for processing.

Instead of deletion, we lock (restrict) personal data if the data subject requests it, or if the available information suggests that deletion would infringe on the legitimate interests of the data subject. Such locked personal data is processed exclusively as long as the data processing purpose excluding deletion exists.

Procedural Rules Related to Handling Data Protection Complaints

Procedure: We treat and handle all written comments reported to us by natural persons (data subjects) as complaints if they concern data protection and allege grievances related to our procedure or omission inconsistent with this Data Processing Information (hereinafter: complaint).

Complaints can be submitted electronically to the above email address or by mail to the correspondence address.

The complaint must include at least: the complainant’s name, address (email), phone number, date of the grievance, specific description of the complaint, complainant’s signature, and a statement that the complainant consents to the processing of the data contained in the complaint for the purposes of handling the complaint procedure simultaneously with signing. Without these data and declaration, the complaint investigation will be omitted, and the complainant will be notified in writing.

The complainant’s data are processed exclusively in connection with the complaint, are not disclosed to third parties except for statutory official or court inquiries, and are not used for business purposes.

The complaint will be investigated, and a justified, written response will be provided within 30 days of receipt, using the same means of submission (email or postal mail). If 30 days are insufficient, the complainant will be informed. In this case, a justified written response will be given within 3 months from the date of submission by the same means.

If the complaint investigation reveals that the complaint was factual and justified, we will inform the complainant simultaneously about the manner and extent of remedying the grievance.

If the complaint is rejected, a written notification will be provided explaining that the complainant may further turn to the National Authority for Data Protection and Freedom of Information (NAIH) or, in case of grievance, also to the Court.

NAIH supports enforcement of data subject rights by providing form letters: https://naih.hu/panaszuegyintezes-rendje.html

Complaint Submission:
NAIH; 1055 Budapest, Falk Miksa u. 9-11,
Email: ugyfelszolgalat@naih.hu
Tel.: +36 (1) 391 1400
Website: www.naih.hu

Data Protection Incident and Its Handling

Data protection incident: Any activity, intervention, or omission that results in unlawful processing of personal data, including unauthorized access, alteration, transfer, disclosure, deletion or destruction, as well as accidental destruction or damage.

Anyone noticing such an incident in connection with our activities should report it as soon as possible by email to: info@pretiumpoints.com.

As data controller, we record the report and immediately begin investigation. If the incident affects IT systems, we also notify service providers responsible for the affected databases.

To investigate and handle the incident, we collect all necessary information for identifying the incident, reducing potential damage, and taking further measures. We record, as far as possible:

  • time and place of the incident,
  • description, circumstances, and effects of the incident,
  • scope and number of compromised data,
  • data subjects affected by the compromised data.

In compliance with legal requirements, we notify the Authority (NAIH) within 72 hours.

Data Protection Officer

As the data controller does not process large volumes of personal data or special categories of data in connection with its core activities, we do not consider it necessary to appoint or employ a data protection officer, nor is it required by applicable law.

Note:
As data controller, we reserve the right to continuously update this Data Processing Information, including unilateral amendments reflecting legal changes. The currently effective information is available at the Data Controller.

Gyöngyöstarján, April 2025

Dávid Török, Sole Proprietor