Effective: From January 6, 2026, until further notice

I. INTRODUCTION AND INFORMATION ABOUT THE DATA CONTROLLER

The purpose of this Privacy Notice is to provide information regarding the food ordering services (breakfast and dinner delivery) available through the online store operated by Gábor Nagy, Sole Proprietor (hereinafter: Data Controller) in a transparent manner, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR), as well as Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: Infotv.).

The Data Controller is committed to protecting users' personal data and will do everything in its power to ensure that the data is processed securely, lawfully, and fairly.

Data Controller Information:

  • Contractor's Name: Gábor Nagy EV

  • Headquarters: 10 József Attila Street, 8258 Badacsonytomaj

  • Registration number: 61654653

  • Tax ID: 91655066-1-39

  • Email address: info@tanuhegyekreggelije.hu

  • Phone number: +36 20 533 61 16

  • Website: https://tanuhegyekreggelije.hu

II. PURPOSE AND LEGAL BASIS OF DATA PROCESSING, AND SCOPE OF THE DATA PROCESSED

When a purchase is made through the online store, the Data Controller processes the personal data of the Data Subject (Customer) for the following purposes and on the following legal grounds.

1. Fulfilling Orders Placed Through the Online Store and Maintaining Communication

The primary purpose of data processing is to record and confirm the order placed by the Customer, prepare the ordered meals (breakfast, dinner), and deliver them to the specified accommodation.

  • Scope of data processed:

    • Personal identification information: Full name (for contract purposes and identification).

    • Contact Information: Email address (confirmation, status updates), Phone number (delivery coordination, contact by courier).

    • Shipping Information: Accommodation location / Apartment name and address (place of performance).

  • Legal basis for data processing: Pursuant to Article 6(1)(b) of the GDPR, performance of a contractor taking steps at the request of the data subject prior to entering into a contract.

  • Duration of data processing: Until the end of the civil law statute of limitations (5 years from the date of the last transaction).

2. Compliance with Invoicing Requirements

The Data Controller will issue an accounting document (invoice) for the purchase in accordance with applicable laws.

  • Scope of processed data: Billing name, billing address (zip code, city, street, house number), tax ID number (for businesses).

  • Legal basis for data processing: Article 6(1)(c) of the GDPR, i.e., the fulfillment of a legal obligation applicable to the Data Controller, in accordance with Section 169(2) of Act C of 2000 on Accounting.

  • Duration of data processing: 8 years from the date the invoice was issued, in accordance with the provisions of the Accounting Act.

3. Processing Online Payments

In the case of online credit card payments, the payment transaction data is exchanged between the Data Controller’s system and the payment service provider’s system.

  • Scope of processed data: Transaction ID, amount, payment status. Note: The Data Controller does not have access to or store credit card information (card number, CVC code, expiration date); this information is handled directly by the financial service provider.

  • Legal basis for data processing: Article 6(1)(b) of the GDPR (performance of a contract).

  • Duration of data processing: Until the end of the civil law statute of limitations (5 years).

III. USE OF DATA PROCESSORS (DATA TRANSFER)

The Data Controller engages third-party service providers (data processors) to provide the service. Data processors act in accordance with the Data Controller’s instructions and may not use the data for their own purposes.

  1. Web Hosting Provider: Rackhost Zrt. (6722 Szeged, Tisza Lajos krt. 41.)

  2. Website operator: Venture CO Scribers Kft. (113 Tó Street, Őrbottyán, 2162)

  3. Online payment provider: Stripe Payments UK Ltd. (7th Floor, The Bower Warehouse, 211 Old Street, London EC1V 9NR, United Kingdom)

IV. DATA SECURITY MEASURES

The Data Controller implements appropriate technical and organizational measures to ensure the protection of personal data against unauthorized access, alteration, disclosure, erasure, or destruction. Communication with the online store takes place via an encrypted channel (SSL/TLS protocol). Access to the data is restricted to those employees of the Data Controller whose job responsibilities include the fulfillment or administration of orders.

V. RIGHTS OF THE DATA SUBJECT AND MEANS OF ENFORCING THOSE RIGHTS

Under the GDPR, the Customer (Data Subject) has the following rights:

  1. Right of Access: You may request information regarding whether your personal data is being processed and, if so, what data we are processing.

  2. Right to Rectification: You may request that inaccurate personal data be corrected or that incomplete data be supplemented.

  3. Right to erasure (“right to be forgotten”): You may request the erasure of your data if the purpose of the data processing no longer applies or if there is no legal obligation requiring the continued storage of the data (e.g., in the case of invoices, the 8-year retention period is mandatory).

  4. Right to Restriction of Data Processing: You may request the restriction of data processing if you dispute the accuracy of the data or suspect that the data processing is unlawful.

  5. Right to data portability: You may request to receive your personal data in a structured, commonly used format.

Remedies: If the Customer believes that the Data Controller has violated their right to the protection of personal data, they may file a complaint with the National Authority for Data Protection and Freedom of Information (NAIH) or pursue their claim through the courts.

  • National Authority for Data Protection and Freedom of Information (NAIH)

    • Address: 9-11 Falk Miksa Street, 1055 Budapest.

    • Mailing Address: 1363 Budapest, P.O. Box 9.

    • Email: ugyfelszolgalat@naih.hu

    • Website: www.naih.hu

VI. COOKIE POLICY

1. What are cookies?

This website uses cookies to ensure proper functioning, enhance the user experience, and for statistical and marketing purposes. Cookies are small data files that the website places on the visitor’s computer or mobile device. They do not cause any damage to the device and do not contain viruses.

2. Consent Management (Cookiebot)

Our website uses Cookiebot (Usercentrics A/S). When you first visit the site, a Cookiebot pop-up (banner) provides you with detailed information about cookies, allowing you to freely decide which categories to allow.

  • Visitors may modify or withdraw their consent at any time by clicking the “Cookie Settings” icon at the bottom of the website.

  • Data Transfer: To store consent status, we transfer data to the Cookiebot system (anonymized IP address, date and time of consent, browser data).

3. Categories of Cookies Used and Service Providers

We use cookies on this website that fall into the following categories:

A) Cookies that are essential for the website to function (Essential)

Without these, the website cannot function properly (e.g., saving the contents of the shopping cart, secure payment). The Visitor’s consent is not required for their use; the legal basis is the Data Controller’s legitimate interest (Article 6(1)(f) of the GDPR).

  • Cookiebot: Stores the visitor's cookie settings (e.g., whether they have accepted marketing cookies), so there is no need to ask again every time they visit the site.

  • Stripe: Cookies used to ensure the security of online credit card payments (fraud prevention, transaction authentication).

  • Számlázz.hu: If you download an invoice or complete a payment through the Számlázz.hu system, the service provider may place session cookies to facilitate the technical processing of the transaction.

B) Statistical and Analytical Cookies (Statistics)

These help us understand how Visitors use the website (e.g., which pages they viewed, how much time they spent there). The data is processed in an anonymized form. They are activated only with your consent.

  • Google Analytics 4 (GA4): A service provided by Google Ireland Ltd.

    • Data Processed: IP address (anonymized), browser type, time of visit, subpages viewed.

    • Purpose: To measure website traffic and analyze user behavior in order to improve the service.

    • Expiration: The default data retention period is 2 or 14 months (depending on the settings).

C) Marketing and Targeting Cookies (Marketing)

The purpose of these is to display ads on other websites or social media platforms that match the Visitor’s interests. We use them only with your express consent.

  • Facebook Pixel (Meta Pixel): A service provided by Meta Platforms Ireland Ltd.

    • Purpose: To enable us to show relevant ads to website visitors on Facebook and Instagram (remarketing) and to measure the effectiveness of those ads.

    • Data Transfer: Pixel transmits data to Meta regarding which products the Visitor viewed or purchased.

  • Mailchimp: A service provided by The Rocket Science Group LLC (Intuit).

    • Purpose: If a Visitor subscribes to the newsletter (e.g., via a pop-up window), Mailchimp may use cookies to track the subscription process and ensure that the same pop-up window does not appear an excessive number of times.

4. Disabling Cookies in Your Browser

In addition to the Cookiebot interface, visitors can also disable or delete cookies in their own browser. Here are the setup guides for the most popular browsers:

  • Google Chrome

  • Firefox

  • Microsoft Edge

  • Safari

Please note that if the cookies required for the website to function , certain features of the online store (e.g., placing an order, making a payment) may not function properly.

Dated: Badacsonytomaj, January 6, 2026.