Privacy Policy

This Privacy Policy applies to visitors, registered users, customers, newsletter subscribers and users of contact forms of the website https://bitoattila.hu.

The purpose of this Privacy Policy is to clearly explain what personal data we process, for what purposes, on what legal basis, for how long, to whom we may disclose such data, and what rights data subjects have.

Data Controller

Name of the Data Controller: Bitó Attila Sole Proprietor

Registered address: 6800 Hódmezővásárhely, Jókai utca 188., Hungary

Tax number: 91861508-1-26

E-mail address: info@bitoattila.hu

Website: https://bitoattila.hu

Data Protection Officer: the Data Controller has not appointed a Data Protection Officer, as this is not required based on the current data processing activities. For data protection matters, the Data Controller can be contacted at the e-mail address above.

Categories of Personal Data and Purposes of Processing

Website Visit

When visiting the website, the hosting provider and the website system may process technical data, such as IP address, browser type, operating system, time of visit, visited pages and log files.

Purpose of processing: secure operation of the website, troubleshooting, prevention of abuse and ensuring IT security.

Legal basis: the legitimate interest of the Data Controller.

Retention period: technical log data are retained for a maximum of 180 days, unless longer retention is necessary due to a security incident, abuse or legal dispute.

Registration and User Account

The website may allow users to create a user account. During registration, the following data may be processed: name, username, e-mail address, password in encrypted form, billing data, order history and access rights to downloadable or purchased content.

Purpose of processing: creation and operation of user accounts, providing login access, access to purchased content and management of user permissions.

Legal basis: performance of a contract, or taking steps at the request of the data subject prior to entering into a contract.

Retention period: for as long as the user account exists or until a deletion request is submitted. Billing and purchase data that must be retained by law are processed for the mandatory retention period, regardless of account deletion.

Online Purchase

The website may offer digital products, educational materials, downloadable content, subscriptions, membership access or other online services for purchase.

During purchase, the following data may be processed: name, company name, billing address, tax number, e-mail address, telephone number, details of the ordered product or service, order ID, payment status, billing data and transaction ID received from the payment service provider.

Purpose of processing: fulfilment of orders, provision of digital content or services, payment processing, issuing invoices, customer communication and handling warranty, guarantee or consumer protection claims.

Legal basis: performance of a contract, compliance with a legal obligation, and legitimate interest in enforcing claims arising from the contract.

Retention period: data necessary for the performance of the contract are processed until the contract is fulfilled and until the expiry of the applicable limitation period. Billing and accounting data are retained for the retention period required by applicable accounting and tax laws, typically for 8 years.

Payment

In the case of online payment, payment may be processed by an external payment service provider. The Data Controller does not directly access or store bank card data.

Payment service provider: PayPal.

Processed data: payment ID, transaction ID, payment status, payment date, order amount, payer’s name and e-mail address, if transmitted by the payment service provider.

Purpose of processing: payment processing, verification of payment, proof of order fulfilment and handling refunds.

Legal basis: performance of a contract and compliance with a legal obligation.

Invoicing

The Data Controller issues invoices for purchases. The data required for invoicing include: name, company name, billing address, tax number, e-mail address, order details, payment amount and payment date.

Purpose of processing: issuing invoices and fulfilling accounting and tax obligations.

Legal basis: compliance with a legal obligation.

Retention period: invoices and accounting documents are retained in accordance with applicable laws, typically for 8 years.

Invoicing service provider: KBOSS.hu Kft. / Számlázz.hu

Contact

When using a contact form, e-mail or other communication channel, we may process the data subject’s name, e-mail address, telephone number, message content and the date of sending the message.

Purpose of processing: responding to enquiries, preparing offers, communication and administration.

Legal basis: the consent of the data subject, taking steps prior to entering into a contract, and the legitimate interest of the Data Controller.

Retention period: messages are retained for a maximum of 5 years after the case is closed, unless longer retention is necessary due to a contract, invoicing obligation or legal dispute.

Newsletter and Marketing Communication

Newsletters are sent only on the basis of the data subject’s prior, voluntary consent. When subscribing to the newsletter, we may process the e-mail address, name, time of subscription, IP address and proof of consent.

Purpose of processing: sending newsletters, educational materials, offers and notifications about new content.

Legal basis: the consent of the data subject.

Retention period: until consent is withdrawn, i.e. until unsubscribing.

Users may unsubscribe from the newsletter by using the unsubscribe link at the bottom of each newsletter or by sending a request to the Data Controller’s e-mail address.

Comments

When submitting a comment, in addition to the data provided in the comment form, the commenter’s IP address and browser user agent string may be collected for spam filtering and website security purposes.

If the Gravatar service is used on the website, an anonymised string generated from the e-mail address may be transmitted to Gravatar to check whether a profile picture is associated with the e-mail address.

After approval of the comment, the content of the comment, the provided name and, where applicable, the profile picture may become publicly visible.

Legal basis: the consent of the data subject and the legitimate interest of the Data Controller.

Retention period: comments and their metadata are retained until deletion of the comment or until a deletion request is submitted by the data subject, unless further retention is necessary for legal or security reasons.

Media Uploads

If a registered user or author uploads images to the website, they should avoid uploading images that contain GPS location data or other personal data in EXIF metadata. Visitors of the website may download publicly available images and extract metadata from them.

Cookies

The website may use cookies. Cookies are small data files stored by the browser. Some cookies are essential for the operation of the website, while others may serve convenience, statistical or marketing purposes.

Essential Cookies

Essential cookies are necessary for the basic operation of the website, such as login, cart management, order process, security and session management.

Legal basis: the legitimate interest of the Data Controller and/or performance of a contract.

Convenience Cookies

If a user leaves a comment on the website, the provided name, e-mail address and website address may be stored in cookies for convenience, so that these fields do not have to be filled in again when leaving another comment. These cookies typically remain valid for one year.

Login Cookies

On the login page, the system may set a temporary cookie to check whether the browser accepts cookies. This cookie does not contain personal data and is deleted when the browser is closed.

When logging in, several cookies may be created to store login information and interface display settings. Login cookies typically remain valid for two days, or up to two weeks if the “Remember me” option is selected. Login cookies are removed when the user logs out.

Analytics and Marketing Cookies

Analytics or marketing cookies are used only on the basis of the data subject’s prior consent. These cookies may help measure website traffic and the performance of content, and may enable personalised offers or advertisements.

Possible service providers: Google Analytics / Meta Pixel

Legal basis: the consent of the data subject.

Consent may be withdrawn at any time through the cookie settings interface available on the website.

Embedded Content from Other Websites

The website may include embedded content from other websites, such as videos, images, social media posts, maps or articles. Embedded content behaves in the same way as if the data subject had directly visited the external website.

These external websites may collect data about the visitor, use cookies, apply third-party tracking codes and monitor user interaction with the embedded content, especially if the data subject is logged in to the relevant external service.

Data Transfers and Data Processors

The Data Controller transfers personal data to data processors only to the extent necessary for providing the service, complying with legal obligations, payment processing, invoicing, hosting, website operation, e-mail delivery, accounting or customer service tasks.

Data processors and external service providers:

  • hosting provider and system administration operator: Amper-Smart Kft.
  • domain and DNS provider: RackForest Kft.
  • website engine and plugins: WordPress, WooCommerce, Polylang and other installed plugins
  • payment service provider: PayPal
  • invoicing service provider: KBOSS.hu Kft. / Számlázz.hu
  • analytics service provider: Google Analytics
  • marketing service provider: Meta Pixel
  • e-mail service provider: self-operated mail system / server operated by Amper-Smart Kft.
  • accounting service provider: if the Data Controller uses an accounting service provider, billing and accounting data may be transferred to the extent necessary for performing accounting tasks
  • newsletter service provider: if the Data Controller uses an external newsletter service provider, subscription data may be transferred to the extent necessary for sending newsletters

Data processors may process personal data only according to the instructions of the Data Controller and only to the extent necessary.

Transfers to Third Countries

The Data Controller primarily processes personal data within the European Union and the European Economic Area. However, when certain external service providers are used, personal data may be transferred to third countries.

When using PayPal payment services, Google Analytics or Meta Pixel, personal data related to the operation of these services may be transferred outside the European Economic Area, in particular to the United States of America.

In the case of transfers to third countries, the Data Controller seeks to use service providers that apply appropriate legal safeguards in accordance with applicable data protection rules, such as adequacy decisions, standard contractual clauses or other appropriate data protection safeguards.

Automated Decision-Making and Profiling

The Data Controller does not apply automated decision-making that would produce legal effects concerning the data subject or similarly significantly affect them.

When marketing or analytics services are used, statistical or marketing-related profiling may occur, but only on the basis of the data subject’s consent.

Special Categories of Personal Data

The Data Controller does not request or process special categories of personal data, such as health data, data concerning religious or political beliefs, sexual orientation, or racial or ethnic origin. Please do not provide such data when contacting us, commenting or registering.

Children’s Data

The services of the website are not specifically intended for children. Persons under the age of 16 may use services involving the provision of personal data only with the consent of a parent or legal guardian.

Data Security

The Data Controller protects personal data against unauthorised access, alteration, transmission, disclosure, deletion, damage or destruction by applying appropriate technical and organisational measures.

Such measures may include, in particular: HTTPS connection, secure password management, restriction of access rights, regular updates, backups, logging, firewall, antivirus protection and deletion of unnecessary data.

How Long Do We Retain Personal Data?

Personal data are retained only for as long as the purpose of processing exists, or for as long as required by law, contractual obligation, legitimate interest or the enforcement of legal claims.

  • visitor and technical log data: maximum 180 days;
  • user account data: for as long as the account exists or until a deletion request is submitted;
  • order data: for the period necessary for contract performance and enforcement of legal claims;
  • billing data: typically 8 years, based on legal requirements;
  • contact messages: maximum 5 years after the case is closed;
  • newsletter subscription data: until consent is withdrawn;
  • comments: until deletion or request by the data subject, unless further retention is necessary for legal or security reasons.

Rights of Data Subjects

The data subject has the right to request information from the Data Controller regarding the processing of their personal data.

The data subject may request:

  • access to their personal data;
  • rectification of inaccurate personal data;
  • completion of incomplete data;
  • erasure of personal data, where the legal conditions are met;
  • restriction of processing;
  • data portability;
  • objection to processing based on legitimate interest;
  • withdrawal of consent where processing is based on consent.

The withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

The Data Controller responds to data subject requests without undue delay and within one month at the latest. Where necessary, this period may be extended by a further two months, of which the Data Controller will inform the data subject.

Export and Deletion of Data

If the data subject has a registered user account, has submitted a comment, has made a purchase or has provided personal data in any other way, they may request the export or deletion of the personal data processed about them.

Deletion does not apply to data that the Data Controller is required or entitled to retain on the basis of a legal obligation, performance of a contract, enforcement of legal claims, accounting obligation, security reason or legitimate interest.

Legal Remedies

For data protection questions or requests, the data subject should primarily contact the Data Controller at the following e-mail address: info@bitoattila.hu.

If the data subject believes that the processing of their personal data is unlawful, they may lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information.

Hungarian National Authority for Data Protection and Freedom of Information
Registered office: 1055 Budapest, Falk Miksa utca 9-11., Hungary
Postal address: 1363 Budapest, Pf. 9., Hungary
Telephone: +36 (1) 391-1400
E-mail: ugyfelszolgalat@naih.hu
Website: https://www.naih.hu

The data subject may also turn to a court if they believe that the processing of their personal data is unlawful.

Data Breach

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed.

The Data Controller investigates personal data breaches and, if the breach is likely to result in a risk to the rights and freedoms of natural persons, reports it to the supervisory authority in accordance with applicable rules. In the case of a high risk, the affected data subjects are also informed.

Amendment of this Privacy Policy

The Data Controller reserves the right to amend this Privacy Policy, in particular in the event of changes in law, introduction of a new service, new data processor, new payment method, new plugin or new purpose of processing.

The currently effective Privacy Policy is available on the website.

Effective from: 28 April 2026.