1. Name of the Data Controller

Company Name	Keleti Real Hospitality and Arts Service Limited Liability Company
Address	1182 Budapest, Üllői út 789.
Email	hello@madhousebudapest.hu

2. Purpose, Legal Basis, and Retention Period of Data Processing

Purpose of Data Processing	Processed Data	Legal Basis	Retention Period
Registration	Name, email address, billing address, billing name, shipping address, shipping name, phone number, date of birth, login details (username and password).	Consent of the data subject. [GDPR Article 6 (1)(a)]	Until the registration is active or until the consent is withdrawn (request for deletion).
Order Fulfillment	Name, email address, date of birth; order details (e.g., quantity of ordered products, payment information)	Performance of the contract [GDPR Article 6 (1)(b)]	For five years following the fulfillment, as the general limitation period under civil law.
Invoicing	Billing name, billing address, tax status	Compliance with a legal obligation [GDPR Article 6 (1)(c)]	Data is processed to meet tax (five years) and accounting (eight years) obligations.
Delivery	Shipping name, shipping address, email address, phone number	Consent of the data subject. [GDPR Article 6 (1)(a)]	Contracts are retained for five years following their termination, as the general limitation period under civil law.
Complaint Handling	Unique identifier of the complaint, consumer’s name, address, place and time of complaint, mode of complaint, list of documents and evidence submitted by the consumer, description of the complaint	Compliance with a legal obligation [GDPR Article 6 (1)(c)]	Complaints are retained for five years as per the Consumer Protection Act.
Marketing Communication	Personal data you provide when contacting us in connection with the webshop, such as via phone, email, or postal mail, or when communicating with us through social media.	Consent of the data subject. [GDPR Article 6 (1)(a)]	Until the consent is withdrawn.
Remarketing	Data processed by cookies as specified in the Cookie Policy.	Consent of the data subject. [GDPR Article 6 (1)(a)]	Detailed information can be found in the general data management information available here.

Note: Registration is not a prerequisite for purchasing in the webshop, but we are obliged to verify your age in any case.

Note: Withdrawal of consent does not affect the legality of data processing based on consent before its withdrawal.

3. Source and Scope of Processed Personal Data

The Data Controller does not process personal data that is not collected directly from the data subject.

4. Recipients and Categories of Recipients of Personal Data

For the provision of our services, it is essential to cooperate with other organizations, with whom we share certain data:

Service	Provider	Details
Technology Services	Netwerk Media Developer and Service Limited Liability Company	Responsible for the development and maintenance of our site, and operation of IT systems necessary for the website. Tax number: 22776721241, Company registration number: 01 09 943073.
Data Storage Services	Tárhely.eu Ltd.	Web hosting provider (1132 Budapest, Victor Hugo u. 18-22.).
Payment Processing	Barion Payment Ltd.	Online card payments are processed through Barion. Card data is not accessible to the merchant. Barion Payment Ltd. is supervised by the Hungarian National Bank, license number: H-EN-I-1064/2013.
Delivery Services	Magyar Posta Zrt.	Provides our delivery services.

We only share personal data with these organizations that are essential for their services.

Beyond this, laws or public authorities may require us to share personal data.

5. Data Security

The Data Controller ensures the security of the personal data processed, considering the state of the art, implementation costs, nature, scope, context, and purposes of the processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons.

The Data Controller takes technical and organizational measures and develops procedural rules to ensure the protection of processed data and prevent their destruction, unauthorized use, and unauthorized alteration.

Only the Data Controller and its employees, and the data processors it employs, may access the data according to their authorization levels, and data will not be shared with third parties not authorized to access it.

6. Rights of the Data Subject Regarding Data Processing

6.1 Deadlines

The Data Controller will fulfill the data subject’s request to exercise their rights within one month of receipt. The day of receipt is not included in the deadline.

If necessary, considering the complexity and number of requests, the Data Controller may extend this deadline by an additional two months. The data subject will be informed of the reasons for the delay within one month of receipt of the request.

6.2 Data Subject Rights

6.2.1 Right of Access

The data subject has the right to request information from the Data Controller about whether their personal data is being processed and, if so, to know:

What personal data is being processed, on what legal basis, for what purpose, and for how long;
To whom, when, under what legal basis, and which personal data has been made accessible or transferred;
The source of the personal data;
Whether the Data Controller uses automated decision-making, including profiling.

The Data Controller provides a copy of the personal data undergoing processing upon request. The first copy is free, and a reasonable fee may be charged for additional copies.

To ensure data security and the protection of the data subject’s rights, the Data Controller must verify the identity of the data subject and the person wishing to exercise the right of access.

6.2.2 Right to Rectification

The data subject can request the Data Controller to modify any of their personal data. If the data subject credibly proves the accuracy of the rectified data, the Data Controller will fulfill the request within one month and inform the data subject accordingly.

6.2.3 Right to Restriction of Processing

The data subject can request the Data Controller to restrict the processing of their personal data if:

The accuracy of the personal data is contested (the restriction applies for the period needed to verify the data’s accuracy);
The processing is unlawful, and the data subject opposes the erasure of the data and requests restriction instead;
The Data Controller no longer needs the personal data for processing, but the data subject requires it for legal claims; or
The data subject has objected to processing (the restriction applies until it is determined whether the Data Controller’s legitimate grounds override those of the data subject).

6.2.4 Right to Object

The data subject does not have the right to object to processing if the processing is based on the legal basis described in this notice.

6.2.5 Right to Erasure

The data subject can request the Data Controller to delete their personal data without undue delay if there is no other legal basis for the processing.

6.2.6 Right to Data Portability

The data subject has the right to receive their personal data provided to the Data Controller in a structured, commonly used, and machine-readable format and to transmit those data to another controller without hindrance from the Data Controller.

7. Right to Legal Remedy

If the data subject believes that the Data Controller has violated their privacy rights, they can:

Lodge a complaint with the National Authority for Data Protection and Freedom of Information (Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c, Postal address: 1530 Budapest, Pf.: 5. Email: ugyfelszolgalat@naih.hu, Website: www.naih.hu); or
Take legal action to protect their data. They can choose to submit their case to the court competent for their residence (permanent address) or place of stay (temporary address), or to the court of jurisdiction based on the Authority’s headquarters. The court competent for residence or place of stay can be found at http://birosag.hu/ugyfelkapcsolatiportal/birosag-kereso. The court of jurisdiction based on the Authority’s headquarters is the Metropolitan Court of Budapest.

PrivacyPolicy