Privacy policy

1. NAME OF THE DATA CONTROLLER

  • Data Controller: Best Beauty Kft. (hereinafter Data Controller)
  • Registered seat: H-2049 Diósd, Álmos fejedelem utca 15.
  • Site: H-1095 Budapest, Tinódi u. 1-3.
  • Company registration number: 07-09-025977
  • Tax number: 25285541-2-07
  • Website: www.boostificpro.com
  • Email: hello@boostificpro.com
  • Telephone: +36-70-610-4850

2. THE RELEVANT GENERAL LEGISLATION ON WHICH THE DATA PROCESSING IS BASED

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
  • Act CXII of 2011 on the right to informational self-determination and on the freedom of information (Info Act)
  • Act V of 2013 on the Civil Code (Civil Code)
  • Act CXXVII of 2007 on value added tax (VAT Act)
  • Act C of 2000 on accounting (Accounting Act)
  • Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities (Advertising Act)

3. DEFINITIONS

Personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Such typical personal data are in particular: name, address, date and place of birth, mother’s name.

Filing system: any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.

Data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymization: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor: a natural or legal person, public authority, agency or other body which processes the personal data on behalf of the controller.

Recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

Third party: natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

Consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Supervisory Authority: an independent public authority established in accordance with Article 51 of the GDPR; in Hungary, the Hungarian National Authority for Data Protection and Freedom of Information.

4. PRINCIPLES

The Data Controller observes the following principles while processing data. Accordingly, personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1) of the GDPR, not be considered to be incompatible with the initial purposes (“purpose limitation”);
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”);
  7. the controller shall be responsible for, and be able to demonstrate compliance (“accountability”).

5. LEGAL BASES OF PROCESSING

The Data Controller processes the personal data in a way that at least one of the following conditions applies:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the Data Controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

6. DATA PROCESSING ACTIVITIES

  • Data processing in relation to contractual relations

Personal data processed
Name, phone number, e-mail address of the contact person of the contractual partner

Purpose of data processing
Keeping contact with a contractual partner

Legal basis of data processing: Article 6(1) point b) of GDPR: performance of contract
Duration of data processing: 8 years under Subsection (1) of Section 169 of the Accounting Act

  • Data processing in relation to contacting

Personal data processed
Name, email address

Purpose of data processing
Contacting the interested party (the data subject)

Legal basis of data processing: Article 6(1) point a) of GDPR: consent of the data subject
Duration of data processing: until withdrawal of consent

  • Data processing in relation to sending newsletters

Personal data processed
Name, email address

Purpose of data processing
Sending newsletters

Legal basis of data processing: Article 6(1) point a) of GDPR: consent of the data subject
Duration of data processing: until withdrawal of consent

  • Data processing in relation to webshop registration

Personal data processed
Name, email address, phone number

Purpose of data processing
Registration in webshop

Legal basis of data processing: Article 6(1) point b) of GDPR: performance of contract
Duration of data processing: 5 years under Section 6:22 of the Civil Code

  • Data processing in relation to attending trainings

Personal data processed
Name, email address, phone number

Purpose of data processing
Attending trainings

Legal basis of data processing: Article 6(1) point b) of GDPR: performance of contract
Duration of data processing: 5 years under Section 6:22 of the Civil Code 

  • Data processing in relation to product shipment

Personal data processed
Name, telephone number, email address, delivery address

Purpose of data processing
Delivery of product, performing contract

Legal basis of data processing: Article 6(1) point b) of GDPR: performance of contract
Duration of data processing: 5 years under Section 6:22 of the Civil Code

  • Data processing in relation to invoicing

Personal data processed
Name, address, tax number (in case of legal entity customers)

Purpose of data processing
Issuing invoices

Legal basis of data processing: Article 6(1) point c) of GDPR: fulfilment of legal obligations: Subsection (1) of Section 159 of the VAT Act
Duration of data processing: 8 years under Subsection (1) of Section 169 of the Accounting Act

7. ACCESS TO AND TRANSFER OF DATA

The personal data may be accessed by the employees of the Data Controller in order to carry out their duties.

The Data Controller uses Data Processors during the processing of data. The Data Processors do not make independent decisions; they only have the right to act in compliance with their contract concluded with the Data Controller and upon the instructions received. The Data Controller only uses Data Processors that implement appropriate technical and organizational measures to ensure a level of data security appropriate to the level of risk. The actual duties and liabilities of each Data Processor are set out in a contract between the Data Controller and the Data Processor.

The Data Controller uses the following Data Processors during the processing of data:

  • operation of website, development and system administrator: Best Beauty Kft. (registered seat: H-2049 Diósd, Álmos fejedelem utca 15.)
  • server provider: Shopify Inc. Registered seat: Ottawa, 151 O'Connor Street, Ground Floor, Canada
  • courier services: GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. (Registered seat: H-2351 Alsónémedi, GLS Európa u. 2., company registration number: 13-09-111755), DHL Express Magyarország Kft. (Registered seat: H-1185 Budapest, BUD International Airport airport building 302., company registration number: 01-09-060665)
  • online payment: Stripe (https://stripe.com/en-hu, Registered seat: 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland), PayPal (https://www.paypal.com/lu/webapps/mpp/about, Registered seat: 22-24 Boulevard Royal L-2449 Luxembourg, Company registration number: R.C.S. Luxembourg B 118 349)
  • accounting: Pondera-2008 Kft. (Registered seat: 1225 Budapest, Angeli utca 6.; company registration number: 01-09-904852)
  • Preparation of ordered products and assembly of packages to be delivered: iLogistic Logistic and Service Limited Liability Company (registered office: 2051 Biatorbágy, Verebély László u. 2., company registration number: 13-09-185133)

The Data Controller provides any of the data processed to any authority, court or other public body only in a way and for the purpose set out in law. The Data Controller is required by law to transfer data to the following public authorities:

  • National Tax and Customs Authority

8. MEASURES TO ENSURE DATA SECURITY

The Data Controller stores the personal data on the servers of the server provider. The Data Controller takes appropriate IT, technical and personnel measures to ensure that the processed personal data are secured against, inter alia, unauthorized access or unauthorized alteration. For example, access to data stored in the information technology system is logged, so it can always be checked who accessed what personal data and when.

9. RIGHTS IN CONNECTION WITH DATA PROCESSING

  • Right to request information

The data subject may request information from the Data Controller in writing, through the contact details set out in Clause 1, on:

  • what personal data are processed,
  • on what legal basis,
  • for what data processing purpose,
  • from what source,
  • for how long,
  • to whom, when and under what legislation the Data Controller has granted access to his/her personal data, or to whom his/her personal data have been transferred.

The Data Controller shall fulfil the request of the data subject within one month, by letter sent to the contact details provided by the data subject.

  • Right to rectification

The data subject may request the Data Controller through the contact details set out in Clause 1, in writing, to rectify any of his/her personal data (for example, he/she may change his/her email address or other contact details at any time). The Data Controller shall fulfil the request of the data subject within one month, by letter sent to the contact details provided by the data subject.

  • Right to erasure

The data subject may request the Data Controller through the contact details set out in Clause 1, in writing, to erase his/her personal data. The Data Controller may reject a request for erasure if the Data Controller is legally obliged to further store the personal data. However, if there is no such legal obligation, the Data Controller processes the request of the data subject within one month at the latest, and sends its reply to the contact details provided by the data subject.

  • Right to blocking (restriction of data processing)

The data subject may request the Data Controller through the contact details set out in Clause 1, in writing, to restrict the processing of his/her personal data (by clearly indicating the restricted nature of data processing and ensuring processing separated from other data). Restriction shall last as long as it is justified by the reason indicated by the data subject. Restriction may be requested if, for example, the data subject believes that any of his/her applications has been unlawfully handled by the Data Controller, but it is necessary for the initiated official or court proceedings that the Data Controller does not delete the application. In this case, the Data Controller shall further store the personal data (e.g., the application concerned) until the request of the authority or court, and then erases the data.

  • Right to object

The data subject may object, through the contact details set out in Clause 1, in writing, to the processing of his/her personal data if the Data Controller would transfer or use any personal data for the purposes of public opinion polling or scientific research. Accordingly, the data subject may object, for example, to the use of the personal data by the Data Controller for the purposes of scientific research without consent.

10. LEGAL ENFORCEMENT IN CONNECTION WITH DATA PROCESSING

  • The data subject may contact the Data Controller through the contact details set out in Clause 1 in connection with enforcement of his/her rights regarding the protection of personal data.
  • The data subject may contact the following Authority in the case of an infringement of the protection of his/her personal data:

National Authority for Data Protection and the Freedom of Information (NAIH)

address: Budapest, Szilágyi Erzsébet fasor 22c, H-1125

postal address: H-1530 Budapest, P.O. box: 5.

phone: +36 (1) 391-1400

website: www.naih.hu

e-mail: ugyfelszolgalat@naih.hu

  • application for legal proceedings: if the data subject experiences that the processing of his/her personal data is unlawful, he/she may initiate legal proceedings against the Data Controller. The case belongs to the jurisdiction of tribunal courts. The proceedings may also be initiated, at the choice of the data subject, at the tribunal court having jurisdiction based on the location of the data subject’s residence (contact details for the tribunal courts are available via the following link: https://birosag.hu/torvenyszekek)

11. UPDATING AND AVAILABILITY OF THE PRIVACY NOTICE

The Data Controller maintains the right to unilaterally modify this Privacy Notice at any time. This Privacy Notice may be subject to modification in particular if so required by any modification to legislation, privacy authority practice, business needs or a newly discovered security risk. Upon the request of the data subject, the Data Controller will send one copy of the current version of the Privacy Notice, in a form agreed with the data subject.

COOKIES

Newsletters, DM activities

Name: Klaviyo
Website: https://www.klaviyo.com/
e-mail: sales@klaviyo.com
telephone: +44 800 358 4918

Personal data: Name, email address
Purpose of data processing: Identification, allowing subscription to newsletters.

Personal data: Date of subscription
Purpose of data processing: Performing a technical operation.

Personal data: IP address at the time of subscription
Purpose of data processing: Performing a technical operation.

Using Google AdWords conversion tracking

The Data Controller uses the online advertising program named “Google AdWords”, and within that framework also uses the Google conversion tracking program. Google conversion tracking is the analytics service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”). If a User reaches a website via a Google advertisement, a cookie required for conversion tracking is downloaded to his/her computer. The validity of these cookies is restricted, and they do not contain any personal data, thus the User may not be identified thereby. If the User browses certain pages of a website and the cookie has not yet expired, then both Google and the Data Controller can see that the User clicked on the advertisement. Each Google AdWords customer gets a different cookie, so the cookies cannot be tracked across the websites of AdWords customers. The information obtained by the conversion tracking cookies serves the purpose of preparing conversion statistics for AdWords customers who choose conversion tracking. In this way the customers can learn the number of users who clicked on their advertisement and were redirected to a page with a conversion tracking tag. However, they have no access to information whereby any of the users may be identified. If you do not want to be involved in conversion tracking, you can refuse it by blocking the possibility to download cookies in your browser. After that you will not be involved in conversion tracking statistics. For further information and the privacy notice of Google, please visit the following website: www.google.de/policies/privacy/

Using Google Analytics application

This website uses the Google Analytics application, which is the web analytics service of Google Inc. (“Google”). Google Analytics uses so-called “cookies”, text files which are saved on your computer and which support the analysis of the use of a website visited by the User. The information created by the cookies relating to the website used by the User is usually provided to and stored on one of Google’s servers in the US. With IP anonymization activated on the website, Google first shortens the User’s IP address within the Member States of the European Union or in other states party to the Agreement on the European Economic Area. The full IP address is transferred to and shortened on Google’s server in the US only in exceptional cases. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity for the website operator and to provide other services relating to website and internet usage. Within Google Analytics, the IP address transferred by the User’s browser will not be merged with Google’s other data. Users can prevent the storage of cookies by appropriate setting of their browser; however, please note that in this case, not all features of this website may be fully functional. Users can also prevent the collection and processing of their data relating to the use of the website by the cookies (including IP address), by downloading and installing the browser plugin via the following link: https://tools.google.com/dlpage/gaoptout?hl=hu

Using Facebook conversion tracking

  1. The Data Controller uses the remarketing code of Facebook. In this respect, we provide the following information: cookie lifespan: 20 days; purpose of data processing: Personalizing Facebook advertisements; further information: http://hu-hu.facebook.com/help/cookies/

Cookie type: Session cookies
Legal basis of data processing: Subsection (3) of Section 13/A of Act CVIII of 2001 on certain issues of electronic commerce and information society services
Duration of data processing: Period until the end of the relevant visitor session
Scope of data processed: connect.sid

Cookie provider: Facebook
Name of cookie: _fbp
Purpose of cookie: This cookie allows you to see ads on Facebook that may be of more interest to you.

Cookie provider: Facebook
Name of cookie: _fbc
Purpose of cookie: This cookie is generated when you land on a website by clicking on a Facebook ad.

Cookie provider: Google
Name of cookie: _ga
Purpose of cookie: We use this cookie to distinguish between individual users by a generated numeric code.

Cookie provider: Google
Name of cookie: _gid
Purpose of cookie: The cookie allows counting the visits and traffic sources of the website in order to measure and develop the performance of the website with the help of Google Analytics services.