PRIVACY POLICY

Data Controller
Name: Aura Perfume Limited Liability Company

Registered office: 1073 Budapest, Barcsay Street 14, 1st floor, door 4

Mailing address, complaint handling: 1073 Budapest, Barcsay Street 14, 1st floor, door 4

E-mail: info@aurabudapest.com

Phone number: +36 20 960 9240

Website: https://www.aurabudapest.com/

Hosting Service Provider
Name: Wix.com Ltd.

Mailing address: 40 Namal Tel Aviv St. Tel Aviv 6350671, Israel

E-mail address: support@wix.com

Description of Data Processing Conducted During the Operation of the Webshop
This document contains all relevant data processing information regarding the operation of the webshop, in accordance with the General Data Protection Regulation of the European Union No. 2016/679 (hereinafter: Regulation, GDPR) and Act CXII of 2011 (hereinafter: Infotv.).

Information Regarding the Use of Cookies
What is a cookie?

The Data Controller uses so-called cookies when visiting the website. A cookie is an information package consisting of letters and numbers that our website sends to your browser to save certain settings, facilitate the use of our website, and assist in collecting some relevant statistical information about our visitors.

Some cookies do not contain personal information and are not suitable for identifying individual users, while some contain an individual identifier - a secret, randomly generated sequence of numbers - which is stored on your device, making your identification possible. The duration of operation of each cookie is specified in its respective description.

Legal Background and Basis of Cookies:

Essentially, there are three types of cookies:

Essential cookies, which ensure the proper functioning of the website.
Statistical cookies.
Marketing cookies.

The legal basis for data processing regarding statistical and marketing cookies is your consent under Article 6(1)(a) of the Regulation, while for essential cookies, the legal basis is the legitimate interest of ensuring the website’s functionality under Article 6(1)(f) of the Regulation.

Main Characteristics of the Cookies Used by the Website:
Google Consent Mode v2
The Data Controller has integrated Google Consent Mode v2 into its website, enabling consent and rejection management through its cookie panel. Google Consent Mode v2, in addition to the previously used two flags (analytics_storage, ad_storage), now utilizes two additional flags for storing and reading statistical and advertising-related cookies:

ad_user_data: Any user data that can be sent to Google for advertising purposes.
ad_personalization: User data that can be used for personalized advertising purposes, such as remarketing.

These two toggles determine whether the storage and reading of statistical and advertising cookies are permitted.

Data Processed for Contract Conclusion and Performance
Various data processing cases may occur for contract conclusion and performance. Please note that data processing related to complaint handling and warranty administration only takes place if you exercise any of these rights.

If you do not make a purchase via the webshop and only browse, the provisions regarding marketing data processing may apply to you, provided you have given consent for marketing purposes.

Detailed Information on Data Processing for Contract Conclusion and Performance:

Issuance of an Invoice
The data processing process is carried out for issuing a legally compliant invoice and fulfilling the obligation to retain accounting records. According to Section 169 (1)-(2) of Act C of 2000 on Accounting, economic entities must retain accounting documents that directly or indirectly support accounting records.

Processed Data:
Name, address, email address, phone number.

Duration of Data Processing:
Invoices must be retained for 8 years from the date of issue, according to Section 169 (2) of the Accounting Act.

Legal Basis for Data Processing:
The issuance of an invoice is mandatory under Section 159 (1) of Act CXXVII of 2007 on Value Added Tax, and the retention period is 8 years under Section 169 (2) of the Accounting Act [processing under Article 6(1)(c) of the Regulation].

Recipients and Data Processors of Data Processing Related to Goods Delivery

Recipient Name: Magyar Posta Private Limited Company
Recipient Address: 1138 Budapest, Dunavirág Street 2-6.
Recipient Phone Number: +36-1/767-8200
Recipient Email Address: ugyfelszolgalat@posta.hu
Recipient Website: posta.hu

The courier service cooperates with the Data Controller under a contract for the delivery of ordered goods. The courier service processes the received personal data in accordance with its data processing policy available on its website.

Recipient Name: GLS General Logistics Systems Hungary Package Logistics Ltd.
Recipient Address: 2351 Alsónémedi, GLS Europe St. 2.
Recipient Phone Number: +36 29 88 67 00
Recipient Email Address: info@gls-hungary.com
Recipient Website: https://gls-group.eu/HU/hu/home

Recipient Name: Packeta Hungary Ltd.
Recipient Address: 1044 Budapest, Ezred Street 2.
Recipient Phone Number: +36 1 400 8806
Recipient Email Address: info@packeta.hu
Recipient Website: packeta.hu

Further Data Processing
If the Data Controller intends to conduct additional data processing, it will provide prior information on the relevant circumstances of the processing (legal background and legal basis, purpose of data processing, scope of processed data, duration of data processing).

Recipients of Personal Data

Data Processing for Personal Data Storage
Data Processor Name: Wix.com Ltd.
Email Address: support@wix.com
Registered Office: 40 Namal Tel Aviv St. Tel Aviv 6350671, Israel
Website: wix.com

The Data Processor, under a contract with the Data Controller, is responsible for storing personal data. The Data Processor is not entitled to access the personal data.

Data Processing Related to Accounting
Data Processor Name: Optima Support Ltd.
Registered Office: 2626 Nagymaros, Katica Promenade 10387/3.
Phone Number: +36 20 298 2147
Email Address: info@optimasupport.com
Website: optimasupport.hu

The Data Processor cooperates with the Data Controller in the accounting of invoices under a written contract. In doing so, it processes the affected person’s name and address to the extent necessary for accounting records and retains them for the period specified in Section 169 (2) of the Accounting Act, after which they are immediately deleted.

Data Processing Related to Billing
Data Processor Name: Billingo Technologies Plc.
Registered Office: 1133 Budapest, Árbóc Street 6, 1st floor
Phone Number: +36 1 500 9491
Email Address: hello@billingo.hu
Website: billingo.hu

The Data Processor cooperates with the Data Controller in keeping accounting records under a contract. In doing so, it processes the affected person’s name and address to the extent necessary for accounting records and retains them for the period specified in Section 169 (2) of the Accounting Act, after which they are deleted.

Data Processing Related to Online Payment
Data Controller Name: Stripe, Inc.

Data Controller Email Address: support@stripe.com

Data Controller Website: stripe.com

The payment service provider cooperates with the Data Controller under a contract for the execution of online payments, during which data transfer takes place to the online payment service provider during the purchasing process. In this process, the online payment service provider processes the billing name and address of the concerned individual, the order number, and the time of purchase according to its own data processing policies.

Purpose of Data Transfer: To provide the online payment service provider with the transactional data necessary for processing the payment operation initiated by the customer.

Legal Basis for Data Transfer: According to Article 6(1)(b) of the Regulation, the performance of the contract between you and the Data Controller, which includes the payment by the customer, and in the case of online payments, the data transfer described in this section is necessary for the transaction.

Your Rights Regarding Data Processing
During the data processing period, you have the following rights according to the provisions of the Regulation:

The right to withdraw consent
The right to access personal data and information related to data processing
The right to rectification
The right to restriction of processing
The right to erasure
The right to object
The right to data portability

If you wish to exercise your rights, it involves your identification, and the Data Controller must necessarily communicate with you. Therefore, for identification purposes, providing personal data will be required (but only data that the Data Controller already processes about you). Additionally, your complaints related to data processing will be available in the Data Controller’s email inbox for the period specified in this notice.

If you are a customer and wish to be identified for complaint handling or warranty claims, please provide your order ID. This will allow us to identify you as a customer.

The Data Controller will respond to complaints related to data processing within a maximum of 30 days.

Right to Withdraw Consent
You have the right to withdraw your consent to data processing at any time. In such cases, we will delete the provided data from our systems. However, please note that if an order is not yet fulfilled, withdrawal may result in us being unable to complete the delivery to you.

Furthermore, if a purchase has already been completed, we cannot delete invoicing-related data due to accounting regulations. Additionally, if you have an outstanding balance with us, we may continue processing your data even if you withdraw your consent, based on our legitimate interest in debt collection.

Right to Access Personal Data
You have the right to receive confirmation from the Data Controller as to whether your personal data is being processed. If processing is ongoing, you have the right to:

Access the processed personal data
Be informed by the Data Controller about:
- The purposes of data processing
- The categories of personal data being processed
- Information about recipients or categories of recipients with whom the Data Controller has shared or will share the personal data
- The planned retention period of personal data, or if not possible, the criteria used to determine this period
- Your right to request rectification, erasure, or restriction of processing, and to object to processing based on legitimate interest
- The right to lodge a complaint with the supervisory authority
- If the data was not collected directly from you, all available information about its source
- The fact of automated decision-making (if applicable), including profiling, as well as meaningful information about the logic involved and the expected consequences of such processing for you.

The purpose of exercising this right may be to determine and verify the lawfulness of data processing. Therefore, if you request information multiple times, the Data Controller may charge a reasonable fee for fulfilling your request.

The Data Controller will provide access to your personal data by sending the processed personal data and information via email after identifying you. If you have a registered account, you can access your processed personal data by logging into your user account.

Please indicate in your request whether you wish to access your personal data or request information related to data processing.

Right to Rectification
You have the right to have inaccurate personal data concerning you corrected without undue delay.

Right to Restriction of Processing
You have the right to request the restriction of data processing if any of the following conditions apply:

You contest the accuracy of the personal data; in this case, the restriction applies for a period enabling the Data Controller to verify the accuracy of the personal data. If the accurate data can be determined immediately, restriction will not apply.
The data processing is unlawful, but you oppose the erasure of the data for any reason (e.g., because the data is important for asserting legal claims), and instead request the restriction of its use.
The Data Controller no longer needs the personal data for processing, but you require them for legal claims.
You have objected to processing, but the Data Controller’s legitimate interest may still justify processing. In this case, processing must be restricted until it is determined whether the Data Controller’s legitimate interests override yours.

If data processing is restricted, such personal data may only be processed (except for storage) with the consent of the affected individual, for the establishment, exercise, or defense of legal claims, for protecting the rights of another natural or legal person, or for important public interest reasons of the EU or a member state.

The Data Controller will notify you in advance (at least 3 business days before lifting the restriction) about the removal of the restriction.

Right to Erasure – Right to Be Forgotten
You have the right to have your personal data erased without undue delay if any of the following conditions apply:

The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
You withdraw consent, and there is no other legal basis for processing.
You object to processing based on legitimate interest, and there are no overriding legitimate grounds for processing.
The personal data was unlawfully processed, as determined based on a complaint.
The personal data must be erased to comply with a legal obligation under EU or national law applicable to the Data Controller.

If the Data Controller has made the processed personal data public and is required to erase it for any of the above reasons, it must take reasonable steps, including technical measures, to inform other data controllers processing the data that you have requested the deletion of links to, copies, or replications of this personal data.

Erasure does not apply if processing is necessary:

For exercising the right to freedom of expression and information.
To fulfill a legal obligation requiring processing under EU or member state law (e.g., invoice retention required by law).
For the establishment, exercise, or defense of legal claims (e.g., if the Data Controller has an outstanding claim against you).

Right to Object
You have the right to object at any time, for reasons related to your particular situation, to the processing of your personal data based on legitimate interest. In such cases, the Data Controller may no longer process the data unless it demonstrates compelling legitimate grounds for processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

If personal data is processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such purposes, including profiling related to direct marketing. If you object to processing for direct marketing purposes, your personal data will no longer be processed for this purpose.

Right to Data Portability
If data processing is carried out by automated means or based on your voluntary consent, you have the right to receive the personal data you provided to the Data Controller in an XML, JSON, or CSV format. If technically feasible, you may request that the Data Controller transmit this data directly to another data controller.

Automated Decision-Making

You have the right not to be subject to a decision based solely on automated data processing (including profiling) that would have legal effects on you or similarly significantly affect you. In such cases, the Data Controller is obliged to take appropriate measures to protect the rights, freedoms, and legitimate interests of the data subject, including at least the right to request human intervention from the Data Controller, express their point of view, and contest the decision.

The above does not apply if the decision:

Is necessary for entering into or performing a contract between you and the Data Controller;
Is authorized by Union or Member State law applicable to the Data Controller, which also lays down appropriate measures for safeguarding your rights, freedoms, and legitimate interests; or
Is based on your explicit consent.

Registration in the Data Protection Register

According to the provisions of the Information Act (Infotv.), the Data Controller was previously required to report certain data processing activities to the data protection register. However, this reporting obligation ceased to exist as of May 25, 2018.

Data Security Measures

The Data Controller declares that it has implemented appropriate security measures to protect personal data from unauthorized access, modification, transmission, disclosure, deletion, or destruction, as well as from accidental loss or damage and inaccessibility due to changes in the applied technology.

Within the limits of its organizational and technical capabilities, the Data Controller makes every effort to ensure that its Data Processors also implement adequate data security measures when handling your personal data.

Remedies

If you believe that the Data Controller has violated any statutory provision related to data processing or has not fulfilled any of your requests, you may initiate an investigation by the National Authority for Data Protection and Freedom of Information to remedy the alleged unlawful data processing (mailing address: 1363 Budapest, Pf. 9., email: ugyfelszolgalat@naih.hu, phone numbers: +36 (30) 683-5969, +36 (30) 549-6838, +36 (1) 391 1400).

Additionally, you are informed that in the event of a violation of data protection laws or if the Data Controller fails to comply with any of your requests, you have the right to initiate a civil lawsuit against the Data Controller in court.

Modification of the Data Processing Policy

The Data Controller reserves the right to modify this data processing policy in a way that does not affect the purpose and legal basis of data processing. By continuing to use the website after the modification takes effect, you accept the updated data processing policy.

If the Data Controller intends to process the collected data for purposes other than those for which they were collected, it will inform you of the purpose of the further data processing in advance and provide the following information:

The duration of the storage of personal data, or if this is not possible, the criteria used to determine that period;
Your right to request access to, rectification, deletion, or restriction of the processing of your personal data from the Data Controller and, in the case of data processing based on legitimate interest, the right to object to such processing; additionally, if data processing is based on consent or a contractual relationship, your right to data portability;
In the case of consent-based data processing, your right to withdraw consent at any time;
The right to lodge a complaint with a supervisory authority;
Whether providing personal data is a legal or contractual requirement or a necessary condition for concluding a contract, as well as whether you are obliged to provide the personal data and the potential consequences of failing to do so;
The fact that automated decision-making (if applied), including profiling, is being used, and at least in such cases, meaningful information about the logic involved and the expected significance and consequences of such data processing for you.

Data processing may only begin after this notification, and if the legal basis for processing is consent, you must explicitly give your consent in addition to receiving the information.