Privacy notice

PRIVACY NOTICE
about CraftUnique Kft.’s data processing activity of the given personal data at „craftunique.com” website

I. Privacy Notice

CRAFTUNIQUE Korlátolt Felelősségű Társaság (registered seat: Hungary, 1143 Budapest, Ilka street 50., Registration number: 01-09-909528, tax number: 14562372-2-42, represented by individually: Attila Horváth CEO), as Data Controller of personal data (hereinafter referred to as the: „Data Controller”) with the present notice informs Data Subjects about its data processing activity under the title of the notice, about measures being made in connection with the protection of personal data in possession of the Data Controller, and about the possibilities of the Data Subject to obtain redress.

The purpose of the privacy notice is to provide appropriate information for the Data Subjects about rights and obligations in connection with processing their personal data. Under the notice, circumstances of personal data processing become ascertainable for the Data Subjects, under which they are able to make a well-founded decision about giving their consent to data processing.

The Data Controller created its data processing principles considering the provisions of the law in effect, with special regard to the following:

- Act CXII. of 2011, on Informational Self-determination and Freedom of Information,
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (of 27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
- Act. V. of 2013 on the Civil Code,
- Act XLVIII. of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities,
- Act CXXXVI. of 2007 on the Prevention and Impeding of Money Laundering and Terrorism Financing,
- Act C. of 2000 on Accounting,
- Act CVIII. of 2001 on certain issues of electronic commerce services and information society services.

1.1. Definitions

Definitions found in the present notice shall be interpreted by the following:
Data Controller: CRAFTUNIQUE Kft.
Data Subject: that person, whose personal data is being processed by the Data Controller.
Personal data: any information or data relating to the Data Subject; or any data from which the Data Subject can be identified, or conclusion to the Data Subject can be drawn.

1.2. Commitments of the Data Controller

a. Data Controller commits that all of its data processing activity meet the requirements of the provisions in the present privacy notice, national law in effect, and the legal acts of the European Union.

b. Data Controller commits that all of its data processing activity meet the requirements of the provisions in the present privacy notice, national law in effect, and the legal acts of the European Union. www.craftbot.com/privacy and at the www.craftbot.com/terms websites.

c. Data Controller is entitled to modify the Privacy notice without the consent of the Data Subject. In such case the Data Controller informs the Data Subject about the modification at www.craftbot.com website, at least 8 days prior to the date of effect. The Data Subject is considered to accept the amended Privacy notice by using the services of the Data Controller after date of effect.

1.2.1. Data Controller is committed to the protection of Data Subject’s personal data and attach great importance to the respect of Data Subject’s right to informational self-determination. Data Controller processes the Personal Data confidentially and takes all security, technical and organizational measures that guarantee the security of Personal Data. This Privacy Notice contains the Data Controller’s processing practices.

1.2.2. Data Controller’s data processing is based on the legal basises determined in the GDPR and its limited to it’s purpose.

1.2.3. Data Controller undertakes to inform the Data Subjects in a clear, unequivocal way prior to any recording, handling and processing of Personal Data, which includes information about the method, the purpose, and the principles of the processing.

1.2.4. If Data Controller intends to further process the Personal Data for a purpose other than that for which the Personal Data were obtained, the Data Controller provides the Data Subject with information on that other purpose and asks for prior consent to further processing, also provides an opportunity to the restriction of further processing.

II. Data Controller, Data of the Data Protection Officer

Name of the Data Controller:CRAFTUNIQUE Kft.
Registered seat and postal address:1143 Budapest, Ilka utca 50.
Registration authority:Commercial Court of the Capital Court
Registration number:Cg. 01-09-909528
Tax number:14562372-2-42
E-mail address:info@craftunique.com
Website:craftunique.com
On-call help desk number:+36 1 700 8060

Place and contact of the complaint handling service:
e-mail address:info@craftunique.com
On workdays between 10.00 a.m.- 16.00 p.m.

III. Legal base and purpose of the processing, the processed set of data, term of the processing, the ones, who are eligible to get to know the personal data

3.1. Legal base and purpose of the processing

Processing of the Data Controller under Article 6. Section 1. GDPR shall be based on the following legal bases:

1. voluntary consent of the Data Subject: Data Subject has given consent to the processing of his or her personal data for one or more specific purposes;
2. performance of contract: processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
3. compliance with legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject;
4. legitimate interest of the controller: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data, in particular where the Data Subject is a child.

3.1.1. At data processing which is based on voluntary consent of the Data Subject, he or she shall have the right to withdraw his or her consent at any time.

3.1.2. Legally incapacitated and limited capacitated minor shall not render service through the system of the Data Controller.

3.1.2 In certain case the processing, storage and transmission of the personal data is obligatory by law, about these cases we inform the Data Subjects.

3.1.3. We shall call the attention of those, who are reporting data to the Data Controller, that in case they are not reporting their own personal data, the Data Controller shall have the consent of the Data Subject.

3.2. Order without registration (online webstore service)

3.2.1. Purpose of the data processing:
Purpose of data processing is to provide the webstore service at the website, the performing of the order, the documentation of the purchase and the payment, and to perform account obligations.

3.2.2. Legal base of the data processing:
The performance of the contract, Article 6., Section 1., point b) GDPR.

3.2.3. Set of data under process:
The Data Subject is obligated to give these data: name, email address.

These data are optionally given by the Data Subject : telephone number, shipping address in case of delivery, in case of paying with bank card these data : name of the owner of the bank card, number of bank card, expiry date, CVC-code.

3.2.4. Erasure deadline of the data:
The deadline determined in the respectively applicable tax law and accounting law.

3.3. Data processing of the registered Data Subject without order

3.3.1. Purpose of the data processing:
During the prior registration a user account is created, which is secured by a password. After logging in, the Data Subject can curtail the procedure of purchase. Registration is only an opportunity for the Data Subject, it is not a precondition of purchase.

3.3.2. Legal base of the data processing:
Voluntary consent of the Data Subject, Article 6., Section 1., point a) GDPR.

3.3.3. Set of data under process:
The Data Subject is obligated to give these data: name, email address.
These data are optionally given by the Data Subject: year and month of birth, place of residence, occupation, hobby, short personal description

3.3.4. Erasure deadline of the data:
Data Controller is processing data until the use of the data for such purpose is prohibited by the Data Subject – by deleting his user account or in written form, sent to the Controller.

3.4. Data processing of the registered Data Subject in case of order

3.4.1. Purpose of the data processing:
To order through the webstore, the performing of the order, to perform payment and delivery.

3.4.2. Legal base of the data processing:
The performance of the contract, Article 6. Section 1., point b) GDPR.

3.4.3. Set of data under process:
The Data Subject is obligated to give these data: name, email address, invoice name and address
These data are optionally given by the Data Subject: telephone number, contact name, contact telephone number, delivery name, delivery telephone number and delivery address

3.4.3. Erasure deadline of the data:
The deadline determined in the respectively applicable tax law and accounting law.

3.5. Anonym Craftware downloader (not registrated Data Subject)

3.5.1. Purpose of the data processing:
Administration of the number of users of the website/software downloaders.

3.5.2. Legal basis of the data processing:
Voluntary consent of the Data Subject, Article 6., Section 1., point a) GDPR.

3.5.3. Set of data under process:
e-mail address

3.5.4. Erasure deadline of the data:
Data Controller is processing data until the use of the data for such purpose is prohibited by the Data Subject in written form sent to the Controller.

3.6. Invoicing

3.6.1. Purpose of the data processing:
To issue accounting documents in connection with purchase transactions, and keeping it until the deadline under law in effect.

3.6.2. Legal base of the data processing:
Compliance with legal obligation, Article 6., Section 1., point c) GDPR.

3.6.3. Set of data under process:
first and second name, invoicing address, date, content of the accounting document, tax number in case of invoice with VAT.

3.6.4. Erasure deadline of the data:
The deadline determined in the respectively applicable tax law and accounting law. In the event the Data Subject does not give the above mentioned data, the consequence is the failure of the purchase.

3.7. Electronical newsletter

3.7.1. Purpose of the data processing:
Sending email newsletters with advertisement to the interested ones.

3.7.2. Legal base of the data processing:
Voluntary consent of the Data Subject, Article 6., Section 1., point a) GDPR.

3.7.3. Set of data under process:
name, email address

3.7.4. Erasure deadline of the data:
Data Controller is processing data until the use of the data for such purpose is prohibited by the Data Subject by unsubscribe. Data Subject can unsubscribe with the unsubscribe link found at the bottom of the newsletter, or at the newsletter section of the website. Erasure of personal data is performed within 10 workdays after receiving the erasure request from the Data Subject.

3.8. Cookie

The Data Controller in order to perform purchase transaction and serve the clients customized, place a small data package (so called the « cookie ») at the computer of the Data Subject. The task of the cookie is to collect information about visitors and their devices; they remember the individual settings of the visitors, so that it can be used during online transactions, the visitor does not have to type data again; they make it easier to use the website and provide a quality user experience. If the web browser send back a previously saved cookie, it makes it possible for the Data Controller who handle the cookie to join the actual visit of the Data Subject, but only in connection with its own content.

During visiting the website, the Data Subject can give his consent to the use of the cookies on his computer and make the Data Controller access to them by clicking on the cookie warning button at the log in website.

3.8.1. Purpose of the data processing:
To identify and differentiate the Data Subjects, identify the actual work session of the users, to store the given data during actual work session, to prevent loss of data, to identify and monitor users.

3.8.2. Legal basis of the data processing:
Voluntary consent of the Data Subject, Article 6., Section 1., point a) GDPR.

3.8.3. Set of data under process:
identification number, date, and previously visited website

3.9. Other data processing

About those data processing, which are not indicated in the present privacy notice, we inform the Data Subject simultaneously with the recording of the data. We inform our customers, that the court, the prosecutor, the investigative authority, the offence authority, the public administration authority, the Hungarian National Authority for Data Protection and Freedom of Information and other bodies which are authorized by law may require certain data, information or documents from the Data Controller. Data Controller – when the authority indicated the purpose and the set of data properly – only deliver those personal data, which are essential to fulfil the request of the authority.

Data Controller does not check the given personal data. For the compliance of the data only the person is liable, who gives the data. Users are liable for the access of their email address, which is given to the Data Controller to contact the user. According to this, the user, who registrated the certain email address is the only responsible for the access to that email account. In case user does not report their own personal data, they shall provide the consent of the Data Subject.

The ones with any kind of employment relationship with the Data Controller, the courier company, which co-operates with the Data Controller in shipping the products (if shipping is required by the customer), the operator of the online payment system, and the Data Processors are entitled to get to know the given personal data.

3.10. Transmission of the personal data, the ones who are eligible to get to know the data

When the Data Subject order a service from the Data Controller, he or she consents to the transfer of his data to Data Controller’s following partners. Legal base for the transfer is the performance of the contract, Article 6., Section 1., point b) GDPR.

The Data Controller shall only transfer the personal data of the customer, which are essential to identify the person to the courier partner, who is shipping the ordered product in order to perform shipping and to contact with the customer in connection with the delivery. The purpose of data transfer is to make it possible for the partner of the Data Controller to deliver the ordered products to the Data Subject, as customer. Only those personal data are transferred to the courier partner, which are must be known by the partner to perform the delivery of product. Data Controller – to the request of the Data Subject – informs the Data Subject about its transferred personal data, to which courier partner was it transferred, and how can the Data Subject contact that certain partner.

Controller’s courier company partners:

DPD Hungária Kft.
Seat: 1158 Budapest, Késmárk utca 14/B
Company registration number: 01-09-888141.
Fax: (06 - 1) 501 – 6214
E-mail: dpd@dpd.hu
Web: www.dpd.hu

FedEx Trade Networks Transport & Brokerage (Hungary) Kft.
Seat: 2220 Vecsés, Airport City Logisztikai Park, Üllői út 807/B. C. ép.
Company registration number: 13 09 141990
Telefon: 06 40 980 980
E mail: hungary@ftn.fedex.com
Web: https://www.fedex.com/hu/

DHL Magyarország Kft.
Seat: 1088 Budapest, Rákóczi út 1-3.
Company registration number: 03-09-105032
Telefon: +36 1 2 45 45 45
Web: https://www.dhl.hu/hu

The Processor, as controller is entitled and obliged to transfer any available and legally stored personal data to the competent authorities if the law or a legally binding official decision requires the transmission. The Controller shall not be responsible for such transfer and for its consequences.

Other data transfers are exclusively based on the preliminary and properly informed consent of the Data Subject.

3.11. Data Subject’s rights

3.11.1. Right to information:
The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the Data Subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The Data Subject shall require information through contact details mentioned in the Article II. of this Privacy Notice. When requested by the Data Subject, the information may be provided orally, provided that the identity of the Data Subject is proven by other means.

3.11.2. Right of access by the Data Subject
The Data Subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- the envisaged period for which the personal data will be stored
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the Data Subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- information about the source of the personal data;
- the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

The request for information by e-mail shall be considered trustworthy only via the registered e-mail address of the Data Subject. The request for information must be sent to the following address: info@craftunique.com. If personal data are transferred to a third country or to an international organisation, the Data Subject shall have the right to be informed of the appropriate safeguards relating to the transfer. The Data Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the Data Subject, the controller may charge a reasonable fee based on administrative costs. Where the Data Subject makes the request by electronic means, the information shall be provided in electronic form. The Data Controller provides the information within a maximum of one month from the date of receipt of the request.

3.11.3. Right to rectification
The Data Subject is entitled to obtain from the controller the rectification of inaccurate and completion of deficient personal data concerning him or her via the e-mail address of the Controller mentioned in Article II. of the Privacy Notice.
If the personal data is inaccurate, and the appropriate personal data is available, the Data Controller shall perform the rectification.

3.11.4. Right to erasure
The Data Subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the Data Subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
- the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing,
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in European Union or EU Member State law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services
In case of erasure or modification of the personal data, the former data shall no longer be restored.
The erasure shall not be performed if the processing is necessary regarding to the following cases: there exists a legal obligation which requires processing by European Union or EU Member State law to which the Data Controller is subject; or the processing is necessary regarding to the establishment, exercise or defence of the Data Controller’s legal claims and interests.

3.11.5. Right to restriction of processing
The Data Subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the Data Subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
- the Data Subject has objected to processing, pending the verification whether the legitimate grounds of the controller override those of the Data Subject.

3.11.6. Right to data portability
The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.

3.11.7. Right to object
The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the Data Subject objects to processing direct marketing purposes, the personal data shall no longer be processed for such purposes.

3.11.8. Automated individual decision-making, including profiling
The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The Data Subject is not entitled to exercise the above right if the decision:
- is necessary for entering into, or performance of, a contract between the Data Subject and a Data Controller;
- is authorised by European Union or EU Member State law to which the controller is subject and which also lays down suitable measures to safeguard the Data Subject's rights and freedoms and legitimate interests; or
- is based on the Data Subject's explicit consent.

3.11.9 Right to withdraw
The Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

3.12. Possibilities for enforcement of claims:

3.12.1. With your questions and comments, please feel free to contact with the colleague of the Data Controller at info@craftunique.com e-mail address.

3.12.2. Right to judicial remedy: In case the Data Subject considers that his or her rights under GDPR have been infringed, each Data Subject has the right to an effective judicial remedy against the Data Controller. The court is dealing with such case with priority.

3.12.3. Proceeding of the data protection authority: Data Subject have the right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information.

Name: Hungarian National Authority for Data Protection and Freedom of Information
Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address cím: 1530 Budapest, Pf.: 5.
Telephone: 06.1.391.1400
Fax: 06.1.391.1410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu