Politica sulla riservatezza
On the processing of customers’ personal data
Preamble
It is necessary to inform the data subject about the data processing prior to its commencement. Upon request, it is necessary to provide the data subject with the privacy policy in electronic or paper-based form. During the contracting process, if the data subject objects to the data processing after the conclusion of the contract, it may result in the termination of the contract.
Processing of customers’ personal data
In accordance with the provisions of Act CXII of 2011 on the right of informational self-determination and freedom of information, and Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation or GDPR), ATTRACT Kft. as data controller hereby informs its customers about the processing of personal data provided by customers during the contractual relationship between them.
The data controller
Name of the data controller: ATTRACT Kft.
Registered office of the data controller: 7622 Pécs, Siklósi út 1/1.
Tax number of the data Controller: 11777364-2-02
Company registration no. of the data Controller: 02-09-066227
Telephone number of the data Controller: +36 72 551 642
E-mail address of the data Controller: contact@nosiboo.com
Name of the data protection officer (if any): –
Contact details of the data protection officer: –
The data controller shall inform the data subjects that there has been no appointment of a data protection officer with the data controller in accordance with Article 37 of the GDPR. If you have any complaints, comments, or questions regarding the data processing, you may contact the data controller using any of the contact details specified in this section.
Scope of processed data, purpose, and legal basis of data processing
| Name of personal data | Purpose of data processing | Legal basis of data processing |
| Surname and first name, telephone number | Getting in touch, recalling the calling party, and answering their questions | Article 6 (1) (a) of Regulation (EU) 2016/679 of the European Parliament and of the Council (following the provision of voluntary, explicit, and prior informed information of the data subject) |
| Surname and first name, e-mail address | Getting in touch, reply to the e-mail sender | Article 6 (1) (a) of Regulation (EU) 2016/679 of the European Parliament and of the Council (following the provision of voluntary, explicit, and prior informed information of the data subject) |
| Surname and first name, invoicing, and delivery address | Conclusion of the sales contract, performance of the order, invoicing, and delivery (purchase without registration) and invoicing of repair fees for non-warranty repairs | Article 6 (1) (b) to (c) of Regulation (EU) 2016/679 of the European Parliament and of the Council (performance of contractual and legal obligations), Article 169(c) of Act CXXVII of 2007 on value-added tax and Articles 167 (1) (a) – (j) and 169 (1) of Act C of 2000 on Accounting |
| Profile picture, comment, liking | Implementation of communication with visitors on the data controller’s own Facebook page | Article 6 (1) (a) of Regulation (EU) 2016/679 of the European Parliament and of the Council (following the provision of voluntary, explicit, and prior informed information of the data subject) |
| Surname and first name, e-mail address | eDM registration by ticking the relevant checkbox | Article 6 (1) (a) of Regulation (EU) 2016/679 of the European Parliament and of the Council (following the provision of voluntary, explicit, and prior informed information of the data subject) |
| Surname and first name, e-mail address, delivery address, telephone number | Customer service: performing all operations related to the order of the data subject (sales, marketing, technical coordination, logistics, accounting, etc.), return of the repaired device if necessary | Customer service is part of the contract concluded with the data subject, a service provided by the data controller, for the performance of which the data controller processes the personal data of the data subject for the performance of the contract, pursuant to Article 6 (1) (b) of Regulation (EU) 2016/679 of the European Parliament and of the Council |
| Surname and first name, health insurance fund identification number | In order to perform the settlement to the health insurance fund in the case of a health insurance fund settlement during the purchase | Pursuant to Article 169 (e) of Act CXXVII of 2007 on value added tax and Article 6 (1) (b) of Regulation (EU) 2016/679 of the European Parliament and of the Council, for the performance of the contract |
| Surname and first name, e-mail address | Completing a post-purchase marketing questionnaire for a discount coupon | Article 6 (1) (a) of Regulation (EU) 2016/679 of the European Parliament and of the Council (following the provision of voluntary, explicit, and prior informed information of the data subject) |
In addition to the above, also the employees of the data controller may have access to the personal data of the data subject to the extent and for the period necessary for the performance of their job tasks at work.
Facebook page
The data controller operates a Facebook page so that the data controller, as an entrepreneur, informs its followers about its activity from time to time. On the Facebook page, advertisements and prize game invitations related to the data controller as a business and to the offers of the data controller’s partners are also published.
In order to keep in touch with the followers, the data controller shall process with a consent the personal data generated on the Facebook page (surname, first name, profile picture, comment, if any), similarly to the contact by phone or e-mail, pursuant to Article 6 (1) (a) of Regulation (EU) 2016/679 of the European Parliament and of the Council.
Use of cookies on the website
Cookies are information packages consisting of letters and numbers that websites send to the user’s browser in order to:
- save certain settings,
- facilitate the use of the website and
- help the website operator – the data controller – to collect some information of statistical nature about visitors that is important thereto.
Cookies do not contain personal information and are not capable of identifying the user individually. Cookies often contain a unique identifier, a secret, randomly generated sequence of numbers stored on the device of the website’s visitor. Some cookies expire after the website is closed, while others are stored on the device of the website’s visitor for a longer period.
Users may prohibit all cookie-related activities and delete data files placed during their previous visits. The user’s browser provides instructions on how to do this.
When downloading parts of the website, the data controller automatically places small data files sometimes containing personal data of the visitor, on the visitor’s computer via Google Analytics, a visitor analytics software operated by Google Ireland Ltd (“Google”). The user will be notified of this when they first visit the site in accordance with the current legislation and the data controller asks for their consent.
The data files are necessary for the operation of certain functions of the website, the information is transferred to the operator. The users can refer to the table below for more information on the exact names of these data files (_ga, _gat, _gid). Google Analytics stores anonymously the IP number received by the browser; it cannot link it to the user. The data is kept for 2 years, which period starts again if a new event occurs in relation to the user.
By clicking on the links below the user can find out how to access the cookie management menu for the most frequently used browsers (Mozilla Firefox, Google Chrome, Internet Explorer):
Internet Explorer (Microsoft Edge)
Browser programs accept cookies by default, but the user can also choose a setting that refuses to accept cookies automatically or indicates their arrival.
For detailed information on the cookies used by the website, please refer to the attached table.
Cookies used on the website in detail
CATEGORY: Cookies necessary for operation
Cookies that are necessary for the operation of the website allow the visitor to use the website for its intended purpose (for example: page navigation or visiting secure parts of the website). The website cannot function properly without allowing the cookies required for the operation.
| DESCRIPTION | PROVIDER and TYPE | ROLE | DURATION |
| gdpr[cookies allowed] | en.nosiboo.eu HTTP | It verifies whether the visitor has ticked the checkbox related to the use of cookies. | 1 year |
| gdpr[cookies allowed] | en.nosiboo.eu HTTP | It verifies whether the visitor has ticked the checkbox related to the use of cookies. | 1 year |
| gdpr[consent] | en.nosiboo.eu HTTP | It verifies whether the visitor has ticked the checkbox related to the use of cookies. | 1 year |
| gdpr[consent] | en.nosiboo.eu HTTP | It verifies whether the visitor has ticked the checkbox related to the use of cookies. | 1 year |
| test_cookie | doubleclick.net HTTP | It verifies whether the visitor’s browser supports the use of cookies. | 1 year |
| __stripe_mid | en.nosiboo.eu HTTPS | It prevents fraud attempts on the Internet. | 298 days |
| _cs_c | en.nosiboo.eu HTTP | It stores user’s consent to the use of cookie (ConsentSquare). | 389 days |
| _cs_id | en.nosiboo.eu HTTP | It stores a unique user ID (ConsentSquare). | 389 days |
| language | en.nosiboo.eu HTTPS | It stores the language settings. | 26 days |
CATEGORY: Statistical cookies
Statistical cookies help the website operator understand the interactions of visitors by collecting anonymized data.
| DESCRIPTION | PROVIDER and TYPE | ROLE | DURATION |
| _dc_gtm_UA-# | en.nosiboo.eu HTTP | It verifies the loading of the Google Analytics script on sites associated with Google Tag Manager. | 1 day |
| _ga | en.nosiboo.eu HTTP | It registers a unique identifier, which we use to generate statistical data in order to find out how the visitor uses the website. | 2 years |
| _ga | nosiboo.eu HTTP | It registers a unique identifier, which we use to generate statistical data in order to find out how the visitor uses the website. | 2 years |
| _ga_# | nosiboo.eu HTTP | It registers a unique identifier, which we use to generate statistical data in order to find out how the visitor uses the website. | 2 years |
| _gid | en.nosiboo.eu HTTP | Google Analytics uses it to slow down the retrieval speed. | 1 day |
| _hjAbsoluteSessionInProgress | nosiboo.eu HTTP | HotJar uses it to detect the work phase of the first view to the user. This is a True/False signal set by the cookie. | 1 day |
| _hjFirstSeen | nosiboo.eu HTTP | It identifies the first session of the new user on the website, indicating whether Hotjar sees this user for the first time on the site or not. | 1 day |
| _hjid | en.nosiboo.eu HTML | HotJar uses it, which generates a random user ID for the visitor to the site. This ensures that the same user is assigned the same ID on subsequent visits to the same site. | Permanent |
| _hjid | en.nosiboo.eu HTTPS | It stores a unique user ID (Hotjar). | 359 days |
| _hjSessionUser_14 | en.nosiboo.eu HTTPS | It stores a unique user ID (Hotjar). | 359 days |
| _hjSessionUser_552450 | en.nosiboo.eu HTTPS | It stores a unique user ID (Hotjar). | 362 days |
| ajs_anonymous_id | en.nosiboo.eu HTTPS | It stores the settings of the user’s last visit (Atlassian Jira Servicedesk). | 359 days |
CATEGORY: Marketing cookiess
Marketing cookies collect information about the content read by the visitor. The purpose of cookies in this category is to allow the website operator to display relevant content and advertisements to the visitor, thereby enhancing the user experience on the website.
| DESCRIPTION | PROVIDER and TYPE | ROLE | DURATION |
| _fbp | nosiboo.eu HTTP | Facebook uses it to show ads that are relevant to the visitor. | 3 months |
| _gcl_au | nosiboo.eu HTTP | Google AdSense uses it to measure the effectiveness of ads. | 3 months |
| IDE | doubleklick.net HTTP | Google DoubleClick uses it and records how the visitor responds to the ads shown to them. Its purpose is to measure the effectiveness of advertisements. | 1 year |
| _BEAMER_FIRST_VISIT_ zeKLgqli17986 | en.nosiboo.eu HTTPS | It stores the user’s first interaction (Beamer). | 294 days |
| _BEAMER_USER_ID_ zeKLgqli17986 | en.nosiboo.eu HTTPS | It stores the date when the user last opened the news feed (Beamer). | 294 days |
| _clck | en.nosiboo.eu HTTP | It stores a unique user ID (Microsoft Clarity). | 325 days |
| _fbp | en.nosiboo.eu HTTP | It stores and tracks the user’s visits to websites (Facebook). | 359 days |
| _glc_au | en.nosiboo.eu HTTP | A Cookie used by Google Adsense to measure the effectiveness of ads. | 84 days |
| _uetvid | en.nosiboo.eu HTTP | It stores and tracks the user’s visits to websites (Bing Ads). | 387 days |
| guest | en.nosiboo.eu HTTP | It creates a guest ID for the user to identify themselves at the next visit. | 14 days |
| theme | en.nosiboo.eu HTTP | It stores the user’s screen settings. | 28 days |
| userReferer | en.nosiboo.eu HTTP | A cookie required to submit the form. | 14 days |
CATEGORY: Cookies under classification
Cookies under classification are data packages individually developed by the website operator.
| DESCRIPTION | PROVIDER and TYPE | ROLE | DURATION |
| display_nosiboo_sites | nosiboo.eu HTTP | It displays the relevant subdomain to the user depending on the user’s location (country). | 1 year |
| _gj | en.nosiboo.eu HTTPS | Under definition. | 256 days |
| _hjKB | en.nosiboo.eu HTTP | Under definition. | 359 days |
| _hjptid | en.nosiboo.eu HTTP | Under definition. | session |
| _scid | en.nosiboo.eu HTTP | Under definition. | 390 days |
| acq_homepage_ctas_starting _on_basic_assignment | en.nosiboo.eu HTTP | Under definition. | 54 days |
| ajs_user_id | en.nosiboo.eu HTTP | Under definition. | 359 days |
| CMSSESSID | en.nosiboo.eu HTTP | Under definition. | session |
| fs_uid | en.nosiboo.eu HTTPS | Under definition. | 256 days |
| jcm | en.nosiboo.eu HTTPS | Under definition. | 28 days |
| jcmc | en.nosiboo.eu HTTPS | Under definition. | 14 days |
| jotApi | en.nosiboo.eu HTTPS | Under definition. | 28 days |
| JOTFORM_SESSION | en.nosiboo.eu HTTPS | Under definition. | 12 days |
| jtuc | en.nosiboo.eu HTTPS | Under definition. | 14 days |
| limitAlignment | en.nosiboo.eu HTTPS | Under definition. | Session |
| OptanonAlertBoxClosed | en.nosiboo.eu HTTPS | Under definition. | 359 days |
| OptanonConsent | en.nosiboo.eu HTTPS | Under definition. | 359 days |
| savedUserLanguage | en.nosiboo.eu HTTPS | Under definition. | Session |
| template_uts | en.nosiboo.eu HTTPS | Under definition. | Session |
Withdrawal of consent
The data processing of the controller is based on consent (as defined above) for the following operations:
- contact by phone, form, or e-mail,
- subscribing to eDM (electronic direct marketing message),
- producing visitor statistics,
- managing comments and likes on the Facebook page.
The consent given by the data subject may be withdrawn at any time as simply as the consent had been given. In the case of contact, the data controller asks the data subject to request the deletion of their data by sending a short message to the e-mail address contact@nosiboo.com. Data processing prior to the withdrawal of consent is considered lawful.
Contractual and legal obligation
The data controller is legally obliged to issue an invoice for the service with a specific data content, so recording invoicing data and issuing the invoice is a legal obligation. If the data controller does not receive the legally required data from the data subject, it cannot perform the service undertaken. The legal basis for data processing is the compliance with the legal obligation of the data controller pursuant to Article 6 (1) (c) of Regulation (EU) 2016/679 of the European Parliament and of the Council, Article 169(c) of Act CXXVII of 2007 on value-added tax and Articles 167 (1) (a) – (j) and 169 (1) of Act C of 2000 on Accounting.
The data controller draws the attention of the data subject to the fact that during the retention period of the receipts and documents related to the sales contract it cannot guarantee the data subject’s right to erasure.
Duration of data processing (time-limits for storing the data)
- Surname and first name, billing address: for companies, the current year + 8 years, which is fixed by law (Section 169, paragraph (1) of Act C of 2000 on Accounting).
- In the case of cookies from the website, until the cookie expires or until the user deletes it from their browser (24 months for GA traffic statistics).
- In the case of a Facebook page operated by the Controller, until the Data Subject’s consent is withdrawn (by clicking the “Like” button again).
- Unsubscribing from eDM: by clicking on the “Unsubscribe” button in the eDM, as simply as subscribing had been made.
Profiling during data processing
No profiling is involved during data processing.
Automated decision-making during data processing
No automatic decision-making is involved during data processing.
Source of the personal data processed
The personal data processed come directly from the data subject.
Other data processing
The data controller shall provide information about the data processing not listed in this Policy at the time of recording the data. The data controller shall inform the data subjects that the authorities and any organization authorized by the law may contact the data controller for information, communication or transmission of data or making documents available. However, even in this case, the controller may disclose personal data in the amount and only to the extent that is absolutely necessary to achieve the purpose of the request.
Data transfer takes place:
| Category | Company name, registered office, activity |
| Data processors (persons performing technical tasks related to data processing operations) | ERSTE Bank Hungary Nyrt. (Registered office: 1138 Budapest, Népfürdő utca 24-26.) – Account management Pintér-Audit Könyvvizsgáló Kft. (Registered office: 7634 Pécs, Kovács Béla utca 6.) – Accounting KBOSS.hu Kft. (Registered office: 1031 Budapest, Záhony utca 7/C) – szamlazz.hu account Shoprenter Kft. (Registered office: 4028 Debrecen, Kassai út 129.) – Webshop operation Réder & Réder Kft. (Registered office: 7624 Pécs, Jurisics Miklós utca 5. 3. em. 8) – Administrator and hosting services Digi Távközlési és Szolgáltató Kft. (Registered office: 1134 Budapest Váci út 35.) – Wired internet services MiniCRM Zrt. (Registered office: 1075 Budapest, Madách Imre út 13-14.) – Customer Relationship Management Software Microsoft Ireland Operations Ltd. (One Microsoft Place, South County Business Park Leopardstown Dublin 18, D18 P521 / Microsoft Corporation, 15010 NE 36th Street, Microsoft Campus Building 92, Redmond, WA 98052) – MS Office365 provider Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, D02X525, Ireland) – Operation of the Facebook page of the data controller, receiving Messenger messages, implementation of targeted Facebook campaigns Google Ireland Limited (Legal Department Gordon House, Barrow Street, Dublin 4, Dublin, D04E5W5, Ireland) – Providing visitor statistics, implementation of targeted campaigns Hotjar Ltd (Dragonara Business Centre. 5th Floor, Dragonara Road, Paceville St Julian’s STJ 3141. Malta) – Providing visitor statistics The Rocket Science Group LLC (Atlanta, GA, 675 Ponce De Leon Ave NE #5000, United States of America – Sending eDm Yettel Magyarország Zrt. (Registered office: 2045 Törökbálint, Pannon út 1.) – Company phone fleet management Magyar Telekom Nyrt. (Registered office: 1097 Budapest, Könyves Kálmán krt. 36.) -Provision of fixed-line telephone services Jotform Inc. (Registered office: 4 Embarcadero Center, Suite 780, San Francisco CA 94111, USA) – Contact via form Tidio LLC (registered office: 160 Spear Streetm #1000 San Francisco, California 94105, USA) – The chatbot provider used on the website CIB Bank Zrt. (seat: 1024 Budapest, Petrezselyem utca 2-8., Hungary) – The provider of the card payment facility on the website Clicky Media Ltd. (The Hive, 47 Lever Street Manchester, M1 1FN, United Kingdom) – Preparation of visitor statistics TikTok Technology Limited (10 Earlsfort Terrace, Dublin, D02 T380, Ireland) – TikTok site operation, implementation of targeted campaigns |
| Recipients (natural or legal person, public authority, agency, or any other body to which the personal data are disclosed) | GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. (Registered office: 2351 Alsónémedi, Európa u. 2.) – Home delivery of parcels UPS Magyarország Szállítmányozó Kft. (Registered office: 2220 Vecsés, Lőrincz út 154. Airport City Logistics Park, Building G) – Home delivery of parcels B2C Europe (Netherlands) B.V. (Registered office: Zuiderzeelaan 80, Weesp 1382 JW, The Netherlands) – Parcel post for return shipments from EU Member States Magyar Posta Zrt. (seat: Budapest, Dunavirág utca 2-6., Hungary) – Package home delivery |
| Third (non-EU) countries | Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, D02X525, Ireland) – Operation of the Facebook page of the data controller, processing Messenger messages, implementation of targeted Facebook campaigns Google Ireland Limited (Legal Department Gordon House, Barrow Street, Dublin 4, Dublin, D04E5W5, Ireland) – Providing visitor statistics The Rocket Science Group LLC (Atlanta, GA, 675 Ponce De Leon Ave NE #5000, United States of America – Sending eDm Microsoft Ireland Operations Ltd. (One Microsoft Place, South County Business Park Leopardstown Dublin 18, D18 P521 / Microsoft Corporation, 15010 NE 36th Street, Microsoft Campus Building 92, Redmond, WA 98052) – MS Office365 provider Jotform Inc. (Registered office: 4 Embarcadero Center, Suite 780, San Francisco CA 94111, USA) – Contact via form Tidio LLC (Registered office: 160 Spear Street #1000 San Francisco, California 94105, USA) – The chatbot provider used on the website |
Joint controllership takes place
| Category | Company name, registered seat, activity |
| Implementation of targeted marketing campaigns | Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, D02X525, Ireland) – Operation of the Facebook page of the data controller, implementation of targeted Facebook campaigns |
Access to data and data security measures
Restriction of access: The handling of documents containing personal data is subject to appropriate security measures and the circle of those entitled to access is restricted. Documentation containing personal data is stored in a structured system, separated from each other during company processes. Paper-based documents are stored in lockable offices. An alarm system is in place in the office for property and personnel security purposes.
Data security measures: A business mailing system is used during the data processing process. Cloud storage is ensured with user access rights management and password protection. Data transfer to data controllers takes place on this platform. The network is protected by antivirus and firewall. Backups are made at regular intervals. Personal data are stored in a structured system in the software used by the company. Central password and access rights management is performed.
The data controller shall choose the IT tools used by it in such a way that the processed data are accessible to those authorized to access them, their authenticity is ensured, their integrity is verifiable, and they are protected against unauthorized access.
The IT system and network of the data controller are both protected against computer assisted fraud, espionage, sabotage, vandalism, fire and flood, computer viruses, computer intrusions and attacks that could lead to denial of service. The data controller ensures security through server-level and application-level protection procedures.
Electronic messages transmitted over the Internet, regardless of the protocol (e-mail, web, ftp, etc.), are vulnerable to network threats that could lead to fraudulent activity or disclosure, modification of information. The data controller shall take all reasonable precautions to avoid such threats. It monitors the systems to record any security discrepancies and provide evidence for any security incidents. However, the Internet is known not to be 100% secure that the data subjects also know. The data controller shall not be liable for any damage caused by inevitable attacks despite the utmost care.
Rights of the Data Subject
Right to information – The data subject has the right to be informed about the processing of personal data before the start of the processing.
Right to rectification – The data subject has the right to request the rectification of their personal data, if the personal data stored with the controller are inaccurate and they can prove it.
Right of access – The data subject has the right to request from the data controller the personal data stored about them.
Right to data portability – The data subject has the right to request in a digital tabular form the personal data stored about them.
Right to review automated decision-making – The data subject has the right to request a manual review of all processing processes where the controller has applied automated decision-making having legal effect on the data subject.
Lodging complaint
The data subject has the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information.
Name: National Authority for Data Protection and Freedom of Information (NAIH)
Registered office: 1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1063 Budapest, POB: 9.
E-mail: ugyfelszolgalat@naih.hu
Phone number: +36 (1) 391-1400
Fax number: +36 (1) 391-1410
Website: https://naih.hu
Judicial remedies
The provisions on judicial remedies are contained in Act CXII of 2011 on the right to informational self-determination and freedom of information.
If the data subject has objected to the processing, the data controller shall investigate the cause of objection within the shortest possible time, but within 15 days at the latest, adopt a decision as to its merits and shall notify the applicant in writing of its decision. If the data subject disagrees with the decision made by the data controller or the data controller fails to meet the above deadline, the data subject shall have the right to turn to court within 30 days following the decision or the last day of the deadline.
In case the rights of the data subject are violated, as well as in the above cases, the data subject may take legal action against the data controller. Such court proceedings shall be conducted under priority. The data subject, at their own discretion, may bring the action also before the court competent for their place of residence or stay. A party to the proceedings may also be a party who otherwise has no legal capacity to be a party to legal proceedings. The data protection authority may intervene in the legal proceeding in order to ensure the success of the data subject.
The controller is liable to compensate any damage caused to the data subject because of unlawful processing of their data or by any breach of data security requirements. If the controller infringes the data subject’s right to privacy by unlawfully processing their data or by breaching the data security requirements, the data subject may claim damages from the controller. The data controller shall be held liable to the data subject for any damage caused by the data processor and the data controller shall be liable to the data subject also for the damage caused in the event of infringement of personality rights by the data processor.
The controller shall be exempted from liability for the damage caused and from the obligation to pay the damage fee if it proves that the damage or the infringement of the data subject’s personality rights was caused by an inevitable reason beyond the scope of data processing. The damage need not be reimbursed, and the damages shall not be claimed in case the damage, or the data breach suffered by the injured party caused by infringement of personality rights was a result of deliberate or grossly negligent conduct of the data subject.
Date and place of entry into force: Pécs, 13 May 2024