Privacy Policy


Privacy Policy of the Immocto.com Website

1. Introduction

The operator of immocto.com, Studio Casa Korlátolt Felelősségű Társaság (Studio Casa Limited Liability Company), in its capacity as the Accommodation Provider and Data Controller, considers the protection and enforcement of the data processing rights of all natural persons concerned (hereinafter: ‘You’) to be of utmost importance. When handling, recording, processing, and transferring your personal data, we act in accordance with Act CXII of 2011 on the right to informational self-determination and on the freedom of information (hereinafter: ‘Information Act’), REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), and other applicable data protection laws. The Data Controller specifies that, in this Privacy Policy, immocto.com also refers to the following subdomains: myimmocto.com, booking.immocto.com, and rent.immocto.com.

2. Who is the Data Controller?

Name: Studio Casa Korlátolt Felelősségű Társaság (hereinafter: ‘Data Controller’)

Registered office (mailing address): H-1068 Budapest, Király utca 102.

Company registration number: 01-09-906350

Tax identification number: 14494635-2-42

Statistical code: 14494635-6832-113-01

E-mail address: info@immocto.com

Telephone number: +36 20 278 1822

3. What are the basic principles and legal bases of Data Processing?

3.1 Principles of Data Processing

As stated in Section 4 of the Privacy Policy, we treat the personal data provided to us confidentially, comply with the principles of lawfulness, fairness, and transparency under the GDPR, process personal data for specified purposes in accordance with the principle of data minimisation, adhere to the principle of storage limitation, protect the confidentiality and integrity of personal data, and respect the principle of accuracy as set out in the GDPR.


3.2 Legal Bases for Data Processing

The legal bases for the data processing activities carried out by the Data Controller vary depending on the specific processing activity. The respective legal bases are defined in the list provided under Section 4.

4. What processing operations are carried out by the Data Controller, for what purposes, what categories of data are processed, and for how long are they retained?


|   | Type of data processing | Legal bases for data processing | Purpose of data processing | Scope of processed data | Duration of the processing |
|---|---|---|---|---|---|
| 1 | Contacting the company, Requesting a quotation | Article 6(1)(a) of the GDPR, your explicit consent. | Recording your quotation request or any other messages You send us for the purpose of responding and maintaining contact. | Name; E-mail address; Telephone number; Message | For as long as necessary to fulfil the purpose of your contact inquiry or quotation request, but no longer than 6 months from the date of your inquiry. |
| 2 | Performance of the contract | Article 6(1)(b) of the GDPR, performance of the contract. | Performance of the contract concluded between the Data Controller and You. | Name; Address; Mother’s name; Place and date of birth; Nationality; Identity card number / Passport number | The data shall be retained for five years following the termination of the contract, in compliance with the general limitation period under the Hungarian Civil Code. |
| 3 | Contact details specified in the contract | The legitimate interest of the Data Controller in accordance with Article 6(1)(f) of the GDPR. | Facilitating the performance of a contract concluded between the Data Controller and You, or facilitating the performance of a contract concluded between the Data Controller and a contracting partner in which You act as the contact person. | Name; Address for service; E-mail address; Telephone number | The data shall be retained for five years following the termination of the contract, in compliance with the general limitation period under the Hungarian Civil Code. |
| 4 | Accommodation reservation | Article 6(1)(b) of the GDPR, performance of the contract. | Recording accommodation reservations on the Data Controller’s website, processing payments, and issuing and sending electronic invoices. | Name; E-mail address; Telephone number; Reservation data; Invoicing data; Bank card data | Data necessary for the accommodation reservation (Name, E-mail address, Telephone number, Reservation data) shall be retained for five years in accordance with the general limitation period of the Hungarian Civil Code. We retain invoicing data for eight years from the date of issuance of the invoice, in accordance with Paragraph (2) of Section 169 of Act C of 2000 on Accounting. |
| 5 | Complaint handling | Compliance with a legal obligation pursuant to Article 6(1)(c) of the GDPR, in accordance with Section 17/A. of Act CLV of 1997 on Consumer Protection | Complaint investigation | Name; E-mail address; Telephone number; Additional data provided by the complainant. | Copies of records taken about the complaint and responses to written complaints shall be retained for three years in accordance with Paragraph (7) of Section 17/A. of Act CLV of 1997 on Consumer Protection. |
| 6 | Newsletter | Your explicit consent pursuant to Article 6(1)(a) of the GDPR. | Sending direct marketing messages (newsletters). | Name; E-mail address | Until withdrawal of consent. |



5. Where does the Data Controller obtain your personal data from?

Only the personal data that You have provided will be processed by the Data Controller.

6. Where are the data stored?

Your personal data are stored electronically by the Data Controller via the hosting provider indicated in Section 7.2.

7. Is a data processor engaged?

In the course of data processing, the Data Controller uses the following data processors, who act solely on the instructions of the Data Controller and do not collect, store, or process personal data for their own purposes.


|   | Company name | Registered office | Company registration number | Tax identification number | Purpose of data processing | Data processed by the data processor |
|---|---|---|---|---|---|---|
| 1 | NTAK (National Tourist Information Center); Hungarian Tourism Agency Ltd. | H-1027 Budapest, Kacsa utca 15-23. | 01-10-041364 | 10356113-4-41 | Creation of a user account, provision of services and intermediary services accessed through the website, invoicing of fees related to the services, retention of documents related to the services and invoicing, and fulfilling statutory data reporting obligations. | name; birth name; e-mail; mother’s name; date of birth, place of birth; home country; tax identifier; permanent residency; notification address; telephone number; type and serial number of the identification document and the photograph on the identification document. |
| 2 | Amazon Web Services, Inc. (AWS), eu-central-1 (Frankfurt) | 2121 7th Avenue (SEA41) Seattle, WA 98121. USA. Contact details of the hosting provider: aws.amazon.com/contact-us |   |   | Hosting provider | Data specified in Section 4. |
| 3 | WP Online Hungary Ltd. | H-1094 Budapest, Balázs Béla utca 15-21. D. lház. 2. em. 4. ajtó | 01-09-967529 | 23480403-2-43 | Providing downloadable documents requested by the user, managing newsletter subscriptions, and enabling user contact. | Surname; First name; E-mail address; Telephone number; Message; Newsletter subscription |
| 4 | Framer B.V. | Rozengracht 207B, 1016 LZ, Amsterdam | 59920637 | NL853695386B01 | domain service | - |
| 5 | MailChimp (The Rocket Science Group LLC) | 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA |   | (EIN): 58-2554149 | newsletter distribution and management service | Surname; First name; E-mail address |
|   | STRIPE, INC | 354 Oyster Point Blvd, South San Francisco, California, United States, 94080 (EU-based registered office: The One Building, 1 Grand Canal Street Lower, Dublin 2, D02 H210, Ireland) | USA: 4675506 (EU: 513174) | EU: IE9825611F | Storage and validity verification of bank card data provided by the user, assessment of funds necessary for order fulfilment, and detection of bank card-related fraud and misuse. | Name; e-mail address; bank account number |

8. What measures does the Data Controller take to ensure the security of the personal data it processes?

8.1. The Data Controller designs and carries out data processing operations in such a way as to ensure the highest level of protection of your privacy when applying the provisions of the Information Act, the GDPR, and other data protection regulations.

8.2. The Data Controller ensures the security of the data, implements the necessary technical and organisational measures, and establishes procedural rules required for the enforcement of the provisions of the Information Act, the GDPR, and other data protection and confidentiality regulations.

8.3. The Data Controller protects the data with appropriate measures, particularly against unauthorised access, alteration, transmission, disclosure, erasure, or destruction, as well as accidental loss or damage, and inaccessibility resulting from changes in the technology used.

8.4. If the Data Controller uses an automated system for processing personal data, it shall ensure additional measures to guarantee the following:

a) the prevention of unauthorised data entry;

b) the prevention of unauthorised use of automated data processing systems by unauthorised persons through data transmission equipment;

c) the ability to verify and determine which entities have received or may receive personal data through the use of data transmission equipment;

d) the ability to verify and determine which personal data, when, and by whom have been entered into the automated data processing systems;

e) the ability to restore the installed systems in the event of a malfunction; and

f) that errors occurring during automated processing are reported.

8.5. The Data Controller shall consider the development stage of technology at all times when establishing and applying measures to safeguard data security. Where multiple data processing options are available, the Data Controller shall select the solution that provides the highest level of personal data protection, except where such a choice would impose a disproportionate difficulty on the Data Controller.

9. Under what circumstances may personal data be transferred to third parties?

The Data Controller shall not disclose your personal data to third parties.

10. What rights do You have and how can they be exercised?

You are entitled to various rights concerning the processing of your personal data, which You may exercise at any time. The Data Controller lists these rights below, with explanations of their implications for you. You may exercise your rights by submitting a request to one of the contact details specified by the Data Controller in Section 2. 

Right to withdraw consent

The data processing activities specified in Subpoints 1 and 6 of the Table in Section 4 are based on your consent, which You may withdraw at any time. Withdrawal of consent does not affect the lawfulness of data processing carried out before the withdrawal. Please send your request to withdraw consent to one of the contact details specified in Section 2.


Rights of access to and rectification of personal data

You have the right to access your personal data, request a copy, and have them rectified or updated at any time. 

Based on the right of access, You are entitled to receive information about the following:

  1. the purposes of data processing; 

  2. the categories of personal data relating to the data subject; 

  3. the recipients or categories of recipients with whom the personal data have been or will be shared, including in particular third-country recipients and international organisations; 

  4. where appropriate, the intended storage period of the personal data; 

  5. the data subject’s right to request the Data Controller to rectify, erase, or restrict the processing of their personal data, and to object to such processing; 

  6. the right to lodge a complaint with a supervisory authority; and

  7. the fact of automated decision-making, including profiling (which in this case refers to determining personal preferences and interests based on the personal data in the database, and sending direct marketing messages accordingly).

We understand the importance of this, so if You wish to exercise these rights, please contact us using any of the contact details specified in Section 2.


Right to data portability

Your personal data are portable. This means that your personal data can be transferred, copied, and transmitted electronically. 

If You wish to exercise your right to data portability, please contact us through any of the contact details specified in Section 2.


Right to delete personal data 

You have the right to request the deletion of your data in the following cases: 

  1. your personal data are no longer necessary for the purpose(s) for which they have been collected; or

  2. You withdraw your previous consent to the processing of your personal data and there is no other legal basis for the processing; or

  3. You object to the processing of your personal data; 

  4. the processing of personal data is not executed in a lawful fashion; or

  5. the deletion of your personal data is required for compliance with legal obligations.

However, the Data Controller is not obliged to comply with your request if the data processing is necessary for the following:

  1. for exercising the right of freedom of expression and information;

  2. for compliance with a legal obligation which requires processing by Union or Member State law to which the Data Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;

  3. for reasons of public interest in the area of public health;

  4. for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in so far as the deletion of data is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

  5. for the establishment, exercise, or defence of legal claims.

If You wish to exercise this right, please contact us using any of the contact details specified in Section 2.


Right to restriction of processing

You may request the restriction of the processing of your personal data under the following conditions:

  1. if You believe that the personal data stored in relation to You are not accurate; or

  2. the processing of personal data is not executed in a lawful fashion, but instead of requesting their erasure, You would prefer to restrict their processing; or

  3. the Data Controller no longer needs your personal data for the original purpose(s) for which they have been collected; however, You need them for the purpose of lodging or enforcing a claim or to object to a particular claim; or 

  4. You have objected to the processing of your personal data and are awaiting verification as to whether the legitimate grounds of the Data Controller override your interests related to the objection.

If You wish to restrict the processing of your personal data, please contact us using any of the contact details specified in Section 2.


Right to object

You may object to the processing of your personal data at any time. If You intend to exercise this right, please contact us using any of the contact details specified in Section 2.


Automated decision-making

The Data Controller does not carry out automated decision-making processes. 

11. Privacy Policy for data processing related to IT operations of the immocto.com website

The Data Controller carries out automated data collection on the immocto.com website, including the use of cookies and Google Analytics. Cookies are small files that are placed on the computer of the website visitor (hereinafter also referred to as the ‘User’ or ‘Data Subject’) when they visit the website. Their types and purposes may vary. The Data Controller’s website uses cookies for the following purposes: 

  • To ensure the protection and secure use of the website; 

  • To collect statistical data on website visitors and traffic in order to continuously improve the website’s performance; 

  • To record the visitor’s settings and usage preferences on the website, as well as to assess their usage patterns in order to enhance the user experience; 

  • For advertising purposes; 

  • To identify any potentially malicious IT operations. 

The Data Controller uses the following types of cookies on the website: essential cookies, which are necessary for the website to function, statistical and optimisation cookies, functional cookies, and marketing cookies. You can access the full list of cookies and related information, such as their retention period, type, and provider, by clicking the ‘Show details’ button in the cookie consent panel at the bottom of the website. 

The cookies used by the Data Controller’s website can also be categorised according to their retention period as follows: 

Where the retention period is indicated as ‘Session’, the cookies are automatically deleted when you leave the website; 

Where the retention period is indicated as ‘Persistent’, the cookies are stored for a longer period, the exact duration of which depends on the settings in the visitor’s web browser. 

Where a specific retention period is indicated, the cookies are stored until that period expires or, if deleted earlier, until the time of deletion. 

During the use of cookies on the Data Controller’s website, the following personal data are collected: 

  • IP address; 

  • type of browser used; 

  • language settings of the browser; 

  • characteristics of the operating system of the device used for browsing (e.g. type, set language); 

  • exact time of the visit; 

  • functions or services used on the visited website; 

  • time spent on the website. 

If you prefer the Data Controller’s website not to use cookies as described in this Privacy Policy, you can partially or fully disable cookies in your browser settings. Guidance on managing cookie settings for different web browsers can be found at the following links: 

Mozilla Firefox: How to enable or disable cookies used by websites to save your settings

Google Chrome: Turn cookies on or off

Microsoft Internet Explorer: Deleting and managing cookies; 

Microsoft Edge: Microsoft Edge, browsing data, and privacy

Apple Safari: Manage cookies and website data in Safari on Mac 

Users can find more information about the role of cookies and better protect their online privacy by visiting the following websites: 

the website of the European Interactive Digital Advertising Alliance, available at http://www.youronlinechoices.com/

11.1 Essential (core functionality) cookies 

These cookies are necessary to ensure that You can use all functions of the website, including browsing, smoothly and without interruptions. For this reason, they cannot be disabled, as the proper functioning of the website would not be possible without their use. 

For these cookies, the legal basis for data processing is the legitimate interest of the Data Controller, in accordance with Article 6(1)(f) of the GDPR. 

According to Opinion 04/2012 on Cookie Consent Exemption issued by the Article 29 Data Protection Working Party (hereinafter: ‘Opinion 04/2012’), the GDPR does not require obtaining consent for the following types of cookies (thus, providing information on their use is sufficient): 

  • user-input cookies, 

  • authentication cookies, 

  • user centric security cookies, 

  • multimedia player session cookie, 

  • load balancing session cookies, 

  • user interface customisation cookies. 

11.2 Statistical and optimisation cookies 

During the use of the Data Controller’s website, in addition to the personal data of the Data Subject, technical data generated by the Data Subject’s computer during the website visit are recorded (logged) when accessing and leaving the website. The purpose of these data is to compile statistics related to the website’s traffic and usage, as well as to support the overall development of the website’s IT system. Except where required by law, the Data Controller does not link these data with the personal data of the Data Subject, and access to these data is restricted to the Data Controller and the Data Processors’ personnel only. The Data Subject may delete cookies from their own computer at any time using the relevant settings in their browser, and may also disable the use of cookies via the browser settings (typically through the ‘Help’ function). By disabling the use of cookies, the User acknowledges that the website may not function at its full capacity without cookies. 

The legal basis for data processing is the Data Subject’s consent, in accordance with Article 6(1)(a) of the GDPR. The Company does not carry out any personal data processing in this context. 

11.3 Preference cookies 

The purpose of functional cookies is to enable the website to remember the settings You have selected, such as the website’s language, even after You leave the site, in order to provide a more personalised and convenient user experience. 

The legal basis for data processing is the Data Subject’s consent, in accordance with Article 6(1)(a) of the GDPR. 

11.4 Marketing cookies 

As their name suggests, these cookies serve advertising purposes, tracking users across websites in order to display content and advertisements that are relevant to them. Thus, an advertising partner may use these cookies to display relevant advertisements tailored to your interests when You visit another website. 

The legal basis for data processing is the Data Subject’s consent, in accordance with Article 6(1)(a) of the GDPR. 

These cookies also track the User’s activities on other sites to provide a more relevant advertising experience.

The Data Controller currently uses the following marketing cookies: 

| Name of the service provider | Google Ireland Limited | Meta Platforms Ireland Limited |
|---|---|---|
| Registered office | Gordon House, Barrow Street, Dublin 4, Ireland | 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland |
| Company registration number | 368047 | 462932 |
| Tax identification number | IE6388047V | IE9692928F |
| Website | https://ads.google.com | https://www.facebook.com/business/tools/meta-pixel |
| Privacy Policy | https://policies.google.com/privacy | https://www.facebook.com/privacy/policy |
| Contact form | https://support.google.com/policies/contact/general_privacy_form | https://www.facebook.com/help/contact/540977946302970 |
| Purposes of data processing | Displaying online advertisements, remarketing, conversion tracking | Measuring advertising campaigns, remarketing, displaying targeted advertisements |
| Applied technologies | DoubleClick cookie, Google Ads script | Meta Pixel (JavaScript code on the website) |


11.5. Granting and withdrawing consent

You can give your consent to the use of cookies via the Cookiebot consent panel displayed at the bottom of the page. On the panel, the User can choose which categories of cookies to consent to, and by clicking the ‘Show details’ button, the User can view the purpose, provider, and validity period of each cookie.

Consent can be withdrawn at any time using the ‘Change settings’ option on the same Cookiebot panel, which can be accessed again from the website footer.

Exact list of cookies and their purposes

The exact list of cookies used on the website – including their names, types, validity periods, and providers – is automatically generated by the Cookiebot system and can be accessed within the consent panel under the ‘Show details’ section, as well as by clicking the ‘Cookie information’ link located in the website footer.

12. What are the consequences of unlawful data processing? Right to lodge a complaint with a supervisory authority

12.1. The Data Controller is liable to compensate for any damage caused by unlawful processing of your data or by a breach of data security requirements. 

12.2. If the Data Controller, through unlawful processing of your data or breach of data security requirements, also infringes your personal rights, You may claim compensation from the Data Controller. 

12.3. If the Data Controller refuses to recognise any of your rights, or if You are not satisfied with our response, or if You wish to file a complaint, You may approach a civil court as well as the supervisory authority, the Hungarian National Authority for Data Protection and Freedom of Information (address: H-1055 Budapest, Falk Miksa utca 9-11.; postal address: H-1363 Budapest, Pf.: 9.; telephone number: +36 (1) 391-1400; e-mail address: ugyfelszolgalat@naih.hu).


Dated: Budapest, January 1, 2024