Privacy Policy
Personal data is handled only in accordance with the law. Data is stored as safely as possible. Personal data will only be transferred to third parties with consent.

Introduction
Hellobotanika.com (webshop operator: Metanoia Oktatási és Tanácsadó Bt.), address: 1222 Budapest, Bérkocsi utca 5., tax number: 20567266-1-43, bank account number: 16200223-10032990 (hereinafter the Service Provider, Data Controller) submits itself to the following. Pursuant to Paragraph (1), Section 20 of Act CXII of 2011 on Information Self-determination and Freedom of Information, the data subject (in the case of the webshop the user, hereinafter the “User”) must be informed prior to the processing of the data whether the data management is based on consent or is mandatory. Before the data is processed, the data subject must be clearly and thoroughly informed of all the facts related to his or her data management, in particular the purpose and legal basis of data management, the data controller and the person entitled to process it, and the duration of the data handling.
Pursuant to Paragraph (1), Section 6 of the Privacy Act the affected party must also be informed that personal data may be processed also if obtaining the data subject’s consent is impossible or it would give rise to disproportionate costs, and the processing of personal data is necessary:
– for compliance with a legal obligation pertaining to the data controller, or
– for the purposes of the legitimate interests pursued by the controller or by a third party, and enforcing these interests is considered proportionate to the limitation of the right for the protection of personal data.
This information should also include the rights and remedies available to the data subject in question. If informing the data subjects personally would be impossible or disproportionate (such as in this case with a webshop), the information may also be provided by publishing the following information:
a) an indication of the fact that data is being collected;
b) the data subjects targeted;
c) the purpose of data collection;
d) the duration of the proposed processing operation;
e) the potential data controllers with the right of access;
f) the right of data subjects and remedies available relating to data processing; and
g) where the processing operation has to be registered, the number assigned in the data protection register.
This Privacy Policy describes the data management of the following websites: www.hellobotanika.com and is based on the content specification above. The information is available at: www.hellobotanika.com/privacypolicy
Amendments to this policy will be published at the above address. The legal reference is shown after each section heading.

Definitions (3.§)
1. ‘data subject’ / ‘User’: shall mean any natural person directly or indirectly identifiable by reference to specific personal data;
2. ‘personal data’ shall mean data relating to the data subject, in particular by reference to the name and identification number of the data subject or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject;
3. ‘the data subject’s consent’: shall mean any freely and expressly given specific and informed indication of the will of the data subject by which he signifies his agreement to personal data relating to him being processed fully or to the extent of specific operations;
4. ‘the data subject’s objection’: shall mean a declaration made by the data subject objecting to the processing of their personal data and requesting the termination of data processing, as well as the deletion of the data processed;
5. ‘controller’: shall mean a natural or legal person, or organisation without legal personality, which alone or jointly with others determines the purposes and means of the processing of data, and makes and executes decisions concerning data processing (including the means used) or has them executed by a data processor;
6. ‘data processing’: shall mean any operation or the totality of operations performed on the data, irrespective of the procedure applied; in particular, collecting, recording, registering, classifying, storing, modifying, using, querying, transferring, disclosing, synchronising or connecting, blocking, deleting and destructing the data, as well as preventing their further use, taking photos, making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples, iris scans);
7. ‘data transfer’: shall mean ensuring access to the data for a third party;
8. ‘disclosure’: shall mean ensuring open access to the data;
9. ‘data deletion’: shall mean making data unrecognisable in a way that it can never again be restored;
10. ‘tagging data’ shall mean marking data with a special ID tag to differentiate it;
11. ‘blocking of data’: shall mean marking data with a special ID tag to indefinitely or definitely restrict its further processing;
12. ‘data destruction’: shall mean complete physical destruction of the data carrier recording the data;
13. ‘data process’: shall mean performing technical tasks in connection with data processing operations, irrespective of the method and means used for executing the operations, as well as the place of execution, provided that the technical task is performed on the data;
14. ‘data processor’: shall mean any natural or legal person or organisation without legal personality processing the data on the grounds of a contract, including contracts concluded pursuant to legislative provisions;
15. ‘data source’: shall mean the body responsible for undertaking the public responsibility which generated the data of public interest that must be disclosed through electronic means, or during the course of operation in which this data was generated;
16. ‘data disseminator’: shall mean the body responsible for undertaking the public responsibility which uploads the data sent by the data source if the data source has not published the data itself;
17. ‘data set’: shall mean all data processed in a single file;
18. ‘third party’: any natural or legal person, or organisation without legal personality other than the data subject, the data controller or the data processor;

Legal basis of data processing (5.-6.§)
Personal data may be processed under the following circumstances:
– when the data subject has given his consent, or when processing is necessary as decreed by law or by a local authority based on authorization conferred by law concerning specific data defined therein for the performance of a task carried out in the public interest.
Personal data may be processed also if obtaining the data subject’s consent is impossible or it would give rise to disproportionate costs, and the processing of personal data is necessary:
a) for compliance with a legal obligation pertaining to the data controller, or
b) for the purposes of the legitimate interests pursued by the controller or by a third party, and enforcing these interests is considered proportionate to the limitation of the right for the protection of personal data.
1. If the data subject is unable to give his consent on account of lacking legal capacity or for any other reason beyond his control, the processing of his personal data is allowed to the extent necessary and for the length of time such reasons persist, to protect the vital interests of the data subject or of another person, or in order to prevent or avert an imminent danger posing a threat to the lives, physical integrity or property of persons.
2. The statement of consent of minors over the age of sixteen shall be considered valid without the permission or subsequent approval of their legal representative.
3. Where processing under consent is necessary for the performance of a contract with the controller in writing, the contract shall contain all information that is to be made available to the data subject under this Act in connection with the processing of personal data, such as the description of the data involved, the duration of the proposed processing operation, the purpose of processing, the transmission of data, the recipients and the use of a data processor. The contract must clearly indicate the data subject’s signature and explicit consent for having his data processed as stipulated in the contract.
4. Where personal data is recorded under the data subject’s consent, the controller shall – unless otherwise provided for by law – be able to process the data recorded where this is necessary:
– for compliance with a legal obligation pertaining to the controller, or
– for the purposes of legitimate interests pursued by the controller or by a third party, if enforcing these interests is considered proportionate to the limitation of the right for the protection of personal data.

The object of data management (4.§ [1]-[2])
1. Personal data may be processed only for specified and explicit purposes, where it is necessary for the exercising of certain rights and fulfilment of obligations. The purpose of processing must be satisfied in all stages of data processing operations; recording of personal data shall be done under the principle of lawfulness and fairness.
2. The personal data processed must be essential for the purpose for which it was recorded, and it must be suitable to achieve that purpose. Personal data may be processed to the extent and for the duration necessary to achieve its purpose.

Other principles of data management (4.§ [3]-[4])
In the course of data processing, the data in question shall be treated as personal as long as the data subject remains identifiable through it. The data subject shall – in particular – be considered identifiable if the data controller is in possession of the technical requirements which are necessary for identification. The accuracy and completeness, and – if deemed necessary in the light of the aim of processing – the up-to-dateness of the data must be provided for throughout the processing operation, and shall be kept in a way to permit identification of the data subject for no longer than is necessary for the purposes for which the data were recorded.

Functional data management
1. Pursuant to Paragraph (1), Section 20 of Act CXII of 2011 on Information Self-determination and Freedom of Information, the following should be specified for the data management involved in operating the webshop functionality of the website:
a) an indication of the fact that data is being collected;
b) the data subjects targeted;
c) the purpose of data collection;
d) the duration of the proposed processing operation;
e) the potential data controllers with the right of access;
f) the right of data subjects relating to data processing.
2. Data collection, scope of managed data: surname and first name, e-mail address, phone number, shipping address, shipping name, billing address, billing name, amount payable, date of purchase, IP address of purchase.
3. Data subjects targeted: all parties shopping in the webshop on the website.
4. Purpose of data collection: The Service Provider manages the User’s personal data for the full use of the website, to create the contract for the provision of services, for the definition, modification, monitoring of the performance of said contract, the billing of its fees and the enforcement of related claims.
5. Duration of data collection, deadline for deleting data: immediately after the purchase is completed, except in the case of accounting documents: under Section 169 (2) of Act C of 2000 on Accounting, this data must be stored for 8 years. Accounting documents that directly or indirectly support the accounting records (including G/L accounts and analytical and/or detailed records) must be kept in legible form for at least 8 years and be retrievable in a manner consistent with the accounting records.
6. Legal basis for data handling: the User’s consent, Section 5 (1) of the Privacy Act and Section 13/A (3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (hereinafter referred to as the E-Commerce Act):
The Service Provider may manage the personal data that are technically indispensable for the provision of the service. If the other conditions are identical, the service provider must choose and always operate the tools used to provide the information society service in such a way that personal data is processed only if it is strictly necessary for the provision of the service and for the fulfillment of other purposes set out in this Act as required, but also in this case only to the extent and for the duration required.

Our principles for functional data management (E-commerce Act 13/A)
1. The Service Provider may manage the natural identity data, address and date of the service, the duration and the place of the service for the purpose of billing the charges resulting from the contract for the provision of information society services.
2. The Service Provider may manage the personal data that are technically indispensable for the provision of the service. If the other conditions are identical, the service provider must choose and always operate the tools used to provide the information society service in such a way that personal data is processed only if this is strictly necessary for the provision of the service and for the fulfillment of other purposes set out in the E-commerce Act as required, but also in this case only to the extent and for the duration required.
3. The handled data shall be deleted if the contract fails to enter into force, if it is terminated or following billing. The data must be deleted when the data management goal has been terminated or if the user so wishes. Unless otherwise stated in the law, the deletion of the data shall be made immediately.
4. The service provider must ensure that at any time before and during the use of the service relating to information society, the user can know the data types the service provider handles and for what data management purposes, including the handling of data that cannot be directly associated with the user.

Managing cookies
1. Pursuant to Paragraph (1), Section 20 of Act CXII of 2011 on Information Self-determination and Freedom of Information, the cookie data management of the website’s webshop must specify:
a) an indication of the fact that data is being collected;
b) the data subjects targeted;
c) the purpose of data collection;
d) the duration of the proposed processing operation;
e) the potential data controllers with the right of access;
f) the right of data subjects relating to data processing.
2. The cookies typical of webshops are the so-called ‘password-protected session cookies’, ‘shopping cart cookies’ and ‘security cookies’, which require no prior consent from the affected users.
3. Data collection, scope of managed data: unique ID number, dates, times
4. Data subjects targeted: all parties visiting the website.
5. Purpose of data collection: identifying users, tracking the ‘shopping cart’, and tracking visitors.
6. Duration of data collection, deadline for deleting data: data processing in session cookies lasts until the site visit is completed.
7. Potential data controllers with the right of access to the data: personal data can be handled by the data controller’s staff, respecting the principles above.
8. The right of data subjects relating to data processing: data subjects have the option to delete cookies in the Tools / Settings menu of browsers, usually under the Privacy menu settings.
9. Legal grounds for data management: no consent is required if the sole purpose of the use of cookies is the communication service provided through the electronic communications network or the provision of information society services expressly requested by the subscriber or user.
10. The webshop’s traffic data is measured by the Service Provider using the Google Analytics service. Data is transmitted when using this service. The transmitted data are not suitable for the identification of the subject. For more information about the Google Privacy Policy, see www.google.com/policies/privacy/ads/ and Act XLVIII of 2008.

Data Forwarding
1. Pursuant to Paragraph (1), Section 20 of Act CXII of 2011 on Information Self-determination and Freedom of Information, the data forwarding activities of the website’s webshop must specify:
a) an indication of the fact that data is being collected;
b) the data subjects targeted;
c) the purpose of data collection;
d) the duration of the proposed processing operation;
e) the potential data controllers with the right of access;
f) the right of data subjects relating to data processing.

Data collection and the scope of collected data.
1. The scope of the data transmitted for the shipping: shipping name, shipping address, telephone number, amount payable.
2. The scope of data transmitted to make an online payment: billing name, billing address, payable amount.
3. Data subjects targeted: all subjects requesting shipping, making an online purchase.
4. Purpose of data collection: shipping the ordered product, conducting the online purchase.
5. Duration of the proposed processing operation: until the shipping/online payment is completed.
6. Potential data controllers with the right of access to the data: personal data can be handled by the following, respecting the above principles:

Magnet Bank Zrt.
1062 Budapest, Andrássy út 98.
Tax no.: 14413591-4-44
Company registration no.: 01-10-046111
Privacy policy: www.magnetbank.hu/adatvedelem

Borgun hf.
Member of the National Net Accounting System of the National Bank of Hungary.
Hungarian National Bank ID: K8761097
Borgun hf. is represented in Hungary by B-Payment Zrt.

B-Payment Szolgáltató Zrt.
1132 Budapest, Váci út 4.
Tax no.: 24722137-2-41
Company registration no.: 01-10-047882
Privacy policy: www.b-payment.com/images/pdf/B-Payment-adatvedelmi-szabalyzat.pdf

Magyar Posta Zrt.
1138 Budapest, Dunavirág utca 2-6.
Tax no.: 10901232-2-44
Company registration no.: 01-10-042463
Privacy policy: www.posta.hu/adatkezelesi_tajekoztato

Billingo/Octonull Kft.
1085 Budapest, József körút 74. I. em. 6.
Tax no.: 25073364-2-42
Company registration no.: 01-09-1981177
Privacy policy: https://www.billingo.hu/adatkezelesi-tajekoztato

Hosting provider:
23VNet Számítástechnikai és Internet Szolgáltató Kft.
1094 Budapest, Liliom u. 24-26.
Tax no: 12188224-2-43
Company registration: 01-09-563212

7. The right of data subjects relating to data processing: the user can ask the service provider (data controller) providing the shipping/online payment to delete their personal data as soon as possible.
8. Legal basis for data forwarding: the User’s consent, Section 5 (1) of the Privacy Act and Section 13/A (3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services.

Data security (7.§)
1. Controllers shall make arrangements for and carry out data processing operations in a way so as to ensure full respect for the right to privacy of data subjects.
2. Controllers, and within their sphere of competence, data processors must implement adequate safeguards and appropriate technical and organizational measures to protect personal data, as well as adequate procedural rules to enforce the provisions of the Privacy Act and other regulations concerning confidentiality and security of data processing.
3. Data must be protected by means of suitable measures against unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as damage and accidental loss, and to ensure that stored data cannot be corrupted and rendered inaccessible due to any changes in or modification of the applied technique.
4. For the protection of data sets stored in different electronic filing systems, suitable technical solutions shall be introduced to prevent – unless this is permitted by law – the interconnection of data stored in these filing systems and the identification of the data subjects.
5. In respect of automated personal data processing, data controllers and processors shall implement additional measures designed to:
a) prevent the unauthorized entry of data;
b) prevent the use of automated data-processing systems by unauthorized persons using data transfer devices;
c) ensure that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data transfer devices;
d) ensure that it is possible to verify and establish which personal data have been entered into automated data-processing systems and when and by whom the data were input;
e) ensure that installed systems may, in case of malfunctions, be restored; and
f) ensure that faults emerging in automated data-processing systems are reported.
6. In determining the measures to ensure security of processing, data controllers and processors shall proceed taking into account the latest technical development and the state of the art of their implementation. Where alternate data processing solutions are available, the one selected shall ensure the highest level of protection of personal data, except if this would entail unreasonable hardship for the data controller.

Closing remarks
In preparing this policy we have taken the following legislation into account:
– Act CXII of 2011 on information self-determination and freedom of information (hereinafter Privacy Act),
– Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (in particular 13/A),
– Act XLVII of 2008 on the ban on unfair commercial practices against consumers,
– Act XLVIII of 2008 on the basic conditions and some limitations of economic advertising activity,
– Act XC of 2005 on the freedom of electronic information,
– Act C of 2003 on electronic communications,
– 16/2011 opinion on the EASA / IAB Recommendation on Best Practice in Behavioral Online Advertising.