Privacy notice
Effective: 2026-06-13
Draft. This text is a template and requires a privacy review before launch. Fields marked [KITÖLTENDŐ: ...] must be filled, and the list of processors and retention periods must be aligned with actual operations.
This notice explains how ServFaces Hungary Kft. processes the personal data of vitrio.hu visitors and customers, in line with Regulation (EU) 2016/679 (GDPR) and Hungarian Act CXII of 2011.
1. Controller
- Name: ServFaces Hungary Kft. (the "Controller").
- Registered office: [KITÖLTENDŐ: registered address]
- Email: [KITÖLTENDŐ: privacy contact email]
- Phone: [KITÖLTENDŐ: phone]
- Data protection officer: [KITÖLTENDŐ: name and contact if appointed; otherwise delete]
Further identification details are on the Imprint.
2. Data processed, purposes, legal bases, retention
2.1. Order and contract performance
- Data: name, email, phone, shipping and billing address, ordered items and order data, payment method, order ID.
- Purpose: processing the order, performing the contract, order-related contact.
- Basis: performance of a contract (GDPR Art. 6(1)(b)).
- Retention: until the civil-law limitation period following performance expires (typically 5 years); accounting documents per section 3.
2.2. Invoicing
- Data: name or company name, billing address, tax number (business invoice), purchase and invoice data.
- Purpose: issuing and retaining the legally required invoice.
- Basis: legal obligation (GDPR Art. 6(1)(c)), under the Hungarian Accounting Act and VAT Act.
- Retention: 8 years (Section 169 of the Accounting Act).
2.3. User account
- Data: email, hashed password, name, optional phone, saved addresses, order history.
- Purpose: sign-in, managing order history and saved data.
- Basis: performance of a contract / pre-contract request (GDPR Art. 6(1)(b)).
- Retention: until account deletion, or after [KITÖLTENDŐ: e.g. 3 years] of inactivity.
2.4. Shipping
- Data: recipient name, shipping address, phone, email (for delivery notifications).
- Purpose: delivering the ordered product.
- Basis: performance of a contract (GDPR Art. 6(1)(b)).
- Retention: until the complaint and limitation periods expire after the delivery is closed.
2.5. Newsletter (optional)
- Data: email, name, subscribe/unsubscribe data.
- Purpose: product updates, offers and discounts.
- Basis: consent (GDPR Art. 6(1)(a)), revocable at any time.
- Retention: until consent is withdrawn (unsubscribe).
2.6. Wishlist
- Data: list of products linked to the account.
- Purpose: remembering selected products for convenience.
- Basis: contract / user request (GDPR Art. 6(1)(b)); when signed out, stored on the user's device.
- Retention: until account or item deletion.
2.7. Warranty registration
- Data: order ID, product SKU, install date, serial number, contact details.
- Purpose: handling guarantee/warranty claims.
- Basis: contract performance and legal obligation (GDPR Art. 6(1)(b) and (c)).
- Retention: warranty period + [KITÖLTENDŐ: e.g. 1 year].
2.8. Referral and reseller programs
- Data: data identifying referrer and referee (name, email), referral code, coupons used, business data for B2B.
- Purpose: running the referral/reseller program, accounting for discounts and rewards.
- Basis: contract performance and legitimate interest in running the program (GDPR Art. 6(1)(b) and (f)).
- Retention: until participation ends, plus accounting retention for settlements.
2.9. Model request (with photo)
- Data: name, email, vehicle details, optional uploaded photo.
- Purpose: templating a new film, notification of availability.
- Basis: consent (GDPR Art. 6(1)(a)).
- Retention: [KITÖLTENDŐ: e.g. 2 years] or until consent withdrawal.
2.10. Contact and complaints
- Data: name, email, message content, complaint and handling data.
- Purpose: answering enquiries, investigating complaints.
- Basis: legitimate interest and legal obligation (GDPR Art. 6(1)(f) and (c)); complaint records kept 5 years under the Consumer Protection Act.
3. Processors
The Controller uses the following processors, who process data only on the Controller's instructions.
- Stripe Payments Europe, Ltd. (Ireland): card payment processing. Full card data is created and stored at Stripe; the Controller does not store card data.
- KBOSS.hu Kft. (Számlázz.hu) ([KITÖLTENDŐ: address]): issuing and delivering electronic invoices.
- Resend, Inc. (USA, with appropriate safeguards such as the EU Standard Contractual Clauses): delivering transactional and system emails (e.g. confirmations, password resets).
- Cloudflare, Inc. (Cloudflare R2) ([KITÖLTENDŐ: storage region, e.g. EU]): storing uploaded model-request photos and product images.
- Hosting provider: [KITÖLTENDŐ: hosting provider name and address] (running the site and database).
- Courier: GLS, and for international delivery the GLS partner network [KITÖLTENDŐ: exact courier company details] (parcel delivery).
Any transfer to the USA or a third country takes place only with appropriate safeguards under Chapter V of the GDPR (e.g. an adequacy decision or the EU Standard Contractual Clauses).
4. Cookies
The site uses cookies. Non-essential cookies are activated only with the user's consent, which can be given, changed and withdrawn via the cookie banner.
- Strictly necessary: cart, sign-in, security tokens and core function cookies. Basis: legitimate interest / provision of the service; no consent required.
- Analytics (Google Analytics 4): visit and usage metrics. Basis: consent.
- Marketing (Meta Pixel): measuring and targeting ads. Basis: consent.
GA4 is operated by Google Ireland Ltd. and the Meta Pixel by Meta Platforms Ireland Ltd. For details, see each provider's own privacy notice.
5. Your rights
Under the GDPR you have the right to:
- access (Art. 15),
- rectification (Art. 16),
- erasure / "right to be forgotten" (Art. 17),
- restriction (Art. 18),
- data portability (Art. 20),
- object to processing based on legitimate interest (Art. 21),
- withdraw consent at any time, without affecting prior processing (Art. 7).
To exercise these rights, write to [KITÖLTENDŐ: privacy contact email]. The Controller responds without undue delay, at the latest within one month, and may ask you to verify your identity.
6. Data security
The Controller protects data with technical and organisational measures proportionate to the risk (e.g. hashed password storage, access control, secure connection). In case of a data breach, the Controller notifies the supervisory authority within the statutory deadline and, where required, the data subjects.
7. Complaint, supervisory authority
You may lodge a complaint with the supervisory authority: Hungarian National Authority for Data Protection and Freedom of Information (NAIH), 1055 Budapest, Falk Miksa utca 9-11., mailing address 1363 Budapest, Pf. 9., phone +36 1 391 1400, email ugyfelszolgalat@naih.hu, website naih.hu. You may also turn to a court; proceedings may be started before the tribunal for your place of residence or stay.