Privacy Policy

Privacy Policy

For the data processing related to the toolvia.ai website

Name and contact details of the Data Controller

Company name: BRAUNIQ SOLUTION Kft (the "Service Provider") Registered seat: 1154 Budapest, Bercsényi Miklós utca 51., Hungary Tax number: 24896784-2-42

Company registration number: 01 09 188120 Represented by: Gergely-Nagy Arnold

Contact: marketing@toolvia.ai

Concepts used in this Policy

"personal data" and "data subject": any information relating to an identified or identifiable natural person (the "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by

reference to an identifier such as a name, a number, location data, or an online identifier.

"processing": any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or

alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"controller": the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.

"processor": the natural or legal person, public authority, agency or other body which processes personal data on behalf of and in the interest of the controller, according to the provisions of the contract concluded with the controller (and the controller's instructions).

"recipient": the natural or legal person, public authority, agency or other body to which the personal data are disclosed.

"User": the person who visits the site and reads its content.

"Customer": the User who purchases a product or service through the website.

Data processing related to the use of the website

The Controller does not process any data that it did not collect from the data subject. No profiling or automated decision-making takes place.

Registration

Data subjects are those visitors of the website who register on the website by providing their e-mail address.

The Controller does not carry out profiling or automated decision-making, but reserves the right to subsequently restrict or block access on a case-by-case basis.

Scope of data

Purpose

Data subject's e-mail address

Facilitating the use of the website

Legal basis of processing: The processing is based on point (a) of Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council; the data subject has given their explicit consent to the processing.

Duration of processing: Until deletion of the profile. Recipient of the data: The Controller's representative. Processor: Commercial platform (Shopify)

Data transfer: None

Purchase

Data subjects are those Users who have made a purchase through the website.

The Controller handles payment through several payment providers. The Controller does not process bank card data or other banking data.

Scope of data

Purpose

Order data;

Acceptance of statements

Sending the ordered digital product

Legal basis of processing: based on point (b) of Article 6(1) of Regulation (EU) 2016/679; necessary for the performance of a contract concluded between persons not present.

Duration of processing: The Controller processes the data for 8 years from the purchase, or for 1 year after deletion of the profile.

Processors: Commercial platform (Shopify), database software developer (Supabase), and the chosen payment provider (Apple Pay, Google Pay, PayPal)

Data transfer: None

Data processing related to invoicing

Data subjects are those Users who have paid for a product purchased through the website.

Scope of data

Purpose

Invoicing data

Legal compliance — invoice issuance

Legal basis of processing: based on point (c) of Article 6(1) of Regulation (EU) 2016/679; necessary due to a legal obligation applicable to the Controller.

Duration of processing: 8 years following the issuance of the invoice.

Processors: The Controller's appointed accountant (iSuccess Kft.) and the operator of the invoicing system used by the Controller (Szamlazz.hu).

Data transfer: National Tax and Customs Administration (NAV — Hungary)

Data processing related to complaints

Data subjects are those Customers who have sent a complaint to the rma@toolvia.ai electronic address.

Scope of data

Purpose

Order data;

Complaint data

Legal compliance — complaint handling

Legal basis of processing: based on point (c) of Article 6(1) of Regulation (EU) 2016/679; necessary due to a legal obligation applicable to the Controller.

Duration of processing: 5 years following the closure of the complaint.

Processors: None

Data transfer: None

Data processing related to product reviews

Data subjects are those Customers who have reviewed a product purchased through the website.

Scope of data

Purpose

E-mail address; Review data

Measuring and publishing customer satisfaction

Legal basis of processing: based on point (a) of Article 6(1) of Regulation (EU) 2016/679; the data subject has given their explicit consent to the processing.

Duration of processing: Until consent is withdrawn.

Processors: Commercial platform (Shopify), review-system support application (Judge.me)

Data transfer: None

Advertising-purpose contact

Data subjects are those Customers who, at some point on the website, by providing their e-mail address, consented to receiving electronic mail for advertising purposes.

Scope of data

Purpose

E-mail address

Keeping in contact, sending offers

Legal basis of processing: based on point (a) of Article 6(1) of Regulation (EU) 2016/679; the data subject has given their explicit consent to the processing.

Duration of processing: Until consent is withdrawn.

Processors: Webshop developer (Shopify), marketing and customer-relationship platform (Klaviyo)

Data transfer: None

Cookies used on the website

Like most websites, we also use cookies on the website. These cookies are small data files that may serve several purposes.

You can accept, refuse, or customise the cookies in the pop-up window on the website that requests permission for cookies.

Scope of data

Purpose

Session cookies

Ensuring the use of the website.

Convenience cookies

Enhancing the user experience

Other cookies

Purchase encouragement, sending targeted advertisements, measuring advertising effectiveness.

Legal basis of processing: based on point (a) of Article 6(1) of Regulation (EU) 2016/679; the data subject has

given their explicit consent to the processing. Consent can be given by accepting the cookies on the website. In the absence of acceptance of the session cookies, the site cannot be viewed.

Duration of processing: For session cookies, until the use of the site. For convenience cookies, 1 month. If you delete your browsing history, the cookies are also deleted. Other cookies: for a variable period — tracking

programs known as Meta, TikTok, and Google pixel, which measure the Controller's advertising effectiveness.

Processors: Meta, TikTok, Google.

Data security: Importantly, even when cookies are enabled, the site's Operator does not memorise any identifier or password. Even when accepting cookies, the visitor can use the Controller's electronic services in complete safety.

Scopes of data

The groups indicated in the scopes of data comprise the following personal data.

      • Order data: E-mail address, Order ID, Name and quantity of products, Amount payable in USD, Transaction receipt, Electronic mail confirming performance.
      • Acceptance of statements: E-mail address, Order ID, Date and time of acceptance, Content of the statements.
      • Invoicing data: Customer's name, Customer's address, Order ID, Date, Receipt ID, Name and quantity of products, Amount paid in HUF.
      • Complaint data: Product name, Description of the complaint.
      • Review data: E-mail address, Product name, Rating and text of the review, Date of the review.

Recipients of the personal data, and categories of recipients

On the Controller's side: The Controller's representative may access the data.

Processors: The Controller works only with processors that demonstrably carry out the processing and protection of personal data in accordance with the law. Some of our processors operate outside the EEA (USA, Singapore) and have appropriate safeguards (SCC) with regard to the processing of personal data.

The Controller is in contact with the following processors in connection with the data processing.

Name

Address

Activity

Shopify Inc

Ground Floor, 151 O'Connor Street, Ottawa, Ontario, K2P 2L8, Canada

Website support

Supabase PTE Ltd.

65 Chulia Street #38-02/03, OCBC Centre, Singapore 049513

Data storage and query support

Apple Inc (Apple Pay)

One Apple Park Way, Cupertino, CA 95014, United States

Payment service

Google LLC (Google Pay)

1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA

Payment service

PayPal (Europe) S.à r.l. et Cie, S.C.A.

22-24 Boulevard Royal, L-2449 Luxembourg

Payment service

iSuccess Kft.

1161 Budapest, Csömöri út 10., Hungary

Accounting service

Szamlazz.hu — KBOSS Kft.

1031 Budapest, Záhony utca 7/D, Hungary

Invoicing system

Judge.me Ltd.

Buckworths 2nd Floor, 1-3 Worship Street, London, England, EC2A 2AB

Support for collecting reviews

Klaviyo Inc.

125 Summer Street, Floor 6, Boston, MA 02111, United States

Marketing and customer-relationship support

The data subject's rights in relation to the data processing

Deadline

The Controller fulfils the data subject's request for the exercise of their rights within a maximum of one month from its receipt. The day of receipt of the request is not included in the deadline.

Data subject rights related to the data processing

Right of access

The data subject is entitled, through the contact details given in point 1, to request information as to whether the processing of their personal data is ongoing, and if such processing is ongoing, is entitled to access the data.

The Controller provides a copy of the personal data undergoing processing free of charge on the data subject's first such request; thereafter it may charge a reasonable fee based on administrative costs.

In order to meet the data security requirements and to protect the data subject's rights, the Controller is obliged to verify that the identity of the data subject and of the person wishing to exercise the right of access match; for this

reason, information, inspection of the data, and the issuing of a copy thereof are conditional on identification of the data subject.

Right to rectification

The data subject may request, through the contact details given in point 1, that the Controller modify any of their personal data. The Controller fulfils the request within a maximum of one month and notifies the data subject of this at the contact details provided by them.

Right to erasure

In connection with the data processing described in this Policy, the data subject may exercise their right to erasure at any time. The Controller fulfils the erasure as soon as possible, if no other right obliges it to retain the data.

With the deletion of the profile, the personal data are also deleted, but the deletion does not affect data processed due to a legal obligation. Due to a legal obligation, invoicing data cannot be deleted for 8 years and complaint-

related data for 5 years.

Right to blocking (restriction of processing)

The data subject may request, through the contact details given in point 1, that the Controller restrict the processing of their personal data.

Right to object

The data subject may, through the contact details given in point 1, object to the processing at any time on grounds relating to their particular situation, if in their view the Controller is not properly processing their personal data in

connection with the purpose indicated in this Privacy Policy. With regard to the processing of data to which the data subject has given their consent, objection is not applicable.

Right to data portability

The data subject is entitled to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, machine-readable format, and is further entitled to transmit this data to another

controller.

Right to remedy

Hungarian data protection authority

If the data subject considers that the Controller has infringed the applicable data protection requirements during the processing of their personal data, they may lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH).

Address: 1055 Budapest, Falk Miksa utca 9-11. Postal address: 1363 Budapest, Pf. 9.

E-mail: ugyfelszolgalat@naih.hu, website: www.naih.hu

In addition, in order to protect their data, the data subject has the option to turn to a court, which acts in the matter as a priority. In this case, the data subject may freely decide whether to file their action with the competent regional court of their domicile (permanent address) or residence (temporary address), or of the Controller's

registered seat. The regional court can be located at https://birosag.hu/birosag-kereso.

EU data protection authorities

In justified cases, the data subject has the right to turn to the data protection authority of another EU Member State. The contact details of the EU authorities can be found here: https://www.naih.hu/unios-adatvedelmi-felugyeleti-hatosagok

International dispute resolution

In disputed matters, the Service Provider always strives for an amicable settlement, and therefore primarily seeks to resolve disagreements with the assistance of a national or EU body specialised for this purpose. The body

recommended by the Service Provider is the Budapest Conciliation Board, competent according to the registered seat (Address: HU-1016 Budapest, Krisztina krt. 99. E-mail: bekelteto.testulet@bkik.hu).

In the case of a cross-border digital service, it recommends the Consumer Redress Portal, where the Customer can find the territorially competent dispute-resolution forum specialised for the service.

Portal: https://consumerredress.ec.europa.eu/index_en