PRIVACY NOTICE

Welcome to the airvape.eu privacy notice.

I. Purpose of the privacy notice

The scope of this notice covers the data processing applied on the Controller’s website (https://airvape.eu), on its social interfaces, and during e-mail messaging as well as the Controller’s offline data processing. The latest effective version of this privacy notice is continuously available on the following website: https://airvape.eu/privacy-policy/

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

The Controller reserves the right to amend the prospectus with the intention of improving it.

Below is a description of my company’s data processing practices.

II Controller

• Name : OMNI-TECH Design Kft.
• Registered office: 1066 Budapest, Weiner Leó utca 12. fszt. 6., Hungary
• Mailing address: 1066 Budapest, Weiner Leó utca 12. fszt. 6., Hungary
• Tax number: HU14328976
• Representative: Both Zsolt
• Telephone number: +36205989144
• E-mail: support@airvape.eu
• Webpage: https://airvape.eu/

III Contact details of the data protection officer

We do not engage in any activity that would justify the use of a data protection officer.

IV. Legal grounds for data processing and what information do we collect

Pursuant to the provisions of the Information Act and the GDPR, personal data may be processed only on one of the following legal grounds:

• consent (may be requested if the remaining five legal grounds do not apply to data processing);
• contract conclusion;
• fulfillment of reporting obligations;
• protection of the data subject’s vital interests;
• exercising public interest or public authority;
• enforcement of legitimate interests

• When you purchase products or make inquiries about our products, we may collect personal data from you, such as your name, billing address and delivery address details, your email address, and a contact telephone number.
• We will also require your bank account, credit/debit card details to process transactions.
• When you sign up to be kept informed about our products we may collect your personal data, such as your name and email address.
• If you contact us by telephone we may collect your name and contact telephone number.
• As you move around our site we will collect technical information about your visit, such as which pages you visit, how often you visit and what links you click on, the Internet protocol (IP) address used to connect your computer to the internet, your login information, browser type and version, operating system, and platform;
• We may also collect information about your visit such as the full Uniform Resource Locators (URL) clickstream to, through, and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
• We are active on various social media outlets (including Facebook, Instagram, Pinterest) and we may collect information in any comments or posts that you submit on our social media pages. Your personal information will be processed by the applicable social media outlet for these purposes and we would recommend reviewing their privacy policy before posting any personal information on our social media pages.

We wish to remind the data subjects that, if they do not provide their own personal data, it is the duty of the data provider to obtain the consent of the data subject.

IVI.1. Range, method of collection and storage period of data processed based on consent – legal ground: Article 6 (1) a) of the GDPR

IV.1.1. Data collection on the Contact page of the website and creating of an account

1. The fact of the data collection, range of data processed, and purpose of data processing:

2. Range of data subjects: the natural persons who complete the contact form on the website. Preconditions for contacting are familiarity with this Privacy Notice and the acceptance of the provisions contained herein.
3. Duration of data processing: until the date of erasure of the data, i.e. until the data subject requests erasure of data. The data is reviewed by the Controller once every year.
4. Persons authorized to access the data, recipients of the personal data: the personal data may be processed by the Controller or by the Controller’s duly authorized employees, in accordance with the provisions of this notice.
5. Please be informed that

• data processing is required for answering questions and starting a purchase procedure.
• your failure to provide data or to consent to data processing will have the consequence that I will be unable to respond to your inquiry, also you will not be able to proceed with your purchase procedure;

IV.1.2. Customer relations

1. If the Controller contacts the data subjects via any of the contact details listed below, the consent shall be deemed to be given through the inquiry – otherwise, e.g. in the case of a request submitted by e-mail, we will not be able to answer. If this method of contacting is applied, the Controller will provide the following information:
2. Fact of the data collection, range of data processed, and purpose of data processing:

3. Range of data subjects: all those, who liaise with the Controller by telephone / e-mail / personally.
4. Duration of data processing, deadline for data erasure: until withdrawal of the consent to data processing. The data is reviewed by the Controller once every year.
5. Persons authorised to access the data, recipients of the personal data: the personal data may be processed by the Controller or by the Controller’s duly authorised employees, in accordance with the provisions of this notice.
6. Please be informed that

• data processing is required for liaison purposes.
• your failure to provide data or to consent to data processing will have the consequence that we will be unable to lawfully liaise with the data subject or to respond to their inquiry.

IV.1.3. Newsletter

We want to keep you informed about all our products, promotions and news, and where you have indicated you are happy to receive marketing by post, email, or phone we will keep in touch with the latest news.

1. Pursuant to Section 6 of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions relating to Commercial Advertising Activities, User / Data Subject have provided their express prior consent to the Service Provider / Controller to provide them with current information or to contact them using the contact details provided upon registration.
2. Furthermore, subject to the provisions of this Notice, the data subject agrees that the Controller will process his/her personal data required for the activities listed in section 1.
3. Controller will not send any unsolicited newsletters, and the data subject may unsubscribe from receiving offers, free of charge, without limitation or justification. In this case, Controller will erase from its record all personal data – which is necessary for sending newsletters – and will no longer contact the data subject with any further newsletters. Data Subject may unsubscribe from the newsletter by clicking the link in the message.
4. Fact of the data collection, range of data processed and purpose of data processing:

5. Range of data subjects: all data subjects subscribing to the newsletter.
6. Purpose of data processing: to send electronic messages (e-mails) presenting the Controller’s activity to the data subject, to provide information on current information, products, events, articles, etc.
7. Duration of data processing, deadline for data erasure: until withdrawal of the declaration of consent to data processing. i.e. until un-subscription.
8. Persons authorised to access the data, recipients of the personal data: the personal data may be processed by the Controller or by the Controller’s employees, subject to observance of the above basic principles.
9. Please be informed that

• where the processing is based on your consent;
• we can only send newsletters if you provide us with your personal information as specified above;

10. The data subject may unsubscribe from the newsletter at any time, free of charge.

IV.1.4. Social media sites

1. Fact of the data collection, range of data processed:

Registered name on the Facebook / Instagram social media sites or the user’s public profile image.

2. Range of data subjects: all data subjects who have registered on the Facebook / Instagram social media site and “liked” the website.
3. Purpose of data collection: on the social media sites, the sharing, “liking” or promoting of specific content elements, products, actions of the website or the website itself, or the presentation of the company, expression of an opinion or initiating a contact. Data that can be interpreted from the point of view of data processing is not extracted from this site, and the statistics, if any, are irrelevant in terms of data processing.
4. Duration of data management, deadline for data erasure, potential Controller persons authorised to access the data and presentation of the data subject’s rights related to data processing: the data subject will find information on the source and processing of the data, the manner of, and the legal grounds for, transferring on the relevant social media site. Since the data processing is carried out on the social media sites, the duration and method of processing and the possibilities for erasure and modification of data are governed by the regulation of the given social media site.
5. Legal grounds for data processing: the data subject’s voluntary consent to the processing of his/her data on community sites.

IV.1.5. Cookies

IV.1.5.1. Tasks of the cookies:

• to gather information on visitors and their tools;
• memorise the visitors’ custom settings that will (may) be later used e.g. when requesting online transactions, so they need not be entered again;
• facilitate the use of the website;
• provide for a quality user experience.

In order to provide customised service, a small data package, a so-called “cookie” is placed on the user’s computer, which will later be retrieved during subsequent visits. If the browser returns a previously saved cookie, then the service provider managing the cookie has the option of linking the user’s current visit to the previous one, but only in respect of its own content. Cookies do not contain personal information and are not suitable for identifying an individual user. Cookies often contain a unique identifier – a secret, randomly generated sequence of numbers – stored on the data subject’s device. Some cookies will cease after the website is closed and some will be stored on the visitor’s computer for a longer period of time.

If the visitor wishes to block the activities related to cookies or to delete any data files placed on the computer during previous visits, they can find the necessary instructions on the following pages:

For Firefox
In Edge

In Chrome,
In Internet Explorer

In Safari

Some browsers also allow you to automatically delete your browsing data every time you close it.

IV.1.5.2. Mandatory session cookies

The purpose of these cookies is to allow visitors to browse the Controller’s website thoroughly and without any disturbance, to use its functions and the services available there. The validity period of this type of cookies runs until the session (browsing) ends, and when you close the browser, this type of cookie is automatically deleted from the computer or from any other device used for browsing.

IV.1.5.3. Third-Party Cookies (Analytics)

We also use Google Analytics as third party cookies on our website. By using Google Analytics for statistical purposes, we collect information about how visitors use web pages. The data is used to improve the website and improve the user experience. These cookies will also remain on their visitor’s computer or on any other device used for browsing until they expire, or until the visitor deletes them.

We have linked our site to several social media sites (Facebook, Instagram). These social media sites also place cookies on visitors’ pages that may contain personal data. The Controller does not see or process this data. Such cookies may be disabled by data subjects in the browser of their own computer.

IV.1.5.4. Cookies used by the Controller:

IV.1.6. Withdrawal of consent

The consent can be withdrawn at any time in the same easy way as it was given.

In the case of a newsletter, the consent can be revoked by clicking on the unsubscribe link at the end of the newsletter.

In the case of a Facebook page, the ‘Like’ can be withdrawn, and the private message or comment can be deleted.

The Controller also deletes the data manually if a request to that effect is sent to the [email protected] email address.

A legitimate data processing preceding the withdrawal of the consent is considered to be legitimate after deletion as well.

The time limit for storage by consent is, on the one hand, the withdrawal of consents as listed above or the un-subscription, and, on the other hand, the annual review of the data by the Controller. The data is stored on a computer protected by a password and by an antivirus software. Considering that, in exceptional cases, the Controller also signs paper-based contracts, these are stored in a separate lockable cabinet.

IV.2. Contract and legal obligation – as legal grounds: Article 6 (1) b) and c) of the GDPR

IV.2.1. Data processing applicable to registered users in the case of purchasing

1. The Controller processes the data required for the purchase of the product provided in the web-shop on the legal grounds of the contract concluded with the data subject.
2. Fact of the data collection, range of data processed and purpose of data processing:

3. Range of data subjects: all data subjects ordering the service.
4. Duration of data processing, deadline for data erasure: for 5 years following fulfilment of the order.
5. Persons authorised to access the data, recipients of the personal data: the personal data may be processed by the Controller or by the Controller’s duly authorised employees, in accordance with the provisions of this notice.
6. Please be informed that

• data processing is necessary for the performance of the contract.
• your failure to provide data or to consent to data processing will have the consequence that we will be unable to lawfully liaise with the data subject or to perform the contract.

IV.3. Designation of legitimate interest – as legal grounds: Article 6 (1) f) of the GDPR

Controller classifies in this category all those collaborators who are not present in the business as interested parties or customers, but with whom it works together on a specific aspect of the business.

We store your contact information – name, phone number, e-mail address, registered office, home address – after personal meetings or online contact, and we do not forward it to third parties, except when we fulfil our legal obligations.

The Controller stores its business partners’ data (name, e-mail address, phone number, registered office, home address) until the end of the business relationship or until erasure is requested, on a computer protected by a password and by an antivirus software.

V. Security measures

In the course of the business activity, the Controller provides for the processed data applying appropriate security measures. Our goal is to prevent unauthorised access to the data in whatever manner. Our computers are protected by passwords and by the  Kaspersky Security antivirus software. We can use our phones after double pin identification. We can log in to mailing systems or to Facebook only after identification. We apply SSL encryption on our website.

When designing appropriate security measures, we have taken into account the current state of science and technology, the nature, scope, context and purposes of data processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

VI. Data processors

In our business we use the services of the data processors listed below:

Domain: https://digitalocean.com

Name: DigitalOcean, LLC

Registered office: 101 Avenue of the Americas 10th Floor New York, NY 10013 United States

Contact details: [email protected]

Webshop operator:

OMNI TECH DESIGN Kft.

(Access to the full content of the website.)

Newsletters:

Not Available at the moment.

(Access to the name and email address of the newsletter subscribers.)

Receiving and sending e-mails:

Gmail – Google Inc., Mountain View, California, USA

(Access to correspondence and all the related data.)

Invoicing:

https://Billingo.hu

(Access to invoices issued.)

Controller:

Omni Tech Design Kft.

E-mail address:  [email protected]

(Access to the invoices.)

Facebook side:

Facebook Inc.

Menlo Park, California, USA

Information on data processing: https://www.facebook.com/about/privacy/update

(Access to the user’s name and comments.)

Facebook pixel:

Facebook Inc.

Menlo Park, California, USA

(Access to HTTP header [IP address, page location, redirect, user agent], pixel ID, Facebook cookie.)

Google Analytics:

Google Inc., Mountain View, California, USA

(Access to anonymous, non-personal IP address of visitors to the website.)

Instagram share button:

Instagram – Facebook Inc., Menlo Park, California, USA

Privacy Notice: https://www.instagram.com/legal/privacy/

(Access to visit details)

Shipping:

WEBSHIPPY: https://webshippy.com

(Access to name and address.)

Payment provider:

PensoPay: https://pensopay.com

VII. Transmission of the data subjects’ data to third countries

Data is transferred to the United States of America, with whom an adequacy decision was made on 12 July 2016.

(https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en), which is observed by

• Google
• (https://policies.google.com/privacy/frameworks),
• Facebook (https://www.facebook.com/about/privacyshield)
• and Instagram, as a Facebook-owned company as well.

VIII. Rights of the data subjects

IX.1. Transparency and the data subjects’ access to personal data

In compliance with the statutory regulations and with our own mission statement, the Controller strives to make all information available to the data subjects transparent and easy to understand, on an interface that is easily accessible to the data subjects.

The data subjects are entitled to request feedback on whether the processing of their personal data is currently in progress, and, if so, they may be provided access to the following information managed by the Controller:

• purposes of data processing;
• categories of the data subject’s personal data;
• the recipients to whom or to which the personal data has been or will be disclosed, including recipients in third countries and international organisations;
• the envisaged period for which the data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
• designating the right to lodge a complaint with a supervisory authority;
• where personal data is not collected from the data subject, any available information regarding its source;
• the existence of automated decision-making – for example, the use of their data for profiling.

The above information will be made available to the applicant free of charge within 30 days of receipt of the request.

IX.2. Right to rectification and right to erasure

The data subjects are entitled to request that the personal data concerning them be rectified or supplemented.

If one of the following cases occurs, I, as Controller, am obliged to delete the personal data of the data subjects without undue delay:

• the personal data is no longer necessary in relation to the purposes for which we have collected or otherwise processed it;
• the data subject withdraws the consent on which the processing is based, and there is no other legal ground for the processing;
• the data subject objects to the processing, and there are no overriding legitimate grounds for the processing;
• we have processed the personal data unlawfully;
• the personal data must be erased to comply with a legal obligation stipulated by a European Union or Member State law, to which the Controller is subject;
• the personal data has been collected in connection with the offering of information society services.

Personal data is not required to be deleted if it is used for the purpose of exercising the right of freedom of expression and information; or if data processing is required for the establishment, exercise or defence of legal claims. In the event of such a situation, the data subject must be informed of the above.

IX.3. Right to restriction of processing

The data subjects shall have the right to request restriction of processing, if:

• they contest the accuracy of the personal data, until the inaccuracy is clarified
• data processing is unlawful, and they request that the use of the data be restricted rather than its erasure;
• we no longer need the personal data for the purposes of the processing, but it is still required by the data subjects for the establishment, exercise or defence of legal claims;
• the data subject has objected to its data being processed on grounds of legitimate interests; in this case the restriction shall apply to the period until it is established that the Controller’s legitimate grounds override those of the data subject.

Where processing has been restricted, the personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

The data subject shall be informed of the lifting of the restriction.

IX.4. Right to data portability

If the legal ground for data processing is consent or a contract, and processing is carried out by automated means, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to me, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller, provided that this is technically feasible.

The right to data portability shall not adversely affect the rights and freedoms of others.

IX.5. Right to object

The data subject shall have the right to object at any time to the processing of personal data concerning him or her, including profiling based on the above-mentioned provisions. In the event of objection the Controller may no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or which are related to the establishment, exercising or defence of legal claims.

IX.6. Automated individual decision-making, including profiling

The Controller informs the data subjects that it profiles the persons subscribing to the newsletter. During the profiling process it determines, by technical means, whether the newsletter subscribers have previously viewed the webshop based on the newsletter, what products they have viewed, what they have purchased or whether they have made any purchases at all, and it will send a newsletter based on that information, in line with the data subjects’ sphere of interests. This activity is intended to provide a better user experience and has no legal effect on the data subject other than the recommendation of products and special offers, and therefore does not conflict with the provisions of Article 22 of the GDPR.

X. In case of complaints

We process the data subjects’ personal data with the greatest care.

In spite of the above, if you have any complaints or questions, please feel free to contact us at the [email protected] e-mail address, and we will try to remedy the problem within our own competence.

The data subjects are, of course, entitled to go to court to enforce their claims. Disputes related to violations of data processing principles and procedures are within the jurisdiction of the tribunal, and litigation may be initiated in the court of the data subject’s place of residence.

We are open to participate in the mediation process at any time before or during the initiation of any litigation related to our data processing.

Furthermore, any complaint or question related to personal data may be referred by the data subject to the National Authority for Data Protection and Freedom of Information (1055 Budapest, Falk Miksa Street 9-11., e-mail: [email protected], website: http://www.naih.hu).

XII. List of relevant statutory regulations

• Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
• Act CXII of 2011 on Informational Self-Determination and Freedom of Information;
• Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions relating to Commercial Advertising Activities;
• Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services;
• Act V of 2013 on the Civil Code;
• Act LXXVI of 1999 on Copyright;
• Government Decree 45/2014 (II.26.) on the detailed rules governing contracts between consumers and companies
• Act CL of 2017 on Taxation;
• Act CXXVII of 2007 on Value Added Tax