Privacy policy

Reviewed: 25.09.2018

1. Data controller’s data

Xeropan International Kft.
Seat: 4028 Debrecen, Simonyi út 14.
VAT number: 26304706-2-09
Company registration number: 09-09-029639
Representative: Mile Ferenc managing director, independently, Al-Gharawi Madzsid Attila managing director, independently

2. The processor’s data and contact information

Name: CodeYard Kft.
Seat: 4026 Debrecen, Mester utca 1. III. em. 6.
Email: info@codeyard.eu
Activity: Development

Name: VENGIT Kft.
Seat: 1143 Budapest, Gizella út 42-44.
Activity: Computer consultancy activities

Name: Gonda József self-employed
Seat: 4225 Debrecen, Kiserdő u. 92.
Activity: Marketing

MailChimp

c/o The Rocket Science Group, LLC

675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308

MOSS No. EU 826 477 914

Activity: newsletters

DigitalOcean, LLC

101 Avenue of the Americas, 10th Floor, New York, NY 10013

Activity: hosting service

Facebook, Inc.
1601 Willow Road Menlo Park, CA 94025
Activity: analytic and remarketing

Google LLC
1600 Amphitheatre Parkway Mountain View, CA 94043

Activity: Analitical and remarketing services

Mailgun Technologies, Inc.
535 Mission St. San Francisco, CA 94105

Activity: newsletters

 

3. Description of personal data, the purpose, legal basis and duration of data processing

Processing of data relating to the users of the Xeropan© mobile application shall be made on the basis of the users’ freely given and informed consent, which shall contain the Data Subject’s explicit consent for the processing of personal data provided in the course of using the Website.

The processing of data by the Data Controller shall be made on the basis of the Data Subject’s voluntary consent pursuant to Section 5(1) Paragraph a) of Act CXII of 2011 on the right of informational self-determination and on freedom of information (hereinafter referred to as: Freedom of Information Act) and on the basis of Act CVIII of 2001 on certain issues of electronic commerce and information society services.

The Service Provider does not verify the authenticity of the personal data received. The provider of the personal data, the data subject or contracting party shall bear the exclusive responsibility for the accuracy of the data provided. The Data Subject undertakes to be the sole person using the services with the data provided. With respect to this, the Data Subject who registered the e-mail address shall bear all responsibility in relation to signing in with the data provided.

The processing of data by the Service Provider is based on the voluntarily given consent of the Data Subject, of which the Service Provider shall provide information in this paragraph, and on separate, incidental occasions.

If the Data Subject does not provide his own personal data to the Service Provider, the Data Subject shall be the one obligated to obtain the consent of the Data Subject.

a. Xeropan© website
i. The legal basis of data processing: the Data Subject’s voluntary consent pursuant to Section 5(1) Paragraph b) of the Freedom of Information Act, and section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce and information society services.
ii. Description of processed data: The computer identifier (IP address) of the Data Subject’s computer, the browser type, the date and time of visit, the content accessed, the website from where the visitor came from, and the site which the visitor accesses after exiting the website. These data are unsuitable for the personal identification of the Data Subject, and the Data Controller, except for when it is provided by law and with the observance of conditions laid down therein, shall not take steps to identify the owner of the IP address.
iii. The purpose of data processing: statistical data analysis, fulfillment of the Service, verification of the functioning of the Service, improvement of user experience, customisation of the Service.
iv. The duration of data processing: 3650 days starting from the accessing of the website. The html code of the Data Controller’s website available at www.xeropan.com contains links from and to third-party servers, which are independent of the Data Controller. The providers of these links are able to collect data upon direct connection to their servers.

b. Downloading of the Xeropan© mobile application (IOS and Android platforms)
i. The legal basis of data processing: the Data Subject’s voluntary consent pursuant to Section 5(1) Paragraph b) of the Freedom of Information Act
ii. Description of processed data: the unique device identifier of the Data Subject’s mobile phone, the hardware type, the operating system version number of the mobile phone, the name of the mobile phone, the e-mail address of the Data Subject (for joining with Facebook or Google), the Data Subject’s location (based on IP address). The Data Controller uses an own identification number (Player ID) as well for the identification of the Data Subject in connection with the use of the application.
iii. The purpose of data processing: statistical data analysis, fulfillment of the Service, verification of the functioning of the Service, improvement of user experience, customisation of the Service, delivering the proper Xeropan© mobile application version depending on the location of the Data Subject, prevention of abuse.
iv. The duration of data processing: until the receipt of the Data Subject’s request for deletion sent to the Data Controller. The Data Controller shall delete the data from the system within 5 working days following the receipt of the request.

c. The use of the Xeropan© mobile application
i. The legal basis of data processing: the User’s voluntary consent pursuant to Section 5(1) Paragraph b) of the Freedom of Information Act.
ii. Description of processed data: The full name of the Data Subject, his Facebook or Google identifier and/or username, e-mail address, location, gender, date of birth, profile picture or the URL of the picture, the identifier of the Data Subject’s Facebook or Google friends who have also registered in the application, the interactions of the Data Subject in connection with the Service via the log files, which can be related to the Data Subject’s Player ID, IP address or his mobile phone’s unique identification number.
iii. The purpose of data processing: statistical data analysis, fulfillment of the Service, verification of the functioning of the Service, improvement of user experience, customisation of the Service, prevention of abuse. Correspondence, electronically, providing information on the Company’s services, contractual terms and conditions and discounts. Advertisement may be sent electronically as part of the information provided.
iv. The duration of data processing: Until the receipt of the Data Subject’s request for deletion sent to the Data Controller. The Data Controller shall delete the data from the system within 5 working days following the receipt of the request.

d. Newsletter
i. The legal basis of data processing: the User’s voluntary consent pursuant to Section 5(1) Paragraph b) of the Freedom of Information Act
ii. Description of processed data: User ID, full name of Data Subject, his e-mail address, the date and time of subscription.
iii. The purpose of data processing: sending of newsletters and other advertisements, communication of current information, invitation of friends, sending of system messages and notifications regarding the use of the Service.
iv. The duration of data processing: Until the unsubscription of the Data Subject. For the analysis of the Data Subject’s interactions with the newsletter, the Service Provider uses newsletter tracking codes (mailgun, MailChimp), which provide feedback to the Service Provider if the Data Subject opened, read, or clicked on the newsletter. In the process of registration in the Xeropan© mobile application via Facebook or Google accounts, the Data Subject can subscribe to newsletters and other advertisements sent by the Data Controller. The Data Subject is entitled, at any time and at no charge, to withdraw his consent by clicking on the “Unsubscribe” link located at the bottom of the newsletter. After unsubscribing, the Data Subject will not receive any newsletters or other advertisements from the Data Controller, and the Data Controller shall delete the Data Subject’s data from the list of subscribed users.

5. Newsletters blacklist

The process:

1. A current User invites one or more of his friends to use Xeropan.
2. The email address of the invited friend, who is not a user yet, is added to the mailing list. – Unless blocked before and has already been added to the Invitations Block List (IBL) – This is called the PERMISSION REQUEST LIST (PRL) -
3. The system automatically sends a letter to the User informing him that he was invited by one of his friends, and requesting him to give permission to the system to send further information.
4. There are two choices in this letter:

A) I do want to receive letters.
B) I do not want to receive letters.


5. The aforementioned letter will contain the links to the Terms of use and the documents on data processing.

If the user chooses option A) I do want to receive letters:
A1.) The Service Provider enlists the email address in the PERMITTED email list (PERM). The Service Provider stores the date of subscription. 
A2.) The Service Provider deletes the email address concerned from the PRL.
A3.) The invitation letter and the notifications on the validity of the invitation will be sent by the Service Provider.
A4.) Decision:

1. New user: The User is recorded in the users’ database (USERS)
2. Not a user – 72 hours after the expiry of the invitation, the Service Provider deletes the email address from the PERM list.

If the User choses the option B) I do not want to receive letters:
B1.) The Service Provider opens, upon the User’s clicking on the button, a webpage for unsubscribing for the User.
B2.) A remarketing code running in the webpage adds the user’s device anonymously to a remarking list to which the Service Provider sends no Google or Facebook advertisements.
B3.) The invited person must choose between the options of „refusing to give permission”:

1.  „Not now”
2. „Not now and remember this address to avoid sending letters to me in the future.” The User clicks on the box to consent for the storage of the email address and declares to have read our rules of data processing.   

B3.) In one case – „Not now”:

1. The Service Provider does not add the email address to the PERM mailing list.
2. The user is immediately deleted from the PRL list.
3. In case of a new invitation, the whole process starts over, which means that in the case of a new invitation, the user is added to the PRL list, receives a letter requesting permission and may choose from the options.

B3.) In case two - „Not now and remember this address to avoid sending letters to me in the future”:

1. Upon the User’s consent, the Service Provider adds the User’s email address to the Invitation Block List (IBL).
2. This list contains the email address, the place, date and time of unsubscription for the sole purpose of avoiding future invitations to the Xeropan by the User’s friends. 
3. The User will not receive further invitations from his friends even if they wish to invite the User.
4. Regardless, the User may become an USER but the email address will be stored in the block list until unsubscription.

 

If the User chooses neither option A) or B), then
The User will be deleted from the PRL list within 72 hours, which entails the same consequences as option B3.)1.

Legal basis for processing: the User’s voluntary consent as per Section 5 (1) b) of Infotv.  
Processed data: email address
The purpose of processing: blocking e-mail invitations
Duration of processing: until the Data Subjects unsubscribes or requests for deletion.

4. Customer correspondence, complaint-handling

i. The legal basis of data processing: the User’s voluntary consent pursuant to Section 5(1) Paragraph b) of the Freedom of Information Act.
ii. Description of processed data: The full name, e-mail address and other information provided voluntarily by the Data Subject.
iii. The purpose of data processing: Recording the observations and questions of the Data Subject for the development and verification of the functioning of the Service, the handling of the Data Subject’s complaints.
iv. The duration of data processing: up to 5 years commencing from the solving of the case.

5. Other data processing

Data processing not covered by this Policy shall be notified by the Data Controller upon the recording of the data.
The court, the prosecutor, the investigating authority, the misdemeanor authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, and other bodies, based on authorization conferred by law, may request the Service Provider to disclose information, transmit and disclose data, and hand over documents.

The Data Controller shall only disclose personal data to the authorities -- where the purpose and description of data has been specified -- to the extent and for the purposes necessary for the fulfillment of the objective of the request.

6. Cookies and other tracking technologies

In the interest of the proper functioning of certain features of the Service the use of cookies may become necessary, which can also fulfill certain convenience functions for the Data Subject. Cookies set by the Data Controller can help the Data Controller to identify the computer (IP address), to track browsing data, to remember the username and the password (autocomplete). Cookies may contain information for the identification of the Data Subject (User ID), which is processed by the Data Controller in order to customise the service according to the needs and interests of the Data Subject, and to ease the Data Subject’s use to the Service. The Data Subject may disable or delete cookies in his web browser at any time and by doing so acknowledges that certain features of the Service may not function properly as a result.

The Data Controller uses the Google Ads remarketing tracking code, which uses cookies to tag Data Subjects. With the help of the remarketing tracking codes, the Data Subject will be shown ads on the websites part of the Google Display network. The aforementioned shall apply accordingly to the handling of cookies.

The Data Controller can offer the possibility to third-party advertising service providers to share advertisements during the use of the Service. These advertising service providers can place cookies on the computer and/or mobile phone of the Data Subject in order to track browsing data, viewed advertisements and to customise their services based on the interests and needs of the Data Subject. This Policy does not apply to and the Data Controller shall not be liable for the privacy practices of these third-party advertising service providers.

In better understanding the use of the services by the Data Subject -- through analysing the visitor data of the Xeropan© website and Xeropan© mobile application, and through the measurement and auditing of other analytical data -- the Data Controller is helped by third-party servers (especially Google Analytics). These third-party servers may use cookies, APIs and SDKs. This Policy does not apply to and the Data Controller shall not be liable for the privacy practices of these third-party servers. The Data Subject can find information about their privacy policies at https://www.google.com/analytics/

7. Methods of storing personal data, security of data processing

The data are stored at the cloud computing softwares operated by VENGIT Kft., accessible by CodeYard Kft., Gonda József, self-employed, as well as the employees of Xeropan International Kft. The Data Controller implements appropriate technical, organisational measures for the adequate safeguarding of the security of data processing, and the Data Controller provides protection in particular against:

• unauthorized access,
• modification,
• transmission,
• disclosure to the public,
• deletion or destruction, and
• accidental destruction and damage, and
• the inaccessibility due to the changes in the technology used.

With regard to ongoing technical developments, the Data Controller and the data processor(s) shall select data security measures that provide adequate levels of protection against the risks that arise during data processing, and, when faced with more options, shall apply the option that provides a higher level of security of personal data, except if such measure would represent a disproportionate burden for the Service Provider.

The Data Controller employs personal data security measures on a server-side and application level.

8. The recipients of the personal data

CodeYard Kft., VENGIT Kft., Gonda József e.v., Digital Ocean:
User’s identification
Family name
Given name
Facebook identification
Google identification
Date of birth
Email address
Sex
Facebook profile picture
Language
Phone’s language settings
Application user activity
List of Facebook friends

Mailchimp: Family and given name, Email addeess

Mailgun: Email address, User activity

Facebook: User’s ID, User activity

Facebook ads: Email

Google: User’s ID, User activity

Google ads: Email address

9. The User’s rights and the possibilities of the enforcemet thereof

9.1. The right to information
The controller informs the Data Subject of the existence of the right to request from the Controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability.

9.2. The right of access by the data subject
The Data Subject has the right to obtain from the Controller confirmation as to whether or not personal data concerning him are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; the existence of automated decision-making, including profiling, the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

9.3. Right to rectification
The Data Subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him.

9.4. Right to erasure
The Data Subject has the right to obtain from the Controller the erasure of personal data concerning him without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• the data subject withdraws consent and there is no other legal ground for the processing;
• the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
• the personal data have been unlawfully processed;
• the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
• the personal data have been collected in relation to the offer of information society services.

The erasure of data may not be requested if data processing is necessary for exercising the right of freedom of expression and information; for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; for reasons of public interest in the area of public health, or archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; for the establishment, exercise or defence of legal claims.

9.5. Right to restriction of processing
The Data Subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

• the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
• the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
• the Data Subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

9.6. Right to data portability
The Data Subject shall have the right to receive the personal data concerning him, which he has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided, where: the processing is based on consent or on a contract the processing is carried out by automated means. The Data Subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

The right to portability shall not adversely affect the rights and freedoms of others.

9.7. Right to object
The Data Subject has the right to object, on grounds relating to his particular situation, at any time to processing of his personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or for the purposes of the legitimate interests pursued by the Controller or by a third party, including the profiling carried out upon the following provisions. The Controller no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

9.8. Automated individual decision-making, including profiling
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

9.9. The right to withdraw consent
The data subject has the right to withdraw his consent at any time if processing is based on the Data Subject’s consent.

9.10. The right to bring infringement to the court
The Data Subject has the right to bring the violations of his right to the Court. The court proceeds as a matter of priority in the case.

9.11. Official proceedings of data protection


Complaint may be submitted to the National Data Protection and Information Authority:
Name: National Data Protection and Information Authority
Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal addres: 1530 Budapest, Pf.: 5.
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Email: ugyfelszolgalat@naih.hu

Other provisions

The Data Controller reserves the right to unilaterally modify this Privacy Policy subject to prior notification of the Data Subjects through the Xeropan© website and the Xeropan© mobile platform. Following the entering into force of the modification, by continuing to use the Xeropan© website and Xeropan© mobile application, the User shall be deemed to have implicitly accepted the provisions of the modified Privacy Policy.

The Service Provider manages a Facebook profile for advertising and promoting its products and services.
Questions asked on the Service Provider’s Facebook profile does not qualify as duly submitted complaints.
The Service Provider does not process personal data that are posted by Users in the Service Provider’s Facebook page.
Visitors are subject to the Facebook’s Privacy Policy.
The Service Provider may delete, without prior notification, the user from members for posting unlawful and offensive contents or may delete the user’s posts.
The Service Provider assumes no liability for unlawful contents or comments posted by Facebook users. The Service Provider assumes no liability for any error or malfunction related to the operation of Facebook or for problems arising from changes in the system operation.