Ügyfélszolgálat:+36 706 183 299officebp@takofoods.eu
    Nyelv
    Magyar
    Kezdőlap / Privacy policy

    Privacy policy

    1. Identification of the Controller

    The online store available at https://takofoods.eu is operated by

    TAKO FOODS HUNGARY Kft.
    Medve utca 28-30. 1st floor, door 1
    1027 Budapest
    Hungary
    Company ID: 01-09-359885
    VAT ID: HU27975750
    Tax ID: 27975750-2-41
    Phone: +36 706 183 299
    E-mail: officebp@takofoods.eu

    (hereinafter: Controller).

    2. Applicable laws and scope of this notice

    2.1.

    The Controller processes Users’ data primarily on the basis of the following laws:

    • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR);
    • Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities;
    • Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Services related to the Information Society (Ekertv.).

    2.2.

    The scope of this notice covers data processing carried out during the use of the website available at the above internet address (hereinafter: Website), the use of the services available there and the fulfillment of orders placed in the online store.

    2.3.

    For the purposes of this notice, User means natural persons who browse the Website, use the services of the Website, and/or place product orders with the Controller.

    3. Legal basis of processing

    3.1.

    The legal basis for processing by the Controller is, for certain processing operations, the User’s consent pursuant to Article 6(1)(a) GDPR, and for processing related to the order, Article 6(1)(b) GDPR, i.e. processing necessary for the performance of a contract to which the User is party.

    3.2.

    For processing based on consent, the User gives consent by ticking the checkbox preceding the data processing statement at the relevant locations. The User may read this privacy notice at any time by clicking the “Privacy Policy” link displayed at the bottom of every page of the Website, or by clicking on the link labeled “Privacy Policy” in the data processing statement mentioned in this section, by which the Controller ensures the User’s clear and detailed prior information. By ticking the checkbox preceding the data processing statement, the User declares that he/she has read the privacy notice and, being aware of its content, consents to the processing of his/her data as described herein.

    3.3.

    In some cases, the Controller is required by law to carry out certain processing operations, or may rely on its legitimate interests as a legal basis for processing. Details are set out below in the sections on specific processing operations.

    4. Processing related to ensuring the operation of the IT service

    4.1.

    The Controller uses cookies to operate the Website and to collect technical data on Website visitors.

    4.2.

    The Controller provides a separate notice on cookie-based processing: Privacy Notice on the Use of Cookies.

    5. Processing related to receiving and answering messages

    5.1. Data subjects

    Users who send a message to the Controller via the contact form available from the “Contact” menu of the Website or by using the email address(es) indicated on the Website.

    5.2. Legal basis

    Article 6(1)(a) GDPR – the User’s consent.

    5.3. Scope of data processed

    • name of the User sending the message,
    • email address,
    • any other data the User may provide in the message.

    With regard to any other data possibly provided by the User in the message, the Controller only processes such data to the extent necessary for receiving the message and for the subject matter of the message; the Controller does not request the provision of any such personal data from the User. In the event of the provision of any such unsolicited personal data, the Controller does not store such data and deletes it from its IT system without delay.

    5.4. Purpose

    To enable the User to exchange messages with the Controller. Related services:

    • writing a message on the Website,
    • receiving messages sent by email (using the email address(es) indicated on the Website),
    • answering messages received in the above ways, which the Controller completes within 2 business days.

    5.5. Storage period

    Until the message is answered and/or the User’s request is fulfilled. After answering/fulfillment, the Controller deletes the data processed for this purpose. If the information exchange involves several related messages, the Controller deletes the data upon completion of the information exchange and/or after fulfilling the request.

    If, following the exchange of messages, a contract is concluded and the content of the messages is relevant for the contract, the legal basis and storage period will be as set out in the section “Processing related to orders” (processing related to orders).

    5.6. Storage method

    In a separate processing list within the Controller’s IT system.

    6. Processing related to sending newsletters

    6.1. Data subjects

    Users who subscribe to the newsletter on the Website by completing the subscription fields and ticking the consent statement.

    6.2. Legal basis

    Article 6(1)(a) GDPR and Sections 6(1)–(2) of Act XLVIII of 2008 (Grt.) – the User’s consent. The User gives voluntary consent by reading this privacy notice and completing the subscription fields for the newsletter and ticking the consent statement located there, thereby consenting to the processing of data as set out in this privacy notice and to the sending of newsletters.

    In addition to sending useful information, the newsletter service also aims at direct marketing by the Controller. The User may subscribe to this service independently of the use of other services. This service is voluntary and based on the User’s decision following appropriate information. If the User does not use the newsletter service, it does not entail any disadvantage for the use of the Website or other services. The Controller does not make the use of its direct marketing service a condition for the use of any of its other services.

    6.3. Scope of data processed

    • name,
    • email address.

    6.4. Purpose

    Sending newsletters by the Controller to the User via email. Newsletters include information about the Controller’s service, news and updates, promotional offers, advertising and sales content.

    6.6. Storage period

    Until the User withdraws consent (unsubscribes) or requests deletion.

    6.7. Storage method

    In a separate processing list within the Controller’s IT system.

    7. Processing related to registration

    7.1. Data subjects

    Users who register on the Website.

    7.2. Legal basis

    Article 6(1)(a) GDPR – the User’s consent. The User gives voluntary consent by completing the registration form that appears during registration, ticking the checkbox before the data processing statement, and finally clicking the button necessary to finalize the registration.

    7.3. Scope of data processed

    For registered Users, processing covers the personal data and contact details marked as required on the registration form referred to above:

    • surname,
    • first name,
    • email address,
    • password.

    Purpose: registration on the Website, facilitating regular purchases.

    Related services:

    • creating a personal account for the User,
    • facilitating online ordering of products by storing the data necessary for the performance of the order and enabling the User to modify these data independently,
    • storing previous orders and making them accessible to the User in the user account.

    7.4. Storage period

    For registered Users, until deletion at the request of the registered User. Processing may also end upon the User’s deletion of the registration or upon the Controller’s deletion of the User’s registration. The User may delete the registration at any time or request deletion from the Controller, which the Controller executes without delay, but no later than within 10 business days of receipt of the request.

    7.5. Storage method

    In a separate processing list within the Controller’s IT system.

    8. Processing related to orders

    8.1. Data subjects

    Users who place an order on the Website.

    8.2. Legal basis

    Article 6(1)(b) GDPR – processing necessary for the performance of a contract to which the User is party.

    8.3. Scope of data processed

    • surname
    • first name
    • billing address
    • phone number
    • email address
    • shipping address
    • designation of the ordered product(s)
    • purchase price of the ordered product(s)
    • method of collection/delivery
    • method of payment
    • any other information provided by the User at the time of ordering that is necessary for fulfilling the order
    • time of order
    • time of payment

    8.4. Purpose

    Concluding and performing the contract arising from the order.

    8.5. Storage period

    The above data processed for the performance of the order are retained by the Controller for the period necessary to fulfill the accounting document retention obligation arising from accounting law. Under accounting law, this is at least 8 years from the date of invoice issuance, after which the Controller deletes the data within one year.

    During delivery necessary for fulfilling the order, the handling of the data required (name, shipping address, phone number) for this purpose lasts until the completion of the delivery. When transferring the data necessary for the performance of delivery to the delivering party, the Controller applies a processing restriction, whereby the delivering party may process the transferred data only to the extent and for the time necessary to perform the delivery.

    The company performing the delivery may, however, have a legitimate interest in retaining the above data or part of them for a certain period for the purpose of potential complaints, claims or civil disputes. In such cases, it acts as an independent Controller; further information is available in that service provider’s privacy notice. Service providers used by the Controller for such purposes are listed in this notice under “Use of Processors,” where links to their privacy notices are also indicated.

    Any additional data processed during the ordering process – e.g., messages of material relevance between the User and the Controller concerning the order – are retained by the Controller for 5 years from the conclusion of the contract, i.e., the general limitation period for civil law claims.

    8.6. Storage method

    In a separate processing list within the Controller’s IT system, and, for data necessary for proper accounting, on accounting vouchers to comply with the document retention obligation set out in accounting law.

    9. Data transfers

    9.1. Data subjects

    Users who choose an online payment method during the order on the Website, irrespective of the use of other services provided on the Website.

    9.2. Recipient of the transfer (online card payment service)

    Shoptet a.s.
    Dvořeckého 628/8, Břevnov, 169 00, Praha 6, Czech Republic
    Company ID (IČO): 28935675
    Recorded in the Commercial Register maintained by the Regional Court in České Budějovice, Section C, Insert No. 11030.
    Service: ShoptetPay – online card payment processing.

    9.3. Legal basis for transfer

    Article 6(1)(f) GDPR – the Recipient’s legitimate interests.

    The Recipient is required by applicable laws to operate a fraud prevention and detection system in connection with the provision of the payment service and is entitled to process the personal data necessary for this purpose. The Recipient has established a system in compliance with its statutory obligations, and the transfer by the Controller is necessary for the operation of that system. Accordingly, the Recipient has a legitimate interest in operating the fraud prevention and detection system to comply with legal obligations.

    Both the Controller and the Recipient have a legitimate interest in fraud prevention and ensuring the proper functioning of online payments. This relates to the main source of revenue for both organizations. It is also in the User’s interest, particularly to avoid misuse of bank card data.

    The data transfer enables the filtering and detection of fraud and the elimination of obstacles that may arise during the payment process.

    Data are transmitted from the set of data processed during the order/checkout via an encrypted electronic channel, exclusively to the Recipient and only in the case of online card payment; the Recipient does not use the data for any other purpose. Therefore, the transfer does not entail significant risk to the User and has no further perceptible effect.

    The transfer of data is necessary to achieve the purposes described here and is suitable for making the payment service more secure.

    Considering the above and the built-in safeguards, the data transfer does not constitute an unjustified interference with the privacy of Users; therefore, the transfer is a necessary and proportionate processing operation.

    9.4. Scope of data transferred

    • products placed in the cart and purchase data displayed in the cart (prices, costs),
    • name,
    • phone number,
    • email address,
    • address.

    The bank card details provided during payment are given by the User directly to the payment service provider; they are not accessible to the Controller.

    9.5. Purpose of the transfer

    Proper operation of the payment service and the technical execution of payment, confirmation of transactions, operation of fraud monitoring (a fraud detection system supporting the control of bank transactions initiated electronically) and customer support for the User.

    9.6.

    For information on processing carried out by the online payment service provider, including its legal basis, purpose, exact scope of data and storage period, the User can consult the provider’s website/privacy notice.

    9.7.

    The Controller does not transfer data to third parties for business or marketing purposes.

    9.8.

    Other than in the above case, the Controller transfers data only to authorities where required by law.

    10. Use of Processors

    The Controller uses the following business entities as processors.

    10.1. Hosting provider

    Shoptet a.s. (see company details above) – web hosting for the e-shop platform.

    Data subjects: Users visiting the Website, regardless of the use of other services.
    Scope of data processed: all data indicated in this notice may be processed to the extent necessary for hosting.
    Purpose: ensuring the operation of the Website from an IT perspective.
    Duration: identical to the storage periods set for each processing purpose in this notice.
    Nature of processing: provision of hosting only.

    10.2. Website developer

    Shoptet a.s.
    Dvořeckého 628/8, 169 00 Prague 6, Czech Republic
    Company ID (IČO): 28935675
    Phone: +420 604 600 444
    E-mail: info@shoptet.cz
    Website: https://www.shoptet.cz/
    (as Website developer – Processor).

    Data subjects: Users visiting the Website, regardless of the use of other services.
    Scope of data processed: all data indicated in this notice may be processed to the extent necessary for development/maintenance.
    Purpose: ensuring the operation of the Website from an IT perspective, through the necessary IT operations entailing processing.
    Duration: identical to the storage periods set for each processing purpose in this notice.
    Nature of processing: technical operations necessary for the IT operation of the Website only.

    10.3. Processing related to sending newsletters

    Currently, no separate email marketing provider is used. If such a provider is engaged in the future, this section will be updated with the provider’s identification details and processing terms.

    10.4. Processing related to product delivery

    Delivery by TakoFoods Hungary – carrier / delivery service

    TAKO FOODS HUNGARY Kft.
    Medve utca 28-30. 1st floor, door 1
    1027 Budapest
    Hungary
    Company ID: 01-09-359885
    VAT ID: HU27975750
    Tax ID: 27975750-2-41

    Data subjects: Users who order delivery to the address specified by them.
    Scope of data processed: surname, first name, phone number, shipping address.
    Purpose: delivery of the ordered product as part of performing the contract, including, if necessary, scheduling the place and time of delivery by phone.
    Duration: for the time necessary to perform delivery and handover.
    Nature of processing: only processing operations necessary for delivery and handover.

    10.5. Processing related to the issuance of invoices

    The Controller uses invoicing software; the identification data of the invoicing software provider will be indicated here if a third-party processor is engaged. Until then, invoicing data are processed within the Controller’s systems to the extent permitted by law.

    Scope of data processed: name and address of the ordering User, designation of the ordered goods and/or services, date of purchase and the purchase price, shipping fee and any other fees as appearing on accounting documents.
    Purpose: ensuring the operation of the invoicing software (where applicable) from an IT perspective, through the technical operations necessary for the secure operation of the software.
    Duration: for 8 years from the date of the invoice in order to fulfill the document retention obligation arising from accounting law.

    10.6. Processing related to accounting services

    If the Controller engages an external accounting firm, its identification data will be indicated here. Until then, accounting is handled in accordance with applicable law.

    Scope of data processed: name and address of the ordering User, designation of the ordered goods, date of purchase and the purchase price, shipping fee and any other fees as appearing on accounting documents.
    Purpose: fulfillment of statutory accounting obligations relating to the Controller’s business activities using the services of the above Processor (if engaged).
    Duration: at most for the time necessary to fulfill the accounting document retention obligation – deletion in the year following the 8th year from the date of invoice issuance.

    10.7.

    No processing for other purposes takes place.

    10.8.

    Other than the Processors indicated above, the Controller does not use additional processors.

    11. Users’ rights in relation to processing

    11.1. Right of access

    At the User’s request, the Controller provides information about the User’s data that it processes and/or that are processed by a Processor on its behalf or according to its instructions, their source, the purpose, legal basis and duration of processing, the name and address of the Processor and its processing activities, the circumstances of any data breach that may have occurred, its effects and the measures taken to remedy it, and – in the case of transfer of the personal data concerned – the legal basis and recipient of the transfer. The Controller provides the information without undue delay, but no later than one month from receipt of the request.

    As part of the right of access, the Controller provides the User with a copy of the personal data undergoing processing no later than one month from receipt of the request. For any further copies requested by the User, the Controller may charge a reasonable fee based on administrative costs.

    11.2. Right to data portability

    The User has the right to receive the personal data concerning him/her, which he/she has provided to the Controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

    • the processing is based on the User’s consent or on a contract, and
    • the processing is carried out by automated means.

    In exercising the right to data portability, the User has the right to have the personal data transmitted directly from one controller to another, where technically feasible.

    11.3. Right to rectification

    The User may request the rectification of processed data, which the Controller performs without undue delay, but no later than one month from receipt of the request. Taking into account the purposes of the processing, the User has the right to have incomplete personal data completed, including by means of a supplementary statement.

    11.4. Right to restriction of processing

    The Controller marks the personal data it processes for the purpose of restricting processing. The User has the right to obtain from the Controller restriction of processing where one of the following applies:

    • the User contests the accuracy of the personal data – in which case restriction applies for a period enabling the Controller to verify the accuracy of the personal data;
    • the processing is unlawful and the User opposes the erasure of the personal data and requests the restriction of their use instead;
    • the Controller no longer needs the personal data for the purposes of the processing, but they are required by the User for the establishment, exercise or defence of legal claims; or
    • the User has objected to processing based on the Controller’s legitimate interests – in which case restriction applies pending verification whether the Controller’s legitimate grounds override those of the User.

    11.5. Right to erasure

    The Controller deletes the personal data where:

    • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    • the User withdraws consent on which the processing is based, and there is no other legal ground for the processing;
    • the User objects to the processing and there are no overriding legitimate grounds for the processing, or the User objects to processing for direct marketing purposes;
    • the personal data have been unlawfully processed;
    • the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
    • the User requests erasure or objects to processing and the personal data were collected in relation to the offer of information society services directly to a child.

    The Controller notifies the User concerned of any rectification, restriction or erasure, as well as all controllers to whom the data have previously been transferred. Notification may be omitted where it proves impossible or involves disproportionate effort. At the User’s request, the Controller informs him/her about those recipients.

    11.6. Right to object

    The User has the right to object, on grounds relating to his/her particular situation, at any time to processing of personal data concerning him/her which is based on the Controller’s legitimate interests. In such a case, the Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the User or for the establishment, exercise or defence of legal claims.

    12. Fulfillment of Users’ requests

    12.1.

    The Controller provides the information and takes the measures described above free of charge. If the User’s request is manifestly unfounded or – in particular because of its repetitive character – excessive, the Controller, taking into account the administrative costs of providing the requested information or communication or taking the requested action, may:

    • charge a reasonable fee, or
    • refuse to act on the request.

    12.2.

    The Controller informs the User about the measures taken in response to the request without undue delay and in any event within one month of receipt of the request, including the provision of data copies. Where necessary, taking into account the complexity and number of requests, that period may be extended by two further months. The Controller informs the User of any such extension within one month of receipt of the request, together with the reasons for the delay. If the User’s request is made electronically, the information is provided electronically unless the User requests otherwise.

    12.3.

    If the Controller does not take action on the User’s request, the Controller informs the User without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with the supervisory authority indicated below and seeking a judicial remedy as described there.

    12.4.

    The User may submit requests to the Controller in any manner enabling identification of the person. Identification of the User submitting the request is necessary because the Controller can only fulfill requests of authorized persons. If the Controller has reasonable doubts concerning the identity of the natural person making the request, it may request the provision of additional information necessary to confirm the User’s identity.

    12.5. Contact for requests

    By post to the Controller’s mailing address: Medve utca 28-30. 1st floor, door 1, 1027 Budapest, Hungary, or by email to info@takofoods.eu. Requests sent by email are considered authentic only if sent from the User’s email address provided to and recorded by the Controller; however, using a different email address does not mean that the request will be disregarded. In the case of email, the time of receipt is deemed to be the first business day following sending.

    13. Data protection and data security

    13.1.

    In the course of its processing and that carried out by its Processors, the Controller ensures the security of data by technical and organizational measures and internal procedures to enforce laws and other data and trade secret protection rules. The Controller protects the data processed, in particular, against unauthorized access, alteration, transfer, disclosure, deletion or destruction, accidental destruction and damage, and against becoming inaccessible due to changes in the technology used.

    13.2.

    Data underpinning the measurement of visits and mapping of Website usage habits are recorded by the Controller’s IT system from the outset in such a way that they cannot be directly linked to any person.

    13.3.

    Data are processed only for the purposes specified in this notice and to the extent necessary and proportionate to achieve those purposes, in accordance with the applicable laws and recommendations and with appropriate security measures.

    13.4.

    To this end, the Controller uses the “https” scheme of the HTTP protocol to access the Website, which encrypts and uniquely identifies web communications. In addition, as described above, the Controller stores the processed data in encrypted data files in processing lists separated by processing purpose, which can be accessed by the Controller’s specified employees (performing the activities indicated in this notice) who have job responsibilities for data protection and for responsible processing in accordance with this notice and applicable law.

    14. Enforcement

    Data subjects may exercise their rights before a court and may also contact the National Authority for Data Protection and Freedom of Information:

    Nemzeti Adatvédelmi és Információszabadság Hatóság
    Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
    Postal address: 1530 Budapest, Pf.: 5.
    Phone: +36 1 391 1400
    Fax: +36 1 391 1410
    E-mail: ugyfelszolgalat@naih.hu
    Website: http://www.naih.hu/

    When choosing the judicial route, proceedings may – at the choice of the User concerned – also be brought before the general court (törvényszék) having jurisdiction over the User’s domicile or place of residence, since the adjudication of the case falls within the jurisdiction of the general court.

    Effective date: 05.11.2025