Privacy Policy - BrickHunter

Privacy Policy

Last updated: 2026-07-07

This privacy policy describes how BrickHunter ("we", "us") collects, uses, stores, and shares personal data when you use our website and related services (the "Service"). It is written to meet the requirements of Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and Hungarian Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information ("Infotv.").

By using the Service, you acknowledge that you have read this policy. Processing activities that rely on your consent only take place after you have given that consent.

1. Data controller

The data controller responsible for processing your personal data is:

  • Name: Geiger Tamás e.v. (sole proprietor)
  • Address: Váci út 83/A 2/208, 1044 Budapest, Hungary
  • Tax ID: HU60384649
  • Email: [email protected]

We have not appointed a Data Protection Officer, as we are not required to do so under Article 37 GDPR. For any data protection matter, you may contact us at the address above.

The competent supervisory authority for the controller is the Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, "NAIH"). Its contact details are listed in section 11.

2. Scope and legal bases of processing

Personal data is any information relating to an identified or identifiable natural person. The table below lists each processing activity we carry out, the categories of data involved, the purpose, the legal basis under Article 6(1) GDPR, and the retention period.

2.1 Account registration and management

  • Data: email address, name, hashed password, market of registration (home market), timezone, notification preferences, terms and privacy policy acceptance timestamps, optional profile-personalisation fields (shopping interests, buying motivation, year of birth — see section 2.14). If you sign in with Google or Facebook, we additionally store the provider user ID returned by that provider.
  • Purpose: to create and maintain your user account, authenticate you, enforce our Terms of Service, and record that you have accepted this policy.
  • Legal basis: performance of a contract between you and us — Art. 6(1)(b) GDPR.
  • Retention: for the lifetime of your account. When you request deletion, your account is retained for a 14-day grace period (see section 2.9) and then deleted.

2.2 Sign in with Google / Sign in with Facebook

  • Data: your Google or Facebook user ID, email address, name, and (if available) whether the email is verified.
  • Purpose: to let you authenticate using an external identity provider instead of a password.
  • Legal basis: performance of a contract — Art. 6(1)(b) GDPR. When you click the sign-in button you initiate the authentication flow, which is necessary to provide the Service.
  • Recipients: Google Ireland Limited and Meta Platforms Ireland Limited act as independent controllers for their own authentication services. See section 3.
  • Retention: the provider user ID is stored for as long as you keep your account linked to that provider, and deleted together with your account.

2.3 Wishlist, price alerts, and preferences

  • Data: product references you add to your wishlist, target prices, personal notes on wishlist items (optional, up to 500 characters), alert preferences (notify on any price drop, notify on back in stock), the market you were browsing when you added each item.
  • Purpose: to provide the wishlist and price-alert features you have requested.
  • Legal basis: performance of a contract — Art. 6(1)(b) GDPR.
  • Retention: for as long as the entries remain in your wishlist, and until the account is deleted (entries are deleted together with the account).

2.4 Push notification tokens

  • Data: Firebase Cloud Messaging (FCM) device tokens registered by your browser or, in the future, by our mobile application; the platform, user agent, and activity status of each token.
  • Purpose: to deliver browser and mobile push notifications you have opted in to (for example, price-drop alerts), and — on the mobile application — to send occasional silent background messages that refresh the home-screen wishlist widget when your wishlisted products' prices or availability change. Silent messages display no notification; they only prompt the app to refresh in the background and carry no personal data beyond a message-type marker.
  • Legal basis: your consent — Art. 6(1)(a) GDPR. You give consent in two steps: by accepting the browser or operating-system prompt, and by enabling push notifications in your account settings. You may withdraw consent at any time by disabling notifications in the Service or revoking the browser / OS permission.
  • Retention: active tokens are retained while you keep push notifications enabled. Tokens that become inactive (for example, when your browser revokes the subscription) are deleted 30 days after they were last seen active. All tokens are deleted when your account is deleted.

2.5 Transactional email

  • Data: your email address, name, and the content of the message (for example, a price-drop link, an email-verification link, or a password-reset link).
  • Purpose: to send emails that are strictly necessary to operate the Service — email verification, password reset, email-change confirmation, account-deletion confirmation, and price-alert notifications you have subscribed to.
  • Legal basis: performance of a contract — Art. 6(1)(b) GDPR.
  • Recipient: Sendinblue SAS (operating as Brevo) — see section 3.
  • Retention: for the duration of your account. Delivery metadata (opens, bounces) held at Brevo is retained according to Brevo's retention policy.

2.6 Marketing email and audience segmentation

  • Data: we store you as a contact at Brevo with the following identity fields — email address, name, market, locale, timezone, registration date, email-verified flag, authentication provider (password / Google / Facebook) — and the following segmentation attributes derived from your activity on the Service: your consent states (marketing, email notifications, push notifications), your optional profile answers (shopping interests, buying motivation, year of birth — see section 2.14), activation signals (whether you have any wishlist items, number of wishlist items, the date of your first wishlist add, the last date you were active on the Service), the slugs of the top five LEGO themes present in your wishlist, up to twenty set numbers from your wishlist, the slugs of the top five themes among the products you have clicked out to partner shops in the last 30 days, the slugs of the top five themes among the products you have viewed in the last 30 days, and the total number of partner-shop click-outs you made in the last 30 days. We never send user-generated free text (wishlist notes, category names), credentials, or provider-specific IDs (Google / Facebook IDs) to Brevo.
  • Purpose: to send you personalised messages about LEGO sets, price deals, and Service updates we believe are relevant to you; and to compute per-market audience segments (for example, opted-in users whose wishlist or recently-browsed themes overlap a specific LEGO theme) so that we can run partner-sponsored marketing campaigns from within Brevo without exposing any user data to partners.
  • Legal basis: your consent — Art. 6(1)(a) GDPR. We only add you to a marketing list and only send marketing email if you have explicitly opted in, either via the dedicated checkbox at registration or by turning on "Tailored deals & recommendations" in your account settings. You may withdraw consent at any time via the "unsubscribe" link in every marketing email or from your account settings; we then remove you from every market list at Brevo immediately, and your segmentation attributes are no longer updated. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
  • Recipient: Sendinblue SAS (Brevo) — see section 3.
  • Retention: contact attributes are retained at Brevo until you withdraw consent or delete your account. Event data (workflow triggers such as user_registered, wishlist_add, price_drop_notified) are retained at Brevo according to Brevo's 90-day default event-retention period. When you delete your account (section 2.9), your Brevo contact is removed at the end of the 14-day grace period; Brevo's event history decays separately on the schedule above. Once consent is withdrawn while the account still exists, your email is placed on an internal suppression list solely to ensure we do not email you again.

2.7 Outbound click tracking

  • Data: for every click on a "visit shop" button, we log: product ID, shop ID, market ID, referring user ID (if logged in), a keyed HMAC-SHA256 hash of your IP address, user-agent string, Accept-Language header, the GA4 client ID and session ID associated with your visit (if present), and a timestamp.
  • Purpose: to measure which offers are most useful, to provide aggregated shop and product performance reports, to detect fraudulent or automated traffic, and to reconcile outbound traffic with our retailer partners.
  • Legal basis: our legitimate interest in running and improving the Service and preventing abuse — Art. 6(1)(f) GDPR. The data we store is not directly identifying (IP addresses are never stored in plain text — only a keyed hash).
  • Retention: aggregated shop statistics are retained indefinitely, because they do not identify you. The GDPR-relevant fields attached to each click record — the hashed IP, user agent, Accept-Language header, GA4 client ID, GA4 session ID, and (if any) the link to your user account — are removed after 12 months, so that only non-identifying statistics remain. If you delete your account before that point, the user-account link on your click records is removed immediately.

2.8 Session cookies and authentication

  • Data: a session identifier stored in the brickhunter-session cookie, and — while the session is active — the user you are logged in as, your active market, a keyed HMAC-SHA256 hash of your IP address (not the IP itself), and your user agent.
  • Purpose: to keep you logged in, to protect against session-hijacking, and to display the correct market.
  • Legal basis: performance of a contract — Art. 6(1)(b) GDPR. Session cookies are strictly necessary for the Service and do not require a consent banner.
  • Retention: the session cookie expires 120 minutes after your last activity, or sooner if you log out. Session records are garbage-collected automatically afterwards.

2.9 Account deletion

  • Data: your account email, the scheduled deletion date.
  • Purpose: to let you exercise your right to erasure. When you request deletion, your account is marked with a scheduled deletion date 14 days in the future and a verification email is sent. At the end of that period, the account is processed.
  • Legal basis: compliance with a legal obligation under Art. 17 GDPR — Art. 6(1)(c) GDPR. The 14-day grace period is a legitimate-interest measure (Art. 6(1)(f)) to let you cancel an accidental or unauthorised deletion request.
  • What is deleted: your user record, your wishlist items, your alerts log entries, your device tokens, and all API tokens. In the clicks table, personal identifiers (hashed IP, user agent, Accept-Language header, GA IDs, and link to your user ID) are set to null — the click events themselves remain as anonymous shop statistics.
  • Retention: the account record is deleted on the scheduled date. See section 2.7 regarding anonymised click data.

2.10 Customer support communication

  • Data: your email address and the content of the messages you send to us.
  • Purpose: to reply to your support requests, complaints, or data-subject requests.
  • Legal basis: performance of a contract — Art. 6(1)(b) GDPR for service-related requests; compliance with a legal obligation — Art. 6(1)(c) GDPR for data-subject requests we must answer under Chapter III GDPR.
  • Retention: 3 years from the last message, to evidence that we answered within the legally required timeframes. Data-subject requests we have acted on are retained for 3 years to evidence compliance.

2.11 Security and API access logging

  • Data: server application logs containing request metadata (URL, HTTP status, timing), error stack traces, and — for rate-limit decisions and abuse detection — keyed HMAC-SHA256 hashes of IP addresses. For requests to our mobile-app and browser-extension API (paths under /api/), we additionally keep a per-request access log recording the HTTP method, endpoint, status code, response time, the API client and installation identifiers, the authenticated user ID (only when the request is authenticated), the user-agent string, and the same keyed hash of the IP address. We never log IP addresses in plain text.
  • Purpose: to detect and investigate security incidents and abuse (for example brute-force login, credential stuffing, scraping, or rate-limit evasion against the API), to monitor API error rates and service reliability, and to debug service errors.
  • Legal basis: our legitimate interest in operating a secure and reliable service — Art. 6(1)(f) GDPR. The data is not directly identifying — IP addresses are stored only as keyed hashes; where a request is authenticated, the access-log entry may be linked to your account through your user ID solely for the purpose of investigating abuse of that account.
  • Retention: 14 days, after which logs are rotated out automatically.

2.12 Web analytics (Google Analytics 4)

  • Data (with analytics consent): GA4 client ID (stored in the brickhunter_client_id cookie), GA4 session ID, page views, events (searches, wishlist actions, outbound clicks, etc.), approximate location derived from IP (the IP itself is not stored by GA4 in identifiable form — Google truncates it before storage), device and browser details.
  • Data (without analytics consent): no Google Analytics cookies (_ga, _ga_*) are set or read, and no persistent user or device identifier is transmitted. Google Analytics runs in Google Consent Mode v2 in advanced mode (see Google's documentation): a cookieless "ping" is sent to Google containing only the timestamp, the user-agent string, the referrer URL, a boolean consent state, a flag indicating whether the current or a prior page contained ad-click information in the URL (such as a gclid / dclid), and a random number generated on each page load. Google states that the IP address received as part of the network request is not stored or logged. Google uses these signals solely to produce aggregated, modelled reports — no individual user profile is built from them.
  • Server-side events: when a conversion-relevant event occurs, we send it to GA4 from our server using the Measurement Protocol. The event inherits the current consent signals from your browser session (both analytics_storage and ad_storage). If no GA4 client ID is available, a one-time UUID is generated and the event is sent with an explicit permanent-denied consent state.
  • User-identifying signals (only with marketing consent): when you are signed in and have granted marketing consent, the server-side event additionally carries a SHA-256 hash of your email — both as the GA4 user_id (for cross-device attribution) and in the user_data.sha256_email_address field, which Google uses, together with its own signed-in users' data, to improve audience reports, conversion attribution, and ads-measurement accuracy. Only the SHA-256 hash is sent; the plaintext email never leaves our servers, and the hash cannot be reversed by Google. If you are not signed in, or if you have not granted marketing consent, no user-identifying hash is sent in either field.
  • Purpose: to understand how the Service is used and improve it.
  • Legal basis: your consent — Art. 6(1)(a) GDPR. You may grant, reject, or change your choice at any time via the cookie banner or the cookie-settings link in the site footer.
  • Recipient: Google Ireland Limited — see section 3.
  • Retention: GA4 retains event-level data for 14 months by default. Our own cookies brickhunter_client_id (up to 24 months) and brickhunter_session_id (30 minutes) are used for GA4 correlation.
  • Email link tracking: outbound links inside our transactional emails (password reset, email verification, price-drop alerts, account-deletion notifications, etc.) carry standard UTM query parameters (utm_source, utm_medium, utm_campaign, utm_content) so that GA4 can attribute the resulting visit to the email it originated from. The UTM parameters themselves describe the email type and subject — not the recipient — and do not set or read any cookies on their own. When you click such a link, GA4 records the visit subject to the same consent-based behaviour described above: with analytics consent the visit is attached to your GA4 client ID, without analytics consent only the cookieless modelled signal is sent.

2.13 Advertising (Google Ads, Meta Ads)

  • Data (with marketing consent): conversion events, page views, and interactions you make while on the Service, sent to Google Ads, the Meta (Facebook) Pixel, and the Meta Conversions API for measurement and remarketing. Depending on the platform's behaviour, this may include your IP address, cookie identifiers, and a hashed version of your email (for Google's Enhanced Conversions and Meta's Advanced Matching).
  • Data (without marketing consent):
    • Google Ads continues to run in Google Consent Mode v2 advanced mode. No Google Ads cookies (_gcl_*) are set or read, and any gclid / dclid identifiers are redacted from the outgoing network requests. Cookieless pings with the same minimal signals described in section 2.12 are still sent to Google, and are used solely for aggregate conversion modelling (to estimate, at an aggregate level, conversions that would otherwise have been measured with consent). No individual user is tracked, profiled, or retargeted.
    • Meta Pixel does not implement an equivalent consent-mode mechanism. When you deny the marketing category, the Meta Pixel is not loaded and does not fire at all — no request is made to Meta from the Service in that case.
  • Server-side conversion events (Meta Conversions API): when you have granted marketing consent, conversion-relevant events (specifically: outbound clicks to partner shops) are also sent to Meta from our server using the Meta Conversions API. The server-side event carries: a SHA-256 hash of your email if you are signed in (em), your IP address (client_ip_address, transmitted to Meta over TLS — Meta hashes it on receipt and does not retain the plaintext), your browser user-agent (client_user_agent), and the values of the _fbp and _fbc cookies if your browser has them. Meta uses these signals together with the browser-side Pixel signals to improve ad measurement, attribution, and audience matching despite browser-level tracking limitations (third-party cookie blocking, ad-blockers). The server event is only dispatched when you have granted marketing consent — without that consent, no server event is sent. If you are signed out, the em field is omitted.
  • Purpose: to measure the effectiveness of our advertising campaigns and, when you have given marketing consent, to show you relevant ads on third-party platforms.
  • Legal basis: your consent — Art. 6(1)(a) GDPR. Tag firing is controlled through Google Tag Manager according to your choices in the cookie banner. You may withdraw consent at any time via the cookie-settings link.
  • Recipients: Google Ireland Limited and Meta Platforms Ireland Limited — see section 3.
  • Retention: governed by the third-party platform's retention policies. We do not store advertising identifiers on our own servers.
  • Up-to-date third-party information: Google maintains an up-to-date list of cookies used by its advertising products at business.safety.google/adscookies. Meta publishes the current list of cookies it sets at facebook.com/privacy/policies/cookies. These pages take precedence over the cookie names listed in section 6 if they diverge.

2.14 Profile personalisation

  • Data: your answers to three voluntary onboarding questions — who you typically shop for (yourself, children, extended family, friends/acquaintances), what matters most to you when you buy (lowest price, best value for money), and your year of birth. All three questions are optional and individually skippable; no answer is required to use the Service. We collect year of birth only, never an exact date, and use it solely to place users into broad age bands for targeting. We also store an internal timestamp for each question recording when you last engaged with it.
  • Purpose: to personalise the on-site experience and — once you have given explicit marketing consent (section 2.6) — to inform partner-coupon targeting via Brevo.
  • Legal basis: our legitimate interest in personalising the on-site experience — Art. 6(1)(f) GDPR — for the on-site use; your consent under Art. 6(1)(a) GDPR for the Brevo-based marketing use, which is only activated if you have opted into marketing email.
  • Retention: for the lifetime of your account. These fields are deleted together with your account at the end of the deletion grace period (section 2.9). You may clear or change any of the three answers at any time from your account settings.

2.15 Aggregated browsing history (theme-level)

  • Data: while you are logged in and you have turned on "Tailored deals & recommendations" (see section 2.6), we log a theme-level record for each LEGO product-detail page you visit — specifically: your user ID, the LEGO theme ID of the product you viewed, the market on which you viewed it, and a timestamp. We do not log the individual product, the price you saw, the shop you clicked through to (click-outs are a separate processing activity — section 2.7), nor anything about the page layout or your scroll/interaction behaviour. We skip known bot traffic.
  • Purpose: to determine, at a theme level, which parts of the LEGO catalogue are currently of interest to you, so that the weekly product-lifecycle digests (newly-announced sets, newly available to preorder or buy, entering "Retiring soon") and other marketing messages described in section 2.6 can be filtered or prioritised around themes you actually engage with.
  • Legal basis: your consent — Art. 6(1)(a) GDPR. No theme-view record is written unless you are logged in AND you have explicitly opted into marketing. Turning marketing off stops further theme-view logging immediately; existing theme-view records expire on their own schedule below. Anonymous visitors and logged-in users who have not opted in never have theme-view records created.
  • Retention: 90 days. Theme-view records older than 90 days are deleted automatically by a scheduled daily job. The 90-day window matches the 30-day recency window used in your Brevo segmentation attributes (see section 2.6) with a buffer for operational reprocessing. On account deletion, all of your theme-view records are removed together with your account.

2.16 Browser extension authorization

  • Data: when you sign into the BrickHunter browser extension (Chrome or Firefox companion), we record an OAuth 2.0 authorization code bound to your user account, the extension's registered redirect URI, the PKCE code challenge, the market you selected during the consent step (optional, for telemetry), and timestamps for issue / expiry / consumption. The code is hashed at rest with HMAC-SHA256 and is single-use with a 60-second lifetime. After successful exchange we issue you a long-lived API access token labelled "extension" attached to your account, identical in nature to the access tokens issued to our mobile app.
  • Purpose: to let the extension act on your behalf — read and modify your wishlist, receive price-drop alerts, and identify products you are viewing on partner shop pages — without you having to enter your password again. Authorization codes themselves are operational artefacts; only the resulting access token is retained.
  • Legal basis: performance of the contract — Art. 6(1)(b) GDPR. The extension cannot function on your account without an access token.
  • Retention: authorization codes expire after 60 seconds and are deleted within 5 minutes of expiry by an automated cleanup job. Access tokens persist until you revoke them (extension logout, "Log out everywhere" from settings, password reset, or account deletion). All extension-issued tokens are revoked together with the rest of your tokens on account deletion.

2.17 Google CSS service applications

  • Data: if you apply for our free Google Comparison Shopping Service (CSS) on the /css page, we collect your full name, company name, business email address, and one or more Google Merchant Center account IDs, together with the locale and market you applied from and the timestamp on which you accepted the CSS Service Terms of Service. If you separately choose to grant us a user role on your Google Merchant Center account, that grant is made and managed inside Google Merchant Center, not stored by us; granting it is optional.
  • Purpose: to receive and evaluate your application, to associate your Merchant Center account with our CSS, and to contact you about the CSS service (including a confirmation email). Application details are also sent to our internal CSS mailbox so we can act on them.
  • Legal basis: the taking of steps at your request prior to, and the performance of, the free CSS service arrangement — Art. 6(1)(b) GDPR — together with our legitimate interest in evaluating and administering applications for a service we offer free of charge — Art. 6(1)(f) GDPR.
  • Recipient: the confirmation email is delivered via Sendinblue SAS (Brevo) — see section 3.2. Applications are not shared with any other third party. Note that this application is a business-to-business relationship separate from any personal user account you may hold.
  • Retention: application records are retained for as long as your account is associated with our CSS and for a reasonable period afterwards to evidence the arrangement; applications that do not proceed are deleted within 24 months.

2.18 Mobile application

Our mobile application (BrickHunter) processes the same account data as the website, plus the following mobile-specific data:

  • Device identifier. A per-installation identifier (Identifier for Vendor on iOS, or an equivalent app-scoped identifier on Android) secures API access (installation token) and prevents abuse. Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in securing the Service.

  • Push notification token. If you enable notifications, a Firebase Cloud Messaging (FCM) device token is registered with us to deliver the price-drop and target-price alerts you configured. We also use this token to send silent background messages that keep the home-screen wishlist widget up to date: these display no notification, wake the app only to refresh the widget in the background, and carry no personal data beyond a message-type marker. You can disable notifications at any time in the app or your device settings, which removes the token. Legal basis: performance of the service you requested (Art. 6(1)(b)) / your consent to notifications.

  • Camera (barcode scanner). When you use the barcode scanner, the camera image is processed on your device only to decode the EAN/GTIN. No image is stored or transmitted; only the decoded number is sent to look up the matching set. Legal basis: performance of the service (Art. 6(1)(b)).

  • Biometric unlock. If you enable biometric unlock, authentication is performed by your device's operating system (Face ID / Touch ID / fingerprint / passcode). We never receive or store your biometric data — it never leaves your device. Legal basis: your consent to enable the feature.

  • Diagnostics. We use Firebase Crashlytics and Firebase Performance Monitoring to collect crash reports and performance data so we can fix defects. These reports do not contain your account credentials. Legal basis: legitimate interest in a stable Service.

  • Analytics. We use Firebase Analytics, in the same GA4 property as the website, gated by the in-app consent screen (see the Cookie Policy). Analytics is denied by default until you choose to allow it. Legal basis: your consent (Art. 6(1)(a)).

  • Firebase (processor). Firebase Cloud Messaging, Analytics, Crashlytics, Performance Monitoring, and Remote Config are provided by Google Ireland Limited as our processor. See section 3 (Recipients of data) for its role and privacy policy.

  • Advertising and app-install measurement (Meta App Events SDK). The app integrates Meta's App Events SDK so that we can measure and optimise our Meta (Facebook / Instagram) app-install advertising campaigns and attribute installs and conversions to them. This SDK is denied by default and collects nothing until you both (a) grant the in-app marketing/ads consent — the same Consent Mode v2 choice described in the Cookie Policy, which is denied by default — and (b), on iOS, allow tracking in Apple's system App Tracking Transparency (ATT) prompt. Only after that consent does the SDK transmit the following to Meta:

    • App events: app install and activation; product content views; searches (the search term itself is never sent to Meta); wishlist additions; account registrations (only the sign-up method — email, Google, or Facebook — never your email address); and purchases recorded when you click out to a partner shop (the offer value, the currency, and the LEGO set number as the content identifier).
    • Your device advertising identifier — the IDFA on iOS (only if you allow tracking in the ATT prompt) or the Google Advertising ID (GAID) on Android.
    • Technical data the SDK attaches to each event — your IP address, app and device information, and an anonymous, Meta app-scoped identifier.

    The content identifiers we send are LEGO set numbers, which are not personal data. The app does not send your hashed email address or phone number to Meta — Meta "Advanced Matching" is disabled in the app. Legal basis: your consent — Art. 6(1)(a) GDPR. You may withdraw consent at any time in the app's consent settings and, on iOS, by turning off tracking for the app in your system privacy settings; the SDK then stops collecting. Meta Platforms Ireland Ltd. is the recipient and transfers this data to Meta Platforms Inc. in the United States under the safeguards described in section 4. See section 3.4.

  • Apple SKAdNetwork (iOS only). On iOS, install attribution additionally uses Apple's SKAdNetwork, which reports campaign performance to Meta in a privacy-preserving, aggregated form that contains no user-level data. SKAdNetwork operates at the operating-system level and does not identify you.

Apart from the Meta App Events SDK described above — which is off by default and runs only after you opt in — no mobile data is used for cross-app advertising tracking. Because that SDK can, with your permission, measure app-install advertising across apps, the app shows Apple's App Tracking Transparency prompt on iOS. If you choose "Ask App Not to Track" there, or leave the in-app marketing/ads consent denied, no advertising identifier is collected and Meta app-event tracking stays off.

3. Recipients of data (subprocessors)

We share personal data only with the processors and independent services listed below, each of which provides an appropriate level of data protection. Data is never sold to third parties.

3.1 Hosting infrastructure

3.2 Email delivery

  • Sendinblue SAS (Brevo) — 17 rue Salneuve, 75017 Paris, France. Delivers transactional email, and — if you have opted into marketing — stores your contact record with the segmentation attributes listed in section 2.6, manages your membership in our per-market contact lists, receives server-side workflow-trigger events (such as registration, email verification, wishlist add, price-drop notified, and the three weekly product-lifecycle digest triggers: newly-announced sets, newly available to preorder or buy, entering "Retiring soon"), and sends the resulting marketing messages. Role: processor. Data is processed within the European Union. Privacy policy: brevo.com/legal/privacypolicy. DPO: [email protected].

3.3 Identity providers

  • Google Ireland Limited — Gordon House, Barrow Street, Dublin 4, Ireland. Provides "Sign in with Google". Role: independent controller for the authentication flow, processor for information returned to us. Privacy policy: policies.google.com/privacy.
  • Meta Platforms Ireland Limited — Merrion Road, Dublin 4, D04 X2K5, Ireland. Provides "Sign in with Facebook". Role: independent controller for the authentication flow, processor for information returned to us. Privacy policy: facebook.com/privacy/policy.

3.4 Analytics and advertising

  • Google Ireland Limited — as above. Provides Google Analytics 4, Google Tag Manager, and Google Ads. Role: processor for Google Analytics; joint/independent controller for Google Ads, depending on the product. Consent Mode v2 documentation: support.google.com/analytics/answer/9976101. Up-to-date information on cookies used by Google advertising products: business.safety.google/adscookies.
  • Meta Platforms Ireland Limited — as above. Provides the Meta (Facebook) Pixel, the Meta Conversions API, and Meta Ads on the website, and — in our mobile application — the Meta App Events SDK used, subject to your in-app marketing consent and (on iOS) the App Tracking Transparency prompt, to measure and optimise app-install advertising (see section 2.18). Role: joint controller with us (per CJEU case C-40/17, Fashion ID) for the Pixel and the Conversions API, since both transmit user-identifying signals to Meta for the same advertising purposes; recipient of the app-event data collected by the App Events SDK. Data collected in the app is transferred to Meta Platforms Inc. in the United States (see section 4). Joint-controller information is made available through Meta's Business Tools Terms. Meta's data policy: facebook.com/privacy/policy. Up-to-date information on cookies used by Meta: facebook.com/privacy/policies/cookies.

3.5 Push notifications, mobile analytics, and diagnostics

  • Google Ireland Limited — as above. Provides Firebase Cloud Messaging (browser and mobile push delivery), and — for our mobile application — Firebase Analytics (the same GA4 property as the website), Crashlytics, Performance Monitoring, and Remote Config. Role: processor. Privacy policy: firebase.google.com/support/privacy. Analytics collection in the app is governed by Consent Mode v2 exactly as on the website.

4. International data transfers

Personal data processed by us is stored primarily on servers located in the European Union (Frankfurt, Germany). Some of the recipients listed in section 3 are established in, or transfer data to, countries outside the European Economic Area (in particular, the United States).

For any such transfer, we rely on one or more of the following safeguards under Chapter V GDPR:

  • The European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), incorporated into each provider's Data Processing Agreement.
  • The EU–U.S. Data Privacy Framework adequacy decision of 10 July 2023, where the recipient is self-certified under that framework.

You may request a copy of the applicable safeguards by emailing us.

5. Your rights under the GDPR

You have the following rights in respect of your personal data:

  • Right of access (Art. 15) — to obtain confirmation whether we process personal data about you and, if so, a copy of that data.
  • Right to rectification (Art. 16) — to have inaccurate personal data corrected or completed.
  • Right to erasure / "right to be forgotten" (Art. 17) — to have your personal data deleted, subject to the limits in Art. 17(3). You can trigger erasure yourself at any time from your account settings.
  • Right to restriction of processing (Art. 18) — to request that we limit processing in specified situations.
  • Right to data portability (Art. 20) — to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller.
  • Right to object (Art. 21) — to object to processing that relies on our legitimate interest (section 2.7, 2.9 grace-period, 2.11).
  • Right to withdraw consent (Art. 7(3)) — where processing is based on consent (sections 2.4, 2.6, 2.12, 2.13, and the consent-based mobile processing in section 2.18), you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing that took place before withdrawal.
  • Right not to be subject to automated individual decision-making (Art. 22) — we do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.
  • Right to lodge a complaint with a supervisory authority (Art. 77) — see section 11.

How to exercise your rights

Email us at [email protected] from the email address associated with your account, or use the relevant action in your account settings. We will answer within 30 days of receiving a clear request. If the request is complex, we may extend this period by a further two months and will inform you of the extension within the first 30 days. Exercising your rights is free of charge; we may charge a reasonable fee or refuse the request only if it is manifestly unfounded or excessive (Art. 12(5) GDPR).

To protect you, we may ask you to verify your identity before we answer — typically by confirming you can act on the account.

6. Cookies

The Service uses cookies and similar technologies. Cookies fall into three categories — strictly necessary, analytics, and marketing — and each category is subject to your choices in the cookie banner. The processing activities behind the analytics and marketing cookies, including their purposes, legal bases, and retention periods, are described in sections 2.12 and 2.13 above.

For the full list of cookies we set and read, their durations, and how to change your choices at any time, see our separate Cookie Policy.

7. Data-breach procedure

If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority (NAIH) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by Article 33 GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, pursuant to Article 34 GDPR. We maintain an internal register of all breaches, regardless of notification requirement.

8. Data security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure, in line with Article 32 GDPR. These include:

  • HTTPS with HTTP Strict Transport Security (HSTS) on all domains.
  • Passwords stored as bcrypt hashes — plain-text passwords are never stored or logged.
  • IP addresses stored only as keyed HMAC-SHA256 hashes; the hash key is rotated independently of the database.
  • API tokens and installation tokens stored only as HMAC-SHA256 hashes.
  • Session cookies marked Secure, HttpOnly, and SameSite=Lax.
  • Server-side CSRF protection on all state-changing web requests and API rate-limiting per client, per installation, and per authenticated user.
  • Brute-force protection on the login endpoint (per-email / per-installation / per-hour limits).
  • Regular security updates to the server operating system and application dependencies.
  • Access to the production environment restricted to the controller; all third-party processors listed in section 3 have signed a Data Processing Agreement or accepted equivalent contractual terms.
  • Application logs rotated and deleted after 14 days.

9. Children

The Service is not directed at children. If you are under 16 years old, you must not use the Service or create an account without the consent of your parent or legal guardian, as required by Article 8 GDPR and Hungarian Infotv. § 6(3). If we become aware that we have collected personal data from a child without proper authorisation, we will delete it without delay.

10. Automated decision-making and profiling

We do not carry out automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR. We do use aggregated, non-individual profiling to display modelled advertising (Google Ads, Meta Ads) and to prioritise products in listings; this profiling never produces a decision with a legal effect and is always subject to your consent (see section 2.13).

11. Legal remedies

If you believe that our processing of your personal data infringes the GDPR or Hungarian data-protection law, you have the right to:

  1. Contact us first at [email protected] — we will investigate and respond within 30 days.
  2. Lodge a complaint with the supervisory authority:
    • Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
    • Address: 1055 Budapest, Falk Miksa utca 9–11, Hungary
    • Postal address: 1363 Budapest, P.O. Box 9
    • Phone: +36 (1) 391-1400
    • Email: [email protected]
    • Website: naih.hu
    • You may also lodge your complaint with the supervisory authority of the EU Member State where you habitually reside, work, or where the alleged infringement occurred.
  3. Seek a judicial remedy before the competent court of your habitual residence or of the controller's habitual residence (Hungarian courts, for claims against us), pursuant to Articles 78–79 GDPR.

12. Changes to this policy

We may update this privacy policy from time to time to reflect changes in the Service, in applicable law, or in our processors. When we make material changes, we will update the "Last updated" date at the top of this page and, where the change affects a processing activity based on your consent, ask for renewed consent. We recommend reviewing this page periodically.

13. Contact

For any question about this privacy policy or about your personal data, please contact:

  • Email: [email protected]
  • Postal address: Geiger Tamás e.v., Váci út 83/A 2/208, 1044 Budapest, Hungary