Privacy Policy

Last updated: 2026-05-01

This privacy policy describes how BrickHunter ("we", "us") collects, uses, stores, and shares personal data when you use our website and related services (the "Service"). It is written to meet the requirements of Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and Hungarian Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information ("Infotv.").

By using the Service, you acknowledge that you have read this policy. Processing activities that rely on your consent only take place after you have given that consent.

1. Data controller

The data controller responsible for processing your personal data is:

Name: Geiger Tamás e.v. (sole proprietor)
Address: Váci út 83/A 2/208, 1044 Budapest, Hungary
Tax ID: HU60384649
Email: [email protected]

We have not appointed a Data Protection Officer, as we are not required to do so under Article 37 GDPR. For any data protection matter, you may contact us at the address above.

The competent supervisory authority for the controller is the Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, "NAIH"). Its contact details are listed in section 11.

2. Scope and legal bases of processing

Personal data is any information relating to an identified or identifiable natural person. The table below lists each processing activity we carry out, the categories of data involved, the purpose, the legal basis under Article 6(1) GDPR, and the retention period.

2.1 Account registration and management

Data: email address, name, hashed password, market of registration (home market), timezone, notification preferences, terms and privacy policy acceptance timestamps, optional profile-personalisation fields (shopping interests, buying motivation, year of birth — see section 2.14). If you sign in with Google or Facebook, we additionally store the provider user ID returned by that provider.
Purpose: to create and maintain your user account, authenticate you, enforce our Terms of Service, and record that you have accepted this policy.
Legal basis: performance of a contract between you and us — Art. 6(1)(b) GDPR.
Retention: for the lifetime of your account. When you request deletion, your account is retained for a 14-day grace period (see section 2.9) and then deleted.

2.2 Sign in with Google / Sign in with Facebook

Data: your Google or Facebook user ID, email address, name, and (if available) whether the email is verified.
Purpose: to let you authenticate using an external identity provider instead of a password.
Legal basis: performance of a contract — Art. 6(1)(b) GDPR. When you click the sign-in button you initiate the authentication flow, which is necessary to provide the Service.
Recipients: Google Ireland Limited and Meta Platforms Ireland Limited act as independent controllers for their own authentication services. See section 3.
Retention: the provider user ID is stored for as long as you keep your account linked to that provider, and deleted together with your account.

2.3 Wishlist, price alerts, and preferences

Data: product references you add to your wishlist, target prices, personal notes on wishlist items (optional, up to 500 characters), alert preferences (notify on any price drop, notify on back in stock), the market you were browsing when you added each item.
Purpose: to provide the wishlist and price-alert features you have requested.
Legal basis: performance of a contract — Art. 6(1)(b) GDPR.
Retention: for as long as the entries remain in your wishlist, and until the account is deleted (entries are deleted together with the account).

2.4 Push notification tokens

Data: Firebase Cloud Messaging (FCM) device tokens registered by your browser or, in the future, by our mobile application; the platform, user agent, and activity status of each token.
Purpose: to deliver browser and mobile push notifications you have opted in to (for example, price-drop alerts).
Legal basis: your consent — Art. 6(1)(a) GDPR. You give consent in two steps: by accepting the browser or operating-system prompt, and by enabling push notifications in your account settings. You may withdraw consent at any time by disabling notifications in the Service or revoking the browser / OS permission.
Retention: active tokens are retained while you keep push notifications enabled. Tokens that become inactive (for example, when your browser revokes the subscription) are deleted 30 days after they were last seen active. All tokens are deleted when your account is deleted.

2.5 Transactional email

Data: your email address, name, and the content of the message (for example, a price-drop link, an email-verification link, or a password-reset link).
Purpose: to send emails that are strictly necessary to operate the Service — email verification, password reset, email-change confirmation, account-deletion confirmation, and price-alert notifications you have subscribed to.
Legal basis: performance of a contract — Art. 6(1)(b) GDPR.
Recipient: Sendinblue SAS (operating as Brevo) — see section 3.
Retention: for the duration of your account. Delivery metadata (opens, bounces) held at Brevo is retained according to Brevo's retention policy.

2.6 Marketing email and audience segmentation

Data: we store you as a contact at Brevo with the following identity fields — email address, name, market, locale, timezone, registration date, email-verified flag, authentication provider (password / Google / Facebook) — and the following segmentation attributes derived from your activity on the Service: your consent states (marketing, email notifications, push notifications), your optional profile answers (shopping interests, buying motivation, year of birth — see section 2.14), activation signals (whether you have any wishlist items, number of wishlist items, the date of your first wishlist add, the last date you were active on the Service), the slugs of the top five LEGO themes present in your wishlist, up to twenty set numbers from your wishlist, the slugs of the top five themes among the products you have clicked out to partner shops in the last 30 days, the slugs of the top five themes among the products you have viewed in the last 30 days, and the total number of partner-shop click-outs you made in the last 30 days. We never send user-generated free text (wishlist notes, category names), credentials, or provider-specific IDs (Google / Facebook IDs) to Brevo.
Purpose: to send you personalised messages about LEGO sets, price deals, and Service updates we believe are relevant to you; and to compute per-market audience segments (for example, opted-in users whose wishlist or recently-browsed themes overlap a specific LEGO theme) so that we can run partner-sponsored marketing campaigns from within Brevo without exposing any user data to partners.
Legal basis: your consent — Art. 6(1)(a) GDPR. We only add you to a marketing list and only send marketing email if you have explicitly opted in, either via the dedicated checkbox at registration or by turning on "Tailored deals & recommendations" in your account settings. You may withdraw consent at any time via the "unsubscribe" link in every marketing email or from your account settings; we then remove you from every market list at Brevo immediately, and your segmentation attributes are no longer updated. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Recipient: Sendinblue SAS (Brevo) — see section 3.
Retention: contact attributes are retained at Brevo until you withdraw consent or delete your account. Event data (workflow triggers such as user_registered, wishlist_add, price_drop_notified) are retained at Brevo according to Brevo's 90-day default event-retention period. When you delete your account (section 2.9), your Brevo contact is removed at the end of the 14-day grace period; Brevo's event history decays separately on the schedule above. Once consent is withdrawn while the account still exists, your email is placed on an internal suppression list solely to ensure we do not email you again.

2.7 Outbound click tracking

Data: for every click on a "visit shop" button, we log: product ID, shop ID, market ID, referring user ID (if logged in), a keyed HMAC-SHA256 hash of your IP address, user-agent string, Accept-Language header, the GA4 client ID and session ID associated with your visit (if present), and a timestamp.
Purpose: to measure which offers are most useful, to provide aggregated shop and product performance reports, to detect fraudulent or automated traffic, and to reconcile outbound traffic with our retailer partners.
Legal basis: our legitimate interest in running and improving the Service and preventing abuse — Art. 6(1)(f) GDPR. The data we store is not directly identifying (IP addresses are never stored in plain text — only a keyed hash).
Retention: aggregated shop statistics are retained indefinitely, because they do not identify you. The GDPR-relevant fields attached to each click record — the hashed IP, user agent, Accept-Language header, GA4 client ID, GA4 session ID, and (if any) the link to your user account — are removed after 12 months, so that only non-identifying statistics remain. If you delete your account before that point, the user-account link on your click records is removed immediately.

2.8 Session cookies and authentication

Data: a session identifier stored in the brickhunter-session cookie, and — while the session is active — the user you are logged in as, your active market, a keyed HMAC-SHA256 hash of your IP address (not the IP itself), and your user agent.
Purpose: to keep you logged in, to protect against session-hijacking, and to display the correct market.
Legal basis: performance of a contract — Art. 6(1)(b) GDPR. Session cookies are strictly necessary for the Service and do not require a consent banner.
Retention: the session cookie expires 120 minutes after your last activity, or sooner if you log out. Session records are garbage-collected automatically afterwards.

2.9 Account deletion

Data: your account email, the scheduled deletion date.
Purpose: to let you exercise your right to erasure. When you request deletion, your account is marked with a scheduled deletion date 14 days in the future and a verification email is sent. At the end of that period, the account is processed.
Legal basis: compliance with a legal obligation under Art. 17 GDPR — Art. 6(1)(c) GDPR. The 14-day grace period is a legitimate-interest measure (Art. 6(1)(f)) to let you cancel an accidental or unauthorised deletion request.
What is deleted: your user record, your wishlist items, your alerts log entries, your device tokens, and all API tokens. In the clicks table, personal identifiers (hashed IP, user agent, Accept-Language header, GA IDs, and link to your user ID) are set to null — the click events themselves remain as anonymous shop statistics.
Retention: the account record is deleted on the scheduled date. See section 2.7 regarding anonymised click data.

2.10 Customer support communication

Data: your email address and the content of the messages you send to us.
Purpose: to reply to your support requests, complaints, or data-subject requests.
Legal basis: performance of a contract — Art. 6(1)(b) GDPR for service-related requests; compliance with a legal obligation — Art. 6(1)(c) GDPR for data-subject requests we must answer under Chapter III GDPR.
Retention: 3 years from the last message, to evidence that we answered within the legally required timeframes. Data-subject requests we have acted on are retained for 3 years to evidence compliance.

2.11 Security logging

Data: server application logs containing request metadata (URL, HTTP status, timing), error stack traces, and — in a small number of cases, for rate-limit decisions — keyed HMAC-SHA256 hashes of IP addresses. We never log IP addresses in plain text.
Purpose: to detect and investigate security incidents, to protect against brute-force login and abuse, to debug service errors.
Legal basis: our legitimate interest in operating a secure service — Art. 6(1)(f) GDPR.
Retention: 14 days, after which logs are rotated out automatically.

2.12 Web analytics (Google Analytics 4)

Data (with analytics consent): GA4 client ID (stored in the brickhunter_client_id cookie), GA4 session ID, page views, events (searches, wishlist actions, outbound clicks, etc.), approximate location derived from IP (the IP itself is not stored by GA4 in identifiable form — Google truncates it before storage), device and browser details.
Data (without analytics consent): no Google Analytics cookies (_ga, _ga_*) are set or read, and no persistent user or device identifier is transmitted. Google Analytics runs in Google Consent Mode v2 in advanced mode (see Google's documentation): a cookieless "ping" is sent to Google containing only the timestamp, the user-agent string, the referrer URL, a boolean consent state, a flag indicating whether the current or a prior page contained ad-click information in the URL (such as a gclid / dclid), and a random number generated on each page load. Google states that the IP address received as part of the network request is not stored or logged. Google uses these signals solely to produce aggregated, modelled reports — no individual user profile is built from them.
Server-side events: when a conversion-relevant event occurs, we send it to GA4 from our server using the Measurement Protocol. The event inherits the current consent signals from your browser session (both analytics_storage and ad_storage). If no GA4 client ID is available, a one-time UUID is generated and the event is sent with an explicit permanent-denied consent state.
User-identifying signals (only with marketing consent): when you are signed in and have granted marketing consent, the server-side event additionally carries a SHA-256 hash of your email — both as the GA4 user_id (for cross-device attribution) and in the user_data.sha256_email_address field, which Google uses, together with its own signed-in users' data, to improve audience reports, conversion attribution, and ads-measurement accuracy. Only the SHA-256 hash is sent; the plaintext email never leaves our servers, and the hash cannot be reversed by Google. If you are not signed in, or if you have not granted marketing consent, no user-identifying hash is sent in either field.
Purpose: to understand how the Service is used and improve it.
Legal basis: your consent — Art. 6(1)(a) GDPR. You may grant, reject, or change your choice at any time via the cookie banner or the cookie-settings link in the site footer.
Recipient: Google Ireland Limited — see section 3.
Retention: GA4 retains event-level data for 14 months by default. Our own cookies brickhunter_client_id (up to 24 months) and brickhunter_session_id (30 minutes) are used for GA4 correlation.
Email link tracking: outbound links inside our transactional emails (password reset, email verification, price-drop alerts, account-deletion notifications, etc.) carry standard UTM query parameters (utm_source, utm_medium, utm_campaign, utm_content) so that GA4 can attribute the resulting visit to the email it originated from. The UTM parameters themselves describe the email type and subject — not the recipient — and do not set or read any cookies on their own. When you click such a link, GA4 records the visit subject to the same consent-based behaviour described above: with analytics consent the visit is attached to your GA4 client ID, without analytics consent only the cookieless modelled signal is sent.

2.13 Advertising (Google Ads, Meta Ads)

Data (with marketing consent): conversion events, page views, and interactions you make while on the Service, sent to Google Ads, the Meta (Facebook) Pixel, and the Meta Conversions API for measurement and remarketing. Depending on the platform's behaviour, this may include your IP address, cookie identifiers, and a hashed version of your email (for Google's Enhanced Conversions and Meta's Advanced Matching).
Data (without marketing consent):
- Google Ads continues to run in Google Consent Mode v2 advanced mode. No Google Ads cookies (_gcl_*) are set or read, and any gclid / dclid identifiers are redacted from the outgoing network requests. Cookieless pings with the same minimal signals described in section 2.12 are still sent to Google, and are used solely for aggregate conversion modelling (to estimate, at an aggregate level, conversions that would otherwise have been measured with consent). No individual user is tracked, profiled, or retargeted.
- Meta Pixel does not implement an equivalent consent-mode mechanism. When you deny the marketing category, the Meta Pixel is not loaded and does not fire at all — no request is made to Meta from the Service in that case.
Server-side conversion events (Meta Conversions API): when you have granted marketing consent, conversion-relevant events (specifically: outbound clicks to partner shops) are also sent to Meta from our server using the Meta Conversions API. The server-side event carries: a SHA-256 hash of your email if you are signed in (em), your IP address (client_ip_address, transmitted to Meta over TLS — Meta hashes it on receipt and does not retain the plaintext), your browser user-agent (client_user_agent), and the values of the _fbp and _fbc cookies if your browser has them. Meta uses these signals together with the browser-side Pixel signals to improve ad measurement, attribution, and audience matching despite browser-level tracking limitations (third-party cookie blocking, ad-blockers). The server event is only dispatched when you have granted marketing consent — without that consent, no server event is sent. If you are signed out, the em field is omitted.
Purpose: to measure the effectiveness of our advertising campaigns and, when you have given marketing consent, to show you relevant ads on third-party platforms.
Legal basis: your consent — Art. 6(1)(a) GDPR. Tag firing is controlled through Google Tag Manager according to your choices in the cookie banner. You may withdraw consent at any time via the cookie-settings link.
Recipients: Google Ireland Limited and Meta Platforms Ireland Limited — see section 3.
Retention: governed by the third-party platform's retention policies. We do not store advertising identifiers on our own servers.
Up-to-date third-party information: Google maintains an up-to-date list of cookies used by its advertising products at business.safety.google/adscookies. Meta publishes the current list of cookies it sets at facebook.com/privacy/policies/cookies. These pages take precedence over the cookie names listed in section 6 if they diverge.

2.14 Profile personalisation

Data: your answers to three voluntary onboarding questions — who you typically shop for (yourself, children, extended family, friends/acquaintances), what matters most to you when you buy (lowest price, best value for money), and your year of birth. All three questions are optional and individually skippable; no answer is required to use the Service. We collect year of birth only, never an exact date, and use it solely to place users into broad age bands for targeting. We also store an internal timestamp for each question recording when you last engaged with it.
Purpose: to personalise the on-site experience and — once you have given explicit marketing consent (section 2.6) — to inform partner-coupon targeting via Brevo.
Legal basis: our legitimate interest in personalising the on-site experience — Art. 6(1)(f) GDPR — for the on-site use; your consent under Art. 6(1)(a) GDPR for the Brevo-based marketing use, which is only activated if you have opted into marketing email.
Retention: for the lifetime of your account. These fields are deleted together with your account at the end of the deletion grace period (section 2.9). You may clear or change any of the three answers at any time from your account settings.

2.15 Aggregated browsing history (theme-level)

Data: while you are logged in and you have turned on "Tailored deals & recommendations" (see section 2.6), we log a theme-level record for each LEGO product-detail page you visit — specifically: your user ID, the LEGO theme ID of the product you viewed, the market on which you viewed it, and a timestamp. We do not log the individual product, the price you saw, the shop you clicked through to (click-outs are a separate processing activity — section 2.7), nor anything about the page layout or your scroll/interaction behaviour. We skip known bot traffic.
Purpose: to determine, at a theme level, which parts of the LEGO catalogue are currently of interest to you, so that the weekly product-lifecycle digests (newly-announced sets, newly available to preorder or buy, entering "Retiring soon") and other marketing messages described in section 2.6 can be filtered or prioritised around themes you actually engage with.
Legal basis: your consent — Art. 6(1)(a) GDPR. No theme-view record is written unless you are logged in AND you have explicitly opted into marketing. Turning marketing off stops further theme-view logging immediately; existing theme-view records expire on their own schedule below. Anonymous visitors and logged-in users who have not opted in never have theme-view records created.
Retention: 90 days. Theme-view records older than 90 days are deleted automatically by a scheduled daily job. The 90-day window matches the 30-day recency window used in your Brevo segmentation attributes (see section 2.6) with a buffer for operational reprocessing. On account deletion, all of your theme-view records are removed together with your account.

2.16 Browser extension authorization

Data: when you sign into the BrickHunter browser extension (Chrome or Firefox companion), we record an OAuth 2.0 authorization code bound to your user account, the extension's registered redirect URI, the PKCE code challenge, the market you selected during the consent step (optional, for telemetry), and timestamps for issue / expiry / consumption. The code is hashed at rest with HMAC-SHA256 and is single-use with a 60-second lifetime. After successful exchange we issue you a long-lived API access token labelled "extension" attached to your account, identical in nature to the access tokens issued to our mobile app.
Purpose: to let the extension act on your behalf — read and modify your wishlist, receive price-drop alerts, and identify products you are viewing on partner shop pages — without you having to enter your password again. Authorization codes themselves are operational artefacts; only the resulting access token is retained.
Legal basis: performance of the contract — Art. 6(1)(b) GDPR. The extension cannot function on your account without an access token.
Retention: authorization codes expire after 60 seconds and are deleted within 5 minutes of expiry by an automated cleanup job. Access tokens persist until you revoke them (extension logout, "Log out everywhere" from settings, password reset, or account deletion). All extension-issued tokens are revoked together with the rest of your tokens on account deletion.

3. Recipients of data (subprocessors)

We share personal data only with the processors and independent services listed below, each of which provides an appropriate level of data protection. Data is never sold to third parties.

3.1 Hosting infrastructure

Laravel Holdings Inc. — 60 Broad Street, 24th Floor, #1559, New York, NY 10004, USA. Provides the server management platform ("Laravel Forge") through which we operate the Service. Role: processor. Terms: laravel.com/legal/forge-terms. Trust Center: trust.laravel.com.
DigitalOcean, LLC — 105 Edgeview Drive, Suite 425, Broomfield, CO 80021, USA. Operates the underlying virtual server on which the Service runs. The server is located in the Frankfurt (Germany) data center. Role: processor. DPA: digitalocean.com/legal/data-processing-agreement. Privacy policy: digitalocean.com/legal/privacy-policy.

3.2 Email delivery

Sendinblue SAS (Brevo) — 17 rue Salneuve, 75017 Paris, France. Delivers transactional email, and — if you have opted into marketing — stores your contact record with the segmentation attributes listed in section 2.6, manages your membership in our per-market contact lists, receives server-side workflow-trigger events (such as registration, email verification, wishlist add, price-drop notified, and the three weekly product-lifecycle digest triggers: newly-announced sets, newly available to preorder or buy, entering "Retiring soon"), and sends the resulting marketing messages. Role: processor. Data is processed within the European Union. Privacy policy: brevo.com/legal/privacypolicy. DPO: [email protected].

3.3 Identity providers

Google Ireland Limited — Gordon House, Barrow Street, Dublin 4, Ireland. Provides "Sign in with Google". Role: independent controller for the authentication flow, processor for information returned to us. Privacy policy: policies.google.com/privacy.
Meta Platforms Ireland Limited — Merrion Road, Dublin 4, D04 X2K5, Ireland. Provides "Sign in with Facebook". Role: independent controller for the authentication flow, processor for information returned to us. Privacy policy: facebook.com/privacy/policy.

3.4 Analytics and advertising

Google Ireland Limited — as above. Provides Google Analytics 4, Google Tag Manager, and Google Ads. Role: processor for Google Analytics; joint/independent controller for Google Ads, depending on the product. Consent Mode v2 documentation: support.google.com/analytics/answer/9976101. Up-to-date information on cookies used by Google advertising products: business.safety.google/adscookies.
Meta Platforms Ireland Limited — as above. Provides the Meta (Facebook) Pixel, the Meta Conversions API, and Meta Ads. Role: joint controller with us (per CJEU case C-40/17, Fashion ID) for both the Pixel and the Conversions API, since both transmit user-identifying signals to Meta for the same advertising purposes. Joint-controller information is made available through Meta's Business Tools Terms. Up-to-date information on cookies used by Meta: facebook.com/privacy/policies/cookies.

4. International data transfers

Personal data processed by us is stored primarily on servers located in the European Union (Frankfurt, Germany). Some of the recipients listed in section 3 are established in, or transfer data to, countries outside the European Economic Area (in particular, the United States).

For any such transfer, we rely on one or more of the following safeguards under Chapter V GDPR:

The European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), incorporated into each provider's Data Processing Agreement.
The EU–U.S. Data Privacy Framework adequacy decision of 10 July 2023, where the recipient is self-certified under that framework.

You may request a copy of the applicable safeguards by emailing us.

5. Your rights under the GDPR

You have the following rights in respect of your personal data:

Right of access (Art. 15) — to obtain confirmation whether we process personal data about you and, if so, a copy of that data.
Right to rectification (Art. 16) — to have inaccurate personal data corrected or completed.
Right to erasure / "right to be forgotten" (Art. 17) — to have your personal data deleted, subject to the limits in Art. 17(3). You can trigger erasure yourself at any time from your account settings.
Right to restriction of processing (Art. 18) — to request that we limit processing in specified situations.
Right to data portability (Art. 20) — to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller.
Right to object (Art. 21) — to object to processing that relies on our legitimate interest (section 2.7, 2.9 grace-period, 2.11).
Right to withdraw consent (Art. 7(3)) — where processing is based on consent (sections 2.4, 2.6, 2.12, 2.13), you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing that took place before withdrawal.
Right not to be subject to automated individual decision-making (Art. 22) — we do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.
Right to lodge a complaint with a supervisory authority (Art. 77) — see section 11.

How to exercise your rights

Email us at [email protected] from the email address associated with your account, or use the relevant action in your account settings. We will answer within 30 days of receiving a clear request. If the request is complex, we may extend this period by a further two months and will inform you of the extension within the first 30 days. Exercising your rights is free of charge; we may charge a reasonable fee or refuse the request only if it is manifestly unfounded or excessive (Art. 12(5) GDPR).

To protect you, we may ask you to verify your identity before we answer — typically by confirming you can act on the account.

6. Cookies

The Service uses cookies and similar technologies. Cookies fall into three categories — strictly necessary, analytics, and marketing — and each category is subject to your choices in the cookie banner. The processing activities behind the analytics and marketing cookies, including their purposes, legal bases, and retention periods, are described in sections 2.12 and 2.13 above.

For the full list of cookies we set and read, their durations, and how to change your choices at any time, see our separate Cookie Policy.

7. Data-breach procedure

If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority (NAIH) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by Article 33 GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, pursuant to Article 34 GDPR. We maintain an internal register of all breaches, regardless of notification requirement.

8. Data security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure, in line with Article 32 GDPR. These include:

HTTPS with HTTP Strict Transport Security (HSTS) on all domains.
Passwords stored as bcrypt hashes — plain-text passwords are never stored or logged.
IP addresses stored only as keyed HMAC-SHA256 hashes; the hash key is rotated independently of the database.
API tokens and installation tokens stored only as HMAC-SHA256 hashes.
Session cookies marked Secure, HttpOnly, and SameSite=Lax.
Server-side CSRF protection on all state-changing web requests and API rate-limiting per client, per installation, and per authenticated user.
Brute-force protection on the login endpoint (per-email / per-installation / per-hour limits).
Regular security updates to the server operating system and application dependencies.
Access to the production environment restricted to the controller; all third-party processors listed in section 3 have signed a Data Processing Agreement or accepted equivalent contractual terms.
Application logs rotated and deleted after 14 days.

9. Children

The Service is not directed at children. If you are under 16 years old, you must not use the Service or create an account without the consent of your parent or legal guardian, as required by Article 8 GDPR and Hungarian Infotv. § 6(3). If we become aware that we have collected personal data from a child without proper authorisation, we will delete it without delay.

10. Automated decision-making and profiling

We do not carry out automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR. We do use aggregated, non-individual profiling to display modelled advertising (Google Ads, Meta Ads) and to prioritise products in listings; this profiling never produces a decision with a legal effect and is always subject to your consent (see section 2.13).

11. Legal remedies

If you believe that our processing of your personal data infringes the GDPR or Hungarian data-protection law, you have the right to:

Contact us first at [email protected] — we will investigate and respond within 30 days.
Lodge a complaint with the supervisory authority:
- Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
- Address: 1055 Budapest, Falk Miksa utca 9–11, Hungary
- Postal address: 1363 Budapest, P.O. Box 9
- Phone: +36 (1) 391-1400
- Email: [email protected]
- Website: naih.hu
- You may also lodge your complaint with the supervisory authority of the EU Member State where you habitually reside, work, or where the alleged infringement occurred.
Seek a judicial remedy before the competent court of your habitual residence or of the controller's habitual residence (Hungarian courts, for claims against us), pursuant to Articles 78–79 GDPR.

12. Changes to this policy

We may update this privacy policy from time to time to reflect changes in the Service, in applicable law, or in our processors. When we make material changes, we will update the "Last updated" date at the top of this page and, where the change affects a processing activity based on your consent, ask for renewed consent. We recommend reviewing this page periodically.

13. Contact

For any question about this privacy policy or about your personal data, please contact:

Email: [email protected]
Postal address: Geiger Tamás e.v., Váci út 83/A 2/208, 1044 Budapest, Hungary