Data processing information

– iFitCore.co

The purpose of the following data management information is to provide a detailed description of the personal data processed by the operator of the ifitcore.co webshop (hereinafter referred to as the Data Controller) and the legal obligations it complies with. The Data Controller, as a self-employed person exempt from personal tax (AAM), is committed to the protection of personal data and undertakes that all its data management activities are carried out in accordance with applicable law, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, GDPR) and Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.). The Data Controller will treat personal data confidentially and will take all necessary security, technical and organizational measures to protect data.

1. Purpose and legal background of the information

1.1 Scope of the information

This document applies to all data processing on the ifitcore.co website, including ordering products, registering, using contact forms, subscribing to newsletters, and using cookies on the website. The purpose of this notice is to provide visitors and customers with detailed information about how and for what purpose we process their personal data, as well as what rights they have.

1.2 Legal basis

The Data Controller undertakes to ensure that all data processing processes of its activities comply with applicable laws, in particular the following:

GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council, which uniformly regulates the processing of personal data within the European Union.

Infotv. – Act CXII of 2011 on the right to informational self-determination and freedom of information.

Civil Code – Act V of 2013, which contains the general rules governing the conclusion of contracts and contractual legal relationships.

Accounting Act – Act C of 2000, according to which tax and accounting documents must be retained for a specified period of time.

Electronic Commerce Act – Act CVIII of 2001, and Government Decree 45/2014 (II. 26.) on distance contracts, which determines the buyers' right of withdrawal.

1.3 Unique regulatory environment in 2025

From 2025, all Hungarian-language websites and online stores must have their own data processing information, especially when customers register, receive newsletters or participate in a prize draw. Such information must be accepted by visitors when using the service. According to the new GDPR regulation, users must be given the opportunity to withdraw their consent and modify their previous decision at any time. Therefore, there are separate checkboxes on our website for newsletter subscription and order forms.

2. Data controller's data

Company name: Gergő Szitai EV, operator of the ifitcore.co web store

Registered office: 2217 Gomba, Szemere Huba Street 1.

Mailing address: 2217 Gomba, Szemere Huba Street 1.

Tax number: 55926148-1-33 – subject tax exempt (AAM)

Registration number: 54674910

Representative: Gergő Szitai

Email: info@ifitcore.com

Phone: +36 30 597 6075

Website: https://ifitcore.co

The Data Controller treats personal data confidentially and takes all necessary security, technical and organizational measures that guarantee data security.

3. Definitions

The terms used in this privacy policy are based on the definitions of the GDPR and the Information Act. The most important ones are as follows:

Personal data: any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by reference to a name, number, location data, online identifier or to characteristics relating to their physical, physiological, genetic, economic, cultural or social identity.

Data processing: any operation performed on personal data or data files, whether or not by automated means, such as collection, recording, organization, storage, modification, use, transmission, retrieval, coordination, deletion or destruction.

Data controller: the natural or legal person who determines the purpose of data processing and its means.

Data Processor: the natural or legal person who processes personal data on behalf of the Data Controller.

Data Subject: the natural person whose data is processed by the Data Controller.

Consent: a voluntary, clear expression of the data subject's will, by which he or she gives his or her consent to the processing of his or her personal data.

4. Scope of processed data and purposes of data processing

During the operation of the ifitcore.co webshop, we process various types of personal data. The following list presents the most common data groups and the purpose of data processing.

4.1 Orders

Processed data: name, billing address, shipping address, telephone number, e-mail address, details of the ordered product(s), payment method.

Purpose: creation and fulfillment of the purchase contract; delivery of products; fulfillment of invoicing and payment obligations.

Legal basis: performance of a contract (Article 6(1)(b) of the GDPR) or compliance with legal requirements regarding invoicing obligations (Article 6(1)(c) of the GDPR).

4.2 Contact and customer service

Data processed: name, e-mail address, telephone number, content of the message sent, data from any previous orders.

Purpose: answering user questions, handling complaints, warranty administration, customer support.

Legal basis: legitimate interest (GDPR Article 6(1)(f)), as the Data Controller has a legitimate interest in communicating with customers.

4.3 Newsletter subscription and marketing

Data processed: name (optional), email address.

Purpose: sending electronic newsletters to subscribers, sharing new products, promotions and useful information.

Legal basis: prior, voluntary consent of the data subject (Article 6(1)(a) GDPR). We provide a separate checkbox for subscribing to the newsletter. The user can withdraw their consent and unsubscribe from the newsletter at any time.

4.4 Billing and accounting data

Processed data: name, billing address, tax number (optional, only for corporate customers), order data, invoice number.

Purpose: to fulfill invoicing and tax obligations; to comply with accounting and legal requirements.

Legal basis: to fulfill a legal obligation (Article 6(1)(c) GDPR).

4.5 Technical data and cookies

Data processed: IP address, browser type, operating system, behavioral data related to the use of the website (e.g. time of visit, pages visited). Cookies can be session cookies, statistical (analytical) cookies and marketing cookies.

Purpose: to ensure the technical operation of the website; to improve the user experience; to prepare visitor statistics; to measure the effectiveness of marketing activities. It is important to highlight that, according to the new regulations, both the IP address and the cookie ID are considered personal data.

Legal basis: legitimate interest for technical operation (GDPR Article 6(1)(f)); consent to marketing cookies (GDPR Article 6(1)(a)). We provide detailed information on the use of cookies and the user can set which cookies they consent to.

5. Data processors and data transfer

During the operation of the webshop, the Data Controller uses partners who provide services necessary for the fulfillment of orders. These partners - as data processors - have access to personal data only to the extent necessary to fulfill the given purpose.

5.1 Hosting provider

Provider name: Shopify International Ltd.

Headquarters: 2nd Floor, Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland

Service: website operation, database and email infrastructure provision.

5.2 Logistics partners

Data processed: name, delivery address, telephone number, e-mail address, ordered products.

Purpose: home delivery of ordered products or delivery to a parcel point.

Note: Logistics partners are considered independent data controllers in the processing of shipping data.

5.3 Payment service provider

Processed data: When paying by bank card, the customer's payment data (card number, expiration date, CVV) is not processed by ifitcore.co, but by the payment service provider. Our webshop only receives feedback on the success of the transaction.

Purpose: to ensure the payment process is secure.

Note: The payment service provider provides its own data processing information regarding bank card payments.

5.4 Billing and accounting system

Provider name: [Name of billing or accounting software]

Processed data: name, address, tax number, order data.

Purpose: issuing invoices, fulfilling tax and accounting obligations. The transfer of data is based on a legal obligation.

5.5 Newsletter service provider

Service provider name: [Name of company operating the newsletter system]

Data processed: name (optional), email address.

Purpose: to send marketing messages, promotions, and interesting articles to newsletter subscribers. The processing of data stored in the newsletter sending system is based on the consent of the data subject, which can be withdrawn at any time.

6. Data security measures

The Data Controller ensures that personal data is secure and not accessible to unauthorized persons. Security measures include:

Access control: personal data can be accessed only by authorized employees for whom this is necessary to perform their job duties.

Encrypted data transmission: communication between the website and the servers takes place via the TLS/SSL protocol.

Password protection and authentication: access to the data controller's systems is protected by strong passwords and multi-factor authentication.

Regular backup: regular backups are made to maintain data integrity.

Vulnerability tests and updates: we continuously ensure that systems are updated and maintained.

The Data Controller considers it particularly important to respect the right of informational self-determination of the data subjects and treats personal data confidentially.

7. Rights of data subjects

Data subjects are entitled to exercise the following rights in accordance with the provisions of the GDPR and the Infotv. The Data Controller shall comply with the requests received without undue delay, but no later than within one month.

7.1 Right of access

The data subject has the right to request information about whether the Data Controller processes his or her personal data and, if so, what data, on what legal basis, for what purpose, for how long, and to whom it is transferred.

7.2 Right to rectification

The data subject may request the correction of inaccurate or incomplete data or the completion of data.

7.3 Right to erasure (right to be forgotten)

The data subject may request the deletion of their personal data if the processing of the data has become unjustified or if the data subject has withdrawn their consent.

7.4 Right to restriction of data processing

The data subject may request that the Data Controller restrict the processing of personal data (e.g. if he or she disputes the accuracy or legitimacy of the data).

7.5 Right to data portability

The data subject has the right to receive the personal data he or she has provided in a structured, commonly used and machine-readable format and has the right to transmit these data to another controller.

7.6 Right to object

The data subject has the right to object to the processing of his or her personal data where the processing is based on legitimate interests. In such a case, the Data Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the rights of the data subject.

7.7 Withdrawal of consent

The data subject may withdraw their consent at any time, which, however, does not affect the legality of the previous data processing.

7.8 Submitting a complaint

The data subject has the right to lodge a complaint with the competent supervisory authority if he or she believes that the processing of his or her personal data violates the applicable laws. In Hungary, the National Authority for Data Protection and Freedom of Information (NAIH) is competent:

Address: 1055 Budapest, Falk Miksa Street 9–11.

Postal address: 1363 Budapest, P.O. Box 9.

Phone: +36 1 391 1400

E-mail: ugyfelszolgalat@naih.hu

Website: https://naih.hu

8. Data retention period

The Data Controller will only retain personal data for as long as the purpose of the data provision requires or as long as required by law:

Data related to the performance of a contract: within the civil law limitation period (usually 5 years) or up to 8 years due to the need to enforce claims.

Invoices and accounting documents: according to the Accounting Act, they must be kept for 8 years.

Newsletter subscription: until the user unsubscribes from the newsletter.

Contact details: up to 1 year after the communication has ended, unless a legal dispute arises.

Technical data and cookies: depending on the type of cookie, a few minutes or days (session cookies) or up to 12 months (analytical and marketing cookies).

9. Managing cookies

ifitcore.co uses several types of cookies to ensure the proper functioning of the website and to improve the user experience. Cookies are small data files that are stored by the browser on the user's device. Types of cookies:

Session cookies: they create an identifier when you visit the website, which is stored in the browser and automatically deleted when you close it. These are essential for the cart and login to work.

Preference cookies: remember user preferences (such as language or display options), so they provide more convenient use on your next visit.

Analytical cookies: help us collect statistical information about visits (for example, Google Analytics). According to the GDPR, these cookies may also collect personal data, for example, IP address, and are therefore only processed in an anonymized form.

Marketing cookies: used to display targeted advertisements, for example on Facebook or in Google's advertising system. These require separate consent.

We ask for the user's consent before using any non-necessary cookies; consent can be changed or withdrawn at any time in the cookie management settings.

10. Regular data transfer abroad

ifitcore.co does not transfer personal data outside the borders of the European Union, unless the data processor of the newsletter sender or payment service provider is established outside the Union. In such cases, the data transfer will only take place under appropriate guarantees (e.g. standard contractual clauses approved by the European Commission).

11. Automated decision-making and profiling

ifitcore.co does not use automated individual decision-making or profiling that would have legal effects on the data subjects. All our marketing activities are based on the user's consent and no analysis is carried out on the basis of which a significant decision would be made.

12. Amendment of the data processing information

The Data Controller reserves the right to modify this information at any time. We will inform users of any changes by means of a notice on the website and/or by e-mail. The current version of this information is available on the ifitcore.co website. The modifications will only apply after publication.

13. Contact and further information

If you have any questions or requests regarding this data management policy, please contact us at the following address:

Email: info@ifitcore.com

Postal address: [Operator's postal address]

Phone: +36 30 597 6075


Please note that this privacy policy is for general information purposes only. It does not constitute legal advice and we recommend that you consult a legal professional if necessary.

Valid: 2025.11.30.

The Data Protection Notice can be downloaded in PDF format here.