PRIVACY POLICY

BERRIVIT Limited Liability Company
Version: 1.0
Effective: May 1, 2026

DATA CONTROLLER INFORMATION

Company Name: BERRIVIT Limited Liability Company
Abbreviated Company Name: BERRIVIT Kft.
Legal Form: Single-member limited liability company
Registered Office: 1013 Budapest, Pauler utca 11.
Company registration number: 01-09-455835
Tax ID number: 33039156-2-41
EU VAT number: HU33039156
Registering court: Company Registry of the Budapest Metropolitan Court
Representative / Managing Director: Richárd Király
Email: berrivit@gmail.com
Phone number: +36 20 566 4758
(hereinafter: Data Controller)
The Data Controller declares that, in accordance with the GDPR, it will do everything in its power to ensure the lawful and secure processing of its customers’ data. Under the GDPR, the Data Controller is not required to appoint a Data Protection Officer (DPO); inquiries regarding data protection matters may be directed to the contact information provided above.
To ensure data protection, the ordering process is secured with SSL encryption.

1. LEGAL REFERENCES

Our data processing principles are in compliance with applicable data protection laws. The applicable laws are:
– Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) – Act CXII of 2011 on the Right to Self-Determination in Information and Freedom of Information (Infotv.) – Act V of 2013 on the Civil Code (Ptk.) – Act CVIII of 2001 on Electronic Commerce Services (Ekertv.) – Act XLVIII of 2008 on the Basic Conditions of Commercial Advertising Activities (Grtv.)

2. DATA PROCESSORS AND INDEPENDENT DATA CONTROLLERS

2.1 Online card payment – OTP Mobil Ltd. (SimplePay) – DATA PROCESSOR
OTP Mobil Ltd.
Registered office: 1093 Budapest, Közraktár u. 30–32.
SimplePay – Data transfer statement
I acknowledge that my following personal data stored in the user database of berrivit.com by BERRIVIT Limited Liability Company (1013 Budapest, Pauler utca 11.) as the data controller will be transferred to OTP Mobil Ltd. as the data processor. The scope of data transferred by the data controller is as follows: surname, first name, phone number, email address, billing address.
The nature and purpose of the data processing activity carried out by the data processor can be reviewed in the SimplePay Data Processing Notice at the following link: https://simplepay.hu/vasarlo-aff

2.2 Hosting service provider – GoDaddy (data transfer to a third country)
GoDaddy.com, LLC
Registered office: 14455 North Hayden Road, Suite 219., Scottsdale, AZ 85260, USA
EU VAT number: EU826010755
Note: GoDaddy is a company operating in the United States; the legal basis for data transfer is the application of the Standard Contractual Clauses approved by the European Commission (SCC, Article 46(2)(c) of the GDPR). GoDaddy’s privacy terms are available at https://www.godaddy.com/agreements/privacy

2.3 Newsletter and CRM service provider
SalesAutoPilot Limited Liability Company
Registered office: 1016 Budapest, Zsolt utca 6/C, 4th floor, apartment 4.
Company registration number: 01-09-286773
EU VAT number: HU25743500

2.4 Automated invoicing
KBOSS.hu Commercial and Service Limited Liability Company (Számlázz.hu)
Registered office: 1031 Budapest, Záhony utca 7.
Company registration number: 01-09-303201
Tax number: 13421739-2-41
Website: https://www.szamlazz.hu
Privacy policy: https://www.szamlazz.hu/adatvedelem/

2.5 Shipping
General Logistics Systems Hungary Ltd. (GLS)
The data processing conditions are described in the current GLS privacy policy.

2.6 SMS notification
Bip Communications Service and Consulting Ltd.
Registered office: 1134 Budapest, Bulcsú utca 23. b. building, 3rd floor, apartment 8.
Company registration number: 01-09-947432
Website: https://sms.bipkampany.hu

2.7 Statistical analysis
Google LLC (Google Analytics)
Registered office: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Privacy policy: https://policies.google.com/privacy
Note: Google LLC also operates in the United States; the legal basis for data transfer is SCC (Article 46 of the GDPR).

2.8 Cookie consent management
CookieYes (Gower Street Technologies Limited)
Website: https://app.cookieyes.com
The Data Controller works exclusively with reliable partners who also consider security and legal compliance important.

3. SCOPE, LEGAL BASIS AND PURPOSE OF PERSONAL DATA PROCESSED

3.1 Website visit
Legal basis: consent of the data subject (GDPR Article 6(1)(a); recorded via CookieYes)
Data processed: IP address, date and duration of the visit, subpages visited, operating system, browser type, screen resolution
Purpose of data processing: statistical analysis, monitoring and improving the quality of the service
Retention period: 2 years
Data processor: Google Analytics (Google LLC)
Note: the data is analysed exclusively in aggregated, anonymised form; no individual persons are identified.

3.2 Order fulfillment (webshop)
Legal basis: performance of a contract (GDPR Article 6(1)(b))
Data processed: surname, first name, email address, phone number, billing address, shipping address, IP address, order amount, date and time, any customer notes
Purpose of data processing: processing the order, delivering the product, maintaining contact with the Customer, fulfilling contractual obligations
Retention period: 8 years from the last day of the year of the order (accounting legal obligation)
Data processors: CRM system (SalesAutoPilot), invoicing system (KBOSS.hu / Számlázz.hu), shipping (GLS), SMS notification (Bip Communications Ltd.)

Online card payment – data transfer to OTP Ltd.:
In the case of online bank card payment, the Customer’s personal data (surname, first name, phone number, email address, billing address) is transferred to OTP Mobil Ltd. (1093 Budapest, Közraktár u. 30–32.) as the data processor for the purpose of providing the SimplePay payment service. The nature and purpose of the data processing activity carried out by the data processor can be reviewed in the SimplePay Data Processing Notice at the following link: https://simplepay.hu/vasarlo-aff – The legal basis for the data transfer is the Customer’s explicit consent provided when placing the order (GDPR Article 6(1)(a)), given by ticking the checkbox located on the checkout page.

3.3 Invoicing
Legal basis: fulfilment of a legal obligation (GDPR Article 6(1)(c); VAT Act, Accounting Act)
Data processed: billing name, billing address, purchase amount and time
Purpose of data processing: fulfilment of statutory invoicing obligations
Retention period: 8 years
Data processor: KBOSS.hu Commercial and Service Ltd. (Számlázz.hu)

3.4 Newsletter and direct marketing
Legal basis: explicit consent of the data subject (GDPR Article 6(1)(a); Grtv. Section 6)
Data processed: surname, first name, email address
Optional data: field of interest (if multiple newsletter subscription options are available)
Purpose of data processing: sending information about promotions, new products and campaigns; general communication for marketing purposes
Retention period: until withdrawal of consent or unsubscribing
Data processor: SalesAutoPilot Ltd.

Consent may be withdrawn (unsubscribe) at any time free of charge: by clicking the unsubscribe link in the email or by sending a request to berrivit@gmail.com. Upon unsubscription, the data is physically deleted from all our systems. Withdrawal of consent for direct marketing does not affect other data processing legal bases related to webshop usage.

3.5 Contact (email, telephone inquiries)
Legal basis: consent of the data subject (GDPR Article 6(1)(a)) and/or legitimate interest of the Data Controller (GDPR Article 6(1)(f))
Data processed: name, email address and/or phone number, content of the inquiry
Purpose of data processing: responding to inquiries, customer service activities
Retention period: 1 year from the closure of the inquiry, unless a legal dispute justifies longer retention

3.6 SMS notifications
Legal basis: performance of a contract (GDPR Article 6(1)(b))
Data processed: phone number, order-related notification data
Purpose of data processing: notifying about the status of the order (e.g. delivery notifications)
Retention period: 30 days from completion of the order
Data processor: Bip Communications Ltd.

4. COOKIES

4.1 What is a cookie?
Cookies are small data files that your browser stores on your device (computer, smartphone). They contain a unique string of characters that allows the browser to be identified when you visit the website again. Their purpose is to make the website more user-friendly, provide certain features, and analyze visitor behavior.
4.2 Consent Regarding Cookies
The Data Controller informs the visitor about cookies requiring consent during the first visit and requests consent (via the CookieYes system). Providing consent is not mandatory and can be withdrawn at any time in your browser settings.
The Data Controller does not use or allow cookies that enable third parties to collect data without your consent.
4.3 Types of Cookies Used
Session cookies These are automatically deleted when you close your browser. They ensure the secure and efficient operation of the website. They do not require prior consent.
Persistent cookies These remain even after you close your browser; they are stored for a specified period of time and then automatically deleted. They save the visitor’s settings and preferences. They can be deleted in the browser’s security settings.
Third-party (tracking) cookies These come from partner companies (e.g., Google Analytics, Google Remarketing) and require explicit consent. They enable website optimization and the display of personalized content. Storage period: up to 180 days. Detailed information: https://www.google.com/policies/technologies/types/

5. PROFILING AND AUTOMATED DECISION-MAKING

The Data Controller does not engage in profiling and does not use decision-making or classification based solely on automated data processing.

6. DATA TRANSFER TO GOVERNMENT AGENCIES

The courts, the public prosecutor’s office, the police, the tax authority, the National Authority for Data Protection and Freedom of Information (NAIH), and other authorities may contact the Data Controller to request information, the disclosure of data, or the provision of documents. In such cases, we will fulfill our obligation to provide data, but only to the extent strictly necessary to achieve the purpose of the request.

7. RIGHTS OF DATA SUBJECTS

7.1 Right to information (Articles 13–14 of the GDPR)
The data subject has the right to receive concise, transparent, and easily understandable information regarding data processing. We will provide our response within 14 days of receiving the request (within a maximum of 1 month). This information is provided free of charge, unless you have already submitted a request regarding the same set of data in the current year.
7.2 Right of Access (GDPR Article 15)
The data subject has the right to request information regarding the personal data we process, its purpose, categories, retention period, recipients of any data transfers, the data subject’s rights, and the source of the data.
7.3 Right to Rectification (Article 16 of the GDPR)
The data subject may request the rectification of inaccurate or incomplete personal data.
7.4 Right to erasure (“right to be forgotten”) (Article 17 of the GDPR)
The data subject may request the erasure of their personal data if the purpose of the processing has ceased to exist, they have withdrawn their consent, or the processing is unlawful. Erasure may not be requested if the processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.
7.5 Right to restriction of processing (GDPR Article 18)
The data subject may request restriction of processing if they contest the accuracy of the data, the processing is unlawful, the Data Controller no longer needs the data but the data subject requires it to assert a legal claim, or they have objected to the processing.
7.6 Right to Data Portability (GDPR Article 20)
The data subject has the right to receive the personal data concerning him or her, which he or she has provided, in a structured, machine-readable format, and to have it transmitted to another controller.
7.7 Right to Object (GDPR Article 21)
The data subject may object at any time to the processing of their personal data, particularly in the case of use for direct marketing purposes. In the event of an objection, the Data Controller may no longer process the personal data, unless compelling legitimate grounds for the continued processing exist.
7.8 Right to Withdraw Consent (GDPR Article 7(3))
In cases where data processing is based on consent, the data subject has the right to withdraw their consent at any time. Withdrawal does not affect the lawfulness of data processing carried out prior to withdrawal.
7.9 Right to bring a legal action
In the event of a violation of the data subject’s rights, the data subject may bring a legal action against the Data Controller. The adjudication of data protection disputes falls within the jurisdiction of the court; the action may also be brought before the court of the data subject’s place of residence or habitual residence, at the data subject’s discretion.
Please contact the Data Controller first via email (berrivit@gmail.com) or by mail (1013 Budapest, Pauler utca 11) before contacting a supervisory authority or a court, so that we can resolve the issue as quickly as possible.

8. RIGHT TO FILE A COMPLAINT – REGULATORY AUTHORITIES

Data subjects in Hungary may contact the National Authority for Data Protection and Freedom of Information (NAIH):
Address: 1055 Budapest, Falk Miksa utca 9–11. Postal address: 1363 Budapest, P.O. Box 9. 
Email: ugyfelszolgalat@naih.hu 
Website: www.naih.hu
Data subjects residing in other EU member states may also contact the data protection authority in their own country.

9. DATA SECURITY

The Data Controller protects personal data through appropriate technical and organizational measures, ensuring its security and availability, and safeguarding it against unauthorized access, alteration, damage, disclosure, and other unauthorized use. The ordering process is secured with SSL encryption.

10. FINAL PROVISIONS

The Data Controller notes that the data subject is responsible for the accuracy of the personal data provided. If the data subject provides personal data that does not belong to them, they are obligated to fully indemnify the Data Controller against any claims by third parties arising therefrom.
In matters not covered by this Privacy Notice, the provisions of applicable laws—in particular the GDPR—shall apply.
The Data Controller reserves the right to unilaterally amend this Notice, of which it will inform the data subjects in an appropriate manner (e.g., by posting a notice on the website). The amended provisions shall apply upon their entry into force.
Budapest, May 1, 2026
BERRIVIT Limited Liability Company
Represented by: Richárd Király, Managing Director