Privacy Policy / Data Protection and Data Management Policy
Purpose of Privacy Policy / Data Protection and Data Management Policy
DATA MANAGEMENTNOTICE
1. Data controller, data protection officer, data processors
1.1. Data controller
Name: LoxTrade Kereskedemi és Szolgáltató Korlátolt Felelősségű Társaság
Registered office: 1077 Budapest, Wesselényi street 13., 1st floor., 3rd door
E-mail address: hello@uplan.io
Company registration number and name of the registering court:
CRN. 01-09-279238 / Budapest-Capital Regional Court
Tax number: 23183261-2-42
Website: www.uplan.io
Data Protection Register number: NAIH-146467/2018.
LoxTrade Kft. (hereinafter referred to as the “Data controller”) processes the data of visitors and
registered users (hereinafter referred to as the “Data subject”) of the website www.uplan.io.
1.2. Data Protection Officer
The Data controller has considered the possibility of appointing a Data Protection Officer pursuant to
Article 37 of the GDPR and has concluded that the processing of personal data occurring during the
operation of the website and the purchases made on the website do not justify the appointment of a Data
Protection Officer.
1.3. Data processors
The Data controller uses the following Data processors:
ACCOUNTING
Gold Medal Kft.
1061 Budapest, Andrássy way 46.
COURIER SERVICES
Hajtás Pajtás Kerékpáros Futárszolgálat
1074 Budapest, Vörösmarty street 20.
COURIER SERVICES
Magyar Posta Zrt.
1138 Budapest, Dunavirág utca 2-6.
COURIER SERVICES
UPS Magyarország Kft.
2020 Vecsés, Lőrinci u. 154.
Airport City Logistic Park G. épület
ELECTRONIC ACCOUNTING SYSTEM OPERATOR
Billingo Technologies Zrt.
1133 Budapest, Árbóc street 6. III. floor
MAIL SYSTEM OPERATOR
Eworx Network & Internet GmbH
A-4150 Rohrbach-Berg, Hanriederstraße 25, Austria
REGISTRATION OF TRAINING
Acuity Scheduling, Inc.
450 W 17th Street
New York, NY 10011
ONLINE TRAINING REGISTRATION
Genesis Digital LLC
7660 Fay Ave #H184, La Jolla, CA 92037
2. Introductory provisions
2.1 The purpose of this notice is to provide clear, up-to-date and transparent information about the
processing of personal data in the course of the services provided by this website. This notice may be
amended and/or withdrawn unilaterally by the Data controller at any time, with simultaneous notification
of the Data subjects. The information will be provided on the website.
2.2 Further purpose of this notice is to set out the data protection and data management principles and the
data protection and data management policy of LoxTrade Kft. and to comply with the information
obligation pursuant to Articles 13-14 of Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal
data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as
“GDPR”).
2.3. The data protection terms that are used in this notice are defined in Article 4 of the GDPR, as well as
supplemented by Act CXII of 2011 on the right to informational self-determination and on the freedom of
information (hereinafter: “Info. Act”). This Data management notice applies to all natural persons (Data
subjects) whose personal data is managed by the Data controller, if the data management is related to the
performance of the activities specified in this Data management notice.
3. Detailed information on the circumstances of data management
3.1. Shopping on the website
3.1.1. You can use the services of the Website only by registering. In this context, we process your
personal data as follows:
Scope of processed personal data: surname and first name, residential address, e-mail address and other
personal data provided by you.
The purpose of data management: to identify you, to create and fulfill a purchase agreement between you
and the Data controller.
Legal basis for data management: creation and fulfillment of an agreement (GDPR Article 6 (1) point b)).
Duration of data management: for the time necessary to fulfill the purchase agreement between you and
the Data controller, up to the statute of limitations for civil claims (5 years).
The Data controller does not verify the authenticity or accuracy of the personal data you provide (e.g. e-
mail address, etc.). Only the person who provided the data is responsible for its accuracy. The Data
controller excludes any liability arising from the incorrectness of the data.
Provision of telephone number:
Purpose of data management: Although the telephone number is not a condition for the fulfillment of the
purchase agreement, as personal data, it would be difficult to solve any problems related to the order in
the absence of the telephone number. In the event you have ordered the service and paid the purchase
price, but there is a problem with the service for some reason, it is necessary to ensure that you are
informed by telephone about the solution and the procedure to overcome the problem.
Legal basis for processing: voluntary consent of the Data subject (Article 6(1)(a) of the GDPR).
Duration of processing: for the time necessary to fulfill the purchase agreement between you and the Data
controller, up to the statute of limitations for civil claims (5 years). The Data controller shall have primary
access to the personal data processed for the purposes of the purchase.
Data subject rights: in addition to the data subject rights set out in point 11 of the Data management
notice, the Data subject has the right to withdraw his consent to the processing of his personal data at any
time; in this case, the Data controller will no longer process his personal data and will delete the personal
data processed on this legal basis, unless another legal basis allows for the processing of such data. The
withdrawal shall not affect the lawfulness of the processing carried out on the basis of the consent prior to
the withdrawal.
Data transfer:
We use external service providers to fulfill orders:
Credit card payment: In case of payment by card, the data of the bank card and the card payment
transaction are managed by Stripe. In case of payment by bank card, the payer’s ID, the amount, date and
time of the transaction are transmitted.
Legal basis for data transfer: data management is necessary for the performance of the agreement [Article
6 (1) b) of GDPR].
3.1.2. Personal data processed for the purpose of paying the consideration for the ordered
service/product
You can pay for the products/services ordered on the Website by choosing from the following payment
methods: bank transfer, bank card payment through the Stripe system.
a)Bank transfer: in the case of a bank transfer, you can settle the consideration for the ordered
product/service with the help of your bank. In this case, the Data controller only processes
personal data in connection with the crediting of the transferred amount to the Data controller’s
account at Raiffeisen Bank.
Beneficiary name: LoxTrade Kft.
HUF bank account number: ………………………………
Range of processed data: first and last name, e-mail address, bank account number, value of the
product/service ordered, time of transfer.
Purpose of data management: to identify you, to create and fulfill a purchase agreement between you and
the Data controller.
Legal basis for data management: execution of an agreement (Article 6 (1) b) of GDPR).
Duration of data processing: 8 years in order to fulfill the obligation to preserve accounting documents
(Article 169 (2) of the Act C of 2000 on accounting).
In the case of bank transfers, access to the personal data processed is primarily granted to the Data
controller or the Data controller’s bank.
b)Payment by bank card: According to point 3.1.1 of the Data management notice
Regarding payment by bank card, please note that the use of the ordered product/service is based on a
monthly subscription, which will be automatically deducted from your bank account each month until you
manually cancel it in your profile settings. If the deduction was unsuccessful, Stripe will try the payment
three times on different days, or you can manually initiate the payment in your profile settings.
3.2. Personal data processed for the purpose of providing information relating to a purchase
Contact and communication between the Data controller and you are essential for the operation of the
Website. You will receive confirmation of the purchase in the form of an electronic mail. In some cases,
the Data controller sends notification to the Data subjects via e-mail about the products or services, as
well as changes to the General Terms and Conditions. However, the Data controller does not use such
notifications for advertising purposes.
In this context, we process your personal data as follows:
Range of processed data: first and last name, e-mail address, telephone number
Purpose of data management: to identify you, to execute a purchase agreement between you and the Data
controller.
Legal basis for data management: execution of an agreement (Article 6 (1) point b) of GDPR).
Duration of data management: for the time necessary to fulfill the purchase agreement up to the statute of
limitations for civil claims (5 years).
The Data controller has primary access to the personal data processed for the purpose of providing
information about the use of the Website.
4. Processing personal data due to accounting obligations
According to section 2 of Act C of 2000 on Accounting the Data controller is obliged to retain the
accounting documents underlying the accounting records directly or indirectly (including ledger accounts,
analytical records and registers) in a legible form and in a retrievable manner for 8 years. To this end, we
process your personal data as follows:
Range of processed data: first and last name, home address.
Purpose of data management: fulfillment of the obligation to retain the accounting documents underlying
the accounting records directly or indirectly, as defined in the Accounting Act
Legal basis for data management: fulfillment of the legal obligation of the Data controller (Article 6 (1) c)
of GDPR).
Duration of data processing: 8 years in order to fulfill the obligation to preserve accounting documents
(Article 169 (2) of the Act C of 2000 on Accounting).
The personal data processed for the purpose of fulfilling the obligation to retain the accounting documents
underlying the accounting records directly or indirectly as defined in the Accounting Act may be accessed
primarily by the Data controller, by Könyvelésmegoldás.hu Kft. as the accountant, and by the operator in
connection with the operation of the electronic invoicing system.
5. Handling complaints
If you are not satisfied with the ordered product/service or if you have any other complaint regarding the
website, the Data controller shall provide you with the opportunity to file a complaint pursuant to section
17/A-17/C of the Act CLV of 1997 on consumer protection. In this case, we process your personal data as
follows:
Range of processed data: surname and first name, home address, e-mail address, product/service data
(name, purchase price), the claim that the consumer wishes to enforce, the determination of the error, the
method of settlement of the objection, the date of recording of the minutes.
Purpose of data management: handling customer objections and complaints.
Legal basis for data management: fulfillment of the legal obligation of the Data controller related to the
handling of consumer protection complaints (Article 6 (1) c) of GDPR).
Duration of data processing: 3 years for recorded minutes, 2 years for copies of entries made in the
customer complaint register and 3 years for copies of responses to written complaints.
The Data controller has access to personal data processed for the purpose of handling complaints.
6. E-mail customer support – support for customers and interested parties
The website provides an opportunity for customers or other interested parties to send a message to the
Data controller and report their interest in a message or raise questions to the Data controller via e-mail
hello@uplan.io.
Purpose of data management: information requests related to purchases and products/services.
Range of processed data: name, e-mail address, personal data that may appear in the message.
Legal basis for data management: necessity to fulfill a contract/take steps prior to concluding a contract
[Article 6 (1) b) of GDPR].
Duration of data management: 60 days
7. Data management related to newsletter subscription
The Data controller pays high attention to the legality of the use of the electronic mail addresses it
manages, so he only uses them in the manner specified below to send (informational or advertising) e-
mails.
The management of e-mail addresses primarily serves the identification of the Data subject, contact and
information provision during the fulfillment of orders, therefor e-mails are sent primarily for this purpose.
The Data controller will send letters containing promotions or advertisements (newsletters) to the e-mail
addresses provided during registration only with the express consent of the Data subject, in cases and in a
manner that complies with legal requirements. The newsletter has direct marketing elements and contains
advertising. The Data controller manages the data provided by the Data subject when using the newsletter.
In case of a newsletter, the Data controller manages the Data subject’s data provided during the
subscription to the newsletter until the Data subject unsubscribes from the newsletter by clicking on the
“Unsubscribe” button at the bottom of the newsletter or requests to be removed from the list of
subscribers to the newsletter by email. In case of opt-out, the Data controller will not contact the Data
subject with further newsletters and offers. The Data subject can unsubscribe from the newsletter and
withdraw his consent at any time free of charge.
Legal basis for data management: voluntary consent of the Data subject (Article 6 (1) a) of GDPR)
The Data subject is voluntarily providing his consent to hand out data related to subscribing to the
newsletter with regard to individual data management.
Range of processed data:
– name
– e-mail address
The purpose of data management is for the Data controller to contact the Data subject by e-mail or
newsletter and inform them about the products/services.
8. Use of cookies
The website uses so-called cookies for the best possible user experience. Cookies store information in
your browser, their job is to recognize you when you return to this website later. The cookies help us by
providing information about the User’s use of the website and by doing so we learn which elements of the
website the User considers the most usable or the worst. Cookies are stored on your computer. Regarding
the cookie settings, we would like to point out that the use of cookies is allowed according to the basic
settings of the browsers. You can delete cookies from your computer or even set your browser to block
their use. In the latter case, we would like to draw your attention to the fact that the website will not be
fully functional.
By clicking on the “I accept the cookie settings” button on the website, you consent to the use of cookies
managed by our own or external service providers (“third parties”), which are necessary to record the data
and information written in this information sheet. Such data is the data of your computer that is generated
when you use our website, or that is recorded by the cookies used on our website as an automatic result of
technical processes. The automatically recorded data is automatically logged by the system – without your
separate consent – when you visit or exit the website. We do not connect these data with any other
personal data, therefor you cannot be identified. Only we and the provider managing the cookies have
access to this data.
Cookies supporting basic functionality: These are essential for navigating the given website, for the
operation of the website’s key functions and for accessing protected content. These cookies do not collect
information that could be used for marketing purposes or that would remember what other websites the
visitor visited. After closing the website, these cookies are automatically deleted and the session is closed.
If the visitor does not accept these cookies, the website or some of its parts may not be displayed, or may
be displayed incorrectly, making it impossible to use the website or fill out forms.
The legal basis for data management is the legitimate interest of the Data controller operating as an
MSME based on Article 6 (1) f) of the GDPR.
You, as a Data subject have the right to access, correct, delete, restrict data processing and object in
connection with technical cookies.
We draw our visitors’ attention to the fact that since the purpose of cookies is to support and facilitate the
usability and processes of the website, if cookies are disabled, we cannot guarantee that the visitor will be
able to fully use all the functions of the website. In this case, the website may function differently than
planned in the browser.
Convenient cookies that support use: These cookies allow our website to remember which mode of
operation you have chosen (for example: you have accepted the cookie information and according to
which sorting method the results obtained in the list of search results should be displayed). This is done so
that on the next visit you do not have to accept the cookie information again and again or set the sorting
method according to which you want to view the content displayed on the page. Without the information
contained in the cookies that store preferences, our website may function less smoothly.
We do not record personal data in the convenience cookies, we only store an identification number, from
which the site is informed that the cookie notice was previously accepted. The convenience cookie is
stored in the browser of the client’s machine with an expiration date of 1 month. If cookies are enabled,
the Data controller does not record any identifiers. The visitor can use the site and services in complete
safety when accepting cookies.
Cookies for statistical purposes:
Statistical data is automatically generated from the data generated by viewing the website.
Legal basis and duration of data management: Based on the information displayed in the pop-up window,
by clicking on the “I accept” button, you can authorize the Data controller to use cookies on the website
and thereby manage the above personal data.
Clicking on the “I accept” button is considered a voluntary consent according to Article 6 (1) a) of the
GDPR, thus the Data controller will process your data until you withdraw your consent. Based on the
information displayed in the pop-up window, by clicking on the “I do not accept” button, you do not
allow the Data controller to use cookies on the website and thereby to manage the above personal data. If
you do not allow the use of cookies, the website will be limited to the use of basic cookies and
technologies in terms of its operation, and no personal data will be processed.
Cookie classification | Purpose of data management | Scope of managed data | Legal basis | Retention period |
cookies ensuring basic functionality | ensuring the proper functioning of the website | – Google Analytics with reduced functionality — JSESSIONID – gdpr_level – gdpr_time | GDPR Article 6 (1) f) legitimate interest | Session cookies: until the end of visiting Cookies to facilitate use: for 6 months |
Cookies for statistical purposes | Collecting information about how our visitors use our website | Google Analytics code _ga _gid _dam _gac_<property-id> Hotjar codes _hjClosedSurveyInvites _hjDonePolls _hjMinimizedPolls _hjDoneTestersWidgets _hjMinimizedTestersWidgets _hjIncludedInSample _hjShownFeedbackMessageGoogle Optimize cookies__utmx__utmxx_gaexpPiwik PRO cookies_pk_ref_pk_cvar_pk_id_pk_ses_pk_hsrpiwik_ignore | GDPR Article 6 (1) a) your consent | Depending on the cookie: – until the end of the session – for 2 years – until 24 hours – for 1 minute – for 90 days – for 365 days |
_pk_uid |
With the exception of cookies that are absolutely necessary for the operation of the website (which do not
collect information considered personal data), the use of cookies is based on your express and appropriate
consent, which forms the legal basis for related data management. Cookies will only be used if you
specifically authorize their use on the dedicated interface. You have the option to change your settings –
and in this case to revoke your consent – at any time.
In addition to the website’s cookie settings, most browsers also provide the option to view, manage, delete
and disable cookies from a specific website. Please note that if you delete all cookies, the settings stored
in them will also be lost, including blocking the acceptance of cookies, as this function also requires
cookies to be placed on the device. Below you will find instructions on how to control the use of cookies
in the most common browsers.
More detailed information about the cookie settings can be found at the following browsers:
If you do not accept the use of cookies, certain functions will not be available to you. You can find more
information about deleting cookies at the following links:
Mozilla Firefox: Sütik engedélyezése és tiltása, amit a weboldak használnak beállítások mentésére
Google Chrome: A cookie-k be- és kikapcsolása
Microsoft Internet Explorer: Cookie-k törlése és kezelése
Microsoft Edge: A Microsoft Edge, a böngészési adatok és az adatvédelem
Apple Safari: Sütik és webhelyadatok kezelése a Mac gép Safari alkalmazásában
9. Method of storing personal data, security measures
Taking into account the science and technology, the Data controller implements appropriate technical,
administrative and organizational measures to guarantee data security:
– Only our employees and partners who have been authorized to do so have access to personal data;
– Our website receives encrypted data via a secure HTTPS protocol, so it is not possible for unauthorized
persons to access personal data via any network device between the target server;
– Our employees use operating systems and software with the latest security updates when performing
their tasks;
– We encrypt our backups;
– Personal data that are no longer needed are deleted or anonymized for use for statistical purposes;
– The servers of our hosting provider operate in a secure data center;
– Our website stores personal data on its IT devices located at its headquarters, as well as on the hosting
provider’s servers located in a secure data center.
The Data controller keeps records of any data protection incidents, indicating the facts related to the data
protection incident, its effects and the measures taken to remedy it.
The Data controller shall report any data protection incident to the National Authority for Data Protection
and Freedom of Information without delay and, if possible, no later than 72 hours after becoming aware
of the data protection incident, unless the data protection incident is likely to pose no risk to the rights and
freedoms of natural persons. We review our security measures regularly, we record the necessary actions
in our internal Incident Management regulations and our employees always perform their duties in
accordance with the current regulations.
10. Automatic decision-making
The Data controller does not perform automatic decision-making procedures and profiling with the
personal data of the data subject.
11. Affected rights, legal remedies
The data subject may request information about the management of his personal data, as well as request
the correction of his personal data, or – with the exception of mandatory data management – deletion,
withdrawal, limitation of data management, and may exercise his right to data portability and protest at
one of the contact details provided in section 1. of this Data Management Notice, or at customer service
(e-mail address) as defined in section 6 of the Data Management Notice.
Right to information:
You are entitled to contact the Data controller with a request for information on the processing of your
personal data at the above contact details of the Data controller. The Data controller informs the data
subject without undue delay, but in any case within one month of the receipt of the request, of the
measures taken following the data subject’s request. If necessary, taking into account the complexity of
the application and the number of applications, the 30-day deadline can be extended by another two
months. The Data controller shall inform the Data subject of the extension of the deadline, indicating the
reasons for the delay, within one month of receiving the request. If the Data subject submitted the request
electronically, the Data controller will provide the information electronically, unless the Data subject
requests otherwise. Information and measures are provided by the Data controller free of charge. If the
Data subject’s request is clearly unfounded or – especially due to its repetitive nature – excessive, the Data
controller may, taking into account the administrative costs associated with providing the requested
information or taking the requested measure, charge a reasonable fee or refuse to take action based on the
request.
Right of access:
The Data subject has the right to obtain from the Data controller feedback as to whether or not his
personal data are being processed and, if such processing is taking place, the right to access the personal
data and the following information: the purposes of the processing; the categories of personal data
concerned; the recipients or categories of recipients to whom or with which the personal data have been
or will be disclosed, including in particular recipients in third countries or international organisations; the
envisaged period of storage of the personal data; the right to rectification, erasure or restriction of
processing and the right to object; the right to lodge a complaint with a supervisory authority; information
on the data sources; the fact of automated decision-making, including profiling, clear information on the
logic used and the significance of such processing and its likely consequences for the data subject. The
Data controller shall provide the Data subject with a copy of the personal data which are the subject of the
processing. For additional copies requested by the Data subject, the Data controller may charge a
reasonable fee based on administrative costs. At the request of the Data subject, the Data controller shall
provide the information in electronic form.
Right of rectification:
The Data subject may request the correction of inaccurate personal data concerning him and the addition
of incomplete data.
Right to erasure:
If one of the following reasons exists, the Data subject has the right to request from the Data controller to
delete the personal data relating to him without undue delay:
● personal data are no longer needed for the purpose for which they were collected or otherwise
processed;
● the data subject withdraws his consent, which is the basis of the data management, and there is no other
legal basis for the data management;
● the data subject objects to data processing and there is no overriding legal reason for data processing;
● personal data were handled illegally;
● personal data must be deleted in order to fulfill the legal obligation prescribed by EU or member state
law applicable to the data controller;
● the collection of personal data took place in connection with the offering of services related to the
information society.
Data deletion cannot be initiated in the case of mandatory data processing: in the case of a legal basis
based on Article 6 (1) c) of the GDPR.
The right to restrict data processing:
At the request of the Data subject, the Data controller restricts data processing if one of the following
condition is met:
● the Data subject disputes the accuracy of the personal data, in which case the restriction applies to the
period that allows checking the accuracy of the personal data;
● the data management is illegal and the Data subject opposes the deletion of the data and instead
requests the restriction of its use;
● the Data controller no longer needs the personal data for the purpose of data management, but the Data
subject requires them to present, enforce or defend legal claims; or
● the Data subject objected to data processing; in this case, the restriction applies to the period until it is
determined whether the legitimate reasons of the Data controller take precedence over the legitimate
reasons of the Data subject.
If data management is subject to restrictions, personal data may only be processed with the consent of the
Data subject, with the exception of storage, submission, enforcement or defending legal claims, or to
protect the rights of another natural or legal person, or in the important public interest of the European
Union or a member state.
The Data controller will inform the Data subject in advance of the lifting of the restrictions on data
management.
Right to data portability:
The Data subject has the right to receive the personal data concerning him and which he provided to the
Data controller in a segmented, widely used, machine-readable format, and to forward this data to another
Data controller.
Right to object:
The Data subject has the right to object at any time to the processing of his personal data necessary to
assert the legitimate interests of the Data controller or a third party for reasons related to his own
situation. In the event of an objection, the Data controller may no longer process the personal data, unless
it is justified by compelling legitimate reasons that take precedence over the interests, rights and freedom
of the Data subject, or that are related to the presentation, enforcement or defense of legal claims.
Procedural rules:
The Data controller informs the Data subject without undue delay, but in any case within one month of
the receipt of the request, of the measures taken following the request in accordance with Articles 15-22
of the GDPR. If necessary, taking into account the complexity of the application and the number of
applications, this deadline can be extended by another two months.
The Data controller shall inform the Data subject of the extension of the deadline, indicating the reasons
for the delay, within one month of receiving the request. If the data subject submitted the request
electronically, the information will be provided electronically, unless the Data subject requests otherwise.
If the Data controller does not take measures following the Data subject’s request, he shall inform the
Data subject without delay, but at the latest within one month of the receipt of the request, of the reason
for the failure to take action, as well as of the fact that the Data subject may file a complaint with a
supervisory authority and exercise his right to judicial redress.
The Data controller provides the requested information free of charge. If the Data subject’s request is
clearly unfounded or – especially due to its repetitive nature – excessive, the Data controller may, taking
into account the administrative costs associated with providing the requested information or taking the
requested measure, charge a reasonable fee or refuse to take action based on the request.
The Data controller informs all recipients of all corrections, deletions or data management restrictions
carried out by him, to whom or to whom the personal data was disclosed, unless this proves to be
impossible or requires a disproportionately large effort. At the request of the Data subject, the Data
controller informs about these recipients.
The Data controller provides a copy of the personal data that is the subject of data management to the
Data subject. For additional copies requested by the Data subject, the Data controller may charge a
reasonable fee based on administrative costs. If the Data subject submitted the request electronically, the
information will be provided in electronic format, unless the data subject requests otherwise.
Right to go to court:
In the event of a violation of their rights, the Data subject may apply to the court against the Data
controller. The court acts out of sequence in the case.
Official data protection procedure:
You can file a complaint with the National Authority for Data Protection and Freedom of Information:
National Authority for Data Protection and Freedom of Information
Registered office: 1055 Budapest, Falk Miksa street 9-11.
Mailing address: 1363 Budapest, Pf.: 9.
Telephone: 06-1-391-1400
Fax: 06-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu
12. Code of Conduct
The Data controller is not subject to the provisions of any code of conduct.
Dated: Budapest, 01.01.2024