Introduction

Alpen Pharma Kft., located at 1095 Budapest, Soroksári út 48, Building 15, 1st floor, Door 2, with tax number 25723667-2-43 and company registration number 01-09-285719 (hereinafter referred to as the Service Provider or Data Controller), adheres to the following data protection policy.

This policy complies with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).

This policy governs the data processing activities for the website: https://davroe.hu/hu/. The data protection notice is accessible at: https://davroe.hu/hu/adatvedelem. Amendments to this policy are effective upon publication at the aforementioned link.

Data Controller and Contact Information

  • Name: Alpen Pharma Kft.
  • Registered Office: 1095 Budapest, Soroksári út 48, Building 15, 1st floor, Door 2
  • Email: info@davroe.hu
  • Phone: +36 30 313 5887

Definitions

  • Personal Data: Information relating to an identified or identifiable natural person (data subject), identifiable by identifiers such as name, identification number, location data, online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
  • Data Processing: Operations performed on personal data, such as collection, recording, organization, storage, adaptation, retrieval, use, disclosure, alignment, restriction, erasure, or destruction.
  • Data Controller: The entity determining the purposes and means of processing personal data.
  • Data Processor: An entity processing personal data on behalf of the controller.
  • Recipient: An entity to which personal data are disclosed, excluding public authorities receiving data under specific inquiries.
  • Consent: A freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of their personal data.
  • Data Breach: A security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.
  • Profiling: Automated processing of personal data to evaluate personal aspects, such as performance, economic situation, health, preferences, or behavior.

Principles of Personal Data Processing

Personal data shall be:

  • Processed lawfully, fairly, and transparently.
  • Collected for specified, explicit, and legitimate purposes and not processed incompatibly with those purposes.
  • Adequate, relevant, and limited to what is necessary for the purposes.
  • Accurate and kept up to date, with inaccurate data erased or rectified promptly.
  • Kept identifiable only for as long as necessary, except for archiving, scientific, historical, or statistical purposes with appropriate safeguards (storage limitation).
  • Processed with appropriate security measures to protect against unauthorized or unlawful processing, loss, destruction, or damage.

The Data Controller is responsible for and demonstrates compliance with these principles (accountability).

Data Processing for Online Store Operations

1. Scope, Purpose, and Legal Basis of Data Processing

Personal Data | Purpose | Legal Basis
Username | User identification and registration. | GDPR Art. 6(1)(a) (Consent).
Password | Secure access to user account. | GDPR Art. 6(1)(a) (Consent).
Surname and First Name | Contact, purchase, invoicing, and withdrawal rights. | GDPR Art. 6(1)(b) (Contract).
Email Address | Communication with users. | GDPR Art. 6(1)(b) (Contract).
Phone Number | Communication, billing, and delivery coordination. | GDPR Art. 6(1)(b) (Contract).
Billing Name and Address | Issuing invoices, contract management, and claims enforcement. | GDPR Art. 6(1)(c) (Legal obligation, Act C of 2000, Section 169(2)).
Delivery Name and Address | Enabling home delivery. | GDPR Art. 6(1)(b) (Contract).
Purchase/Registration Date | Technical operations. | Act CVIII of 2001, Section 13/A(3).
IP Address at Purchase/Registration | Technical operations. | Act CVIII of 2001, Section 13/A(3).

2. Scope of Data Subjects

All individuals registering or purchasing on the webshop. Username and email address need not contain personal data.

3. Duration of Processing

Data is processed until the data subject requests erasure, provided GDPR Art. 17(1) conditions are met. Accounting documents are retained for 8 years per Act C of 2000, Section 169(2). Contractual data may be erased after the civil law limitation period (5 years, Act V of 2013, Section 6:22).

4. Access to Data

Personal data may be accessed by the Data Controller and its authorized employees, adhering to the above principles.

5. Data Subject Rights

Data subjects may:

  • Request access, rectification, erasure, or restriction of their personal data.
  • Exercise data portability.
  • Withdraw consent at any time.

6. Exercising Rights

Requests can be made:

  • By post: 1095 Budapest, Soroksári út 48, Building 15, 1st floor, Door 2
  • By email: info@davroe.hu
  • By phone: +36 30 313 5887

7. Legal Basis

  • GDPR Art. 6(1)(b) (Contract performance).
  • Act CVIII of 2001, Section 13/A(3) (E-commerce Act).
  • GDPR Art. 6(1)(c) (Legal obligation for invoicing).
  • Act V of 2013, Section 6:22 (5-year limitation period for claims).

8. Important Information

  • Data processing is necessary for contract performance and order fulfillment.
  • Providing personal data is required to process orders.
  • Failure to provide data prevents order processing.

Cookie Management

1. Cookies Not Requiring Consent

Cookies such as session, shopping cart, security, essential, functional, and statistical cookies do not require prior consent.

2. Data Processed

Unique identifiers, dates, and times.

3. Scope of Data Subjects

All website visitors.

4. Purpose

User identification, visitor tracking, and customized functionality.

5. Duration and Legal Basis

Cookie Type | Legal Basis | Duration
Session/Essential Cookies | No processing occurs. | Until browser closure.
Statistical/Marketing Cookies | GDPR Art. 6(1)(a) (Consent). | 1 day to 2 years, or until consent withdrawal.

6. Access to Data

Only the Data Controller may access cookie data.

7. Data Subject Rights

Cookies can be deleted via browser settings under Privacy options.

8. Browser Settings

Customize cookie settings in:

  • Google Chrome
  • Internet Explorer
  • Firefox
  • Safari

Google Ads Conversion Tracking

The Data Controller uses Google Ads and its conversion tracking service, provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). A conversion tracking cookie is placed on the user’s device when accessing the site via a Google ad. These cookies:

  • Have limited validity.
  • Do not contain personal data.
  • Enable Google and the Controller to track ad clicks and page visits.

Each Google Ads customer receives a unique cookie, preventing cross-site tracking. Data is used to generate conversion statistics, showing the number of users who clicked an ad and visited a tagged page, without identifying individuals.

To opt out, disable cookies in your browser. Google Consent Mode v2 introduces ad_user_data (for sharing data for ads) and ad_personalization (for personalized ads), managed via the cookie banner. Consent can be withdrawn without affecting prior processing legality.

More information: Google Privacy Policy.

Google Analytics

This website uses Google Analytics, a web analytics service by Google Inc. Cookies store data about website usage, transmitted to Google servers in the USA. IP anonymization shortens IP addresses within the EU/EEA. Google uses this data to:

  • Evaluate website usage.
  • Compile activity reports.
  • Provide related services.

IP addresses are not merged with other Google data. Prevent cookie storage via browser settings or install the opt-out plugin: Google Analytics Opt-out.

Newsletter and Direct Marketing

1. Consent

Per Act XLVIII of 2008, Section 6, users may consent to receiving advertising offers at provided contact details.

2. Data Processed

Personal Data | Purpose | Legal Basis
Name, Email Address | Newsletter subscription and promotional offers. | GDPR Art. 6(1)(a) (Consent), Act XLVIII of 2008, Section 6(5).
Subscription Date | Technical operations. | GDPR Art. 6(1)(a).
IP Address at Subscription | Technical operations. | GDPR Art. 6(1)(a).

3. Scope of Data Subjects

All newsletter subscribers.

4. Purpose

Sending promotional emails, SMS, or push notifications about updates, products, or promotions.

5. Duration

Until consent withdrawal or newsletter cessation.

6. Access to Data

Processed by the Data Controller and its marketing employees.

7. Data Subject Rights

  • Request access, rectification, erasure, or restriction.
  • Object to processing.
  • Exercise data portability.
  • Withdraw consent at any time.

8. Exercising Rights

Via:

  • Post: 1095 Budapest, Soroksári út 48, Building 15, 1st floor, Door 2
  • Email: info@davroe.hu
  • Phone: +36 30 313 5887
  • Unsubscribe link in messages.

9. Important Information

  • Processing is based on consent.
  • Providing data is required for newsletters.
  • Failure to provide data prevents newsletter delivery.
  • Consent withdrawal does not affect prior processing legality.

Complaint Handling

1. Data Processed

Personal Data | Purpose | Legal Basis
Surname, First Name | Identification, communication. | GDPR Art. 6(1)(c) (Legal obligation, Act CLV of 1997, Section 17/A(7)).
Email Address | Communication. | GDPR Art. 6(1)(c).
Phone Number | Communication. | GDPR Art. 6(1)(c).
Billing Name and Address | Handling complaints and quality issues. | GDPR Art. 6(1)(c).

2. Scope of Data Subjects

Users submitting complaints or quality issues.

3. Duration

Complaint records are retained for 3 years per Act CLV of 1997, Section 17/A(7).

4. Access to Data

Processed by the Data Controller and authorized employees.

5. Data Subject Rights

  • Request access, rectification, erasure, or restriction.
  • Exercise data portability.
  • Withdraw consent.

6. Exercising Rights

Via:

  • Post: 1095 Budapest, Soroksári út 48, Building 15, 1st floor, Door 2
  • Email: info@davroe.hu
  • Phone: +36 30 313 5887

7. Important Information

  • Providing data is a legal obligation.
  • Data is required to process complaints.
  • Failure to provide data prevents complaint handling.

Data Recipients

1. Data Processors

The Data Controller engages processors to facilitate operations, ensuring GDPR compliance. Processors act only on the Controller’s instructions and are liable for non-compliance.

2. Specific Processors

Activity | Details
Hosting | SwissCenter, OpenBusiness SA, World Trade Center Av. Gratta-Paille 2, 1018 Lausanne, Switzerland, Email: info@swisscenter.com, Phone: +41 21 641 10 10
Online Invoicing | Számlázz.hu, KBOSS.hu Kft., Email: info@szamlazz.hu, Phone: +36 30 35 44 789, Website: https://www.szamlazz.hu
Administration | Dolphin Kft., 1132 Budapest, Alig u. 14., Phone: +36-1-487-0280, Email: info@dolphin.hu, Website: https://www.dolphin.hu/

3. Third-Party Controllers

Activity | Details
Transportation | DPD Hungária Kft., 1134 Budapest, Váci út 33., Phone: +36 (1) 501-6200, Email: dpd@dpd.hu
Transportation | FoxPost Zrt., 3300 Eger, Maklári út 119., Phone: +36-1-999-0-369, Email: info@foxpost.hu
Online Payment | OTP Mobil Szolgáltató Kft., 1138 Budapest, Váci út 135-139., Email: ugyfelszolgalat@simple.hu, Phone: +36 1/20/30/70 3-666-611

Social Media

1. Data Processed

Registered name and public profile picture on platforms like Twitter, Pinterest, YouTube, Instagram, TikTok, LinkedIn, etc.

2. Scope of Data Subjects

Users who “like” the Controller’s social media pages or contact the Controller via social media.

3. Purpose

Promoting content, products, or the website on social media.

4. Duration and Rights

Data processing occurs on social media platforms, governed by their regulations. Rights and erasure depend on platform policies. Legal basis: Consent (GDPR Art. 6(1)(a)).

Facebook / Meta Joint Data Processing

The Controller operates a Facebook profile, engaging in joint data processing with Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Ireland). Details are in the Facebook Page Insights Controller Addendum.

1. Data Subjects

  • Users who “like” the Controller’s Facebook page.
  • Users contacting the Controller via private messages.

2. Purpose

Promoting services and responding to messages. No data is collected beyond message responses.

3. Legal Basis

GDPR Art. 6(1)(a) (Consent).

4. Data Processed

Registered name, public profile picture, and other publicly shared data.

5. Withdrawal of Consent

Delete posts/comments or request conversation deletion. Withdrawal does not affect prior processing.

6. Duration

Until consent withdrawal or 2 years for message exchanges.

7. Exercising Rights

Via:

  • Post: 1095 Budapest, Soroksári út 48, Building 15, 1st floor, Door 2
  • Email: info@davroe.hu
  • Phone: +36 30 313 5887

8. Consequences of Not Providing Data

Inability to receive information or communicate via Facebook.

9. Automated Decision-Making

No automated decision-making or profiling occurs.

Customer Relations

Messages via phone, email, or social media are deleted within 2 years unless otherwise required. Specific processing details are provided at data collection.

Data Subject Rights

  1. Access: Confirm processing and access data.
  2. Rectification: Correct inaccurate or incomplete data.
  3. Erasure: Request data deletion under certain conditions.
  4. Restriction: Restrict processing if accuracy is contested, processing is unlawful, or data is needed for claims.
  5. Data Portability: Receive or transfer data in a machine-readable format.
  6. Objection: Object to processing based on legitimate interests or direct marketing.
  7. Automated Decision-Making: Avoid decisions based solely on automated processing, except for contracts, legal obligations, or explicit consent.

Response Deadline

The Controller responds within 1 month, extendable by 2 months if needed, with reasons provided. If no action is taken, the Controller informs the data subject of reasons and complaint options.

Data Security

The Controller implements:

  • Pseudonymization and encryption.
  • Confidentiality, integrity, and availability of systems.
  • Restoration capabilities for incidents.
  • Regular testing of security measures.

Specific Measures

  • Physical: Secure, lockable storage for paper records; fire and property protection.
  • IT: Virus protection, backups, restricted server access, and username/password authentication.

Data Breach Notification

High-risk breaches are communicated to data subjects promptly, detailing the breach, consequences, and measures taken. Notification is unnecessary if:

  • Data is encrypted or unintelligible.
  • Risks are mitigated.
  • Notification is disproportionate (public notice used instead).

Breaches are reported to the supervisory authority within 72 hours unless low risk, with reasons for delays provided.

Mandatory Data Processing Review

Mandatory processing is reviewed every 3 years if not specified by law. Results are documented, retained for 10 years, and available to the National Authority for Data Protection and Freedom of Information.

Complaints

Lodge complaints with:

  • National Authority for Data Protection and Freedom of Information
    • Address: 1055 Budapest, Falk Miksa utca 9-11.
    • Mailing: 1363 Budapest, Pf. 9.
    • Phone: +36-1-391-1400
    • Email: ugyfelszolgalat@naih.hu

Legal References

Recommendations by the National Authority for Data Protection and Freedom of Information

GDPR (Regulation (EU) 2016/679)

Act CXII of 2011 (Infotv.)

Act CVIII of 2001 (E-commerce)

Act XLVII of 2008 (Consumer Practices)

Act XLVIII of 2008 (Advertising)

Act XC of 2005 (Electronic Information)

Act C of 2003 (Electronic Communications)

Opinion 16/2011 (EASA/IAB)
