20 October 2021

 

Thank you for choosing us! We protect and respect your rights related to your personal data.

Therefore, this Privacy Notice (hereinafter referred to as: “Notice”) contains detailed information on the processing of personal data provided by the Parties described hereunder in line with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as: “GDPR”):

Company name: MULTICORE Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság

Registered seat: H-1052 Budapest, Deák Ferenc tér 3. MEYER LEVINSON emelet

Company registration number: 01-09-706665

VAT number: 12854088-2-41

Registered by: Budapest-Capital Regional Court as Court of Registration

Represented by: Béla Bellányi Managing Director independently

E-mail:    

(hereinafter referred to as: “Service Provider”)

its merchant business partners (hereinafter referred to as: “Merchant” or “Partner”) and the persons who visit the www.appandtank.hu website (hereinafter referred to as: “Website”), the Customer Web Interface (hereinafter referred to as: “CWI”), as well as the Service Provider’s customer service centers, and who use the App&Tank application (hereinafter referred to as: “User”). The purpose of the Privacy Notice is to provide a clear view of why, how and for how long we process the personal data obtained by the Service Provider through the Website and the Application – or, where the Customer participates in the award game that can be accessed in the Application, in the organization of such award game – in the course of its contractual relationship with its Partners and/or Users, by visiting our registered seat or through other channels.

I. Definitions used in the Privacy Notice

Personal data

means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data processing

means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Controller

means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

The data controller responsible for processing your personal data is the Service Provider.

Data Processor

means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Third party

means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Data transfer

Disclosing data to a specified third party.

Data subject

Everyone who shares his/her personal data with the Service Provider on the Website or anywhere else (e.g. in the course of a contractual relationship), or whose personal data is otherwise processed by the Service Provider. For example, you who are reading this Notice.

Consent of the data subject

Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Special data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and data concerning health, addictions, criminal record or a natural person’s sex life or sexual orientation.

Genetic data

Personal data relating to the inherited or acquired genetic characteristics of a natural person that give unique information about the physiology or health of that natural person and is primarily derived from the analysis of a biological sample gathered from such natural person.

Biometric data

Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

Personal data breach

A breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transferred, stored or otherwise processed.

Most of the aforementioned definitions are used in the GDPR. The full text of the GDPR is available at http://eur-lex.europa.eu/legal-content/HU/TXT/?uri=celex%3A32016R0679 . The list is not comprehensive. Should you need additional information, do not hesitate to contact us.

Please be advised that we do not process special categories of personal data including genetic or biometric data and do not request such data from you.

II. In what cases do we process personal data?

Taking into consideration the principles laid down in Article 5, paragraph (1) of the GDPR, the Service Provider processes the Customer’s personal data in the following cases:

  • Registration
  • User profile management
  • Processing of purchases
  • Saved payment methods
  • Fraud prevention and platform security
  • Services related to the use of CWI
  • Browsing the Website
  • Contractual relationship
  • Customer service inquiry
  • Contact through the Website
  • Invoicing
  • Placement of cookies embedded in the website
  • Registration for the participation in the award game
  • Participation in the award game

III. What data do we process, what is the purpose of data processing and how long do we process such data?

The legal basis of the processing of personal data may be the following in certain cases defined above:

  • Pursuant to Article 6, paragraph (1) item a) of the GDPR, the Employee’s voluntary consent to the processing of his personal data based on adequate information (hereinafter referred to as: “Consent”);
  • Pursuant to Article 6, paragraph (1), item b) of the GDPR, data processing is necessary for the performance of a contract to which the Data Subject is party (hereinafter referred to as: “Performance of Contract”);
  • Pursuant to Article 6, paragraph (1), item c) of the GDPR, processing is necessary for compliance with a legal obligation to which the controller is subject (hereinafter referred to as: “Compliance with a legal obligation”);
  • Pursuant to Article 6, paragraph (1), item f) of the GDPR, processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (hereinafter referred to as: “Legitimate interest”).

III.1. Browsing

| Scope of data processed | Purposes of data processing | Legal basis of data processing | Designation of the legitimate interest | Period of data processing |
| --- | --- | --- | --- | --- |
| IP address of the data subject | Protection of the Service Provider’s IT systems and the security of the Website | Legitimate interest | Secure operation of the Website and Service | 30 days from the last visit |

Anyone can visit and browse the Website freely, without providing any personal data to the Service Provider. When the data subject starts to use the Website, he/she sends a request to the Service Provider from his/her computer or mobile device. It is like sending a letter and expecting to receive the content of the Website as a response. However, the Service Provider can only respond to the request if the data subject provides his/her address. This address is the internet identification address of the data subject, i.e. his/her IP address. The Service Provider’s server sends the requested Website to this IP address. This is an automated process: by entering the address of the Website into the browser or clicking on a link published anywhere on the Website, the data subject consents to the provision of his/her IP address and its processing by the Service Provider. To make this communication between the Service Provider and the data subject, which takes place when the Website is opened, as smooth as possible, the Service Provider’s server stores the IP address of the data subject in so-called log files.

The identification and storage of the IP address is required for the protection of the Service Provider’s IT systems and the secure operation of the Website. Protection against potential malicious activities against the Website is partly ensured by the logs that the Service Provider creates on the operation of the Website; these logs list the IP addresses from which requests originated. If the Service Provider detects activity from an IP address that may disrupt the secure operation of the Website, such IP address will be blacklisted. Malicious activity is prevented, and legally settled, on the basis of this information. If nothing abnormal is detected, the Service Provider deletes the log files and the corresponding IP addresses. The IP addresses stored in the log files are not used by the Service Provider for purposes other than intended and are automatically deleted within 30 days. IP addresses will be retained only if a prohibited activity of the data subject is detected concerning such IP addresses. Such activities may include any of the above or any other activity that violates the provisions of local, state, national or international law.

III.2. Contractual relationship

| Scope of data processed | Purposes of data processing | Legal basis of data processing | Designation of the legitimate interest | Period of data processing |
| --- | --- | --- | --- | --- |
| First name and surname and e-mail address of the designated contact person of the Partner/User | Liaising to perform an Agreement | Legitimate interest | Communication of information with the Partner/User in order to perform the Agreement | Until an objection is made against data processing or a new contact person is appointed, but for the purpose of enforcing a claim, until the end of the 5th year following the termination of the agreement (statute of limitations, Section 6:22, paragraph (1) of the Civil Code of Hungary) |
| E-mail address of the designated contact person of the Partner/User | Liaising to perform an Agreement | Legitimate interest | Communication of information with the Partner/User in order to perform the Agreement | Until an objection is made against data processing or a new contact person is appointed, but for the purpose of enforcing a claim, until the end of the 5th year following the termination of the agreement (statute of limitations, Section 6:22, paragraph (1) of the Civil Code of Hungary) |
| The phone number of the designated contact person of the Partner/User | Liaising to perform an Agreement | Legitimate interest | Communication of information with the Partner/User in order to perform the Agreement | Until an objection is made against data processing or a new contact person is appointed, but for the purpose of enforcing a claim, until the end of the 5th year following the termination of the agreement (statute of limitations, Section 6:22, paragraph (1) of the Civil Code of Hungary) |

If a contractual relationship has been established between the Service Provider and the Partner/User, the personal data of the designated contact person of the Partner/User as detailed above will be indicated in the resulting Agreement. In these cases, the legal basis for data processing shall be the legitimate interest of the Service Provider, and the purpose is to provide information and other communication to the Partner/User regarding issues that may arise during the contractual relationship. The Partner/User acknowledges that it is the Partner/User’s task and responsibility to obtain consent from the designated contact person to provide his/her data to the Service Provider.

III.3. Customer service

The Service Provider maintains a customer service center in order to provide assistance and information to existing and prospective Partners/Users, as well as to any interested parties, and to enforce their rights (liability for defects, product warranty). We accept and handle customer service inquiries by phone or e-mail.

III.3.1. In case of an e-mail inquiry:

If the Partner or User makes an inquiry to the Service Provider via email from info@appandtank.com (e-mail address), the following data will need to be processed in order for the Service Provider to handle the customer service inquiry with adequate quality assurance:

| Scope of data processed | Purposes of data processing | Legal basis of data processing | Period of data processing |
| --- | --- | --- | --- |
| First name and surname of the data subject | Identification of the data subject, fulfillment of customer service inquiries | Performance of Contract | Until the objection against data processing, or for quality assurance reasons until December 31 of the year following the year in which the customer service inquiry was resolved. |
| Address of the data subject | Identification of the data subject, fulfillment of customer service inquiries | Performance of Contract | Until the objection against data processing, or for quality assurance reasons until December 31 of the year following the year in which the customer service inquiry was resolved. |

III.3.2. In case of a telephone inquiry:

If the Partner/User or the data subject contacts our customer service by telephone, or if our customer service representative calls the Partner/User or the data subject back, at the beginning of the telephone conversation, we draw your attention to the fact that the following data will be processed for quality assurance reasons or in order for the Service Provider to be able to fulfill the customer service inquiry. Please be advised that no audio of the telephone conversation will be recorded.

| Scope of data processed | Purposes of data processing | Legal basis of data processing | Period of data processing |
| --- | --- | --- | --- |
| First name and surname of the data subject | Identification of the data subject, fulfillment of customer service inquiries | Performance of Contract | Until the objection against data processing, or for quality assurance reasons until December 31 of the year following the year in which the customer service inquiry was resolved. |
| Telephone number of the data subject | Identification of the data subject, fulfillment of customer service inquiries | Performance of Contract | Until the objection against data processing, or for quality assurance reasons until December 31 of the year following the year in which the customer service inquiry was resolved. |

III.4. Filling station search via the Application

| Scope of data processed | Purposes of data processing | Legal basis of data processing | Period of data processing |
| --- | --- | --- | --- |
| Real location of the User/data subject (geolocation) | Based on the data subject’s location, the filling stations in the data subject’s vicinity that can be used with the Application and the Service are displayed. | Performance of Contract | As long as the data subject: – allows the Application to access its location data; and – uses the Application and the feature required for positioning is turned on on his/her mobile device. |

The “Filling station search” function in the Application allows the data subject to search for filling stations in their vicinity that can be used by the Application and the Service.

III.5. Liaising through the Website

| Scope of data processed | Purposes of data processing | Legal basis of data processing | Period of data processing |
| --- | --- | --- | --- |
| First name and surname of the data subject | Liaising with the data subject | Performance of Contract | For quality assurance reasons, for 1 year from the date of answering the question |
| Address of the data subject | Liaising with the data subject | Performance of Contract | For quality assurance reasons, for 1 year from the date of answering the question |
| Telephone number of the data subject | Liaising with the data subject | Performance of Contract | For quality assurance reasons, for 1 year from the date of answering the question |

III.6.    Visit to our headquarters

III.7. Invoicing

| Scope of data processed | Purposes of data processing | Legal basis of data processing | Period of data processing |
| --- | --- | --- | --- |
| First name and surname of the designated contact person of the Partner | Liaising with the Partner regarding invoicing | Compliance with a legal obligation | Upon termination of the contractual relationship |
| E-mail address of the designated contact person of the Partner | Liaising with the Partner regarding invoicing | Compliance with a legal obligation | Upon termination of the contractual relationship |

The Service Provider only processes the e-mail address as personal data if the e-mail address of the designated contact person contains the name of a natural person. If a general e-mail address is provided for liaising (e.g. info@példa.hu or pénzügy@példa.hu), the Service Provider processes the data; however, the data is not considered to be personal data. The Service Provider draws the attention of the Partner to the fact that if the e-mail address provided for liaising contains the name of a natural person, it is the Partner’s responsibility to obtain the consent of the contact person to data processing.

III.8. Registration for the participation in the award game

If the Customer wishes to participate in the award game organized by the Service Provider in relation with the use of the Application, then the Service Provider registers them in the award game.

| Scope of data processed | Purposes of data processing | Legal basis of data processing | Period of data processing |
| --- | --- | --- | --- |
| E-mail address of the designated contact person of the Customer | Ensuring the Customer’s participation in the award game, liaising with the Customer | Customer’s consent, as provided in GDPR art. 16. (1) a) | Upon termination of the registration, withdrawal of consent, or the end of 5 years period from the Customer’s last log-in in the Application. |

III.9. Participation in the award game

If the Customer as a natural person participates in the award game, the following personal data are processed.

| Scope of data processed | Purposes of data processing | Legal basis of data processing | Period of data processing |
| --- | --- | --- | --- |
| E-mail address of the designated contact person of the Customer | Operating the picking of the winner in the award game | Customer’s consent, as provided in GDPR art. 16. (1) a) | Upon termination of the registration, withdrawal of consent, or the end of 5 years period from the Customer’s last log-in in the Application. |

IV. What is a cookie and why do we use cookies?

A cookie is a data package sent by the web server to your computer when you visit our website and is retained there for a certain period of time depending on the type of the particular cookie.

Cookies placed on your computer do not pose any security risk or cause any malfunctions.

In order to ensure the uninterrupted use of the Website, certain cookies (so-called session cookies) are automatically installed on your computer when you visit the Website. The purpose of such cookies is to guarantee the security of the Website, to retain the data recorded in our online forms, to display multimedia content, and to balance the load of the Website. We process the personal data collected using these cookies (in particular the IP address of your computer) based on our legitimate interest related to the safe and smooth operation of the Website for as long as you are browsing our website. Such cookies are automatically deleted from your computer upon closing the browser.

Based on your consent provided on the Website, the following types of cookies may be installed on your computer for the purposes described below:

  • Statistical cookies, analytics cookies (e.g. Google Analytics). Such cookies are important to us because they enable us to understand certain characteristics of our visitors (IP address, city, device, browser, operating system used, the subpages of our website visited and the time spent there). Anonymous data are used to compile general statistics and reports on the number of visitors to the Website, to improve both the Website and our marketing strategy.
  • Remarketing cookies (e.g. Google Adwords), which enable us to analyse how you use our website and display personalised content and advertising to you accordingly, even on online platforms other than our website (e.g. other websites or social media).

Furthermore, we distinguish between session cookies and persistent cookies. A session cookie is valid for a single session until the data subject closes the browser. Persistent cookies are valid for longer and are not deleted automatically when the browser is closed. They enable the site to load faster and store settings made by the data subject on the Website.

You may withdraw your consent any time, free of charge and without restriction by visiting the Website and clicking on the pop-up window that appears while the Website is being loaded.

You can also manage cookies in your browser settings. Setting options depend on the browser used.

For more information on cookie settings in the most commonly used browsers visit:

V. Where and how do we store your personal data?

We store personal data on hardcopy documents or electronically. If the data is stored on hardcopy documents (for example, in the case of contractual data), it is stored in a locked-up place, access to which is restricted among the Service Provider’s employees. Data is stored electronically on a server owned by the Service Provider.

The Website is stored on a server operated by an external service provider. Contact details of the third party web hosting provider:

  • Company name: DAM Invisible Technology Zrt.
  • Registered seat: 1118 Budapest, Budaörsi út 64.
  • Registration number: 01-10-141779
  • Represented by: Dorn András
  • E-mail: let-it@damit.hu
  • Phone number: +36 1 666 3 777
  • Web: www.damit.hu
  • Data Protection Officer: Balogh András

(hereinafter referred to as: “DAMIT”)

The Privacy Notice of DAMIT is available at https://admin.appandtank.hu/public-asset/docs/adatvedelmi_tajekoztato_infra_szolgaltatasok.pdf.

The Website was developed by a third party for the Service Provider. The Website engine is provided by the following service provider:

  • Company name: Nextent Informatika Zrt.
  • Registered seat: 1119 Budapest, Fehérvári út 97-99.
  • Registration number: 01-10-045260
  • Represented by: Szalai Balázs
  • E-mail: info@nextent.hu
  • Phone number: +36 1 246 2907
  • Web: www.nextent.hu

The Service Provider takes all necessary technical and organisational measures and precautions to protect personal data and its quality, including, but not limited to, restricting access to personal data among its employees and ensuring the continuous availability of physical, electronic and procedural protection that complies with privacy rules; its servers operate in a locked-up environment, and IT devices are protected by passwords and firewalls.

Notwithstanding the above, the Service Provider does not assume any liability for damage and/or destruction of data and/or unauthorised access as a result of a technical malfunction, natural disaster, terrorism or crime.

VI. How can you exercise your privacy rights?

Request for information (right of access): You can request information about the processing of your personal data from us any time, in person at our headquarters, in writing by registered mail or registered mail with delivery confirmation sent to our registered seat address, or by e-mail at info@multicore.hu.

Pursuant to Article 15, paragraph (1) of the GDPR, the request for information may cover the processed data, their source, the purpose, legal basis, and duration of the data processing, the name and address of any data processors, activities related to data processing, and your rights in connection with data processing. In case of data transfer, it may also cover who received or will receive your data and for what purpose.

The request for information is considered authentic if your request allows us to clearly identify you. If the request is received by e-mail or regular mail, we will only consider the e-mail sent from the e-mail address registered with us as authentic, and we can only send information to the mailing address registered with us. We cannot send information to an e-mail address or mailing address not registered in our records for the sake of the security of your data, unless you voluntarily confirm your identity in a different manner.

Rectification: You can request the rectification, amendment or completion of your personal data any time in the manners described above. This request may solely be fulfilled if the request is received from an authentic source presented in the request for information.

Restriction: You can request that we restrict the processing of your personal data in particular if:

  a) You dispute the accuracy of the personal data processed. In this case, the restriction applies for the period required to verify the accuracy of the data.
  b) We no longer have a legal basis for processing the data, but you request in writing that they be retained for a limited period of time in order to enable you to submit, exercise or defend any legal claims you may consider necessary.

Objection: If we process your personal data for a legitimate interest according to this Notice, you may object to the processing of your personal data any time. We will assess the legitimacy of your objection and, if we consider it justified, we will terminate the processing of data and inform all those to whom the personal data concerned by the objection may have been disclosed of the objection and the measures taken in response to it.

Erasure (“right to be forgotten”): You may request us to erase your personal data any time on any of the grounds specified in Article 17, paragraph (1) of the GDPR.

We may refuse to erase personal data if we are required to process it by law or if processing is necessary in order to enforce our legal claims. In any case, we will inform you of the refusal of your request on erasure. Data erased cannot be recovered in the future.

Transfer of personal data (data portability): You have the right to receive personal data related to you provided to us in a commonly used, machine-readable format and to transfer such data to another data controller.

Kindly exercise your aforementioned rights as intended when you have a real ground to do so, or if one of the conditions specified in the GDPR actually exists.

VII. Who do we forward your personal data to, and who has the right to access such data?

We keep your personal data confidential and do not disclose it to third parties, except for those listed below.

VII.1. Transfer of data related to billing

The Service Provider issues its invoices using PitT Számlázó Rendszer. If the data of a data subject is provided by the Partner as billing information, as described above, since it constitutes personal data, it is subject to processing of data by the Service Provider. The operator of the https://www.paytech.hu website is:

  • Company name: PayTech International Kft.
  • Registered seat: 6044. Kecskemét-Hetényegyháza, Szarkás 370/a.
  • E-mail: info@paytech.hu
  • Represented by: Pozsár Gábor Szabolcs

(hereinafter referred to as: PayTech)

The third party that provides the aforementioned billing service has a GDPR-compliant privacy policy in place, which is available at http://www.paytech.hu/Paytech_Adatvadelmi_tajekoztato.pdf.

VII.2. Transfer of data related to bookkeeping

Data is transferred to the following company, which performs bookkeeping tasks for the Service Provider:

  • Company name: MEYER & LEVINSON Accounting Korlátolt Felelősségű Társaság
  • Registered seat: H-1052 Budapest, Deák Ferenc tér 3. (MEYER & LEVINSON floor)
  • Company registration number: 01-09-928027
  • Tax identification number: 14964303-2-41
  • Represented by: Zoltán Kristó Managing Director independently
  • E-mail address: accounting@meyerlevinson.com

VII.3. Transfer of data related to enforcement of claims

If the Service Provider intends to enforce a legitimate claim, it may transmit documents that contain personal data. The Service Provider shall be entitled to transfer personal data to a legal representative, authority or court for the purpose of enforcing a claim.

VIII. Whom and in what cases are we obliged to disclose personal data to?

We are obliged to disclose personal data processed to the acting authority upon request. We cannot be held responsible in the case of such data transfer and the resulting consequences. We will always notify you about such data transfer.

IX. What responsibilities may arise in association with the personal data provided?

When you provide us with your personal data, you are responsible for ensuring that the data and consent are provided by you and are true and fair.

Kindly refrain from providing us with third party data unless the particular third party has specifically authorised you to do so. We assume no responsibility for any resulting claims.

If a third party objects to the processing of personal data by proving their identity in a credible manner, the personal data will be erased with immediate effect and without notifying you. Kindly provide the personal data of a third party only if you have informed the third party of the availability of this Notice.

Kindly refrain from providing us with any additional data other than those requested by the Service Provider and specified in item III above. If the data subject provides the Service Provider with any personal data other than those requested by the Service Provider, the Service Provider shall immediately render them unrecognisable and irretrievably erase them, and shall exclude its liability in respect of data that the data subject has voluntarily provided to the Service Provider without the Service Provider’s express request.

X. Personal data breach management

Any personal data breach will be reported to the supervisory authority within 72 hours of becoming aware of it, in accordance with the law, and records will be kept of any personal data breach. Data subjects will also be notified in cases specified by law.

XI. Data Protection Officer (DPO)

Pursuant to Article 37 of the GDPR, the appointment of a data protection officer is mandatory if:

  a) data processing is performed by public authorities or other bodies performing public duties, except for courts, which perform judicial duties;
  b) the main activities of the data controller or the data processor include data processing operations which require regular and systematic, large-scale monitoring of the data subjects due to their nature, scope and/or purpose;
  c) the main activities of the data controller or the data processor include the processing of a large number of special categories of personal data specified in Article 9 and data related to the establishment of criminal liability and criminal offenses referred to in Article 10.

Taking into consideration that the Service Provider does not fall into any of the mandatory categories described above, or because there are no other compelling reasons, the Service Provider will not appoint a data protection officer.

XII. Amendments to the Privacy Notice

If the scope of the data processed, the legal basis for the processing or other circumstances change, this Notice will be amended and published on the Website within 30 days in accordance with the relevant provisions of the GDPR along with the notification of data subjects. Kindly read the amendments to the Privacy Notice carefully in all cases, as they contain important information about the processing of your personal data.

XIII. Who can you contact in case of any questions about your personal data or to exercise your rights as a data subject?

Should you have any questions, do not hesitate to contact us at 1052 Budapest, Deák Ferenc tér 3. or by e-mail: info@appandtank.com

The data subject is entitled to exercise his/her rights related to the processing of his/her personal data at the Service Provider as a data controller. If the data subject intends to exercise his rights, he/she shall first notify the Service Provider thereof.

If your rights are violated, you can lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information:

Name: Hungarian National Authority for Data Protection and Freedom of Information
Registered seat: H-1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: H-1530 Budapest, Pf.: 5.
Phone: +36 1 391 1400
E-mail: ugyfelszolgalat@naih.hu
Web: https://naih.hu/