This Privacy Policy governs the management of personal data on the website operated by:

Company name: EN-TAN Limited Liability Company (EN-TAN Korlátolt Felelősségű Társaság)
Company registration number: 13-09-215249
Tax number: 14237283-2-13
Registered office: 2120 Dunakeszi, Magdolna Street 28., Hungary
Email: entankft@gmail.com

(hereinafter referred to as: Service Provider or Data Controller).

This Privacy Policy is based on the following regulation:
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR).

The Privacy Policy applies to the following website:
https://alter-go.com

The Privacy Policy is permanently available at the following link:
https://alter-go.com/privacy-policy

The Service Provider reserves the right to amend the Privacy Policy. Amendments enter into force upon their publication on the above website.

1.1. Data Controller and Contact Information

Name: EN-TAN Korlátolt Felelősségű Társaság
Registered office: 2120 Dunakeszi, Magdolna utca 28., Hungary
Email address: entankft@gmail.com

2. Definitions

Personal Data: Any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Processing: Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Data Controller: A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller.
Recipient: A natural or legal person, public authority, agency, or another body to whom the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry shall not be regarded as recipients.
Data Subject’s Consent: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data Protection Incident: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

3. Principles relating to the processing of personal data

The processing of personal data must be:

a) Lawful, fair, and transparent: Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.

b) Purpose limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes.

c) Data minimization: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

d) Accuracy: Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

e) Storage limitation: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to appropriate technical and organizational measures.

f) Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

The Data Controller is responsible for compliance with these principles and must be able to demonstrate compliance (“accountability”).

4. Specific Data Processing Activities

4.1 Registration (Creating a User Account)

Scope of Collected Data and Purpose of Processing:

Personal Data	Purpose of Processing
First name, Last name	Identification, secure login to the user account.
Email address	Communication, system notifications, login to the user account.
Notification phone number	Identification, communication.
Password	Secure login to the user account.
Registration date and time	Technical operation.
Registration IP address	Technical operation.
Date of birth	Enhancing player experience by enabling personalized character creation.
Gender identity (male, female, other)	Enhancing player experience and character development in the game.
ZIP code of residence	For statistical purposes and regional service optimization.

Note: Providing an email address containing personal data is not mandatory.

Scope of Data Subjects:
All individuals who register on the website and create a user account.
Duration of Data Processing, Deadline for Deletion:
Until the user’s deletion request, in accordance with Article 17(1) GDPR. Upon deletion of the registration, all personal data will be deleted immediately, except where retention is legally required.
Persons Authorized to Access Data:
Authorized employees of the Data Controller involved in operating the service.
Rights of Data Subjects:

The data subject may request access to, rectification or erasure of personal data, restriction of processing, and has the right to data portability and to withdraw consent at any time.

Methods of Exercising Data Subject Rights:

By mail: 2120 Dunakeszi, Magdolna utca 28., Hungary
By email: info@alter-go.com
By phone: Mon-Fri, 10:00–12:00 CET

Legal Basis for Data Processing:
Article 6(1)(a) (consent) and Article 6(1)(b) (performance of contract) GDPR.
Information:

The processing is necessary for creating the user account based on the user’s request.
Failure to provide personal data results in the inability to create a user account.

4.2 Operation of the Mobile Application

Scope of Collected Data and Purpose of Processing:

Personal Data	Purpose of Processing
First name, Last name	Contact, fulfillment of contractual obligations.
Email address	Communication, sending confirmations.
Phone number	Communication regarding service usage or technical issues.
ZIP code of residence	Regional service optimization, statistical purposes.
Date of birth	To create a personalized in-game character and enhance the player experience.
Gender identity (male, female, other)	Character personalization in the game to provide a higher quality player experience.
Date and time of application registration	Technical operation.
IP address at the time of registration	Technical operation.

Note: Providing an email address containing personal data is not mandatory.

Scope of Data Subjects:
All users who register in the mobile application or purchase and use the service.
Duration of Data Processing, Deadline for Deletion:
Until the user’s deletion request, in accordance with Article 17(1) GDPR. Upon deletion, personal data is immediately erased, except where retention is legally required (e.g., accounting documentation according to applicable law).
Persons Authorized to Access Data:
Authorized employees of the Data Controller, involved in service operation and support.
Rights of Data Subjects:

The data subject may request access to, rectification or erasure of personal data, restriction of processing, and has the right to data portability and to withdraw consent at any time.

Methods of Exercising Data Subject Rights:

By mail: 2120 Dunakeszi, Magdolna utca 28., Hungary
By email: info@alter-go.com
By phone: Mon-Fri, 10:00–12:00 CET

Legal Basis for Data Processing:

Article 6(1)(b) GDPR (necessary for the performance of a contract).
Article 6(1)(c) GDPR (compliance with legal obligations).
Based on Act CVIII of 2001 on certain issues of electronic commerce services (Elker tv.) §13/A(3).

Information:

Processing of personal data is necessary to provide the purchased service and for its legal accounting documentation.
Failure to provide the required personal data results in the inability to fulfill the service.

4.3 Customer Relations

Scope of Collected Data and Purpose of Processing:

Personal Data	Purpose of Processing
Name, email address, phone number	Contact, identification, fulfillment of customer support and contractual obligations.

Scope of Data Subjects:
All users contacting the Data Controller by phone, email, or in person, or users who have a contractual relationship with the Data Controller.
Duration of Data Processing, Deadline for Deletion:
Until the deletion request of the data subject, but no longer than 2 years after the last contact.
Persons Authorized to Access Data:
Authorized employees of the Data Controller, involved in customer service.
Rights of Data Subjects:

The data subject may request access to, rectification or erasure of personal data, restriction of processing, and has the right to data portability and to withdraw consent at any time.

Methods of Exercising Data Subject Rights:

By mail: 2120 Dunakeszi, Magdolna utca 28., Hungary
By email: info@alter-go.com
By phone: Mon–Fri, 10:00–12:00 CET

Legal Basis for Data Processing:

Article 6(1)(b) GDPR (necessary for the performance of a contract).
Article 6(1)(c) GDPR (compliance with legal obligations).
Based on Act V of 2013 on the Civil Code (Ptk.) §6:21 regarding claims limitation (5 years).

Information:

Providing personal data is necessary for the fulfillment of the contract and customer requests.
Failure to provide personal data may result in the inability to fulfill the contract or process the request.

4.4 Newsletter and Direct Marketing Activity

Consent for Marketing Communications:
In accordance with Section 6 of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities, users may give prior and explicit consent to the Data Controller to contact them with marketing offers and other communications using the contact details provided at registration.
Scope of Collected Data and Purpose of Processing:

Personal Data	Purpose of Processing
Name, email address	Identification, enabling newsletter subscription.
Date of subscription	Technical operation.
IP address at the time of subscription	Technical operation.

Scope of Data Subjects:
All users who subscribe to the newsletter.
Purpose of Data Processing:
Sending electronic messages (e-mails, SMS, push notifications) containing advertisements, providing information about current news, products, promotions, new features, etc.
Duration of Data Processing, Deadline for Deletion:
Until the withdrawal of consent, i.e., until unsubscribing from the newsletter.
Persons Authorized to Access Data:
The Data Controller’s authorized sales and marketing staff.
Rights of Data Subjects:

The data subject may request access to, rectification or erasure of personal data, restriction of processing, object to the processing of personal data, and exercise the right to data portability, and may withdraw consent at any time.

Methods of Exercising Data Subject Rights:

By mail: 2120 Dunakeszi, Magdolna utca 28., Hungary
By email: info@alter-go.com
By phone: Mon–Fri, 10:00–12:00 CET

Information:

The data processing is based on the user’s consent and the legitimate interest of the service provider.
Providing personal data is necessary to receive newsletters.
Failure to provide data will result in the inability to send newsletters.
Users can withdraw their consent at any time by clicking the unsubscribe link in the newsletter.

Legal Basis for Data Processing:

Article 6(1)(a) and (f) GDPR (consent and legitimate interest).
Section 6(5) of Act XLVIII of 2008 on Commercial Advertising Activities.

4.5 Complaint Management

Scope of Collected Data and Purpose of Processing:

Personal Data	Purpose of Processing
First and last name	Identification, contact.
Email address	Contact.
Phone number	Contact.
Billing name and address	Identification and management of quality complaints, questions, and issues related to the purchased product or service.

Scope of Data Subjects:
All users who purchase on the app (through App Store or Google Play) and lodge a quality complaint.
Duration of Data Processing, Deadline for Deletion:
Records, transcripts of complaints, and copies of responses must be retained for 5 years in accordance with Section 17/A(7) of Act CLV of 1997 on Consumer Protection.
Persons Authorized to Access Data:
The authorized customer service staff of the Data Controller may access the personal data, in compliance with the principles set forth in this Policy.
Rights of Data Subjects:

The data subject may request access to, rectification or erasure of personal data, restriction of processing, object to the processing, and exercise the right to data portability, and may withdraw consent at any time.

Methods of Exercising Data Subject Rights:

By mail: 2120 Dunakeszi, Magdolna utca 28., Hungary
By email: info@alter-go.com
By phone: Mon–Fri, 10:00–12:00 CET

Legal Basis for Data Processing:

Article 6(1)(c) GDPR (compliance with a legal obligation);
Section 17/A(7) of Act CLV of 1997 on Consumer Protection.

Information:

Providing personal data is based on a legal obligation.
The processing of personal data is a prerequisite for handling the complaint.
Failure to provide personal data will result in the inability to handle the complaint properly.

5. Recipients of Personal Data

Definition of “Recipient”:
A natural or legal person, public authority, agency, or any other body to whom or with whom the personal data are disclosed, regardless of whether they are a third party. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

5.1 Data Processors (acting on behalf of the Data Controller)

The Data Controller uses data processors to assist in its activities and to fulfill contractual obligations and legal requirements related to the data subjects.

The Data Controller takes special care to engage only those data processors that provide sufficient guarantees for implementing appropriate technical and organizational measures in accordance with the GDPR to ensure the protection of data subjects’ rights.

Data processors act only based on the Data Controller’s instructions and do not make independent decisions regarding the data.

The Data Controller remains legally responsible for the activities of the data processors unless the processor breaches specific GDPR obligations or acts contrary to the Data Controller’s lawful instructions.

Categories of Data Processors:

Hosting Services:
BlazeArts Kft. (operating under Forpsi.hu)
Registered Office: 1148 Budapest, Fogarasi út 3–5., Hungary
Email: support@forpsi.hu
Website: https://www.forpsi.hu
Email Services:
- Google LLC (Gmail)
  Headquarters: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
- BlazeArts Kft. (Forpsi email services)
Analytics:
- Apple Inc. (App Store Analytics)
- Google LLC (Google Play Console Analytics)

Note: The App Store and Google Play platforms collect usage analytics independently according to their respective privacy policies.

Couriers / Delivery Services:
Not applicable for this service, as purchases are digital and delivery is via app stores.

5.2 Data Transfers to Third Parties

Definition of “Third Party”:
Any natural or legal person, public authority, agency, or body other than the data subject, the Data Controller, the data processor, or persons who, under the direct authority of the Data Controller or processor, are authorized to process personal data.

In case of in-app purchases and related payment processing, third-party data controllers involved are:

Apple Inc.
(for purchases made through the Apple App Store)
Address: One Apple Park Way, Cupertino, CA 95014, USA
Privacy Policy: https://www.apple.com/privacy/
Google LLC
(for purchases made through Google Play)
Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Privacy Policy: https://policies.google.com/privacy

Note: These entities act as independent data controllers, processing personal data according to their own privacy policies.

6. Cookie Management

6.1 Cookies Used on the Website

The website (https://alter-go.com) uses cookies primarily for the following purposes:

Essential cookies:
Cookies that are necessary to ensure the basic operation of the website and enable core functions such as security, network management, and accessibility. These cookies do not require user consent.
Functional cookies:
Cookies that allow the website to remember choices the user makes (such as language preference) and provide enhanced, more personal features.
Analytics cookies:
Cookies that collect information about how visitors use the website (e.g., which pages are most frequently visited, or if users receive error messages).
Analytical cookies are placed by:
- Google Analytics (Google LLC, USA)
- Apple App Analytics (Apple Inc., USA) via the App Store
- Google Play Console Analytics (Google LLC, USA)

Important: These analytics services process aggregated data and generally do not identify individual users directly.

Social Media Cookies:
Links from the website may direct users to third-party social media platforms (Facebook, Instagram, X (Twitter), TikTok). These platforms may place their own cookies through interactions (such as clicking a link), over which the Data Controller has no direct influence.
Users are encouraged to review the privacy and cookie policies of these platforms separately.

6.2 Management of Cookies

Upon the first visit, the website displays a cookie banner that informs the user about cookie usage and allows consent management for non-essential cookies.

The user may at any time modify their cookie preferences, or block or delete cookies using their browser settings.
Instructions for cookie settings in commonly used browsers:

Blocking cookies may impact the usability of certain features on the website.

6.3 Data Processed via Cookies

Unique identifier
Session timestamps
Browser and device information
IP address (anonymized where applicable)

Note: No sensitive personal data (such as name or contact details) are stored in cookies.

6.4 Legal Basis for Cookie Usage

Essential cookies: Legitimate interest of the Data Controller (Article 6(1)(f) GDPR)
Functional, analytics, and social media cookies: Consent of the user (Article 6(1)(a) GDPR)

The user can withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

7. Use of Google and Facebook Services

7.1 Use of Google Ads Conversion Tracking

The Data Controller uses the Google Ads online advertising program and its conversion tracking service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).

When a user clicks on an advertisement placed by Google, a cookie is placed on their device. These cookies are valid for a limited time and do not contain any personal data, thus the user cannot be identified through them.

If the user visits certain pages of the website while the cookie is active, Google and the Data Controller may recognize that the user clicked on the advertisement and was redirected to that page.

Each Google Ads customer receives a different cookie; thus, cookies cannot be tracked across different advertisers’ websites.

The information collected via the conversion cookie is used to generate conversion statistics for Google Ads customers who have opted for conversion tracking. These customers learn the total number of users who clicked on their advertisement and were redirected to a page with a conversion tracking tag. However, they do not receive information that personally identifies users.

Users who do not wish to participate in tracking can easily disable the Google conversion tracking cookie in their internet browser settings. By doing so, they will not be included in the conversion tracking statistics.

Further information and Google’s privacy policy can be found at:
https://policies.google.com/privacy

7.2 Use of Google Analytics

The website uses Google Analytics, a web analytics service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).

Google Analytics uses cookies to help analyze how users interact with the website. The information generated by the cookie about the use of the website is generally transmitted to a Google server in the USA and stored there.

The website uses IP anonymization: within the European Union or the European Economic Area, Google shortens users’ IP addresses before transmission. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there.

Google uses this information on behalf of the Data Controller to evaluate the use of the website, compile reports on website activity, and provide other services relating to website and internet usage.

The IP address transmitted by the browser within Google Analytics will not be merged with other Google data.

Users can prevent the storage of cookies by setting their browser software accordingly.
Additionally, users can prevent Google from collecting the data generated by the cookie relating to their use of the website (including their IP address) and from processing this data by downloading and installing the browser plug-in available at the following link:
https://tools.google.com/dlpage/gaoptout?hl=en

7.3 Use of Facebook Pixel

The website uses the Facebook Pixel of Meta Platforms, Inc. (formerly Facebook Inc., 1601 Willow Road, Menlo Park, CA 94025, USA).

The Facebook Pixel is a piece of code that helps track user behavior after they are redirected to the website by clicking on a Facebook advertisement. This allows the effectiveness of Facebook advertisements to be evaluated for statistical and market research purposes and future advertising measures to be optimized.

The data collected via the Facebook Pixel is anonymous to the Data Controller and does not allow conclusions to be drawn about the identity of users. However, the data is stored and processed by Facebook, allowing connection to the respective user profile and use for Facebook’s own advertising purposes, in accordance with Facebook’s Data Policy.

Users can control how their data is used for advertising purposes in their Facebook account settings:
https://www.facebook.com/settings?tab=ads

More information about Facebook’s data policy can be found at:
https://www.facebook.com/about/privacy

7.4 Links to Social Media Platforms

The website contains links to social media platforms such as:

Facebook
X (formerly Twitter)
Instagram
TikTok

Clicking these links may allow these platforms to place cookies on the user’s device independently of the Data Controller.
The management of personal data and cookies on these platforms is governed by the respective platform’s own privacy policies.

The Data Controller recommends that users review the privacy and cookie policies of the respective platforms separately.

8. Customer Relations and Other Data Processing

In the event of questions, inquiries, or issues arising during the use of the Data Controller’s services, users may contact the Data Controller via the provided communication channels (telephone, e-mail, social media platforms, etc.).
The Data Controller processes incoming messages, including the name, e-mail address, telephone number, and any voluntarily provided personal data of the inquirer, for the purpose of handling the inquiry and maintaining contact.
Personal data collected through inquiries will be stored for a maximum of 2 years from the date of communication unless the user requests earlier deletion.
For data processing activities not specifically mentioned in this Privacy Policy, information will be provided at the time the personal data is collected.
In exceptional cases, if requested by authorities or authorized bodies and as permitted by applicable law, the Data Controller may be obliged to disclose personal data.
In such cases, the Data Controller shall disclose only those personal data that are necessary to fulfill the request and only to the extent required.
Legal Basis of Processing:
- Article 6(1)(b) GDPR (performance of a contract or steps prior to entering into a contract)
- Article 6(1)(c) GDPR (compliance with a legal obligation)

9. Data Subjects’ Rights

Right of Access
You have the right to obtain confirmation from the Data Controller as to whether or not your personal data is being processed, and if so, to access the personal data and certain related information specified in the GDPR.
Right to Rectification
You have the right to request the correction of inaccurate personal data concerning you without undue delay. Considering the purposes of the processing, you also have the right to have incomplete personal data completed.
Right to Erasure (“Right to be Forgotten”)
You have the right to request that the Data Controller erase personal data concerning you without undue delay, and the Data Controller is obliged to erase personal data without undue delay under certain circumstances (Article 17 GDPR).
Right to Restriction of Processing
You have the right to obtain restriction of processing from the Data Controller where one of the following applies:

You contest the accuracy of the personal data (for a period enabling verification);
The processing is unlawful and you oppose erasure and request restriction instead;
The Data Controller no longer needs the personal data, but you require it for legal claims;
You have objected to processing pending the verification whether the legitimate grounds of the Data Controller override yours.

Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit those data to another controller without hindrance.
Right to Object
Where personal data is processed based on a legitimate interest or in the exercise of official authority, you have the right to object at any time to such processing on grounds relating to your particular situation.
Right to Object to Direct Marketing
Where personal data is processed for direct marketing purposes, you have the right to object at any time to such processing. In this case, the personal data shall no longer be processed for such purposes.
Right not to be Subject to Automated Decision-Making, including Profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except if:

It is necessary for entering into or performance of a contract;
It is authorized by Union or Member State law;
It is based on your explicit consent.

10. Response Deadline

The Data Controller shall provide information on action taken on the data subject’s request under Articles 15 to 22 of the GDPR without undue delay and, in any event, within one month of receipt of the request.

If necessary, this period may be extended by two further months, taking into account the complexity and number of the requests. The Data Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

If the Data Controller does not act on the request of the data subject, the Data Controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action, and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

11. Security of Processing

The Data Controller and the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.

Such measures shall include, as appropriate:

the pseudonymization and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

The Data Controller shall ensure that personal data is stored in a way that prevents unauthorized access. In the case of paper-based data storage, this includes developing an appropriate filing and storage system; for electronic data, it includes using centralized access management systems.

In case of deletion, the deletion must be irreversible and must be carried out securely.

Specific security measures applied by the Data Controller include:

Paper-based security measures:

Documents containing personal data are stored in a secure, lockable room.
The premises are protected by fire and security systems.
Access to personal data is restricted to authorized personnel only.
In case of leaving a workplace during work involving data processing, all documents must be locked or the room must be secured.
If paper-based data is digitized, the rules for digital data storage apply.

IT security measures:

Devices used for data processing are the property of the Data Controller.
Access to data on computers is protected by username and password.
Only authorized persons can access the server with proper permissions.
Regular data backups and archives are maintained.
Systems are protected with antivirus software.
The website uses SSL encryption.

12. Information to the Data Subject about Personal Data Breach

If a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall communicate the personal data breach to the Data Subject without undue delay.

The notification to the Data Subject shall describe in clear and plain language the nature of the personal data breach and contain at least:

the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
the likely consequences of the personal data breach;
the measures taken or proposed to be taken by the Data Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Communication to the Data Subject shall not be required if any of the following conditions are met:

the Data Controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach — in particular, measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
the Data Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of Data Subjects is no longer likely to materialize;
it would involve disproportionate effort. In such a case, a public communication or similar measure shall be made whereby the Data Subjects are informed in an equally effective manner.

If the Data Controller has not already communicated the personal data breach to the Data Subject, the supervisory authority, after considering the likelihood of a high risk, may require the Data Controller to do so.

Risk Level Examples:

Minor incidents (e.g., typo in a user account) do not require notification.
Medium-risk incidents (e.g., leak of email addresses) require notification to the affected individuals.
High-risk incidents (e.g., leak of bank card data) require notification to both the Data Subject and the Supervisory Authority (within 72 hours).

13. Notification of Personal Data Breach to the Authority

The Data Controller shall notify the personal data breach to the competent supervisory authority without undue delay, and where feasible, not later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

If the notification is not made within 72 hours, it shall be accompanied by reasons for the delay.

The notification to the supervisory authority shall at least:

describe the nature of the personal data breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of personal data records concerned;
communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
describe the likely consequences of the personal data breach;
describe the measures taken or proposed to be taken by the Data Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Data Controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects, and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance.

14. Review in Case of Mandatory Data Processing

If the duration of mandatory data processing or the necessity of its periodic review is not defined by law, municipal decree, or a binding legal act of the European Union, the Data Controller shall review at least every three years from the commencement of the data processing whether the processing of the personal data by the Controller or by a processor acting on its behalf or according to its instructions is still necessary for achieving the purpose of the processing.

The circumstances and the result of such review shall be documented by the Data Controller.
This documentation must be preserved for ten years following the review and must be made available to the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) upon request.

15. Right to Lodge a Complaint

15.1. Complaint to the Supervisory Authority

If you believe that the processing of personal data relating to you infringes the provisions of the General Data Protection Regulation (GDPR), you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or the place of the alleged infringement.

The supervisory authority competent for the Data Controller is:

Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, P.O. Box 5.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
Website: https://www.naih.hu/

15.2. Judicial Remedy

Regardless of the right to lodge a complaint, you may also seek judicial remedy if you believe that your rights under the GDPR have been infringed as a result of the unlawful processing of your personal data. Such proceedings may be brought before the courts of the Member State where you have your habitual residence.

In Hungary, lawsuits related to data protection fall under the jurisdiction of the Regional Courts (“Törvényszék”).

You are entitled to bring the case, at your choice, either before the court of your permanent or habitual residence.

16. Closing Provisions

During the preparation of this Privacy Policy, we have taken into consideration the following legislation:

Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, GDPR) – on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Info Act)
Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (especially Section 13/A)
Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers
Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (especially Section 6)
Act XC of 2005 on the Freedom of Electronic Information
Act C of 2003 on Electronic Communications (specifically Section 155)
Opinion No. 16/2011 on the EASA/IAB Best Practice Recommendation on Online Behavioural Advertising
Recommendations of the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) on preliminary information requirements regarding data protection.

This Privacy Policy is valid from the date of publication on the alter-go.com website and remains in effect until it is modified or withdrawn.

The Controller reserves the right to amend this Privacy Policy unilaterally. In case of changes, the updated version will be published on the website, and the amendments will take effect upon publication.