Privacy Notice

DATA MANAGEMENT INFORMATION

Galvanize Nutrition Ltd.

https://puregoldprotein.com/hu website visitors, registered users and business partners for

1.INTRODUCTION

Galvanize Nutrition Kft. (registered office: 1145 Budapest, Columbus u. 27-29/b; place of business: 2120 Dunakeszi, Pallag u. 25/B. company registration number: 01-09305771), hereinafter referred to as the "Data Controller", as the Data Controller, acknowledges the contents of this legal notice as binding upon it. It undertakes to ensure that any processing of data relating to its activities complies with the requirements set out in this Notice and in the applicable national legislation and European Union acts.

As stated above, the service provider intends to fully comply with the legal requirements for the processing of personal data, in particular with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as "GDPR").

In the course of operating the website, the Data Controller processes the data of the persons registered on the site in order to provide them with an appropriate service.

The Data Controller reserves the right to make changes to this notice without restriction. The Data Controller will notify data subjects of any changes in due time (https://puregoldprotein.com/hu).

If you have any questions about the contents of this Notice, please contact us using one of our official contact details and one of our dedicated staff will answer your question (see designated contact).

Galvanize Nutrition Ltd., as a data controller, is committed to protecting the personal data of its customers, while respecting the legal obligations, and attaches great importance to respecting the right of informational self-determination of its customers. The Data Controller handles personal data confidentially and takes all security, information technology and organizational measures to ensure the security, confidentiality, integrity and availability of the data.

This Privacy Notice has been prepared pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of personal data of natural persons and on the free movement of such data, subject to the provisions of Act CXII of 2011 on the Right to Information Self-Determination and Freedom of Information.

Please note that we can only process your personal data in accordance with the provisions of the GDPR if you, as a natural person, are aware of your civil and criminal liability and provide us, as Data Controller, with only your real personal data. Providing inaccurate, incorrect or fictitious personal data does not allow us to provide you with our services and is contrary to our legal obligations.

2. Data controller data

Name / company name: Galvanize Nutrition Ltd.

Seat: 1145 Budapest, Columbus u. 27-29/b

Location: 2120 Dunakeszi, Pallag u. 25/B.

Company registration number: 01-09-305771

Website name, address: https://puregoldprotein.com/hu

Fromdata managementinformation contact details: https://puregoldprotein.com/hu

3. Contact details of the Data Controller

Name / company name: László Garai /Galvanize Nutrition Kft.

Mailing Address: 1145 Budapest, Columbus u. 27-29/b

E-mail: info@puregoldprotein.com/hu

Telephone: +36301310453

4. Definitions of terms

- the GDPR (General Data Protection Regulation) is the European Union's General Data Protection Regulation;

- Processing: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

- processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

- personal data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

- controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the controller's designation may also be determined by Union or Member State law;

- data subject's consent: a voluntary, specific, informed and unambiguous indication of the data subject's wishes by which he or she signifies his or her agreement to the processing of personal data concerning him or her by means of a statement or an unambiguous act of affirmation;

- data breach: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

- recipient: the natural or legal person, public authority, agency or any other body, whether or not a third party, to whom or with whom the personal data are disclosed. Public authorities that may have access to personal data in the context of an individual investigation in accordance with Union or Member State law are not recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;

- third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data.

5. THE SCOPE OF THE PERSONAL DATA, THE PROCESSING PURPOSE, TITLE AND DURATION

The data processing of the Data Controller's activities is based on voluntary consent or on legal authorisation. In the case of processing based on voluntary consent, data subjects may withdraw their consent at any stage of the processing. In certain cases, the processing, storage and transmission of some of the data provided may be required by law. The principles of this Privacy Notice are in accordance with the applicable data protection and related legislation, in particular the following:

• Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.)

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);

• Act V of 2013 on the Civil Code (Civil Code);

• Act C of 2000 on Accounting (Accounting Act);

• Act LIII of 2017 on the Prevention of Money Laundering and Terrorist Financing and on the preventing (Pmt)

• 19/2017 (VII. 19.) MNB Decree on the detailed rules for the development and operation of a screening system for service providers supervised by the MNB and the implementation of the Act on the implementation of financial and asset restriction measures ordered by the European Union and the United Nations Security Council

• Act CVIII of 2001 on electronic commerce services and the on certain aspects of information society services (Eker.)

• Act C of 2003 on Electronic Communications (Eht.)

• Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising (Act XLVIII of 2008).

5.1.ADATKEZÉSEK

Purpose of data processing

The legal basis for processing (where the legal basis for processing in the Prospectus is contains the following legal provisions):

• voluntary consent of the data subject (Article 6(1)(a) GDPR)

• performance of a contractual obligation (Article 6(1)(b) GDPR)

• fulfil a legal obligation (Article 6(1)(c) GDPR)

• legitimate interests of the controller or a third party (Article 6(1)(f) GDPR)

Scope of the data processed:

• for natural persons: name, address, telephone number, e-mail address

• for legal persons/companies: name, registered office, tax number, postal address, telephone number, e-mail address

The time limit for data retention:

• in the case of a contractual obligation, for the duration of the contract;

• until the data subject's voluntary consent is withdrawn;

• Retention of accounting data as defined in the Accounting Act (8 years)

Data controller tasks:

1145 Budapest, Columbus u. 27-29/b

ld. Further subsections in chapter 5.1.

Data processing tasks:

Name Headquarters Data processing task

Vodafone Hungary Zrt.

1112 Budapest, Boldizsár street 2.

Invitech ICT Services Kft.

1013 Budapest, Krisztina krt. 39.

ACE Telekom Ltd.

OTP Simple Pay

https://simplepay.hu/wpcontent/uploads/2021/01/OTPM _trade_relationship_management_ada tkezeles_hun_20210114.pdf

Stripe

https://stripe.com/en-hu/privacy

Amazon

https://www.amazon.com/gp/hel p/customer/display.html?nodeId

=GX7NJQ4ZB8MHFRNJ

1037. Budapest, Zay Road 3

1143 Budapest, Hungária krt. 17-19.

https://stripe. com/en-hu

https://www.a mazon.com/

internet service (Budapest)

internet service (Dunakeszi)

internet service (Dunakeszi)

electronic payment service

electronic payment service

external hosting provider

Béradmin Ltd.

DPD Hungária Kft.

1222 Budapest, Mész u. 6.

1134 Budapest, Váci út 33. 2. em.

Google LL.C.

The Rocket Science Group LL.C

Mailchimp

(1600 Amphitheatre Parkway Mountain View, CA 94043)

(675 Ponce De Leon Ave NE Ste 5000 Atlanta, GA, 30308-2172)

IToperations

legal advice

accounting

mail and parcel delivery

Cookie management

Newsletters

Possible consequences of not providing data:

Possible consequences of not providing data to the data subject upon request: under the EU General Data Protection Regulation (GDPR), the data subject may lodge a complaint with the supervisory authority, which may establish the failure to act in the framework of an administrative procedure and impose a fine on the offending/defaulting controller.

5.1.1.Registration on the website

On the company's website, the visitor/contacted person has the possibility to register and to implement a registration. By filling in the form, the visitor provides the personal data required for contacting the company. However, the data can only be actually recorded if the data subject accepts the company's Privacy Policy and confirms this by ticking a checkbox. The completion of the above operation is a necessary element of the finalisation of the registration. Without this, the registration will not be successful.

The purpose of the processing is to provide additional services (complaints and grievances) and to contact you.

The legal basis for registration data processing is your consent.

The data subjects are the registration users of the website.

Duration of processing: processing will continue until consent is withdrawn. You can withdraw your consent to the processing at any time by sending an e-mail to the contact e-mail address. The data will be deleted when consent is withdrawn.

The controller and processors have the right to access the data.

The data protection obligations applicable to natural or legal persons or unincorporated organisations carrying out data processing activities on behalf of the company are set out in the contract of engagement with the data processor.

Data storage method: electronic.

The modification or deletion of personal data may be initiated by e-mail or by letter to using the contact details above.

The provision of personal data is strictly necessary for identification in databases and contact purposes. The exact name/company name and address are required for billing purposes, which is a legal obligation.

Scope of data processed Specific purposes of the processing of data

Name Identification, contact, billing.

Address Identification, contact, billing.

E-mail Identification, contact.

Phone Identification, contact.

User name Identification, contact.

Registration Date Technical information operation.

IP address + client-side technical fingerprint

Technical information operation.

The user can give his/her consent to data processing by voluntarily ticking the empty checkbox on the website.

As a data subject, you have the right to object to the processing of your personal data, in accordance with the procedure set out in the processing information detailed above and in this notice and the legislation described in this notice.

5.1.2.Ordering on the website, online shopping

After registering on the website, the visitor has the possibility to visit the online shop initiate an online purchase (place an order) and process it.

The enablingof online purchases and sales on the website operated by the Data Controller and the performance of the contract under the GTC published on the website is based on Article 13/A of Act CVIII of 2001 on certain issues of electronic commerce services and information society services.

The purpose of the processing is to provide additional services and to contact you. The legal basis for registration data processing is your consent.

The data subjects are the registration users of the website.

Duration of processing: processing will continue until consent is withdrawn. You can withdraw your consent to the processing at any time by sending an e-mail to the contact e-mail address. The data will be deleted when consent is withdrawn.

The controller and processors have the right to access the data.

The data protection obligations applicable to natural or legal persons or unincorporated organisations carrying out data processing activities on behalf of the company are set out in the contract of engagement with the data processor.

Data storage method: electronic.

The modification or deletion of personal data may be initiated by e-mail or letter to. using the contact details above.

The provision of personal data is strictly necessary for identification in databases and contact purposes. The exact name/company name and address is required for delivery and invoicing, which is a legal obligation.

Scope of data processed

Specific purposes of the processing of data

Name Identification, contact, billing.

Address Identification, contact, billing.

E-mail Identification, contact.

Phone Identification, contact.

User name Identification, contact.

Online shopping Date

Order number

Package information

IP address + client-side technical fingerprint

Technical information operation.

Technical information operation.

Technical information operation.

Technical information operation.

The user can give his/her consent to data processing by voluntarily ticking the empty checkbox on the website.

As a data subject, you have the right to object to the processing of your personal data, in accordance with the procedure set out in the processing information detailed above and in this notice and the legislation described in this notice.

5.1.3.Product delivery, delivery

Purpose of the processing The legal basis for processing is the consent of the data subject

The data subjects are the registered customers of the service provider.

Duration of processing: processing is based on a legal requirement. Persons entitled to access the data: the controller and processors

The data protection obligations applicable to natural or legal persons or unincorporated organisations carrying out data processing activities on behalf of the company are set out in the contract of engagement with the data processor.

Data storage method: electronic.

Changes or corrections to the delivery data can be initiated by e-mail or by letter using the contact details above.

Scope of data processed

Specific purposes of the processing of data

Name Identification, contact, billing.

Address

Identification, contact, billing.

E-mail Identification, contact.

Phone Identification, contact.

Delivery data

Delivery date

Identification of the transport

Technical information operation

The user can give his/her consent to data processing by voluntarily ticking the empty checkbox on the website.

The data subject may object to the processing of his or her personal data, in which respect he or she has the right to the procedure set out in the processing information detailed above and in this notice and the legislation described in this notice.

5.1.3.Setting up an account

The purpose of the processing is to issue and send an electronic invoice as an e-mail attachment.

The legal basis for processing is mandatory processing based on law.

The data subjects are the registered customers of the service provider.

Duration of processing: processing is based on a legal requirement.

Persons entitled to access the data: the controller and processors

The data protection obligations applicable to natural or legal persons or unincorporated organisations carrying out data processing activities on behalf of the company are set out in the contract of engagement with the data processor.

Data storage method: electronic.

Changes or corrections to invoice details can be initiated by e-mail or letter using the contact details above.

Scope of data processed

Specific purposes of the processing of data

Name Identification, contact, billing.

Address Identification, contact, billing.

E-mail Identification, contact.

Phone Identification, contact.

Account details

Invoice issue date

Identification of the account

Technical information operation

The user can give his/her consent to data processing by voluntarily ticking the empty checkbox on the website.

The data subject may object to the processing of his or her personal data, in which respect he or she has the right to the procedure set out in the processing information detailed above and in this notice and the legislation described in this notice.

5.1.4.Send newsletter

As the operator of this website, we declare that the information and descriptions published by us fully comply with the relevant legal provisions. We also declare that when subscribing to a newsletter, we are not in a position to verify the authenticity of the contact details or to establish whether the details provided relate to an individual or a company. Companies that contact us will be treated as a customer partner.

The purpose of data processing is to send you professional brochures, electronic messages containing advertising, information and newsletters, from which you can unsubscribe at any time without any consequences.

The legal basis for processing is your consent. Please be informed that the user may give his/her prior and explicit consent to be contacted by the service provider with promotional offers, information and other mailings to the e-mail address provided at the time of registration. As a consequence, the user may consent to the processing of the necessary personal data by the service provider for this purpose.

Please note that if you wish to receive a newsletter from us, you must provide the necessary information. If you do not provide this information, we will not be able to send you a newsletter.

Duration of processing: processing will continue until consent is withdrawn. You may withdraw your consent to the processing at any time by sending an e-mail to the contact e-mail address.

The data will be deleted when consent to data processing is withdrawn. You can withdraw your consent to data processing at any time by sending an e-mail to the contact e-mail address.

You can also withdraw your consent by following the link in the newsletters sent to you.

The controller and processors have the right to access the data.

The data protection obligations applicable to natural or legal persons or unincorporated organisations carrying out data processing activities on behalf of the company are set out in the contract of engagement with the data processor.

Data storage method: electronic.

The modification, correction or deletion of data can be initiated by e-mail or by by letter using the contact details above.

Name Identification, contact, billing.

E-mail

Date of subscription

IP address + Client side technical fingerprint

Identification, contact.

Technical information operation.

Technical information operation

Please note that neither the username nor the e-mail address need to contain any personally identifiable information. For example, it is not necessary for the username or e-mail address to contain your name. You are entirely free to choose whether to provide a username or an e-mail address that contains information that identifies you. The e-mail address, which is used to contact you, is absolutely necessary to ensure that any newsletter or professional information sent to you is received.

5.1.5.Cookies (cookies)

Cookies are placed on the user's computer by the websites visited and contain information such as the page settings or login status.

Cookies are therefore small files created by the websites you visit. They improve the user experience by saving browsing data. Cookies help the website to remember your website settings and offer you locally relevant content.

A small file (cookie) is sent by the provider's website to the website visitors' computer in order to establish thefact and time of the visit. The provider informs the website visitor of this.

Data subjects concerned: visitors to the website

Purpose of data processing: additional services, identification, tracking of visitors.

Legal basis for processing: consent of the user

Scope of the data: unique ID number, time, preferences

The user has the option to delete cookies from browsers at any time by going to the Settings menu.

Persons entitled to access the data: the controller and processors

The data protection obligations applicable to natural or legal persons or unincorporated organisations carrying out data processing activities on behalf of the company are set out in the contract of engagement with the data processor.

Data storage method: electronic.

5.1.6.

Google Analytics

Our website uses Google Analytics X □ does not use Google Analytics

When using Google Analytics:

The company's website runs software that analyses website traffic data. However, the software does not process any personal data in accordance with the applicable data protection regulations, but it does record data on visits. The company receives automatically generated information about visitors to its website.

As IP addresses are considered relative personal data under the current Data Protection Regulation, the National Authority for Data Protection and Freedom of Information and internationally accepted practice, the company protects all technical information obtained in the course of the processing of the website with the protection afforded to personal data under this policy.

Google Analytics uses internal cookies to compile reports for its customers on the habits of website users.

On behalf of the website operator, Google will use this information toevaluate how users use the website. As an additional service, the website operator will compile reports on website activity for the website operator so that it can provide additional services.

Data subjects concerned: visitors to the website

Purpose of data processing: to study website visiting habits

Legal basis for processing: the user's consent

Data: the Internet Protocol (IP) address of the visitor, the time of the visit to the website, the pages viewed, the name of the browser program used

Persons entitled to access the data: the controller and processors

The data protection obligations applicable to natural or legal persons or unincorporated organisations carrying out data processing activities on behalf of the company are set out in the contract of engagement with the data processor.

Data storage method: electronic.

Scope of data processed

IP address

website visit Date

details of pages viewed

Specific purposes of the processing of data

Technical information operation

Technical information operation

Technical information operation used browser program data

Technical information operation

5.1.7.Provision of electronic payment services

The nature and purpose of the data processing activities carried out by the processor can be found in the Data Processing Notice of {the electronic payment service provider}, at the following link: https://simplepay.hu/adatkezelesi-tajekoztatok/

The User acknowledges that if he/she chooses the payment method provided by the Service Provider on any website {the electronic payment service provider}, the following personal data stored by the Service Provider in its user database will be transferred to Simple Pay Kft. as a data processor.

The data transmitted by the data controller are the following: name, e-mail address, telephone number, billing name, billing address

5.1.8.Community sites

The company will also allow visitors to participate on social networking sites to promote the service and to connect effectively.

The scope of the data processed: the name of the registered user on Facebook/Youtube/Instagram/TikTok etc. social networking sites, as well as the user's public profile picture.

Data subjects: all data subjects who are registered on Facebook/ /Youtube/Instagram/TikTok etc. on social networking sites and "liked" the website.

Purpose of the data collection: to share or "like" certain content, products, promotions or the website itself on social networking sites.

Our company processes data subjects' data in the course of its activities as a data processor. The tasks of data controller and the rights and obligations related to data processing are exercised by the operators of social networking sites.

Description of the data subjects' rights in relation to data processing: the data subject can find out about the source of the data, the processing of the data and the method and legal basis of the transfer on the relevant Community site (duration of processing, deadline for deletion of data, the identity of the potential controllers who are entitled to access the data and the data subjects' rights in relation to data processing)

The processing of data takes place on social networking sites, so the duration of the processing, the method of processing and the possibility to delete and modify the data are governed by the rules of the social networking site concerned.

Legal basis for processing: the data subject's voluntary consent to the processing of his or her personal data on social networking sites.

5.1.9."Cart abandonment" message

The purpose of the processing is for the Data Controller to notify you of a purchase that has been started but not completed. In other words, that you have placed the product ordered via the website in your shopping cart but have not completed the purchase process.

The legal basis for processing is the legitimate interest of the Data Controller

The data subjects are the registered customers of the service provider.

Duration of processing: the Data Controller shall process the personal data on the basis of a legitimate interest in the for a period of 1 year from the date of its inclusion in the basket.

Persons entitled to access the data: the controller and processors

The data protection obligations applicable to natural or legal persons or unincorporated organisations carrying out data processing activities on behalf of the company are set out in the contract of engagement with the data processor.

Data storage method: electronic. Scope

E-mail Identification, contact.

Cookiek Identification, contact.

The data subject may object to the processing of his or her personal data, in which respect he or she has the right to the procedure set out in the processing information detailed above and in this notice and the legislation described in this notice.

5.1.10.Ad hoc promotions

From time to time, the Data Controller organizes ad hoc promotions, in which personal data are you can also manage.

The purpose of the processing is to promote the products of the Data Controller, to promote the promoting its services.

The legal basis for processing is the data subject's consent

The data subjects are the customers participating in the promotion.

Duration of processing: the Data Controller processes personal data on the basis of consent as a legal basis until the purpose of the processing is fulfilled (end of the promotion) or until the date of withdrawal of the data subject's consent.

Persons entitled to access the data: the controller and processors

The data protection obligations applicable to natural or legal persons or unincorporated organisations carrying out data processing activities on behalf of the company are set out in the contract of engagement with the data processor.

Data storage method: electronic.

Scope of data processed

Specific purposes of the processing of data

Name Identification, contact, billing.

E-mail Identification, contact.

Phone Identification, contact.

Picture/photo Identification

The scope of the data required to be provided during the promotion varies from case to case, usually name, email address, picture, the personal data processed in the specific promotion can be found on the promotion's website, where the data subject can find out which personal data he/she is required to provide.

The user's consent to the processing of personal data is given on the website and by voluntarily ticking the empty checkbox.

The data subject may object to the processing of his or her personal data, in which respect he or she has the right to the procedure set out in the processing information detailed above and in this notice and the legislation described in this notice.

5.1.11.Images published on websites, social media

The purpose of the Data Management is to promote the products and services of the Data Controller and to raise awareness of the benefits of a conscious and balanced diet. In this context, you may publish on your website or on social media platforms the photos you have taken or submitted to us ("before and after" photos)

The legal basis for processing is the consent of the data subject.

The data subjects are the participating customers.

Duration of processing: the Data Controller will process personal data with consent as the legal basis on the basis of the data subject's consent until the date of withdrawal of the data subject's consent.

Persons entitled to access the data: the controller and processors

The data protection obligations applicable to natural or legal persons or unincorporated organisations carrying out data processing activities on behalf of the company are set out in the contract of engagement with the data processor.

Data storage method: electronic.

Scope of data processed

Specific purposes of the processing of data

Name Identification, contact, billing.

E-mail Identification, contact.

Picture/photo Identification

The user can give his/her consent to data processing by voluntarily ticking the blank checkbox on the website.

The data subject may object to the processing of his or her personal data, in which respect he or she has the right to the procedure set out in the processing information detailed above and in this notice and the legislation described in this notice.

5.1.10. KYC data management

KYC stands for "Know Your Costumer" and is a customer identification procedure required by Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (hereinafter: AML) and other relevant provisions (see Information Chapter 5), which banks and other financial service providers use to document the true identity of customers and the source of their assets, with the aim of ensuring the legitimacy of those assets. KYC customer identification is implemented as a third party electronic service. Details of the third-party service provider's rules on data management are available on its website.

For natural persons, the following information must be provided in the electronic when identifying a customer:

Data processed: full name - name at birth - mother's maiden name - permanent addressdate of birth - place of birth - nationality

The primary identity documentation required for identification must be uploaded in the manner and location specified by the external service provider. In addition to the primary identification documents, a photograph of the person concerned is required for customer identification.

Primary identification documents can be: 1. Valid passport; 2. National Identification Card; 3. Valid driving licence.

Information and documents must be uploaded via the website in the manner prescribed and deemed appropriate by the external service provider.

5.2.OTHER DATA PROCESSING BY THE CONTROLLER

5.2.1.E-mail service

Galvanize Nutrition Ltd. provides an e-mail service for its customers. The mail traffic (letters, attachments, log files) is stored on the servers of the data processor of Galvanize Nutrition Ltd., the Web Hosting Provider indicated in section 5.1.

The purpose of the processing: the smooth operation of the email service. Legal basis for processing: consent of registered customers.

Data processed: letters, attachments, log files. Duration of data processing: 5 years

5.2.2.Client register

The data of registered customers and partners are recorded in the company's unique system.Purpose of data management: to fulfil the order requests of customers and partners communication.

scope of data processed: customer's name, e-mail address, telephone number, address, shopping habits legal basis for processing: user's consent

data retention period: until the deletion of contact data at the request of the data subject, in the case of accounting documents and other invoicing-related cases 8 years in accordance with Section 169 (2) of the Act on Accounting.

Persons entitled to access the data: the controller and processors

The data protection obligations applicable to natural or legal persons or unincorporated organisations carrying out data processing activities on behalf of the company are set out in the contract of engagement with the data processor.

Data storage method: electronic.

5.2.3.Data transmission

By accepting this Privacy Notice, the Data Subject expressly consents to the transfer of his or her personal data to the recipients as data processors specified below:

Data range: name, telephone number, e-mail address, address, ...

Data source: data collected directly from the data subject

Recipient of the transfer: the set of data processors set out in point 2.1.

legal basis for processing: consent of the user

time limit for data storage: until the contact details are deleted at the request of the data subject, Persons entitled to access the data: the controller and processors

The data protection obligations applicable to natural or legal persons or unincorporated organisations carrying out data processing activities on behalf of the company are set out in the contract of engagement with the data processor.

Data storage method: electronic.

6.CONTACT How to contact the Data Controller

If you contact us, you can contact the controller using the contact details provided in this Notice or find more information on the official website (https://puregoldprotein.com/hu)

The Data Controller deletes all e-mails received by it, together with the sender's name, email address, date, time and other personal data provided in the message, after a maximum of five years from the date of the communication.

7. OTHER DATA PROCESSING

We inform our Customers that, based on legal obligations, the court, the prosecutor, the investigating authority, the administrative authority as an authority for administrative offences, the National Authority for Data Protection and Freedom of Information, or other bodies authorised by law may contact the data controller to provide information, to disclose or transfer data, or to provide documents.

The Data Controller shall disclose to public authorities, where the public authority has indicated the precise purpose and scope of the data, only such personal data as are strictly necessary for the purpose of the request and to the extent strictly necessary for the purpose of the request.

8. HOW THE PERSONAL DATA IS STORED, THE SECURITY OF DATA PROCESSING

The Data Controller's electronic information systems and other data storage locations shallbe and its data processors.

The Data Controller shall select and operate the IT tools used to process personal data in the course of providing the service in such a way that the processed data:

a)is accessible to authorised persons (availability);

b)authenticity and verification (authenticity of processing);

c)can be verified to be unchanged (data integrity);

d)be protected against unauthorised access (data confidentiality).

The Data Controller shall take appropriate measures to protect the data against, in particular, unauthorised access, alteration, disclosure, disclosure, erasure or destruction, accidental destruction, damage or loss, and inaccessibility resulting from technical changes in the technology used.

The Data Controller shall ensure, by appropriate technical means, that the data stored cannot be directly linked and attributed to the data subject, except where permitted by law, in order to protect the data files managed electronically in its various registers.

The Data Controller shall ensure the security of data processing by means of technical, organisational and organisational measures, taking into account the state of the art, which provide a level of protection appropriate to the risks associated with the processing.

The Data Controller shall retain during the processing

a)confidentiality: it protects information so that only those who are entitled to it have access to it;

b)integrity: it protects the accuracy and completeness of the information and the method of processing;

c)availability: ensuring that when the authorised user needs it, he or she can actually access the information and the tools to do so are available.

The Data Controller and its partners' IT systems and networks are protected against computer fraud, espionage, sabotage, vandalism, fire and flooding, computer viruses, computer intrusions and denial of service by computer security procedures.

We inform users that electronic messages transmitted over the Internet, regardless of the protocol (e-mail, web, ftp, etc.), are vulnerable to network threats that could lead to fraudulent activity, contract disputes, or the disclosure or modification of information. The controller will take all reasonable precautions to protect against such threats. Systems are monitored to ensure that any security discrepancies are recorded and evidence of any security incidents is provided. System monitoring also allows the effectiveness of the security measures in place to be verified.

9. RIGHTS OF DATA SUBJECTS

The data subject may request information on the processing of his or her personal data, and may request the rectification, erasure or withdrawal of his or her personal data, except for mandatory data processing, and may exercise his or her right to data portability and objection in the manner indicated when the data were collected, or by contacting the controller at the above contact details.

Right to information:

The controller shall take appropriate measures to ensure that all the information referred to in Articles 13 and 14 of the GDPR and all the information referred to in Articles 15 to 22 and 34 of the GDPR concerning the processing of personal data is provided to data subjects in a concise and transparent manner,

in an understandable and easily accessible form, clearly and concisely presented.

The right to obtain information can be exercised in writing via the contact details indicated in the Introduction or in point 3. Upon request, the data subject may also be provided with information orally, after proof of his or her identity.

The data subject's right of access (Article 15 GDPR):

The data subject shall have the right to obtain from the controller feedback as to whether or not his or her personal data are being processed and, if such processing is taking place, the right to access the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom or with which the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations; the envisaged period of storage of the personal data; the right to rectification, erasure or restriction of processing and the right to object; the right to lodge a complaint with a supervisory authority; information on the data sources; the fact of automated processing, including profiling, and clear information on the logic used and the significance of such processing and the likely consequences for the data subject. In the case of transfers of personal data to third countries or international organisations, the data subject is entitled to be informed of the appropriate safeguards for the transfer.

The Data Controller shall provide the data subject with a copy of the personal data processed free of charge upon request. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. At the request of the data subject, the Controller shall provide the information in electronic form. The controller shall provide the information within a maximum of one month from the date of the request.

Right to rectification (Article 16 GDPR):

The data subject may request that inaccurate personal data relating to him or her which are processed by the Controller correcting and completing incomplete data.

Right to erasure (Article 17 GDPR):

If one of the following applies, the data subject is entitled, at his or her request. The controller to delete personal data relating to him or her without undue delay:

• the personal data are no longer necessary for the purposes for which they were collected, or treated in a different way

• the data subject withdraws the consent on which the processing is based and the processing is no other legal basis

• the data subject objects to the processing and there are no overriding legitimate grounds for the for data processing

• the personal data have been unlawfully processed

• the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject

• personal data is collected in connection with the provision of information society services.

The erasure of data may not be initiated if the processing is necessary: for the exercise of the right to freedom of expression and information, for compliance with an obligation under Union or Member State law that requires the controller to process personal data, or for reasons of public interest, or for the establishment, exercise or defence of legal claims.

Right to restriction of processing (Article 18 GDPR):

At the request of the data subject, the Data Controller shall restrict processing if the following conditions are met one of the following is met:

• the data subject contests the accuracy of the personal data, in which case the restriction applies for a period of time which allows the accuracy of the personal data to be verified

• the processing is unlawful and the data subject opposes the erasure of the data and requests instead that the data be restrictions on the use of;

• the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or

• the data subject has objected to the processing; in this case, the restriction applies for the period until it is established whether the legitimate grounds of the controller override those of the data subject.

• Where processing is restricted, personal data, other than storage, may be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State.

The controller shall inform the data subject in advance of the lifting of the restriction on processing.

Right to data portability (Article 20 GDPR):

The data subject has the right to receive personal data relating to him or her which he or she has provided to the controller in a structured, commonly used, machine-readable format and to transmit such data to another controller.

Right to object (Article 21 GDPR):

The data subject shall have the right to object at any time to processing of his or her personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling based on those provisions. In the event of an objection, the controller may no longer process the personal data, unless it is justified by compelling legitimate grounds which override the interests, rights and freedoms of the data subject or are related to the establishment, exercise or defence of legal claims.

Automated decision making in individual cases, including professional searches (Article 22 GDPR):

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

The above right shall not apply where the processing is

• necessary for the conclusion or performance of a contract between the data subject and the controller;

• is permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or

• based on the explicit consent of the data subject

Right of withdrawal (Article 7(3) GDPR):

The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.

10. PROCEDURAL RULES

Without undue delay and in any event within one month of the request being made, the controller shall inform the data subject of the request and of the action taken in response to it pursuant to Articles 15 to 22 of the GDPR. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months.

The data controller shall inform the data subject of the extension of the time limit within one month of receipt of the request, stating the reasons for the delay. Where the data subject has made the request by electronic means, the information shall be provided by electronic means, unless the data subject requests otherwise.

If the controller fails to act on the data subject's request, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the failure to act and of the possibility for the data subject to lodge a complaint with a supervisory authority and to exercise his or her right of judicial remedy.

The Data Controller shall provide the requested information and data free of charge. Where the data subject's request is manifestly unfounded or excessive, in particular because of its repetitive nature, the controller may, taking into account the administrative costs of providing the information or information requested or of taking the action requested, charge a reasonable fee or refuse to act on the request.

The controller shall inform any recipient to whom or with whom the personal data have been disclosed of any rectification, erasure or restriction of processing that it has carried out, unless this proves impossible or involves a disproportionate effort.

The controller shall inform the data subject of these recipients at his or her request.

The data controller shall provide the data subject with a copy of the personal data processed. For additional copies requested by the data subject, the controller may charge a reasonable fee based on the administrative costs.Where the data subject has made the request by electronic means, the information shall be provided in electronic format unless the data subject requests otherwise.

11. COMPENSATION AND DAMAGES

Any person who has suffered pecuniary or non-pecuniary damage as a result of a breach of the Data Protection Regulation shall be entitled to receive compensation from the controller or processor for the damage suffered. A processor shall be liable for damage caused by its processing only if it has failed to comply with obligations expressly imposed on processors by law or if it has disregarded or acted contrary to lawful instructions from the controller.

Where several controllers or several processors or both controller and processor are involved in the same processing and are liable for the damage caused by the processing, each controller or processor is jointly and severally liable for the entire damage.

The controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

12. LEGAL REMEDIES

Initiate a complaint:

If you have a problem with the Data Controller's handling of your data, you can contact the Managing Director:

Name: László Garai Phone number: +36301310453

E-mail: info@puregoldprotein.com/hu

Right to apply to the courts:

In the event of a violation of his/her rights, the data subject may, in accordance with the applicable national legislation (Civil Code, § 2:51), take legal action against the controller before the competent court in the territory of the country. The court shall rule on the case out of turn.

Data protection authority procedure:

If you are not a Hungarian citizen and you wish to use the Company's services and you have a complaint, you can contact one of the national supervisory authorities available at the link below using the contact details provided.

https://edpb.europa.eu/about-edpb/board/members_hu

If you are a Hungarian citizen or a foreign national, you can lodge a complaint with the Hungarian supervisory authority as the elected body at:

You can lodge a complaint with the National Authority for Data Protection and

Freedom of Information: Name: National Authority for Data Protection and

Freedom of Information

Headquarters: 1055 Budapest, Falk Miksa utca 9-11.

Postal address: 1363 Budapest, Pf.: 9.

Phone: +36 1 391 1400

Fax: +36 1 391 1410

E-mail: ugyfelszolgalat@naih.hu

Website: http://www.naih.hu