I. General Provisions

1. Purpose and Scope of the Notice

Smoking Acc. International Kft. (hereinafter referred to as the “Data Controller” or the “Company”) provides this Privacy Notice to inform visitors to its website (hereinafter referred to as “Data Subjects”) about the processing of their personal data, in accordance with the applicable data protection laws — in particular, Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (“Infotv.”) and Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”).

The Data Controller is committed to protecting the personal data of its customers and partners. It treats all personal data confidentially and takes all necessary technical, organizational and security measures to ensure the protection of the data.

This Privacy Notice applies to data processing related to the services available on our website. We only process personal data that is strictly necessary for the purpose for which it was collected.
Please read this Privacy Notice carefully. If you have any questions or comments regarding this Notice or the processing of your personal data, please contact us.

2. Contact Details of the Data Controller

Name: Smoking Acc. International Kft.
Registered office: H-4028 Debrecen, Kassai út 131/B, Hungary
E-mail: info@smokingacc.hu
Phone: +36 70 670 6550

Data Protection Officer:
The Data Controller is not required to appoint a Data Protection Officer under Article 37 of the GDPR.

3. Definitions

The terms used in this Privacy Notice shall be interpreted in accordance with the definitions set forth in the GDPR and the Infotv.

  • Personal Data: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

  • Data Subject/User: Any identified or identifiable natural person based on any information.

  • Consent: The data subject’s freely given, specific, informed and unambiguous indication of his or her wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

  • Data Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

  • Processing: Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

  • Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

  • Recipient: A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

  • Third Party: Any natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

  • Data Transfer: Making data available to a specific third party.

  • Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

II. Rights of the Data Subject

The Data Subject may, at any time, request information about the processing of his or her personal data and may request rectification, correction, erasure, or restriction of such data, and may exercise all other rights granted under applicable laws.

Under the GDPR, the Data Subject has the following rights:

  • Right of access

  • Right to rectification

  • Right to erasure (“right to be forgotten”)

  • Right to restriction of processing

  • Right to notification regarding rectification or erasure of personal data or restriction of processing

  • Right to data portability

  • Right to object

III. Details of Data Processing

The website can be visited without providing personal data; however, certain functions require the processing of personal data. If the Data Subject does not provide the required data, the Company may be unable to process their inquiry or fulfill their order.

The Data Controller processes and stores personal data only for specified and legitimate purposes. The personal data may be accessed and processed by authorized employees of the Company (especially those working in customer service and finance).

1. Registration

To make purchases on the website, prior registration is required, during which the following information must be provided: personal (contact) details, billing details, shipping details, registration country, and reseller status.
Registration requires the acknowledgment of this Privacy Notice and consent to data processing.

  • Purpose of processing: To ensure online purchases and maintain communication.

  • Legal basis: Voluntary consent of the Data Subject.

  • Storage period: Until the withdrawal of consent. Inactive user data are stored for a maximum of 1 year.

Users may request deletion of their registration via email. Upon receipt of the request, the Operator will promptly delete the registration. After deletion, user data are removed from the system immediately; however, this does not affect the retention of data related to completed orders, which must be kept in accordance with legal obligations.

2. Order Management

Processing personal data is necessary for managing orders and fulfilling contracts concluded electronically between the parties.

  • Legal basis: Performance of a contract (GDPR Article 6(1)(b)).

  • Processed data: Customer’s billing and shipping data, username, order history, order ID, registration and purchase dates.

  • Data subjects: Customers of the online store.

  • Storage period: Until withdrawal of consent, or for the period prescribed by law related to contractual performance and civil limitation periods.

3. Invoicing

The Data Controller processes personal data to fulfill accounting obligations, in particular for issuing invoices and retaining accounting records.

  • Purpose: Compliance with legal obligations.

  • Processed data: Name, billing address, tax number.

  • Legal basis: Act C of 2000 on Accounting, Section 169(2), and GDPR Article 6(1)(c).

  • Storage period: 8 years from the date of invoice issuance.

  • Data transfer: To the invoicing software provider for the purpose of issuing invoices.

4. Contact and Communication

The Data Subject may contact the Company through the contact form on the website, by direct email, or by phone. Messages may contain personal data. These data are necessary for communication and identification. Personal data are used solely for the stated purpose and treated confidentially. Phone calls are not recorded.

  • Purpose: Identification of the Data Subject and maintaining communication.

  • Processed data: Name, email, phone number, and any other voluntarily provided data.

  • Legal basis: Consent of the Data Subject (GDPR Article 6(1)(a)).

  • Storage period: Until the purpose is fulfilled or, at most, 1 year after the inquiry.

5. Bank Card Payments

When paying by bank card, the card details are entered on the bank’s own website; therefore, payment data are processed directly by the payment service provider. The online store has no access to these data.

6. Newsletter and Direct Marketing

The online store may send marketing emails to users who have given their prior explicit consent or who have made a purchase previously.
The legal basis for processing is Act XLVIII of 2008 on the Basic Conditions and Certain Limitations of Economic Advertising Activities, Section 6, and GDPR Article 6(1)(a) and (f).

Users may unsubscribe at any time, free of charge, without restriction or justification, via the unsubscribe link in the newsletter or by contacting the Company through its communication channels.

  • Purpose: Informing subscribers about current offers and news.

  • Data subjects: Newsletter subscribers and previous customers.

  • Processed data: Name, email address, ID (unique identifier), source.

  • Storage period: Until withdrawal of consent.

  • Access: Company employees authorized to process personal data.

7. Complaint Handling

When a customer submits a complaint, processing personal data is necessary for investigating and documenting the circumstances.

  • Purpose: Handling the complaint and maintaining contact.

  • Processed data: Customer’s name, address, billing information, contact details (email, phone, postal address), description of complaint, mode, place, and date of submission, attached documents.

  • Legal basis: Legal obligation (GDPR Article 6(1)(c)).

  • Storage period: 5 years from the closure of the complaint, in line with the civil limitation period.

IV. Social Media and Google Services

1. Social Media

Social media plugins are disabled by default on the website and only activated if enabled by the user.
By enabling the plugin, the user consents to their data being transmitted to social media platforms (e.g. Facebook, Instagram, LinkedIn).
If logged into such platforms, the visit to our website may be linked to their social media profile.
For more information, please refer to the privacy policy of the respective social network.

2. Website Analytics and Google Ads

The Company uses Google Analytics and Google Ads services provided by Google Inc.

  • Google Analytics: Used to measure and audit website traffic and performance. Google Analytics employs cookies, but does not store identifiable personal data such as IP addresses or user identities. Users can disable cookies in their browser settings.

  • Google Ads: Used for online advertising and conversion tracking. Cookies set for conversion tracking do not contain personal data and only assist in evaluating ad performance. Users can disable these cookies in their browser.

For more information on Google’s privacy policy, visit:
https://policies.google.com/privacy

V. Data Transfers and Recipients

To fulfill orders and provide certain services, the Data Controller uses external service providers.
Data may only be transferred to third parties when it is necessary for contract performance, based on consent, or as permitted by law.

The Data Controller may provide personal data to competent authorities where required by law or lawful order.
In the event of legal enforcement (e.g. legal notice, lawsuit), personal data may be transferred to a legal representative.
No data transfers are made to third countries outside the EU.

1. Transactional Email Provider

Processor: The Rocket Science Group LLC (Mandrill)
Address: 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA
Email: dpo@mailchimp.com
Phone: +1 (404) 806-5843
Privacy Policy: https://mailchimp.com/legal/privacy
Purpose: Sending system emails (e.g. order confirmation, registration success).
Data processed: Name, email, ID, source.
Storage: Until deletion upon user request.
Legal basis: Consent of the data subject.

2. IT Service Provider

Company: PW Studio Kft.
Address: 4026 Debrecen, Múzeum utca 4. 2nd floor 1.a
Email: info@pwstudio.hu
Purpose: Website hosting and maintenance.
Legal basis: GDPR Article 6(1)(b).

3. Accounting Service

The accounting provider processes invoices and related documents.
Data processed: Name, billing address.
Purpose: Accounting tasks required by law.
Storage period: 8 years.
Legal basis: Act C of 2000 on Accounting.

VI. Data Security

The Data Controller implements all necessary technical and organizational measures to protect personal data from unauthorized access or loss.
Data are stored primarily in electronic form on secure servers, while paper-based documents are kept in locked facilities.
Access to personal data is restricted to authorized personnel only.
In case of physical or technical incidents, backup systems ensure data recovery and availability.

VII. Cookie Policy

Our website may use cookies to track user activity and improve functionality. Cookies enable features such as the shopping cart and personalized browsing experience.
Session cookies are temporary and deleted when the browser is closed, while persistent cookies help recognize returning visitors.
Cookies do not store personal data.

  • Data processed: Unique identifier, date, time.

  • Purpose: User identification and visit tracking.

  • Duration: Depends on the specific cookie type.

Users can manage or disable cookies in their browser settings at any time.

VIII. Remedies

If a Data Subject has a complaint regarding data processing, we recommend contacting the Data Controller first.
The Company will investigate and respond within 30 days.

If the complaint remains unresolved, the Data Subject may contact the National Authority for Data Protection and Freedom of Information (NAIH):
Address: 1055 Budapest, Falk Miksa utca 9–11.
Mailing address: 1363 Budapest, Pf. 9
Email: ugyfelszolgalat@naih.hu
Website: www.naih.hu

The Data Subject may also seek judicial remedy before the competent court based on residence or domicile. Court proceedings are exempt from fees and handled as a priority.

IX. Data Breach

A personal data breach is a security incident resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
In the event of a data breach, the Data Controller acts in accordance with the GDPR.
If the breach is likely to result in a high risk to the rights of individuals, the Data Controller will promptly inform the affected Data Subjects and take the necessary corrective actions.

If you believe a data breach has occurred concerning your personal data, please contact us by email.
All reports will be investigated, and appropriate measures will be taken.