Privacy Policy

for the Pilgrim Companion (ZarándokÚtitárs) web and mobile service

Effective from: 28 April 2026

Version: 1.0

Table of contents

  1. Introduction
  2. Controller details
  3. Definitions
  4. Purposes, legal bases, categories and retention of processing
  5. Processors and recipients
  6. International transfers
  7. Mandatory or voluntary nature of providing data
  8. Automated decision-making and profiling
  9. Cookies and similar technologies
  10. Data subject rights
  11. Exercising rights and response deadline
  12. Security measures
  13. Legal remedies
  14. Processing of minors’ data
  15. Modification of the Policy
  16. Final provisions

1. Introduction

This Privacy Policy (the "Policy") sets out the rules for the processing of personal data carried out by SoulQuest Technology Korlátolt Felelősségű Társaság (the "Controller" or "we") in relation to the operation of the "Pilgrim Companion" (in Hungarian: ZarándokÚtitárs) web platform (https://zarandokutitars.hu) and mobile application (jointly, the "Service").

The Controller processes personal data with due care, in particular in compliance with the following laws:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, "GDPR");

  • Hungarian Act CXII of 2011 on Informational Self-determination and Freedom of Information ("Privacy Act");

  • Hungarian Act CVIII of 2001 on certain aspects of electronic commerce services and information society services ("E-commerce Act");

  • Government Decree No. 45/2014 (II. 26.) on the detailed rules of contracts between consumers and businesses;

  • Hungarian Act C of 2000 on Accounting (the "Accounting Act").

This Policy aims to provide users (the "User" or "Data Subject") with clear, transparent and comprehensive information regarding the processing of their personal data and their related rights and remedies.

2. Controller details

Company name: SoulQuest Technology Korlátolt Felelősségű Társaság (SoulQuest Technology Ltd.)

Registered seat: 7140 Bátaszék, József A. u. 18., Hungary

Company registration number: 17-09-014154

VAT number: 32639681-2-17

Court of registration: Court of Registry of the Szekszárd Regional Court

Represented by: the managing director registered in the company register

Email: info@zarandokutitars.hu

Website: https://zarandokutitars.hu

Pursuant to Article 37 of the GDPR, the Controller is not required to designate a Data Protection Officer (DPO) and has not appointed one. For any data protection enquiry, please use the contact details above.

3. Definitions

Personal data: any information relating to an identified or identifiable natural person.

Processing: any operation or set of operations performed on personal data (collection, recording, storage, use, transmission, erasure, etc.).

Controller: the legal entity which, alone or jointly with others, determines the purposes and means of the processing; in this case SoulQuest Technology Ltd.

Processor: a natural or legal person processing personal data on behalf of and on the documented instructions of the Controller.

Data Subject / User: the identified or identifiable natural person whose personal data is processed, typically a registered or non-registered user of the Service.

Consent: any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes.

4. Purposes, legal bases, categories and retention of processing

The Controller only processes personal data necessary for the provision of the Service and for compliance with applicable legal obligations. The processing activities are described below.

4.1. Account registration and account management

Purpose: identifying the User, providing access to the Service, creating and managing the user account, communicating with the User.

Legal basis: Article 6(1)(b) GDPR - performance of a contract (the electronic service contract concluded between the User and the Controller, as set out in the Terms of Use).

Categories of data processed:

  • full name;

  • username / nickname (optional);

  • email address;

  • password (stored in hashed form; the Controller has no access to it in cleartext);

  • postal address (postal code, city, street, house number);

  • country (optional);

  • date of birth;

  • gender;

  • age (optional, calculated from the date of birth);

  • areas of interest (optional, selected from a predefined list);

  • registration date, last login, technical log data.

Retention: for the duration of the user account; upon deletion of the account, personal data are erased without delay and no later than within 30 days, except where retention is required by law (e.g. accounting records).

4.2. Profile picture (optional)

Purpose: visual identification of the User on the platform; supporting the community experience.

Legal basis: Article 6(1)(a) GDPR - consent. Uploading a profile picture is voluntary; not providing one does not affect the use of the Service.

Data: the image file uploaded by the User.

Retention: until the consent is withdrawn or the account is deleted.

4.3. Religious-tourism statistical data (optional)

At registration, the User may provide separate, explicit and freely-given consent for the Controller to process the following data for statistical and research purposes. Refusing or withdrawing this consent at any time has no impact whatsoever on the use of the Service.

Purpose: preparation of anonymised / aggregated statistics in the field of religious tourism and pilgrimage habits; improvement of the Service; support of scientific analyses.

Legal basis: Article 6(1)(a) GDPR - consent. For data revealing religious beliefs, processing is also based on Article 9(2)(a) GDPR - explicit consent.

Categories of data:

  • religious denomination (special category of data, Article 9 GDPR);

  • pilgrimage experience (beginner, advanced, regular, etc.);

  • preferred type of pilgrimage;

  • motivation for pilgrimage;

  • willingness to travel (geographic radius);

  • travel companions (alone, family, group, etc.).

Retention: until the consent is withdrawn, but no later than the deletion of the account. Statistical results may be retained beyond this period in anonymised form that does not allow re-identification of the Data Subject.

The User may withdraw consent at any time, free of charge, by changing the relevant setting in their profile, or by sending an email to info@zarandokutitars.hu. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

4.4. Purchase of packages and processing of payments

Purpose: fulfilment of paid packages ordered by the User; payment processing; issuance and storage of invoices.

Legal basis: Article 6(1)(b) GDPR - performance of a contract; for the retention of accounting records, Article 6(1)(c) GDPR - compliance with a legal obligation arising from Section 169(2) of the Hungarian Accounting Act.

Categories of data:

  • name, billing address, email address;

  • the name, quantity, price and date of the package ordered;

  • payment identifier (transaction ID), payment status;

  • details of the issued invoice.

Card data (card number, expiry date, CVC) is not received or stored by the Controller. Payments are handled by Stripe Inc. (1209 Orange Street, Wilmington, Delaware 19801, USA) - acting as an independent controller / processor - in a PCI-DSS compliant environment. Stripe’s privacy practices are available at https://stripe.com/privacy.

Retention: accounting documents are retained for at least 8 (eight) years pursuant to Section 169(2) of the Accounting Act. Other purchase data is retained for 5 (five) years (general statute of limitation).

4.5. Customer service and contact

Purpose: answering and managing enquiries, complaints or questions sent by the User.

Legal basis: Article 6(1)(b) GDPR (for contractual Users) or Article 6(1)(f) GDPR (legitimate interest in providing customer service); for complaints, the legal obligation under Section 17/A of Hungarian Act CLV of 1997 on Consumer Protection.

Data: name, email address, content of the enquiry, related case data.

Retention: 5 years for complaints under the Consumer Protection Act; 1 year for other enquiries from the closure of the case.

4.6. Technical logging and security

Purpose: ensuring the operation of the Service, identifying errors, preventing abuse, maintaining IT security.

Legal basis: Article 6(1)(f) GDPR - legitimate interest. The Controller has a legitimate interest in the secure and uninterrupted operation of the Service and in protecting users. The balancing test is available upon request.

Data: IP address, device and browser identifier, type and time of action, error logs.

Retention: up to 12 months from the date of recording; in the event of a security incident, until the case is closed.

4.7. Newsletter (where applicable)

If the User explicitly subscribes to the newsletter, the Controller will use the email address and name provided to send the newsletter. Legal basis: Article 6(1)(a) GDPR and Section 6(1)-(2) of Hungarian Act XLVIII of 2008. Retention: until the consent is withdrawn. Unsubscription is provided free of charge via the link in the footer of the newsletter or by emailing info@zarandokutitars.hu.

5. Processors and recipients

The Controller engages the following processors to process personal data. Processors may only process personal data on the documented instructions of the Controller and within the framework of a data processing agreement (DPA).

5.1. Hosting provider

Tárhely.Eu Kft. (registered seat: 1144 Budapest, Ormánság u. 4., Hungary; company registration number: 01-09-909968; VAT no.: 14571332-2-42; email: support@tarhely.eu)

Activity: hosting of the web platform and related data files.

5.2. Cloud and back-end services (Google / Firebase)

Google Ireland Limited (registered seat: Gordon House, Barrow Street, Dublin 4, Ireland) and its affiliated company Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).

Activity: Firebase Authentication (user authentication), Cloud Firestore (database), Firebase Storage (file storage), Firebase Cloud Functions (back-end functions).

Transfer to a third country (USA): Google LLC is a certified participant in the EU-U.S. Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795). Transfers are additionally protected by the European Commission’s Standard Contractual Clauses (Implementing Decision (EU) 2021/914). For further information: https://policies.google.com/privacy.

5.3. Payment service provider

Stripe Payments Europe, Limited (registered seat: 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland), affiliated with Stripe, Inc. (USA).

Activity: processing online card payments. Stripe also acts as an independent controller for payment data due to its statutory obligations (e.g. anti-money-laundering and fraud prevention). Privacy policy: https://stripe.com/privacy.

5.4. Invoicing

For the issuance of invoices, the Controller may use an external online invoicing service provider whose details will appear on the issued invoice. An up-to-date, detailed list of processors is available free of charge upon request at info@zarandokutitars.hu.

5.5. Authorities and other recipients

Personal data are disclosed to public authorities only on the basis of a legal obligation and to the extent specified by the relevant law (e.g. court order, request from the tax authority, supervisory investigation). Personal data are transferred to other third parties only with the explicit consent of the Data Subject.

6. International transfers

As a result of the use of Google and Stripe services, personal data may be transferred to countries outside the European Economic Area (in particular to the United States). The Controller ensures the lawfulness of such transfers as follows:

  • European Commission adequacy decision (regarding Google LLC, under the EU-U.S. Data Privacy Framework);

  • European Commission Standard Contractual Clauses (SCCs);

  • where appropriate, supplementary technical and organisational measures (e.g. encryption, access restrictions).

7. Mandatory or voluntary nature of providing data

The data required for registration and payment that is strictly necessary for the creation of the account and the fulfilment of the order is a contractual prerequisite; without these, the Service cannot be used. Providing data marked as optional is entirely voluntary and not providing them does not result in any disadvantage. Special category data (e.g. religious beliefs) is processed only with the explicit consent of the User.

8. Automated decision-making and profiling

The Controller does not carry out automated decision-making within the meaning of Article 22 GDPR that produces legal effects concerning the Data Subject or similarly significantly affects them. Optional interest and statistical data may be used to display relevant content to the User, which does not constitute automated decision-making within that meaning.

9. Cookies and similar technologies

In order to ensure the proper functioning of the website and the user experience, the website uses cookies and similar technologies (e.g. localStorage, indexedDB). On first visit, a cookie notice is displayed where the User can manage consent on a per-category basis. The choice is stored in the browser’s local storage and may be modified at any time via the "Cookie settings" link in the footer.

9.1. Strictly necessary cookies and storage (no consent required)

These cookies and storage items are essential for the basic operation of the website (maintaining a logged-in session, security, payment process). Legal basis: Article 6(1)(f) GDPR (legitimate interest) and, under Hungarian Act C of 2003 on Electronic Communications Section 155(4) and the E-commerce Act Section 13/A, no consent is required because such processing is technically essential for the provision of the Service. The following technologies fall into this category:

  • Firebase Authentication local storage - to maintain the logged-in session (validity: until the User signs out or the browser storage is cleared);

  • Stripe payment session cookie - for secure payment and fraud prevention (validity: max. 30 days);

  • application state in local storage - language preference, displayed content (validity: until cleared by the User);

  • cookie consent record (key: zarandokutitars_consent) - to record the User’s consent decision (validity: 365 days, then re-prompted).

9.2. Statistics cookies (with consent)

Cookies used to collect anonymous visit data (e.g. which page is viewed, what device is used). Legal basis: Article 6(1)(a) GDPR - consent. The Provider currently does not use such cookies - the category is available for future analytics features (e.g. Firebase Analytics) and is activated only with the User’s explicit consent.

9.3. Marketing cookies (with consent)

Cookies used for targeted content and advertising. Legal basis: Article 6(1)(a) GDPR - consent. The Provider currently does not use marketing cookies - the category is reserved for future features.

9.4. Withdrawal of consent

The User may withdraw or modify a previously given consent at any time, free of charge, via the "Cookie settings" link in the footer of the website, or by clearing the relevant storage items in the browser. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.

10. Data subject rights

Pursuant to Chapter III of the GDPR and the Hungarian Privacy Act, the Data Subject is entitled to the following rights with regard to the processing of their personal data:

10.1. Right of access (Article 15 GDPR)

The Data Subject may request information on whether the Controller processes their personal data and, if so, on the purpose, categories of data, recipients and retention period, and may request a copy of the processed data.

10.2. Right to rectification (Article 16 GDPR)

The Data Subject is entitled to request the rectification of inaccurate personal data or the completion of incomplete data.

10.3. Right to erasure - "right to be forgotten" (Article 17 GDPR)

The Data Subject may request the erasure of their data where it is no longer necessary, where consent has been withdrawn, where they have objected to processing, or where the processing is unlawful. Data processed under a legal obligation (e.g. accounting records) may not be erased before the statutory retention period expires.

10.4. Right to restriction of processing (Article 18 GDPR)

The Data Subject may request the restriction of processing where the accuracy of the data is contested, the processing is unlawful, or the Data Subject has objected to processing.

10.5. Right to data portability (Article 20 GDPR)

The Data Subject may receive personal data processed by automated means based on consent or a contract in a structured, commonly used, machine-readable format (e.g. JSON, CSV) and may request that it be transmitted to another controller, where technically feasible.

10.6. Right to object (Article 21 GDPR)

The Data Subject may at any time, on grounds relating to their particular situation, object to processing based on legitimate interest. In the event of an objection, the Controller shall no longer process the data unless it demonstrates compelling legitimate grounds which override the interests, rights and freedoms of the Data Subject.

10.7. Right to withdraw consent (Article 7(3) GDPR)

Consent on which processing is based may be withdrawn by the Data Subject at any time, without justification and free of charge. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

11. Exercising rights and response deadline

The Data Subject may exercise the above rights in writing using the following contact details:

  • by post: 7140 Bátaszék, József A. u. 18., Hungary;

  • by email: info@zarandokutitars.hu;

  • through the user account settings (e.g. profile editing, account deletion).

The Controller shall respond to the request within one (1) month of receipt and inform the Data Subject in writing of the action taken. Where necessary, this period may be extended by a further two months, taking into account the complexity and number of requests; in such cases the Data Subject shall be notified within one month of receipt.

The Controller may refuse to act on the request only if it is unable to identify the Data Subject, or it is able to demonstrate that the request is manifestly unfounded or excessive.

Exercising rights is free of charge. For manifestly unfounded or excessive (in particular repetitive) requests, the Controller may charge a reasonable fee or refuse to act on the request.

12. Security measures

The Controller implements appropriate technical and organisational measures to ensure the security of the data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing (Article 32 GDPR), in particular:

  • communication is secured by TLS (HTTPS) encryption;

  • passwords are stored using one-way cryptographic functions (hashing);

  • payments are processed in a PCI-DSS compliant environment provided by Stripe;

  • access is role-based, granted only to the extent necessary for performing tasks;

  • regular backups and logging are in place;

  • written data processing agreements have been concluded with the processors.

In the event of an incident which is likely to result in a high risk to the rights and freedoms of the Data Subject, the Controller shall notify the supervisory authority within 72 hours of becoming aware of it, and the Data Subjects where required.

13. Legal remedies

If the Data Subject considers that the processing is in breach of the GDPR or any other data protection law, they may file a complaint with the Controller using the contact details above, or pursue the following remedies:

13.1. Supervisory authority

Hungarian National Authority for Data Protection and Freedom of Information (NAIH)

Address: 1055 Budapest, Falk Miksa utca 9-11., Hungary

Postal address: 1363 Budapest, Pf. 9.

Phone: +36 (1) 391-1400

Email: ugyfelszolgalat@naih.hu

Website: https://www.naih.hu

Data Subjects who reside in another EU/EEA Member State may also lodge a complaint with their local supervisory authority.

13.2. Judicial remedy

In the event of an infringement of their rights, the Data Subject may bring a court action. Pursuant to Section 23(3) of the Privacy Act, the Data Subject may - at their choice - bring the action before the regional court of their place of residence or stay.

14. Processing of minors’ data

The Service may be used by persons under the age of 16, provided that the holder of parental responsibility gives consent for the registration (Article 8 GDPR; Section 6(3) of the Privacy Act). A user under the age of 16 must expressly declare during registration that they are acting with the knowledge and consent of their parent or guardian.

The Controller relies on the date of birth provided at registration for age verification (self-declaration). Where the date of birth indicates an age below 16, a parental consent declaration is displayed on the registration form; the registration cannot be completed without accepting it. The Controller applies the principle of reasonable efforts (Article 8(2) GDPR), taking into account available technology and the nature of the Service.

Religious-tourism statistical data (special category data) as described in Section 4.3 of this Policy is not collected from users under the age of 16 due to the heightened data protection risk; the related fields are not displayed on the registration form.

If the Controller becomes aware that a person under the age of 16 has provided personal data without parental consent, such data shall be erased without delay, and - where possible - the parent or guardian shall also be notified.

15. Modification of the Policy

The Controller reserves the right to amend this Policy unilaterally. The amended Policy shall be published on https://zarandokutitars.hu and, in case of material changes, the Users shall be notified by email or in-app notice. Modifications take effect on the date of publication, unless otherwise specified.

16. Final provisions

Matters not regulated by this Policy shall be governed by the GDPR, the Privacy Act and the related Hungarian and EU laws. The invalidity of any provision shall not affect the validity of the remaining provisions.

SoulQuest Technology Kft. · 7140 Bátaszék, József A. u. 18.

Company registration number: 17-09-014154 · VAT number: 32639681-2-17 · info@zarandokutitars.hu