Privacy notice
Effective from 23 April 2026. Last updated: 23 April 2026.
The purpose of this notice is for Tóth István, sole proprietor (the "Controller"), operating pizzabarlang.hu, to inform data subjects about the processing of their personal data in compliance with the GDPR (Regulation (EU) 2016/679) and Hungarian Act CXII of 2011 (Infotv.).
1. The Controller
- Name
- Tóth István, sole proprietor
- Registered office
- Moha utca 12, 6000 Kecskemét, Hungary
- Registration number
- 61056550
- Tax number
- 91397537-1-23
The Controller is not required to designate a Data Protection Officer under GDPR Article 37, as core activities do not involve regular and systematic monitoring of data subjects on a large scale, nor large-scale processing of special categories under Articles 9 and 10.
2. Definitions (GDPR Article 4)
- Personal data: any information relating to an identified or identifiable natural person ("data subject").
- Processing: any operation performed on personal data (collection, storage, modification, transfer, erasure, etc.).
- Processor: a natural or legal person who processes personal data on behalf of the Controller.
- Consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes.
3. Principles (GDPR Article 5)
The Controller processes personal data lawfully, fairly and transparently, for specified, explicit and legitimate purposes, in adequate, relevant and limited scope ("data minimisation"), accurately and up-to-date, only for as long as necessary, and with appropriate technical and organisational security measures.
4. Specific processing operations
4.1. Order and contract performance
Recording the User's order, conclusion of the contract, delivery of the product, payment processing, and handling warranty claims. Data is transferred to the payment provider (Stripe), shipping platform (Packli) and through it to the chosen courier.
GDPR Article 6(1)(b) — performance of a contract.
Name, shipping address, billing address, email, phone, ordered products, order total, payment method, shipping method, COD amount (if applicable).
5 years after contract performance (general limitation period under Hungarian Civil Code Section 6:22); 8 years for accounting documents under Hungarian Accounting Act Section 169.
4.2. Invoicing
Compliance with accounting and tax obligations, issuance of invoices.
GDPR Article 6(1)(c) — legal obligation (Hungarian Accounting Act, VAT Act).
Billing name, billing address, tax number (if applicable), products and amounts.
8 years under Hungarian Accounting Act Section 169.
4.3. Newsletter and transactional emails
Newsletter: notifications about products back in stock, promotions. Transactional email: order confirmation, shipping notice, invoice.
Newsletter: GDPR Article 6(1)(a) — consent (under Hungarian Act XLVIII of 2008 §6). Transactional: GDPR Article 6(1)(b) — performance of a contract.
Name, email, order ID and contents.
Newsletter: until consent is withdrawn (you can unsubscribe any time). Transactional: same retention as section 4.1.
4.4. Customer service / contact
Answering customer questions, complaints, expert advice requests.
GDPR Article 6(1)(f) — legitimate interest; for complaints, the Hungarian Consumer Protection Act.
Name, email, phone, message content.
1 year after the matter is closed; 3 years for complaints under the Hungarian Consumer Protection Act.
4.5. Webshop visits (cookies)
Operating and securing the webshop, measuring traffic, improving user experience.
Necessary cookies: GDPR Article 6(1)(f) — legitimate interest. Statistics and marketing: GDPR Article 6(1)(a) — consent.
IP address, browser type, OS, time of visit, pages visited, referrer.
Until cookie expiry (see section 7) or consent withdrawal.
5. Processors
The Controller uses the following processors (GDPR Article 28).
- Hosting
- Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA. Website and data storage.
- Shipping
- Packli — packli.hu. Order recording, label generation. Data: customer name, shipping address, phone, email, package parameters, COD.
- MPL
- Magyar Posta Zrt., Dunavirág utca 2-6, 1138 Budapest. Home delivery and pickup points.
- FoxPost
- FoxPost Zrt., Batsányi János u. 9, 3200 Gyöngyös. Parcel-locker delivery.
- Payment
- Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin, Ireland. Card payment. Card data is handled directly by Stripe.
- Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA. Transactional emails.
- Invoicing
- Billingo Technologies Zrt., Váci út 76, III. em., 1133 Budapest. Electronic invoices, NAV reporting.
- Web analytics
- Brily (Tóth István sole proprietor). Pseudonymous web statistics, only with consent.
6. Transfers to third countries
Vercel Inc. and Resend, Inc. are based in the USA. Under European Commission Implementing Decision 2023/1795 (10 July 2023), entities certified under the EU-U.S. Data Privacy Framework provide adequate protection (GDPR Article 45). Both Vercel and Resend are certified. Stripe Payments Europe, Ltd. is in the EEA (Ireland). Other processors are in Hungary.
7. Cookies
7.1. Necessary cookies and local storage
Essential to the site's basic operation, processed without consent. Cart contents are stored in browser localStorage; this is not personal data, only product IDs and quantities.
7.2. Statistics cookies
Brily conversion-tracking system — only activated with consent. Stores: brily_did (anon_id, 365 days), brily_sid (session_id, 30 minutes inactivity), brily_sts (timestamp). Brily's server retains events for 180 days.
7.3. Marketing cookies
Personalised advertising, only with consent. You can change cookie settings any time via the "Cookie settings" link in the footer.
8. Data-subject rights (GDPR Articles 15-22)
- Right to information and access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure / "right to be forgotten" (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Right to withdraw consent — at any time, without affecting the lawfulness of processing before withdrawal
You can exercise your rights at hello@pizzabarlang.hu or by post (Moha utca 12, 6000 Kecskemét, Hungary). The Controller will provide a substantive response no later than 1 month (extendable by 2 months with prior notice).
9. Data security
- encrypted transmission (HTTPS / TLS);
- regular security updates and software maintenance;
- access-rights control;
- regular backups;
- data-breach notification under GDPR Articles 33-34.
10. Remedies
10.1. Supervisory authority
Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Falk Miksa utca 9-11, 1055 Budapest, Hungary · PO Box 9, 1363 Budapest
Tel: +36 1 391 1400 · ugyfelszolgalat@naih.hu · naih.hu
10.2. Judicial remedy
If your rights are infringed you may bring proceedings before a court. The case falls within the jurisdiction of the regional court (törvényszék); at your choice, you may also file at the regional court of your residence or place of stay.
11. Changes to this notice
The Controller reserves the right to amend this notice unilaterally (in particular if applicable laws change). The current version is always available from the webshop's footer; for material changes, data subjects will be notified by email or by notice posted on the website.
Last updated: 23 April 2026.