Privacy Policy
🇬🇧 English version | 🇭🇺 Magyar verzió
Effective from: 22 April 2026
The Controller provides the data subjects with the following prior information regarding personal data processed during the use of the „https://premiumretrofit.net” website, in accordance with Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter: GDPR).
I. Identity and contact details of the Controller
- Name
- Lencse Gábor ev. (hereinafter: the Controller)
- Registered office
- 2142 Nagytarcsa, Tompa M. u. 2. A. ép. 1., Hungary
- Postal address
- 2142 Nagytarcsa, Tompa M. u. 2. A. ép. 1., Hungary
- Representative
- Lencse Gábor
- Telephone
- +36 70 633 0795
- info@premiumretrofit.net
II. Data Protection Officer
The Controller is not required to appoint a data protection officer.
III. Purpose and legal basis of processing
| Processing activity | Purpose | Legal basis |
|---|---|---|
| Visiting the website | Appropriate access and operation of the website, and compliance with legal obligations. | Depending on the settings, the legitimate interest of the Controller — Article 6(1)(f) GDPR; or the consent of the data subject — Article 6(1)(a) GDPR. |
| Conclusion of the sales contract and payment | Compliance with legal requirements applicable to the contract, communication, enforcement of rights. | Performance of a contract — Article 6(1)(b) GDPR. |
| Shipping | Successful delivery of the ordered goods, notification, communication. | Performance of a contract — Article 6(1)(b) GDPR. |
| Invoicing | Issuing invoices and complying with accounting law. | Compliance with a legal obligation — Article 6(1)(c) GDPR. |
IV. Data subjects and scope of processed personal data
| Processing activity | Data subjects | Processed personal data |
|---|---|---|
| Visiting the website | Natural persons visiting the website. | Information stored in the log files sent by the internet browser. |
| Conclusion of the sales contract and payment | Natural persons initiating the conclusion of the contract. | E-mail address, name, billing and shipping name and address, payment data, other information provided with the order; where the user chooses to save their data, telephone number. |
| Shipping | Natural persons concluding the contract. | Name, address, e-mail address, telephone number, and any other contact or shipping-related information provided by the data subject. |
| Invoicing | Natural persons concluding the contract. | Name, address, e-mail address. |
V. Persons authorised to access the personal data and the recipients of personal data
Persons authorised to access the data: personal data may be accessed only by the Controller and its employees.
Transfers: personal data are, to the extent necessary, transferred to the following controllers.
For delivery fulfilment
FedEx Express Hungary Transportation Kft.
- Registered office
- 1185 Budapest, BUD International Airport II. Logistics Centre — Office Building, 283., Hungary
UPS SCS (Hungary) Szállítmányozási Kft.
- Registered office
- 2220 Vecsés, Lőrinci út 154., Airport City Logistic Park, G. ép., Hungary
Processors
The following service providers participate in the processing of personal data.
Website operation (hosting provider)
- Name
- REFA-Controlling Energia Kft.
- Registered office
- 1036 Budapest, Kiskorona utca 6. 5. em. 25., Hungary
For website access
- Name
- CookieYes Limited
- Registered office
- 3 Warren Yard Warren Park, Wolverton Mill, Milton Keynes, MK12 5NW, United Kingdom
For contract conclusion and payment (depending on the payment method chosen)
- Stripe Payments Europe, Limited
- 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland
- PayPal (Europe) S.à.r.l. et Cie, S.C.A.
- 22-24 Boulevard Royal L-2449, Luxembourg
For delivery logistics
- FÜRGEFUTÁR.HU Kft. (furgefutar.hu)
- 1027 Budapest, Horvát utca 14-26., Hungary
For invoicing
- KBOSS.hu Kft. (szamlazz.hu)
- 1031 Budapest, Záhony utca 7., Hungary
Transfers to third countries
For certain processors and recipients, personal data may be transferred to a third country outside the European Economic Area (EEA). Pursuant to Article 13(1)(f) GDPR, the Controller provides the following information:
- CookieYes Limited (United Kingdom): the UK is a third country, but the European Commission has adopted an adequacy decision in respect of the UK data-protection regime [C(2021) 4800 final, 28 June 2021, extended in 2025 until 27 December 2028]. Legal basis for the transfer: Article 45 GDPR.
- Stripe Payments Europe, Limited (Ireland): a payment service provider established in the European Union; however, its US parent (Stripe, Inc.) may also access certain data. Legal basis for transfers to the United States: the adequacy decision under the EU–US Data Privacy Framework [C(2023) 4745 final, 10 July 2023; Article 45 GDPR], and, where necessary, the Standard Contractual Clauses adopted by the European Commission [Article 46(2)(c) GDPR].
- PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg): a PayPal entity established in the European Union, which may transfer data within the PayPal Holdings, Inc. (US) group. Legal basis as for Stripe (EU–US Data Privacy Framework and/or SCCs).
- FedEx (international shipping): where the parcel is shipped to a country outside the EEA (e.g. the United States, Switzerland, the United Kingdom, Australia), the data necessary to carry out the delivery (recipient name, shipping address, telephone, e-mail) is transferred to the destination country and to the relevant FedEx group entities — including FedEx Corporate Services, Inc. (USA). Legal basis: a transfer necessary for the performance of the contract between the data subject and the Controller [Article 49(1)(b) GDPR]; with respect to the United States, the adequacy decision under the EU–US Data Privacy Framework [Article 45 GDPR], provided that the FedEx entity concerned is on the DPF list.
Further information on these transfers and on the safeguards in place (SCCs, adequacy decisions) can be requested via the Controller’s contact details.
VI. Location, method and duration of processing
Location of processing: the Controller stores the data in the electronic systems of the processors involved in the respective contractual processes, with appropriate IT security measures. Data-security features of the individual systems can be reviewed through the processors’ contact details.
Duration of processing:
- for website visits, data are retained for the period specified in the cookie notice;
- for the conclusion of the sales contract and payment, data are deleted 5 years after the termination of the contract, pursuant to Section 6:22 of Act V of 2013 (Civil Code);
- for shipping, data are deleted 5 years after the termination of the contract, pursuant to Section 6:22 of Act V of 2013 (Civil Code);
- for invoicing, data are deleted 8 years after the year in which the invoice was issued, pursuant to Section 169(2) of Act C of 2000.
VII. Automated decision-making and profiling
The Controller does not carry out automated decision-making in connection with the purposes set out in this notice, and does not process personal data for profiling purposes.
VIII. Data security
The Controller ensures the security of the data, taking all technical and organisational measures and establishing the procedural rules necessary to enforce the GDPR’s rules on confidentiality and data security. It protects the data against unauthorised access, alteration, transmission, public disclosure, deletion or destruction, and against accidental destruction or damage.
IX. Rights of the data subject
The data subject has the right, at any time and without restriction, to request information about, access to, rectification, erasure or restriction of processing of their personal data, and to request data portability, as well as to withdraw their consent. The data subject may exercise the above rights through the Controller’s contact details.
Without undue delay — and in any event within one month of receiving the request — the Controller informs the data subject of the action taken. Where necessary, this period may be extended by a further two months.
The Controller provides the requested information and communication free of charge, except where the data subject’s request is manifestly unfounded or excessive. In such cases, the Controller may charge a reasonable fee or refuse to act on the request.
Right to be informed and right of access
For every processing activity, the data subject is entitled to request — through the Controller’s contact details — information regarding the following:
- whether their personal data is being processed;
- what personal data is processed, on what legal basis, for what purpose, and for how long;
- who received access to which of their personal data, when, and on what legal basis, or to whom their data have been transferred;
- whether the Controller uses automated decision-making, including profiling.
To satisfy data-security requirements and protect the data subject’s rights, the Controller must verify that the person exercising the right of access is the data subject; accordingly, providing information, granting access to the data, or issuing copies of the data are all conditional on identification of the data subject.
Right to rectification, erasure and restriction of processing
The data subject may request the rectification and restriction of their data in connection with any processing activity, and deletion of their data in connection with any processing activity except for invoicing, through the Controller’s contact details. If the Controller processes the data based on a legal obligation, it remains entitled to continue processing for that purpose and legal basis despite the data subject’s request.
Right to data portability
The data subject has the right to receive the personal data concerning them that they have provided — in connection with contract conclusion, payment, shipping, and data processed on the basis of consent — in a structured, commonly used, machine-readable format, and to have these data transmitted to another controller at their request.
Right to withdraw consent
Where data is processed on the basis of consent, the data subject may withdraw consent at any time without restriction; such withdrawal does not affect the lawfulness of processing carried out on the basis of consent before the withdrawal.
X. Legal remedies
If a data subject becomes aware of any breach relating to the processing of their personal data, they may contact the Controller, the competent court, or the data-protection authority at the following contact points.
Lencse Gábor ev. (Controller)
- Postal address
- 2142 Nagytarcsa, Tompa M. u. 2. A. ép. 1., Hungary
- Telephone
- +36 70 633 0795
- info@premiumretrofit.net
Regional Court of Budapest Environs
- Postal address
- 1590 Budapest, Pf. 225., Hungary
- birosag_bkt@birosag.hu
Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
- Postal address
- 1363 Budapest, Pf. 9., Hungary
- ugyfelszolgalat@naih.hu
- Website
- http://naih.hu
Advertising cookies
The Controller does not place advertising cookies (remarketing, behavioural) on the website. Google Ads and Reddit advertisements that link to the website operate according to those providers’ own privacy notices.
📄 Download Privacy Policy (PDF)
For questions about this document, please contact us at info@premiumretrofit.net.