Privacy Notice

Effective: 2026-05-24

Your personal data is processed by:
Name: Kocsis Kristóf Sándor sole proprietor
Registered seat: 4400 Nyíregyháza, Rákóczi utca 18-20. building A/2, Hungary
Tax number: 59709488-1-35
– hereinafter: Data Controller.

Please read this privacy notice (hereinafter: Notice) carefully. It describes our practices regarding the processing of your personal data in accordance with the General Data Protection Regulation (GDPR, i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council). This Notice applies to persons (You) who use the Data Controller's services as a consumer. It explains how the Data Controller collects, uses and, in certain cases, shares your personal data with third parties, and also informs you about your rights as a data subject in relation to the processing of your data.

Merely visiting and browsing the website does not, in itself, constitute acceptance of this Notice; the Notice serves an informational purpose only. The data subject accepts the terms set out in this Notice upon entering into a rental contract with the Data Controller, by way of an express written declaration to that effect, and thereby also confirms that they were provided with information on the processing prior to the conclusion of the contract. Any consent required for marketing-related processing may be given by the data subject within the rental contract or independently of it, by way of a separate, express declaration, and may be withdrawn at any time using the methods set out in this Notice.

The Data Controller is committed to protecting the personal data and privacy of individuals visiting the website. This Notice primarily concerns the confidential handling and protection of customers' personal data transmitted via the internet, but also covers visitors of the website. It summarises what data the Data Controller may collect and use about You, and how it may be used. The data is not transferred to unauthorised persons and is used only in the manner described in this Notice.

In contracts, in individual cases, the purpose of processing may differ — in such cases processing happens under the conditions set in the given contract.

This Notice provides you with important information about the protection of your personal data and the rights related to it. We recommend reading it carefully so that you are fully informed of the conditions of processing prior to entering into a rental contract.

1. Responsibility of the Data Controller

1.1 Remarks regarding data processing

For any remarks, questions or complaints regarding our data processing practices, we are available via the Data Controller's contact channels.

1.2 Liability

The Data Controller accepts no liability for data loss arising from improper use of the website.

The data subject is entitled to access and browse the website without providing any personal data. The Data Controller does not collect personal data directly via the website; in the booking and contracting process, personal data is provided through the embedded third-party booking interface (Cal.com), directly via the Data Controller's phone or email contact channels, or in the course of concluding the rental contract. Data collection always takes place under transparent and confidential processing, based solely on the data subject's voluntary disclosure.

If the data subject refuses to provide the requested data, the conclusion of a contract with the Data Controller or rental-related contact may not be possible.

The Data Controller takes all necessary measures to ensure that the personal data it processes is accurate and up-to-date.

The following personal data is processed:

• Surname, first name, company name and contact person name (for companies)
• Registered seat (for companies), residential address, postal address
• Email address
• Telephone number
• Date of birth (for marketing purposes)

Anonymous data processed for statistical purposes:

When you visit the website, the Data Controller processes certain technical data — in particular truncated or anonymised IP address, operating-system type and version, screen resolution, browser used, pages viewed, and referring source — solely in aggregated, anonymised form, for statistical purposes. In line with Recital 26 of the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679 of the European Parliament and of the Council), such data does not permit the identification of a natural person, does not qualify as personal data, and is not combined with the personal data listed above.

The Data Controller uses this data solely to measure the performance of the website, produce visitor statistics, and improve the quality of the service; it is not transferred to any third party in an identifiable form.

Purposes and legal bases of processing:

The Data Controller processes the personal data provided for the following purposes and on the following legal bases:

• Conclusion and performance of the rental contract, invoicing (legal basis: performance of a contract, Article 6(1)(b) GDPR; and compliance with a legal obligation to which the Data Controller is subject, Article 6(1)(c) GDPR): in the case of a natural-person renter, the surname, first name, residential address and postal address; in the case of a corporate renter, the company name, registered seat and contact-person name are processed solely for the purposes of concluding and performing the rental contract and issuing and retaining the accounting documents required by law.
• Rental-related contact (legal basis: performance of a contract, Article 6(1)(b) GDPR; and, for the pre-contractual coordination stage, steps taken at the data subject's request): the Data Controller processes the email address and phone number for the purposes of pre-rental coordination, communication during the rental, and post-rental follow-up (in particular deposit refund, invoicing, and damage handling). Such contact may include transactional electronic messages related to the rental (e.g. booking confirmation, reminder, contract signing, payment notification).
• Marketing communications and personalised offers (legal basis: the data subject's explicit, freely given consent, Article 6(1)(a) GDPR): the Data Controller may use the email address — or the email address together with the date of birth — to send general newsletters, promotional offers, and offers personalised to the data subject (in particular birthday-related discounts).

The data subject may withdraw their consent to marketing contact at any time, without giving reasons and free of charge:

• by clicking the unsubscribe link included in any marketing email,
• at https://mailer.clubsoda.hu/unsubscribe, or
• by submitting a written request via any of the Data Controller's contact channels listed in the Imprint.

The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.

Duration of processing:

The Data Controller retains the personal data processed for the periods set out below:

• For marketing purposes (email address, date of birth): until the data subject withdraws their consent. Consent may be withdrawn at any time using the methods described above.
• For identification and contact data necessary for the conclusion and performance of the rental contract (email address, phone number, name, residential address, postal address, company name, contact-person name): 5 years following the termination of the rental contract, in line with the general limitation period for civil claims set out in Section 6:22 (1) of Act V of 2013 on the Civil Code, with regard to the period during which civil claims may be enforced.
• For accounting documents (invoicing data): 8 years pursuant to Section 169 (2) of Act C of 2000 on Accounting; this statutory obligation continues to apply even where the data subject has submitted a deletion request.

The data subject may submit a deletion, rectification or access request in writing via any of the Data Controller's contact channels listed in the Imprint; the Data Controller will comply with the request within the statutory deadline, except where further retention of the data is required by the legal obligations identified above.

Conditions of data transfer:

Beyond the data processors identified in section 2.1, the Data Controller may transfer the personal data it processes — solely to the extent necessary and in connection with tasks arising from the rental contract — to external service providers engaged by it, in particular:

• to a legal representative or legal adviser, in the event of a dispute or enforcement of a claim;
• to an accounting service provider, for the purpose of complying with accounting obligations;
• to a delivery service provider (postal or courier), for the purpose of forwarding documents;
• to a debt-collection service provider, for the purpose of enforcing overdue claims;
• to a service provider engaged for the dispatch of marketing communications, subject to the data subject's explicit consent.

In addition, where required by law, the Data Controller may also transfer the processed data to the competent authority or to the court entitled to adjudicate the dispute.

2. Data processors

2.1 Companies and persons performing data processing or otherwise involved in data handling

The Data Controller carries out the processing of the data itself.

In addition to the Data Controller, other companies are involved in storing and handling the data of contracted customers.

Companies involved in data processing in the course of the Data Controller's activity, and the data collected by them:

• Hosting provider, DNS server and proxy: Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 München: processes technical data necessary for serving the website, service availability, and prevention of abuse (e.g. request metadata, device parameters). The IP address is passed on to the Data Controller's own systems only in a truncated, anonymised form after processing. More info: https://www.cloudflare.com/privacypolicy/

• Error diagnostics: Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105: Extended user data in the event of a critical error. More info: https://sentry.io/privacy/

• Analytics: PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114: Anonymised visitor data. More info: https://posthog.com/privacy

• In special cases the contract may include further data processors (persons or companies).

2.2 Rights of the data subject and enforcement

The data subject may exercise any of their data-processing rights by submitting a written request — primarily by email or post — to any of the Data Controller's contact channels listed in the Imprint. The Data Controller will comply with the request within the statutory deadline and free of charge.

Under the General Data Protection Regulation (GDPR), the data subject is entitled in particular to the following rights:

• Right of access (Article 15 GDPR): information on what data the Data Controller processes about the data subject, for what purpose, and on what legal basis.
• Right to rectification (Article 16 GDPR): correction or completion of inaccurate or incomplete personal data.
• Right to erasure ("right to be forgotten") (Article 17 GDPR): erasure of personal data in the cases set out by law, except where further retention of the data is required by a statutory obligation (see "Duration of processing").
• Right to restriction of processing (Article 18 GDPR).
• Right to data portability (Article 20 GDPR).
• Right to object (Article 21 GDPR), in particular against processing for direct-marketing purposes.
• Right to withdraw consent (Article 7(3) GDPR): in respect of marketing processing, at any time, without giving reasons and free of charge, by the methods set out in this Notice — by clicking the unsubscribe link in any marketing email, at https://mailer.clubsoda.hu/unsubscribe, or via any of the Data Controller's contact channels.
• Right to lodge a complaint: the data subject may file a complaint with the Authority (see the definition in section 3) and may also turn to the competent court.

2.3 Protection of personal data of minors and persons with limited legal capacity

The Data Controller's website and the content of its publications are generally not intended for minors under 16. We do not collect or process personal data on children under 16 without verifiable parental or guardian consent. Parents or guardians may request the release or deletion of data relating to the child. If during the course of data processing the age becomes apparent to the Data Controller, the data may be used in order to obtain parental consent.

The consent of a legal representative is required for the declaration of a person without or with limited legal capacity, except for service components aimed at registration and not requiring particular consideration that occur in everyday life on a mass scale.

2.4 Cookies

The Data Controller does not place any cookies on the website directly. However, during the serving and operation of the website, certain third-party providers listed in section 2.1 — in particular Cloudflare Germany GmbH (hosting, security filtering), Vercel Inc. (serving and operations), and PostHog Inc. (anonymous visitor statistics) — may place cookies on the visitor's device in accordance with their own data-protection practices. These cookies serve the secure availability of the service and the anonymous performance measurement of the website.

By browsing the website, the data subject acknowledges and accepts the use of cookies placed by these third-party providers. The data subject may prevent or delete these cookies at any time via their browser settings; this may, however, limit the availability or quality of certain features of the website.

3. Definitions

• Data processor: a natural or legal person, public authority, agency or any other body that processes personal data on behalf of the controller
• Data processing: any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as: collection, recording, organisation, structuring, storage, transformation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, otherwise making available, alignment, combination, restriction, erasure or destruction
• Data transfer: making personal data processed by the Data Controller available to third parties
• Data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed
• Identifiable natural person: a natural person who can be identified, directly or indirectly, by one or more identifiers, such as: name, ID number, location data, online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity
• Recipient: a natural or legal person, public authority, agency or any other body to which personal data is disclosed, whether or not a third party
• Data subject's consent: the freely given, specific, informed and unambiguous indication of the data subject's wishes, by which they signify their agreement to the processing of their personal data, by way of a statement or by clear affirmative action
• Data subject: an identified or identifiable natural person on the basis of any information
• Third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or processor, are authorised to process personal data
• Authority: Hungarian National Authority for Data Protection and Freedom of Information (registered seat: 1055 Budapest, Falk Miksa utca 9–11., phone: +36-1 391-1400, email: ugyfelszolgalat@naih.hu, website: naih.hu)
• Personal data: any information relating to the data subject
• Website: the websites operated by the Data Controller, available at https://www.clubsoda.hu/ and at the other addresses specified there