Privacy Policy
The Privacy Policy may be downloaded from the following link: Woodestic_Privacy_Policy (.pdf)
COGITATE GAMES KFT.
- Introduction:
COGITATE GAMES Társasjáték FejlesztÅ‘ és ÉpÃtészeti Korlátolt FelelÅ‘sségű Társaság (registered seat: 5008 Szolnok, Ménes utca [Street] 6., company registration number: 16-09-013219, tax number: 23367546-2-16) as controller (hereinafter referred to as Controller) shall process the personal data of the buyer ordering the products provided by it during its business activity and operation, as set forth herein.
The Controller intends to entirely comply with the regulations of the relevant legal acts regarding the processing of personal data, especially the provisions of Act CXII of 2011 on the right of informational self-determination and freedom of information (Information Act) and Regulation (EU) 2016/679 of the European Parliament and Council (Regulation or GDPR), therefore, it intends to ensure the enforcement of the right to transparent information laid down in Article 12 of the GDPR.
This Privacy Policy was drawn up based on the Regulation and by taking into account the Information Act.
Name and contact information of the Controller, that is, the service provider:
Name: | COGITATE GAMES Társasjáték FejlesztÅ‘ és ÉpÃtészeti Korlátolt FelelÅ‘sségű Társaság |
Registered seat: | 5008 Szolnok, Ménes utca (Street) 6. |
Tax number: | 23367546-2-16 |
Company registration number: | 16-09-013219 |
Name and address of the website: | https://woodestic.com/ |
Postal address: | 8200 Veszprém, Szűcs utca (Street) 10. |
E-mail: | hello@woodestic.com |
Telephone number: | +36 30 443 0231 |
- Definitions:
- GDPRÂ (see above);
- processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- processor: the service provider used by the Controller, which is such a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller;
- personal data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- controller: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determined the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller of the specific criteria for its nomination may be provided for by Union or Member State law;
- data transfer: making the data accessible to third parties referred to in this Privacy Policy;
- consent of the data subject: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- data subject: a natural person relating to whom personal data is processed;
- personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
- recipient: a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- third party: a natural or legal person, public authority, agency, or body other than the data subject, Controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- erasure of data: the making of the data unrecognisable in such a manner that its restoring is no longer possible;
- blocking of data: marking data with an identifier for the purposes to indefinitely or definitely restrict its further processing;
- data destruction: complete physical destruction of the data carrier recording the data.
- General guidelines of data processing
The Controller declares that it processes the personal data as set forth in the Privacy Policy, and it shall comply with the provisions of the GDPR, the Information Act, and any further relevant legal acts, with particular attention to the provisions of this Section:
Personal data shall be processed lawfully, fairly, and transparently in relation to the data subject.
Personal data shall be processed for specified, explicit, legitimate, and previously disclosed purposes.
The purposes of the processing of personal data shall be adequate and relevant, and processing may be limited to what is necessary.
Personal data shall be accurate and up to date. Inaccurate personal data shall be erased without delay.
Personal data shall be stored in a manner that the identification of data subjects may be limited only to the shortest period determined by the purposes of processing.
Further processing of personal data deviating from the provisions hereof shall constitute legitimate if processing is required by the compliance with legal obligations, for the purposes of public interest, scientific research purposes, or statistical purposes, and/or it is necessary for pursuing and enforcing legal claims.
Personal data shall be processed in such a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organisational measures.
The principles of data protection shall be applied in relation to any information regarding an identified or identifiable natural person.
- Relevant information on data processing
Personal data may only be processed for the purposes of exercising rights or fulfilling obligations under the GDPR and the Information Act, by observing the principle of purpose limitation, for a previously defined purpose, to the extent and for a period required for the reaching of such purpose. Processing, in each of its stages, shall comply with its purpose, and should such a purpose cease to exist or should the processing be otherwise unlawful, the Controller shall erase the data.
Prior to the starting of data processing, by this Privacy Policy, the Controller informs the data subject of the purpose, legal basis of the processing, the scope of the processed data, as well as any further information regarding processing.
We shall indicate the purpose, legal basis, data subjects, and the period of processing by the Controller separately, at the activities. The rights of the data subjects are detailed below, in Section 11 of this Privacy Policy, as they are the same regarding all of the processing activities.
In case of processing based on the consent of the data subject, the data subject may withdraw their previously granted consent at any time, even in an e-mail sent to the e-mail address indicated in the contact information. Upon the withdrawal of the consent of data processing, the data processed based on the consent shall be erased.
The persons entitled to access the data are the Controller and its processors and their employees and agents.
The person ordering the service as data subject may request information of the processing of their data, they may request access to the personal data relating to them, the rectification thereof, in case of processing based on consent, the erasure or the restriction of processing thereof from the Controller, and they may also object to the processing of such personal data, moreover, they may request information of their right to data portability.
The data subject may withdraw their consent to the processing at any time, nonetheless, this does not affect the lawfulness of the data processing performed based on consent before such withdrawal.
In case of processing based on consent, the data subject, upon their request, is entitled to have the inaccurate personal data relating to them erased by the Controller without undue delay, and should the legal basis of the data processing cease to exist, the Controller is obligated to erase the personal data relating to the data subject without undue delay,
The modification or erasure of personal data may be requested in writing, and any declaration regarding the merits of processing may only be validly made in writing. The written declaration may be made traditionally, in paper, and by an e-mail indicated in Section 1 hereof.
During purchase through the website operated by the Controller, payment may be performed at personal delivery, by bank transfer, or by the payment method of cash on delivery.
It is highly important to note that in case of data processing based on consent, the withdrawal of such consent by the data subject does not terminate the contract concluded by and between the data subject and the Controller, consequently, neither does the fact of withdrawal affect the data subject’s payment obligation toward the Controller. The fact of non-payment itself justifies the processing of the data subject’s data, as it is performed with regard to their payment default towards the Controller. The prerequisite of the starting of processing is the starting of the order.
- Ordering of the products
The data subject customers may order the Controller’s products online. The performance of the service and the products starts with the signing of the contract to be concluded by and between the Controller and the data subject. The establishment of the contract is not subject to registration on the website operated by the Controller.
The Controller processes the data subject’s following data as set forth below:
Purpose
|
Providing services and selling products offered by the Controller, exercising the rights, and fulfilling the obligations based on and deriving from the contract, enforcing the legitimate interest of the Controller, preventing, examining, and revealing misuse |
Scope of the processed data | Name, address, e-mail address |
Legal basis
|
Under Article 6, paragraph (1), point a) and b), the consent of the data subject and the fact that it is necessary for the performance of the contract concluded with the data subject |
Scope of the data subjects
|
The data subjects of the contractual relationship |
Period of processing
|
5 years following the performance of the order |
Controller
|
The Controller |
Data transfer | To the processor that is in a contractual relationship with the Controller and the persons entitled to independent processing based on law |
Persons entitled to have access to the data | The Controller and its employees and agents, who are in an employment or agency relationship with it, respectively, the processor and their employees |
Method of storing the data
|
Electronic form |
Profiling
|
None |
Automated decision-making
|
None |
Following the performance of the order, any data and content provided by the data subject in relation to the performance of the order shall be stored on the server (Contabo GmbH; registered seat: Germany, 81549 München, Aschauer Strasse 32a.) used by the Controller, the period of which the data subject is informed here:
https://contabo.com/en/legal/terms-and-conditions/
- People-to-people contact
The Controller processes the customer’s data indicated below for the purposes of keeping people-to-people contacts and performing the order.
Purpose | Identification, keeping contact |
Scope of the processed data | Name, address, e-mail address |
Legal basis | The performance of contractual obligations under Article 6, paragraph (1), point b) of the GDPR and the performance of the obligation of providing information to the data subject |
Scope of the data subjects
|
The data subjects of the contractual relationship |
Controller | The Controller |
Persons entitled to have access to the data
|
The Controller and its employees and agents, who are in an employment or agency relationship with it, respectively, the processor and their employees |
Period of processing | Until the end of the provision of the service |
Method of storing the data | Electronic form |
Profiling
|
None |
Automated decision-making
|
None |
- Invoicing and accounting
With respect to the service provided by the Controller, it is subject to the obligation of providing invoices to the person using such services, regarding which obligation the Controller shall use the cooperation of KBOSS.hu Kft. (registered seat: 1031 Budapest, Záhony u. [Str.] 7., company registration number: 01-09-303201) operating the invoicing software, Vesztenadó Betéti Társaság (registered seat: 8200 Veszprém, Egry J. u. [Str] 41. ground floor 3.) performing the accounting, and OTP Bank Nyrt. (registered seat: 1051 Budapest, Nádor u. [Str.] 6.) managing the banking transactions, which organisations constitute processing entities in their own right.
Method of storing invoicing data: in paper and electronic form.
In relation to invoicing, the Controller processes the following personal data of the data subject:
- name;
- address;
- amount of the claims;
- consideration of the services.
Purpose
|
Complying with the statutory conditions for pursuing the claims deriving from the contract |
Legal basis
|
Performing the legal obligations which the Controller is subject to under Article 6, paragraph (1), point c) of the GDPR, and pursuing the legitimate interest under Article 6, paragraph (1), point f) of the GDPR |
Scope of the data subjects
|
The data subjects of the contractual relationship |
Period of processing
|
Until the end of the 8. year following the issuance of invoices |
Controller
|
The Controller |
Processors
|
KBOSS.hu Kft. and OTP Bank Nyrt.; Vesztenadó Bt. performing the accounting |
Data transfer
|
KBOSS.hu Kft. and OTP Bank Nyrt.; Vesztenadó Bt. performing the accounting |
Persons entitled to have access to the data
|
The Controller and its employees and agents, who are in an employment or agency relationship with it, respectively |
Method of storing the data
|
Electronic form |
Profiling
|
None |
Automated decision-making
|
None |
- Social media
Social media is a type of media where the message is transmitted through social media users. Social media uses internet and online interfaces in order for the users to become content editors from content recipients.
Social media is the interface of online applications where content created by users is displayed, such social media platforms are Facebook, Google+, Twitter, etc.
Social media may take the form of public speeches, presentations, performances, provision of information on products or services.
The scope of personal data displayed on social media are the following:
- forums,
- blog posts,
- images, video, and audio files,
- message boards,
- e-mails,
- public profile picture of the user.
Purpose
|
Promoting the Controller and the website operated by the Controller |
Legal basis
|
The freely given consent of the data subject, that is, the customer |
Scope of data subjects
|
The data subjects following the social media platform |
Period of processing
|
As set forth in the regulation pertaining to the specific social media platform, available there |
Information on erasure
|
Following the request of erasure or the withdrawal of the consent, the Controller, where possible, is obligated to remove the data in question |
Controller
|
The Controller |
Persons entitled to have access to the data
|
As set forth in the regulation pertaining to the specific social media platform, available there |
Method of storing the data
|
Electronic form |
Data transfer
|
The undertaking operating the social media platform concerned |
Profiling
|
None |
Automated decision-making
|
None |
It is of utmost importance to take into consideration that when the user uploads or sends any personal data, they give a valid and applicable consent globally to the operator of the social media to store and use these contents. Consequently, it is important to make sure that the user has unrestricted rights to disclose the information published.
- Cookies
Cookies are placed on the user’s computer by the visited websites indicated above, and it includes information such as the settings of the site or the state of signing-in.
Accordingly, cookies are small files created by the visited websites. By saving the browsing data they improve user experiences. By using cookies, the website stores the settings of the website and offers locally relevant content.
The website of the service provider sends a small file (cookie) to the computer of the visitors of the website to make the fact and time of visit assessable. The service provider informs the visitor of the website thereof.
Purpose
|
Providing additional services, identification, monitoring visitors |
Legal basis
|
The user’s consent is not required if the use of the cookies is necessarily required by the service provider |
Scope of the data subjects
|
The visitors of the website |
Controller
|
None |
Persons entitled to have access to the data
|
By using cookies, the Controller does not process personal data |
Method of storing the data
|
Electronic form |
Data transfer
|
None |
Profiling
|
None |
Automated decision-making
|
None |
Google Analytics
Our website          x uses           □ does not use the application of Google Analytics.
Upon the application of Google Analytics:
Based on first-party cookies, Google Analytics makes a report of user behaviours to its customers.
On behalf of the operator of the website, Google uses the information to evaluate and assess how the users use the website. As an additional service, it makes reports regarding the activity detected on the website to the operator of the website in order for it to provide further services.
The data are stored in coded form by the servers of Google to obstruct and prevent misuse of data.
You may opt-out of Google Analytics as follows, see a quote from the page:
Website visitors who don’t want their data used by Analytics can install the Analytics opt-out browser add-on. This add-on instructs the Analytics JavaScript (ga.js, analytics.js, and dc.js) running on websites to prohibit their information from being used by Analytics. The browser add-on may be used in most of the newer browsers. Using the Analytics opt-out plug-in will not prevent site owners from using other tools to measure site analytics.
https://support.google.com/analytics/answer/6004245?hl=en
Privacy policy of Google:Â https://policies.google.com/privacy?hl=en
Information on the use and protection of data in detail is available at the link indicated above.
Data protection in detail:
https://static.googleusercontent.com/media/www.google.com/en
Company name | Â OTP Bank Nyrt. |
Registered seat: | 1051 Budapest, Nádor u. (Str.) 6. |
Telephone number: | (06 1) 366 6388 |
E-mail: | informacio@otpbank.hu |
With respect to the bank account of the Controller, the payment transactions performed by the data subject shall be carried out by the payment systems provided by the payment service provider indicated in this Section. Only the colleagues of the Controller, and, as per their own privacy policy, the colleagues of the payment service provider shall have access to the data, who are all liable for the secure processing of the data.
 Purpose
|
Ensuring the payment transactions by the Controller |
Legal basis
|
Performing legal obligations under Article 6, paragraph (1), point c) of GDPR |
Scope of the data subjects | The data subjects of the contractual relationship |
Scope of the data | The data subject’s name, bank maintaining its bank account, bank account number, and the amount paid by them |
Controller
|
The Controller |
Data transfer
|
OTP Bank Nyrt. |
Persons entitled to have access to the data
|
The payment service provider and its employees or agents, who are in an employment or agency relationship with it, respectively. |
Deadline of processing and erasure of data | Until the Controller carries out its business activity and operation. The payment service provider erases the data after 10 years. |
Method of storing the data
|
Electronic form |
Profiling
|
None |
Automated decision-making
|
None |
Company name: | KBOSS.hu Kft. |
Registered seat: | 1031 Budapest, Záhony u. (Str.) 7. |
Telephone number: | +36 30 3544 789 |
E-mail: | info@szamlazz.hu |
The data subject shall fulfil its payment obligation towards the Controller based on an accounting document issued by the service provider of invoicing. Only the colleagues of the Controller, and, as per their own privacy policy, the colleagues of the service provider shall have access to the data, who are all liable for the secure processing of the data.
 Purpose
|
Complying with the accounting regulations and performing the obligation to pay taxes |
Legal basis
|
Performing legal obligations under Article 6, paragraph (1), point c) of the GDPR |
Scope of the data subjects
|
The data subjects of the contractual relationship |
Scope of the data
|
The data subject’s name, address, and the amount paid by them |
Controller
|
The Controller |
Data transfer | KBOSS.hu Kft. |
Persons entitled to have access to the data
|
The Controller, the service provider, and their employees or agents, who are in an employment or agency relationship with them respectively |
Deadline of processing and erasure of data | The service provider shall erase the data after 8 years |
Method of storing the data
|
Electronic form |
Profiling
|
None |
Automated decision-making
|
None |
Company name: | Vesztenadó Betéti Társaság |
Registered seat: | 8200 Veszprém, Egry J. u. (Str.) 41. ground floor 3. |
The Controller may comply with its tax return and tax payment obligation based on the accounting documents performed by the data subject by sending the tax returns prepared by the accounting service provider to the tax authority, and based on the tax returns, it shall fulfil its tax payment obligations. Only the colleagues of the Controller, and, as per their own privacy policy, the colleagues of the service provider shall have access to the data, who are all liable for the secure processing of the data.
Purpose
|
Complying with the accounting regulations and performing the tax payment obligation |
Legal basis
|
Performing legal obligations |
Scope of the data subject
|
The data subject of the contractual relationship |
Scope of the data
|
The data subject’s name, address, the amount paid by them, their bank maintaining the bank account, bank account number |
Controller
|
The Controller |
Data transfer | Vesztenadó Bt. |
Persons entitled to have access to the data
|
The Controller, the service provider, and their employees or agents, who are in an employment or agency relationship with them respectively |
Deadline of processing and erasure of data | The accounting service provider shall erase the data after 8 years |
Method of storing the data
|
Electronic form |
Profiling
|
None |
Automated decision-making
|
None |
- Rights relating to data processing
Right to request information
The data subject may request information from the Controller via the provided contact information of their data processed by the Controller or any processor mandated by it, the fact that which data of the data subject is processed, on what legal basis, for what processing purposes, from which source and for how long, furthermore, the name, address of the processor, and its activity relating to data processing, the circumstances and effects of data breach and the measures taken to avert it, moreover, in case of transfer of the data subject’s personal data, the legal basis and the recipient of the data transfer. Upon the request of the data subject, the Controller shall provide information to the data subject without delay but not later than 30 days, to the e-mail address provided by them.
The information is free of charge one time a year, and in case of any further requests of providing information, a fee may be imposed on the data subject. However, the already paid charges may be reimbursed if the unlawful nature of processing has been determined or if the data are to be rectified due to a reason that is attributable to the Controller.
Right to rectification
The data subject may request the Controller via the provided contact information to modify any of their data. Upon the request of the data subject, the Controller shall take the necessary measures without delay but not later than 30 days, and it shall provide information thereof to the e-mail address provided by the data subject.
Right to erasure
The data subject may request the Controller via the provided contact information to erase their data. Upon the request of the data subject, the Controller shall take the necessary measures without delay but not later than 30 days, and it shall provide information thereof to the e-mail address provided by the data subject.
Personal data may be erased if
- a) the personal data are no longer necessary in relation to the purposes for which they were processed;
- b) the data subject withdraws their consent on which the processing is based, and there is no other legal ground for processing;
- c) the data subject objects to the processing and there are no overriding legitimate grounds for processing;
- d) the personal data have been unlawfully processed;
- e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- f) the personal data have been collected in relation to the offer of information society services to children under age 16;
- g) the Controller has made the personal data public and the personal data are no longer necessary for the purpose which it was processed, it is obligated to erase such data, and the Controller, by taking into account the available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform the controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Right to blocking
The data subject may request the Controller via the provided contact information to block their data. The blocking of the data shall last until the reason indicated by the data subject requires the storing of the data. Upon the request of the data subject, the Controller shall take the necessary measures without delay but not later than 30 days, and it shall provide information thereof to the e-mail address provided by the data subject.
Right to objection
The data subject may object to processing via the provided contact information. The Controller shall examine the objection within the shortest period but not later than 15 days after the submission of the request, it shall resolve regarding its merits, and it shall inform the data subject thereof in writing.
An objection may be submitted against the processing of the personal data if processing or transferring the personal data is only required for the performance of legal obligations regarding the Controller or it is necessary for pursuing the legitimate interests of the Controller, the data importer, or a third party unless the processing is mandatory; if the personal data is used or transferred for the purposes of direct marketing, opinion polls or scientific research, and in any other cases laid down by law.
Should it be assessed that the data subject’s objection has merits, the Controller shall terminate processing, block the data, and inform of the objection and the measures taken due to it any such person to whom the personal data subject to the objection were transferred before, who, in turn, are also obligated to take the necessary measures to pursue the right of objection.
Pursuing rights relating to data processing, complaints
Should the data subject notice any unlawful processing, they are advised to notify the Controller thereof, thereby the opportunity arises to restore the lawful state. The Controller shall take the necessary steps in order to offer the data subject a solution with respect to the indicated issue.
If, according to the data subject’s opinion, the lawful state could not be restored, the data subject may notify the competent authority via any of its contact information indicated below:
Hungarian National Authority for Data Protection and Freedom of Information
Postal address: 1530 Budapest, Pf.: 5.
Address: 1125 Budapest, Szilágyi Erzsébet fasor (Avenue) 22/c
Telephone number: +36 (1) 391-1400
Facsimile: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
URL https://naih.hu
coordinates: N 47°30’56”; E 18°59’57”
- Legal acts applicable to data processing
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- Act CXII of 2011 on the right of informational self-determination and freedom of information
- Act LXVI of 1995 on public records, public archives, and the protection of private archives
- Government Decree 335/2005 (XII.29.) on the common provisions of the document management in public administrative bodies
- Act CVIII of 2001 on certain issues of electronic commerce and information society services
- Act C of 2003 on electronic communications
- Miscellaneous provisions
With respect to data transferred in the scope referred to in this Privacy Policy, the processors proceeding on behalf of the Controller shall bear independent liability for data processing personally performed by them.
This Privacy Policy is in force from 11 November 2021 until its revocation.
The Controller reserves the right to unilaterally amend this Privacy Policy at any time, with the proviso that it shall notify the data subjects thereof in advance. The notification of the data subjects shall occur by the publication placed on the website of www.woodestic.com, 8 calendar days before such amendment.