Privacy policy
Botanic Origin Ltd.
Effective as of 8 October 2025
- Introduction
The controller of the personal data is Botanic Origin Limited Liability Company (seat: H-1096 Budapest, Sobieski János utca 36. alagsor 1. ajtó., tax number: 32862238-2-43; company registration no.: 01-09-446577, hereinafter the Controller or Company).
The purpose of the present policy is to stipulate the data protection and data processing principles used by the Controller, and the data protection and data processing policies that the Company recognises as binding upon itself.
Our company takes particular care to ensure that – irrespective of their nationality or their places of residence – the data subjects using its services, and who provide their data in connection with that, or who are contacted by the Company in other ways resulting in their personal data being processed by the Company should be able to exercise their rights and fundamental freedoms, in particular their rights to the protection of their personal data and their privacy without unjustified limitations.
The scope of the present policy covers the electronic data processing operations performed by the Company that are listed in the present policy.
We hereby remind data subjects that the Company does not verify whether the personal data provided by the parties concerned are correct. All the data subjects who share their personal data with the Company or allow the Company access to their data in another manner as specified in the present policy assume the liability at the time of communicating the data that they only provide access to their own personal data which they are entitled to dispose of. If a data subject fails to comply with that provision, they shall assume all associated liability.
The Controller is committed to the protection of the personal data of its clients and partners, and attaches particular importance to respecting the privacy rights of its clients. The Controller handles personal data confidentially and takes all security, technical and organisational measures that guarantee the security of the data.
Contact information:
- E-mail address: support@botanicbathhouse.com
- Phone no.: +36 70 344 3933
- Mailing address: H-1096 Budapest, Sobieski János utca 36. alagsor 1. ajtó.
- Definitions
Personal data: any information relating to an identified or identifiable natural person, or a natural person identifiable by one or more identifiers, factors or properties.
Processing: any operation performed on personal data irrespective of the method, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, communication, transmission, dissemination or otherwise making available, alignment, restriction, erasure, destruction.
Controller: Botanic Origin Ltd., which, alone or in case of joint processing jointly with other controllers, determines the purposes and means of processing of personal data.
Recipient: the natural or legal person, public authority or other body to which the personal data are disclosed.
Data operations: the performance of technical tasks on personal data connected with data processing, irrespective of the methods or equipment used, or the place of performance.
Processor: the natural or legal person which processes personal data on behalf of the controller.
Consent: the freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear and affirmative action, signifies agreement to the processing of personal data.
Filing system: a database containing personal data that can be accessed on the basis of specific criteria.
Restriction of processing: the marking of stored personal data in order to restrict future processing.
Supervisory authority: an independent authority established for the protection of the rights and freedoms of natural persons in relation to the processing of personal data and for facilitating the flow of personal data within the European Union. In Hungary, the National Authority for Data Protection and Freedom of Information.
Personal data breach: a breach of data security provisions leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure to or access by unauthorised persons of personal data transmitted, stored or otherwise processed.
Cookie: a so-called anonymised session identifier that the Controller places on, and then retrieves from, the device used by data subjects accessing the Website or purchasing products through the web store on the Website, while browsing. A cookie is a unique sequence of data whose use allows the settings selected on the website to be retained, and also the tracing of the visits of individual users to the website along with the operations they performed. Such a data sequence in itself is not in any way suitable for identifying the user; it contains no personal data, and its function is to improve browsing comfort.
Product: all of the goods featured in the Controller’s product catalogue and available in its web store.
The service associated with the Products is a service provided by the Controller in the web store on the Website, with registration free of charge and also without registration, in which the Controller undertakes to transfer the ownership of the Products selected by the customer, the delivery of the Products to the customer, while the customer undertakes to pay the purchase price and take delivery of the Products.
Web store: an e-commerce platform that allows the online sale and purchase of products and services. Customers can browse the range 24 hours a day, place products in a virtual cart and pay for their orders online, in advance using a bank card, PayPal or other methods.
- About the individual instances of processing
Accessing and viewing the Controller’s website (www.botanicbathhouse.com, hereinafter “Website”), contacting the processor business and use of the services it provides, and the purchasing of products in the web store are all activities involving the processing of personal data. Personal data are processed on the basis of, and in compliance with, the provisions of the present Privacy Policy, Regulation (EU) 2016/679 of the European Parliament and the Council (hereinafter the “GDPR”) and Hungary’s Act CXII of 2011 (hereinafter the Information Act).
All of the personal data processed by the Controller are collected in every instance directly from the data subjects. Accordingly, the Controller only stores in its database and uses for the purposes stipulated in the present Policy personal data that was provided to the Controller by the data subjects themselves. The Controller does not collect personal data from publicly available databases or from any other source, and personal data are not transferred to the Controller by third parties.
When determining the method of processing, and throughout the processing process, the Controller shall implement all the technical and organisational measures that are appropriate for ensuring compliance with the data protection principles and protection of the rights of data subjects. The measures to be implemented by the Controller as the responsible controller are determined based on a survey and evaluation of the current state of science and technology, the costs of implementation and potential risks to the rights of natural persons.
The Controller shall process all the personal data it obtains in a lawful and honest manner, and so as to render the processing transparent to the data subjects throughout the entire duration of processing.
During the activities of the Controller, personal data may only be collected for the lawful purposes clearly stipulated in the present Policy. The Controller takes particular care to ensure that it does not process any personal data in a manner that is not compliant with the purposes detailed in the Policy.
The Controller shall only process personal data that is suitable and relevant for the individual purposes of processing, and which is necessary to realise the purposes. The Controller shall endeavour to ensure that the personal data it stores and processes is always accurate and up to date, and for that purpose it shall take all required measures to have any inaccurate or erroneous data corrected or deleted as soon as possible.
In every instance when the Controller wishes to use the data provided by data subjects for a purpose other than its original purpose stipulated in the present Policy, it shall inform the data subject in advance, in writing – providing information about the new purpose along with supplementary information about the processing – and shall ensure that in such cases it shall also have appropriate legal basis for processing the data.
It is important for the Company, as the Controller, to ensure that it implements technical and organisational measures in its data processing processes that are suitable to ensure that personal data are only processed to the extent and the period required for achieving the specific purpose of processing, and to provide access to the data with the same constraints. It is exceptionally important for the Company to delete all data for which the purpose of processing has been achieved, the period of processing has expired, or the data subject has submitted a lawful request to that effect immediately, or if deletion is not possible for any reason, to anonymise such data.
- Processing of the data of Website visitors
During visits to the Website, the server that hosts the Website may record certain data generated in the course of the visit using automated technology. The system logs the automatically recorded data upon entry and exit without a specific declaration of action by the Website visitor. The system processes those data for the minimum period required for providing its services and ensuring operational security, which is usually less than 1 day; after that, the data are overwritten, i.e. deleted. Such stored data may include, for instance: IP address, browser data, visit parameters.
| Range of Data Subjects: | Persons visiting the Controller’s Website, Users |
|---|---|
| Purpose of processing: | During visits to the Website, the hosting provider of the Website records visitor data in order to control operation of the service and to prevent abuse. |
| | Identification of the Data Subject |
| Legal basis of processing: | Voluntary consent of the Data Subject - GDPR Article 6, section (1) a) |
| Range of data processed and purpose of processing: | |
| Range of data processed | Purpose of processing |
| Session ID | Identification of Data Subject |
| Period of storage of personal data: | Maximum of 3 days from visiting the Website |
| Consequences of failure to provide the data: | The Website is not displayed, basic functions do not work |
| How does the Controller get the data: | It is generated by the Data Subject accessing the website |
- Processing of cookies on the Website
The Website uses cookies and similar technologies when a visitor of the Website uses it from a computer, tablet, mobile phone etc. The fundamental purpose of cookies is rendering certain basic functions of the Website operational, the improvement and personalisation of user experience, and the serving of appropriate, personalised advertising and offers, along with the collection of statistical data with a view to further development of the Website.
A cookie is a package of information, generally a small text file, that contains a unique identifier and which is stored on the computers or mobile devices of the Website’s visitors. The cookie is placed on the visitor’s device by the visited Website itself for the purpose of identification, so the visitor’s device will be recognisable when it visits the same website again. Cookies collect information about visitors and their devices; they retain users’ personal settings that are (may be) used e.g. when using online transactions, so they do not need to be typed in again; they make it easier to use the Website; they provide a quality user experience. When the browser returns a previously saved cookie, the service provider processing the cookie has the opportunity to link the user’s current visit with previous ones, but only in respect of its own content.
In the case of cookies necessary and indispensable for the operation of the Website, the use of cookies is based on the Controller’s legitimate interest (GDPR Article 6, section (1) f)), while in the case of cookies that are not indispensable for the operation of the Website, it is based on the visitor’s consent (GDPR Article 6, section (1) a)).
The website uses the following cookies when visitors open the Website and browse it:
Session cookies indispensable for the operation of the Website:
These cookies are indispensable for the correct operation of the Website. Without acceptance of these cookies, the Controller is not able to guarantee the operation of the Website as expected, or that visitors will find the information they seek. The data stored by these cookies do not “collect” any personal data for marketing, analytical and other purposes; they are strictly only necessary for the fundamental operation of the Website. The purpose of these cookies is to allow visitors to browse the full content of the Website without obstacles, to use its functions and services.
The processing conducted by these cookies concerns persons visiting the Website.
The purpose of processing is the recording of visitor data and the identification of data subjects in the interest of controlling the operation of the Website and the prevention of abuse.
The legal basis for the processing is the Controller’s legitimate interest – GDPR Article 6, section (1) f): the visitor’s approval is not required if the sole purpose of the use of cookies is the transmission of messages via the electronic communications network, or if they are indispensable for the Controller, as service provider, in order to provide services associated with the information society that are specifically requested by the subscriber or user.
Data managed by these cookies: unique identification number, dates, times.
The data subjects have the opportunity to delete cookies in the Tools/Settings menu of their browser, in most cases in the settings of the Privacy submenu.
If the user rejects these cookies, the Website will not be displayed and basic functions will not work.
Cookies used:
| NAME | DESCRIPTION | STORAGE PERIOD |
|---|---|---|
| _identity_session | Merchant authentication: This is the main session cookie for authenticating identity. It is the fundamental Rails session cookie. It contains the SID. | 2 years |
| _master_udr | Permanent device identifier. | Until end of session |
| _merchant_essential | It contains essential information required for the correct operation of the merchant interfaces, such as the administration interface. | 1 year |
| _secure_admin_session_id | This is for storing the session ID required for authentication in the kernel. Legacy Admin | 12 weeks |
| _secure_admin_session_id_csrf | This is for storing the session ID required for authentication in the kernel. Legacy Admin | 12 weeks |
| _shopify_essential | It contains essential information for the correct operation of the store, such as session and payment information, and fraud protection data. | 1 year |
| _shopify_essential_ | It contains a non-transparent token, which is used for device identification for all basic purposes. | 1 year |
| _shopify_test | This is for testing the capabilities of cookies on the client side. | 1 minute |
| _tracking_consent | This is for storing user preferences, if the merchant has set data protection rules for the visitor’s territory. | 1 year |
| cart | This contains information about the user’s cart. | 2 weeks |
| cart_currency | Used after payment is completed, to initiate a new, empty cart, with the same currency as the previous one had. | 2 weeks |
| discount_code | It stores a discount code for the next payment (received as a URL parameter when visiting an online store). | Until end of session |
| keep_alive | This is used when international domain redirection is permitted, in order to check whether the request is the first one in the session. | Until end of session |
| localization | For localising the cart to the correct country. | 2 weeks |
| login_with_shop_finalize | This makes it easier to log in to the web store. | 5 minutes |
| shopify_pay | This is for the visitor’s log-in to Shop Pay, when they return to the same store for payment. | 1 year |
| storefront_digest | This stores a hash of the web store’s password, allowing merchants to view their web stores in password-protected mode. | 1 year |
Statistical cookies:
The purpose of processing: the Website uses statistical cookies to collect information about how users use it. They facilitate analysis and further development of the Website. One of those is Google Analytics, which is also featured on the Website.
Cookies used:
| NAME | DESCRIPTION | STORAGE PERIOD |
|---|---|---|
| _landing_page | This records the target pages used by visitors arriving via links on other websites. | 2 weeks |
| _merchant_analytics | This contains the analytical data of the merchant session. | 1 year |
| _orig_referrer | This allows the merchant to identify where visitors were referred from. | 2 weeks |
| _shopify_analytics | This contains analytical data about the customer interfaces such as the web store and the check-out. | 1 year |
| _shopify_s | This is to identify a specific combination of browser session/store. | 30 minutes |
| _shopify_y | Shopify analytics. | 1 year |
| shop_analytics | This contains customer information required for the analysis of the Shop. | 1 year |
Legal basis of the processing associated with statistical cookies: visitor’s consent (GDPR Article 6 section (1) a).
Marketing cookies:
Marketing cookies track users across websites, for instance for displaying adverts, to ensure that they receive content relevant to them.
Cookies used:
| NAME | DESCRIPTION | STORAGE PERIOD |
|---|---|---|
| _shopify_marketing | This is used as a mechanism for setting user language settings in the administrator. | 1 year |
Legal basis of the processing associated with this cookie: visitor’s consent (GDPR Article 6 section (1) a).
Cookie settings in browsers
Some Internet browsers accept cookies automatically, but visitors have the option to use or adjust the settings of their computer browser applications to permit, delete or automatically reject them. If users do not consent to the use of cookies, this may result in certain functions of the Website not being fully functional. The ‘Help’ pages of browsers provide information and assistance for managing cookies in the browser.
Cookies used:
| NAME | DESCRIPTION | STORAGE PERIOD |
|---|---|---|
| shopify_override_user_locale | Used as a mechanism to set User locale in admin. | 1 year |
Using cookie settings on the Website
After entry to the Website, the Controller presents a pop-up window to provide information about the details of the use of cookies on the Website, where visitors have to specify their consent to the Website’s use of cookies. Visitors can opt to consent or not to consent to the use of cookies.
- Contact, communication
When you contact us via one of our contact channels (e-mail address, phone number, Facebook, Messenger, Instagram, TikTok), for instance to request information about our services, to make a complaint or to enforce your rights as a data subject, we will process your personal data for the purpose of communicating with you and responding to your query.
| Range of data subjects: | Natural persons in contact with the Controller, who contact the Company and request information from the Company while providing their personal data |
|---|---|
| Purpose of processing: | Processing of the personal data of persons contacting the Controller, primarily for building business contacts or providing information |
| | Identification of the natural person who is the sender of the message |
| Legal basis for processing: | The data subject’s consent - GDPR Article 6 section (1) a) |
| Range of data processed and purpose of processing: | |
| Range of data processed | Purpose of processing |
| Name | Identification |
| Position | Contacting |
| Phone number | Contacting |
| E-mail address | Contacting |
| Date of message | Identification, replying, providing information |
| Subject and body of message | |
| Other personal data provided by the data subject | |
| Storage period of the personal data: | The period of time required for the purpose of the processing, but no more than 5 years from receipt of the data, or the period for the assertion of potential claims, but no later than the time consent is withdrawn. If processing prior to the conclusion of the contract is not actually followed by the conclusion of a contract or agreement between the Company and the Data Subject (or the company they represent), the Controller shall delete the messages after communication is concluded – provided they are not required for some other purpose of processing. |
| Consequences of failure to provide the data: | The response will not be comprehensive, or it will not be possible to respond at all. |
| How does the Controller obtain the data: | The data are provided by the Data Subject. |
- Processing associated with the web store operating on the Controller’s website
Processing of personal data is required for determining the content of the electronic sale and purchase contracts for the purchase of the products sold in the online web store available via the Website, for the conclusion of such contracts, for the performance of contractual obligations arising from them, and for the enforcement of the Company’s legitimate interests associated with such contracts.
We hereby inform data subjects that they can submit orders via the Website as registered users, and also without registration. Data subjects wishing to purchase products sold on the Website shall be required to provide the personal data stipulated in the sections below – depending on whether they order as registered users or without registration.
The web store uses the e-commerce platform Shopify, which system is used for the technical operation of the Company’s web store. The Privacy Policy of the operator of Shopify, Shopify Inc. (seat: 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland) is available at this address: https://www.shopify.com/legal/privacy
3.4.1. Processing associated with registration on the Website (creation of a user account)
The Controller maintains a registration interface on the Website. Data Subjects, as participants, can register by providing their personal data at the link provided by the Controller. Storage of the data provided during registration allows the Controller to provide a more comfortable service (e.g. Data Subjects do not have to re-enter their data when making a subsequent purchase).
| Range of data subjects: | The natural persons who register on the Website in order to purchase the Controller’s Products. |
|---|---|
| Purpose of processing: | Identification, completion of registration |
| Legal basis of processing: | Data Subject’s consent [GDPR Article 6 section (1) a)]. |
| Range of data processed: | Name, e-mail address, residential address, delivery address, billing address, phone number, user name, password |
| Storage period of personal data: | Data is stored from the time the Data Subject makes contact until registration is deleted. At that point, the Controller shall delete all personal data. Data Subjects are entitled to withdraw their consent at any time, but in that case their user account will also be deleted. Withdrawal of consent does not imply that previous processing has been unlawful. |
| Consequences of failure to provide the data: | It is not possible to register. |
| How does the Controller obtain the data: | The Controller receives the data of Data Subjects directly from the Data Subjects, its business partners. Without personal data, registration cannot be completed. |
- 2. Processing associated with the Product sales conducted by the Company, associated services, customer communications and the conclusion of associated contracts
The Controller sells Products to its Customers. Prior to submitting orders, Data Subjects provide the data required for the sale of the Product. The Controller processes that data in order to prepare and perform the contracts.
| Range of data subjects: | Parties ordering Controller’s Products (Customers) |
|---|---|
| Purpose of processing: | Preparing the conclusion of contracts with the Data subjects, and performance of the contracts |
| | In the case of phone numbers and e-mail addresses, communication with Customers for the purpose of sales and organising services. |
| | Customer identification |
| Legal basis of processing: | Prior to the conclusion of the contract about the Products, for taking the steps requested by the data subject; after the conclusion of the contract, for the performance of the contract - GDPR Article 6 section (1) b). |
| Range of data processed and purpose of processing: | |
| Range of data processed | Purpose of processing |
| Customer’s name | Identification of the Customer |
| Customer’s place of residence | Communication |
| Customer’s phone number | Communication |
| Customer’s e-mail address | Communication, contracting |
| Name, e-mail address, residence, delivery address, phone number | Performance of the contract |
| Type of Product required | Provision of services associated with sale of Product |
| Storage period of personal data: | 60 days from the date the data is provided, or if a contract is concluded, 5 years from the performance and termination of the contract. |
| Consequences of failure to provide the data: | It is not possible to conclude a contract between the Data Subject and the Company. Provision of the data is a fundamental condition for the conclusion and performance of a contract. |
| How does the Controller obtain the data: | It is provided by the Customer or a person acting on behalf of the Customer |
Processing of the personal data listed above is indispensable for the sale of the Products ordered, and also for their price being billed, and the Products being delivered. Therefore the processing of the personal data of the data subjects is based on the contractual relationship established.
Within the scope of the performance of the contract, the personal data of the data subjects shall also be processed in order to provide information to the data subjects about the use of the service provided, for instance to send notification about successful registration, the confirmation of the receipt, recording and processing of orders placed through the Website, and in order to provide information to the data subjects about the processing status of the orders. Those information notices do not constitute newsletters or any other type of marketing or advertising messages; specific consent is not required from the data subjects for sending them.
If a data subject does not provide the personal data above, or only provides incomplete data to the Company, then – due to the lack of fundamental information required for performing the contract – the Controller shall not be able to conclude the contract.
The data listed above shall also be processed, in case of the data subject’s potential failure to perform voluntarily, to initiate the legal procedures for enforcing the financial claim arising from the contract. In the case of that purpose, the legal basis of processing is the Company’s legitimate interest in being able to assert its claims against the data subject.
- Processing associated with online payment
Data Subjects can pay by bank transfer, or using an online payment facility.
| Range of data subjects: | Natural persons who initiate an online or bank transfer payment transaction in the course of purchasing the Products. |
|---|---|
| Purpose of processing: | Identification, processing payments |
| Legal basis of processing: | Data Subject’s consent [GDPR Article 6 section (1) a)]. |
| Range of data processed: | Name, e-mail address, user name |
| Storage period of personal data: | Data is only stored for the period of 3DS authentication. After that, the Controller deletes the personal data. The Data Subject is entitled to withdraw consent at any time, but withdrawal of consent does not imply that previous processing had been unlawful. |
| Consequences of failure to provide the data: | It is not possible to initiate a payment transaction. |
| How does the Controller obtain the data: | The Controller receives the data of Data Subjects directly from the Data Subjects. |
Data transfers
Purpose of data transfer: provision of the transaction data required for the payment transaction initiated with the online payment service provider to the online payment service provider.
Legal basis of data transfer: the performance of the contract concluded between the Data Subject and the Controller, as provided for in GDPR Article 6, section (1) b), as this includes payment by the customer, and in the case of online payment, the data transfer stipulated in the present section is required.
In order to allow customers to use online payment methods to pay for the products ordered in the web store, the Company uses the services of PayPal (Europe) S.a.r.l. et Cie, S.C.A. (seat and mailing address: 22-24 Boulevard Royal L-2449, Luxembourg, foreign registration no.: B118349); Google Pay, a service provided by Google Ireland Limited (seat and mailing address: Gordon House, Barrow Street, Dublin 4, Ireland, foreign registration no.: 368047); and Apple Pay, a service provided by the company Apple Distribution International Limited (seat and mailing address: Hollyhill Industrial Estate, Cork, Ireland, foreign registration no.: 470672) (“Payment Providers”), for which the processing of certain personal data is indispensable.
If the Data Subject pays for the order using a bank card, using the secure payment solution of one of the Payment Providers, the following personal data shall be transferred to the selected Payment Provider: the designation of the product(s), service(s) purchased, and the price payable for the order.
Transfer of the above data is indispensable for the Company to be able to guarantee that the price of the products ordered can be paid for online, with a bank card, using the secure payment solutions of the Payment Providers. The transfer of personal data is based on the contract concluded between the data subject and the Company by ordering the products.
The Company notes that when making a payment through the online secure payment solutions – bank card or payment provider account – of the Payment Providers, the Payment Providers may request additional personal data from the Data Subject, which they will be asked to provide after being automatically redirected from the web store to the secure payment site of the Payment Provider selected. The personal data that the Data Subject provides on the payment site will only be made available to the Payment Provider – the Company is not authorised to do so – so the Company does not process that data.
The Company and the Payment Providers act as independent controllers in respect of the data they process about the Data Subject in relation to the provision of the secure payment solutions of the Payment Providers. The Company and the Payment Providers are equally required to comply with the provisions of the GDPR in the course of their data processing operations, to ensure that the data of Data Subjects is processed securely, and to provide appropriate information to Data Subjects about the processing.
The Company hereby informs Data Subjects that they may exercise their data subject rights in respect of the processing of their personal data against the Company or against the Payment Providers at any time; they can submit such claims to the Company in accordance with the provisions of the present Policy, while they can submit claims to the Payment Providers as provided for in their own privacy policies.
If the Data Subject initiates a payment transaction through the secure payment site of a Payment Provider, then the Payment Provider as well as third party providers may use cookies in order to identify the Data Subject as a user, to improve browsing experience, and to be able to personalise the service or other online content and advertising, to be able to measure the efficiency of their promotions, to produce or procure analyses. Those cookies are required to ensure the security of the Data Subject’s account, and their use is indispensable to prevent potential fraud. Some functions of the secure payment sites of the Payment Providers are only available if cookies are accepted, therefore if the data subject rejects the use of cookies, they may only be able to use the secure payment sites of the Payment Providers to a limited extent, or not at all.
- Processing associated with billing
Based on the data provided by the Customer during contracting, the Controller issues an invoice to the Customer or another party.
|
Range of data subjects: |
The party to whom the invoice is issued (Customer) |
|
Purpose of processing: |
Discharge of the obligation to issue and retain invoices. |
|
Legal basis of processing: |
Discharge of the Controller’s legal obligation [GDPR Article 6 section (1) c), VAT Act Article 159 section (1) and Article 169 sections e)-f), Accounting Act Article 166 sections (1)-(3), Article 167 and Article 169 section (2)]. Processing is not voluntary and does not require the Data Subject’s consent. |
|
Range of data processed: |
Data content of the invoice: name, residential address |
|
Storage period of personal data: |
8 years from the date of issue of the invoice (Accounting Act Article 169 section (2)). |
|
Consequences of failure to provide the data: |
It is not possible to issue an invoice |
|
How does the Controller obtain the data: |
From the Customer |
|
Processor |
Billingo Technologies Zrt. (1133 Budapest, Árbóc utca 6. I. emelet) The Processor maintains accounting records pursuant to a contract concluded with the Controller. In the course of that activity, the Processor processes the names and addresses of Data Subjects to the extent required for accounting records, and for the period stipulated in Article 169, section (2) of the Accounting Act, and deletes all such data thereafter. |
- Processing associated with the delivery of the Products
The Company delivers the products purchased by Data Subjects by home delivery.
|
Range of data subjects: |
The parties to whom the Products are delivered |
|
Purpose of processing: |
Discharge of the obligation to provide delivery as part of the contract |
|
Legal basis of processing: |
Discharge of the Controller’s legal obligation [GDPR Article 6 section (1) c), VAT Act Article 159 section (1) and Article 169 sections e)-f), Accounting Act Article 166 sections (1)-(3), Article 167 and Article 169 section (2)]. Processing is not voluntary and does not require the Data Subject’s consent. |
|
Range of data processed: |
Name, residential address of the customer using the service, data of the order, phone number, purchase price |
|
Storage period of personal data: |
5 years from the conclusion of the contract concerning the Product to be delivered |
|
Consequences of failure to provide the data: |
The delivery service cannot be rendered. |
|
How does the Controller obtain the data: |
It is provided by the user of the service. |
|
Processor: |
iLogistic Logistics and Services Limited Liability Company, (seat: H-2051 Biatorbágy, Verebély László u. 2.; company registration no.: 13-09-185133; tax no.: 13737467-2-13; representative: Bálint Csereklyei, executive officer) The privacy policy of iLogistic Ltd. is available at this address: https://ilogistic.hu/adatvedelmi-tajekoztato/ |
- Processing and records associated with complaints
The Customer is entitled to submit complaints to the Controller in relation to the Products sold by the Controller. In the case of Customers who are considered Consumers, the Controller shall review verbal and written complaints immediately, and inform the Customer of the result as soon as possible, but no later than within 3í working days in writing. Complaints shall be recorded, and the documents and records associated with complaints and their review shall be retained for 3 years.
|
Range of data subjects: |
The person submitting the complaint |
The Customer |
The representative of the person submitting the complaint or the Customer |
|
Purpose of processing: |
Discharge of the legislative obligation associated with the review and recording of the complaints of persons/Customers submitting complaints, and the obligation to retain documents associated with complaints. |
|
Legal basis of processing: |
Discharge of the Controller’s legal obligation [GDPR Article 6 section (1) c), in the case of Consumers: Consumer Protection Act Article 17/A, section (5)]. |
|
Range of data processed: |
The personal data contained in the complaint and the response to it. |
The data generated during the review of the complaint. |
The data shown in the registry of complaints (name of complaining party, date of complaint, method of communication, date of receipt, summary of the complaint, date of response to the complaint, summary of the response, method of communication of the response). |
|
Storage period of personal data: |
3 years from the date of the response (Consumer Protection Act Article 17/A section (7)) |
|
Consequences of failure to provide the data: |
The complaint cannot be reviewed |
|
How does the Controller obtain the data: |
The source of the data is the party submitting the complaint. |
- Processing associated with marketing
- Processing associated with the distribution of newsletters
The Controller informs subscribers about its Products, services, promotions and offers in e-mail newsletters.
Data Subjects may subscribe to the newsletter before or during purchasing the Product, or in another fashion, with the data specified below. Declaration of consent can be provided to our Company during the process of registering in the web store, by responding to a confirmation email, and by checking a checkbox during shopping provided for this purpose. A link at the bottom of the newsletter can be used to unsubscribe.
|
Range of data subjects: |
All natural persons, and natural persons acting on behalf of legal persons, who wish to receive the Company’s news regularly and therefore subscribe to the newsletter by providing their personal data. |
|
Purpose of processing: |
The purpose of processing associated with the distribution of the newsletter is the provision of general or personalised information to Data Subjects about the Company’s latest services, news, promotions, offers and discounts. |
|
Legal basis of processing: |
The Data Subject’s consent - GDPR Article 6 section (1) a) |
|
Range of data processed: |
E-mail address and/or phone number, date of subscription |
|
Storage period of personal data: |
Until deletion requested by the Data Subject, or withdrawal of consent by the Data Subject. |
|
Consequences of failure to provide the data: |
The newsletter cannot be sent, so the Data Subject will not receive the Company’s newsletters and commercial information letters. |
|
How does the Controller obtain the data: |
Provided by the Data Subject |
The Company shall only process the personal data obtained for this purpose until the Data Subject unsubscribes from the newsletter list. The Data Subject may unsubscribe at any time using the contact information provided in the newsletter, or through the website of the newsletter provider, or by sending an unsubscribe request to the Company’s e-mail address. They can also unsubscribe from the newsletter by mail, at the address provided in the present Policy.
The Company uses the automated mailing platform of Omnisend for distributing the newsletters. In that capacity, Omnisend UAB (seat: Verkių g. 25C-1, LT-08223 Vilnius, Republic of Lithuania, mailing address: legal entity code 302530363), as the platform service provider, constitutes a processor; its processing activity is the provision of a technical background service for processing. Its privacy policy is available through the following link: https://www.omnisend.com/privacy/, while its terms of service are available here: https://www.omnisend.com/terms/.
- Processing associated with social media sites
The Controller maintains presences on the Facebook social portal as well as other social media pages (Pinterest/YouTube/Instagram/TikTok). The primary purpose of the content placed on those pages is the presentation of the Products and the sharing, publication and marketing of content from our Website on social media. Data Subjects may use the social media sites to obtain information about our latest Products, the associated Services and any promotions or new offers from the Company.
In the course of its operations on social media pages, with a view to sharing, obtaining likes for or promoting certain components of its social media page, its products or offers, or its social media page itself, the Company may process the names and public data of Data Subjects registered on the Facebook/Twitter/LinkedIn/Pinterest/YouTube/Instagram/TikTok etc. social media pages linked to its Website who have “liked” or followed the Company’s social media pages. The Company shall only communicate with Data Subjects via social media sites, and hence the purpose of the range of data processed shall only become relevant, if the Data Subjects first contact the Company via the social media site in question.
|
Range of data subjects: |
Natural persons who follow, share, like or comment on the social media pages of the Controller, or content thereon. |
|
Purpose of processing: |
Contracting of, communication with Data Subjects by the Controller, along with other activities permitted by the social media sites, within and through the social media sites. |
|
Legal basis of processing: |
The Data Subject’s consent - GDPR Article 6, section (1) a). Under the conditions of use of the social media pages, the Data Subject voluntarily consents to following and liking the Company’s content. |
|
Range of data processed: |
Name, e-mail address, public data, date of message or comment. |
|
Storage period of personal data: |
Until deletion at the Data Subject’s request, i.e. withdrawal of the Data Subject’s consent |
|
Consequences of failure to provide the data: |
Communication is not conducted on the platforms concerned. |
|
How does the Controller obtain the data: |
It is provided by the Data Subject. |
The Company may link a specific social media site with other social media sites in accordance with the rules applicable to the social media site in question, so publication on one page shall be understood to include publication on such other linked social media portals. Data Subjects may obtain information about the processing conducted by social media platforms, the sources of their data, their processing and method and legal basis for the provision of data from the social media platforms concerned. Processing of that sort takes place on the social media platforms, so the period, method, deletion and amendment conditions of such data are subject to the regulations of the respective social media platforms.
- Processing of the data of the contact persons of contractual partners
In the course of its business activities, the Controller may process personal data if such data is provided to it by the Customer, Data Subjects or other legal person contractual partners (hereinafter “Contractual Partners”). The Controller shall process the personal data provided to it by its Contractual Partners. The Controller shall assume that its Customers and partners possess appropriate authorisation or consent from the Data Subjects concerned, in respect of the data of natural persons they provide.
|
Range of data subjects: |
Natural persons and legal persons entering into commercial relationships who provide the personal data of their contact persons, and the persons acting on behalf of such legal persons. |
|
Purpose of processing: |
The purpose of processing is to allow the Controller to contact or communicate with the Customer, or the Customer’s employee, contact person – that is to say the Data Subject – if required, concerning matters related to the Controller and the Customer. |
|
Legal basis of processing: |
The Controller processes the data of the Data Subjects in the interest of communicating with the Customer. The legal basis of processing is the legitimate interest of the Controller (GDPR Article 6, section (1) f)). |
|
Range of data processed and purpose of processing: |
Range of data processed | Purpose of processing |
Name | Identification of the Data Subject |
E-mail address | Communication |
Position | Communication |
Company name | Communication |
Phone number | Communication |
|
Storage period of personal data: |
The period required for the purpose of processing, which may in some cases be the term of the contractual relationship with the Customer, but at most until withdrawal of consent, or any deadline applicable to any potential claim under the contract (5 years from the performance of the contract – statute of limitations), or periods stipulated in accounting regulations (8 years from the annual report or accounting report produced about the business year in which personal data is provided by the data subject). |
|
Consequences of failure to provide the data: |
Communication becomes impossible. |
|
How does the Controller obtain the data: |
Provided by the Data Subject. |
|
Source of the data: |
The Data Subject, or the Company’s business partner, contractual partner. |
4. Access to data, processing, data transfers, data security
- Access to data
The personal data processed by the Company can be accessed by the subcontractors retained in order to provide the service. The subcontractors are only entitled to access the data that is indispensable for completing their tasks.
Our subcontractors and all third parties with access to the data (Processors) are obliged to maintain confidentiality in respect of the processing.
Our subcontractors used in the interest of providing our service may at times have access to your personal data – for instance, e-mail you send us reaches us via an e-mail service provider. Therefore all of those subcontractors operate under strict confidentiality, and have provided contractual guarantees that they shall comply fully with our instructions and effective data protection regulations. Your data remains under our control even when we use processors.
- Processing
Within the scope of our activities, we use the following Processors:
- Hosting: Rackhost Zrt., contact: info@rackhost.hu
- Web developer: Botanic Origin Kft., contact: support@botanicbathhouse.com
- E-mail provider: Omnisend UAB, contact: https://www.omnisend.com/contact-us/support/no-account/
- Deliveries: iLogistic Kft., contact: sales@ilogistic.hu
- Billing: Billingo Technologies Zrt., contact: hello@billingo.hu
- Accountant: Partner Audit Consulting Kft., contact: iroda@partneraudit.hu
- Data transfers
Outside the cases specified in Section 4.2 above, we only transfer your personal data to third parties in special circumstances, such as in order to comply with a legal obligation, generally at the request of a court of law or other official body, or if the Data Subject specifically consents to the transfer.
We maintain a record of occasional data transfers, which is available upon request to Data Subjects.
As the Controller, we may transfer your personal data to third countries with your consent or pursuant to our legitimate interest, but we do so only if we receive appropriate guarantees from our partners concerning processing in third countries to the effect that your data is subject to actually enforceable rights and effective legal redress.
We do not transfer your personal data to international organisations.
- Data Security
In accordance with the principle of “privacy-by-design”, the company takes the requirement of data security into account throughout the establishment of its data protection process. The Company’s objective is to reduce the processing of personal data to a minimum in order to reduce processing risks.
The Company shall ensure that it complies with the data security regulations prescribed in applicable legislation. When determining and implementing the measures aimed at data security, the Company takes into account the prevailing state of technology, and in case of several different data processing solutions, it chooses the one with the highest level of protection for personal data, unless that would involve a disproportionate difficulty. The Company shall take the technical and organisational measures and implement rules of procedure that are required for compliance with applicable legislation and data protection and confidentiality regulations.
The Company shall take appropriate measures to protect the data against unauthorised access, alteration, transfer, publication, deletion or destruction as well as accidental destruction or corruption, or loss of availability due to changes in the technology used.
Within its scope of data security tasks, the Controller shall:
- take technical and organisational measures to ensure the security of data stored electronically;
- ensure compliance with the data security regulations prescribed in legislation;
- ensure compliance with data protection and confidentiality regulations;
- prevent unauthorised access to the data;
- take the required measures to prevent corruption of the data;
- promote data processing awareness among its employees in order to ensure data security;
- ensure physical protection of data stored on paper;
- ensure physical protection for the equipment used to store data digitally;
- provide password protection for data stored electronically;
- perform regular security backups of the data;
- ensure that only authorised persons are granted access to the data.
The Company shall implement technical, process-related and organisational measures in order to protect the security of processing that will result in an appropriate level of protection against the risks associated with processing. It shall select the IT equipment used, and operate it so that the data processed:
- is available to authorised persons (availability);
- is authentic and authenticated (authenticity of processing);
- can be certified to be free of alterations (data integrity);
- is only available to authorised persons, and is protected against unauthorised access (data confidentiality).
In the interest of compliance with the requirements of data security, the Company shall ensure that the personnel involved receive appropriate training. During the processing of data – in particular its storage, rectification and deletion – the Company shall provide the required level of protection when Data Subjects request information or lodge protests.
- The rights of Data Subjects
Your right to control your personal data remains in effect during and after the period of processing. As a Data Subject, during the processing you have the right to access your personal data, and you may request that it be rectified or deleted, or that its processing be restricted; you may object to the processing of your data, and in certain cases you also have the right to data portability.
Your Data Subject rights are described in detail in Articles 14-22 of the GDPR.
If you wish to assert your Data Subject rights, please contact us using one of the channels provided in our contact information above. We shall respond to your query as soon as possible, but certainly within one month. We shall not charge any costs for the action we take in order to comply with your request.
If you wish to assert your Data Subject rights, this will require your identification, and the Controller will of necessity have to communicate with you about the matter. Accordingly, for the purpose of identification you will have to provide personal data (but identification may only be based on data already held about you by the Controller), and the query you submit will be available in the Controller’s e-mail account for the period stipulated for communication.
- The right of information
You have the right, as Data Subject, to receive concise, transparent, legible and easily accessible information formulated in a clear and understandable fashion about the processing of your personal information from us. It was for that purpose and with that intention that we produced the present Policy.
If the processing of your data has not been described with sufficient clarity or unambiguously, or if you have any questions concerning the matter, please contact us using our contact information.
- The right of access
At the request of the Data Subject, after identification, we shall provide information whether we process your personal data, and if yes, also information about the details of the processing.
- The right of rectification
If any of your data that we process is inaccurate or deficient, we shall rectify it at your request, or supplement it pursuant to your declaration.
- The right of erasure (“the right to be forgotten”)
At your request we shall delete your personal data once the purpose of the processing is achieved; in the case of processing based on consent, we shall also do so if you withdraw your consent; or if you object to the processing of your data legitimately; or if processing your data would not be lawful; or if we must delete your data in order to comply with a legal requirement.
We will only continue to process your data despite your request to delete it in special cases, in order to comply with legal requirements or to enforce legal claims.
- The right to restriction of processing
At your request, we shall restrict the processing of your data:
- If you believe your data to be inaccurate, until it is verified;
- In case of suspicion of unlawful data processing, if you object to the deletion of your data, until the issue is investigated;
- If we no longer need the data, but you request the data to be deleted for the enforcement of a legal claim, until the claim is enforced;
- If you object to the processing, until a decision is reached about your objection.
In those cases, with the exception of storage we shall only process the data with your consent, or to enforce legal claims, or in the material interest of the public.
When restricting processing at your request, we shall inform you in advance of the lifting of the restriction.
- Our obligation to inform Recipients
As the Controller, we shall inform all Recipients to whom we have transferred the personal data concerned of every rectification, deletion or restriction of processing, unless this proves impossible or would require disproportionate effort. We shall inform you of the Recipients at your request.
- The right to data portability
As a Data Subject, at your request and pursuant to your consent or a contract concluded between us, we shall provide the personal data you provided to us that we process in a structured, commonly used and machine-readable format. You may also request us to transfer the data directly to another controller.
- The right to object
As a Data Subject, you may object to the processing of personal data at any time if we process the data about you in one of our legitimate interests. We shall discontinue the processing at your request unless the data are required in order to assert our rights.
- Automated decision-making in individual cases, including profiling
We do not use automated decision-making or profiling in the course of processing.
- The right to withdraw consent
If we process your personal data based on your consent, you may withdraw your consent at any time. However, withdrawal of consent does not impact the lawfulness of processing conducted prior to withdrawal on the basis of consent.
- The right of Data Subjects to lodge a complaint and other legal remedies
If you have any questions, comments or complaints concerning the processing of your personal data, please feel free to contact us and we shall do our best to respond or resolve your query.
- E-mail address: support@botanicbathhouse.com
- Phone no.: +36 70 344 3933
- Mailing address: 1096 Budapest, Sobieski János utca 36. alagsor 1. ajtó.
If the data subject believes that the Company’s processing of their personal data infringes prevailing effective privacy legislation, in particular the provisions of the GDPR, they are entitled to submit a complaint to the National Data Protection and Freedom of Information Authority.
Contact details for the National Data Protection and Freedom of Information Authority:
Website: http://naih.hu/
Address: H-1055 Budapest, Falk Miksa utca 9-11., Mailing address: 1363 Budapest, Pf. 9.
Phone: +36-1-391-1400, Fax: +36-1-391-1410, e-mail: ugyfelszolgalat@naih.hu
Data Subjects are also entitled to submit complaints to other supervisory authorities, in particular those established in the European Union member states where their place of residence, workplace or the alleged location of the infringement is located.
Independently of their right to lodge a complaint, Data Subjects can also petition a court of law if they believe that their rights under the GDPR were infringed in the course of the processing of their personal data.
The Company, as a Hungarian Controller, can be sued before a Hungarian court.
If the Data Subject’s habitual residence is in another member state of the European Union, the suit may be brought before a court of law with jurisdiction and competency in the member state of the habitual residence as well.
If the Data Subject wishes to initiate legal proceedings against the Processor, they must do so in a court of the Member State where the Processor operates.
Data subjects may launch legal proceedings before a court of law with jurisdiction over their residential address or habitual residence. Contact information for the courts in Hungary is available via the following link: http://birosag.hu/torvenyszekek.
- Amendment of the Policy
The Controller retains the right to amend the present Privacy Policy unilaterally. Amendments shall be published on the Controller’s Website.
Botanic Origin Limited Liability Company