Privacy Policy
Upshift R Kft. (registered seat: 2086 Tinnye, Ady Endre str. 18. tax number: 25597880-2-13 hereinafter: "Data Controller") hereby informs the Data Subjects on the basis of Regulation (EU) 2016/679 of the European Parliament and the Council (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("General Data Protection Regulation" or "GDPR") as follows:
1. The identity and the contact details of the Data Controller:
Upshift R Kft.
- Contact person: Gergely Daroczi
- Postal address: 2086 Tinnye, Ady Endre str. 18.
- Email address: legal@sparecores.com
2. The categories of the processed personal data, the purposes of the processing for which the personal data are intended, the legal basis for the processing and the period for which the personal data will be stored:
Categories of personal data | Legal basis for the processing | Purposes of the processing | Period for which the personal data will be stored |
---|---|---|---|
Name, affiliation, email address | Performance of a contract [General Data Protection Regulation, Point b) of Article 6 (1)] | Processing is necessary for registration and the performance of a contract | Eight years following expiry of the contract |
Email address | Consent of the data subject [General Data Protection Regulation, Point a) of Article 6 (1)]. Consent can be withdrawn at any time, without affecting the lawfulness of processing based on consent before its withdrawal. |
Sending newsletters (information about developments of the service) | Until the withdrawal of consent |
Any personal data given in user surveys | Consent of the data subject [General Data Protection Regulation, Point a) of Article 6 (1)]. Consent can be withdrawn at any time, without affecting the lawfulness of processing based on consent before its withdrawal. |
To improve the product | After concluding the analysis of the survey responses, but no later than 6 months after the survey was filled in. |
Personal preferences (e.g. currency etc.) | Consent of the data subject [General Data Protection Regulation, Point a) of Article 6 (1)]. Consent can be withdrawn at any time, without affecting the lawfulness of processing based on consent before its withdrawal. |
To improve user experience | Until the termination of the contract. |
Only those employees have access to the personal data, who need to have access to such data for performing their tasks. No automated decision-making, including profiling takes place in connection with the data processing.
3. Transfer personal data, the recipients or categories of recipients of the personal data:
The Data Controller uses the following data processors in connection with the processing:
- Hosting: Upshift uses Amazon Web Services (AWS) to host the Website. Due to technical requirements, such as server logs, AWS has access to certain data including your IP address, user agent, and pages visited. This information is essential for the operation of our service and for ensuring security and performance. For more details on AWS's data handling practices, please visit AWS Compliance at https://aws.amazon.com/compliance.
- Analytics: To analyze user interactions and improve our Services, Upshift uses Posthog, Inc. for product analytics, and platform auditability. Posthog collects information such as your IP address, user agent, timestamps of events, and other related properties like which pages were viewed. Posthog does not use any persistent identifier to track guest visitors, but identifies returning registered users. This data helps us to understand user behavior and enhance our services. It will not be shared with third parties for marketing purposes. Posthog is based in the USA, and complies with the requirements of CCPA, GDPR, and other international privacy frameworks. Data is stored in the EU region. Find more information at https://posthog.com/docs/privacy.
- Email newsletters: To improve the reliability of sending automated product update emails to subscribers, Upshift uses SendPulse Inc. SendPulse will retain your IP address, name and affiliation in their log files on their server. This data is retained only for the purposes of delivering the email and providing us with information should there be a problem with the delivery. It will not be shared with third parties for marketing purposes. Data is stored in the EU region. Find more information at https://sendpulse.com/legal.
- Backups: Upshift uses Amazon Web Services (AWS) for backups due to their redundant and flexible data storage options. Data is encrypted both in transit and at rest, and stored in the EU region. For more details on AWS's data handling practices, please visit AWS Compliance at https://aws.amazon.com/compliance.
No transfer of data to third countries (i.e. outside the European Union) takes place. Data may be processed by international organizations provided they operate within the European Union and comply with all applicable EU data protection regulations.
4. The data subject’s rights in connection with the processing:
The data subject may request from the Data Controller
- access to his/her personal data,
- rectification of his/her personal data, and
- erasure of his/her personal data or restriction of processing concerning the data subject.
The right of access:
The data subject shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. The Data Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
Right to rectification:
The data subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her.
Right to erasure:
The data subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay and the Data Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
- the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Data Controller is subject;
- the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
Right to restriction of processing:
The data subject shall have the right to obtain from the Data Controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the Data Controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the Data Controller override those of the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Right to data portability:
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Data Controller to which the personal data have been provided, where: (a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) of the GDPR or on a contract pursuant to point (b) of Article 6(1) of the GDPR; and (b) the processing is carried out by automated means.
General rules regarding the data subjects' rights:
The Data Controller shall provide information on action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Data Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
Information to the data subject and any actions taken shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Data Controller may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request. The Data Controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request. Where the Data Controller has reasonable doubts concerning the identity of the natural person making the request, the Data Controller may request the provision of additional information necessary to confirm the identity of the data subject.
6. Possible legal remedies:
The data subject may turn to the Data Controller in connection with the processing of his/her personal data at any time.
In case of the infringement of his/her rights, the data subject may submit a claim against the Data Controller to the court. The court shall proceed out of turn. The Data Controller shall prove that the processing is in compliance with the applicable laws. The Court of Appeal (törvényszék), in Budapest, the Metropolitan Court of Appeal (Fővárosi Törvényszék) is competent. The lawsuit may also be initiated in front of the Court of Appeal that has jurisdiction based on the permanent or temporary address of the data subject.
The Data Controller shall compensate the data subject for the damages caused to the data subject by the unlawful processing of the personal data of the data subject or by the infringement of data security requirements. The Data Controller shall be exempted from liability if it can prove that the damages were unavoidable and the causes were out of the scope of data processing. Damages that were due to the data subject’s deliberate or grossly negligent behavior shall not be compensated.
The data subject has the right to lodge a complaint with the National Authority of Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, Postal address: 1363 Budapest, Pf. 9, Address: 1055 Budapest, Falk Miksa utca 9-11., Phone number: +36 (1) 391-1400; Telefax: +36 (1) 391-1410; E-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu).