Privacy Policy

Privacy Policy

Leonória Edutainment Ltd. on data management related to the activities of and the operation of the https://leonoria.hu/  website

Introduction

This Information Notice provides information on the activities of Leonória Edutainment Ltd. (hereinafter referred to as the Data Controller) with regard to the data of natural persons in the course of performing its tasks as detailed below, in accordance with the rules of the EU General Data Protection Regulation 2016/679 (hereinafter referred to as GDPR/General Data Protection Regulation). It will inform you of the rules it follows in carrying out these activities and of the measures it has taken to protect the data it uses. Finally, it provides information on the rights of data subjects to the protection of their interests.

The Data Controller shall provide the data subjects and interested parties with the mandatory information pursuant to Article 13 of the GDPR as follows.

1. Identification of the data controller

Name: Leonória Edutainment Kft.

Register of Companies: 01-09-438733

Registration Court: Capital Court of Registration

Tax Number: 32713206-2-42

Head Office: 1066 Budapest, Jókai str. 18. (8)

Customer Service: info@leonoria.hu ; tel: +3620 5826 990

Website: https://leonoria.hu/   

Hosting provider: Shopify

Hosting provider contact: shopify.com

Complaints handling: https://www.shopify.com/legal/eu-terms#9-internal-complaint-handling-system 

Data management: https://www.shopify.com/legal/privacy

1. Principles of personal data processing

The Data Controller acts in accordance with the following principles:

• Purpose limitation: it shows the purposes for which the Data Controller stores and uses the data of natural persons in the course of its activities.
• Data minimisation principle: the scope of the data processed is appropriate to the purpose and only to the extent necessary for that purpose.
• Accuracy principle: according to this principle, personal data that are inaccurate, both for the data subjects and for the purposes of legal compliance, will be corrected or deleted by the Data Controller without undue delay.

As Data Controller, we receive personal data directly from the data subjects. We accept the obligation to fulfil our duties related to the protection of personal data processed in connection with our activities, where applicable, to help demonstrate to the authorities, business partners and customers concerned that we have acted in compliance with the Regulation and the Info Law and other relevant legislation in this respect (accountability principle).

1. The main legal regulations governing our data processing activities:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR, hereinafter: Regulation)
• Act CXII of 2011 on the right to self-determination in relation to information and freedom of information (Info. tv.)
• Act XLVIII of 2008 on the basic conditions and certain restrictions on economic advertising activities
• Act I of 2012 on the Labor Code
• Act CL of 2017 on the Rules of Taxation
• Act C of 2000 on Accounting

1. Definitions

GDPR: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Personal data: any information relating to an identified or identifiable natural person; this includes information such as a name, an email address, a phone number, a location, an online ID, or data about someone's physical, physiological, genetic, mental, economic, cultural, or social identity.

Special data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Data processing: any operation or set of operations performed on personal data or on sets of personal data, regardless of the means used, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, the granting or refusal of access to data, the prevention of further use of data, the taking of photographs, sound or video recordings, and the recording of physical characteristics (e.g. fingerprints or palm prints) that can be used to identify a person.

Data controller: a natural or legal person or an organization without legal personality who, alone or jointly with others, determines the purposes and means of the processing of personal data, makes decisions regarding the processing of personal data and implements them or has them implemented by a data processor.

Data processor: a natural or legal person or an organization without legal personality who processes personal data on behalf of the data controller.

Data subject: any natural person identified or identifiable, directly or indirectly, on the basis of one or more factors specific to their physical, physiological, mental, economic, cultural or social identity. A natural person who is identifiable is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data transfer: making personal data available to a specific third party. Data transfers to EEA member states or to European Union bodies shall be considered as data transfers within Hungary.

Data erasure/deletion: rendering data unidentifiable by erasing its content or using other means to achieve the same result.

Data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

EEA Member State: a Member State of the European Union and any other state party to the Agreement on the European Economic Area, as well as any state whose citizens are nationals of the European Union and its Member States, and a state that is not a party to the Agreement on the European Economic Area but enjoys the same legal status as a state party to the Agreement on the European Economic Area on the basis of an international treaty concluded between the European Union and the state concerned.

Third country: any state that is not an EEA member state.

NAIH: National Authority for Data Protection and Freedom of Information, the supervisory authority under the GDPR in Hungary.

1. Data processing procedure

We process any business partner or customer data that comes to our knowledge in the course of our activities in any manner and to any extent in accordance with this Privacy Policy, subject to confidentiality obligations, the provisions of the GDPR and the relevant Hungarian legislation.

We may lawfully store personal data received in the course of our activities, organize it within the framework of the law, and use it to the extent necessary.

We will immediately terminate data processing if its purpose has been fulfilled or has ceased to exist, or we will consider doing so if requested by the data subject.

We do not use profiling or automated decision-making.

1. Details of data processing related to our activities, by purpose

1. Contact

Data subjects: Natural persons / legal representatives of natural persons who contact us with the intention of establishing contact

Purpose of data processing: Establishing contact, providing information

Data processing procedure:

If you provide us with your contact details by email or telephone, we will use them to keep in touch with you and to provide you with information about our services.

Providing the above data is not mandatory, but without it we will not be able to keep in touch with you. You may withdraw your consent at any time without giving any reason, but this will not affect the lawfulness of the data processing carried out on the basis of your consent prior to the withdrawal. You can withdraw your consent by sending a request to the above email address, which we will comply with as soon as possible, but within a maximum of 5 working days.

1. Data processing related to the service

Data subjects: players (the terms and conditions of the service are set out in the GTC)

Purpose of data processing: performance of the service

Game room reservations are made on our website: we do not request any personal data for this purpose.

The booking results in an immediate payment obligation, for which we send an invoice and pass on the necessary identification data to the online payment service provider. We do not receive or process any data related to the financial transaction (payment and bank account).

We work with the following (data processing) partners.

- Service provider: customer database and website provider: Shopify

- Data management info: https://www.shopify.com/legal/privacy

- Service provider: Stripe for online payments

- Data management info: https://stripe.com/en-hu/privacy

1. Management of other contract data

Data subjects: Signatories and contact persons (company representatives, contact persons) of contracts concluded with our partners outside our scope of services (suppliers, service providers).

Purpose of data processing: Contract conclusion and maintenance of contact

Data processing procedure:

The provision of personal data is essential for the conclusion of a contract. The data processed in this way will be used exclusively for the performance of the contract and for maintaining contact. Without the provision of this personal data, it is not possible to conclude a contract.

1. Registration of job applicants, evaluation of applications, CVs

Data subjects: Persons applying for job opportunities

Purpose of data processing: evaluation of applications, notification of applicants

Data processing procedure:

Applicants for a given job opportunity send us their CV and a cover letter. Both may contain personal data that the applicant considers important to share with us in order to be considered for the position.

Providing the above data is not mandatory, but without it we will not be able to evaluate the application and/or notify the applicant. You may withdraw your consent at any time without giving a reason, but this will not affect the lawfulness of any data processing carried out on the basis of your consent prior to withdrawal. You can withdraw your consent by sending an email to the above email address, which we will comply with as soon as possible, but within 5 working days at the latest.

1. Data processing related to employment (summary form)

Data subjects: Persons in an employment relationship with the data controller

Purpose of data processing: administration related to the employment relationship in accordance with legal requirements

Data processing:

The purpose of providing the above data is to comply with the administrative requirements of the law relating to employment. The provision of this data is mandatory.

1. Marketing

Data subjects: marketing campaign subscribers, interested parties

Purpose of data processing: marketing, making offers, sales support

Data processing process:

For some of our marketing campaigns, we use social media service providers where you can provide data, express interest, and initiate contact by subscribing or registering.

- Service provider: META (Facebook, Instagram)

- Data processing info: https://www.facebook.com/privacy/policy/

- Service provider: TikTok

- Data processing info: https://www.tiktok.com/legal/page/eea/privacy-policy/hu

Information: The indicated service providers have access to all data that arises during marketing campaigns displayed on their platforms. This also includes data transfers abroad, which are completely independent of our data processing and over which we have no influence.

1. Handling of complaints regarding data processing

Data subjects: Natural persons who feel that their rights have been violated

Purpose of data processing: Identification, conducting the procedure and maintaining contact

Data processing procedure:

All data subjects have the right to lodge a complaint regarding our data processing activities if they feel that their rights have been infringed.

The provision of data is mandatory for the investigation of the infringement and for maintaining contact, i.e. for the proper conduct of the procedure. Without this, the complaint and/or the complainant cannot be identified, and we are therefore unable to conduct the procedure.

1. Account management, accounting

Data subjects: persons named on the account

Purpose of data processing: Document management in accordance with the Accounting Act

Data processing procedure:

In the case of natural persons and sole traders, documents may contain personal data. We store this data in accordance with the provisions of the Accounting Act.

The provision of this data is mandatory under the relevant legislation. Failure to do so will result in the invoice being rejected. The tax authorities have access to the data.

- NAV

- Data protection info: https://nav.gov.hu/ugyfeliranytu/keressen_minket

We store our invoices electronically in the szamlazz.hu system.

- Service provider: KBOSS.hu Kft.

- Data protection info: https://rendezveny.szamlazz.hu/adatvedelmi-tajekoztato/

1. Use of our website

Data subjects: anyone who visits our website https://leonoria.hu/

Purpose of data processing: operation of the website and collection of information related to its operation

Our website currently uses the following cookies:

• Strictly necessary cookies, no consent required

• Performance cookie, requires consent, acceptance is not mandatory

• Targeted cookie, requires consent, acceptance is not mandatory.

Data processing:

Our website uses (or may use) a technique known as "cookies". A cookie is a small text file that is placed on your computer's hard drive by your website provider. Cookies provide various functions that support the operation of the website.

As a user, you have the option to accept or reject cookies when you first visit the website. You can change your decision at any time during subsequent visits. If you decide to reject cookies, you may not be able to use certain features of our website.

1. Camera surveillance data processing

Data subjects: anyone who enters the camera image

Purpose of data processing: property protection

Data processing procedure:

We operate cameras in the game room for property protection reasons.

No data is transferred, and the recordings are not accessible to external, unauthorized persons. If you wish to exercise your rights (details on page 9), please notify us immediately so that we can record the camera image, as the system automatically and permanently deletes the images within a maximum of three weeks! More detailed information can be found in the Camera Policy. The "Balancing Test" is available upon request.

1. Transfer and disclosure of data

In some cases, we may transfer personal data to third parties in connection with our activities. Data may be transferred in paper form or electronically, in both cases ensuring that the data is only accessible to the recipient.

• Paper-based transfer: by personal delivery or by post, specifically to the recipient
• electronically (e-mail): personal data does not appear in the text of the message. If necessary, personal data is sent in an attached Excel file or compressed file, in each case with a unique password.

As data controller – on the legal basis of "performance of contracts" or "compliance with legal obligations" – we transfer data – in addition to the partners indicated in point 6 – to the following organizations acting as data processors or independent data controllers:

• Bank partner: Unicredit Bank Ltd.
• Data processing info.: https://www.unicreditbank.hu/hu/rolunk/hasznos_informaciok/penzugyi_informaciok/tajekoztato_az_adatkezelesrol.html

1. Data security

We ensure the security of the personal data we process through technical and organizational measures and the development of procedures.

To ensure data security:

• we assess and take into account potential risks during the design and operation of our IT system, striving to continuously reduce them
• we monitor emerging threats and vulnerabilities (such as computer viruses, computer intrusions, denial of service attacks, etc.) so that we can take timely action to prevent and mitigate them
• We protect IT equipment and information stored on paper against unauthorized physical access and environmental influences (e.g., water, fire, power surges).
• We monitor our IT system to detect potential problems and incidents.
• Reliability is a fundamental criterion in the selection of service providers involved in operations

1. Based on Articles 15-20 of the GDPR, data subjects have the following rights with regard to their personal data:

• the right to information;
• the right of access;
• the right to rectification;
• the right to erasure;
• right to restriction of processing;
• right to data portability;
• right to object.

You can exercise your rights by sending a request to the email address info@leonoria.hu.

The right of access entitles you to obtain information about whether your personal data is being processed and, if so, to access your personal data and obtain information about the security conditions of the data processing.

Right to rectification: upon your request, we will correct any inaccurate personal data and complete any incomplete data without undue delay.

Right to erasure: we will erase your personal data without undue delay in the following cases:

• the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
• if the consent on which the processing is based is withdrawn and there is no other legal basis for the processing;
• if the personal data has been processed unlawfully;
• if we are required to erase the personal data by law.

We cannot delete personal data if it is necessary for the establishment, exercise or defence of legal claims.

Upon request, we will restrict the use of personal data based on the right to restriction of processing, in which case we will only use the personal data within a limited scope.

Based on the right to data portability, provided that this does not violate the rights and freedoms of others, we will send your data to you in a structured, commonly used and machine-readable format, or forward the data directly to another data controller at your request.

Right to information: During the period of data processing, the data subject may request information from us about the processing of their personal data. We will provide the data subject with the following information in writing, in the shortest possible time, but no later than 30 days after the request is submitted in an easily understandable form, we will provide the data subject with information about the data processed, the purpose of the data processing, the legal basis, the duration, and, if the data has been transferred, who will receive or has received the data and for what purpose.

Right to object: We will examine the objection within the shortest possible time after the request is submitted, but within 15 days at the latest, decide on its merits, and inform you of our decision in writing. If we are unable to comply with the data subject's request for rectification, blocking or erasure, we will communicate the factual and legal reasons for the refusal of the request for rectification, blocking or erasure in writing or, with the consent of the data subject, by electronic means within 30 days of receipt of the request.

1. Other provisions relating to data processing

Termination of data processing

We will delete all personal data

• whose processing is no longer necessary for the purposes of data processing, or
• for which the data subject has not given consent,
• for which the data subject has withdrawn consent or prohibited processing, or
• for which there is no legal basis for processing.

Instead of erasure, we will block personal data if the data subject requests this or if, based on the information available to us, it can be assumed that erasure would violate the legitimate interests of the data subject. Personal data blocked in this way will only be processed for as long as the purpose of processing that precludes erasure of the personal data continues to exist.

1. Our procedural rules for handling data protection complaints

The procedure: we treat and handle all comments made to us in writing by the natural persons concerned as complaints if they relate to data protection and express dissatisfaction with our procedures or omissions that are not in accordance with this Privacy Policy (hereinafter: complaint).

Complaints can be submitted (electronically) to the above email address or by post to our mailing address.

The complaint must contain at least: the name, address (e-mail address) and telephone number of the complainant, the date of the infringement, a specific description of the complaint, the signature of the complainant, and a statement that the complainant consents to the processing of the data contained in the complaint in the complaint procedure at the time of signing the complaint. In the absence of this information and the statement, we will not investigate the complaint and will notify the Complainant in writing.

We will process the Complainant's data exclusively in connection with the complaint and will not disclose it to third parties, except in response to official requests from authorities or courts as required by law, and will not use it for business purposes.

We will investigate the complaint and provide a reasoned written response within 30 days of receipt, using the same method as the complaint was submitted (by email or post). If the 30-day deadline is not sufficient to investigate the complaint, we will inform the complainant accordingly. In this case, we will provide a written, reasoned response within 3 months of the complaint being made, using the same method as the complaint was made.

If, after investigating the complaint, we find that it was factual and justified, we will inform you of the manner and extent of the remedy at the same time as the complaint is decided.

If the complaint is rejected, we will inform you in writing that you may refer the complaint to the National Authority for Data Protection and Freedom of Information (hereinafter: NAIH) or, in the event of an injury, to the court.

The NAIH assists in enforcing the rights of data subjects by issuing formal letters: https://naih.hu/panaszuegyintezes-rendje.html

• Complaints: NAIH; 1055 Budapest, Falk Miksa u. 9-11,
• E-mail address: ugyfelszolgalat@naih.hu
• tel.: +36(1) 391 1400
• website: www.naih.hu

1. Data protection incidents and their handling

Data protection incident: any activity, intervention or omission that enables the unlawful processing or handling of personal data, in particular unauthorized access, alteration, transfer, disclosure, deletion or destruction, as well as accidental destruction or damage.

If you notice any such incident in connection with our activities, please report it as soon as possible by email to info@leonoria.hu or by phone: +3620 5826 990

As the data controller, we will record the report and immediately begin investigating it. If the data protection incident occurred in relation to an IT system, we will also inform the service providers responsible for operating the databases concerned.

In order to investigate the report and handle the incident, we will collect all information that may be necessary to identify it, mitigate any damage and develop further measures to prevent it from recurring. Where possible, we will record

• the time and place of the incident
• a description of the incident, its circumstances and effects
• the scope and number of data compromised during the incident,
• the scope of persons affected by the compromised data

In addition, in accordance with legal requirements, we will report the incident to the Authority (NAIH) within 72 hours.

Data Protection Officer: As data controllers, we do not process large amounts of personal data or personal data that can be classified as particularly sensitive in connection with our main activities, therefore we do not consider it necessary to appoint or employ a data protection officer, nor are we required to do so by the applicable legal regulations.

Note: As data controller, we reserve the right to continuously update this Privacy Policy and to unilaterally modify the information contained herein in accordance with changes in the law. The currently valid Privacy Policy is always available on our website.

Budapest, May 2025

Leonória Edutainment Kft.