Privacy
Privacy Policy

INTRODUCTION
The ingyenpolo.com website (hereinafter referred to as: Service Provider, Data Controller) adheres to the following information.
We provide the following information according to the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons concerning the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).

This privacy policy governs the data processing of the following website: ingyenpolo.com

DEFINITIONS

1. "Personal data": Any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
2. "Processing": Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3. "Controller": A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
4. "Processor": A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
5. "Recipient": A natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
6. "Data subject's consent": Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
7. "Data breach": A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA
Personal data must be:
a. Processed lawfully, fairly, and transparently concerning the data subject ("lawfulness, fairness, and transparency");
b. Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes (Article 89(1)) ("purpose limitation");
c. Adequate, relevant, and limited to what is necessary concerning the purposes for which they are processed ("data minimisation");
d. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy");
e. Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) subject to the implementation of appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ("storage limitation");
f. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures ("integrity and confidentiality").

The controller shall be responsible for, and be able to demonstrate compliance with, the above principles ("accountability").

DATA PROCESSING

DATA PROCESSING RELATED TO THE OPERATION OF THE ONLINE STORE

1. The fact of data collection, scope of processed data, and purpose of data processing:

• First and last name: Required for contact, purchasing, issuing an invoice, and exercising the right of withdrawal.
• Email address: Communication purposes.
• Phone number: Communication purposes, ensuring more efficient coordination of billing or delivery issues.
• Billing name and address: Issuing a valid invoice, creating and defining the content of the contract, monitoring its fulfillment, invoicing fees arising from the contract, and enforcing related claims.
• Shipping name and address: Facilitating home delivery.
• Age: Verification of eligibility for participation.
• Date of purchase: Technical operation.
• IP address at the time of purchase: Technical operation.

2. Regarding the email address, it is not required to contain personal data.
3. Data subjects: All individuals placing an order on the website.
4. Duration of data processing, deadline for data deletion: A maximum of 5 years. Upon deletion of any personal data provided by the data subject, the data controller notifies the data subject electronically in accordance with Article 19 of the GDPR. If the data subject's deletion request includes their provided email address, the controller will delete the email address after notification, except for accounting records.
5. Authorized potential data controllers and recipients of personal data: Personal data may be processed by sales and marketing personnel of the data controller while respecting the principles above.
6. Information about the rights of data subjects regarding data processing:

• The data subject may request access to, correction, deletion, or restriction of processing of their personal data from the controller.
• The data subject has the right to data portability and to withdraw their consent at any time.

7. Methods to initiate access, deletion, modification, restriction of processing, data portability, or objection to data processing:

• Via email at info@ingyenpolo.com.

8. Legal basis for data processing:

• GDPR Article 6 (1) (b): Processing is necessary for the performance of a contract to which the data subject is party.

The service provider processes personal data necessary for providing the service. The service provider must choose and operate tools for delivering the service in such a way that personal data is processed only if essential for the service and only to the extent and duration necessary.

9. We inform you that:

• Data processing is necessary to fulfill the contract.
• You are obliged to provide personal data to fulfill your order.
• Failure to provide the required data will result in the inability to process your order.

DATA PROCESSORS USED

Delivery

1. Activity performed by the processor: Product delivery and transport.
2. Name and contact details of the processor: DPD
• Email: dpd@dpd.com
3. Fact of data processing and scope of processed data: Shipping name, shipping address, phone number, and email address.
4. Data subjects: All individuals requesting home delivery.
5. Purpose of data processing: To facilitate the delivery of ordered products.
6. Duration of data processing: Until the delivery is completed.

Hosting Provider

1. Activity performed by the processor: Hosting services.
2. Name and contact details of the processor: GoDaddy
3. Fact of data processing and scope of processed data: All personal data provided by the data subject.
4. Data subjects: All individuals using the website.
5. Purpose of data processing: Making the website accessible and ensuring its proper operation.
6. Duration of data processing: Until the termination of the agreement between the controller and the hosting provider, or until the data subject requests deletion from the hosting provider.

COMMUNICATION:

Messages are delivered to our customers via the MyNextMail.com messaging service. For message processing, all provided personal data are forwarded, as these are included in the outgoing message content as well.

• Contact: info@mynextmail.com

COOKIES MANAGEMENT

1. Typical cookies in online stores include "password-protected session cookies," "cookies necessary for shopping carts," and "security cookies," which do not require prior consent from the data subject.
2. Fact of data processing and scope of processed data: Unique identifier, dates, and times.
3. Data subjects: All visitors of the website.
4. Purpose of data processing: Identifying users, maintaining the "shopping cart," and tracking visitors.
5. Duration of data processing and deadlines for data deletion:

1. Authorized personnel: The data controller does not process personal data through cookies.
2. Rights of data subjects: Data subjects can delete cookies in their browsers under the Tools/Settings menu, typically in the Privacy settings.
3. Legal basis for data processing: Consent is not required if cookies are used solely for electronic communication or providing a service explicitly requested by the user.

USE OF GOOGLE ADS CONVERSION TRACKING

1. The data controller uses the Google Ads online advertising program and its conversion tracking service. Google Conversion Tracking is an analytical service by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).
2. If the user reaches a website via a Google advertisement, a conversion tracking cookie is placed on their computer. These cookies have limited validity and do not contain personal data, so the user cannot be identified.
3. Further details are provided in Google's privacy policy: www.google.de/policies/privacy.

USE OF GOOGLE ANALYTICS

1. This website uses Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses "cookies," which are text files placed on your computer to help analyze how users use the website.
2. The information generated by the cookies regarding your use of the website is generally transferred to and stored on a Google server in the USA. With IP anonymization activated on this website, Google will shorten your IP address within the member states of the European Union or other parties to the Agreement on the European Economic Area before transferring it.
3. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. On behalf of the website operator, Google will use this information to evaluate your use of the website, compile reports on website activity, and provide other services relating to website activity and internet usage.
4. The IP address transmitted by your browser within the scope of Google Analytics will not be combined with other Google data. You can prevent the storage of cookies by selecting the appropriate settings in your browser software. However, please note that in this case, you may not be able to fully use all of this website's features.
5. Furthermore, you can prevent Google from collecting and processing data generated by cookies and related to your website use (including your IP address) by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.

HANDLING COMPLAINTS

1. Fact of data collection, scope of processed data, and purpose of data processing:

1. Data subjects: All customers who purchase on the website and submit a complaint.
2. Duration of data processing, deadline for data deletion: Complaint records and responses will be retained for 5 years.
3. Authorized data processors and recipients: The data may be processed by sales and marketing personnel of the data controller in compliance with the principles mentioned above.
4. Information about the rights of data subjects:
• The data subject may request access, correction, deletion, or restriction of processing of their personal data.
• The data subject has the right to data portability and to withdraw their consent at any time.
5. Methods to exercise rights regarding data processing:
• Via email at info@ingyenpolo.com.
6. We inform you that:
• Providing personal data is based on contractual and legal obligations.
• The processing of personal data is a prerequisite for contract fulfillment.
• Failure to provide the required data will result in the inability to process complaints.

SOCIAL MEDIA PAGES

1. Fact of data collection and scope of processed data: Name registered on social media platforms (Facebook/Twitter/Pinterest/YouTube/Instagram, etc.) and the user’s public profile picture.
2. Data subjects: Any user who registers on these social media platforms and “likes” or shares the website’s content.
3. Purpose of data processing: To share and promote certain content, products, campaigns, or the website itself on social media platforms.
4. Duration of data processing and data deletion: Information about data processing, data transfer, and legal basis can be found on the respective social media platform. Processing takes place on the social media platforms, and their rules apply to the duration, modification, or deletion of data.
5. Legal basis for data processing: Voluntary consent of the data subject for processing personal data on social media platforms.

CUSTOMER COMMUNICATION AND OTHER DATA PROCESSING

1. If the data subject has any questions or issues while using the data controller's services, they may contact the data controller through the provided channels (phone, email, social media, etc.).
2. The data controller deletes any emails, messages, or data provided through social media, including the data subject’s name and email address, within 2 years from the date of data submission.
3. For any data processing not explicitly listed in this notice, the data controller provides information at the time of data collection.
4. The Service Provider may be obligated to disclose or transfer data to authorities or other organizations under legal obligations. In such cases, the Service Provider ensures that only the minimum data necessary to fulfill the request is disclosed.

RIGHTS OF DATA SUBJECTS

1. Right of access: You have the right to request confirmation as to whether your personal data is being processed and access information as outlined in the GDPR.
2. Right to rectification: You have the right to request correction of inaccurate personal data without undue delay and to complete any incomplete data.
3. Right to erasure: You may request the deletion of your personal data if specific conditions under the GDPR apply.
4. Right to be forgotten: If the controller has made personal data public and must delete it, reasonable steps will be taken to inform other controllers to erase links, copies, or replications of the data.
5. Right to restriction of processing: You may request restriction of processing if:
• You contest the accuracy of the data;
• The processing is unlawful but you oppose deletion;
• The data is no longer needed by the controller, but you need it for legal claims;
• You object to processing, pending verification of the controller's legitimate interests.
6. Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
7. Right to object: You may object to the processing of your personal data, including profiling.
8. Right to object to direct marketing: If your data is processed for direct marketing, you can object at any time, and the data will no longer be used for this purpose.
9. Right not to be subject to automated decision-making: You have the right not to be subject to decisions based solely on automated processing, including profiling, that significantly affects you.

DEADLINE FOR TAKING ACTION

The data controller shall inform the data subject without undue delay, but no later than 1 month from receiving the request, about the measures taken in response to the request outlined in the previous sections.

If necessary, this period may be extended by 2 months. The controller shall inform the data subject of the extension within 1 month of receiving the request, along with the reasons for the delay.

If the controller does not take action on the data subject's request, it shall inform the data subject without delay, but at the latest within 1 month of receiving the request, of the reasons for not taking action and the possibility of lodging a complaint with a supervisory authority and seeking judicial remedy.

SECURITY OF DATA PROCESSING

The controller and the processor shall implement appropriate technical and organizational measures, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk, including:

1. The pseudonymization and encryption of personal data;
   b. Ensuring the confidentiality, integrity, availability, and resilience of processing systems and services;
   c. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
   d. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.

NOTIFICATION OF DATA BREACH TO THE DATA SUBJECT

If a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall communicate the personal data breach to the data subject without undue delay.

The notification to the data subject shall describe the nature of the personal data breach, the name and contact details of the data protection officer or other contact points, the likely consequences of the data breach, and the measures taken or proposed to address the data breach and mitigate its possible adverse effects.

The data subject does not need to be informed if:

• The controller has implemented appropriate technical and organizational protection measures (e.g., encryption) and these measures were applied to the data affected by the breach.
• The controller has taken subsequent measures that ensure the high risk to the rights and freedoms of data subjects is no longer likely to materialize.
• Notification would involve disproportionate effort. In such cases, the data subject shall be informed through publicly available information or similar means.

If the data controller has not yet communicated the data breach to the data subject, the supervisory authority may require the data controller to do so, considering the likelihood of high risks.

REPORTING A DATA BREACH TO THE AUTHORITY

The data controller shall notify the supervisory authority of the data breach without undue delay and, where feasible, within 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by reasons for the delay.

REVIEW OF MANDATORY DATA PROCESSING

If the duration or periodic review of mandatory data processing is not defined by law, a local government regulation, or a binding legal act of the European Union, the controller shall review at least every three years whether the processing of personal data is still necessary to achieve the purpose of the processing.

The circumstances and results of this review shall be documented by the controller, and this documentation shall be retained for ten years following the review. Upon request, the documentation shall be made available to the National Authority for Data Protection and Freedom of Information (hereinafter referred to as: Authority).

Game Rules and Conditions of Participation

OFFICIAL GAME RULES

1. General Provisions

1.1. These Game Rules (hereinafter: “Rules”) govern the online prize games organized by the Organizer (hereinafter: “Game” or “Games”).

1.2. The Games are not considered gambling, participation in the Game does not require payment of money or purchase of goods, nor the conclusion of a contract or participation in an advertising event.

1.3 Participation in the Games is voluntary.

1.4 The Organizer reserves the right to change the duration of the Games.

Participation in the Game constitutes automatic acceptance of these Official Game Rules.

2. Organizer and Organizer of the Game

2.1. The organizer and organizer of the Game is ingyenpolo.com

3 Duration and Place of the Game

3.1. The Games are held on the Organizer’s website

4. Conditions of Participation

4.1. Any natural person (hereinafter referred to as: Player) who has reached the age of 10 may participate in the Game. The Organizer has the right to verify the identity of the Player and the Winner in order to ensure the success of the Game.

4.2. The Organizer’s senior officials and employees, as well as the close relatives of these persons, may not participate in the Game.

4.3. The Organizer has the right to exclude from the Game any Player who violates the provisions of the Game Rules during the Game, or who otherwise commits fraud during the Game, or acts in bad faith, or who violates the Organizer’s legitimate interests.

5.1. The Game is governed by these Rules.

5.2 In each Game, only as many Players may win as there are prizes in the given Game.

5.3 By participating in the Game, the participant confirms that he/she accepts these Rules, acknowledges them as binding on him/her and consents to the processing of his/her personal data.

6. Prizes, winners

We will distribute various material prizes among the participants in the game, provided by our partners, in the available quantity.

The participants expressly agree that if there is not enough material prize to be distributed, the Organizer may compensate the participants in any other way (coupon, discount, digital product, digital asset, etc.), or the participant may be left without any compensation or without a gift. The Organizer may exclude any player from the game at its own discretion, without giving any reason, and the player may not make any claim for compensation for this.

7. Announcement of winners and delivery of prizes

7.1 The Organizer will contact the winner by e-mail.

7.2. If the winner fails to agree on the time and method of prize delivery within 7 days of contact, or if the winner does not accept the prize in accordance with the Organizer's instructions, the winner's right to receive the prize shall be terminated, and the Organizer may decide to give the prize to another participant in the Game.

7.3. The prize is not exchangeable for cash and is not transferable, and cannot be enforced in court.

7.4 The Organizer is not liable for defects in the prizes or for any damage caused by them.

If the prize is delivered by post, the Organizer is not liable for any damage caused to the prize during postal delivery or for the loss of the prize.

8. Participation in the Game as consent to the processing of personal data

8.1. Participation in the Game is voluntary.

The Participant acknowledges that the General Data Protection Regulation [Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016; hereinafter: GDPR Regulation] shall apply to the processing of personal data.

The Participant declares that he/she gives the Organizer and the implementing company his/her full, express and informed consent to the processing of his/her personal data in accordance with points 6 and 7 of the Regulations.

The Organizer shall not be liable for any incorrect data provided by the Participant.

The Organizer, as the data controller, shall be entitled to process the Player’s personal data for 5 years from the start of the Game, even if the Player withdraws his/her consent, for the purposes of data processing indicated above, based on the Organizer’s legitimate interest, in accordance with point f) of Article 6(1) of the GDPR.

Given that the data processing is based on consent, the Player may withdraw the consent at any time with effect for the future without calling into question the lawfulness of the data processing already carried out.

The withdrawal of consent does not affect the lawfulness of the data processing based on the consent given before the withdrawal.

The withdrawal of the relevant consent before the end of the Game period will result in exclusion from the Game and the impossibility of informing about the prize. The Player acknowledges that requesting the deletion of data necessary for the conduct of the Game before the prize is awarded will lead to exclusion from the Game.

8.3. According to the GDPR, Players, as data subjects, have the following rights:

- the right to be informed about the data controller and the data protection officer;

- the right to be informed about the purpose of the processing of personal data;

- the right to access personal data and whether or not personal data is being processed;

- the right to lodge a complaint;

- the right to rectify personal data;

- the right to erase personal data (the right to be forgotten);

- the withdrawal of consent to the processing of personal data;

- the right to restrict data processing;

- the right to data portability;

- the right to object;

- any other rights granted by the regulation.

8.4. The data controller and the data processor shall act in compliance with the relevant legal requirements during data processing. The Data Controller (Organizer) ensures the security of the Players’ personal data and takes the technical and organizational measures and develops the procedural rules necessary to ensure the adequate protection of the Players’ (participants’) personal data. The Data Controller treats personal data confidentially. Its data processing principles are in accordance with the applicable data protection legislation.

9. Final provisions

9.1. The Organizer reserves the right to amend the rules and/or conditions of the Game at any time, including amending the duration of the Game, or to interrupt the Game at any time without compensation, starting from the date of publication on the Organizer’s Facebook page.

9.2 The Organizer is not liable for technical problems related to participation in the Game.

9.3 The Organizer is not liable for any damages caused by or in connection with the preparation or implementation of the Game, participation in the Game or winning the Game.

9.4 By participating in the Game, the Player accepts the rules set out in the Game Rules and Game Description and undertakes to fully comply with them.

9.5 Participation in the Game cannot be legally enforced.