This website uses cookies to improve your browsing experience, analyze site traffic, and display personalized content and advertisements. Cookies are small text files stored on your device by your browser. Some cookies are essential for the website to function properly (e.g., cart, login), while others are used for analytics or marketing purposes. By continuing to use this website, you agree to our use of cookies. You can change your cookie preferences at any time in your browser settings. More information: Privacy Policy
Introduction
OutletClub.hu Kft. (registered office: 1194 Budapest, Puskás Ferenc utca 20. Fsz. 1. ajtó, Hungary; tax number: 24688628-2-43; company reg. no.: 01-09-348487) (hereinafter: Service Provider, Controller) submits to the following rules.
Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR), we provide the following information.
This Privacy Notice governs data processing on the website: https://ultraherb.eu
The Privacy Notice is available at: https://ultraherb.eu/privacy (or equivalent page).
Amendments take effect upon publication at the above link.
Controller and Contact Details
Name: OutletClub.hu Kft.
Registered office: 1194 Budapest, Puskás Ferenc utca 20. Fsz. 1. ajtó
E-mail: info@ultraherb.eu
Phone: +36 (20) 342 9947
Definitions
“personal data”, “processing”, “controller”, “processor”, “recipient”, “data subject’s consent”, “personal data breach” have the meanings set out in the GDPR.
Principles of Processing
We process personal data in line with GDPR Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. The Controller declares compliance with these principles.
Data Processing Related to Operating the Webshop / Providing Services
1) Categories of Data, Purposes and Legal Bases
| Personal data | Purpose | Legal basis |
|---|---|---|
| Username | Identification, enabling registration | GDPR Art. 6(1)(b); Hungarian E-commerce Act (Elker tv.) §13/A(3) |
| Password | Secure login to user account | (necessary for contract performance) |
| First and last name | Contact, purchase, lawful invoicing, exercising right of withdrawal | GDPR Art. 6(1)(b) |
| E-mail address | Contact | GDPR Art. 6(1)(b) |
| Phone number | Contact; efficient coordination on billing/shipping | GDPR Art. 6(1)(b) |
| Billing name and address | Issuing lawful invoices; contract creation/performance; invoicing fees; enforcing claims | GDPR Art. 6(1)(c); Hungarian Accounting Act §169(2) |
| Shipping name and address | Enabling home delivery | GDPR Art. 6(1)(b); Elker tv. §13/A(3) |
| Time of purchase/registration; IP address | Technical operations, security | GDPR Art. 6(1)(f) – legitimate interests (system security) |
Data subjects: all users who register and/or purchase on the website.
Note: username and e-mail do not have to contain natural-person data.
2) Retention
Until the data subject’s erasure request is fulfilled, except for accounting documents retained for 8 years under the Accounting Act §169(2). Contractual data may be erased after expiry of civil law limitation (generally 5 years, Civil Code §6:22).
3) Access and Recipients
Personal data may be accessed by the Controller and authorised staff, in line with the above principles.
4) Data Subject Rights (summary)
Right of access, rectification, erasure, restriction, portability, withdrawal of consent; right to lodge a complaint with the supervisory authority.
5) Legal Bases (overview)
-
GDPR Art. 6(1)(b), (c), (f)
-
Elker tv. §13/A(3)
-
Accounting Act §169(2)
-
Civil Code §6:22 (5-year limitation)
Notice: provision of necessary data is required to fulfil your order; without it we cannot process the order.
Cookies
-
No prior consent is required for session, cart, security, strictly necessary, functional and website statistics cookies.
-
Processed data: unique ID, dates, timestamps.
-
Data subjects: all visitors to the website.
-
Purpose: user identification and visitor tracking.
-
Retention:
-
Session cookies: until end of session (Elker tv. §13/A(3))
-
Persistent cookies: until deleted by the data subject
-
Analytics/marketing cookies: 1 month – 2 years
-
For necessary cookies, the Controller does not process personal data.
-
Cookies can be deleted in your browser settings.
-
Legal basis: consent is not required where storage/access is strictly necessary for transmission over an electronic communications network or for providing an information society service explicitly requested by the user (ePrivacy / Elker).
-
Major browsers allow cookie preference management (Chrome, Edge/IE, Firefox, Safari).
Google Ads Conversion Tracking
We use Google Ads conversion tracking (Google Ireland/Google LLC). When a user arrives via a Google ad, a conversion cookie with limited validity is placed and contains no personal data. If you do not wish to participate, disable cookie storage in your browser.
Further information: Google Privacy Policy – policies.google.com/privacy
Google Analytics
This site uses Google Analytics. IP anonymisation is enabled: your IP address is shortened within the EU/EEA; full IP is sent to the USA only in exceptional cases. The IP transmitted by your browser is not merged with other Google data.
Opt-out browser add-on: tools.google.com/dlpage/gaoptout
Automated Newsletter Delivery (Processor)
Processor:
M.I. Solution Kft. – 2045 Törökbálint, Hosszúrét u. 1.
Tel.: +36 20 362 8289 • E-mail: info@miclub.hu
Scope of data: all personal data provided during use of the service.
Purpose: operation of services on the website (e.g., newsletters).
Retention: until the controller–processor agreement ends or until the data subject’s erasure request.
Legal basis: GDPR Art. 6(1)(a), (c); Elker tv. §13/A(3).
Operation note: cookies and click events may be used to tailor automated emails; unsubscribe at any time via the link in the footer to stop emails and such tracking.
Árukereső (Price Comparison) – “Trusted Shop” Programme
Processor: Online Comparison Shopping Kft. (Árukereső) – 1074 Budapest, Rákóczi út 70–72.
Purpose: post-purchase satisfaction surveys; Legal basis: GDPR Art. 6(1)(a) (consent).
Árukereső processes any transmitted e-mail addresses under its own privacy policy.
Newsletters / Direct Marketing
-
Legal basis: GDPR Art. 6(1)(a) + Act XLVIII of 2008 §6
-
Data: name, e-mail; time of subscription and IP address
-
Purpose: send electronic marketing messages (e-mail, SMS, push); updates on products, promotions, new features
-
Retention: until withdrawal (unsubscribe)
-
Rights: access, rectification, erasure, restriction, objection, portability
Unsubscribe anytime free of charge via the link in each message.
Complaints Handling
Data: name, e-mail, phone, billing name and address.
Purpose: handling complaints and product/service quality issues.
Legal basis: GDPR Art. 6(1)(c); Act CLV of 1997 on Consumer Protection §17/A(7).
Retention: 3 years (records and responses).
Recipients
1) Processors (acting on behalf of the Controller)
-
Hosting: ShopRenter.hu Kft. (4028 Debrecen, Kassai út 129.; info@shoprenter.hu; www.shoprenter.hu; Tel.: +36 70 410 2535, +36 1 234 5011)
-
Other processor (e.g., online invoicing, web development, marketing):
Nagy Machinátor – Progen Kft. (www.progen.hu; info@progen.hu; Tel.: +36 1 481 9000)
Processors act only on the Controller’s instructions. The Controller remains legally responsible for their activities.
2) Transfers to Independent Third-Party Controllers (for their own purposes)
-
Delivery / shipping:
GLS Hungary Kft. (2351 Alsónémedi, Európa u. 2.; info@gls-hungary.com; Tel.: +36 29 886 694)
MPL Magyar Posta Logisztika Kft. (1138 Budapest, Dunavirág u. 2–6.; ugyfelszolgalat@posta.hu; Tel.: +36 1 767 8282; terms and privacy at posta.hu) -
Online payments:
OTP Mobil Kft. (1143 Budapest, Hungária krt. 17–19.; Licence: 983/1997/F; Tel.: +36 1 366 6611)
These third parties process any data received under their own privacy policies.
Social Media
UltraHerb.eu may be present on Meta/Twitter/Pinterest/YouTube/Instagram. Data processing on these platforms is governed by the respective providers’ own policies. Legal basis: the data subject’s voluntary consent on those platforms.
Customer Contact and Other Processing
For queries or issues, you can contact us by phone, e-mail or social media. Incoming messages (with the data you provide) are retained for up to 2 years from disclosure, then deleted. In exceptional official requests, we provide data strictly to the extent necessary and required by law.
Data Subject Rights – Details
-
Right of access
-
Right to rectification
-
Right to erasure
-
Right to be forgotten (where applicable)
-
Right to restriction
-
Right to data portability
-
Right to object (notably where based on legitimate interests or for direct marketing)
-
Right not to be subject to automated decision-making, including profiling, except where permitted by GDPR (contract necessity, Union/Member State law, or explicit consent with safeguards)
Response time: without undue delay and within 1 month of receipt; may be extended by 2 months where necessary (you will be informed of reasons within 1 month).
Security of Processing
We implement appropriate technical and organisational measures proportionate to risk, including pseudonymisation and encryption where appropriate, ensuring confidentiality, integrity, availability and resilience of systems; backup and recovery; access control; physical and IT security; and regular testing and evaluation. Paper records are stored securely and disposed of safely; electronic data uses role-based access, antivirus, backups and logging.
Personal Data Breach Notifications
Where a breach is likely to result in a high risk to rights and freedoms, we inform affected data subjects without undue delay and notify the supervisory authority within 72 hours, unless the breach is unlikely to result in a risk.
Periodic Review of Mandatory Processing
Where the duration of mandatory processing is not set by law, we review at least every three years whether processing remains necessary, document the review and retain the documentation for ten years, making it available to the supervisory authority upon request.
Complaints – Supervisory Authority
You may lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH):
1055 Budapest, Falk Miksa utca 9–11.
Mailing address: 1363 Budapest, Pf. 9.
Phone: +36 1 391 1400 • Fax: +36 1 391 1410
E-mail: ugyfelszolgalat@naih.hu
Closing Note
This Notice was prepared with regard to: GDPR (EU 2016/679); Act CXII of 2011 (Info Act); Act CVIII of 2001 (E-commerce – esp. §13/A); Act XLVII of 2008 (Unfair Commercial Practices); Act XLVIII of 2008 (Commercial Advertising – esp. §6); Act C of 2003 (Electronic Communications – esp. §155); relevant EASA/IAB recommendations; and NAIH guidance.