Privacy notice

(registration number: 59087166, tax number: 49380152-1-42, registered office: 1161 Budapest, Rákosi út 102., hereinafter referred to as „Data Controller”) operated by Sybell Informatika Kft. in order to inform you about the processing of data concerning natural persons collected and processed during the visit to the loulou.hu website (hereinafter referred to as „Webshop”) and the purchase of goods from the Webshop (hereinafter referred to as „Purchase”).

The data controller is engaged in the production and sale of confectionery products, cakes and pastries in the Loulou Cake Studio unit. In view of the fact that, in addition to ordering directly from the Data Controller, the confectionery products can also be purchased in a Webshop, the Data Controller publishes the following information in accordance with the provisions of Regulation (EC) No 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46 (General Data Protection Regulation, hereinafter „GDPR”), in order to explain the detailed rules on the processing of natural persons with regard to the Webshop:

The Data Controller shall publish this Privacy Notice in a prominent place on its website for the benefit of customers (hereinafter referred to as „Customer”) interested in the products it advertises and offers for sale. The Privacy Notice shall enter into force upon publication and shall remain in force until the Data Controller publishes a new Privacy Notice.

The Data Controller reserves the right to unilaterally amend this Privacy Policy, in which case the previous Privacy Policy shall apply to browsing, product purchases and data processing that have been started but not yet completed prior to the publication of the amended Privacy Policy. In the interests of transparency and customer focus, the Data Controller shall publish on its website a separate notice of any amendments to this Notice. The Data Controller nevertheless undertakes to regularly review and, if necessary, update the Privacy Notice published on its website to ensure that its personal data processing activities comply with the applicable laws.

I. The legal authorisations relating to your personal data include, but are not limited to:

- Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information
- Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (Act on the Protection of Information Society Services)
- Act V of 2013 on the Civil Code
- the GDPR Regulation mentioned above

II. Definitions:

personal data: any information relating to an identified or identifiable natural person („data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

an identifiable natural person: a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;

data management: whatever the procedure used, any operation or set of operations which is performed upon the data, in particular any collection, recording, organisation, storage, alteration, use, retrieval, disclosure, transmission, alignment or combination, blocking, erasure or destruction of data, prevention of their further use, taking of photographs, sound recordings or images and the recording of physical characteristics which can be used to identify a person (e.g. fingerprints, palm prints, DNA samples, iris scans);

data controller: the natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes and implements the decisions concerning the processing (including the means used) or has the possibility to have the processing carried out with the processor, within the limits set by law or by a legally binding act of the European Union;

data processing: all processing operations carried out by a processor acting on behalf of or under the authority of the controller;

data processor: a natural or legal person or an unincorporated body which, within the limits and under the conditions laid down by law or by a legally binding act of the European Union, processes personal data on behalf of or under the authority of the controller; which performs purely technical tasks related to the processing operations (e.g.: recording of data);

data transmission: making the data available to a specified third party;

privacy incidents: a breach of data security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or transmission of, or access to, personal data transmitted, stored or otherwise processed;

recipient: the natural or legal person, public authority, agency or any other body with whom or to which the personal data are disclosed, whether or not a third party;

third party: a natural or legal person or unincorporated body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are carrying out operations which are intended to process personal data.

III. Principles of data management:

The Data Controller attaches particular importance to the processing, secure use and recording of personal data provided by Customers in accordance with applicable laws and regulations, to ensuring the full exercise of Customers' rights of informational self-determination and to providing detailed information on personal data processing.

The Data Controller processes your data in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, accuracy, limited storage, integrity and confidentiality, and accountability, which it fully commits its employees and staff to uphold.

The principle of purpose limitation applies to the processing of data for specified and unambiguous purposes, as explained below, while data economy means that the Data Controller only processes data that is strictly necessary for the purpose, and in accordance with the principle of limited storage, i.e. only for the time strictly necessary.

The Data Controller informs you that after the expiry of the period or criteria for determining the period specified below, the Data Controller will irrevocably destroy your personal data and will retain them solely for the purpose of statistical analyses and calculations, for the purpose of its development, and that they can no longer be associated with you in any way whatsoever, and that they can no longer be used to identify you.

IV. Lawfulness of our data processing

1./ Processing based on consent: the clear, voluntary, explicit and properly informed expression of the Customer's will, by which the data subject indicates, by means of a statement or other conduct unambiguously expressing his or her will, that he or she consents to the processing of personal data concerning him or her;

2./ Processing for the performance of a contract: the performance of a contract to which the Customer is a party;

3./ Processing for the fulfilment of a legal obligation: processing is necessary for the fulfilment of a legal obligation to which the Data Controller is subject (e.g.: accounting, bookkeeping);

4./ Processing for legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party;

5./ Processing of data pursuant to Article 13/A of the Act on the Protection of Information Society Services: according to which the Data Controller may process the Customer's natural person identification data necessary for the identification of the Customer for the purposes of creating, defining the content of, amending, monitoring the performance of, invoicing the fees arising from, and enforcing claims in connection with the provision of information society services.

V. Data asset map

In the following, we inform you about the scope of your personal data that we process and the lawfulness of the processing and its intended use. Data subjects can visit our website and use our Webshop service, through which they can purchase the confectionery products, cakes and pastries of Loulou Tortastúdió, operated by Péter Horváth Ev. in the desired quantities.

The scope of personal data processed and recorded is set out below:

  1. user circle - Browser status: If you are browsing and collecting information on our website indicated above, you are using our website service (hereinafter referred to as „Browser”) as a browser until you make a purchase from our Web Store. As a Browser, we do not hold or store any personally identifiable information about you. However, even while you browse, we create a technical identifier called a cookie (an information packet consisting of letters and numbers), which does not collect any information about you, but rather sends us information about your usage patterns on the computer from which you are logged in. So, we receive information about the pages you open on your computer, the clicks you make and the browser you use, but we can only link this information to the computer you are using at that moment, not to you. The cookie is used to make your use of our website more convenient, efficient and enjoyable, and to send you personalised promotions and advertising. You do not provide us with the necessary information to create the technical identifier, but we collect it when you use the website, taking into account the above. Thus, the exchange of data is in fact automatic during the communication between computers. The legal basis for the use of cookies is your consent, since by clicking on the „I accept” button in a window that automatically pops up when you open the page, you give your consent to the lawful use of the aforementioned. You can also delete cookies from your computer or disable their use in your browser at any time. The management of cookies is usually possible in the Tools/Preferences menu of browsers under Privacy settings, under the designation cookie; doing so is considered a withdrawal of your consent. Please also note that we may use a web beacon when you visit our site. A web beacon is a small, usually unnoticeable image placed on the website. By placing web beacons, your actions as a browser on the website can be tracked and statistics can be generated from the data obtained.
  2. user circle - Buyer status: If you wish to purchase products offered in the Webshop published on our website, you can do so by providing the following personal information.

The Customer is required to provide this information when making an online purchase.

  1. surname and first name*
  2. email address*
  3. phone number
  4. billing address* (if different from the delivery address)
  5. delivery address*
  6. the amount of the purchase
  7. date of purchase*
  8. bank details required for online card payments* (name, card number, issuing bank, card expiry date, CVV code)

We would like to inform you that the data marked with * in the above table are essential for the conclusion of the contract, and are a prerequisite for the conclusion of the contract. Without the above personal data, we will not be able to conclude or perform a contract with you. Please note that you will be required to provide a delivery address if it is different from the billing address.

VI. Data controller and processors

A.) Data Controller: Your personal data specified in point V. is processed by the following person as Data Controller: Péter Horváth Ev. (registration number: 59087166, tax number: 49380152-1-42, registered office: 1161 Budapest, Rákosi út 102.) Please note that only the Data Controller has access to your data specified in point V. No Data Protection Officer has been appointed under the GDPR Regulation, as the scale and nature of the processing does not require it.

B.) Data processors: the Data Controller transfers your personal data as defined in point V to the following companies, or these companies have access to the data we hold about you for the following purposes, which are strictly necessary for the achievement of the purpose. hello@sybell.hu, the company that provides the operational platform for our Webshop.

VII. Email marketing rights - newsletters

Please note that if you have provided your email address on our website for any reason (including when making a purchase), we will periodically send you newsletters containing advertising, offers and other information to ensure that you receive updates as soon as possible. The legal basis for the processing of your personal data as set out in this point is the legitimate interest of the Data Controller, given that you have the right to email marketing for direct marketing purposes. Your data received in this form will be processed for as long as the newsletter service used by the Data Controller is operational; however, if you object to this and the conditions set out in the GDPR apply, your personal data as defined in this point will be deleted and we will no longer send you newsletters. Please also be informed that if you unsubscribe from the newsletter, you will be added to a separate list of persons who no longer wish to receive the newsletter.

VIII. Your rights regarding the processing of your personal data

Right of access: You have the right to ask us to inform you about the purposes for which we process your data, the categories of data to which they relate, the categories of recipients, i.e. the recipients with whom we are or will be communicating your personal data, including in particular recipients in third countries or international organisations, the duration of the storage of the data or the criteria for determining that duration. You may request a one-time copy of your data that we process, free of charge, and we will charge a fee for additional copies.

Right to rectification, erasure (right to be forgotten): You have the right to request the Controller to correct, rectify, amend or supplement your personal data at any time if you notice that it is not recorded correctly or has changed. Upon receipt of such a request, the Controller shall comply with it without delay. You may request the deletion of your data in the cases provided for by law, which will be carried out if the conditions set out in Article 17 of the GDPR and Article 20 of the Info Act are met. In such cases, your data will be permanently and irrevocably deleted from our records.

Right to restriction of processing: You may request that we restrict the processing of your data in the cases set out in Article 18 of the GDPR and Article 19 of the Info Act.

In relation to the rights set out above, we also inform you that, in the case of requests with the above content, we will inform all recipients to whom we have previously disclosed personal data of these operations, unless this would involve disproportionate difficulties.

Right to data portability: Under Article 20 of the GDPR, you may request that we disclose your personal data processed for the purposes of your consent or for the performance of a contract or transfer those data directly to another controller at your request.

Right to object: You may object at any time to the processing of your data based on the legitimate interests of the Data Controller.

Withdraw consent: Where our processing is based on your consent, you have the right to withdraw your consent at any time. Please note, however, that such withdrawal is not retroactive and therefore does not affect the lawfulness of our processing prior to the withdrawal.

Right to complain: If you become aware of unlawful processing of your data or if you suffer damage to your rights in relation to our processing, you have the right to lodge a complaint with the supervisory authority or to bring a civil action before the competent court.

Contact details of the supervisory authority (National Authority for Data Protection and Freedom of Information):

- Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
- Phone: +36 (1) 391-1400
- Fax: +36 (1) 391-1410
- Email: ugyfelszolgalat@naih.hu
- Website: https://naih.hu/

IX. Ensuring data security

If we become aware of a data breach, we will notify the supervisory authority referred to in point VIII without delay, but no later than 72 hours. If we determine that the personal data breach is likely to result in a high risk to your rights and freedoms, we will also notify you within 72 hours at the latest. Please be informed that we have in place an internal data protection policy that complies with the law and that we implement and maintain measures to ensure the secure processing of your personal data in our organisational and technical systems as described above.

Budapest, 26.07.2025.
