Privacy Policy

Privacy Notice regarding data processing on the www.kotta.io platform / website

Introduction

This Privacy Notice (hereinafter: Notice) provides information on the processing of personal data carried out on the www.kotta.io website (hereinafter: Website) in relation to the specific purposes of data processing, at the time of data collection, in order to comply with our information obligation set out in Article 13 of the GDPR.

This Notice applies to the processing of personal data carried out on the Website from the date of publication until its withdrawal.

Personal data means any information or piece of information relating to a natural person by which the data subject (i.e. the individual concerned) can be identified, either directly (e.g. by name) or indirectly (e.g. via a unique personal identifier). Personal data may include, for example: surname, first name, residential address, IP address, email address, or a cookie identifier placed on internet-enabled devices by the browser.

Persons under the age of 16 may not independently consent to the processing of their personal data. Therefore, in the case of minors under the age of 16, we request the personal data and the consent to its processing from their legal representative. The approval of the legal representative also entails full responsibility for the user activity of the person under the age of 16.

If you are under 16 years old:
Do not provide your personal data on our Website on your own and do not consent to the processing of your data. Please ask your parents to read this Privacy Notice and to provide your data and consent to the processing of your data on your behalf.

For matters not detailed in this Notice, the following legislation shall apply:

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: GDPR).

Name and contact details of the Data Controller

Data Controller:

Name: Kotta Commerce Ltd.

Represented by: Ocskay László

Headquarters: 1061 Budapest, Liszt Ferenc tér 6. 8. em. 83.

Mailing address: 1242 Budapest, Postafiók: 404.

Tax number: 26218290-2-42

Company registration number: 01 09 308383

E-mail: info@kotta.io

Telephone number: +36 70 622 4898

Website: www.kotta.io

Hereinafter referred to as: Data Controller

The Data Controller carries out the following data processing activities:

A.1. Information about Cookies

The Website uses cookies.

We use cookies to personalize content and advertisements, provide social media features, and analyze our website traffic. In addition, we share information about your use of the Website with our social media, advertising, and analytics partners, who may combine it with other information that you have provided to them or that they have collected from your use of other services.

Cookies are small text files that a website may use to make the user experience more efficient. According to applicable legislation, we may store cookies on your device if they are strictly necessary for the operation of our Website. For all other types of cookies, we require your consent. This Website uses different types of cookies. Some cookies appearing on our Website are placed by our third-party service providers.

We do not use or allow the use of cookies on the Website that would enable third parties to collect data without the user’s consent.

The Data Controller only uses cookies where it can be clearly determined what data is processed through the cookie, for what purpose, and, where applicable, for which third party the data is collected.

Cookies that store data recorded by the user / Website visitor, authentication session cookies, user-centric cookies, multimedia player session cookies, load-balancing session cookies, and user interface customization session cookies require prior information to be provided to the data subject; however, their consent is not required. In the case of any other cookies, the prior consent of the data subject must also be obtained.

With regard to user interface customization session cookies, we inform you that on our Website we combine certain information in order to identify visitors in a way that may collectively identify a user. The purpose of this data processing is to verify and ensure that content restricted to registered account holders is accessed only by our registered visitors. For this purpose, we use a JavaScript library called ClientJS (https://clientjs.org/).

We use the following data points for visitor identification:

Browser information:

  • User agent string (navigator.userAgent)
  • Browser version
  • Browser language (navigator.language)
  • Browser plugins (navigator.plugins)

Screen and display information:

  • Screen resolution (screen.width, screen.height)
  • Available screen resolution (screen.availWidth, screen.availHeight)
  • Color depth (screen.colorDepth)
  • Device pixel ratio (window.devicePixelRatio)

System information:

  • Operating system (derived from user agent)
  • Platform (navigator.platform)
  • Time zone offset (new Date().getTimezoneOffset())
  • Cookie support (navigator.cookieEnabled)
  • Local storage support (window.localStorage)
  • Session storage support (window.sessionStorage)

Installed fonts: Detection of available system fonts using a predefined list and measuring text dimensions.

Browser features and settings: Listing certain browser characteristics and settings, such as touch support (navigator.maxTouchPoints), the presence of an ad blocker, and other configurations.

Data processing is carried out in an automated manner. Cookies are deleted after the session is terminated.

Upon the explicit consent of the Website visitor as data subject, we use cookies, tracking codes, measurement codes, identification solutions, and pixels in order to display advertisements to users / Website visitors via Google. This also includes the transfer of event data such as page views.

Data processing is carried out without human intervention.

Cookies and Tracking Technologies Used on the Website

Strictly necessary cookies

We inform visitors that so-called session cookies do not contain personal data; therefore, their use does not involve the processing of personal data. The processing of other strictly necessary cookies is based on our legitimate economic interest.

Name | Purpose | Expiration
PHPSESSID | Part of the WordPress system operation. Used to create a user session and transfer state data via a temporary cookie, generally referred to as a session cookie. | Until the end of the session.
persistent_visitor_id | An essential cookie for the operation of the system, used to uniquely identify the visitor. Based on this, we monitor and limit the number of articles accessible without registration. | Until the end of the session.
wp_lang | Part of the WordPress system operation; contains information about the language of the website. | Until the end of the session.
wordpress_logged_in_[hash] | Indicates when you are logged in and identifies you. | Stored for the duration of the login session.
wp-settings-{time}-[UID] | In the case of a logged-in user, regulates the actions that can be performed according to their permissions. | Stored for the duration of the login session.
wordpress_test_cookie | Stores a cookie in the case of logged-in administrators. | Stored for the duration of the login session.

Cookies for marketing:

Name | Domain | Purpose | Expiration | Legal basis for data processing
_ga | Google Analytics, 3rd Party | Used to distinguish users. | | Consent (Article 6(1)(a) GDPR).
_gid | Google Analytics, 3rd Party | Used to distinguish users. | | Consent (Article 6(1)(a) GDPR).
_gat | Google Analytics, 3rd Party | Used to regulate the rate of requests. | | Consent (Article 6(1)(a) GDPR).

The user may configure their web browser to accept all cookies, reject all cookies, or notify the user when a cookie is being sent to their device. These settings are usually available in the “Options” or “Settings” menu of the browser. If the use of cookies is disabled, the Website may not function fully. Detailed information in English about cookie settings for different browsers is also available at www.aboutcookies.org.

You can find more information at the following links about how to:

Delete, disable, or enable cookies in Google Chrome:
https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=hu

Delete cookies in Mozilla Firefox:
https://support.mozilla.org/hu/kb/weboldalak-altal-elhelyezett-sutik-torlese-szamito

Delete, disable, or enable cookies in Microsoft Edge:
https://support.microsoft.com/hu-hu/microsoft-edge/tudnivalók-a-követés-megelőzéséről-a-microsoft-edge-ben-5ac125e8-9b90-8d59-fa2c-7f2e9a44d869

On 10 July 2023, the European Commission adopted its adequacy decision on the EU–U.S. Data Privacy Framework (hereinafter: DPF). The decision establishes that the United States ensures an adequate level of protection for personal data transferred from the EU to U.S. organizations participating in the DPF. Therefore, personal data may be transferred from EU Member States (as well as from Iceland, Liechtenstein, and Norway) to U.S. organizations participating in the DPF without the need for additional data protection safeguards.

The administration of the DPF is carried out by the U.S. Department of Commerce, which processes certification applications and assesses whether participating organizations comply with the applicable certification requirements. Compliance with the obligations under the DPF is enforced by the U.S. Federal Trade Commission.

On our Website, we use the “CookieYes” application to monitor and manage cookies. Detailed information about cookies and tracking codes is always available under the “Cookie Notice” link within the cookie management application, where you can review exactly what you have consented to and modify your settings. You may withdraw your consent at any time; however, this does not affect the lawfulness of data processing carried out prior to the withdrawal of consent.

Use of Google Ads Conversion Tracking

We use the online advertising platform “Google Ads” and, within its framework, the Google conversion tracking service. Google conversion tracking is an analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).

When a user reaches the Website via a Google advertisement, a cookie required for conversion tracking is placed on their computer. These cookies have limited validity. When the user / Website visitor browses certain pages of the Website and the cookie has not yet expired, Google and the Data Controller can see that the user clicked on the advertisement. Each Google Ads customer receives a different cookie, so cookies cannot be tracked across the websites of different Ads customers.

The information obtained through conversion tracking cookies is used to generate conversion statistics for Google Ads customers who have opted for conversion tracking. Customers receive information about the number of users who clicked on their advertisement and were redirected to a page equipped with a conversion tracking tag.

If the user does not wish to participate in conversion tracking, they may refuse this by disabling the installation of cookies in their browser settings. In this case, they will not be included in the conversion tracking statistics.

Please note that this service may transfer data outside the European Union and the European Economic Area to countries that do not provide an adequate level of data protection. If data is transferred to the United States, there is a risk that your data may be processed by U.S. authorities for control and surveillance purposes without you having access to legal remedies. Data may be transferred to the following country for various purposes, such as storage or processing: United States of America.

Further information, including Google’s privacy policy, is available at:
google.de/policies/privacy/

Use of Google Analytics

Our Website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses so-called “cookies,” which are text files stored on the user’s computer to help analyze how users interact with the Website.

The information generated by cookies relating to the use of the Website is generally transmitted to and stored on a Google server in the USA. If IP anonymization is activated on the Website, Google will shorten the user’s IP address within Member States of the European Union or in other states party to the Agreement on the European Economic Area before transmission. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.

Google will use this information on our behalf to evaluate the use of the Website, compile reports on Website activity, and provide other services related to Website and internet usage. Within the framework of Google Analytics, the IP address transmitted by the user’s browser will not be merged with other Google data.

The user may prevent the storage of cookies by adjusting their browser settings accordingly. Furthermore, users may prevent Google from collecting and processing data generated by cookies relating to their use of the Website (including their IP address) by downloading and installing the browser plugin available at the following link:
https://tools.google.com/dlpage/gaoptout?hl=hu

Please note that this service may transfer data outside the European Union and the European Economic Area to countries that do not provide an adequate level of data protection. If data is transferred to the United States, there is a risk that your data may be processed by U.S. authorities for control and surveillance purposes without you having access to legal remedies.

A.2. Server Logging

Purpose of the planned processing of personal data:

The purpose of data processing is to ensure IT security-level monitoring of the operation of services during visits to the www.kotta.io Website and to review visitor data in order to prevent misuse.

Legal basis for data processing:

The legitimate economic interest of the Data Controller in ensuring the security of its service provision (Article 6(1)(f) GDPR).

Recipients of personal data:

The Data Controller’s data processor (see: Data Processor).

Data Processor:

Sigmanet Kft (Registered seat: 31132 Budapest, Viktor Hugo utca 18–22.) – Hosting service provider

Transfer of data to third countries:

No data is transferred to third countries.

Information on data subject rights:

The data subject may request from the Data Controller access to personal data concerning them, rectification, erasure (except in cases falling under Article 17(3) GDPR), restriction of processing, and may object to the processing of such personal data.

Categories of personal data concerned:

System-generated and provided data such as date and time, as well as the visitor’s IP address, browser-related data (name and version), operating system, and the referring page from which the visitor accessed the Website.

Planned storage period of personal data:

Logged data is automatically deleted after 30 days. We reserve the right to retain log data for a longer period if there is a well-founded suspicion of unlawful access attempts or any IT security attack. Even in such cases, we ensure that personal data is stored only for the minimum period necessary and is deleted without delay once the purpose of processing has been fulfilled.

A.3. Contact via Email

Website visitors may contact the Data Controller by sending an electronic message to info@kotta.io.

Purpose of the planned processing of personal data:

To respond to questions submitted in the message and to provide a contact opportunity via info@kotta.io.

Legal basis for data processing:

Your consent (Article 6(1)(a) GDPR).

You may withdraw your consent at any time using the above contact details. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

Recipients of personal data:

The Data Controller’s data processors (see: Data Processors).

Data Processors:

Google LLC (Registered seat: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) – G-Suite email and document storage service

Transfer of data to third countries:

Google LLC – Data is transferred to a third country.

Google LLC’s SCC and DPA (Data Processing Agreement) documents are available at:
https://cloud.google.com/terms/data-processing-terms

On 10 July 2023, the European Commission adopted its adequacy decision on the EU–U.S. Data Privacy Framework (DPF). The DPF administration is carried out by the U.S. Department of Commerce, and compliance is enforced by the U.S. Federal Trade Commission.

Information on data subject rights:

The data subject may request access, rectification, erasure (except under Article 17(3) GDPR), restriction of processing, and data portability. Consent may be withdrawn at any time without affecting prior lawful processing.

Consequences of refusing data processing:

Providing data is voluntary; failure to provide it means you will not be able to contact the Data Controller via email.

Categories of personal data concerned:

First and last name, email address, any additional information provided in the message, and system-generated data such as date and time.

Storage period:

Data is processed until the purpose is fulfilled, i.e., until the question or request has been properly resolved and answered.

A.4. Business Contact Data Processing

Oander Technologies Korlátolt Felelősségű Társaság maintains contact with its clients and prospective clients to maintain existing business relationships and establish future ones. For these purposes, it processes as personal data the name, telephone number, email address, and, where applicable, job title of client contact persons.

Purpose:

Maintaining and establishing business relationships with clients and prospective clients.

Legal basis:

The legitimate economic interest of the Data Controller in establishing business relationships, fulfilling orders, and maintaining contact with a specific person at the corporate partner (Article 6(1)(f) GDPR).

Only strictly necessary contact data is processed, and the contact person’s fundamental rights and freedoms do not override the legitimate interests of the Data Controller and its corporate partner.

Recipients of personal data:

Data processors of the Data Controller.

Data Processors:

Sigmanet Kft – Hosting service provider
Google LLC – G-Suite email and document storage service

Transfer to third countries:

Google LLC – Data transfer to a third country occurs.
SCC and DPA documentation:
https://cloud.google.com/terms/data-processing-terms

DPF adequacy decision applies as described above.

Information on data subject rights:

Access, rectification, erasure (except under Article 17(3) GDPR), restriction, and objection rights apply.

Consequences of refusal:

Failure to process the data may result in refusal to prepare, conclude, or perform a contract with the company represented by the data subject.

Categories of personal data:

Name, telephone number, email address, and possibly job title of contact persons of prospective and new corporate clients.

Storage period:

Data is processed until the contact person status ends; if earlier, upon account deletion or after termination of the contract, contact data is deleted.

A.5. Account Registration and Login

Browsing the Website and accessing published news and knowledge materials (limited to two articles) does not require registration. Access beyond two articles requires registration.

Purpose:

Recording data of individuals interested in knowledge materials, granting access, maintaining contact, identifying registered users, and verifying authorization.

Legal basis:

Steps prior to entering into a contract (Article 6(1)(b) GDPR).

Recipients:

Data Processor:
Sigmanet Kft – Hosting service provider

Transfer to third countries:

No data transfer to third countries.

Data subject rights:

Access, rectification, erasure (except under Article 17(3)), restriction, and data portability rights apply.

Consequences of refusal:

Providing data is voluntary; failure to provide it means the user cannot access content beyond two articles.

Categories of personal data:

Username, email address, telephone number (optional), confirmation of acknowledgment of the Privacy Notice, and system-generated identifiers such as date and time.

Storage period:

Users may terminate registration at any time via their account or by contacting us. Registration data will be deleted without delay. If the user does not log in for 2 years, data will be retained for a maximum of 2 years from the last login.

A.6. Sending Diagnostic Questionnaire Results by Email

Visitors may complete thematic diagnostic questionnaires and provide company-related information. After automated analysis, company-specific results are sent by email. Data is retained until the results are sent.

Purpose:

Promotion and presentation of Oander Kft.’s services through the analysis of the diagnostic questionnaire.

Legal basis:

The legitimate economic interest of promoting and advertising our services (Article 6(1)(f) GDPR).

Recipients:

Data Processor:
MailerLite Limited (Registered seat: Ground Floor, 71 Lower Baggot Street, Dublin 2, D02 P593, Ireland) – Hosting and newsletter system service

Transfer to third countries:

No data transfer to third countries.

Data subject rights:

Access, rectification, erasure (except under Article 17(3)), restriction, and objection rights apply.

Consequences of refusal:

Providing data is voluntary; failure to provide it means we cannot send the diagnostic evaluation results by email.

Categories of personal data:

Email address and system-generated data such as date and time.

Storage period:

Diagnostic data, automated evaluation results, and the provided email address are stored until the evaluation results are sent to the specified email address. Thereafter, the data is deleted.

A.8. Newsletter / eDM Distribution

We keep in touch with our Users and clients who are interested in our services, have subscribed to our newsletter list, and have consented to the processing of their data for this purpose, by sending newsletters. Please subscribe by completing the designated fields if you would like to receive news, information, and possibly content that qualifies as advertising about our services. You can subscribe to our newsletter by giving your explicit consent to data processing for this purpose. You can provide the required declaration by ticking an unticked, mandatory checkbox.

Purpose of the planned processing of personal data:

The purpose of data processing is to promote and advertise the services of Oander Technologies Kft., to deliver our news, and to advertise our activities.

Legal basis for data processing:

The consent of the natural person subscribing to our newsletter / eDM (Article 6(1)(a) GDPR).

The data subject may withdraw their consent at any time, unconditionally, via the above contact details or via the footer of our newsletter / eDM. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

Recipients of personal data:

The Data Controller’s data processor (see: Data Processor).

Data Processor:

MailerLite Limited (Registered seat: Ground Floor, 71 Lower Baggot Street, Dublin 2, D02 P593, Ireland) – Hosting and newsletter system service

Transfer of data to third countries:

No data is transferred to third countries.

Information on data subject rights:

The data subject may request access to personal data concerning them, rectification, erasure (except in cases under Article 17(3) GDPR), restriction of processing, and the right to data portability.

Consequences of refusing data processing:

Providing data is voluntary; failure to provide it means we cannot deliver our newsletter / eDM.

Categories of personal data concerned:

First and last name, email address, system-generated data such as date and time, and detailed information on whether the email was opened and/or read.

Planned storage period of personal data:

You may unsubscribe from the newsletter free of charge at any time and withdraw your consent. In this case, the personal data used for sending the newsletter will be deleted without undue delay, but no later than within 3 days.

We also delete the data of subscribers without a specific request if the data subject does not comply with our periodic request to confirm their newsletter subscription and does not confirm their data, interest, and consent within the requested deadline. In such cases, the data will be deleted.

Appropriate Security

When designing its security system, the Data Controller took into account the state of the art in science and technology, the nature, scope, circumstances and purposes of data processing, and the varying likelihood and severity of risks to the rights and freedoms of natural persons.

Together with its server operators, the Data Controller ensures the security of data through technical, organizational, and administrative measures that provide a level of protection appropriate to the risks arising from data processing. Data is protected against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage.

To ensure the security of personal data stored on the Data Controller’s computers and network, access to data is permitted only with valid, personal, identifiable authorization, at least via a username and password. The Data Controller regularly ensures password changes.

What Do Data Subject Rights Mean?

We welcome questions and requests regarding the processing of your personal data by post at:

Kotta Commerce Kft.
1242 Budapest, P.O. Box: 404.

by email: info@kotta.io
or by phone: +36 70 622 4898.

Data subjects may exercise the following rights throughout the entire duration of the data processing:

Access to personal data
The data subject has the right to receive confirmation from the Data Controller as to whether their personal data is being processed, and if such processing is taking place, to obtain access to the personal data and, where applicable, to request an electronic copy thereof.

Right to rectification
The data subject may request the rectification of their personal data.

Right to erasure (“right to be forgotten”) (Article 17 GDPR)
The data subject has the right to have the Data Controller delete personal data concerning them without undue delay if the processing has no purpose, the data subject has withdrawn consent and there is no other legal basis, there is no overriding legitimate ground in the event of an objection, the data was processed unlawfully, or the data must be erased for compliance with a legal obligation. If the Data Controller has made the personal data public and is obliged to erase it, it shall take reasonable steps—including technical measures—taking into account available technology and the cost of implementation, to inform other controllers processing the data that the data subject has requested the erasure of links to, or copies/replications of, the personal data.

With regard to this right, it is important to note that erasure is not possible where one of the cases listed in Article 17(3) GDPR applies, i.e. where processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation under Union or Member State law applicable to the Data Controller, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
  • for reasons of public interest in the area of public health;
  • for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, where the right referred to above would likely render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise, or defence of legal claims.

Right to restriction of processing
The data subject may request, where applicable, the restriction of processing while their request is being assessed—for example, if they object to processing based on legitimate interest or challenge the accuracy of the processed data.

Objection to the processing of personal data
The data subject may object to processing based on legitimate interest. In such cases, processing must cease unless it is justified by compelling legitimate grounds overriding the interests, rights and freedoms of the data subject, or unless processing is necessary for the establishment, exercise, or defence of legal claims.

Data portability
Where processing is based on the data subject’s consent or on the performance of a contract, the data subject has the right to data portability. The data subject is entitled to receive the personal data concerning them which they have provided to a controller in a structured, commonly used, machine-readable format, and to transmit that data to another controller without hindrance from the controller to which the data has been provided. The data subject may also request the transmission of personal data to another controller. Exercising this right must not adversely affect the rights and freedoms of others.

Automated decision-making and profiling
The data subject has specific rights in cases of automated decision-making and profiling. The data subject has the right not to be subject to a decision based solely on automated processing—including profiling—that produces legal effects concerning them or similarly significantly affects them.

The Data Controller’s procedure
The Data Controller shall inform the data subject of the measures taken without undue delay, but no later than within one month of receipt of the request, or of the reasons for not taking action. If the request is complex, the deadline may be extended by a further two months. Information and measures are provided free of charge, except for requests that are manifestly unfounded or excessive. The first copy of the processed personal data is free of charge; for additional copies we may charge a fee corresponding to our administrative costs.

Right to Lodge a Complaint

National Authority for Data Protection and Freedom of Information (NAIH)
H-1055 Budapest,
Falk Miksa utca 9–11.
Mailing address: 1363 Budapest, Pf. 9.
Tel.: +36 (1) 391-1400
ugyfelszolgalat@naih.hu

If the data subject’s rights are violated, they may also bring an action before a court against the Data Controller.

The case falls within the jurisdiction of the regional court. The action may also be brought, at the data subject’s choice, before the regional court of the data subject’s place of residence (a list of regional courts and their contact details is available via the following link: http://birosag.hu/torvenyszekek).

Dated: Budapest, 11 February 2026.
Kotta Commerce Kft.