PRIVACY POLICY
DATA PROCESSING NOTICE REGARDING COOKIES USED ON THE WEBSITE
(www.anamcara.hu)
Judit Ember, sole proprietor (hereinafter: Data Controller), operates the www.anamcara.hu website (hereinafter: Website), where it processes personal data as set out in Section II of this document. In doing so, it pays special attention to processing and storing the personal data contained in its system in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC (General Data Protection Regulation) (“Regulation”).
I. EXACT NAME AND CONTACT DETAILS OF THE DATA CONTROLLER:
Name of data controller: Ember Judit, sole proprietor
Data controller registration number: 60671019
Data controller's tax number: 91208633-1-41
Data controller's registered office: 1039 Budapest, Zsirai Miklós utca 2. 9/83.
Data controller's email address: anamcara.judit@gmail.com
Data controller representative: Judit Ember
NAME AND CONTACT INFORMATION OF THE DATA PROTECTION OFFICER OF THE DATA CONTROLLER: Judit Ember
email address: anamcara.judit@gmail.com
II. DATA PROCESSING CASES
1. Personal data logged by the system
Scope of data processed and purpose of data processing:
• IP address: An identification number assigned by an internet service provider to the device of the User logging into the system. The Data Controller manages it to ensure the IT security of the system.
• Browser type: Sending HTML code appropriate to the browser type.
Legal basis for data processing: Pursuant to Article 6(1)(e) of the Regulation, data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Duration of data management: The system stores the data indicated here for 6 months from the date of its creation, after which it is automatically deleted.
Possible consequences of failure to provide data: inaccuracy of analytical measurements
2. Managing cookies related to the www.anamcara.hu website
Types of cookies and their names, range of data processed, and purpose of data processing:
• Persistent cookie (Google Analytics). Range of data processed: record of page visit. Purpose of data processing: monitoring and measuring attendance data.
Legal basis for data processing: Pursuant to Article 6(1)(e) of the Regulation, data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Duration of data processing: They are stored in the browser's cookie file for a longer period of time. The duration of this depends on the settings used by the data subject in their internet browser.
Data source: Taken directly from the data subject.
Possible consequences of not processing data: inaccuracy of analytical measurements, lack of relevant targeted advertisements.
a. Deleting Cookies
The data subject has the right to delete the cookie from his/her own computer or to disable the use of cookies in his/her browser. Cookies can usually be managed in the Tools/Settings menu of browsers under the Privacy/History/Personal Settings menu, under the name cookie or tracking.
If the data subject would like to learn more about what cookies their browser uses, please visit one of the following websites appropriate for their browser:
Google Chrome ( https://support.google.com/chrome/answer/95647?hl=hu )
Mozilla Firefox ( https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak haszn )
Windows Internet Explorer ( https://support.microsoft.com/hu-hu/help/260971/description-of-cookies )
Safari ( https://support.apple.com/hu-hu/guide/safari/manage-cookies-and-website-data sfri11471/mac )
b. Data processing by external service providers
The html code of the portal contains links coming from and pointing to external servers independent of the Data Controller. The server of the external service provider is directly connected to the data subject's computer. We draw the attention of our visitors to the fact that the service providers of these links are able to collect user data due to the direct connection from their server and direct communication with the data subject's browser.
The Website interface may contain information, in particular advertisements, originating from third parties, advertising providers who are not affiliated with the Data Controller. It may happen that these third parties also place cookies, web beacons on the Data Subject's computer, or collect data using similar technologies in order to send the Data Subject targeted advertising messages in connection with their own services. In such cases, the data processing is governed by the data protection regulations specified by these third parties, and the Data Controller assumes no liability for such data processing.
The data controllers listed below can provide detailed information about the processing of data by external service providers.
In order to provide personalized service, external service providers place and read back a small data package, called a cookie, on the data subject's computer. If the browser sends back a previously saved cookie, the service providers managing it have the opportunity to connect the data subject's current visit with previous ones, but only with regard to their own content.
c. Cookies placed by Google Analytics
Managed data and purpose of data processing:
• IP address: External servers help to independently measure and audit the Website's traffic and other web analytics data (Google Analytics). These cookies are not able to personally identify the Data Subject (they only partially record the IP address currently used).
• Which part of the Website the data subject clicked on: The Data Controller intends to use it for the development of the Website and to improve the experiences provided to the Data Subject.
• How many pages the data subject visited: The Data Controller intends to use it for the development of the Website and to improve the experiences provided to the Data Subject.
Duration of data management: 365 days. If the data subject does not want Google Analytics to measure data in the manner and for the purpose described, they can install the add-on that blocks this in their browser.
Legal basis for data processing: The legal basis for data processing is the voluntary consent of the data subject pursuant to Article 6(1)(a) of the Regulation.
Data source: Taken directly from the data subject.
Possible consequences of failure to provide data: inaccuracy of analytical measurements.
Information about data processing by Google Analytics can be found at http://www.google.com/intl/hu/policies/ . The document "How Google uses data when you use a partner's site or app" can be found at the following link: http://www.google.com/intl/hu/policies/privacy/partners/
d. Facebook pixel
Managed data and purpose of data processing:
• Record of page visit: For a better user experience (e.g. providing optimized navigation, providing relevant advertising).
Data processing period: 180 days.
Legal basis for data processing: The legal basis for data processing is the voluntary consent of the Data Subject pursuant to Article 6(1)(a) of the Regulation.
Data source: Taken directly from the data subject.
Possible consequences of failure to provide data: The Website uses Facebook's retargeting tracking codes. The basis for this is that the Data Controller can later reach visitors to the site with retargeting ads on Facebook. The retargeting code uses cookies to tag visitors. If disabled, retargeting ads will not be displayed.
Any content that may be personalized for the data subject is served by the external service provider's server. The data controller's advertisements may be displayed on Facebook and Instagram.
III. DATA PROCESSING
The Data Controller is entitled, in accordance with the applicable legislation, to use a data processor for the purpose of certain technical operations or the provision of the service. The data processor is only entitled to execute the instructions and decisions of the Data Controller.
DATA OF THE OPERATOR OF www.anamcara.hu:
• Name: Judit Ember, sole proprietor
• Registration number: 60671019
• Tax number: 91208633-1-41
• Address: 1039 Budapest, Zsirai Miklós Street 2. 9/83.
• Contact: +36 707712617
www.anamcara.hu STORAGE PROVIDER DATA:
• Name: Wix.com UK Limited
• Tax number: EU442008451
• Company registration number: 2576807
• Address: 30 Old Bailey, London, United Kingdom, EC4M 7AU
IV. DATA TRANSFER
The Data Controller informs the data subject that the court, the prosecutor, the investigating authority, the misdemeanor authority, the administrative authority, the National Data Protection and Freedom of Information Authority, or other bodies authorized by law may contact the Data Controller to provide information, communicate or transfer data, or make documents available.
The data controller will only provide personal data to the authorities - if the authority has specified the exact purpose and scope of the data - to the extent and insofar as this is absolutely necessary to achieve the purpose of the request.
The data provided by the data subject will not be transferred for any other purpose.
V. DATA SECURITY MEASURES
The Data Controller shall take all necessary measures expected of it in order to ensure the security of the data, and shall ensure their adequate level of protection, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage. The Data Controller shall ensure the security of the data by means of appropriate technical and organizational measures.
The Data Controller selects and operates the IT tools used to manage personal data during the provision of the service in such a way that the managed data:
• is accessible to those authorized to do so (availability);
• has its authenticity and authentication ensured (authentication of data processing);
• can be verified as unchanged (data integrity);
• is protected against unauthorized access (data confidentiality).
During data processing, the Data Controller preserves the following:
• confidentiality: protects information so that only those who are authorized to access it can access it;
• integrity: protects the accuracy and completeness of the information and the processing method;
• availability: ensures that when the authorized user needs it, they can actually access the desired information and that the related tools are available.
VI. RIGHTS OF THE DATA SUBJECT
The data subject may request information about the processing of his or her personal data; may request the correction of his or her personal data; may request the deletion of his or her data by sending an email to anamcara.judit@gmail.com ; may request the restriction of data processing; and may request data portability and legal remedies.
In case of a complaint, you can contact the National Data Protection and Freedom of Information Authority in Hungary or – at your choice – a court. The court has jurisdiction in the court proceedings.
1. Information and access to personal data
The data subject has the right to access his/her personal data stored by the Data Controller and information related to their processing; check what data the Data Controller keeps about him/her, and is entitled to access the personal data. The data subject must submit his/her request for access to the data to the Data Controller in writing (by e-mail or by post). The Data Controller shall provide the information to the data subject in a widely used electronic format, unless the data subject requests it in writing, on paper.
The Data Controller does not provide verbal information over the telephone when exercising access.
In the event of exercising the right of access, the information covers the following:
• definition of the scope of processed data, purpose, time and legal basis of data processing with regard to the scope of processed data,
• data transfer: to whom the data has been transferred or will be transferred in the future,
• data source designation.
The Data Controller shall provide the data subject with a copy of the personal data by email, in a widely used electronic format.
After the information, if the data subject does not agree with the data processing or the accuracy of the processed data, he/she may request the correction, completion, deletion, or restriction of the processing of personal data concerning him/her, as specified in Sections VI. 2.-7., object to the processing of such personal data, or initiate the procedure specified in Section VII.
2. Right to correct and supplement processed personal data
Upon written request of the data subject, the Data Controller shall, without undue delay, correct inaccurate personal data indicated by the data subject in writing or in person at one of the Data Controller's stores, or supplement incomplete data with the content indicated by the data subject. The Data Controller shall inform all recipients to whom the personal data has been disclosed of the correction or supplementation, unless this proves impossible or requires a disproportionate effort. The data subject shall be informed of the data of these recipients if he or she so requests in writing.
3. Right to restriction of data processing
The data subject may request the Data Controller to restrict the processing of his/her data by means of a written request if:
• the data subject disputes the accuracy of the personal data, in which case the restriction applies for a period of time that allows the Data Controller to verify the accuracy of the personal data,
• the data processing is unlawful and the data subject opposes the deletion of the data and instead requests the restriction of their use,
• the Data Controller no longer needs the personal data for the purposes of data processing, but the data subject requires them for the establishment, exercise or defence of legal claims,
• the data subject objects to data processing: in this case, the restriction applies for the period until it is determined whether the legitimate grounds of the Data Controller override those of the data subject.
If the data subject's objection is well-founded, the data will be restricted by the Data Controller, i.e. only storage as data management can take place as long as
• the data subject consents to the data processing;
• the processing of personal data is necessary to enforce legal claims;
• the processing of personal data becomes necessary to protect the rights of another natural or legal person; or
• data processing is ordered by law in the public interest.
If the data subject requested the restriction of data processing, the Data Controller will inform the Data Subject in advance about the lifting of the restriction.
4. Right to erasure (to be forgotten)
At the request of the data subject, the Data Controller shall erase the personal data concerning the Data Subject without undue delay if one of the specified reasons applies:
• the personal data are no longer necessary for the purposes for which they were collected or otherwise processed by the Data Controller;
• the data subject withdraws his/her consent which forms the basis for data processing and there is no other legal basis for data processing;
• the data subject objects to the processing for reasons relating to his or her own situation and there are no legitimate grounds for the processing,
• the data subject objects to the processing of personal data concerning him or her for direct marketing purposes, including profiling, if it is related to direct marketing,
• the Data Controller processes personal data unlawfully;
• the collection of personal data took place in connection with the provision of information society services directly to children.
The data subject may not exercise the right to erasure or to be forgotten if data processing is necessary:
• for the purpose of exercising the right to freedom of expression and information;
• on the basis of public interest in the field of public health;
• for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes, where exercising the right to erasure would render such processing impossible or would seriously jeopardise such processing; or
• to assert, enforce or defend legal claims.
5. Right to data portability
Data portability allows the data subject to obtain and further use their "own" data provided by the data subject, which is located in the Data Controller's system, for their own purposes and through various service providers specified by them. In all cases, the right is limited to the data provided by the data subject, and there is no possibility of portability of other data. (e.g. statistics, etc.)
With regard to the personal data relating to him/her that can be found in the Data Controller's system (e.g. when subscribing to a newsletter), the data subject:
• may receive it in a structured, widely used, machine-readable format,
• is entitled to transfer it to another data controller,
• may request the direct transfer of data to another data controller – if this is technically feasible in the Data Controller's system.
The Data Controller shall only fulfill the request for data portability based on a request sent by e-mail or post. In order to fulfill the request, the Data Controller must verify that the data subject entitled to do so actually wishes to exercise this right. This requires that the data subject appear in person at the Data Controller’s registered office after the notification, in order for the Data Controller to be able to identify the requesting data subject using the data in its system. Within the framework of this right, the data subject may request the portability of the data that he or she has provided to the Data Controller. Exercising the right does not automatically result in the deletion of the data from the Data Controller’s systems, therefore the data subject will remain registered in the Data Controller’s systems even after exercising this right, unless he or she also requests the deletion of his or her data.
6. Objection to the processing of personal data
The data subject may object to the processing of his or her personal data by means of a statement addressed to the Data Controller, if the legal basis for the processing is
• public interest pursuant to Article 6(1)(e) of the GDPR or
• legitimate interest pursuant to Article 6(1)(f) of the GDPR.
In the event of exercising the right to object, the Data Controller may no longer process the personal data, unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. The Data Controller’s executive director shall decide whether the processing is justified by compelling legitimate grounds. He shall inform the data subject of his position in an opinion. The data subject may object in writing (by e-mail or post).
7. Enforcement of the rights of the deceased data subject by another person
Within five years of the death of the data subject, the rights to which the deceased was entitled during his/her lifetime, such as the right to access, rectification, erasure, restriction of processing, data portability and objection, may be exercised by a person authorized by the deceased to do so by an administrative order or by a declaration made to the Data Controller in a public document or a private document with full probative force. If the deceased made more than one such declaration to the Data Controller, the person named in the declaration made at a later date may exercise these rights.
If the deceased did not make such a declaration, the rights to which the deceased was entitled during his/her lifetime and specified in the previous paragraph may be asserted by the close relative of the person concerned under the Civil Code within five years following the death of the person concerned (in the case of multiple close relatives, the close relative who exercises this right first is entitled to assert the above rights).
According to Section 8:1. (1) Point 1 of the Civil Code, a close relative is a spouse, a relative by blood, an adopted child, a stepchild and a foster child, an adoptive, stepparent and foster parent, and a sibling. A close relative of the deceased is required to provide proof of:
• the fact and time of the deceased's death, as evidenced by a death certificate or court decision, and
• his/her own identity – and, if necessary, his/her status as a close relative – with a public document.
The person asserting the rights of the deceased is, during the enforcement of these rights – in particular against the Data Controller, as well as in proceedings before the National Data Protection and Freedom of Information Authority or before the court – entitled to the rights and subject to the obligations that applied to the deceased during his/her lifetime, in accordance with the Privacy Act and the Regulation.
Upon written request, the data controller is obliged to inform the close relative of the measure taken, unless the deceased expressly forbade this in his/her statement.
VII. DEADLINE FOR ACCOMPLISHING A REQUEST, PROCEDURAL RULES
The Data Controller shall inform the data subject of the measures taken without undue delay, but in any case within one month of receipt of any request pursuant to points III. 1-6. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months, but in such case the Data Controller shall inform the data subject within one month of receipt of the request, indicating the reasons for the delay, and that the data subject may lodge a complaint with the supervisory authority and exercise his/her right to a judicial remedy.
If the data subject's request is clearly unfounded or excessive (especially given its repetitive nature), the Data Controller may charge a reasonable fee for fulfilling the request or may refuse to take action based on the request. The Data Controller shall bear the burden of proof.
If the data subject submitted the request electronically, the Data Controller will provide the information electronically, unless the data subject requests otherwise.
The Data Controller shall inform all recipients to whom the personal data have been disclosed of any rectification, erasure or restriction of processing made by it, unless this proves impossible or involves a disproportionate effort. Upon request, the Data Controller shall inform the data subject of these recipients.
VIII. REMEDIES
The data subject may exercise his/her rights by sending a written request to the Data Controller by e-mail or post.
The data subject's rights cannot be enforced if the Data Controller proves that it is not in a position to identify the data subject. If the Data Controller has doubts about the identity of the natural person submitting the request, it may request the provision of additional information necessary to confirm the identity of the applicant.
The data subject may, based on Info.tv., the Regulation and the Civil Code (Act V of 2013):
• contact the National Data Protection and Freedom of Information Authority (1055 Budapest, Falk Miksa utca 9-11., www.naih.hu), or
• enforce his/her rights before a court. The lawsuit can also be initiated – at the choice of the person concerned – before the court of his/her place of residence (the list of courts and their contact details can be viewed via the following link: http://birosag.hu/torvenyszekek).
IX. DAMAGES AND REMEDIES
Any person who has suffered material or non-material damage as a result of a breach of the Regulation is entitled to compensation for the damage suffered from the Data Controller or the Data Processor. The Data Processor shall only be liable for damage caused by data processing if it has failed to comply with the obligations expressly imposed on data processors by law, or if it has disregarded or acted contrary to the lawful instructions of the Data Controller. The Data Controller or the Data Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
X. HANDLING DATA PROTECTION INCIDENTS
A data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The controller shall keep a record of the personal data affected by the incident, the scope and number of data subjects, the date, circumstances, effects, and measures taken to address the incident, for the purpose of monitoring the measures taken in connection with the data breach, informing the supervisory authority, and the data subject. In the event of an incident, the controller shall, unless it does not result in a risk to the rights and freedoms of natural persons, inform the data subject and the supervisory authority of the data breach without undue delay and no later than 72 hours.
XI. PROCEDURE FOR HANDLING SECURITY BACKUPS
Within the scope of its tasks related to IT protection, the Data Controller shall ensure in particular measures ensuring the possibility of restoring data files, including regular backups and the separate, secure management of copies (backup).
Accordingly, in order to prevent the loss of electronically stored data, the Data Processor regularly, once a week, automatically backs up its database containing personal data within the Wix.com platform.
Access to backups: Access to backups is restricted to persons with specific authorizations. Data can only be accessed after proper identification (at least username and password).
XII. OTHER PROVISIONS
The Data Controller reserves the right to unilaterally amend this Data Protection Notice with prior notice to the data subject, in particular, but not exclusively, in the event of changes in legislation. The amendments shall enter into force for the data subject on the date specified in the notice, unless the data subject objects to the amendments in writing.
If the data subject provided third party data to use the service and caused damage, the Data Controller is entitled to claim compensation from the data subject.
The data controller does not verify the personal data provided to it. The person providing it is solely responsible for the accuracy of the data provided. When providing personal data of any data subject, he/she also assumes responsibility for the accuracy of the data provided, and that he/she is the only one who uses his/her own personal data and the service provided by them.