Privacy Policy
1. Identification of the Data Controller
The online store available at www.nogreylotion.com is operated by:
Tradegap Kft.
Company registration number: 01-09-916202
Tax number: HU14709049
Registered office: 1027 Budapest, Varsányi Irén u. 17
Place of business: 1113 Budapest, Edömér u. 2
Business operation address: 1113 Budapest, Edömér u. 2
Phone: +36 70 676 5050
E-mail: info@nogreylotion.com
Representative of the Data Controller and contact: Dóra Petneházi (info@nogreylotion.com)
Data Protection Officer (if applicable): Dóra Petneházi (info@nogreylotion.com)
(hereinafter referred to as the “Data Controller”).
2. Governing Laws and Scope of This Policy
2.1. The Data Controller processes users’ personal data primarily based on the following legal provisions:
- Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR),
- Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (Grt.),
- Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (Ekertv.).
2.2. This Policy applies to data processing carried out in connection with the use of the website accessible at the above-mentioned address (hereinafter: “Website”), the use of the services available there, and the fulfillment of orders placed in the online store.
2.3. For the purposes of this Policy, “User” means any natural person browsing the Website, using its services, or ordering a product from the Data Controller. The data subjects affected by specific processing operations are defined in sections 4–8 below.
3. Legal Basis of Data Processing
3.1. The legal bases of the data processing activities carried out by the Data Controller are described in detail in sections 4–8 below.
For certain processing operations, the legal basis is the User’s consent under Article 6(1)(a) of the GDPR.
In relation to data processing connected to orders, the legal basis is Article 6(1)(b) of the GDPR, according to which processing is necessary for the performance of a contract to which the User is a party.
In some cases, data processing is required by law (Article 6(1)(c) GDPR), or based on the legitimate interests of the Data Controller (Article 6(1)(f) GDPR).
Detailed explanations are provided in the relevant sections below.
3.2. In cases where processing is based on consent, the User grants consent by ticking the checkbox preceding the relevant data processing declaration.
The User can read this Privacy Policy at any time by clicking the “Privacy Policy” link displayed at the bottom of every page of the Website, or via the link embedded in the consent declaration.
By ticking the checkbox, the User declares that they have read and understood this Privacy Policy and consent to the processing of their personal data as described herein.
4. Data Processing Related to the Operation of IT Services
4.1. To operate the Website and collect technical data about visitors, the Data Controller uses cookies.
4.2. The Data Controller provides a separate information notice regarding the use of cookies:
“Privacy Notice on the Use of Cookies.”
5. Data Processing Related to Receiving and Responding to Messages
5.1. Scope of data subjects:
Users who send messages to the Data Controller via the “Contact” form available on the Website, or by email using the email address(es) displayed on the Website.
5.2. Legal basis:
The User’s consent pursuant to Article 6(1)(a) of the GDPR, given by sending the message.
5.3. Scope of processed data:
- Name of the User sending the message,
- Email address,
- Any additional data voluntarily provided in the message.
The Data Controller processes any additional personal data included in the message only to the extent necessary for receiving and responding to it, and such data is not requested from the User.
If the User provides unsolicited personal data, the Data Controller will not store such data and will delete it immediately from its IT system.
5.4. Purpose of processing:
To enable communication between the User and the Data Controller.
Services related to this include:
- Sending messages via the Website,
- Receiving messages sent by email to the contact addresses shown on the Website,
- Responding to such messages, which the Data Controller completes within 2 working days.
5.5. Duration of processing:
Until the message is answered or the User’s request is fulfilled.
After the reply/fulfillment, the Data Controller deletes the data.
If multiple related exchanges occur, deletion takes place after the conversation and request are completed.
If the message exchange results in a contract, and the messages contain information relevant to that contract, the legal basis and retention period are governed by the section “Data Processing Related to Orders”.
5.6. Method of data storage:
Data are stored in a separate list within the Data Controller’s IT system.
For details on data protection and security, see section 13.
6. Data Processing Related to Newsletter Subscription
6.1. Data subjects: Users who subscribe to the newsletter by filling in the designated fields on the website and checking the consent box.
6.2. Legal basis for data processing: Based on Article 6 (1) (a) of the GDPR and Sections 6 (1) and (2) of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (Grt.), the User’s consent. The User gives voluntary consent by familiarizing themselves with this Privacy Notice, filling in the newsletter subscription fields, and checking the consent box provided. By doing so, the User declares that they consent to the processing of their data in accordance with this Privacy Notice and to receiving newsletters.
The newsletter service, in addition to sending useful information, also serves direct marketing purposes by the Data Controller. The User may subscribe to this service independently of any other services. The use of this service is voluntary and based on the User’s informed decision. If the User does not use the newsletter service, it does not entail any disadvantage regarding the use of the website or other services. The Data Controller does not make the use of any other services conditional upon the use of the newsletter service.
6.3. Categories of processed data:
- Name
- Email address
6.4. Purpose of data processing: To send newsletters by the Data Controller to the User via email, as well as for direct marketing purposes. Sending newsletters includes information about the Data Controller’s services, news, and updates, as well as promotional offers, advertising, and sales-related content.
6.5. Duration of data processing: The Data Controller processes the data for newsletter delivery until the User withdraws their consent (unsubscribes) or requests the deletion of their data.
6.6. Method of data storage: In a separate data processing list within the Data Controller’s IT system. For more information on data protection and data security, see Section 13.
7. Data Processing Related to Registration
7.1. Data subjects: Users who register on the website.
7.2. Legal basis for data processing: Based on Article 6 (1) (a) of the GDPR, the User’s consent. The User gives voluntary consent by completing the registration form, checking the data processing consent box, and clicking the button necessary to finalize the registration.
7.3. Categories of processed data: In the case of registered Users, data processing concerns the personal data and contact information requested on the registration form.
Processed data include:
- Last name
- First name
- Email address
- Password
Purpose of data processing: Website registration and facilitating repeat purchases.
Associated services:
- Creating a personal account for the User
- Enabling online product ordering by storing data necessary for order fulfillment and allowing the User to modify them
- Storing and providing access to previous orders through the User account
7.4. Duration of data processing: For registered Users, data processing continues until the User requests deletion. Data processing may also end upon the User deleting their registration or the Data Controller deleting it. The User may delete their registration or request its deletion at any time; the Data Controller will execute the request immediately, but no later than within 10 business days from receipt.
7.5. Method of data storage: In a separate data processing list within the Data Controller’s IT system. For details on data protection and security, see Section 13.
8. Data Processing Related to Orders
8.1. Data subjects: Users who place orders on the website.
8.2. Legal basis for data processing: Article 6 (1) (b) of the GDPR — processing necessary for the performance of a contract to which the User is a party; and Article 6 (1) (c) — processing necessary for compliance with a legal obligation applicable to the Data Controller (e.g., accounting record-keeping obligations).
8.3. Categories of processed data:
The User’s:
- Last name
- First name
- Billing address
- Phone number
- Email address
- Shipping address
- Ordered product(s)
- Price of the ordered product(s)
- Delivery/collection method
- Payment method
- Any additional information provided by the User necessary for order fulfillment
- Order date
- Payment date
8.4. Purpose of data processing: To conclude and perform the contract resulting from the order.
8.5. Duration of data processing: Data processed for order fulfillment are retained by the Data Controller for the period required by the accounting record-keeping obligation. According to the Accounting Act (Act C of 2000), this period is at least 8 years from the invoice date. After this time, the Data Controller deletes the data within one year.
Data processed for delivery (name, shipping address, phone number) and other related data (e.g., order-related communications between the User and the Data Controller) are retained for 5 years from the conclusion of the contract, corresponding to the general limitation period for civil claims.
When transferring delivery-related data to the shipping provider, the Data Controller limits processing so that the provider may only process the data to the extent and duration necessary for delivery.
The service providers used by the Data Controller for this purpose are listed in the section “Use of Data Processors,” where links to their privacy notices are also provided.
8.6. Method of data storage: In a separate data processing list within the Data Controller’s IT system, and in accounting records as required by law. For further information on data protection and data security, see Section 13.
9. Data Transfer
9.1. Data subjects concerned:
Users who select an online payment method during the ordering process on the website, regardless of whether they use other services provided by the website.
9.2. Recipient of the data transfer:
Shoptet Kft.
• Company registration number: 01-09-357795
• VAT number: 27933460-2-41
• Registered office: 1027 Budapest, Kacsa utca 15-23.
• Telephone: 1027 Budapest, Kacsa utca 15-23.
• E-mail contact: info@shoptet.hu
• Website: www.shoptet.hu
A business entity acting as the provider of the online payment service available on the Controller’s website.
9.3. Legal basis for data transfer:
In accordance with Article 6 (1) (f) of the GDPR, the legitimate interests of both the Controller and the Recipient.
Under applicable laws, the Recipient is obliged to operate fraud prevention and detection systems in connection with the provision of payment services and is authorized to process the necessary personal data for this purpose. The Recipient has established a system in compliance with these legal obligations, the operation of which requires data transfer by the Controller. Accordingly, the Recipient’s legitimate interest lies in being able to operate this fraud prevention and detection system as required by law.
The legitimate interests of both the Controller and the Recipient are the prevention of fraud and ensuring the proper operation of online payments. The proper functioning of payment services is essential to both parties’ core business activities. Furthermore, it is also in the User’s interest, especially to avoid misuse of bank card data.
The data transfer enables the detection and prevention of fraudulent activities and the resolution of any obstacles arising during the payment process.
The data are transferred from the set of data processed during the User’s purchase/order, through a secure, encrypted electronic channel, solely to the Recipient and only in cases where an online card payment occurs. The Recipient does not use the data for any other purpose. Therefore, the transfer poses no significant risk or noticeable impact to the User.
The data transfer is necessary to achieve the purposes described above and contributes to improving the security of the payment service.
Taking into account the above and the built-in safeguards, the data transfer does not constitute an undue intrusion into the Users’ privacy and is therefore a necessary and proportionate data processing operation.
9.4. Scope of transferred data:
- products placed in the shopping cart and purchase-related data displayed therein (prices, costs),
- name,
- telephone number,
- e-mail address,
- address.
The bank card data provided during the payment process are submitted directly by the User to the payment service provider and are therefore not accessible to the Controller.
9.5. Purpose of data transfer:
To ensure the proper operation of the payment service and the technical execution of payments, confirmation of transactions, operation of fraud-monitoring systems that support the control of electronically initiated banking transactions, and to provide customer service assistance to the User.
9.6. Further details on the data processing activities carried out by the online payment service provider — including the legal basis, purpose, exact categories of processed data, and retention period — can be found on the provider’s website.
9.7. The Controller does not transfer personal data to third parties for business or marketing purposes.
9.8. Other than the cases described above, the Controller transfers data only when legally required, to the competent authorities.
10. Use of Data Processors
The Controller uses the following business entities as data processors.
10.1. Web Hosting Provider
10.1.1. Data subjects concerned:
Users visiting the website, regardless of the services used.
10.1.2. Data processor:
Shoptet Kft.
• Company registration number: 01-09-357795
• VAT number: 27933460-2-41
• Registered office: 1027 Budapest, Kacsa utca 15-23.
• Telephone: 1027 Budapest, Kacsa utca 15-23.
• E-mail contact: info@shoptet.hu
• Website: www.shoptet.hu
acting as the web hosting service provider (hereinafter referred to as the “Data Processor”).
10.1.3. Scope of processed data:
All data specified in this privacy policy.
10.1.4. Purpose of processing:
To ensure the website’s operation from an information technology perspective.
10.1.5. Duration of processing:
Same as the data retention periods specified in this privacy policy for each specific purpose of processing.
10.1.6. The processing of data includes only the provision of hosting necessary for the website’s technical operation.
10.2. Website Developer
10.2.1. Data subjects concerned:
Users visiting the website, regardless of the services used.
10.2.2. Data processor:
Shoptet Kft. (see details above), acting as the website developer.
10.2.3.–10.2.6. The scope, purpose, and duration of data processing are identical to those described in section 10.1.
Data processing is limited to technical operations required for the website’s IT operation.
10.3. Newsletter Management
10.3.1. Data subjects concerned:
Users subscribing to the newsletter, regardless of the use of other services.
10.3.2. Scope of processed data:
Name and e-mail address of the subscriber.
10.3.3. Purpose of processing:
To ensure the IT operation of the newsletter software used by the Controller, through data processing activities necessary for its secure operation.
10.3.4. Duration of processing:
Until the User withdraws consent (unsubscribes) or requests data deletion.
10.3.5. Processing includes only technical operations necessary for the software’s operation.
10.4. Product Delivery
10.4.1. Data subjects concerned:
Users requesting delivery of ordered products to a specified address.
10.4.2. Data processor:
GLS General Logistics Systems Hungary Kft
Company registration number: 13-09-111755
Tax number: 12369410-2-44
EU VAT number: HU12369410
Registered office: 2351 Alsónémedi, GLS Európa utca 2., Hungary
Business site: same as above
Telephone: +36 29 886 700 (customer service, weekdays 07:00–20:00)
E-mail: info@gls-hungary.com
Privacy / Data processing policy: https://gls-group.eu/HU/hu/adatkezelesi-tajekoztato/
acting as the product delivery service provider (hereinafter referred to as the “Data Processor”).
10.4.3. Scope of processed data:
- surname,
- first name,
- telephone number,
- delivery address.
10.4.4. Purpose of processing:
Execution of delivery under the purchase contract concluded with the User, including potential telephone coordination of delivery location and time.
10.4.5. Duration of processing:
Up to 5 years following delivery and completion.
10.4.6. Processing includes only operations necessary for delivery, fulfillment, and handling of related complaints.
10.5. Invoicing
10.5.1.–10.5.5. Covers the data, purpose, and duration of processing necessary for the issuance and secure operation of invoices, in accordance with the Accounting Act. Data are processed for 8 years following invoice issuance.
10.6. Accounting Services
10.6.1.–10.6.5. Covers data necessary for fulfilling the Controller’s statutory accounting obligations. Data are retained for up to 8 years following invoice issuance, then deleted in the following year.
10.7. No processing is carried out for any other purpose.
10.8. The Controller does not use any data processors other than those specified above.
11. Data Subject Rights
11.1. Right to withdraw consent
The User may withdraw consent to data processing at any time, free of charge. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
11.2. Right of access
Upon request, the Controller provides the User with information about their processed data, including categories, recipients, purposes, legal basis, retention periods, processors, and any data breaches. The Controller shall respond without undue delay, but no later than one month from receipt of the request. The User may receive a copy of their personal data free of charge; additional copies may incur a reasonable administrative fee.
11.3. Right to data portability
The User has the right to receive their personal data in a structured, commonly used, machine-readable format and to transmit those data to another controller if processing is based on consent or contract and carried out by automated means.
11.4. Right to rectification
The User may request the correction or completion of inaccurate or incomplete personal data. The Controller must comply without undue delay and within one month of receipt.
11.5. Right to restriction of processing
The User may request restriction of processing under certain circumstances, such as when data accuracy is contested or processing is unlawful, or when data are required for legal claims.
11.6. Right to erasure (“right to be forgotten”)
The Controller shall delete personal data if any of the following apply:
- the data are no longer needed for their original purpose,
- the User withdraws consent and there is no other legal basis,
- the User objects to processing,
- the data were unlawfully processed,
- deletion is required by law,
- the data were collected in connection with information society services offered directly to children.
11.7. Right to object
The User may object at any time to processing based on the Controller’s legitimate interests or to processing for direct marketing purposes. In such cases, the Controller shall cease processing unless overriding legitimate grounds are demonstrated.
12. Fulfillment of User Requests
12.1. The Controller provides the information and actions referred to above free of charge. If the User’s request is clearly unfounded or – in particular due to its repetitive nature – excessive, the Controller, taking into account the administrative costs of providing the requested information or action, may:
a) charge a reasonable fee, or
b) refuse to act on the request.
12.2. The Controller shall inform the User without undue delay, but no later than within one month of receiving the request, about the actions taken on the basis of the request, including the provision of copies of the data. Where necessary, considering the complexity of the request and the number of requests, this deadline may be extended by a further two months. The Controller shall inform the User of any such extension within one month of receipt of the request, stating the reasons for the delay. If the User submits the request electronically, the Controller shall provide the information electronically, unless the User requests otherwise.
12.3. If the Controller does not take action on the User’s request, the Controller shall inform the User without delay, but no later than within one month of receipt of the request, of the reasons for not taking action and of the User’s right to lodge a complaint with the data protection authority specified below and to seek judicial remedy as described there.
12.4. The User may submit requests to the Controller in any form that allows for identification of their person. Identification of the requesting User is necessary, as the Controller may only fulfill requests for authorized individuals. If the Controller has reasonable doubts regarding the identity of the individual submitting the request, it may request additional information necessary to confirm the User’s identity.
12.5. The User may submit their requests by post to the Controller at:
1027 Budapest, Varsányi Irén u. 17,
or by e-mail to: info@nogreylotion.com.
The Controller will only consider e-mail requests authentic if they are sent from the e-mail address registered with the Controller by the User. However, using a different e-mail address does not mean that the request will be ignored. In the case of e-mail, the receipt date is considered the first working day after sending.
13. Data Protection and Data Security
13.1. Within its data processing and handling activities, the Controller ensures the security of personal data through technical and organizational measures and internal policies to enforce applicable legal and confidentiality requirements. The Controller takes appropriate steps to protect data against unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as against accidental loss or damage, and to prevent data from becoming inaccessible due to technological changes.
13.2. The Controller’s IT systems record data used for measuring website traffic and mapping user behavior in a way that they cannot be directly linked to any specific individual.
13.3. Data is processed only for the purposes defined in this notice and to the extent necessary and proportionate to achieve these purposes, in accordance with applicable laws and recommendations, and with adequate security measures in place.
13.4. To this end, the Controller uses an “https” protocol for accessing the website, which enables encrypted and uniquely identifiable web communication. Furthermore, in accordance with the above, the Controller stores processed data in encrypted files separated by data processing purposes, to which only specific employees of the Controller—those performing the activities defined in this notice—have access. These employees are responsible for protecting the data and handling it responsibly, in compliance with this notice and applicable law.
14. Legal Remedies
Users may exercise their rights before a court or may contact the National Authority for Data Protection and Freedom of Information (NAIH):
National Authority for Data Protection and Freedom of Information
Address: 1055 Budapest, Falk Miksa utca 9-11
Postal address: 1363 Budapest, Pf.: 9
Telephone: +36 1 391 1400
Fax: +36 1 391 1410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu/
In the case of court proceedings, the lawsuit may be initiated—at the choice of the User—before the competent court of the User’s place of residence or habitual residence, as the competent authority for such cases is the regional court (törvényszék).
30 October 2025
Tradegap Kft.
