Privacy Policy

At Topo Guru, our mission is to make climbing easier for climbers from all over the world. That mission covers our activities, and extends to our online community as well through our website and application. Our Privacy Policy describes what Personal Data we collect online and how we use that information.

1. INTRODUCTION

Topo Guru Kft. (Company registration number: 01-09-331478) hereinafter referred to as “Data Controller” in this Privacy Policy (hereinafter referred to as “Privacy Policy”) describes how we collect, use, transfer, transmit and handle user data of https://www.topoguru.com website and Topo Guru x theCrag mobile phone application users (collectively: Customers).

The Data Controller has the right to unilaterally change this Privacy Policy at any time in order to comply with the legal provisions in force at any time, including changes related to changes in the Data Controller's services. Changes to this Privacy Policy will be published on our website at https://www.topoguru.com/ at the same time as the change.

If you have any questions about this Privacy Policy, please write to us at info@topoguru.com and we will answer your questions. This Privacy Policy and any amendments thereto may be found on the Company's website at https://www.topoguru.com/privacy/.

During the development of this Privacy Policy, the Data Controller has been regarded to the following legislation:

Regulation (EU) 2016/679 of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Regulation (EC) No 95/46 (hereinafter "GDPR"),

• Act CXII of 2011 on the right to information self-determination and freedom of information. Act ("Information Act")
• Act V of 2013 on the Civil Code (“Civil Code”)
• Act XLVIII of 2008 on the basic conditions and certain restrictions of economic advertising activity Act (“Grt”),
• Act CVIII of 2001 on certain issues of electronic commerce services and information society services Act ("Circular Act")
• Act C of 2000 on Accounting ("Accounting Act")
• CL of 2017 on the order of taxation Act ("Art.")
• CLV of 1997 on consumer protection Act ("Fgy. Act")

2. DEFINITIONS

The following terms used in this prospectus have the following meanings

"Processor" means any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

 "Processing" means any operation or set of operations on personal data or files, whether automated or non-automated, such as collection, recording, systematisation, sorting, storage, transformation or alteration, retrieval, consultation, use, communication, transmission, distribution or other harmonization or interconnection, restriction, deletion or destruction;

"Restriction of data processing" means the marking of stored personal data with the aim of limiting their future processing;

"Controller" means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or national law, the controller or the specific criteria for the designation of the controller may also be determined by Union or national law;

"Data protection incident" means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data which have been transmitted, stored or otherwise handled.

 "Recipient" means a natural or legal person, public authority, agency or any other body to whom or with which personal data are communicated, whether a third party or not. Public authorities that may have access to personal data in the framework of an individual investigation in accordance with Union or national law shall not be considered as recipients; the processing of such data by these public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;

"Cookie": a cookie is a short text file that our web server sends to the affected device (be it any computer, mobile phone or tablet) and reads it back. There are temporary cookies (also known as session) that are automatically deleted from your device when you close your browser, and there are longer-lived cookies that stay on your affected device for a longer period of time (this also depends on the settings of your affected device);

"Data subject" means a person identified or identifiable, directly or indirectly, on the basis of personal data, who must always be a specified person. Only natural persons are considered to be concerned, so not legal persons, so data protection only protects the data of natural persons. However, personal data includes, for example, the data of a sole proprietor or a representative of a company (eg telephone number, e-mail address, place of birth, time, etc.).

"Consent of the data subject" means a voluntary, specific and well-informed and unambiguous statement of the will of the data subject to indicate his or her consent to the processing of personal data concerning him or her by means of a statement or unambiguous statement of confirmation;

"Third party" means any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons authorized to process personal data under the direct control of the controller or processor; they got;

 "Personal data" means any information relating to an identified or identifiable natural person ("data subject"); identify a natural person who, directly or indirectly, in particular by an identifier such as name, number, location, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person identifiable. Individuals may also be associated with online identifiers, such as IP addresses and cookie identifiers, and other identifiers, such as radio frequency identification tags, provided by the devices, applications, devices and protocols they use. This can create clues that, when combined with unique identifiers and other information received by the servers, can be used to create a profile of natural persons and identify that person;

 "Undertaking" means any natural or legal person engaged in an economic activity, regardless of the legal status of the entity, including partnerships and associations carrying on a regular economic activity;

3. DESCRIPTION OF PRINCIPLES OF DATA MANAGEMENT

The Data Controller handles personal data lawfully and fairly, in a way that is transparent to the data subjects, for the clear and legitimate purposes specified in this Privacy Policy (“according to the purpose limitation principle”). Data management is limited to what is necessary to achieve the purposes of the Data Controller ("data saving"). In accordance with the principle of accuracy, the Data Controller shall ensure that the personal data processed by him or her are up-to-date, for which purpose the Data Controller shall take all reasonable measures to delete or correct inaccurate personal data for the purposes of data processing ("accuracy principle"). The data controller acknowledges that personal data may only be stored for the time necessary to achieve its purposes ("limited storage principle"). The controller shall process the data in such a way as to ensure adequate security of personal data, including appropriate technical or organizational measures, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage to the data ("integrity and confidentiality"). In order to verify compliance with the principles presented, the data controller shall keep internal data management records for each of his data processing operations ("accountability principle").

The principles contained in this Privacy Policy describe our personal data practices. Our data management principles apply to paper-based data management and to all devices, websites, customer service platforms or other online applications operated by the Data Controller that link to them via the Internet or otherwise.

4. GENERAL INFORMATION RELATING TO DATA PROCESSING

The Data Controller handles the personal data of the data subject in order to provide the services used by the data subject and to improve the user experience. This Privacy Policy provides information on the data management performed by the data controller in connection with the activities listed below:

a) When using the Topo Guru x theCrag mobile application, such as: the Registration; Photo or video uploa

b) when subscribing to newsletters via the website or the mobile application

c) In response to inquiries addressed to the company through various communication channels

d) In connection with the processing of data via cookies on the website operated by the company.

4.1. General information about each data processing:

For the purposes of this data management information, the following are considered to be data controllers:

Topo Guru Kft.

1032 Budapest, Kiscelli utca 33. 3rd floor 2.

Tax number: 26548212241

Company registration number: 01 09 331478

5. INFORMATION RELATING TO EACH DATA PROCESSING

 5.1. Registration and purchase in the Topo Guru x theCrag mobile application:

 The purpose of data management:

- user identification and contact

- registration of user status (free, premium)

Affected customers: Customers using the company's mobile application

Data managed: Name, email address, country, city, type of subscription

Legal basis for data management: Identification of the user as a customer and contact with the data subject in accordance with Article 6 (1) of the GDPR .

Duration of data management: Until the registration of the data subject is canceled or the premium subscriber status is terminated.

Persons entitled to access the data The company's customer service and invoicing employees

Data transmission:

Since the application is only available from the official application download center (store) for both Android and IOS systems, and it is also possible to pay the premium status through this, the user status must be recorded by the service providers, so it will be transferred to Google inc, or Apple inc. depending on which “store” the app was downloaded from.

Data processors: none

5.2. Data management when subscribing to a newsletter

Purpose of data management: Newsletters can also be subscribed to on the website and in the mobile application. The main purpose of data management is to send marketing inquiries to data subjects. The Data Controller may use the data for marketing research and surveys. In accordance with the relevant legal regulations, the Data Controller keeps a register of the natural persons who have subscribed to the newsletter service. The Data Controller does not send newsletters to natural persons not included in the register.

The data managed: Name, email address

Legal basis for data management: Consent to the Info. TV. § 5 (1) a) and Article 6 (1) a) of the GDPR, Eker. TV. 13 / A. § and Grt. Pursuant to Section 6 (1).

Duration of data processing: Until the exercise of the right to protest or the voluntary unsubscription.

Persons entitled to access the data: Employees of the company who control the sending of newsletters

Data transmission: None

Data processors: We use the mailchimp system to send newsletters, and store the names and email addresses of our subscribing customers in it. Mailchimp handles personal information only for the purpose and for the time specified by us.

5.3. Contact data management

The company can be contacted through several communication channels, eg email, telephone, social media. If you search by phone, the conversation will not be recorded.

The purpose of data management: To serve those interested in the company's services, to answer their questions, to keep in touch.

The data managed: The personal data provided during the contact typically: Name, email address, telephone number

Legal basis for data processing: Consent of the data subject, pursuant to Article 6 (1) (a) of the GDPR. As the contact is always initiated by the data subject, the provision of your personal data can be considered voluntary and the consent to the data processing has been given.

Duration of data management: Until the given question is answered.

Persons entitled to access the data: Employees of the company entrusted with customer service

Data transmission: none

Data processors: The provider of our mail system is BlazeArts Kft. (Hungary, H-6090 Kunszentmiklós, Damjanich u. 36. 1/8).

5.4. Upload pictures or videos

Users of the Topo Guru x theCrag app can also upload images and videos to the app that will be shared.

The purpose of data management: Publishing images and videos shared by users.

The data processed: If there are private individuals suitable for identification in the image or video recording, their facial image is present as personal data.

Legal basis for data processing: Consent of the data subject, pursuant to Article 6 (1) (a) of the GDPR.

Duration of data management: Images or videos are stored until the user requests their deletion.

Persons entitled to access the data: Employees of the company entrusted with customer service.

Data transfer: After editing, the uploaded videos will be uploaded to the Yotube video sharing page and linked to the application so that the data will be transferred to Google inc., Which operates Youtube. towards.

Data processors: none

5.5. Data management related to cookie handling

Cookies are short text files of letters and numbers that are downloaded to the browser of a computer, mobile device or other device by web stores visited by the user. The cookie can be installed based on the user's device and a request sent to the server hosting the website or to a server of a third party. Cookies can be divided into 3 major groups:

Required cookies:

In order for the web store to work properly, we need to use cookies. Cookies are required if the web store would not be able to function properly.

The required cookies can control, for example, the following functions:

- whether or not the visitor page should reappear to the visitor

- a list of products on a wish list

- the current language of the store, which can be set by the customer

- etc.

Statistical cookies:

The statistical cookie collects information about how our visitors use our web store. These cookies cannot accurately identify the user. The information collected by statistical cookies includes pageviews, clicks, session length, time of visit, and more.

Marketing cookies:

Marketing cookies help the web store to provide the most pleasant browsing experience for its visitors, including by displaying personalized offers and advertisements.

When you visit www.topoguru.com, the following cookies are loaded:

6. INFORMATION ABOUT THE RIGHTS OF DATA SUBJECTS

Right to information and access to personal data processed:

The data subject has the right to receive feedback from the Data Controller as to whether the processing of his / her personal data is in progress and, if such data processing is in progress, he / she has the right to access the personal data and the following information:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipients to whom the personal data have been or will be communicated, including in particular recipients in third countries or international organizations;

(d) where applicable, the intended period for which the personal data will be stored or, if that is not possible, the criteria for determining that period;

(e) the data subject's right to request the controller to rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data;

(f) the right to lodge a complaint with a supervisory authority;

(g) if the data were not collected from the data subject, all available information on their source;

(h) the fact of automated decision-making, including profiling, and at least in such cases, comprehensible information on the logic used and the significance of such data processing and the expected consequences for the data subject.

If personal data are transferred to a third country or to an international organization, the data subject has the right to be informed of the appropriate guarantees for the transfer.

The Data Controller shall provide the data subject with a copy of the personal data subject to data processing. The Data Controller may charge a reasonable fee based on administrative costs for additional copies requested by the data subject. If the data subject has submitted the request electronically, the information shall be provided by the Data Controller in a widely used electronic format, unless the data subject requests otherwise.

The right to request a copy referred to in the preceding paragraph shall not adversely affect the rights and freedoms of others.

Right of correction:

At the request of the data subject, the Data Controller shall correct inaccurate personal data concerning the data subject without undue delay. Taking into account the purpose of the data processing, the data subject has the right to request that the incomplete personal data be supplemented, inter alia, by means of a supplementary statement.

To delete ("right to forget"):

The data subject has the right to have the personal data deleted by the Data Controller without undue delay upon his / her request for any of the following reasons:

(a) personal data are no longer required for the purpose for which they were collected or otherwise processed;

(b) the data subject withdraws his or her consent on which the processing is based and there is no other legal basis for the processing;

(c) the data subject objects to the processing and there is no overriding legitimate reason for the processing or if the processing would be linked to a direct acquisition;

(d) personal data have been processed unlawfully;

(e) personal data must be deleted in order to fulfill a legal obligation under Union or Member State law applicable to the controller;

(f) personal data have been collected in connection with the provision of information society services.

Deletion of data cannot be initiated if data management is required:

(a) for the purpose of exercising the right to freedom of expression and information;

(b) compliance with an obligation under Union or Member State law applicable to the controller to process personal data or in the public interest;

(c) for preventive health or occupational health purposes, to assess a worker's ability to work, to make a medical diagnosis, to provide health or social care or treatment, or to manage health or social systems and services under Union or Member State law or under contract to a health professional; the processing of data is carried out by or under the responsibility of a professional subject to professional secrecy laid down in Union or Member State law or in the rules laid down by the competent authorities of the Member States, or by another person who is also subject to Union or Member State law; is subject to the conditions of professional secrecy laid down in the rules laid down by the competent authorities of the Member States;

(d) in the public interest in the field of public health, such as protection against serious cross-border threats to health or the provision of high quality and safety of healthcare, medicines and medical devices, and under Union or Member State law that is appropriate and specific; provides for measures to guarantee the protection of the rights and freedoms of the data subject, and in particular professional secrecy;

(e) in the public interest in the field of public health and the processing of such data is carried out by or under the responsibility of a professional subject to professional secrecy laid down in Union or Member State law or in the rules laid down by the competent authorities of the Member States; who is also subject to an obligation of confidentiality laid down in Union or Member State law or in rules laid down by the competent authorities of the Member States;

(f) for archiving in the public interest, for scientific and historical research purposes or for statistical purposes, where the right of erasure is likely to make such processing impossible or seriously jeopardize it.

1. g) to submit, assert or defend legal claims.

Right to restrict data processing:

At the request of the data subject, the Data Controller shall restrict the data processing if one of the following conditions is met:

(a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period which allows the data subject to verify the accuracy of the personal data;

(b) the processing is unlawful and the data subject opposes the erasure of the data and instead requests that their use be restricted;

1. c) the Data Controller no longer needs the personal data for the purpose of data processing, but the data subject requests them in order to submit, enforce or protect legal claims; obsession
2. d) the data subject has objected to the data processing in connection with the data processing of the Data Controller based on the public interest or a legitimate interest; in that case, the restriction shall apply for as long as it is established whether the legitimate reasons of the controller take precedence over the legitimate reasons of the data subject.

Where the processing is subject to a restriction on the basis of the above, such personal data, with the exception of storage, shall be subject to the consent of the data subject or to the submission, enforcement or protection of legal claims can be treated.

The Data Controller shall inform the data subject, at whose request the data processing has been restricted on the basis of the above, in advance of the lifting of the data processing restriction.

Right to data portability:

The data subject shall have the right to receive the personal data concerning him or her made available to the Data Controller in a structured, widely used machine-readable format and to transfer such data to another data controller without being hindered by the data controller whose provided personal data if:

(a) the processing is based on consent or contract; and

(b) the processing is carried out in an automated manner.

In exercising the right to data portability as described above, the data subject shall have the right, if technically feasible, to request the direct transfer of personal data between data controllers.

The exercise of the right to data portability shall not infringe the right of erasure ("forgetting"). That law shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The right to data portability must not adversely affect the rights and freedoms of others.

Right to protest:

The data subject has the right to object to the processing of his / her personal data by the Data Controller at any time for reasons related to his / her situation, if the data processing is based on the public interest or the exercise of public authority including profiling based on those provisions. In this case, the Data Controller may not further process the personal data, unless it proves that the data processing is justified by overriding legitimate reasons which take precedence over the interests, rights and freedoms of the data subject or which relate to the submission, enforcement or protection of legal claims.

Where personal data are processed for the purpose of direct business acquisition, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for that purpose, including profiling, in so far as it relates to direct business acquisition. If the data subject objects to the processing of personal data for the purpose of direct business acquisition, the personal data may no longer be processed for this purpose.

Where personal data are processed for scientific and historical research or statistical purposes, the data subject shall have the right to object to the processing of personal data concerning him or her on grounds relating to his or her situation, unless such processing is necessary for the performance of a task carried out in the public interest.

Right of withdrawal:

The data subject has the right to withdraw his or her consent at any time if the data controller's data management is based on the data subject's consent. Withdrawal of consent shall not affect the lawfulness of the data processing prior to withdrawal.

Procedure in the event of an application by a data subject concerning the exercise of the above rights:

The Data Controller shall, without undue delay, but in any case within one month (30 days) from the receipt of the request, inform the data subject of the action taken on the data subject's request regarding the exercise of the rights set forth in this Privacy Policy. If necessary, taking into account the complexity of the application and the number of applications, this time limit may be extended by a further two months.

The Data Controller shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month from the receipt of the request. If necessary, taking into account the complexity of the application and the number of applications, this deadline may be extended by a further two months (60 days). If the data subject has submitted the request by electronic means, the information shall, as far as possible, be provided by electronic means, unless the data subject requests otherwise.

If the Data Controller fails to take action on the data subject's request, it shall inform the data subject without delay, but no later than one month after receipt of the request, of the reasons for non-action and of the data subject's right to appeal to a supervisory authority.

The Data Controller shall provide the requested information and information free of charge, provided that if the data subject's request is manifestly unfounded or, in particular due to its repetitive nature, excessive, the Data Controller may charge a reasonable fee for the administrative costs of providing the requested information or information or taking the requested action. , or refuse to act on the request.

The Data Controller shall inform all recipients to whom he or she has communicated the personal data of any rectification, erasure or restriction of data processing, unless this proves impossible or requires a disproportionate effort. Upon request, the Data Controller shall inform the data subject of these recipients.

Please send any questions or requests related to your personal data and data management stored in the system to our e-mail address. Please note that we are only able to provide information or take action on the processing of your personal data in your interest if you have provided credible proof of your identity.

In order to respond to your request, we always need the following information:

• your email address provided during registration
• Your full name
• your billing address

Please be sure to send the request from the email address provided during registration.

7. DATA SECURITY MEASURES

The Data Controller and the server network operator shall protect the data against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, in addition to reasonably available state-of-the-art hardware and software support. As a general rule, the data managed by the Data Controller may be disclosed only to the Data Controller's employees and other contributors participating in the implementation of the data management objectives specified in these Rules. they shall be bound by the obligation of professional secrecy with regard to the information which they obtain.

All data management activities of the Data Controller must be accurately documented. The Data Controller must keep records of all data management activities performed by him / her (eg newsletter, webshop, employee register). In order to check the lawfulness of the data transfer and to inform the data subject, the Data Controller keeps a data transfer register, which contains the date of transfer of the processed data, legal basis, recipient, determination of the scope of data and other data specified in the legislation prescribing data management.

7.1 Security of digitally stored personal data

In order to ensure the security of personal data stored on the computer or network, the Data Controller shall take the following measures:

• continuously provides virus protection on the personal data management network,
• prevents unauthorized persons from accessing the network by using the available computer tools

8. DATA PROCESSORS

The Data Controller uses the named Data Processors indicated in this Privacy Policy during each data processing to perform its activities. The Data Processor does not make an independent decision, it is only entitled to act in accordance with the contract concluded with the Data Controller and the instructions received. The Data Controller monitors the work of the Data Processor. The Data Processor is entitled to use an additional data processor only with the prior written consent of the Data Controller.

 9. PRIVACY INCIDENT

Privacy Incident: A security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal information that is transmitted, stored, or otherwise handled.

If the data protection incident is likely to pose a high risk to the rights and freedoms of natural persons, the Data Controller shall, without undue delay, inform the data subject of the data protection incident in a clear and comprehensible manner.

The data subject need not be informed if any of the following conditions is met:

(a) the controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the data protection incident, in particular measures such as the use of encryption which make it incomprehensible to persons not authorized to access personal data; make the data;

(b) the controller has taken further measures following the data protection incident to ensure that the high risk to the data subject's rights and freedoms is no longer likely to materialize;

(c) the information would require a disproportionate effort. In such cases, the data subject shall be informed through publicly available information or a similar measure shall be taken to ensure that the data subject is informed in an equally effective manner.

10. LEGAL REMEDIES 

a) The Data Controller may be contacted at any of the contact details provided in this Privacy Policy with any questions or remarks related to data management.

b) by submitting an investigation to the Hungarian National Authority for Data Protection and Freedom of Information (mailing address: 1374 Budapest, Pf. 603., phone: + 36-1-391-1400, email: ugyfelszolgalat@naih.hu, website: www.naih.hu) may initiate on the grounds that the processing of your personal data has been infringed or is in imminent danger; or

c) In case of violation of his / her rights, the data subject may take legal action against the Data Controller. The court is acting out of turn in the case. The Data Controller is obliged to prove that the data management complies with the provisions of the law. The trial falls within the jurisdiction of the tribunal. The action may, at the option of the person concerned, also be brought before the court of the place of residence or stay of the person concerned.