Privacy Policy
1. Introduction
The operator of the website crossfit314.hu – hereinafter referred to as the “Website” – is Highlander Ltd. (hereinafter referred to as the “Data Controller”). By publishing this Privacy Statement and Data Management Information (hereinafter referred to as the “Privacy Policy”), the Data Controller outlines the principles governing its data processing activities, which it acknowledges as binding upon itself. The Data Controller takes all reasonably expected measures to ensure the security of personal data it manages.
Please read this Privacy Policy before using our website, as it clearly explains how we handle your personal data in a transparent manner. The Data Controller provides clear and detailed information to the data subjects about all relevant aspects of data processing.
During the operation of the website, the Data Controller processes the data of registered individuals in order to provide them with appropriate services. The service provider fully complies with the legal requirements related to the processing of personal data, particularly those set out in Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR).
This Privacy Policy has been prepared based on Regulation (EU) 2016/679 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, taking into account the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.
Service provider and Data Controller identification and contact details:
Name: Highlander Ltd.
Registered office: 43 Körte Street, 2095 Pilisszántó, Hungary
Tax number: 25461402-1-13
Website name and address: crossfit314.hu
E-mail: crossfit314@crossfit314.hu
2. Definitions
- Personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Data subject: any identified or identifiable natural person whose personal data is processed by the Data Controller.
- Consent of the data subject: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- Data Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data processing: any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure or destruction.
- Data erasure: making the data unrecognizable in such a way that its restoration is no longer possible.
- Data Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.
- Data processing operation: the performance of technical tasks related to data processing operations, regardless of the method and means used for execution and the location of the application, provided that the technical task is performed on the data.
- Data set: all data managed within a single record system.
- Data protection incident: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- Recipient: a natural or legal person, public authority, agency, or another body, to which personal data are disclosed, whether a third party or not.
- Third party: a natural or legal person, public authority, agency or body other than the data subject, Data Controller, Data Processor, and persons who, under the direct authority of the Data Controller or Data Processor, are authorized to process personal data.
- Information society service: any service normally provided for remuneration, at a distance, by electronic means, and at the individual request of a recipient of services.
- Electronic commerce service: any information society service aimed at the commercial sale, purchase, exchange, or use of movable tangible goods, services, real estate, or rights of value.
- GDPR (General Data Protection Regulation): the new Data Protection Regulation of the European Union.
3. Scope of Users
A “User” is any identified or identifiable natural person, whether registered or unregistered, who uses the services of the Website and whose personal data is processed directly or indirectly.
4. Principles of Data Processing
The Data Controller declares that it processes personal data in accordance with the provisions of this Privacy Policy and complies with all applicable legal regulations, with particular regard to the following:
- Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- Personal data shall be collected only for specified, explicit, and legitimate purposes.
- The purpose of processing shall be appropriate and relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Personal data must be accurate and kept up to date. Inaccurate personal data shall be erased without delay.
- Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Longer storage may only occur for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
- Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, using appropriate technical or organizational measures.
- The principles of data protection shall apply to all information concerning an identified or identifiable natural person.
5. Important Information About Data Processing
- Purpose of data processing: communication, providing information, and additional services.
- Legal basis of data processing: consent of the data subject.
- Scope of data subjects: registered users of the website (newsletter subscribers, users submitting forms).
- Duration of data processing and data deletion: the duration depends on the specific purpose of use, but data shall be deleted immediately once the original purpose is fulfilled. The data subject may withdraw consent at any time via the contact e-mail address, and if there is no legal obstacle, the data will be deleted.
- Persons authorized to access data: the Data Controller and its employees.
- Rights of the data subject: the data subject may request access, rectification, deletion, or restriction of processing concerning his/her data and may object to such processing, as well as exercise the right to data portability.
- The data subject may withdraw consent to data processing at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- The data subject has the right to lodge a complaint with the supervisory authority.
- If the data subject wishes to use the benefits of registration (i.e., access services that require registration), providing personal data is necessary. Data provision is voluntary; however, certain website features may not be accessible without registration.
- The data subject has the right to request rectification or completion of inaccurate personal data without undue delay.
- The data subject has the right to request the erasure of personal data without undue delay, and the Data Controller must delete such data unless another legal basis applies.
- Modification or deletion of personal data may be requested via e-mail, phone, or letter using the contact details provided above.
6. Completion of the Website Inquiry Form
The Data Controller uses the data received through the website’s inquiry form solely for communication and providing information.
Data Processor responsible for data handling:
Name: Highlander Ltd.
Registered office: 43 Körte Street, 2095 Pilisszántó, Hungary
Tax number: 25461402-1-13
Website: crossfit314.hu
E-mail: crossfit314@crossfit314.hu
| Scope of Processed Data | Purpose of Data Processing | Data Retention Period |
| --- | --- | --- |
| E-mail address | Identification, communication | 5 years |
| Name | Identification, communication | 5 years |
| Phone number | Identification, communication | 5 years |
7. Sending Newsletters
As the operator of the website, we declare that all published information and materials fully comply with applicable laws. We also declare that upon newsletter subscription, we are unable to verify the authenticity of contact information or determine whether it belongs to an individual or a business entity. Businesses contacting us are treated as client partners.
The purpose of data processing is to send professional materials, electronic messages containing advertisements, information, and newsletters, which can be unsubscribed from at any time without consequences. You may unsubscribe at any time, even if your business has ceased to exist or someone provided your contact information to us.
The legal basis of processing is your consent. By subscribing, you expressly consent to being contacted by the service provider via e-mail with offers, information, and other communications, and to the processing of your personal data for this purpose.
Please note that providing the necessary data is required to receive newsletters. Without providing this information, we cannot send newsletters.
The duration of processing: until consent is withdrawn. Consent may be withdrawn at any time by sending an e-mail to the contact address provided above. Data will be deleted upon withdrawal of consent. Consent may also be withdrawn through the link provided in the newsletters.
- Persons authorized to access the data: the Data Controller and its employees.
- Data storage method: electronic.
- Data modification or deletion: may be requested via e-mail, phone, or letter using the contact details above.
- Data Processor used: Highlander Ltd.
Please note that your e-mail address does not have to contain any information identifying you personally. You are free to use a generic address. However, an e-mail address is essential to receive newsletters or professional information.
Newsletter Service Provider
Company name: Twilio Ireland Limited
Address: 3 Dublin Landings, North Wall Quay, Dublin 1, Ireland
E-mail: info@twilio.com
| Scope of Processed Data | Purpose of Data Processing | Data Retention Period |
| --- | --- | --- |
| E-mail address, phone number | Identification, communication | 5 years |
| Name | Identification, communication | 5 years |
| Company name | Identification, communication | 5 years |
8. Authorized Data Processor
The entity authorized to process personal data is Highlander Ltd., acting as the Data Processor. The personal data being processed may be accessed by the Data Processor’s legal representatives, employees, contractors, or partners. The Data Processor does not transfer personal data to third parties, except when the data subject has given explicit consent.
Hosting Provider
Company name: RackForest Plc.
Address: 1132 Budapest, Victor Hugo Street 11., 5th floor, B05001
Phone: +36 1 211 0044
E-mail: info@rackforest.com
The data you provide are stored on servers operated by the hosting provider. Only our employees and the server operator’s staff have access to this data, and all are responsible for ensuring secure data handling.
Activity description: hosting and server services.
Purpose of data processing: to ensure the operation of the website.
| Scope of Processed Data | Purpose of Data Processing | Data Retention Period |
| --- | --- | --- |
| | Identification, communication | 30 days |
| Subscription date | Technical information process | 30 days |
| IP address | Technical information process | 30 days |
The processed data: personal data provided by the data subject.
The duration and deletion period of data processing: until the end of website operation or as specified in the contractual agreement between the website operator and the hosting provider.
The data subject may also request deletion of their data directly from the hosting provider if necessary.
Legal basis of data processing: consent of the data subject and/or processing required by law.
9. Duration of Data Processing
The Data Controller processes personal data provided by the User based on consent until the purpose of processing is achieved or the User withdraws consent. Personal data provided during registration are processed until the User’s registration is terminated.
Unless otherwise provided by law, the Data Controller may continue processing the collected personal data:
- (a) to fulfill its legal obligations, or
- (b) to enforce its legitimate interests or those of a third party, provided that such interests are proportionate to the limitation of the right to personal data protection.
The Data Controller retains and processes personal data collected to fulfill accounting obligations for 8 years in accordance with Section 169 of Act C of 2000 on Accounting, and within the limitation period defined by Act XCII of 2003 on the Rules of Taxation.
10. Data Transfer and Data Linking
The Data Controller does not sell, rent, or otherwise make available personal data or information about the User to other companies or individuals.
The Data Controller ensures appropriate security of the data and implements the necessary technical and organizational measures to enforce data protection principles and safeguard personal data.
The Data Controller transfers personal data to third parties only with the explicit consent of the data subject.
11. Cookies
Cookies are small text files placed on the user’s computer by visited websites. They contain information such as website settings or login status. Cookies improve user experience by saving browsing data and allowing the website to remember preferences and provide locally relevant content.
The website’s server sends a small file (cookie) to the visitor’s computer to record the fact and time of the visit; the service provider informs the visitor of this.
- Scope of data subjects: visitors of the website.
- Purpose of data processing: providing additional services, identification, and visitor tracking.
- Legal basis of processing: user consent is not required when cookies are essential for the website’s operation.
- Scope of processed data: unique identifier, timestamp, configuration data.
Users can delete cookies from their browsers at any time through the Settings menu.
- Authorized Data Controllers: the Data Controller does not process personal data using cookies.
- Data storage method: electronic.
12. Social Media
Social media is a communication tool in which messages are distributed by the users themselves. It uses the Internet and online platforms to enable users to become content creators rather than mere content consumers.
Social media platforms such as Facebook, Google+, Twitter, and others contain user-generated content. These platforms may include public speeches, presentations, product or service descriptions, blog posts, photos, videos, audio files, message boards, and emails.
Accordingly, the range of data processed may include, in addition to personal data, the user’s public profile picture.
- Scope of data subjects: all registered users.
- Purpose of data collection: to promote the website or related web pages.
- Legal basis of data processing: voluntary consent of the data subject.
- Duration of data processing: according to the policies available on the respective social media platform.
- Data deletion deadline: according to the respective platform’s rules.
- Authorized persons to access the data: as defined by the relevant social platform.
- Rights related to data processing: as defined by the relevant social platform.
- Data storage method: electronic.
It is important to note that when a user uploads or submits any personal information, they grant a global license to the social media platform operator to store and use such content. Therefore, it is essential to ensure that the user has full authorization to share the information made public.
13. Rights Related to Data Processing
Right to information:
- You may request information from us via the provided contact details regarding what personal data we process, on what legal basis, for what purposes, from what sources, and for how long. We will respond to your request without undue delay, but no later than 30 days, via the e-mail address you provide.
Right to rectification:
- You may request correction of any of your data through the contact details provided. Upon your request, we will make the correction without undue delay, but no later than 30 days, and inform you via e-mail.
Right to erasure (“right to be forgotten”):
- You may request the deletion of your personal data at any time. Upon your request, we will delete the data without undue delay, but no later than 30 days, and inform you via e-mail.
Right to restriction of processing:
- You may request the restriction of data processing. The restriction will remain in effect as long as the reason you specify requires the storage of the data. Upon your request, we will restrict the data within 30 days and inform you via e-mail.
Right to object:
- You may object to the processing of your personal data. We will examine the objection as soon as possible, but no later than 15 days after submission, decide on its justification, and inform you of our decision via e-mail.
14. Enforcement of Rights Related to Data Processing
In case of unlawful data processing, please contact our company first, so we can promptly restore lawful operation. We will do our utmost to resolve any issue raised.
If, in your opinion, the lawful state cannot be restored, you may contact the supervisory authority:
National Authority for Data Protection and Freedom of Information (NAIH)
Postal address: 1530 Budapest, P.O. Box 5.
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
Website: https://www.naih.hu
Coordinates: N 47°30’56”; E 18°59’57”17
Legal basis of data processing
- Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR).
- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.
- Act LXVI of 1995 on Public Records, Public Archives, and the Protection of Private Archives.
- Government Decree No. 335/2005 (XII. 29.) on the general requirements for record management of public bodies.
- Act CVIII of 2001 on Electronic Commerce and Information Society Services.
- Act C of 2003 on Electronic Communications.
Effective date of this Privacy Policy: 12 March 2022.
The Data Controller reserves the right to amend this Privacy Policy at any time.












