Privacy Policy

1. Introduction
Keystone Services Limited Liability Company (registered office: 1053 Budapest, Ferenciek tere 2. ground floor, tax number: 32734511-2-41, company registration number: 01-09-439823, hereinafter referred to as the “Data Controller”) provides the following information in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR).

This Privacy Policy (sections 1–8) governs the data processing activities related to the following website: https://www.keystoneservices.hu/ (hereinafter: “Website”).
Section 9 applies exclusively to the Data Controller’s social media pages, taking into account the specific characteristics of those platforms.

Amendments to this Privacy Policy shall take effect on the date of their publication on the Website.

2. Data Controller’s contact details
Name: Keystone Services Limited Liability Company
Address: 1053 Budapest, Ferenciek tere 2. ground floor
Email: kapcsolat@keystoneservices.hu

3. Data processing during contact and communication
The Data Controller informs data subjects that it processes the following data for the purposes indicated below after contact has been initiated:

• Name of the requester: to enable identification

• Email address of the requester: for communication and sending replies

• Telephone number of the requester: for communication

• Date and time of contact: for technical processing

General purpose of data processing:
The Data Controller informs data subjects that the processing of the above data is necessary for providing a quote following the data subject’s inquiry. Neither the name nor the email address must contain personal data.

The legal basis for processing is Article 6(1)(a) of the GDPR and Section 13/A(3) of Act CVIII of 2001.
According to Article 6(1)(a) of the GDPR, processing is lawful if the data subject has given consent. Article 4(11) of the GDPR defines consent as any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of personal data concerning them.

Under Section 13/A(3) of Act CVIII of 2001, the service provider may process personal data that are technically essential for providing the service.

4. Duration of data processing
Messages containing inquiries or quote requests will be retained for a maximum of 6 months, or until the data subject requests their deletion.

If any of the conditions in Article 17(1) of the GDPR apply, the data subject has the right to request the deletion of their personal data. The Data Controller shall inform the data subject of the deletion in accordance with Article 19 of the GDPR.

The data subject may request deletion in the following cases:
• The personal data are no longer necessary for the purposes for which they were collected or otherwise processed
• The data subject withdraws consent under Article 6(1)(a) or 9(2)(a), and there is no other legal basis for the processing
• The data subject objects to processing under Article 21(1) or (2), and there are no overriding legitimate grounds for processing
• The personal data have been unlawfully processed
• The personal data must be deleted to comply with a legal obligation under EU or Member State law
• The personal data were collected in connection with the offer of information society services to children as referred to in Article 8(1)

5. Rights of data subjects
Data subjects include anyone who requests a quote or sends a message via the contact form on the Website.

The data subject has the right to obtain confirmation from the Data Controller as to whether personal data concerning them are being processed and, if so, to access the information listed in Article 15(1) of the GDPR, including: the purpose of processing, categories of personal data, recipients or categories of recipients (including international organizations), envisaged storage period, the right to rectification, erasure, restriction of processing, or objection, the right to lodge a complaint with a supervisory authority, the source of data (if not collected from the data subject), the existence of automated decision-making (including profiling) and meaningful information about the logic involved, as well as the significance and potential consequences of such processing.

The data subject also has the right to request rectification or erasure of personal data (Articles 16–17 GDPR), or restriction of processing if any of the conditions listed in Article 18(1) apply, in particular:
• The data subject contests the accuracy of the personal data (restriction applies while verification takes place)
• The processing is unlawful and the data subject opposes erasure, requesting restriction instead
• The Data Controller no longer needs the personal data for processing purposes, but the data subject requires them for legal claims
• The data subject objects to processing under Article 21(1); restriction applies while it is determined whether the Data Controller’s legitimate grounds override those of the data subject

According to Article 20 of the GDPR, the data subject has the right to receive their personal data from the Data Controller in a concise, transparent, intelligible, and easily accessible form. The data subject also has the right to withdraw consent at any time (Article 13(2)(c) GDPR). Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

The data subject may exercise their rights by contacting the Data Controller as follows:
By post: 1053 Budapest, Ferenciek tere 2. ground floor
By email: kapcsolat@keystoneservices.hu

The Data Controller will inform the data subject within one month of receiving the request about the actions taken under Articles 15–20 of the GDPR. This period may be extended by two months depending on the complexity and number of requests. The Data Controller will inform the data subject of any delay within one month, including the reasons.

Information and actions are provided free of charge. A reasonable fee may be charged, or the request refused, only if it is manifestly unfounded or excessive, particularly due to its repetitive nature.

6. Data security and data protection incidents
Personal data may only be accessed by sales and marketing staff employed by the Data Controller. Data processors act solely in accordance with the Data Controller’s instructions. Computers used for processing are protected with antivirus software, and access to the central server is restricted to authorized personnel.

If a data protection incident occurs, the Data Controller shall notify the National Authority for Data Protection and Freedom of Information (NAIH) within 72 hours of becoming aware of it, in accordance with Articles 33(1)-(3) and 34(1)-(2) GDPR. If the incident is likely to result in a high risk to the rights and freedoms of individuals, the Data Controller will also notify the affected individuals without undue delay, providing details on the nature of the incident, categories of data affected, contact details of the person providing further information, possible consequences, and measures taken or proposed to mitigate those consequences.

Notification to the supervisory authority is not required if the incident is unlikely to pose a risk to the rights and freedoms of individuals.

7. Cookies and chat-based real-time communication on the website
The Data Controller informs users that they may delete cookies stored on their browser at any time or configure their browser settings to manage which cookies are saved.

Cookies do not in themselves identify users; they merely recognize the device used to access the Website.

7.1. Cookies necessary for website operation
Data subjects: all visitors to the Website.
Purpose: to ensure proper website functionality.
Legal basis: Article 6(1)(f) GDPR (legitimate interest of the Data Controller) and Section 13/A(3) of Act CVIII of 2001.
Such cookies are only processed for the duration necessary to maintain website functionality, typically until the end of a browsing session. Session cookies prevent data loss and operate only during an active visit.

7.2. Non-essential cookies
Data subjects: all visitors to the Website.
Purpose: statistical (e.g., visitor analytics) or marketing (e.g., advertising tracking) purposes.
Legal basis: Article 6(1)(a) GDPR (consent of the data subject).
Retention period: from 1 month up to 1 year.

8. Complaints
If the Data Controller violates applicable data protection laws, the data subject may file a complaint with the National Authority for Data Protection and Freedom of Information (NAIH):
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Postal address: 1530 Budapest, P.O. Box 5
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Email: ugyfelszolgalat@naih.hu

The data subject may also bring a civil action against the Data Controller before the competent court. The case shall fall within the jurisdiction of the Metropolitan Court of Budapest, but the action may also be filed before the court of the data subject’s domicile.

9. Social media policy
Activities on social media platforms are governed by the terms and privacy policies of the respective platforms. The Data Controller acts as both administrator and owner of its social media pages (e.g., Facebook), and is therefore responsible for data processing on those pages.

Data processed: registered name and public profile picture of the user.
Data subjects: all individuals who have registered on the relevant social media platform and have “liked” or otherwise interacted with the Data Controller’s page.
Legal basis: Article 6(1)(a) GDPR (consent).
Purpose: communication and information sharing with individuals who contact the Data Controller through social media.

If any content shared by the Data Controller violates the rights of the data subject, they may first contact the Data Controller to raise objections or request deletion. If the Data Controller fails to act appropriately, the data subject may file a complaint with the National Authority for Data Protection and Freedom of Information.