1.1 Preamble
The scope of this Privacy Notice applies equally to all domain addresses from which this system is officially accessible. In addition, it covers the legal relationships of the connected applications and networks. This Document is placed in the footer of the current Website, available in multiple languages, effective from the indicated date, and valid until revoked. By using the Website—especially when placing an order and expressly designating the related field—the User accepts that all regulations relating to the use of the Website automatically apply to them.
If the User accesses the Website operated by the Company or uses a related application, and reads its content in any manner, they acknowledge the obligations set forth in this Document as binding on themselves. The Operator reserves the right to unilaterally amend the content of the Document, which is not retroactive.
1.2 Data Controller, Operator
Enternova Kft.
- 2161 Csomád
- 48 Szent István Street
- Tax number: HU24892955
- Contact: via the Website’s support ticket system
- Application development: NOVA26
1.3 Data Processors and Data Transfer Partners
| Partner | Activity | Headquarters | Guarantees |
|---|---|---|---|
| Stripe, Inc. | Payment processing | USA / Ireland | EU-US Data Privacy Framework |
| ClickSend (Synph Pty Ltd) | Transactional SMS delivery | Australia | SCC contractual guarantees |
| Cloudflare, Inc. | CDN and web security | USA | EU-US Data Privacy Framework |
| KBOSS.hu Kft. (Számlázz.hu) | Invoicing | Hungary (EU) | Data transfer within the EU |
| Google LLC (Google Ads) | Advertising and conversion tracking | USA / Ireland | EU-US Data Privacy Framework |
| National road toll management organizations and their official registration partners | e-vignette registration according to the regulations of the relevant country | EU / destination countries | According to the country’s laws |
Data transfers to the USA are based on the EU-US Data Privacy Framework. Data transfers to Australia rely on contractual guarantees (Standard Contractual Clauses – SCC).
1.4 Definitions
- GDPR (General Data Protection Regulation): Regulation (EU) 2016/679 of the European Union.
- Data processing: any operation or set of operations performed on personal data or sets of personal data by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Data controller, data processor: a natural or legal person, agency, or any other body which processes personal data on behalf of the controller and which independently or jointly determines the purposes and means of processing personal data.
- Operator, Company: the operator of the Website
- Personal data: any information relating to an identified or identifiable natural person (data subject).
- Consent of the data subject: a freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
- Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
- Third party: any natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
- User: visitors, users, purchasers of the Website (data subjects).
1.5 Principles of data processing and handling
The Data Controller declares that personal data is handled in accordance with this privacy notice and in compliance with all relevant applicable laws, with particular attention to the following:
- Personal data must be processed lawfully, fairly, and in a transparent manner for the User (data subject).
- Personal data may only be collected for specified, explicit and legitimate purposes.
- The purpose of data processing must be adequate and relevant and limited to what is necessary.
- Personal data must be accurate and up-to-date. Inaccurate data must be erased without delay.
- Personal data must be stored in a form which permits identification of data subjects for no longer than is necessary.
- Personal data must be processed in a manner that ensures appropriate security through suitable technical or organizational measures.
1.6 Processed data and their legal basis
When visiting the Website, certain parameters of visitors are automatically recorded. For the given User, these log parameters may include:
- Login time, time spent on the website, activities performed during this time, logout time.
- Type of browser, screen resolution, language settings, operating system, type of IT device used by the visitor.
- Visitor’s IP address.
1.7 Data processed on the Website
The processed data includes the User’s provided personal name, email address, phone number, billing name, billing address, tax number, vehicle registration number, country of origin (country code). In case of insurance matters, other personal data required for issuing the relevant insurance may also be processed.
Purpose of data processing: full use of the Website, creation of contracts for purchases, determining contract content, monitoring contract performance, billing of charges resulting therefrom, and enforcing related claims.
1.8 Data categories, purposes, legal bases, and retention periods
| Data Category | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Identification data (name, email, phone) | Contract conclusion and performance | Art. 6(1)(b) GDPR – performance of contract | 8 years (accounting obligation) |
| Billing data (name, address, amount) | Invoicing, tax compliance | Art. 6(1)(c) GDPR – legal obligation | 8 years (accounting obligation) |
| Vehicle data (registration number, VIN) | e-vignette issuance, contract performance | Art. 6(1)(b) GDPR – performance of contract | 8 years (accounting obligation) |
| Payment data (card reference, transaction ID) | Payment processing | Art. 6(1)(b) GDPR – performance of contract | 8 years (accounting obligation) |
| IP address, browser, session data | Security, quality assurance | Art. 6(1)(f) GDPR – legitimate interest (security) | 1 year |
| Google Ads click identifier (gclid) | Conversion tracking, business analytics | Art. 6(1)(f) GDPR – legitimate interest (business operations) | 2 years |
| SMS data | Transaction confirmation | Art. 6(1)(b) GDPR – performance of contract | 8 years (accounting obligation) |
| Customer service communication | Customer service, legal compliance | Art. 6(1)(b) and (f) GDPR | 8 years (accounting obligation) |
| Stripe risk assessment | Fraud prevention (by payment processor) | Art. 6(1)(f) GDPR – legitimate interest | According to Stripe’s data privacy policy |
1.9 Data processing duration, deletion deadlines
Upon data subject request, processed data shall be deleted within 48 hours, except for mandatory accounting record retention. Accounting documents must be retained according to the relevant accounting regulations. Requests for data deletion can be submitted via the Website’s support ticket system. The Data Controller may request further identifying information if it is not clear that the person requesting deletion is duly authorized.
2.0 Cookies
The Website uses cookies for operation and to enhance the user experience. Cookies are small text files stored by the browser on the user’s device.
2.1 Essential (technical) cookies
These cookies are essential for the basic operation of the Website and may be used without consent.
| Cookie name | Type | Expiration | Purpose |
|---|---|---|---|
| XSRF-TOKEN | Essential | 2 hours | CSRF security protection |
| evignet24_session | Essential | 2 hours | Session identifier (Laravel) |
| cookie_consent_essentials | Essential | 1 year | Status of consent to essential cookies |
| cookie_consent_analytics | Essential | 1 year | Status of consent to analytics cookies |
| cookie_consent_marketing | Essential | 1 year | Status of consent to marketing cookies |
| evignet24_cookie_consent | Essential | 1 year | Full consent object |
| __cf_bm | Essential | 30 minutes | Cloudflare bot management and security protection |
2.2 Consent management
The Website uses a cookie consent banner, which manages consent in three categories: Essential, Analytics, Marketing. The analytics and marketing categories can be enabled or disabled at any time in the cookie settings menu. Withdrawal of consent does not affect the legality of data processing prior to its withdrawal (Art. 7(3) GDPR).
2.3 Automated decision-making
Enternova Kft. does NOT use automated decision-making, profiling, or scoring concerning users’ personal data. Transactions are processed manually.
Stripe, as the payment processor, uses its own risk assessment system (Stripe Radar) for fraud prevention. This is Stripe’s proprietary automated system; Enternova Kft. does not make decisions based on these assessments.
2.4 Data transfer to third countries
Data transfers to the United States (Stripe, Cloudflare, Google) are based on the EU-US Data Privacy Framework. Data transfers to Australia (ClickSend) are based on Standard Contractual Clauses (SCC) contractual guarantees.
2.5 Newsletter, direct marketing activity
The Operator declares that it fully complies with the relevant legal requirements regarding published information and notices. The User may give prior and explicit consent for the Operator to contact them via the provided contact details with promotional offers or other communications. Processed data includes: personal name, email address, phone number, date.
The User may unsubscribe from promotional offers at any time, without restriction or justification. Unsubscription from the newsletter is available via the “unsubscribe” link placed at the bottom of each newsletter sent.
2.6 Data Protection Officer (DPO)
Under Art. 37 GDPR, Enternova Kft. is not obliged to appoint a Data Protection Officer, as it is not a public interest organization, its operation does not require large-scale regular monitoring, and it does not process special categories of data on a large scale.
Data protection inquiries can be submitted via the Website’s support ticket system.
3.1 Rights related to data processing
- Right to information:
You may request from us, via the support ticket system, what data we process about you, under what legal basis, for what processing purpose, from what source, and for how long. We will provide information to the email address specified in your request within 30 days at most. - Right to rectification:
You may request us to modify any of your data. We will arrange for this within 30 days of your request. - Right to erasure:
You may request us to erase your data. We will do this within 30 days of your request. - Right to restriction:
You may request us to restrict the processing of your data. Restriction applies as long as the reason you indicated makes data storage necessary. - Right to object:
You may object to data processing. We will investigate the objection within 15 days of its submission, decide on its merits, and inform you of the decision via email. - Right to data portability:
The data subject has the right to receive the personal data concerning them, which they have provided to the data controller, in a structured, commonly used and machine-readable format.
3.2 Remedies
If you believe that your data has been processed unlawfully, you may file a complaint with the supervisory authority of your residence, place of stay, or the location of the alleged infringement (Art. 77 GDPR). The supervisory authority at the Data Controller’s seat: Hungarian National Authority for Data Protection and Freedom of Information (NAIH) – www.naih.hu
3.3 Final provisions
The data provided by the User is stored on servers. Only the Operator’s staff have access to the data, and all are responsible for the secure handling of the data.
If you notice any errors or omissions in this notice, please notify us immediately via the Website’s support ticket system.
Data protection questions and requests may be submitted via the Website’s support ticket system.
Legislation underlying data processing:
- Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) – on the protection of natural persons with regard to the processing of personal data and the free movement of such data.
- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.
- Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services.
2026.02.27.