ARKAIOS STUDIO KFT. pays special attention to ensuring that personal data processed from the Arkaios mobile application owned by it or from other sources is processed, stored, and used in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, GDPR).
In connection with data processing, ARKAIOS STUDIO KFT., hereby informs users of the mobile application (hereinafter: Users) about the personal data it processes, its principles and practices regarding the processing of personal data, and the manner and possibilities for Users to exercise their rights.
The Data Processing Notice contains information on how ARKAIOS STUDIO KFT. processes and uses the personal data received through the mobile app, as well as how to contact ARKAIOS STUDIO KFT., if you have further questions regarding the processing of personal data.
The data controllers are as follows:
ARKAIOS STUDIO KFT.
Registered office and mailing address: 1104 Budapest, Sörgyár utca 64. B. ép. Fsz. 1. ajtó
Company registration number: 01-09-450400
Tax number: 32937178-2-42
Registering court: Budapest Metropolitan Court of Registration
Data controller:
Gergő Fodor, contactable by post at the registered office of ARKAIOS STUDIO KFT. or electronically at gera@arkaiosstudio.com.
Certain data must be provided when registering and logging into the mobile application. As a consequence of refusing to provide this information, the user will not be able to use the mobile application.
The data controller does not store personal data for longer than is necessary to achieve the specified purpose.
This means that ARKAIOS STUDIO KFT. will delete personal data if it is no longer needed to process requests or fulfill orders.
| Personal data | Purpose of data processing | Duration of data processing | Legal basis for data processing |
|---|---|---|---|
| To use the Arkaios mobile application, you must provide your email address during registration and login. | ARKAIOS STUDIO KFT. data controller processes personal data until the user account is deleted. | Article 6(1)(a) point (a) the User's voluntary consent. |
Source of data: Collected directly from the User.
Possible consequences of failure to provide data: The User will not be able to register and log in to the Arkaios mobile application.
| Personal data | Purpose of data processing | Duration of data processing | Legal basis for data processing |
|---|---|---|---|
| Name, Email address (optional/not required), Phone number (optional/not required) | If the User has a complaint regarding the service provided by the data controller or if the User has any other type of complaint, ARKAIOS STUDIO KFT. will handle the personal data will also be processed during the handling of the complaint. Data will also be processed. The purpose of data processing is to handle warranty claims and other complaints in accordance with legal requirements in accordance with legal requirements, as well as maintaining contact between ARKAIOS STUDIO KFT. and the User in connection with the issue that has arisen. | Pursuant to the Consumer Protection Act, data and associated complaint letters complaint handling for a period of 5 years by the retain retain | Article 6 of the Regulation (1) paragraph c) point, Consumer Protection Act and the Civil Code |
| Filing and retention of complaints | Filing and retention of complaints in accordance with the applicable laws for the period specified by applicable law. |
Source of data: Collected directly from the User.
Possible consequences of failure to provide data: failure to handle the complaint, given that without the provision of personal data, ARKAIOS STUDIO KFT. is unable to contact and maintain contact with the User in connection with the matter in question, and remedy the problem.
Personal data may primarily be accessed by data controllers and their employees for the purpose of performing their duties. In addition, the User's personal data may be accessed by the data processor specified in Section 5 in the course of and for the purpose of performing its duties.
ARKAIOS STUDIO KFT. shall only transfer the personal data it processes to other bodies or state authorities in the manner and for the purposes specified by law.
ARKAIOS STUDIO KFT. informs the User that the court, the prosecutor, the investigating authority, the administrative authority, the National Data Protection and Freedom of Information Authority, or other bodies authorized by law may request information, data disclosure, transfer, or the provision of documents from the data controller.
ARKAIOS STUDIO KFT. shall only disclose personal data to the authorities – provided that the authority has specified the exact purpose and scope of the data – to the extent that is strictly necessary to achieve the purpose of the request.
The data provided by the User will not be transferred for any other purpose.
During data processing, the data controller shall maintain
- confidentiality: it protects the information so that only those who are authorized to do so can access it;
- integrity: protects the accuracy and completeness of the information and the processing method
completeness of the information and the processing method;
- availability: ensures that when an authorized user needs it,
they can actually access the desired information, and the tools related to this
related tools.
As part of its IT security responsibilities, the data controller shall take measures to ensure that data files can be restored, including regular backups and the separate, secure management of copies (backups).
Accordingly, in order to prevent the loss of electronically stored data, the data controller shall make regular weekly cloud-based backups of the data in its database containing personal and company data.
Location of backup storage: Arkaios Studio Kft. Drive belonging to the AWS account, which is a physical device located at the AWS data center in Frankfurt.
Backups are stored for 5 days, with continuous data overwriting regardless of the type of data.
Access to backups: Access to backups is restricted, and only persons with specific authorisation may access them. The data can only be accessed after appropriate identification (at least username and password).
ARKAIOS STUDIO KFT. uses data processors to perform certain tasks during data processing. Data processors may only process personal data in accordance with the instructions of ARKAIOS STUDIO KFT., within the scope of their contractual obligations, and in full compliance with data security requirements. The data processor may not use the data for any other purpose and may only engage additional data processors with the prior approval of ARKAIOS STUDIO KFT.
Data processor:
MongoDB Inc.
Data storage location: Infrastructure operated in the EU (Frankfurt) region belonging to the AWS account of ARKAIOS STUDIO KFT. (Address: Westendcarree Gervinusstraze 17 60322 Frankfurt am Main, Germany)
Task:
Storage of personal data, data processing necessary for backups, and provision of database infrastructure.
Scope of data processed:
User email addresses and other technical data necessary for the operation of the mobile application.
Data processor:
SendInBlue SAS
Data storage location:
Servers operating within the EU.
Task:
Sending system messages, registration, and notification emails.
Scope of data processed:
User email address.
The contractual developer team of ARKAIOS STUDIO KFT. – as data processor – may access personal data stored in the live system solely for the purposes of error correction, operation, and technical support.
Scope of data processed:
User email address and technical data necessary for bug fixing.
Purpose of data processing:
To detect and correct system malfunctions and to maintain the secure operation of the service.
ARKAIOS STUDIO KFT. does not currently use any external service providers that process data exclusively for aggregated or statistical purposes, rather than personal data. If such a data processor is engaged, the data processing policy will be amended.
The User may request information in writing from ARKAIOS STUDIO KFT. via the contact details provided in point 1, asking the data controller to provide information on:
- what personal data it holds,
- on what legal basis,
- for what data processing purposes,
- from what source,
- for how long it processes them,
- to whom, when, on what legal basis, and to which personal data ARKAIOS STUDIO KFT. has granted access or to whom it has transferred your personal data.
The data controller provides the information to the User in a widely used electronic format
unless the User requests it in writing on paper. ARKAIOS STUDIO KFT. does not provide verbal information by telephone regarding the data it processes concerning the User. ARKAIOS STUDIO KFT. provides the User with a copy of their personal data free of charge for the first time.
The data controller may charge a reasonable fee based on administrative costs for any additional copies requested. If the User requests a copy electronically, the information will be provided by email in a widely used electronic format.
After receiving the information, if the User does not agree with the data processing or the accuracy of the processed data, they may request the correction, supplementation, deletion, or restriction of the processing of their personal data as specified in Section 6, object to the processing of such personal data, or initiate the procedure specified in Section 7.
Upon the User's written request, ARKAIOS STUDIO KFT. shall, without undue delay, correct any inaccurate personal data indicated by the User in writing and supplement any incomplete data with the content indicated by the User. ARKAIOS STUDIO KFT. shall inform all recipients to whom it has disclosed the personal data of the correction or supplementation, unless this proves impossible or requires a disproportionate effort. The User shall be informed of the details of these recipients upon written request.
The User may request ARKAIOS STUDIO KFT. in writing to restrict the processing of their data if
- the User disputes the accuracy of the personal data, in which case the restriction shall apply to the
period of time that allows ARKAIOS STUDIO KFT. to verify the accuracy of the personal data
accuracy,
- the processing is unlawful, and the User opposes the erasure of the data and requests the
restriction of their use,
- ARKAIOS STUDIO KFT. no longer needs the personal data for the purposes of the processing, but they are required by the User for the establishment, exercise, or defense of legal claims,
- the User objects to the data processing: in this case, the restriction shall apply for the period
until it is determined whether the legitimate grounds of ARKAIOS STUDIO KFT. take precedence over the legitimate grounds of the User.
Personal data subject to restriction may only be processed during this period with the User's consent, or for the purpose of submitting, enforcing, or defending legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State. ARKAIOS STUDIO KFT. shall inform the User whose data processing has been restricted at their request in advance of the lifting of the restriction on data processing.
At the request of the User, ARKAIOS STUDIO KFT. shall erase the personal data concerning the User without undue delay if one of the following grounds applies:
i) the personal data is no longer necessary for the purposes for which ARKAIOS STUDIO KFT. collected or otherwise processed it;
ii) the User withdraws their consent on which the processing is based, and there is no other
legal basis for data processing;
iii) the User objects to the processing on grounds relating to his or her particular situatio,n and there are no legitimate grounds for the processing;
iv) the User objects to the processing of personal data concerning him or her for direct marketing purposes, including profiling, insofar as it relates to direct marketing,
v) ARKAIOS STUDIO KFT. processes personal data unlawfully;
vi) the collection of personal data took place in connection with the offering of information society services directly to children
services.
The User may not exercise their right to erasure or to be forgotten if the processing is necessary:
i) for the purpose of exercising the right to freedom of expression and information;
ii) on grounds of public interest in the area of public health;
iii) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as the exercise of the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
iv) for the establishment, exercise, or defense of legal claims.
If data processing is necessary for the performance of a contract or is based on the User's voluntary consent, the User has the right to request that the data provided by the User to ARKAIOS STUDIO KFT. be provided in a machine-readable format. In all cases, the right is limited to the data provided by the User; other data cannot be transferred. (e.g., statistics, etc.)
The User may receive the personal data relating to them that is stored in the ARKAIOS STUDIO KFT. system (e.g., when subscribing to a newsletter)
- in a structured, widely used, machine-readable format,
- is entitled to transfer it to another data controller,
- request the direct transfer of the data to another data controller, if this is technically
feasible in the ARKAIOS STUDIO KFT. system.
The data controller will only fulfill requests for data portability based on written requests sent by email or post. In order to fulfill the request, the data controller must
be satisfied that the User is indeed entitled to exercise this right. Within the scope of this right, the User may request the portability of data that they themselves have provided to ARKAIOS STUDIO KFT. Exercising this right does not automatically result in the deletion of the data from the data controller's systems, therefore, even after exercising this right, the User will remain registered in the data controller's systems, unless they also request the deletion of their data.
The User may object to the processing of their personal data by submitting a statement to the data controller if the legal basis for the data processing is:
- public interest pursuant to Article 6(1)(e) of the GDPR, or
- legitimate interest pursuant to Article 6(1)(f) of the GDPR.
If the right to object is exercised, the data controller may no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the User or for the establishment, exercise, or defense of legal claims. The data controller shall decide whether the processing is justified by compelling legitimate grounds. The data controller shall inform the User of its position in this regard.
The User may object in writing (by email or post) or, in the case of a newsletter, by clicking on the unsubscribe link in the newsletter.
Within five years of the User's death, the rights to which the deceased was entitled during his or her lifetime, such as
access, rectification, erasure, restriction of processing, data portability, and objection, may be exercised by a person authorized by the deceased in an administrative provision, public document, or private document of full probative force, by means of a statement made to the data controller. If the deceased made several such statements to the data controller, the person named in the later statement may exercise these rights.
If the deceased did not make such a statement, the rights to which the deceased was entitled during his or her lifetime and which are specified in the previous
paragraph, may be exercised by the User's close relative as defined in the Civil Code
within five years of the User's death (in the case of multiple close relatives, the close relative who first exercises this right shall be entitled to exercise the above rights).
According to Section 8:1 (1) 1 of the Civil Code, close relatives are spouses, direct relatives, adopted children, stepchildren and foster children, adoptive parents, step-parents and foster parents, and siblings. The close relative of the deceased is required to prove:
- the fact and time of death of the deceased User by means of a death certificate or court
decision, and
- their own identity and, if necessary, their status as a close relative with a public document.
The person exercising the rights of the deceased shall be entitled to exercise these rights, in particular in relation to the data controller
and in proceedings before the National Authority for Data Protection and Freedom of Information or a court, shall be subject to the rights and obligations that applied to the deceased during his or her lifetime, in accordance with the Infotv. and the Regulation.
The data controller shall, upon written request, inform the close relative of the measures taken, unless the deceased expressly prohibited this in his or her statement.
The data controller shall inform the User of the measures taken without undue delay, but in any case within one month of receiving any request referred to in point 6. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months, but in this case, the data controller shall inform the User within one month of receipt of the request, indicating the reasons for the delay, and that the User may lodge a complaint with the supervisory authority and exercise their right to judicial remedy.
If the User's request is clearly unfounded or excessive (in particular due to its repetitive nature), the data controller may charge a reasonable fee for fulfilling the request or may refuse to take action. The burden of proof lies with the data controller.
If the User has submitted the request electronically, the data controller shall provide the information electronically, unless the User requests otherwise.
The data controller shall inform all recipients to whom the personal data have been disclosed of any rectification, erasure, or restriction of processing carried out by the data controller, unless this proves impossible or involves a disproportionate effort. At the request of the User, the data controller shall inform the recipients thereof.
Any person who has suffered material or non-material damage as a result of a breach of the Regulation shall have the right to receive compensation from the data controller or data processor for the damage suffered. The data processor shall only be liable for damage caused by data processing if it has failed to comply with the obligations specifically imposed on data processors by law, or if it has disregarded or acted contrary to the lawful instructions of the data controller. The data controller or data processor shall be exempt from liability if it proves that it is in no way responsible for the event causing the damage.
The User may exercise his or her rights by sending a written request by email or post.
The User cannot exercise their rights if the data controller proves that they are not in a position to identify the User.
situation to identify the User. If the User's request is clearly unfounded or excessive (especially in view of its repetitive nature), the data controller may charge a reasonable fee for fulfilling the request or refuse to take action. The burden of proof lies with the data controller. If the data controller has doubts about the identity of the natural person submitting the request, it may request additional information necessary to confirm the identity of the applicant.
Pursuant to Info.tv., the Regulation, and the Civil Code (Act V of 2013), the User may:
a) the National Authority for Data Protection and Freedom of Information (1055 Budapest, Falk Miksa utca
9-11; www.naih.hu) or
b) enforce their rights in court.
The lawsuit may also be brought before the court of the User's place of residence, at the User's discretion (the list of courts and their contact details can be found at the following link: http://birosag.hu/torvenyszekek).
A data protection incident is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored, or otherwise processed. The data controller shall keep a record of the measures taken in relation to the data protection incident, informing the supervisory authority, and informing the User, which shall include the scope of personal data affected by the incident, the scope and number of data subjects, the date, circumstances, and effects of the incident, and the measures taken to remedy it. In the event of an incident, unless there is no risk to the rights and freedoms of natural persons, the data controller shall inform the User and the supervisory authority of the data protection incident without undue delay, but within 72 hours at the latest.
The Data Controller reserves the right to unilaterally modify this Privacy Policy after giving prior notice to Users via the website. The modifications shall take effect on the date specified in the notice, unless the User objects to the modifications.
If the User has provided third-party data in order to use the service and has caused damage in any way in connection with this, the Data Controller is entitled to claim damages from the User.
The Data Controller does not verify the personal data provided to it. The person providing the data is solely responsible for the accuracy of the data provided. When providing their personal data, Users also assume responsibility for ensuring that the data provided is accurate and that they are the only ones using their personal data and the services associated with it.
Effective date of this Privacy Policy: December 10, 2025.