Privacy Policy



This Privacy Policy (hereinafter: Policy) was created for the purpose of www.bercode.com website and related application (hereinafter: website) operated by Benefit Barcode, Inc. (hereinafter: Benefit Barcode or Data Controller)  as a service provider on the referenced website (headquarter: 8 The Green, Ste B, Dover, DE 19901 USA) based on Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the data processing operations of Benefit Barcode to provide information on the processing of personal data, taking into account the provisions of the General Data Protection Regulation (hereinafter: GDPR) and for the purpose of fulfilling the obligation to provide information.

This Policy, therefore, applies to any natural person (as defined by GDPR: data subject) whose personal data is managed by Benefit Barcode, Inc. as a service provider on the website.

This Policy uses the terms defined in the GDPR; therefore, in order to facilitate the understanding of the Policy, the meaning of the terms are set out in Annex 1.

We also inform the interested parties that the names and terms specified in the Terms of Use on the website must be used with the same content in the interpretation of this Policy.

Although the Data Controller is headquartered in the United States, it provides its services in the European Union through its website. Therefore, the Data Controller strives to comply with European Union data protection requirements.

Please note that persons under the age of 13 may not use our website. We do not intend to collect personal information about individuals under the age of 13. If we become aware that we have obtained personal information from people under the age of 13, we will take steps to delete that information from our database. Please monitor the internet use of younger persons in your household and please assist us in our work. If you believe we have personal information for people under the age of 13, please contact us at dataprotection(at)benefitbarcode.com.

1. The Data Controller, as well as the data processors

Data Controller

Company name: Benefit Barcode, Inc.

Headquarters: 8 The Green, Ste B, Dover, DE 19901 USA

Registration number: 6045923

Represented by: László Jáger

We would like to inform you that Bercode Issuers also qualify as separate Data Controllers; therefore the parties concerned should contact the relevant Bercode Issuer directly regarding their data management, as Benefit Barcode does not see the data management of Bercode Issuers, it has no influence on it.

Data processors

We inform those concerned that we may use data processors for the data management operations specified in our Policy. This list of data processors is as follows:

Name of Data processor

Headquarters of Data processors

Activity of Data processor

Amazon Web Services, Inc.

https://aws.amazon.com/

P.O. Box 81226

Seattle, WA 98108-1226

Hosting services

Magyar Posta Zrt.

[javascript protected email address]

1138 Budapest, Dunavirág utca 2-6.

In order to perform postal services and parcel delivery, it will receive the personal data necessary for the delivery of the ordered product and will deliver the product using it.

 

GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.

[javascript protected email address]

2351 Alsónémedi, GLS Európa utca 2.

Performing a parcel delivery task.

CardDeal Kft.

4400 Nyíregyháza, Bethlen Gábor utca 25.

Administration services.

Szűcs Network Hungary Kft.

4400 Nyíregyháza, Rákóczi utca 98.

Card manufacturing and administration services.

Microsoft Corporation

USA - One Microsoft Way Redmond, Washington 98052

Microsoft 365 cloud service provider

Mailgun Technologies, Inc.

535 Mission St., 14th Floor San Francisco, CA 94105

Forwarding messages sent by the Bercode platform, to which we provide the name and email address of the concerned data subject.

 

The Data Controller provides the Bercode Merchant with the IT service free of charge, through which the Merchant(s) automatically sends the data of the purchases with bercode to the Data Controller as a service provider simultaneously with the purchases (https://www.bercode.com/content/dataforwardingapi), they are stored by the Data Controller on the server of the hosting provider specified in the table above, as a data processor, and made available for download to its Partners, authorities, and courts for a period of 5 years, retroactively. The provision of data is optional for the Points of Acceptance that do not qualify as a web store, and it is obligatory for the web stores.

2. The scope of personal data processed in connection with the data subject, the purpose, legal basis ,and duration of the data processing

We inform you that the consent to the data processing of the data subject may be revoked at any time without justification. Withdrawal of consent shall not affect the lawfulness of the data processing prior to withdrawal. However, some data cannot be deleted for mandatory data management.

I. Registration on the website

We would like to inform you that three types of profiles can be created on our website:

1. bercode holder services profile (this profile is automatically generated during the first registration on our website, other profiles can only be created after that)

Categories of personal data

Purpose of data management

Legal basis for data management

Duration of data management

name, email address, password, date of birth (month/day/year), gender

Registration and contact on the website.

Consent of the data subject based on Article 6 par (1) letter (a) of GDPR, subject to preamble 32 of the GDPR and necessary for the performance of the contract pursuant to Article 6 par (1) letter (b) of the GDPR.

Until the profile is not deleted by the profile holder, but no later than 5 years from the last activity.

 

After creating a bercode-holder services profile on the website, a user of our website may expand the profile information by entering the following information:

Categories of personal data

Purpose of data management

Legal basis for data management

Duration of data management

Phone number, profile picture, area of ​​interest (geographical), areas of interest, billing address, shipping address, payment information (card number, expiration date), the  maximum amount that can be automatically deducted from the card, form currency

Provide a better user experience, and faster and more efficient user options.

Consent of the data subject based on Article 6 par (1) letter (a) of GDPR, subject to preamble 32 of the GDPR.

Until the profile is not deleted by the profile holder, but no later than 5 years from the last activity.

Area of ​​interest (geographical), areas of interest *

* With regard to this data, we need your cooperation so that we can provide our service properly because without this, we do not know what bercode options you are interested in, and we cannot notify you about the service provider belonging to the given area of ​​interest.

Providing the bercode service.

Legal obligation on the controller, as the performance of contracts, concluded in connection with the bercode service, as a legal obligation under Article 6 par (1) letter (c) of the GDPR and Article 6 par (1) letter (b) of the GDPR, with the consent of the data subject Article 6 par (1) letter (a) of the GDPR, subject to preamble 32 of the GDPR.

Until the profile is not deleted by the profile holder, but no later than 5 years from the last activity.

2. bercode-issuer services profile (so-called Partner profile)*

Categories of personal data

Purpose of data management

Legal basis for data management

Duration of data management

Mandatory data: name (which appears as the name of the partner profile), name (real name-entrepreneur name), country, postcode, city, street, house number, email address, by ticking the appropriate checkboxes marking as an Issuing Partner, marking as a Merchant by entering a bercode

Optional data:

profile picture, cover image, telephone number, tax number, website address, company registration number, bank account number, payment information (card number, expiration date), the maximum amount that can be automatically deducted from the card, form of currency, billing address, shipping address

Create a partner profile and contact on the website.

Consent of the data subject based on Article 6 par (1) letter (a) of GDPR, subject to preamble 32 of the GDPR and necessary for the performance of the contract pursuant to Article 6 par (1) letter (b) of the GDPR.

Until the profile holder does not request deletion, but no later than 5 years from the last activity

* the processing of personal data can be interpreted if the holder of the Partner profile is self-employed because they qualify as a natural person. In other cases, the data of the legal entity does not qualify as personal data.

3. bercode-merchant service profile (so-called Partner profile)*

Categories of personal data

Purpose of data management

Legal basis for data management

Duration of data management

Mandatory data: name (which appears as the name of the partner profile), name (real name-entrepreneur name), country, postcode, city, street, house number, email address, by ticking the appropriate checkboxes marking as an Issuing Partner, marking as a Merchant by entering a bercode

 

Optional data:

profile picture, cover image, tax number, website address, company registration number, bank account number, payment information (card number, expiration date), the  maximum amount that can be automatically deducted from the card, form of currency, billing address, shipping address

Create a partner profile and contact on the website.

Consent of the data subject based on Article 6 par (1) letter (a) of GDPR, subject to preamble 32 of the GDPR and necessary for the performance of the contract pursuant to Article 6 par (1) letter (b) of the GDPR.

Until the profile holder does not request deletion, but no later than 5 years from the last activity

* the processing of personal data can be interpreted if the holder of the Partner profile is self-employed because they qualify as a natural person. In other cases, the data of the legal entity does not qualify as personal data.

We would like to inform you that we are entitled to display our cooperating Partners on our website for promotional purposes (name, logo) and, if they also provided their web access when creating their profile, to publish them accordingly. We inform you that for the given name, web address, logo - if it can be interpreted for any errors, misspellings, etc. - the liability is excluded by Benefit Barcode, Inc.

II. Purchase of the bercode credit on the website and data management related to the sending of the related bercode carrier, i.e., card or other bercode carrier offered as an option by the Data Controller

Categories of personal data

Purpose of data management

Legal basis for data management

Duration of data management

Data provided for profile data (see Point I.)

Identifying the buyer as a concerned person.

The consent of the data subject based on Article 6 par (1) letter (a) of the GDPR

Due to the fact that the bercodes purchased are recorded, the data management time is the same as the retention time of the data related to the profile.

Name, delivery address, bercode

Completion of purchase.

Necessary for the performance of the contract based on Article 6 par (1) letter (b) of the GDPR.

For 5 years from the performance of the contract, with bercodes expiring and being deleted after their validity period (optionally 1-36 months)*.

 

*Except: a plastic card made with offset technology, a plastic keychain or sticker has an unlimited validity period, as it can be re-validated each time with a sticker when a new validity period is requested and issued.

Name, delivery address, phone number

Delivery of the bercode carrier.

Necessary for the  performance of the contract based on Article 6 par (1) letter (b) of the GDPR.

For 5 years from the delivery of the product.

 

Name, billing name, billing address, tax number *

 

* Relevant for self-employed, as the data of legal entities do not qualify as personal data.

Issuance of an invoice.

Fulfillment of a legal obligation based on Article 6 letter (c) of the GDPR.

For a period of time in accordance with the accounting and record-keeping rules of the country where the service is provided.

III. Benefit Barcode application (Application)

We would like to inform those interested that the Application can be downloaded from both the Google Play Store and the App Store. This notice only and exclusively provides information related to the data management of the Application, so please inquire about the operation of the Application in the Application and on the Data Controller's website www.bercode.com. The data management related to the creation of a profile through the Application is governed by Section I of this Policy.

If you, as a person, allow the use of the locator on your device, you can view our partner Merchants´ locations and their contact information (address, email, phone number, web contact information, and other information). Through the Application, the data subject can manage their savings in a transparent manner, which information can be considered as data belonging to the profile created during registration, the data processing time of which in this Policy is the same as the data processing period related to the created profiles.

The Application also contains the affected bercode code related to the profile, and the data subject can register an additional bercode code with the help of the Application by entering the data manually or by scanning the barcode, which bercodes data processing duration by the Data Controller is also the same as in Point I and II of this Policy.

The Application provides an opportunity for the subject to even upload a photo to the Application. In this regard, we would like to inform you that the legal basis for the processing of the data subject's image is the data subject's consent based on Article 6 point (1) letter (a) of the GDPR, which is implemented by uploading the photograph. If the photograph does not contain only the image of the data subject, the data subject is responsible for obtaining the consent of the third party - which is included in the photograph - for the photographs to be transferred to the Data Controller by uploading them to the Application. The processing of photographs as personal data shall last until the consent is withdrawn unless the transfer of the right of use has been carried out by the data subject without a time limit.

IV. Register of Bercodes

We would like to inform you that in the submenu MY BERCODES the Data Controller registers the bercodes you have purchased, shared with you, transferred to you, or deleted. The registration of newly purchased, shared with you, or transferred to you bercodes is performed automatically by our platform. These bercode carriers and bercodes also appear visually in the submenu MY BERCODES after the purchase, transfer, or sharing.

3. Data transfer

We inform concerned partners that in all cases when the concerned partner

Name of the service provider

Availability of the Service Provider's Data Management Information*

Stripe, Inc.

https://stripe.com/en-hu/privacy

*Due to the fact that the information available on the link may be constantly updated independently of Benefit Barcode, Inc., please always keep up to date with the current content on the website of the respective service provider.

In order to submit, validate or protect a legal claim, the Data Controller may also transfer the personal data of the data subject to a legal representative or consultant.

Furthermore, when fulfilling the legal obligation of the Data Controller, they are obligated to forward the personal data of the data subject to an authority or court in the event of such a call.

Data Controller employees with access to data are obligated to keep all personal data confidential.

The Data Controller draws the attention of the data subjects to the fact that, as the Data Controller is domiciled in the United States, the transfer of the data subject's personal data outside the European Union may take place when the Bercode Issuer transfers the data subject's personal data to Benefit Barcode.

Pursuant to Article 46 (2) (c) of the GDPR, the transfer of data to a third country may constitute an adequate guarantee without the specific permission of the supervisory authority the application of the general data protection clauses adopted by the European Commission in accordance with the examination procedure referred to in Article 93 (2) of the GDPR between the data transmitter and the data receiver. The content of the data transfer agreement can be accessed by clicking on the link: https://www.bercode.com/site/legal. Please also read this document in detail.

4. Data security

The Data Controller is obligated to plan and perform data management operations in such a way as to ensure the protection of the privacy of the data subjects.

Within the scope of its activities, the Data Controller or the data processor is obligated to ensure the security of the data, as well as to take the technical and organizational measures and establish the procedural rules necessary to enforce the GDPR and other data and confidentiality rules. The data shall be protected by appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage and from inaccessibility due to changes in the technology used.

The Data Controller must take into account the current state of the technology development when applying measures for the security of personal data. From several possible data management solutions, they must choose the one that provides a higher level of protection of personal data, unless this would be a disproportionate burden for the Data Controller.

We strive to protect the security of the data collected through the website and to apply generally accepted IT security standards designed to protect against loss of information, misuse and unauthorized access, disclosure, modification, or destruction.

However, the security or integrity of the information provided online cannot be guaranteed, including due to technological limitations and the fact that no data available or sent over the internet is completely secure.

You further agree that if for any reason you or any person acting on your behalf are fraudulent or suspected of otherwise violating our terms and conditions, or you are in breach of the terms, we will suspend, block and/or terminate your use of our website, and/or initiate criminal and/or civil proceedings against you in the course of our enforcement.

5. Profiling, remarketing activity

Individuals, as data subjects, may be associated with online identifiers (such as IP addresses and cookies) provided by the devices, applications, and protocols they use. Combined with these unique IDs and other information received by the servers, they can be used to create a profile of those involved and identify that person.

In all cases, please find out about the cookies we use from our Cookie Notice, which can be accessed by clicking on the link below: https://www.bercode.com/site/legal

If the Data Controller carries out profiling or remarketing activities, the data subject considers his / her consent to do so by reading the information provided in this Policy, Cookie Notice, and accepting the referenced documents, as well as the cookie settings. If you wish to object, you may do so by sending an email to dataprotection(at)benefitbarcode.com.

6. Rights of the data subject

1. The data subject has the right, based on the request, to receive feedback from the Data Controller as to whether the processing of their personal data is in progress. If your personal data is being processed, you have the right to receive detailed information about the processing of your personal data, including the categories of personal data processed in connection with it.

The Data Controller shall provide a copy of the personal data which are the subject of the data processing available to the data subject. The information is free of charge if the data subject has not yet submitted a request for information to the Data Controller for the same data set in the current year. For further information requested by the data subject, the controller may charge a reasonable fee based on administrative costs. [Right of access by the data subject]

2. The data subject shall have the right, based on the request, to rectify inaccurate personal data concerning him or her without undue delay by Data Controller. The Data Controller corrects the personal data if they do not correspond to reality and personal data that corresponds to reality is available. Taking into account the purpose of the data processing, the data subject has the right to request that the incomplete personal data be supplemented, inter alia, by means of a supplementary statement. [Right to rectification]

3. The data subject shall have the right, based on the request, to delete personal data concerning him or her without undue delay by Data Controller. The controller may comply with this request if the personal data are no longer required for the purpose for which they were collected or otherwise processed. The erasure of personal data concerning the data subject shall be carried out even if the data subject objects to the data processing and there is no priority legitimate reason for the data processing on the part of the Data Controller or a third party. Personal data must be deleted by the controller even if the personal data have been processed unlawfully or in order to fulfill a legal obligation under Union or Member State law applicable to the controller. [Right to erasure (‘right to be forgotten’)]

4. The data subject shall have the right, based on the request, to restrict the processing if one of the following is met:

If the processing is subject to restrictions on the basis of the above, such personal data, with the exception of storage, shall be subject to the consent of the data subject, or to bring, assert or defend legal claims, or to protect the rights of another natural or legal person, or in the overriding public interest of the Union or of a Member State. The controller shall inform all recipients to whom or with whom the personal data have been communicated of the rectification, erasure, forgetting or restriction of data processing have been notified unless this proves impossible or requires a disproportionate effort. [Right to restriction of processing]

5. The data subject shall have the right to receive the personal data concerning them made available to the Data Controller in a structured, widely used, machine-readable format and to transfer such data to another data controller without being hindered by the Data Controller; data management based on consent; and data management is automated. In exercising the right to data portability, the data subject shall have the right, if technically feasible, to request the direct transfer of personal data between data controllers. The exercise of this right shall not prejudice the right of cancellation. That law shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The exercise of the right must not adversely affect the rights and freedoms of others. [Right to data portability]

6. The data subject has the right to object at any time for reasons related to their situation to the processing of their personal data on the basis of Article 6 par (1) letter (e) or (f) of the GDPR, including profiling based on those provisions. In that case, the controller may not further process the personal data unless it demonstrates that the processing is justified by overriding legitimate reasons which take precedence over the interests, rights, and freedoms of the data subject or which relate to the submission, enforcement, or defense of legal claims. [Right to object]

7. The consent of the data subjects to the processing of the data may be revoked at any time without justification. Withdrawal of consent shall not affect the lawfulness of the data processing prior to withdrawal. However, some data cannot be deleted for mandatory data management. [Right to withdraw his or her consent]

Exercise of the rights of the data subject in the event of the death of the data subject

In the event of an unexpected death, the data subject's rights in his or her life shall be exercised within five years of his or her death by a person authorized by the data subject by an administrative order or a public document or a private document of full probative value. If the data subject does not make a legal declaration in accordance with the above during their lifetime, their close relative according to the Civil Code ,is entitled to enforce their right to rectification or protest against the data processing, and - if the data processing was illegal or the purpose of the data processing has ceased with the death of the data subject - their close relative is entitled to exercise the right to delete the data or to restrict the data processing within five years after the death of the data subject. The right to exercise the rights of the data subject under this paragraph shall be granted to the close relative who first exercises that right. In the event of the death of the data subject, the person exercising the rights of the data subject shall certify the fact and time of the data subject's death with a death certificate or court decision and their identity and, in the case of the previous paragraph, their close relatives.

7. Remedies

Data Controller

The data subject may contact the Data Controller by e-mail at dataprotection(at)benefitbarcode.com in order to exercise their rights under the GDPR, as set out in Section 8, or with any other questions or requests concerning their personal data.

If the Data Controller falls within the scope of the GDPR, the Data Controller is obligated to process the request within 1 month from the receipt of the written request in accordance with the provisions of the GDPR. If necessary, taking into account the complexity of the request and the number of pending requests, the controller may extend the time limit for processing the request. The person concerned shall be informed in advance of the fact or reasons for the extension.

If the data subject's request is justified, the controller shall implement the requested action within the procedural time limit and shall inform the data subject in writing of the execution. If the controller rejects the data subject's request, they must make a written statement about their decision. In their decision, they are obligated to indicate the facts on which the decision is based, the justification of their decision by presenting the relevant legislation or case-by-case decisions, and they are obligated to inform the data subject about the legal remedies against the Data Controller's decision. The data subject may be obligated to reimburse the costs related to the exercise of their rights only if the Data Controller has informed the data subject in writing after receiving their request about the circumstance that their request is excessive and at the same time informed the amount of the administrative cost, but the person concerned maintained their claim in writing despite all these circumstances. The Data Controller shall not start administration on the subject until clear written feedback of the data subject.

The person liable for the costs shall pay the costs within 8 days of receipt of the request for payment issued by the controller.

Supervisory Authority

If the data subject considers that the processing of their personal data by the Data Controller violates the provisions of the GDPR, they may apply to the relevant National Authority.

Court

Without prejudice to other administrative or non-judicial remedies, all natural and legal persons shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority.

Without prejudice to other administrative or non-judicial remedies, all data subjects shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the data subject within three months of the progress or outcome of the complaint.

Proceedings against the supervisory authority shall be brought before a court of the Member State in which the supervisory authority has its seat.

If proceedings are instituted against a decision of the supervisory authority in respect of which the Board has previously issued an opinion or taken a decision under the consistency mechanism, the supervisory authority shall send that opinion or decision to the court.

The rules for exercising the right to an effective judicial remedy against the supervisory authority are set out in Article 78 of the GDPR.

The data subject is also entitled to go directly to court if his or her rights under the GDPR have been violated in the processing of their personal data.

Please be advised to inquire about the location of the lawsuit in accordance with local data protection laws.

8. Third Party website (s)

The website may contain third-party websites, services, and applications, such as third-party websites, and links to sites operated by resellers (collectively, "Third-Party websites").

When you click on such a link, you will leave our website and be redirected to a third-party website. If you leave our website, you will no longer be subject to the terms and conditions of this Policy.

This Policy does not apply to third-party websites and we do not review or take responsibility for third-party websites, the content contained therein or their privacy practices.

This Policy does not cover anything that is inherent in the operation of the internet and is therefore outside the scope of Benefit Barcode, Inc.

9. Final provision

For all purposes provided by the data subject for the purposes set out in this Privacy Policy, the data subject is solely and exclusively concerned, or if the personal data is received from Bercode Issuers and/or Merchants by Benefit Barcode, the Bercode Issuer/Merchant is responsible, thus, if the data contains any personal data or other information of the data subject/third party or the data is incorrect or incomplete, Benefit Barcode, Inc. excludes its liability. If the data subject does not provide his or her personal data, they are obligated to have the appropriate consent.

The Data Controller is entitled to unilaterally amend this Policy without special consent. The amended Policy will be posted at www.bercode.com.

21 March 2022

Benefit Barcode, Inc.

Annex 1 (based on Article 4 of the GDPR)

For the purposes of this Regulation: