PRIVACY NOTICE

  • Introduction: This privacy notice summarizes the data processing conditions of the Fino Vegajó website (hereinafter: “Website”) in a short, concise, and transparent manner.
  • Data Controller: FINO-FOOD Kft. (Registered office: 1054 Budapest, Szemere utca 21. 3. em. 2. ajtó; Tax number: 11283058-2-41; Company registration number: 01-09-713423) .
  • Data Processing Information: Available at the e-mail address info@fino.hu.
  • Purpose of Data Processing: Building a direct marketing database based on profiling.
    • The Controller’s goal is to build a profiling-based direct marketing database using personal data provided during subscription to electronic direct marketing messages (newsletter) and, within this framework, to send personalized targeted advertisements and offers relevant to your interests regarding the Controller’s products and services to the e-mail address you provided.
  • Contact: Contacting and maintaining contact via the e-mail address available on the website regarding the Controller’s products and services, as well as handling complaints received at the e-mail address.
  • Legal Basis for Processing, Legitimate Interests: We process your data based on the following legal grounds:
    • Consent: Based on Article 6(1)(a) of the GDPR – in connection with your subscription to the newsletter and establishing contact. You are entitled to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
    • Legitimate Interest: Analysis of the website’s usability and quality.
    • Legal Obligation: Based on Article 6(1)(c) of the GDPR – processing your data may be mandatory based on an authority or court request.
  • Scope of Recipients: The Controller may access your data. Extreme Net Kft. acts as the Data Processor.
    • (1034 Budapest, Tímár utca 20. 2. em.; Tax number: 14437081-2-41; Company registration number: 01-09-994233) hereinafter acts as “Organizer”.
  • Data Retention: We retain your personal data until the purpose of data processing is achieved, or until you request the deletion of your data or withdraw your consent given for the processing of your personal data.
  • Further Details and Your Rights: See the FULL PRIVACY NOTICE; last update: June 26, 2025.

FINO VEGAJÓ WEBSITE

FULL PRIVACY NOTICE

This full privacy notice (“Notice”) presents the data processing conditions of the Fino Vegajó Website (“Website”) created by the Data Controller, structured as follows:

  1. Who is the data controller?
  2. What personal data do we process about you?
  3. Why and for how long do we process your personal data?
  4. Cookie notice
  5. On what legal basis do we process your personal data?
  6. Who has access to your personal data?
  7. Where do we process your data?
  8. Data transfer abroad
  9. What rights do you have?
  10. How do we ensure the security of your data?
  11. What is a data breach and how do we handle it?
  12. How can you contact us or enforce your rights?
  13. Other provisions

The Website is not directed at the processing of personal data of minors. Only persons who have completed their 18th year are entitled to provide data during contact.

  1. Who is the data controller?

This Privacy Policy governs the following Data Controller: FINO-FOOD Kft. (hereinafter “Controller”) is responsible for the processing of personal data collected through the contact and electronic newsletter subscription interfaces of the Vegajó Website created by it.

The Data Controller and the Data Protection Officer Data Controller’s details:

  • Registered office: 1054 Budapest, Szemere utca 21. 3. em. 2. ajtó
  • Company registration number: 01-09-713423
  • Tax number: 11283058-2-41
  • Postal address: 7400 Kaposvár, Izzó u. 9.
  • E-mail address: info@fino.hu

The processing of data is performed on behalf of the Controller by Extreme Net Kft. (1034 Budapest, Tímár utca 20. 2. em.; Tax number: 14437081-2-41; Company registration number: 01-09-994233) hereinafter: “Organizer”.

  1. What personal data do we process about you?
  • During subscription to the electronic newsletter, you must provide the following personal data:
    • Full name (surname, first name)
    • E-mail address
  • Additionally, upon subscription, you must provide the following profiling data:
    • Which age group do you belong to?
    • What plant-based milk and dairy alternatives do you usually buy?
    • For what reason do you buy these plant-based products?
  • The data serves the purpose of building a direct marketing database based on profiling, through which the Controller sends electronic mail containing offers and advertisements most suited to your actual interests to the e-mail address you provided.
  • In case of contact via the contact e-mail:
    • Name;
    • Address;
    • Time, mode, subject, and content of contact.
  • Only persons who have completed their 18th year are entitled to provide data.
  1. Why and for how long do we process your personal data?

Purpose of data processing: Building a profiling-based direct marketing database related to sending electronic mail using personal data provided during subscription to electronic direct marketing messages (newsletter), and within this framework, sending personalized targeted advertisements and offers relevant to your interests regarding the Controller’s products and services to the e-mail address you provided.

In case of contact: Contacting and maintaining contact via the e-mail address available on the website regarding the Controller’s products and services, as well as handling complaints received at the e-mail address.

The Controller processes personal data for the duration of the existence of the data processing purpose, or until the User requests the deletion of their data or withdraws their consent given for the processing of their personal data.

  1. Cookie Notice

We use cookies and similar technologies to facilitate browsing for you on the Website, to understand how you interact with us, and in certain cases, to display information and advertisements appropriate to your browsing habits. Please read our Cookie Notice so that—beyond other information of interest—you can get a more comprehensive picture of the cookies and other similar tools we use and their purpose.

  1. On what legal basis do we process your personal data?
  • Your Consent: Based on Article 6(1)(a) of the GDPR – in connection with the subscription to the personalized newsletter and establishing contact. You are entitled to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
  • Legitimate Interest: Analysis of the website’s usability and quality.
  • Legal Obligation: Based on Article 6(1)(c) of the GDPR, processing your data may be mandatory based on an authority or court request.
  • The User may only provide their own personal data. If providing personal data other than their own, it is the data provider’s duty to obtain the consent of the data subject.
  1. Who has access to your personal data?

The Controller and the Data Processor(s) used by it are entitled to know the personal data in accordance with current legislation. The processing of data is performed by the following data processor(s) acting on behalf of the Controller:

  • Extreme Net Kft. (1034 Budapest, Tímár utca 20. 2. em.; Tax number: 14437081-2-41; Company registration number: 01-09-994233).
    • Purpose of processing: Contact via Website – Scope of processed data: full name, e-mail address, phone number, fact of majority. Provision of the Website’s technical background. Hosting.
  • Rackhost Zrt. (Registered office: 6722 Szeged, Tisza Lajos körút 41.).
    • Purpose of processing: Provision of customer service correspondence. It performs no other activity related to data processing or handling.

In the absence of an express legal provision, the Controller will only transfer personal identification data to third parties with the express consent of the given user.

  1. Where do we process your data?

The location of data processing and handling of the processed personal data is the www.vegajo.hu site.

  1. Data transfer abroad

None.

  1. What rights do you have?

Access to personal data: Upon the User’s request, the Controller provides information on whether it processes personal data regarding the User, and if so, grants access to the personal data and informs them of the following information:

  • the purpose(s) of processing;
  • the categories of personal data concerned;
  • in case of transfer of the User’s (as Data Subject’s) personal data, the legal basis and recipient(s) of the transfer;
  • the planned duration of processing;
  • the User’s (as Data Subject’s) rights regarding rectification, deletion, and restriction of processing of personal data, and objection to the processing of personal data;
  • the possibility of legal remedy;
  • the source of the data;
  • the name, address, and processing-related activity of the data processor(s).

The Controller provides a copy of the personal data undergoing processing to the User free of charge. For any further copies requested by the User, the Controller may charge a reasonable fee based on administrative costs. If the User submitted the request electronically, the information must be provided in a widely used electronic format, unless the User requests otherwise. The Controller is obliged to provide the information in an intelligible form upon the User’s request without undue delay, but at the latest within 30 days from the submission of the request. The User may submit the access request at the Controller’s contact details specified in this Privacy Policy.

Rectification of processed data: The User is entitled to request the rectification of inaccurate personal data or the completion of incomplete data, taking into account the purpose of processing (indicating the correct data), at the Controller’s contact details specified in this Privacy Policy. The Controller performs the rectification in the registry without undue delay and notifies the User thereof in writing.

Deletion of processed data (right to be forgotten): The User may request that the Controller delete personal data concerning them without undue delay, and the Controller is obliged to delete personal data concerning the User without undue delay if one of the following reasons exists: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the User withdraws consent and there is no other legal ground for the processing; c) the User objects to the processing of their personal data; d) the personal data have been unlawfully processed; e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; f) the personal data have been collected in relation to the offer of information society services to children.

If the Controller has made the personal data public (made it available to third parties) and is obliged to delete it pursuant to the above, it shall take reasonable steps, including technical measures, taking into account available technology and the cost of implementation, to inform controllers processing the personal data that the User has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

Personal data does not have to be deleted if processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • based on public interest in the area of public health;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise, or defense of legal claims.

Restriction of processing: The User is entitled to obtain from the Controller restriction of processing instead of rectification or deletion of personal data if one of the following applies:

  • the User contests the accuracy of the personal data, in which case the restriction applies for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful, and the User opposes the erasure of the data and requests the restriction of their use instead;
  • the Controller no longer needs the personal data for the purposes of the processing, but they are required by the User for the establishment, exercise, or defense of legal claims; or
  • the User has objected to processing; in this case, the restriction applies pending the verification whether the legitimate grounds of the Controller override those of the User.

If processing is restricted, such personal data shall, with the exception of storage, only be processed with the User’s consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The Controller informs the “Data Subject,” at whose request processing has been restricted, before the restriction of processing is lifted.

The Controller accepts requests for information, rectification, restriction, or deletion via the customer service operated by the Data Processor at the info@fino.hu e-mail address. The Controller sends electronic mails from the info@fino.hu e-mail address. The Controller immediately informs the User in a reply message about the conditions and procedure contained in this point following the receipt of the deletion request.

Notification obligation regarding rectification or erasure of personal data or restriction of processing: The Controller communicates any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller informs the User about those recipients if the User requests it.

Right to object: The User may object to the processing of their personal data if the processing:

  • is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
  • is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party;
  • is based on profiling.

In the case of the User’s objection, the Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the User or for the establishment, exercise, or defense of legal claims. If personal data are processed for direct marketing purposes, including profiling related thereto, the User shall have the right to object at any time to processing of personal data concerning them for such marketing.

The Controller informs the User without undue delay, but at the latest within 30 days of receipt of the request, about the measures taken following the request for access, rectification, erasure, restriction, objection, and data portability. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by two further months. The Controller informs the User of any such extension within one month of receipt of the request, together with the reasons for the delay. If the User makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the User.

If the Controller does not take action on the request of the User, the Controller shall inform the User without delay and at the latest within 30 days of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. Upon the User’s request, the information, communication, and any actions taken based on the request must be provided free of charge. Where requests from a User are manifestly unfounded or excessive, in particular because of their repetitive character, considering the administrative costs of providing the information or communication or taking the action requested, the Controller may charge a reasonable fee or refuse to act on the request. The burden of demonstrating the manifestly unfounded or excessive character of the request rests on the Controller.

  1. How do we ensure the security of the User’s data?

The Controller ensures the security of the User’s personal data and takes the technical and organizational measures and establishes the procedural rules that ensure that the recorded, stored, or processed data are protected, and prevents their destruction, unauthorized use, and unauthorized alteration. The Controller also undertakes to call upon every third party to whom it transfers or hands over the data based on the User’s consent to comply with the requirement of data security. The Controller ensures that unauthorized persons cannot access, disclose, transfer, modify, or delete the processed data. The processed data may only be known to the Controller and its employees, or the Data Processor(s) used by it; the Controller does not hand them over to third persons not authorized to know the data. The Controller does its utmost to ensure that data is not damaged or destroyed even accidentally. The Controller prescribes the above commitment for its employees participating in the data processing activity and for the data processor(s) acting on the Controller’s behalf.

The User acknowledges and accepts that in the case of providing their personal data via contact—despite the fact that the Controller possesses modern security tools to prevent unauthorized access to or interception of data—the protection of data on the Internet cannot be fully guaranteed. In the event of unauthorized access or data knowledge occurring despite efforts, the Controller is not responsible for such data acquisition or unauthorized access or for any damage caused to the User for these reasons. Furthermore, the User may also provide their personal data to third parties who may use it for unlawful purposes or in an unlawful manner.

The Controller does not collect special data under any circumstances, i.e., data revealing racial origin, belonging to a national and ethnic minority, political opinion or party affiliation, religious or other philosophical beliefs, trade union membership, health status, pathological addiction, sexual life, or criminal record.

  1. What is a data breach and how do we handle it?

A data breach is any event that results in the unlawful handling or processing of personal data processed, transmitted, stored, or handled by the Controller, in particular unauthorized or accidental access, alteration, disclosure, deletion, loss, or destruction, as well as accidental destruction and damage. The Controller is obliged to report the data breach to the National Authority for Data Protection and Freedom of Information (hereinafter: NAIH) without undue delay, but no later than 72 hours after becoming aware of the data breach, unless the Controller can prove that the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification cannot be made within 72 hours, the reason for the delay must be indicated, and the required information may be provided in phases without further undue delay.

The notification to NAIH contains at least the following information:

  • the nature of the data breach, the number and categories of Users and personal data;
  • Name and contact details of the Data Controller(s);
  • the likely consequences of the data breach;
  • the measures taken or proposed to address, eliminate, or remedy the data breach.

The [Data Processor] informs the Controller about the data breach within 72 hours of detecting the data breach. The information must contain at least the data defined in this point. The Controller keeps a registry of data breaches for the purpose of verifying measures related to the data breach and informing Users. The registry contains the following data:

  • scope of Users’ personal data;
  • scope and number of Users;
  • time of the data breach;
  • circumstances and effects of the data breach;
  • measures taken to eliminate the data breach. The Controller retains the data in the registry for 5 years from the detection of the data breach.
  1. How can you contact the Controller, or how can you enforce your rights?

The Controller is obliged to do everything to ensure that the processing of personal data takes place in accordance with the laws. If the User detects a circumstance indicating a breach of these, they may make a report to the Controller. If it arises that their right to the protection of personal data has been violated, they may turn to the court having jurisdiction according to the governing laws, or to the following authority:

  • National Authority for Data Protection and Freedom of Information (Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C., ugyfelszolgalat@naih.hu; www.naih.hu).

Regarding advertisements sent electronically, the National Media and Infocommunications Authority acts; the detailed regulation is contained in Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information , and Act CVIII of 2001 on certain issues of electronic commerce services and information society services.

  1. Other provisions

The Hungarian law, in particular the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information , and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, are applicable to this Notice.

Budapest, October 16, 2023. 

Last modified: 08.01.2026.

Data Controller