Privacy and Cookie Policy

Privacy Policy

Applicable from: 01.10.2020.

Contents: 

In this Privacy Policy, you may find information regarding the processing of your personal data on the website at www.donably.com (hereinafter: the Website) in the following chapters

I. General. Besides other general information, this chapter contains the data of the Controller and some processors.

II. Ways of processing. In this chapter you may find specific information (the purpose, grounds and period of processing, the scope of data subjects and the data processed) per each purpose of the processing: 

II/1. Registration, profile, account data

II/2. Data provided voluntarily on the Website

II/3. Invoices

II/4. Cookies

II/5. Newsletters

II/6. Contact

II/7. Personal data of contracting partners

II/8. Proving consent

III. The rights of the data subjects. Here you may find a detailed description of your rights regarding the processing and the related procedure. 

IV. Remedies. In this chapter you may find the detailed description of the remedies you can have if our rights related to your personal data are violated. 

 

I. General

1 In relation to this Privacy Policy, the users or visitors of the Website shall be considered data subjects. The precise scopes of data subjects are specified at the ways of processing. 

2 The Controller

Company name: Donably UK Ltd.

Registered and postal address: Unit A28 - A30, Red Scar Ind. Estate, Longridge, Preston, PR2 5NA, United Kingdom

Phone: +44 121 318 7246 

E-mail: office@donably.com

Tax No: 12875465

Registration No: 12875465

Registered by: Companies House, United Kingdom 

Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

3 It is the Controller’s intention to ensure the protection of the personal data of the persons providing them on the Website to the extent possible. This Privacy Policy shall be applicable in respect of the Website only and no other websites of any third parties, even if such are accessible from the Website.

4 The Controller shall have the right to unilaterally modify this Privacy Policy anytime on which it shall inform the users by email. 

5 The Controller provides its services by protecting the personality rights of the visitors of the Website and its clients, in accordance with the law, especially REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).

6 Please note that it is voluntary to provide personal data on the Website and upon the acceptance of this Privacy Policy, the data subject gives his or her consent to the control of the personal data if the processing is based on a voluntary consent.  The processing of the personal data of a child shall be lawful on the grounds of the consent of the data subject where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. 

7 The Controller may forward personal data to pursue its activities, to the extent required thereto, to data processors as recipients. ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

8 The personal data processed by us on the Website are stored at our storage provider as a data processor that is also our web developer: Webinform Consulting Online Produkciós Kft.; www.webinform.hu 

Activities: web storage and web development, in case no data is provided, the Controller cannot fulfill its activities.

9 We use a service provider for our payment systems: 

Name: Barion Payment Zrt. 

Data: www.barion.hu 

You may find the respective cookie policy and privacy policy on the website above. 

Activities: the provision of payment services, in case no data is provided, the Controller cannot fulfill its activities. Processing is required for the performance of contract, the grounds therefor are specified in point (b) of subparagraph 1 of Article 6 of the GDPR.

Forwarded data: the data requested ad provided upon payment. 

10 Should any court, prosecutor, investigative body, such as the authority investigating the processing of personal data, or any other bodies entitled upon law contact the Controller to provide or hand over information or data, the Controller shall provide the personal data necessary for the purpose of the request if the requesting person specifies the exact purpose and grounds for the request and scope the of personal data.  

II. Ways of processing:

II/1. Registration, profile, account data

1.1 Services related to the use of the Website may only be used after registration. The provision of personal data is required for the registration, or otherwise the contract will not be made and the Controller cannot provide its services for the data subject.

1.2  The ground for processing in case of natural person Users is the performance of the contract or it is required in order to take steps at the request of the data subject prior to entering into a contract. [point (a) of subparagraph 1 of Article 6 of the GDPR].

1.3 Please note that in case you register through your Google or Facebook account, data will be collected from these service providers (Facebook Inc.; 1 Hacker Way, Menlo Park, CA 94025, USA; and Google LLC 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA) through plug-ins facilitating connection and the privacy policies of these service providers shall also be applicable in respect of the processing. In such cases your IP-address and the fact that your device opened the Website will be forwarded to the service providers upon the legitimate interests (to show personalized advertisements) of the service providers in accordance with point (f) of subparagraph 1 of Article 6 of the GDPR and such data will be stored by the service providers. The service providers as organizations having their registered seats in third countries outside the EU have Privacy Shield certifications based on the privacy shield agreement between the EU and the USA that ensures compliance with the level of protection applicable in the EU. Should you disagree with this processing or the privacy policies of the two service providers, please choose registration via e-mail. 

1.4 The purpose of processing is allowing the Controller to provide its services. 

1.5 In case of registration via e-mail we use the phone number you give us to send a confirmation code. The phone number will also be registered as registration data after confirmation.  

1.6 The scope of personal data concerned: name (first name and surname); email address; password; date of birth, citizenship; home address; phone number. If you wish to provide further information upon registration, we will process them upon your voluntary consent in accordance with subchapter II/2 below, so please provide such data only upon your voluntary consent based on the information below. 

1.7 Period of processing: until the deletion of the account, unless we have any grounds for further processing as specified below. 

1.8 We will use the contact data provided by you (e-mail address and phone number) to keep contact with you for the performance of the contract and to send you information and messages. 

II/2 Data provided voluntarily on the Website

2.1 The User may, both at the profile and the donation channel, provide further data not specified in subchapter II/1 and not necessary for the performance of the contract, the User may, however enhance the quality of the services this way. If, for example, the User adds a profile picture, he or she may have better chances at acquiring donations. Before providing any personal data on your profile or donation channel, please consider the consequences thereof. The provided personal data shall be stored by the Controller and they will be accessible by visitors as recipients. 

2.2 The purpose of the processing is the enhancement of the quality of the services and the promotion of the success of the call for offer and of the offer through the donation channel. 

2.3 The ground for processing: the consent of the User [point (a) of subparagraph 1 of Article 6 of the GDPR] given upon providing his/her personal data (by changing the data in the Profile/Change of data function or publishing them in the donation channel).

2.4 The scope of the processed personal data: facial image and any personal data provided voluntarily by the User in the introduction at the profile or the donation channel. 

2.5 The data subjects are the registered Users publishing their personal data. 

2.6 Period of processing: until the personal data are deleted (i.e. the account is deleted or the data on the Website is changed or deleted or the donation channel is deleted or changed affecting the personal data). 

III/3 Invoices

3.1 The Controller stores, i.e. processes the personal data on the invoices. 

3.2  The purpose of processing is issuing invoices, compliance with the laws for accounting. 

3.3 The ground for processing is  compliance with a legal obligation.

3.4. Processed personal data: name, address, e-mail address, phone number.

3.5 The data subjects are the natural persons on the invoices. 

3.6 Period of processing: the legal minimum period to keep records, basically 7 years.

3.7 The data in the invoices will be forwarded to the accountant of the Controller: I M Bookkeeping Ltd. 

II/4. Cookies 

4.1 In order to monitor the Website, the Controller uses an analytical tool (cookie) which prepares a data string and tracks how the visitors use the internet pages. When a page is viewed, the system generates a cookie in order to record the information related to the visit (pages visited, time spent on the Controller’s pages, browsing data, exits, etc) and installs it on the computer of the visitor but these data cannot be linked to the visitor's person. This tool is instrumental in improving the ergonomic design of the website, creating and improving a user-friendly website, enhancing the online experience for visitors and preventing data loss. Cookies recognize the computer of the visitor and manage its IP address. 

4.2 Most internet browsers accept cookies, but visitors have the option of deleting or automatically rejecting or allowing them. The visitor has the option to decline the installation of cookies. Since all browsers are different, visitors can set their cookie preferences individually with the help of the browser toolbar. Users might not be able to use certain features on the Website if they decide not to accept cookies. 

4.3 Using cookies, the websites seen by the visitor and the internet use customs of the visitor may be monitored. Only upon revisiting the Website and exclusively the respective service provider can link such data to the person of the visitor. The duration of the storing of such data depends on the type of the cookies. Session cookies erase the data upon closing the Website, Flash-cookies, however may store the data up to one year of inactivity.

4.4 The ground for processing is the voluntary consent  of the data subject (the visitor) in accordance with point (a) of subparagraph 1 of Article 6 of the GDPR.

4.5 Processed data: browser history, identification No, date, time of visit.

4.6 The purpose of processing: improvement of the user experience, storing of the data of the respective session, prevention of data loss, identification and tracking of the data subjects, web analytics .

4.7 In the Menu of most of the browsers, there is a “Help” function providing information for the data subject, in his or her browser where to disable cookies; how to accept new cookies; how to instruct the browser to set new cookies; or turn off other cookies.

4.8 The Controller uses the following cookies: 

Cookie name

Category

Type

purpose

Lapse

G_AUTHUSER_H

functional

permanent

Making Google social login service available

 

g_enabled_idps

functional

permanent

required for Google+ login

 

__qca

 

 

site ranking 

 

_ga

 

 

Google Analytics. This cookie is used for the distinction of the users, adding a randomly generated number as a client ID

 

_gcl_au

 

 

cookie ensuring the advertising efficiency of google adsence 

 

_gid

 

 

cookie used by Google Analytic Universal 

 

_hjAbsoluteSessionInProgress

 

 

cookie placed by Hotjar detecting the first page view session of the user.

30 minutes

_hjid

 

 

Hotjar cookie set when the client is directed to the page containing the Hotjar script for the first time. It is for saving the Hotjar user ID for the respective site in the browser. This ensures that the same behavior will be linked to the same user ID at later visits. 

1 year

_hjTLDTest

 

 

When the Hotjar script runs, the most general cookie-route is sought to be used instead of the hostname of the site. This ensures that the cookies can be divided among the subdomains (where applicable). For this _hjTLDTest is stored for different URl-substring alternatives until it is successful. After checking this, the cookie will be removed. 

Until the end of the session

_hjIncludedInPageviewSample

 

 

Its purpose is notifying Hotjar on whether the visitor is in the data sample of the pageview limit of the website. 

30 minutes

_hjIncludedInSessionSample

 

 

The cookie informs Hotjar whether the visitor is in the data sample of the session limit of the Donably website. 

30 minutes

PHPSESSID

 

 

Identifies users’ sessions. 

24 minutes

v

 

 

A cookie used by the Website required for the tracking of the visitors. It differentiates new visitors from returning visitors.  

30 days

 

 

II/5. Newsletters:

5.1 The User may subscribe to the newsletter with its expressed, voluntary and active declaration. 

5.2 The purpose of processing is informing the data subjects on the services, products, news and events of the Controller and any changes thereto. 

5.3 The ground for processing is the voluntary consent of the data subject in accordance with point (a) of subparagraph 1 of Article 6 of the GDPR. 

Processed personal data:

- name (surname and first name)

- email address

5.4 Period of processing: lasts until the data subject requests to unsubscribe from the newsletters.

 

II/6. Contact

6.1 When somebody contacts the Controller e.g. via e-mail or phone for the first time without any further processing, the Controller processes personal data. 

6.2 The purpose of processing is keeping contact between the data subjects and the Controller.

6.3 The ground for processing is the voluntary consent of the data subject in accordance with point (a) of subparagraph 1 of Article 6 of the GDPR.

6.4 Period of processing: 60 days after the closing of the communication or until the data are processed on new grounds (e.g. entering into a contract).

6.5 The provision of the data is not necessary to enter into the contract, the consequence of failure to provide such data is that contact cannot be kept.

6.6 The scope of the processed personal data: any personal data voluntarily provided by the data subject upon making a contact, especially name, e-mail address, phone number, title, position.

6.7 The recipient of the processing is our colleague dealing with customer relationships, or the addressee of the message sent by the data subject or our colleague handling the matter. 

II/7. Personal data of contracting partners

7.1 In respect of the Controller’s contractual partners, the Controller processes the personal data of natural person partners and the natural person contact persons of the partners not being natural persons (names, home addresses, email addresses, phone numbers of partners and names, phone numbers, email addresses, titles, position of the contact persons) for the purpose of keeping contact and fulfilling contracts. 

7.2 The ground for processing is the performance of the contract [point (b) of subparagraph 1 of Article 6 of the GDPR] in case of natural person partners. In respect of natural person contact persons of the partners not being natural persons, the ground for processing is the legitimate interests of the Controller and the partner that their agreement be fulfilled [point (f) of subparagraph 1 of Article 6 of the GDPR].

7.3 Period of processing: the Hungarian civil law expiry period of 5 year.

7.4 The Controller stores, i.e. processes the personal data on the invoices and accounting documents (e.g. contracts).  The purpose of processing is issuing invoices, compliance with the laws for accounting. The ground for processing is compliance with a legal obligation, [point (c) of subparagraph 1 of Article 6 of the GDPR].  The data subjects are the natural persons in accounting documents. 

7.5. Period of processing: 7 years. 

7.6. The data in the accounting documents will be forwarded to the company providing accounting services.

II/8. Proving consent

8.1 Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. To this end, the Controller will store and if needed use in front of the acting authority/court the personal data of the data subject. 

8.2 The data subject is the person providing his or her consent.

8.3 This obligation is specified in paragraph (1) of Article 7 of the GDPR [processing in accordance with point (c) of subparagraph 1 of Article 6 of the GDPR].

8.4 Scope of processed personal data: the time of providing the consent, IP-address, data required for identification, such as e-mail address, first name and surname. 

8.5 Period of processing: the Hungarian civil law expiry period.

 

III. The rights of the data subjects

The data subject may exercise his or her rights via the contacts of the Controller listed above. 

III/1. Right for information and access:

1.1 The Controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. 

1.2 Information may be requested in writing through the contact data of the Controller specified above. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

1.3 The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; the envisaged period for which the personal data will be stored; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer. 

1.4 The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

1.5 The Controller shall be obliged to respond to requests from the data subject at the latest within one month.

III/2. Right to rectification:

2.1 The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data and the completion of incomplete personal data concerning him or her. 

III/3. Right to erasure (‘right to be forgotten’):

3.1 The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: 

- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

- the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;

- the data subject objects to the processing and there are no overriding legitimate grounds for the processing,;

- the personal data have been unlawfully processed; 

- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; 

- the personal data have been collected in relation to the offer of information society services.

3.2 Erasure may not be requested to the extent that processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; for reasons of public interest in the area of public health; for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or for the establishment, exercise or defence of legal claims.

III/4. Right to restriction of processing:

4.1 The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

- the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

4.2 Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State. 

4.3 A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted. 

III/5. Right to data portability:

5.1 The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. 

III/6. Right to object:

6.1 The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling based on those provisions. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. 

6.2 Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. 

III/7. Right to object against automated individual decision-making:

7.1 The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This right may not be exercised if the processing  is necessary for entering into, or performance of, a contract between the data subject and a data controller; is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or is based on the data subject's explicit consent.

 

 

III/8. Right of withdrawal:

8.1 The data subject shall have the right to withdraw his or her consent anytime. The withdraw of the consent shall not affect affecting the lawfulness of processing based on consent before its withdrawal.

III/9. Rules on the procedure of the enforcement of rights:

9.1 Deadline: The Controller shall provide information on actions taken on a request under Chapter III hereof to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject. 

9.2 If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

9.3 Information shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to act on the request. 

9.4 The Controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. 

 

IV. Remedies

1 Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

2 Each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with the GDPR. Proceedings against a controller or a processor shall be brought before the courts of the member state where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the member state where the data subject has his or her habitual residence. Any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered.