Privacy Notice
1. Introduction
This Privacy Notice (the “Notice”) explains how we process your personal data in a clear and transparent way, in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”) and applicable Hungarian law.
The Notice applies to personal data collected through the vigadomystery.cloud website (the “Website”) in connection with the “Vigadó Mystery” interactive treasure-hunt/escape-game service.
This English Notice is a courtesy translation. In case of discrepancy, the Hungarian version prevails.
2. Data Controller
| Name | Matyas Anna sole proprietor (egyéni vállalkozó) |
|---|---|
| Registered seat | 1156 Budapest, Nyírpalota út 74, Hungary |
| Registration number | 62003328 |
| Tax number | 91848538-1-42 |
| Tax status | VAT-exempt (AAM) |
| hello@vigadomystery.cloud | |
| Website | vigadomystery.cloud |
The Controller is not required to appoint a Data Protection Officer under Article 37 GDPR, and therefore has not appointed one. For any data protection query, please contact us at the email address above.
3. Definitions
Terms used in this Notice have the meaning given to them in Article 4 GDPR. In particular:
- Personal data: any information relating to an identified or identifiable natural person (“data subject”).
- Processing: any operation performed on personal data (collection, storage, use, transfer, deletion, etc.).
- Controller: the entity that determines the purposes and means of the processing – in this case Matyas Anna sole proprietor.
- Processor: a party that processes data on behalf of the Controller (e.g. hosting provider, payment processor).
4. Processing Activities
Below we describe, per activity, what data we process, for what purpose, on what legal basis, and for how long.
4.1 Purchases and performance of the contract
| Data processed | Name, email, phone (optional), billing address, order data (product, quantity, price, time), IP address |
|---|---|
| Purpose | Performance of the contract, delivery of the game code, communication about the order |
| Legal basis | GDPR Art. 6(1)(b) – performance of a contract |
| Retention | 5 years from termination of the contract (general limitation period under Hungarian Civil Code § 6:22), then deletion |
4.2 Invoicing and accounting
| Data processed | Name, billing address, purchase data, payment data |
|---|---|
| Purpose | Issuance and retention of accounting records |
| Legal basis | GDPR Art. 6(1)(c) – legal obligation (Hungarian Accounting Act 2000/C § 169(2)) |
| Retention | 8 years following the year of issuance |
4.3 Online payment
Card payments are processed by Stripe Payments Europe, Ltd (Dublin, Ireland). Card data is exchanged directly between you and Stripe – the Controller does not see or store the card number, CVC, or expiry date. Stripe transmits a transaction ID and status to the Controller.
In the case of bank transfer, your name, the order reference included in the transfer note and the amount transferred are received by the Controller through its own bank.
- Legal basis: GDPR Art. 6(1)(b) – performance of a contract
- Retention: 8 years in line with accounting rules (see 4.2)
4.4 Customer support and correspondence
| Data processed | Name, email, message content, attachments if any |
|---|---|
| Purpose | Answering queries, complaint handling |
| Legal basis | GDPR Art. 6(1)(b) (pre-contractual steps) or Art. 6(1)(f) (legitimate interest – maintaining the customer relationship) |
| Retention | 1 year from the enquiry; in case of a formal complaint, 3 years per the Hungarian Consumer Protection Act |
4.5 Newsletter (planned)
If you subscribe to our newsletter, we use your name and email address to send marketing messages. The subscription is given with your explicit, voluntary consent and can be withdrawn at any time with a single click via the unsubscribe link in the newsletter footer or by emailing hello@vigadomystery.cloud.
- Legal basis: GDPR Art. 6(1)(a) – consent; and Hungarian Act XLVIII of 2008 (Grt.) § 6(1)
- Retention: until consent is withdrawn
4.6 Analytics and marketing cookies, measurement
The Website uses cookies and similar technologies (pixels, local storage, server-side events) to analyse visitor behaviour and target advertising. These are described in detail in Section 6.
- Legal basis: GDPR Art. 6(1)(a) – your prior, voluntary consent via the cookie banner
- Retention: cookie- and platform-specific (see the table in Section 6)
5. Recipients of the data – processors
The Controller uses the following processors and service providers. These providers may only access personal data to the extent required for their service and following the Controller’s instructions.
| Provider | Role | Data processed |
|---|---|---|
| Tárhely.Eu Kft. (1132 Budapest, Victor Hugo u. 18–22., Hungary; tax no. 14571332-2-42) | Web hosting, server operation | All data stored on the Website, server logs |
| Stripe Payments Europe, Ltd (1 Grand Canal Street Lower, Dublin 2, Ireland) | Processing of online card payments | Card data (held by Stripe), transaction data |
| Google Ireland Ltd (Gordon House, Barrow Street, Dublin 4, Ireland) – Google Tag Manager, Google Analytics 4, Google Ads | Visitor behaviour measurement, campaign measurement, remarketing | Cookie ID, truncated IP, device data, interaction and ecommerce events (see Section 7) |
| Meta Platforms Ireland Ltd (Merrion Road, Dublin 4, Ireland) – Meta Pixel + Conversions API | Advertising measurement, audience building, remarketing | Cookie ID, IP, event data, hashed contact details (email/phone – see Section 7) |
| Hotjar Ltd (Dragonara Business Centre, 5th Floor, Dragonara Road, St Julian’s STJ 3141, Malta) – optional | Click, scroll and session recording for UX analysis | Cookie ID, anonymised IP, interaction events; input-field content masked |
| Email provider (Tárhely.Eu Kft. mail) | Transactional and support email | Name, email, message content |
| Billingo Technologies Zrt. (1133 Budapest, Árbóc utca 6, 1st floor, Hungary; company reg.: 01-10-140802; tax no.: 27926309-2-41) | Issuance and storage of electronic invoices | Billing data, purchase data |
The actual list of active providers may change as we integrate new services; this Notice will be updated accordingly.
6. Cookies and similar technologies
A cookie is a small text file placed by the visited website in your browser. Cookies can be used to make the site work, remember preferences, produce statistics, or target advertising.
6.1 Cookie categories
| Category | Description | Consent |
|---|---|---|
| Strictly necessary | Required for the Website to function: login, cart, language setting (vm_lang), cookie-preference storage. | Not required – legitimate interest / contract performance |
| Analytics | Statistical data about Website usage (Google Analytics 4, Google Tag Manager used for this purpose). | Prior consent |
| Marketing | Ad targeting and measurement (Meta Pixel, Google Ads remarketing). | Prior consent |
| Preference / UX research | User-experience analysis – e.g. click and scroll heatmaps (Hotjar, if active). | Prior consent |
6.2 Main cookies and retention
| Name / provider | Purpose | Lifetime |
|---|---|---|
vm_lang (own) | Store site language (HU/EN) | 1 year |
wordpress_*, wp-settings-* (own) | Login session, admin settings | Session – 1 year |
woocommerce_cart_hash, woocommerce_items_in_cart, wp_woocommerce_session_* | Cart and checkout operation | Session – 2 days |
_ga, _ga_* (Google Analytics 4) | User and session identification, statistics | Up to 2 years (our default data retention: 14 months) |
_gcl_au (Google Ads) | Conversion and remarketing measurement | 90 days |
_fbp (Meta Pixel) | Audience building, conversion measurement | 90 days |
_hjSessionUser_*, _hjSession_* (Hotjar, if active) | Session and visitor identification for UX analysis | 30 minutes – 1 year |
6.3 Managing cookie preferences
Non-necessary cookies are only activated with your prior, explicit consent. You can give consent via the cookie banner that appears on your first visit, and change it at any time through the “Cookie settings” link in the Website footer or via your browser’s privacy settings.
Without consent, no marketing or analytics cookies are loaded, and the Meta Pixel and GA4 tag do not fire.
7. Server-side measurement
In addition to cookies and pixels that run in your browser, the Controller also uses server-side event forwarding, whereby purchase and conversion events (e.g. “purchase”) are sent directly from our server to the Google GA4 Measurement Protocol and the Meta Conversions API.
7.1 Why we use it
Server-side measurement provides more accurate conversion measurement even in the presence of cookie blockers and browser restrictions, and lets us strictly limit the data transmitted to what is necessary.
7.2 What data we transmit
- Event name (e.g.
purchase,add_to_cart,view_content) and timestamp - Order ID, product name, quantity, total value, currency
- The SHA-256 hash of your email address and phone number – we do not transmit the original values; the hash is practically irreversible, but allows Google/Meta to match the event to your account if you are logged into that platform
- Truncated IP address, user-agent string, and previously set
_ga/_fbp/fbclic/gclididentifiers
7.3 Legal basis for server-side forwarding
Server-side events are only transmitted if you have consented, on the cookie banner, to analytics and/or marketing processing. Without consent, server-side events are also suppressed.
8. International data transfers
Some of our processors (in particular Google and Meta) may store data outside the European Union, typically in the United States. Such transfers are made on the basis of
- the adequacy decision under the EU–U.S. Data Privacy Framework (DPF), where the provider is DPF-certified, and/or
- the European Commission’s Standard Contractual Clauses (SCCs), with supplementary technical measures.
You can check the current DPF certification status in the Data Privacy Framework List.
9. Data security
The Website is served over HTTPS (TLS encryption). Data is accessible only to the Controller and authorised processors, through accounts protected with strong passwords and – where available – two-factor authentication. Systems are kept up to date, backed up regularly, and in case of a personal data breach we act in accordance with Articles 33–34 GDPR.
10. Your rights
Under GDPR you have the following rights:
- Access (Art. 15): you may ask whether we process personal data about you and, if so, what.
- Rectification (Art. 16): correction of inaccurate or incomplete data.
- Erasure / “right to be forgotten” (Art. 17): under certain conditions, you may request deletion of your data.
- Restriction of processing (Art. 18).
- Data portability (Art. 20): you may receive your data in a machine-readable format.
- Objection (Art. 21): to processing based on legitimate interest or direct marketing.
- Withdrawal of consent: for processing based on consent (e.g. newsletter, analytics cookies), you may withdraw consent at any time – this does not affect the lawfulness of processing before the withdrawal.
- Automated decision-making (Art. 22): the Controller does not make automated decisions based on profiling.
You may exercise these rights by writing to hello@vigadomystery.cloud. We will respond within 30 days; this period may be extended by a further two months where justified, in which case we will notify you.
11. Remedies
If you believe the Controller has infringed your rights, you may file a complaint directly with the Controller (hello@vigadomystery.cloud), or with the supervisory authority:
Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9–11, Hungary
Postal address: 1363 Budapest, Pf. 9
Phone: +36 (1) 391-1400
Email: ugyfelszolgalat@naih.hu
Web: naih.hu
You may also seek remedy before the competent court. At your choice, proceedings may be brought before the court of your habitual residence.
12. Changes to this Notice
The Controller reserves the right to amend this Notice unilaterally, in particular in case of legal changes or new processing activities. The amended Notice takes effect upon publication on the Website. In case of a material change, we will notify you by email or via a prominent notice on the Website.
Last updated: 19 April 2026.