Data processing Guidelines
1./ Aim and scope of the Guidelines
1.1./ The aim of these Guidelines is to duly inform you about the processing of the personal data you
provided in the webshop of Bloodstonecompany Ltd. on the webpage https://bloodstonecompany.com
(henceforth: Webshop) as well as on your related rights, in line with Regulation (EU) 2016/679 of the
European Parliament and of the Council (henceforth: Regulation), the Hungarian legal regulations and Act
CXII of 2011 on informational self-determination and freedom of information (henceforth: Information
1.2./ The scope of these Guidelines only covers the personal data you provided in the Webshop on the
website https://bloodstonecompany.com .
1.3./ These Guidelines and their amendments implemented from time to time shall be considered effective
from the moment that they are published on the website https://bloodstonecompany.com .
1.4./ Before you provide any data or information to us, please read the current version of the Guidelines,
which shall always be accessible from https://bloodstonecompany.com . Please note that you should only
provide data or information at any time if you have read the current version of these Guidelines, and
explicitly agree with their contents.
Data subject: natural persons who are explicitly defined or identified, or can be explicitly or implicitly
identified by the use of personal data.
Customer: data subjects who provide their personal data for the purpose of making a purchase from the
Webshop at https://bloodstonecompany.com .
Personal data: data relating to the data subject, in particular by reference to the name and identification
number of the data subject or one or more factors specific to his physical, physiological, mental,
economic, cultural or social identity as well as conclusions drawn from the data in regard to the data
Data controller: natural or legal persons or organisations not having legal personality that (independently
or jointly with others) may determine the purpose of the data processing, make and execute decisions
regarding the data processing (including the devices used), or have their decisions executed by the data
processor. In the context of these Guidelines, Bloodstonecompany Kft. is the data controller.
Data processing: all activities or the sum of activities carried out by Bloodstonecompany Ltd. on the data
provided by the users, including especially collecting, recording, organizing, storing, modifying, using,
querying, transmitting, publishing, harmonising or interconnecting, locking, deleting and destroying the
data, as well as preventing further use of the data.
Data breach: unlawful processing or handling of personal data, especially unauthorized access to the data,
modifying, transmitting, publishing, deleting or destroying the data, as well as incidents where data is
destroyed or corrupted by accident.
3./ Name and details of Controller
Name: Bloodstonecompany Ltd.
Registered seat: 1034 Budapest, San Marco utca 28-30
Registration number: 01-09-329824
Tax ID: HU26517836
Email address: email@example.com
Postal address: 1034 Budapest, San Marco utca 28-30
4./ Legal basis for data processing
4.1./ The legal basis for processing by Bloodstonecompany Ltd. regarding the Webshop is your consent on
one hand, (point (a) of Article 6(1)), and, on the other hand the fact that it is necessary in order to enter
into and execute contracts regarding the Webshop (point (b) of Article 6(1)), furthermore, regarding
invoicing, it is the fact that processing is necessary so Bloodstonecompany Ltd. as Controller may comply
with its legal obligations (point (c) of Article 6(1)).
4.2./ If, when registering on the website https://bloodstonecompany.com , you give your express consent
to have your personal data processed, the legal basis of processing based on consent is realised. If you
place an order on the website https://bloodstonecompany.com , the legal basis related to entering into and
executing a contract is also realised.
5./ Processing related to registering and placing orders
5.1./ Short description of the data processing: If you wish to make use of the services of the Webshop,
prior to placing an order you may register on the website https://bloodstonecompany.com . You need to
fill in the form under the Registration menu in order to register. The personal data you provide when
registering or placing an order are processed on the website https://bloodstonecompany.com , and are
made accessible to the employees responsible for executing the contracts entered into in the Webshop.
5.2./ Legal basis for data processing: By accepting the Data Processing Guidelines when registering on the
website, you – by ticking the appropriate checkbox – accept the current provisions of these Data
Processing Guidelines and give your express consent to have your personal data processed by
Bloodstonecompany Ltd. with regard to the Webshop. Thus the legal basis for data processing for this is
Regulation point (a) of Article 6(1). If you place an order in the Webshop, a further legal basis for
processing is added: processing is necessary in order to enter into and execute contracts regarding the
Webshop (Regulation point (b) of Article 6(1)).
5.3./ The purpose of data processing: Creating a user account for persons registering on the website
https://bloodstonecompany.com for the purpose of purchasing, which is a legitimate basis of processing.
The purpose of the data processing is the operation of the Webshop, the provision of the services available
from the Webshop, operation of the related databases, fulfilment of orders submitted by customers,
collection of the payments related to the orders, and especially:
a) Processing the orders and financial transactions initiated by the Customer.
b) Sending sales confirmations to the Customer.
c) Documenting any benefits that a registered Customer may be eligible for.
d) Responding to Customers’ requests, questions and complaints.
e) Administering the user accounts.
5.4./ Scope of the data processed with regard to the Webshop:
a) last name and first name,
b) email address,
c) phone number,
d) postal address (country, municipality, postcode, street name, house number, floor, door number)
5.5./ Duration of data processing: We process your personal data provided when registering or placing an
order until you withdraw your consent or delete your personal account. Bloodstonecompany Ltd. shall
only process the personal data submitted by the Customer as long as the Customer has an active account,
or until the Customer requests the deletion of their data, or the Customer withdraws their consent to the
processing of their personal data. You may make such requests by emailing us on
6./ Data processing related to invoicing
6.1./ Short description of the data processing: If you make a financial transaction regarding an order on the
Webshop (you pay the price of the product by bank card or PayPal), Bloodstonecompany Ltd. shall issue a
bill about the price of the order.
6.2./ The legal basis for data processing: processing is carried out for the purpose of complying with legal
obligations pertaining to the Data Controller [subsection c) of section (1) of Article 6 of the Regulation].
Applicable law: Act CXXVII of 2007 on the Value Added Tax (VAT Act): Article 159 (on the obligation
to issue invoices), Article 169 (mandatory content elements), Act C of 2000 on accounting (Accounting
Act): Articles 166-169 (accounting documents, strict accountability documents, obligation to keep
6.3./ The purpose of data processing is the support and documentation of the economic event (orders and
their execution), which is a legitimate purpose for data processing.
6.4./ Scope of the processed data: The name, address, date and time of purchase of the customer (natural
6.5./ Duration of data processing: Until revoked
7./ Obligations of the Customer
7.1./ By providing their email address and other personal data, the Customer assumes responsibility for
ensuring that only he or she shall provide data and submit orders from that email address, and that the data
provided shall always be correct. In light of this assumption of responsibility, the Customer who registered
the specific email address shall bear all liabilities related to the logins that were performed with that email
address. Customers please note that if you do not provide your own personal data, it is your responsibility
to obtain the consent of the relevant data subject.
7.2./ The minimum age for Customers consenting to the processing of their personal data on the website is
16 years. If you are not yet 16 years of age, please do not provide your data on this website, and do not use
8./ Data processing related to visitors of the website
https://bloodstonecompany.com . Typical cookies are ones for password-protected sessions, cookies for
the implementation of the shopping cart and safety cookies, the use of which is not subject to the prior
consent of data subjects. Scope of data subjects: all data subjects who visit the websites of
8.2./ Legal basis for data processing: Consent as per point (a) of Article 6(1). By clicking the button “I
accept” on the website you accept the processing. The consent of the data subject is not needed when the
sole purpose of using cookies is to transfer information on an electronic telecommunication network, or if
it is essential for the service provider to be able to provide the information society-related service
expressly requested by the user.
8.3./ The purpose of data processing: In the case of registered users it is the identifying of users, making
statistics, tracking visitors, in the case of customers it is the managing of the “shopping cart”.
8.4./ Scope of the processed data: unique ID numbers, dates, times.
8.5./ Duration of data processing: Session cookie: to identify the user for the login procedure, PHP session
id: the system deletes it when the browser is closed.
8.7./ Controllers authorised to access the data: the staff of Bloodstonecompany Ltd. may process the
personal data, respecting the above principles.
8.8./ Rights of data subjects regarding processing: data subjects may delete cookies under the appropriate
menu of the browser they use.
Third party cookies
8.9./ Short description of the data processing: The site https://bloodstonecompany.com uses third party
cookies (by Youtube and Google) to monitor the activities of visiting users for third party services. Scope
of data subjects: all data subjects who visit the website, regardless of the services actually used.
8.10./ Legal basis for data processing: For the purpose of the data processing, the legal basis for data
processing is defined in Article 6 (1) (a) of the Regulation: the consent of the user. By clicking the
“Accept” button on the website, you consent to the technical data collection and data processing activities
related to visitor analysis.
8.11./ The purpose of data processing: The purpose of data processing is to provide a user-friendly
experience for the visitors of the website, as well as to collect data regarding the use of the website for
purposes of visitor analysis.
The information needed for the following activities cannot be directly linked to specific persons (only to
the device used for accessing the website):
– Assessing how many visitors open the website, how often each pages of the website are accessed, how
much time the users spend on each page – the purpose of which is to tailor the website to the needs of the
– Capturing the physical place from where User (the device used for accessing the website) accesses the
website – to provide a geographical distribution of the users interested in the services provided by the Data
– Identifying the website from where the User opened the current page of the Website – to assess what
topics may be of interest to the Users interested in the services provided by the Data controller, and to
measure the performance of promotional activities regarding the services.
8.12./ Scope of the processed data: The pages visited during the visit to the website and the order in which
they were accessed, as well as the IP address of the device used by the Users.
Data processed for the purpose of measuring the visitor number of the website:
– the pages visited during the visit to the website and the order in which they were accessed,
– the frequency with which each page of the website were viewed,
– other websites from which the User arrived from (only for websites where there is a link placed to the
– the geographical location of the website visitors (based on information about the internet provider,
approximate data on the location of the device used for accessing the website),
– the time the User opens the website,
– the time the User leaves the website,
– the duration which the User spent on the website.
8.13./ Duration of data processing: Regarding the data retention times, please see the data processing
guidelines posted by Google: https://policies.google.com/technologies/retention .
8.14./ Related IT systems: the software of https://bloodstonecompany.com and the server owned by
SiteGround Hosting Ltd. https://www.siteground.com/viewtos/privacy_policy and rented by
8.15./ Controllers authorised to access the data:
Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland) has access to the data detailed
above. Google Ireland Ltd. also uses the data outlined above to show targeted advertising to the users of
8.16./ Rights of data subjects regarding processing: Data subjects may delete cookies under the
appropriate menu of the browser they use, or use private/incognito browsing to access the site, which
makes it impossible to connect their activities to their Google profiles.
9./ Controllers, processors, data transfers
9.1./ By accepting these Data Processing Guidelines, the Customer acknowledges that
Bloodstonecompany Ltd. (registered seat: 1034 Budapest, San Marco utca 28-30.) as the data controller
will transfer the following personal data, provided by the Customer, stored in the user database of the site
https://bloodstonecompany.com (as a point of sale) to OTP Mobil Szolgáltató Kft. (1143 Budapest,
Hungária krt. 17-19.) acting as the data processor. The data controller transfers the following personal
data: email address and phone number of the Customer, details of the bill-to address, details of the
You may find out more about the specifics and purposes of the data processing activities carried out by the
data processor in the Data Processing Guidelines of SimplePay, which is available at the following
9.2./ The personal data submitted by users during the course of using the Webshop are processed by the
accountant tasked with carrying out the accounting obligations of Bloodstonecompany Ltd., as well as
those employees of Bloodstonecompany Ltd. tasked with the fulfilment of orders submitted via the
Webshop and monitoring the related payments. The personal data provided upon registration and/or any
purchase made, are stored by the software of https://bloodstonecompany.com on a server and shall not be
disclosed to any third parties.
9.3./ By completing the Registration process and submitting their orders, the Customer consents to the
persons defined in Section 9.1 and 9.2. controlling and processing their data.
9.4./ Except for the cases detailed in sections 9.1. and 9.2., we shall not transfer your personal data to any
third parties unless compelled to do so by law or a final court ruling or public decree.
9.5./ We do not provide personal data to other natural or legal persons for the purpose of carrying out
marketing activities related to their products or services.
10./ Data security measures
10.1./ Bloodstonecompany Ltd. provides protection to the data by means of suitable measures against
unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as damage
and accidental loss, and to ensure that stored data cannot be corrupted and rendered inaccessible due to
any changes in or modification of the applied technique. In determining the measures to ensure security of
processing, Bloodstonecompany Ltd. shall proceed taking into account the latest technical development
and the state of the art of their implementation. Where alternate data processing solutions are available,
the one selected shall ensure the highest level of protection of personal data, except if this would entail
unreasonable hardship for the data controller.
10.2./ Personal data provided by the user is protected during their transfer and after their arrival to the
databases of the data controller. However, there are no completely safe methods for transferring data
online and storing data electronically. We implement industry-standard solutions for the protection of
personal data, however, their absolute safety cannot be guaranteed.
10.3./ The operator has put into service several safety and security procedures to safeguard the IT systems
and networks of Bloodstonecompany Ltd., among them the following:
a) The Customer is only able to access their user profile with the password and user ID that they provided.
The password is stored in an encrypted state. The use of a strong, alphanumeric password (one that
contains both letters and numbers) is required, and the user is not allowed to share the password with
b) Your personal data are stored on a secure server. The secure servers are only accessible to certain
employees of Bloodstonecompany Ltd., and are password-protected,
c) We back up the data to avoid data loss
11.1./ According to the wording of the Regulation, “data subject” is a natural person who can be
identified, directly or indirectly by reference to relevant information or personal data.
11.2./ Please note that prior to the fulfilment of claims regarding the enforcement of rights,
Bloodstonecompany Ltd. is obliged to identify the person submitting the request. Where
Bloodstonecompany Ltd. has reasonable doubt about the identity of the natural person submitting the
request, additional information may be requested to confirm the identity of the requestor.
11.3./ You may contact Bloodstonecompany Ltd. or the data protection officer any time in order to
exercise your rights below:
a) you have the right to ask for more information regarding the handling of your personal data, and to
request a copy of your data that Bloodstonecompany Ltd. handles and processes (right of information,
right of access – Regulation Art.15, Information Act section 15).
b) you have the right to request the rectification of incorrect or incomplete data (right to rectification –
Regulation Art.16, Information Act section 17).
c) You are entitled to request the deletion of your personal data, and if your data are published publicly,
you may request that Bloodstonecompany Ltd. forwards your deletion request to other data controllers
(right to erasure – Regulation Art.17, Information Act section 17, subsection (2)).
d) You have the right to request the restriction of processing (right to restriction of processing –
e) You are entitled to receive the personal data concerning you in a structured, commonly used and
machine-readable format and have the right to transmit those data to another controller (right to data
portability – Regulation Art.20).
f) You have the right to object against the data processing activities (right to object – Regulation Art.21,
Information Act section 21).
g) When your data is processed based on consent, you have the right to withdraw your consent any time.
Your withdrawal does not affect the legality of the processing activities carried out before the withdrawal
(right to withdraw consent – Regulation Art.7(3)).
h) You have the right to lodge a complaint with a supervisory authority, if you believe that our processing
activities are in conflict with any law in force (right to lodge complaints with a supervisory authority –
11.4./ Any requests under 11.3 shall be sent via e-mail to the following address in every case:
firstname.lastname@example.org or by mail to the following address: 1034 Budapest, San Marco utca
11.5./ The Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection
and Freedom of Information) shall provide legal remedies, and receives the complaints of the users:
Name: Nemzeti Adatvédelmi és Információszabadság Hatóság
Seat: 1055 Budapest, Falk Miksa utca 9-11
Postal address: 1363 Budapest, Pf.: 9.
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
11.6./ If Bloodstonecompany Ltd. refuses to comply with your (the data subject’s) request, the factual and
legal reasons on which the decision for refusing the request is based shall be communicated in writing or,
subject to your consent, electronically within 25 (twenty-five) days of receipt of the request. If your
request is refused, Bloodstonecompany Ltd. shall inform you of the possibilities for seeking judicial
remedy or lodging a complaint with the Authorities.
11.7./ If you disagree with the decision taken by Bloodstonecompany Ltd., or if Bloodstonecompany Ltd.
fails to meet the deadline, you shall have the right to turn to court within 30 (thirty) days of the date of
delivery of the decision or from the last day of the time limit. You may, at your discretion, start a lawsuit
either at the court in Bloodstonecompany Ltd.’s registered seat or your domicile. The competent court
based on the seat of Bloodstonecompany Ltd. is the Municipal Court of Budapest.
12.1./ Bloodstonecompany Ltd. as the data controller, with a view to control measures relating to personal
data breaches and to inform data subjects – shall keep records containing the personal data affected, the
personal scope affected by the data incident, the time, circumstances and effects of the personal data
breach and measures taken to eliminate it as well as other information required by law.
12.2./ In matters not regulated by these Data Processing Guidelines, the provisions of Regulation (EU)
2016/679 of the European Parliament and of the Council, Act CXII of 2011 on the Right of Informational
Self-Determination and on Freedom of Information, Act V of 2013 on the Civil Code as well as other
relevant acts shall apply.