Privacy Policy

Travel worry-free. Discover how we safeguard your privacy.

Privacy Policy

Introduction

1.1. This Privacy Policy explains how Untold Hungary (operated by Szegedi Szilveszter EV., the “Data Controller”) processes personal data on the Untold Hungary website and in connection with related services.

1.2. The Data Controller reserves the right to unilaterally amend this Privacy Policy. Amendments take effect upon publication on the website; in case of material changes, we may also notify users by email.

1.3. The Data Controller treats personal data as confidential and applies appropriate technical and organizational measures to ensure data security.

1.4. Authorities may lawfully request disclosure of personal data. In such cases, we will disclose only the minimum amount of personal data strictly necessary to fulfill the legal request.

1.5. Personal data is processed in connection with providing and mediating travel offers, including contracting, performance, client communication, marketing, and compliance with legal obligations.

1.6. Our data processing principles comply in particular with the following laws and regulations:

  • GDPR: Regulation (EU) 2016/679

  • Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Hungary)

  • Act CVIII of 2001 on certain aspects of electronic commerce services (Hungary)

  • Act XLVIII of 2008 on essential conditions and limitations of commercial advertising (Hungary)

  • Act C of 2000 on Accounting (Hungary)

  • Acts CL and CLI of 2017 on tax administration (Hungary)

  • Act C of 2003 on Electronic Communications and the relevant ePrivacy rules

Data Controller Contact

Data Controller: Szegedi Szilveszter EV. (“Untold Hungary”)
Registered office: 1046 Budapest Erdosor street 2. 5/32, Hungary
Email: info@untoldhungary.com

Hosting/Domain: Namecheap (USA/UK infrastructure; as per service agreement)
Site platform: WordPress

Definitions (short)

Personal data, processing, processor, data subject, consent, profiling, personal data breach, etc. have the meanings set out in Article 4 GDPR.

What data we process and for what purposes

1) Website visitors

  • Data: cookies (functional, statistical, marketing), device and browser information. We do not store IP addresses for standalone identification; however, security logging may technically involve IP.

  • Purpose: operate and secure the website, measure performance, compile statistics, run marketing/remarketing.

  • Legal basis: legitimate interests (functional/security cookies), consent (statistical/marketing cookies).

2) Newsletter subscribers and prospects

  • Data: name, email address, country.

  • Purpose: send newsletters, offers, and content updates.

  • Legal basis: consent (GDPR Article 6(1)(a)).

3) Enquiries and bookingsvisitors

  • Data: name, email, phone number (e.g., WhatsApp), travel document details of at least one traveler if required for accommodation bookings, and billing data where applicable.

  • Purpose: conclude and perform contracts (quotations, bookings, customer communication) and comply with legal obligations (accounting).

  • Legal basis: performance of a contract (Art. 6(1)(b)), legal obligation (Art. 6(1)(c)).

4) Payments

  • No payments can be done on this website. 

5) Customer communication and complaint handling

  • Data: name, contact details, message content, related documentation.

  • Purpose: handle enquiries and resolve complaints.

  • Legal basis: legitimate interests/contract/legal obligation, as applicable.

6) Social media (Meta, Instagram, TikTok, etc.)

  • Data: platform-based profile information and interactions.

  • Purpose: community engagement and remarketing.

  • Legal basis: legitimate interests; and, where applicable, consents managed on the specific platform.

Retention periods

  • Newsletter/marketing: until consent is withdrawn, and in any case deleted after a maximum of 5 years of inactivity.

  • Booking/invoicing data: 8 years (mandatory under the Accounting Act).

  • Customer communication/complaints: until the purpose is achieved and/or for the statute of limitations of related legal claims.

  • Cookies: as per the lifetime shown in the cookie itself (see Cookie section).

Who has access to the data? Processors

Personal data is accessed by the Data Controller and authorized personnel. We use the following processors and service providers:

  • Mailchimp – newsletter distribution

  • Google Analytics (GA4) – statistics

  • Meta/Facebook Pixel – remarketing

  • WordPress + Namecheap – hosting/domain

  • Stripe / PayPal / Apple Pay – payment processing

  • Email service provider (for operating info@untoldjourney.net)

  • Travel partners/providers where necessary to fulfill your booking (e.g., accommodation, booking.com, tour partners)

We conclude GDPR-compliant data processing agreements with our processors.

Data transfers outside the EU

Some providers (e.g., Mailchimp, Meta, Google, certain Namecheap components) are located outside the EU, particularly in the United States. Transfers rely on:

  • the EU–US Data Privacy Framework where the provider is certified, or

  • the European Commission’s Standard Contractual Clauses (SCCs).

These mechanisms ensure an adequate level of protection.

Cookies

Our website uses:

  • Functional cookies (e.g., session, security, load balancing) – legal basis: legitimate interests.

  • Statistical cookies (e.g., Google Analytics) – legal basis: consent.

  • Marketing cookies (e.g., Meta Pixel) – legal basis: consent.

Users can grant or withdraw consent and manage preferences via the cookie banner. The banner lists categories and lifetimes; third-party providers’ own policies apply to their cookies.

Note: cookies can also be deleted/blocked in the browser; some site functions may be affected.

Data subject rights

You have the right to:

  • request access to your personal data,

  • request rectification, erasure, or restriction of processing,

  • object to processing based on legitimate interests,

  • request data portability,

  • withdraw consent at any time (e.g., for newsletters), without affecting the lawfulness of processing before withdrawal.

To exercise your rights, contact: info@untoldhungary.com

Automated decision-making and profiling

We do not carry out automated decision-making. We may use remarketing tools (e.g., Meta Ads) to display personalized ads; this does not produce legal effects concerning you or similarly significantly affect you.

Data security

We apply appropriate access controls, encrypted communications (HTTPS), up-to-date system patching, password and authorization policies, and incident response procedures. In case of a personal data breach, we act in accordance with the GDPR.

Complaints and legal remedies

If you believe your personal data is being processed unlawfully, you may lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH).

Address: 1055 Budapest, Falk Miksa utca 9–11.
Postal address: 1363 Budapest, Pf. 9.
Phone: +36 (1) 391-1400
Website: www.naih.hu
Email: ugyfelszolgalat@naih.hu

You may also bring an action before the competent court; you can choose the court with jurisdiction over your place of residence.

Changes to this Policy

We may update this Policy from time to time. The current version is always available on the website with its effective date. In case of material changes, we may also notify users by email.

Last Updated: October 17, 2025