Privacy Policy
This Privacy Policy describes how your personal data is collected, used, stored, and protected when you visit and use the website https://sundeer.hu (hereinafter: “Website”), operated in connection with the Sundeer — International Gathering of Wisdom Keepers festival (hereinafter: “Festival”). This policy applies to all personal data processing activities carried out through the Website and in relation to ticket purchases for the Festival.
The Data Controller is committed to protecting your personal data and processes it in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, hereinafter: “GDPR”), Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Hungarian Information Act), and all other applicable data protection legislation.
By using this Website, you acknowledge that you have read and understood this Privacy Policy.
1. Data Controller
| Name: | Sólyomfi-Nagy Zoltán, sole proprietor (egyéni vállalkozó) |
| Address: | 2531 Tokod, Bikás oldal, hrsz 6343/2 |
| Tax number: | 70975008-1-31 |
| Phone: | (+36) 20 363 4076 |
| Email: | sundeerinfo@gmail.com |
| Website: | https://sundeer.hu |
For any questions, requests, or complaints regarding the processing of your personal data, please contact the Data Controller using the contact details above.
2. Data Processors
The Data Controller engages the following data processors to carry out certain data processing activities on its behalf. These data processors act only on the instructions of the Data Controller and are bound by contractual obligations to implement appropriate technical and organisational measures to ensure data protection in accordance with GDPR Article 28.
2.1. Stripe Payments Europe, Ltd.
| Registered office: | Ireland |
| Purpose: | Credit and debit card payment processing |
| Privacy policy: | https://stripe.com/privacy |
2.2. KBOSS.hu Kft. (szamlazz.hu)
| Registered office: | 1031 Budapest, Záhony utca 7., Hungary |
| Purpose: | Automatic generation and delivery of invoices |
| Privacy policy: | https://www.szamlazz.hu/adatvedelem |
2.3. Hostinger International Ltd.
| Registered office: | Lithuania |
| Purpose: | Web hosting services, server infrastructure |
| Privacy policy: | https://www.hostinger.com/privacy-policy |
2.4. Google Ireland Limited
| Registered office: | Gordon House, Barrow Street, Dublin 4, Ireland |
| Purpose: | Website analytics (planned, not yet active) |
| Privacy policy: | https://policies.google.com/privacy |
3. Data Processing Activities
The following sections describe the specific data processing activities carried out in connection with the Website and the Festival, including the purpose, legal basis, categories of personal data, and retention periods for each.
3.1. Website Visits (Server Logs)
| Purpose: | Ensuring the technical operation, security, and performance of the Website; detecting and preventing unauthorised access and cyberattacks; diagnosing technical errors. |
| Legal basis: | Legitimate interest of the Data Controller (GDPR Article 6(1)(f)) — maintaining a secure and functional website. |
| Data categories: | IP address, date and time of access, requested URL, HTTP status code, browser type and version, operating system, referrer URL, data volume transferred. |
| Retention period: | Server log files are retained for a maximum of 90 days, after which they are automatically deleted. |
Server logs are processed by our hosting provider, Hostinger International Ltd. The Data Controller does not use server log data to identify individual visitors.
3.2. Cookies
| Purpose: | Ensuring the proper functioning of the Website (strictly necessary cookies); remembering user preferences; analysing website usage and performance; displaying personalised content where applicable. |
| Legal basis: | Strictly necessary cookies: legitimate interest of the Data Controller (GDPR Article 6(1)(f)). All other cookies (functional, analytics, third-party): consent of the data subject (GDPR Article 6(1)(a)), obtained via the GDPR Cookie Compliance consent banner. |
| Data categories: | Cookie identifiers, session identifiers, language preferences, consent status, browsing behaviour data (for analytics cookies where consent is granted). |
| Retention period: | Session cookies are deleted when you close your browser. Persistent cookies remain for the duration specified by each cookie, generally up to 12 months. You may withdraw consent and delete cookies at any time through the cookie settings panel accessible on the Website or through your browser settings. |
The Website uses the GDPR Cookie Compliance plugin (by Moove Agency) to manage cookie consent. When you first visit the Website, you are presented with a cookie consent banner that allows you to accept or reject cookies by category:
- Strictly Necessary Cookies: These cookies are essential for the basic operation of the Website (e.g., maintaining your shopping cart, remembering your cookie consent choice). They cannot be disabled.
- Functional Cookies: These cookies enable enhanced functionality and personalisation, such as remembering your language preference.
- Analytics Cookies (Third Party): These cookies collect anonymised information about how visitors use the Website. They are only activated when you have given your explicit consent.
You can change your cookie preferences at any time by clicking the cookie settings icon displayed on the Website.
3.3. Contact Form
| Purpose: | Responding to enquiries, requests, or messages submitted by visitors through the contact form on the Website. |
| Legal basis: | Consent of the data subject (GDPR Article 6(1)(a)), given by voluntarily submitting the contact form. Alternatively, where the enquiry relates to a contract or pre-contractual measures, the legal basis is GDPR Article 6(1)(b). |
| Data categories: | Name, email address, and the content of the message as entered by the visitor. |
| Retention period: | Contact form submissions are retained for a maximum of 1 year from the date of the last communication relating to the enquiry, unless a longer retention is required by law or is necessary for the establishment, exercise, or defence of legal claims. |
The contact form is powered by Contact Form 7. The data you submit is stored on the Website’s server hosted by Hostinger International Ltd. and is sent to the Data Controller’s email address. The Data Controller does not share contact form data with any third party unless required by law.
3.4. Ticket Purchase (Online)
| Purpose: | Processing online ticket purchases for the Festival, including order fulfilment, communication regarding the order, and after-sales support. Festival tickets include day tickets and multi-day passes, available in HUF and EUR currencies. |
| Legal basis: | Performance of a contract to which the data subject is party, or taking steps at the request of the data subject prior to entering into a contract (GDPR Article 6(1)(b)). |
| Data categories: | Billing name, billing address, email address, phone number, order details (products purchased, quantities, prices, currency), order date, order status, attendee details (name and email address for each ticket), and any additional information voluntarily provided during checkout. |
| Retention period: | Order data is retained for a minimum of 8 years from the date of the transaction to comply with Hungarian accounting and tax legislation (Act C of 2000 on Accounting, hereinafter: “Accounting Act”). After the statutory retention period expires, the data is deleted. |
Online ticket sales are processed through WooCommerce, a self-hosted e-commerce platform running on the Website. The ticket system (Sundeer Tickets) is a self-developed plugin; ticket purchase data is not transmitted to any third-party booking or ticketing service. Payment processing and invoicing involve the data processors described in Sections 3.5 and 3.6 below.
3.5. Card Payment Processing
| Purpose: | Processing credit and debit card payments for online ticket purchases securely and in compliance with the Payment Card Industry Data Security Standard (PCI DSS). |
| Legal basis: | Performance of a contract to which the data subject is party (GDPR Article 6(1)(b)) — payment is an integral part of the ticket purchase contract. |
| Data categories: | Tokenised card data (card number, expiry date, CVC). The Data Controller does not receive, store, or have access to your full card details. All card data is processed directly by Stripe using tokenisation technology. |
| Retention period: | Stripe retains payment data in accordance with its own privacy policy and applicable legal requirements. The Data Controller retains only the transaction identifier, payment status, and the last four digits of the card number for order reference purposes, for the same period as order data (8 years). |
Card payments are processed by Stripe Payments Europe, Ltd. When you choose to pay by card, your payment details are transmitted directly to Stripe’s secure servers. The Data Controller’s Website does not process or store your full card number. For further information on how Stripe processes your data, please refer to Stripe’s privacy policy at https://stripe.com/privacy.
Alternatively, you may choose to pay by direct bank transfer, in which case the payment is processed through your bank and no card data is collected.
3.6. Invoicing
| Purpose: | Issuing invoices in compliance with Hungarian tax and accounting legislation, including Act CXXVII of 2007 on Value Added Tax (VAT Act) and Act C of 2000 on Accounting (Accounting Act). |
| Legal basis: | Legal obligation to which the Data Controller is subject (GDPR Article 6(1)(c)) — the Data Controller is required by law to issue invoices for all transactions and to retain them for the statutory period. |
| Data categories: | Billing name, billing address, tax number (if provided), invoice number, date of issue, items purchased, amounts, currency, and payment method. |
| Retention period: | Invoices and the personal data contained therein are retained for 8 years from the date of issue, as required by the Accounting Act (Section 169). |
Invoices are generated automatically by szamlazz.hu, a service operated by KBOSS.hu Kft. The billing data you provide during checkout is transmitted to szamlazz.hu solely for the purpose of invoice generation and delivery. For further information on how KBOSS.hu Kft. processes your data, please refer to their privacy policy at https://www.szamlazz.hu/adatvedelem.
3.7. Google Analytics (Planned)
| Purpose: | Analysing website traffic and visitor behaviour to improve the Website’s content, structure, and user experience. |
| Legal basis: | Consent of the data subject (GDPR Article 6(1)(a)), obtained via the cookie consent banner before any analytics cookies are set. |
| Data categories: | Anonymised and aggregated analytics data, including pages visited, duration of visits, traffic sources, approximate geographic location (country/city level), device type, browser type, and operating system. IP anonymisation is enabled. |
| Retention period: | Analytics data is retained by Google for a maximum of 14 months, after which it is automatically deleted. |
Google Analytics is planned to be integrated via Google Site Kit but is not yet active on the Website. Once activated, analytics cookies will only be placed on your device if you have given your explicit consent through the cookie consent banner. You may withdraw your consent at any time through the cookie settings panel on the Website. For further information on how Google processes your data, please refer to Google’s privacy policy at https://policies.google.com/privacy.
3.8. On-Site Ticket Sales
| Purpose: | Selling festival tickets at the venue (Manas Garden, Lengyeltóti, Hungary) and issuing receipts for such sales. |
| Legal basis: | Performance of a contract to which the data subject is party (GDPR Article 6(1)(b)); legal obligation under Hungarian tax law for issuing receipts (GDPR Article 6(1)(c)). |
| Data categories: | On-site ticket sales involve minimal personal data processing. A receipt is issued for each purchase in accordance with Hungarian tax legislation. Receipts do not contain the purchaser’s name or other personal identifiers unless an invoice is specifically requested, in which case the data categories described in Section 3.6 apply. |
| Retention period: | Receipt records are retained for 8 years in accordance with the Accounting Act. |
4. Cross-Border Data Transfers
The Data Controller primarily processes personal data within the European Economic Area (EEA). However, certain data processors engaged by the Data Controller may transfer personal data outside the EEA, in particular to the United States of America. The following safeguards are in place to ensure an adequate level of data protection in accordance with GDPR Chapter V (Articles 44–49):
4.1. Stripe
Stripe Payments Europe, Ltd. is incorporated in Ireland (within the EEA). However, Stripe, Inc. (the parent company) is based in the United States. Personal data transferred to the United States by Stripe is protected under the EU-U.S. Data Privacy Framework (DPF), which was recognised by the European Commission as providing an adequate level of data protection by its adequacy decision of 10 July 2023 (Commission Implementing Decision (EU) 2023/1795). Stripe, Inc. is a certified participant of the EU-U.S. Data Privacy Framework. Additionally, Stripe employs Standard Contractual Clauses (SCCs) as a supplementary transfer mechanism.
4.2. Google
Google Ireland Limited processes data within the EEA, but data may be transferred to Google LLC in the United States. Such transfers are similarly protected under the EU-U.S. Data Privacy Framework, of which Google LLC is a certified participant. Google also implements Standard Contractual Clauses and additional technical safeguards, including encryption of data in transit and at rest.
4.3. Hostinger
Hostinger International Ltd. is incorporated in Lithuania (within the EEA). Hostinger’s data centres serving European customers are located within the EEA. Where any data processing occurs outside the EEA, Hostinger relies on Standard Contractual Clauses and other appropriate safeguards in accordance with GDPR Article 46.
The Data Controller regularly reviews the adequacy of safeguards applied to any cross-border data transfers and will update this Privacy Policy if there are material changes to the transfer mechanisms relied upon.
5. Your Rights
Under the GDPR, you have the following rights with respect to your personal data. To exercise any of these rights, please contact the Data Controller using the contact details set out in Section 1 above. The Data Controller will respond to your request without undue delay and in any event within one month of receipt. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests.
5.1. Right of Access (GDPR Article 15)
You have the right to obtain confirmation as to whether or not your personal data is being processed and, where that is the case, to obtain access to the personal data and the following information: the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients, the envisaged retention period, and the existence of your other rights. You may request a copy of your personal data undergoing processing.
5.2. Right to Rectification (GDPR Article 16)
You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
5.3. Right to Erasure (“Right to Be Forgotten”) (GDPR Article 17)
You have the right to obtain the erasure of your personal data without undue delay where one of the following grounds applies: the data is no longer necessary for the purposes for which it was collected; you withdraw your consent and there is no other legal ground for the processing; you object to the processing and there are no overriding legitimate grounds; the data has been unlawfully processed; or the data must be erased to comply with a legal obligation. Please note that this right does not apply where the processing is necessary for compliance with a legal obligation (e.g., invoicing data required to be retained under the Accounting Act) or for the establishment, exercise, or defence of legal claims.
5.4. Right to Restriction of Processing (GDPR Article 18)
You have the right to obtain the restriction of processing where one of the following applies: you contest the accuracy of the data (for a period enabling the Data Controller to verify its accuracy); the processing is unlawful and you oppose erasure and request restriction instead; the Data Controller no longer needs the data but you require it for the establishment, exercise, or defence of legal claims; or you have objected to the processing pending verification of whether the Data Controller’s legitimate grounds override yours.
5.5. Right to Data Portability (GDPR Article 20)
You have the right to receive your personal data that you have provided to the Data Controller in a structured, commonly used, and machine-readable format, and you have the right to transmit that data to another controller without hindrance, where the processing is based on consent or on a contract and the processing is carried out by automated means.
5.6. Right to Object (GDPR Article 21)
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is based on the legitimate interest of the Data Controller (GDPR Article 6(1)(f)). The Data Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.
5.7. Right to Withdraw Consent (GDPR Article 7(3))
Where the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. You may withdraw your consent by contacting the Data Controller or, in the case of cookies, by adjusting your cookie preferences through the cookie settings panel on the Website.
5.8. Right Not to Be Subject to Automated Decision-Making (GDPR Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. The Data Controller does not carry out automated decision-making or profiling.
6. Right to Lodge a Complaint
If you believe that the processing of your personal data infringes the GDPR or applicable data protection legislation, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement (GDPR Article 77).
The competent supervisory authority in Hungary is:
| Name: | Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) — Hungarian National Authority for Data Protection and Freedom of Information |
| Address: | 1055 Budapest, Falk Miksa utca 9-11., Hungary |
| Phone: | +36 1 391 1400 |
| Email: | ugyfelszolgalat@naih.hu |
| Website: | www.naih.hu |
You also have the right to an effective judicial remedy against a supervisory authority’s legally binding decision, or where the supervisory authority does not handle a complaint or does not inform you within three months on the progress or outcome of the complaint lodged (GDPR Article 78). Furthermore, you have the right to an effective judicial remedy against a controller or processor where you consider that your rights under the GDPR have been infringed (GDPR Article 79). Such proceedings may be brought before the courts of the Member State where the Data Controller is established or where you have your habitual residence.
7. Data Security
The Data Controller implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32. These measures include, but are not limited to:
- Encryption in transit: The Website uses SSL/TLS encryption (HTTPS) to protect all data transmitted between your browser and the server.
- Secure payment processing: Card payment data is processed by Stripe, a PCI DSS Level 1 certified service provider. Full card details never touch the Data Controller’s servers.
- Access control: Access to personal data is restricted to the Data Controller and authorised personnel only, protected by strong authentication mechanisms.
- Server security: The hosting infrastructure provided by Hostinger includes firewalls, intrusion detection systems, regular security updates, and server-level protections.
- Regular backups: Regular backups of the Website and its databases are maintained to ensure data availability and integrity.
- Data minimisation: The Data Controller collects only the personal data that is strictly necessary for the purposes described in this Privacy Policy.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, the Data Controller will notify the competent supervisory authority (NAIH) without undue delay and, where feasible, within 72 hours of becoming aware of the breach (GDPR Article 33). Where the breach is likely to result in a high risk to your rights and freedoms, the Data Controller will also communicate the breach to you without undue delay (GDPR Article 34).
8. Changes to This Privacy Policy
The Data Controller reserves the right to amend this Privacy Policy at any time. Any changes will be published on this page with an updated effective date. Where changes are material, the Data Controller will take reasonable steps to inform you, such as displaying a notice on the Website. The Data Controller encourages you to review this Privacy Policy periodically to stay informed about how your personal data is being protected.
Continued use of the Website after the publication of changes to this Privacy Policy constitutes your acknowledgement of such changes. Where a change requires your consent under applicable law, the Data Controller will obtain your consent before implementing the change.
9. Effective Date
This Privacy Policy is effective as of 17th of March 2026.
