Cart
Pay

Privacy policy

Effective as of 12th July 2021

I. Introduction

The aim of the websites of BioTech USA Kft. (hereinafter referred to as Service Provider, Controller), available on the domain biotechusa.com and shop.biotechusa.com (hereinafter referred to as Website), is to serve the needs of the target audience consisting of athletes, health-conscious people wishing to do sports, facilitate communication between people interested in sports and health, provide them with an online platform for sharing experiences and sell related products.

The privacy policy of the Service Provider regarding the websites available at biotechusa.com and shop.biotechusa.com is continuously accessible on the main page.

Service Provider as data controller hereby informs the users of this Website about the personal data it processes on the Website, the principles and practices of processing personal data, the organisational and technical measures taken for protecting personal data, as well as the means and options for exercising user rights of the Users involved.

Other privacy policies accessible from the Website regarding the following platforms and services are available in separate policies which can be accessed through the following platforms: Newsletter and cookie policy.

Service Provider does not verify the provided personal data or the validity thereof. The person providing the data, user or contracting party is solely responsible for the accuracy of the provided data. When providing an email address, all users assume responsibility that they are the exclusive user of the provided email address. For this reason, any liability for logins related to an email address shall be borne exclusively by the user who provided the email address.

Service Provider shall process the recorded personal data confidentially, in compliance with the data protection regulations and international recommendations and in accordance with this privacy policy. Service Provider is committed to protecting the personal data of its partners and users; therefore it is particularly important for Service Provider to respect the informational self-determination rights of the Website’s users. Service Provider shall process all personal data confidentially and take every security, technical and organisational measure to ensure the safety of such data.

Upon establishing and implementing this policy, Service Provider applies the provisions of, acts in accordance with and complies with Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services and Regulation (EU) 2016/679 of the European Parliament and of the Council.

Primarily, the Service Provider and its employees are authorized to access the personal data processed on the Website.

Service Provider shall have the right to unilaterally modify this privacy policy at any time. Service Provider informs the users of any modifications via the Website. After the Website finished loading, visitors are informed about the modifications via a pop-up window and they can access the information about the changes by clicking on the link in the window. Users can declare their approval of such changes by clicking on the checkbox in the pop-up window. Service Provider may apply the provisions included in the modified privacy policy in case of those who have declared their approval thereof.

If you have any questions that are not answered clearly in this privacy policy, please contact us at the email address adatvedelem@biotechusa.com to have one of our colleagues answer your questions.

 

II. Details of the Data Controller

 

Name: BioTech USA Korlátolt Felelősségű Társaság

Registered office: 1033 Budapest, Huszti út 60.

Trade Registry Number: 01 09 352550

Tax Registration No.: 25114681-2-44

Registering authority: Company Registry Court of BudapestCapital Regional Court

Postal address: 1033 Budapest, Huszti út 60.

Electronic mail address: webshop@biotechusa.com

Telephone: +36 1 453 27 16

 

III. Details of Controller’s Data Protection Officer

 

Postal address: 1277 Budapest, Pf. 83.

Electronic mail address: dpo.btu@dnui.hu 

 

IV. Controller’s processing activities carried out at shop.biotechusa.com

 

Please note that where processing is based on consent you shall have the right to withdraw your consent at any time. Withdrawing your consent shall not affect the lawfulness of processing based on consent before its withdrawal.

 

Please note that you have the right to object to the processing of your personal data at any time where processing is based on the legitimate interest of the Controller or a third party.

 

A) Shop Registration

 

Processed personal data: name, email address, declaration of being above the age of 18,

purchase data (date of purchase, type of products purchased).

Purposes of processing: maintaining a record of and distinguishing persons signed up for a webshop account, verifying whether the contracting conditions (age of majority) are met, providing functions resulting from the registration at the webshop: shortening the process of placing orders, re-ordering previously ordered products, view previous orders.

Basis for the processing: according to Article 6 (1) (a) of the GDPR, the consent of you, which is a condition for the use of the functions associated with the registration of the webshop.

Term of processing: In case of 3 inactive years, Controller erases the personal data from its data base. Personal data are erased if registered users request the erasure thereof at the latest before the deadline for dealing with such request expires.

Recipients: Shopify International Ltd. as data processor (address: 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 Xn32) and as a result of the service provided by them, personal data may be transferred to Canada or to the USA which have been granted an adequacy decision by the European Union. [An adequacy finding allows the free flow of personal data from the EU without the EU data exporter having to implement any additional safeguards or being subject to further conditions.] Another data processor is EMARSYS eMarketing Systems GmbH ( address: 1150 Wien Märzstrasse 1., E-Mail: vienna@emarsys.com, website: https://www.emarsys.com/en/)

 

B) Webshop shopping as a guest shopper

 

Processed personal data: name, email address, declaration of being above the age of 18.

Purposes of the processing: maintaining a record of and distinguishing persons signed up for a webshop account during purchases in the webshop.

Basis for the processing: according to Article 6 (1) (a) of the GDPR, the consent of you,  in case of purchasing in the webshop, it is a requirement to conclude a contract. Without providing personal data, purchases cannot be initiated in the webshop.

Term of processing: in addition to the data (name, delivery address) required for the issuance of the invoice, the Data Controller handles it for 14 days after the purchase.

Recipients: Shopify International Ltd. as data processor (address: 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 Xn32) and as a result of the service provided by them, personal data may be transferred to Canada or to the USA which have been granted an adequacy decision by the European Union.

 

C) Concluding a contract (placing and processing orders)

 

Processed personal data: name, email address, country, postcode, city, street name and number, telephone number, declaration of being above the age of 18.

Purposes of the processing: verifying whether the contracting conditions (age of majority) are met, gaining information about the offer (order) to conclude a contract, sending a confirmation of the approval thereof via email.

Basis for the processing: under Article 6 (1) (b) of the GDPR, the preconditions for concluding the contract. Providing personal data is a requirement to conclude a contract. Without providing personal data, purchases cannot be initiated in the webshop.

Term of processing: data are erased following the general limitation period set out by the Civil Code.

 

D) Performance of the contract

i) Shipping

 

Processed personal data: name, email address, country, postcode, city, street name and number, telephone number, order number. In case of cash on delivery, the total price of the order is also necessary.

Purposes of the processing: delivering the ordered products.

Basis for the processing: under Article 6 (1) (b) of the GDPR, the preconditions for concluding the contract, the performance of the contract.

Term of processing: data are erased following the general limitation period set out by the Civil Code.

Recipients: UPS Magyarország Kft. as data controller (address: 2220 Vecsés, Lőrinci u. 154., the privacy policy is available at: https://www.ups.com/pl/en/help-center/legal-terms-conditions/privacy-notice.page?).

 

ii) Payment

 

Processed personal data: name, shipping address, billing address, telephone number, email address, the amount of the transaction, IP address, date and time of the transaction.

Purposes of the processing: paying the prices of ordered products.

Basis for the processing: under Article 6 (1) (b) of the GDPR, the preconditions for concluding the contract, performance of the contract.

Term of processing: data are erased following the general limitation period set out by the Civil Code.

Recipients: OTP Mobil Kft. (address: 1093 Budapest, Közraktár u. 30-32.; the privacy policy is available at:  http://simplepay.hu/old/docs/201804/simplepay_b2b_aszf_20180416.pdf) as the provider of SimplePay services.

PayPal Inc. (address: 2211 North First Street San Jose, California, U.S. ; the privacy policy is available at:   https://www.paypal.com/gr/webapps/mpp/ua/privacy-full ) as the provider of PayPal services.

 

iii) Billing

 

Processed personal data: name, country, postcode, city, street name and number, order number.

Purposes of the processing: providing bills (issuing invoices), retention of invoices.

Basis for the processing: according to Article 6 (1) c) of the GDPR, the legal obligation of the Service Provider [Paragraph (3) Section 166 and Paragraph (2) Section 169 of Act C of 2000 on Accounting]

Term of processing: 8 years.

Recipients: IFS Hungary Kft. as data processor (address: 1132 Budapest, Váci út 22-24.).

 

iv) Returning products in case of exercising the right of cancellation

 

Processed personal data: name, country, postcode, city, street name and number, order number.

Purposes of the processing: meet buyer’s requirements (refunding money).

Basis for the processing: according to Article 6 (1) c) of the GDPR, the legal obligation of the Service Provider [Paragraph (1) Section 23 of Government Decree No. 45/2014. (II.26.) on the Detailed Rules of the Contracts Concluded Between the Consumer and the Enterprise].

Term of processing: data are erased following the general limitation period set out by the Civil Code.

 

E) Rating products

 

Processed personal data: name provided for rating the product, other personal data provided in the feedback.

Purposes of the processing: providing written feedback and score ratings for products, publishing feedbacks on the website.

Basis for the processing: according to Article 6 (1) (a) of the GDPR, the consent of you.

Term of processing: until withdrawal of consent. In order to ensure that the personal data are stored only for the necessary period, Controller erases personal data without withdrawing consent after 3 years following the provision of data.

F) Rating purchases and products

 

Processed personal data: name provided for rating the product, email address, other personal data provided in the feedback.

Purposes of the processing: providing written feedback to the Controller regarding the purchase and the product.

Basis for the processing: according to Article 6 (1) (a) of the GDPR, the consent of you.

Term of processing: until withdrawal of consent. In order to ensure that the personal data are stored only for the necessary period, Controller erases personal data without withdrawing consent after 3 years following the provision of data.

Recipients: Judge.me LLC (Box 7403, Jackson, Wyoming 83002, USA). The European Union has granted an adequacy decision to the USA.

 

G) Contact in the chat window

 

Processed personal data: name, email address, other personal data provided in the message.

Purposes of the processing: answering received messages.

Basis for the processing: according to Article 6 (1) (a) of the GDPR, the consent of you.

Term of processing: a) in the absence of a response by the data subject, 15 days after the Service Provider has sent a response b) 1 day following the receipt of data subject’s response ending the conversation.

Recipients: Zendesk Inc. (address: 1019 Market St., San Francisco, California, USA 94103-1612) as data processor and service provider responsible for the communication platform.

 

V. Controller’s processing activities carried out at shop.biotechusa.com

A) Keeping contact

 

Processed personal data: name, email address, telephone number, other personal data provided in the mail.

Purposes of the processing: answering received messages.

Basis for the processing: according to Article 6 (1) (a) of the GDPR, the consent of you.

Term of processing: a) in the absence of a response by the data subject, 15 days after the Service Provider has sent a response b) 1 day following the receipt of data subject’s response ending the conversation.

 

VI. Controller’s processing activities carried out at biotechusa.com and shop.biotechusa.com

 

A) Cookies

 

Anonymous visitor identifiers (cookies) are files or pieces of information stored on your computer (or other devices capable of connecting to the Internet, such as your smartphone or tablet) when you visit one of our websites. A cookie usually includes the name of the website where it came from and “lifespan” (i.e. how long it will remain on your device) and its value, which usually is a randomly generated, unique number.

We use cookies to enable better future personalisation on our websites and offer you our products in line with your interests and needs, thus to make it easier for you to use our websites. Cookies make your future interactions on our sites faster and improve your browsing experience. Cookies can also be used to create anonymous, aggregated statistics, so that we can understand better how people use our sites in order to improve their structures and content.

 

Based on their lifespan, cookies are divided into session cookies and persistent cookies. Session cookies are temporary, i.e. they only stay on your device until you are browsing our website. Persistent cookies remain on your device for much longer, possibly until you manually delete them.

 

Some websites also collect information using pixel tags, which can be shared with a third party. This directly supports our promotional activities and the development of our websites. For example, the information on how visitors use our websites can be shared with advertisement agencies in order more efficiently use online advertisements on our websites.

 

Most browsers are initially configured to accept cookies. You can change these settings in order to block cookies or you may request notifications when cookies are set up on your device. There are several ways to manage cookies. Please check your browser information or the help page if you need more information on browser settings and their modifications. Disabling cookies that we use may affect your experience while browsing our websites. For example, you may not be able to visit certain parts of the BioTechUSA website or you may not receive personalised information while browsing a BioTechUSA site.
If you use several different devices (e.g. computer, smartphone, tablet etc.) for visiting and using BioTechUSA websites, make sure that all of the browsers used on these devices are set up to meet your needs.

 

Cookies used on our website belong to the following categories:

 

  • Necessary cookies

These cookies help the functioning of the website by enabling fundamental functions such as page navigation. The website cannot function properly without these cookies; therefore it is compulsory to accept them.

 

  • Preference cookies

These cookies allow our websites to remember information that changes the way the site behaves or looks, such as your preferred language or the region you are in. Such cookies may be approved optionally.

 

  • Statistical cookies

These cookies help us understand how visitors use our websites by collecting and reporting anonymous information. Such cookies may be approved optionally.

 

  • Marketing

These cookies are used to track the visitors of the website. The aim is to display relevant adverts that are interesting for visitors thus making them more valuable for those displaying adverts and third party advertisers. Such cookies may be approved optionally.

 

  • Other

The categorization of these cookies is currently in progress with the help of the provider of unique cookies. Such cookies may be approved optionally.

Detailed information about cookies used on the websites is available in our Cookie Policy.

When entering the website, a window pops up at the bottom of the screen which contains our Cookie Policy describing the cookies used on the website, their functions and lifespan.

Cookies may be enabled by clicking on “Accept all Cookies”. By clicking on “Cookie Settings” you can enable or disable cookies stored by certain groups (categories).

Cookies can be enabled or disabled in groups (in categories) and you may confirm the approval of appropriate cookies by clicking on “Accept”.

If new cookie(s) are introduced on the website it is necessary to accept and enable them as well. In this case, the window at the bottom of the screen pops up again highlighting those groups of cookies that were changed. New cookie(s) can be accepted in the same way as described above.

You may view the previously approved cookies at any time and you may change that. This can be carried out by clicking on the following button: Cookie Settings.

If any of the cookies stores personal data, the description of such cookie contains a notification thereof.

Emarsys eMarketing Systems GmbH (address: Märzstrasse 1, 1150 Vienna, Austria) contributes as data processor to the processing of data collected by the cookies.

B) Profiling

 

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's personal preferences, interests, location or movements.

 

With the help of profiling, the Service Provider can send you targeted, personalized offers and messages based on your previous orders and online behaviour.

 

Data necessary for profiling can be collected by the Service Provider via the following activities:

  • completing forms: name, email address, date of birth, gender, aim (the aim to be achieved by consuming dietary supplements, e.g. getting shredded, diet, bulking up).
  • purchases in the webshop: purchase details (what, when, for how much money and from where did you buy, payment method).
  • browsing the website, behaviour: using the website (viewed products, categories, products in the cart, searches).

Based on purchase and behavioural data, with the help of artificial intelligence, Emarsys eMarketing Systems GmbH collects such data about the user that the Service Provider can use to create segments which allow to run personalized campaigns.

Processed personal data: a) collected from the data subject: name, email address, city, postcode, date of birth, telephone number, gender, purchase details, IP address (from which the registration has been carried out); b) data not collected from the data subject, derived data (based on prediction, machine learning algorithm): favourite products, favourite categories, the time of the last visit on the website, the duration thereof; c) in addition, there are other data on the basis which Service Provider can distinguish and create segments: interactions with emails (opening/clicking/ affinity to email categories, from what device and from which city came the clicking/opening), user’s purchase life cycle, customer status (on the basis of spent money), average spending. 

Purposes of the processing: sending targeted, personalized offers, messages.

Basis for the processing: according to Article 6 (1) (a) of the GDPR, the consent of you.

Controller uses marketing cookies for profiling therefore the approval or disapproval of profiling can be indicated by giving or not giving consent to the use of marketing cookies when accepting the Cookie Policy. 

Term of processing: until the withdrawal of the data subject’s consent. In order to ensure that the personal data are stored only for the necessary period, controller erases personal data without withdrawing consent after 3 years following the last time when a newsletter was opened.

Recipients: Emarsys eMarketing Systems GmbH as data controller (address: Märzstrasse 1, 1150 Vienna, Austria).

 

C) Remarketing

 

Remarketing allows the Service Provider to display adverts to such persons who had previously visited the website and provided their email address.

 

Processed personal data: email address, information regarding purchases.

Purposes of the processing: displaying adverts to previous users on Facebook and Google.

Basis for the processing: according to Article 6 (1) (f) of the GDPR, the legitimate interest of the Service Provider (direct marketing). The user’s email address is provided to the Service Provider on the basis of the user’s consent when subscribing to the newsletter. This means the Controller processes the provided email address for purposes (remarketing) other than the purpose the data is collected for (sending a newsletter).

Term of processing: where personal data are processed for remarketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her. If the user withdraws his or her consent to sending the newsletter (to which he or she is entitled at any time), his or her data will no longer be processed for remarketing purposes. In order to ensure that the personal data are stored only for the necessary period, controller erases personal data without objection or withdrawal of consent after 3 years following the last time when a newsletter was opened.

Recipients: Emarsys eMarketing Systems GmbH as data processor (address: Märzstrasse 1, 1150 Vienna, Austria) who – upon Service Provider’s instruction – transfers the advert to be displayed and the email addresses to Facebook Ireland Ltd. (address: 4 Grand Canal square, Grand Canal Harbour, D2 Dublin, Ireland; Facebook Ads) and  Google Inc. (address: 1600 Amphitheatre Pkwy, Mountain View, California 94043, USA) (Google AdWords) who display the advert as processors to those registered users whose email address is listed on the list sent by Emarsys.

 

D) Other

 

The online marketing activities of the Controller is coordinated by commissioned contractors as well who can access the data stored and processed by the Controller in connection with their activities which data are processed by them only in accordance with the purposes the data was collected for and in line with data processing and data protection requirements: CoffeeBreak Consulting Kft. (address: 2030 Érd, Technikus utca 78.).

 

Information is provided regarding data processing not listed herein when such data is collected.
We hereby inform the visitors of the website that courts, the prosecutor’s office, investigating authorities, authorities dealing with administrative offences, administrative authorities, the Hungarian National Authority for Data Protection and Freedom of Information and other authorities if it is stipulated by law may contact the Controller to gain information, receive and gain data and to be provided with documents.

Controller may disclose personal data to the authorities – if the authority has provided the exact purpose and scope of data – only to such extent that is necessary for the implementation of the request’s purpose.

 

VII. Rights of the Website’s visitors and users in connection with data processing

 

You may obtain information about the processing of your personal data or you may request the rectification, erasure and the restriction of processing of your personal data or you may object to the processing of personal data free of charge. Such requests may be submitted to the Controller through the contact details described in Section II.

Controller informs every recipients (data processors) of any rectification, erasure and restriction of processing to whom it disclosed the personal data, unless, the provision of such information proves impossible or would involve a disproportionate effort. Upon your request, we provide information on such recipients.

 

The Controller shall provide information on action taken on a request subject to Paragraphs a)-f) to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

If you make the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by you.

If the controller does not take action on your request, the controller shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

 

  1. Right of access: you shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing, the categories of personal data concerned, data processors, term of processing, where the personal data are not collected from you any available information as to their source.

 

  1. Right to rectification: you shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed.

 

  1. Right to erasure (“right to be forgotten”): you shall have the right to obtain from the Controller the erasure of personal data concerning you without undue delay and the Controller shall have the obligation to erase personal data without undue delay if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw your consent and where there is no other legal ground for the processing; you object to the processing; the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject.

 

Where the Controller has made the personal data public and is obliged to erase the personal data, the Controller shall take reasonable steps to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

 

  1. Right to object: you shall have the right to object at any time to processing of your personal data based on the legitimate interest of the Controller or a third party. In this case, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

 

  1. Right to restriction of processing: you shall have the right to obtain from the Controller restriction of processing if you contest the accuracy of the personal data; the processing is unlawful; the Controller no longer needs the personal data for the purposes of the processing but you require them for the establishment, exercise or defence of legal claims; you have objected to processing. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

 

  1. Right to data portability: where the processing is based on consent and it is carried out by automated means you shall have the right to receive the personal data concerning you, which you have provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided.

 

VIII. Methods of storing the personal data and the security of processing

 

The servers of the Controller are operated by commissioned companies and they are maintained by them in case of any problem:

  1. Mongouse Computer Kft. (address: 1117 Budapest, Budafoki út 183.).
  2. Servergarden Kft. (address: 1023 Budapest, Lajos utca 28-32.)

 

The Controller uses hosting services which are operated by the following commissioned company and it is maintained in case of any problem: JLM PowerLine Kft. (address: 2111 Szada, Ipari park út 12-14.).

 

Taking into account the state of the technology, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

The Service Provider takes all necessary measures to protect the data against any unauthorized access, alteration, transfer, disclosure, erasure or destruction, accidental destruction and erasure and the inaccessibility arising from change of the applied techniques.

 

The Service Provider’s IT system and network is protected against computer assisted fraud, espionage, sabotage, vandalism, fire and flood as well as against computer viruses, hacks and denial-of-service attacks. The Service Provider ensures the security of the data with server-level and application-level security procedures.

Regardless of protocol (email, web, ftp etc.), electronic messages forwarded on the Internet are vulnerable against network threats that lead to fraudulent activity, the contesting of a contract or disclosure or modification of information. Controller makes every reasonable effort for the protection against such threats. It provides surveillance for the systems in order to record every security anomaly and have proof in the event of any security related event. The surveillance of the system enables Service Provider to check the efficiency of the applied security measures as well.

 

Controller keeps a record of any possible personal data breaches indicating all facts relating to such data breach, the effects thereof and the measures taken to address the personal data breach.

 

 IX. Lodging a complaint

 

If you consider that the processing of personal data relating to you infringes the provisions of data protection regulations, you shall have the right to go to court against the Controller and to lodge a complaint with a supervisory authority.

 

Supervisory authority: Hungarian National Authority for Data Protection and Freedom of Information

                  registered office: 1055 Budapest, Falk Miksa utca 9-11.               

postal address: 1363 Budapest, Pf. 9.

                  telephone: +36 1 391-1400

                  fax: 36 1 391-1410

                  e-mail: ugyfelszolgalat@naih.hu

                  website: https://naih.hu/