Data protection information

Data Protection Notice - RugBag online store

(Effective: 6 February 2026)

Introduction and details of the data controller

Gyulai Kinga Zsuzsanna EV (registered office: 1131 Budapest, Övezet utca 1., III.lh. 1., tax number: 91820460-1-41) - hereinafter referred to as the "Data Controller" - is committed to protecting the personal data of visitors, users and customers (collectively: Data Subjects) of its website and webshop. The purpose of this Privacy Policy is to explain in a clear and understandable way what personal data we collect and process in the course of operating RugBag's webshop, for what purposes and on what legal basis we do so, with whom we share the data, for how long we retain it, and to provide information about the rights and remedies of Data Subjects. The Data Controller will ensure that all its processing complies with the requirements of this notice and applicable law (in particular the EU General Data Protection Regulation 2016/679 (GDPR) and the Info law).

Contact details of the controller for data protection matters:

Postal address: same as the registered office (1131 Budapest, Övezet utca 1., III.lh. 1.)

E-mail: info@rugbag.hu (for enquiries about data management)

(Data Protection Officer: the Data Controller has not appointed a Data Protection Officer, given that the conditions set out in Article 37 of the GDPR are not met.)

Scope and modification of this notice

This privacy notice applies to all processing of personal data that takes place when using the website and webshop under the domain www.rugbag.hu. This includes, but is not limited to, the browsing of the website, the processing of data provided during the registration and purchase process, the subscription to newsletters, and the processing of data collected by cookies and similar technologies used on the website. Important: the Data Controller does not operate a loyalty programme and does not collect or process personal data for such purposes.

The Data Controller reserves the right to amend the information periodically, in particular in the event of changes in legislation or the introduction of new data processing activities. The current version of the notice is available on the website as a separate document (not as part of the GTC). The Data Controller will inform users of material changes by means of a notice published on the website. The changes will enter into force upon their publication.

The principles of data management in brief

RugBag complies with the principles set out in the GDPR when processing data. Your personal data will be processed lawfully, fairly and transparently, collected only for specified and legitimate purposes, and used for the purposes for which it is collected. We only request data that is necessary to achieve the purpose (data minimisation), we ensure that it is accurate and up-to-date, we only store data for the time necessary (limited storage) and we take appropriate technical and organisational measures to protect personal data from unauthorised access or misuse (integrity and confidentiality). The Data Controller is responsible for ensuring compliance with the above principles (accountability).

What data do we process, for what purposes and on what legal basis?

Below is a description of some of the data management activities carried out in relation to the RugBag online store. In each case, we indicate: the scope of the personal data processed, the purpose of the processing, the legal basis for the processing and the period for which the data are retained. The possible legal bases under Article 6 of the GDPR are: performance of a contract (Article 6(1)(b) GDPR), legal obligation (Article 6(1)(c)), consent (Article 6(1)(a)) or legitimate interest (Article 6(1)(f)) - the latter always after careful consideration of the interests involved and taking into account the rights of the Data Subject.

1. Visiting the website, technical data and cookie management

When you visit our website, we automatically collect certain technical information about you and your device in order to ensure the proper operation, security and performance of the website. In addition, the website uses cookies and similar tracking technologies, which are small data files in your browser - some of which are essential for the website to function, others are used for statistical, analytical or marketing purposes.

The data processed include: the IP address of the visitor's computer or device; the start and end times of the visit; the type of browser and operating system (device configuration data); the pages visited, clicks and other anonymous statistical data; and the cookie identifiers and preferences enabled by the user in the cookie banner or in his/her browser. (The IP address is logged by our system for security and fraud prevention purposes and used anonymously or pseudonymously for statistical analysis).

Purpose of data processing: to ensure and monitor the technical functioning of the website (e.g. correct display of content, identification of errors, guaranteeing IT security); in the case of cookies, to improve the user experience (e.g. to keep the login status, to remember the contents of the shopping cart), to analyse the number of visits and usage patterns (e.g. which product pages are popular, where our visitors come from), and, with your specific consent, to collect data for marketing and remarketing purposes (e.g. displaying customised ads on external platforms such as Facebook or TikTok).

Legal basis: legitimate interest of the Data Controller in the case of technical data processing necessary for the operation of the website (Article 6(1)(f) GDPR), as the processing of these data is essential for the provision of the service and the secure operation of the website. However, the use of cookies for analytical and marketing purposes is based on your consent (Article 6(1)(a) GDPR) - we will only place and use them if you have expressly given your consent in the cookie information bar.

Data retention period: IP addresses and log data are kept in the security log files on our server for up to 90 days, after which they are deleted or anonymised. The lifetime of cookies varies: session cookies last until the browser is closed, while other cookies (e.g. statistical or marketing cookies) may remain in the browser for a few months to a few years - the exact duration and type of cookie is set out in the separate Cookie Notice. You have the option to refuse or subsequently revoke acceptance of cookies you do not need, or to delete cookies in your browser (see also the Cookie Notice for details).


2. Register in the online store (create a customer account)

In our webshop, we provide the possibility to register a user account, which can facilitate the purchase process and the tracking of your orders. Registration is voluntary, you can use the services of the webshop without registering (as a guest), but as a registered user you will be able to make future purchases faster and have access to your order history.

Data processed: data provided in the registration form: first name, last name, e-mail address, password (stored in encrypted form); optionally: telephone number, billing address (country, postal code, municipality, street, house number), delivery address (if different from billing address). The system also stores the date of account creation and the date of last login.

Purpose of data processing: to identify and manage registered users in a unified way; to create an account where users can manage their data and view their orders; to simplify the purchase process (e.g. not having to re-enter data for each order); to enable contact via the contact details provided if necessary.

Legal basis: the legal basis for the processing of the data provided during registration is to take action on the user's request and to perform the contract (Article 6(1)(b) GDPR) - as the creation of the account is related to the use of the services of the online store. (If you choose not to register, your personal data will only be processed in connection with the specific purchase, see next point.)

Data retention period: the data of the registered account will be kept for the duration of the account. You can request to delete your account at any time, in which case the personal data associated with the account will be deleted from our system (except for those that we are legally obliged to keep because of previous orders, e.g. billing data - see below). In case of inactivity - if the user does not log in to his account for a long period of time (e.g. 5 years) - the Data Controller may send a notification to update the data, and if the account is still inactive, the data may be deleted or anonymised in the future. Of course, if the account is deleted, the user can re-register at any time later, but the deleted data cannot be subsequently restored.


3. Placing and fulfilling the order

When processing and fulfilling orders placed in the online shop, a number of personal data are processed in order to process the purchase transaction, deliver the product and contact the customer. These data are provided by you during the order process or are generated during fulfilment.

Data processed: surname, first name; e-mail address; telephone number; billing address (country, postal code, municipality, street, house number, possibly company name and tax number if the customer is a company); delivery address (if different, the same data); name, quantity, purchase price of the product(s) ordered; order ID, date and time; delivery and payment method chosen; comments related to the order (if provided by the customer); information on the status and progress of the order. In addition, contact details in relation to the order: e.g. the e-mail address and telephone number provided for the purpose of order confirmation, notifications (tracking delivery, resolving any problems).

Purpose of data processing: fulfilment of the sales contract, i.e. processing of the order, delivery of the ordered products to the customer; notifying the customer of the status of the order (confirmation, delivery notification, etc.); if necessary, contacting the customer in connection with the order (e.g. reconciliation of missing information, delivery date); issuing invoices and accounting for the purchase; processing customer payments (see separately the handling of payment data); and handling customer claims (e.g. cancellation, warranty, complaints). All of these processing operations are carried out to ensure that we can fulfil our obligations under the contract with the customer and that the customer receives the goods ordered.

Legal basis: primarily for the performance of the contract (Article 6(1)(b) GDPR) - the processing of this data is necessary for the performance of the contract of sale concluded between you and RugBag by placing the order. In addition, there may be other legal bases for certain sub-tasks: for example, the processing of invoicing data is necessary for the fulfilment of a legal obligation (Article 6(1)(c) GDPR), as we are required to keep invoices under accounting and tax legislation. If a subsequent claim or dispute arises in connection with the order, the retention of the related data may also be based on the legitimate interest of the Data Controller (Article 6(1)(f) GDPR) - e.g. for the purposes of proving contractual performance, warranty management.

Data retention period: personal data relating to orders will be retained for as long as necessary to fulfil the purposes set out above. Specifically: order data and related communications are generally kept for 5 years from the completion of the contract, which is the same as the limitation period for civil claims in Hungary - this ensures that the data is available in case of any future disputes or claims. Invoices and billing data are required by the Accounting Act to be kept for 8 years from the end of the year in which they are issued. In the event of a dispute or legal proceedings, we will retain the necessary data until the proceedings are concluded. After these periods, the personal data will be securely deleted or anonymised. (Note: If you are also a registered user, the order data may be visible in your account until the deletion period. Even in the event of account deletion, we will retain data in our separate systems for the necessary period of time that we need to retain for legal reasons - e.g. invoices - but we will no longer associate them with the account.)


4. Payment by credit card (Stripe payment service)

Online credit card payments in our webshop are provided by the payment service provider Stripe. When you pay for your order by credit card, sensitive card information (e.g. card number, expiry date, CVC code) is collected directly into Stripe's secure system during the payment process - it is not processed or seen by RugBag. Stripe transmits information to us about the success or failure of the payment so that we can complete the order.

Scope of data processed: the personal data we process in connection with a payment are primarily the identifiers and status of the transaction (successful or unsuccessful payment, transaction ID, date, amount paid), the name of the customer (cardholder name) and the order ID to which the payment is linked. The credit card details (number, expiry date, security code) are collected directly by Stripe's system via the payment form - no such data is logged by RugBag's server. Stripe only transmits transaction data back to us in tokenised or anonymised form. We also receive the billing name and address used to verify the credit card at the time of payment (if requested by the system), as this is also included on the invoice.

Purpose of processing: to carry out the purchase transaction, to process the payment by credit card, to prevent fraud and to collect the customer's payment securely. For card data processed by Stripe, the purpose is to authorise and process the payment. For transactional data processed by RugBag, the purpose is to record whether the order has been paid for and the status of the payment, so that we can fulfil the order accordingly or contact the customer if necessary in the event of a payment problem.

Legal basis: the processing of data during payment by credit card is also linked to the performance of the contract (Article 6(1)(b) GDPR) - as the payment of the purchase price is part of the purchase contract. Stripe, as an external service provider, also processes payment data under its own compliance obligations (e.g. PCI-DSS security standards, financial legislation), but this is part of the performance of the contract between RugBag and the buyer. Where there is a fraud prevention or legal compliance (e.g. prevention of money laundering) task in relation to the payment, the legal basis for such processing may also be a legal obligation (Article 6(1)(c) GDPR) on the part of Stripe. The storage of payment-related data (e.g. transaction identifiers) by RugBag may also be linked to the performance of the contract and possible subsequent evidentiary interests (legitimate interest).

Data retention period: transaction data (e.g. payment ID, date, amount, status) are kept as part of the accounting records and linked to the order for 8 years (due to the legal obligation to keep accounting vouchers, as the vouchers are part of the accounting records). The actual details of the card data handled by Stripe are stored by Stripe in accordance with its privacy policy (typically in token form for future reimbursement or customer identification), but we do not access or store this specific card data. If the customer requests that the transaction be cancelled or investigated (e.g. chargeback), we will proceed accordingly in cooperation with the payment service provider.


5. Delivery and logistics

The Data Controller uses the assistance of external logistics partners to deliver the ordered products. The physical fulfilment (storage, packaging, delivery to courier) is currently carried out by GLS and MPL on behalf of RugBag. To this end, customers' delivery details are transferred to these partners, who use them exclusively for the purpose of delivering the parcels.

Data processed: data required for delivery: name of the recipient, delivery address (postcode, town, street, house number, building/floor/doorway if available), recipient's telephone number (for courier service notification or coordination), recipient's e-mail address (for sending package tracking information and notifications), package ID and order number, brief description of the contents of the package (e.g. Courier services often record proof of receipt (e.g. signature or photo of delivery) at the time of delivery and generate tracking information (package status, time of receipt) that RugBag can access to track delivery.

Purpose of data processing: delivery of the ordered products to the customer, the necessary logistical tasks. Bridge Log Ltd. ensures that the right product is packed and handed over to the courier, while the courier service (GLS or MPL) delivers the parcel to the specified address. The purpose of the transfer of data is therefore to carry out the delivery as part of the performance of the contract. In addition, the purpose of the telephone number/e-mail is to allow the courier to inform the recipient of the expected delivery time or to contact the recipient in case of problems (e.g. cannot find the address). We update the status of the order based on feedback from the delivery partner (e.g. successful delivery).

Legal basis: the legal basis for the processing of data relating to the delivery is the performance of the contract (Article 6(1)(b) GDPR), as the delivery of the product is an essential element of the purchase contract. The fact that these tasks are carried out by data processing partners does not change the legal basis - the partners act on behalf of and under the instructions of the Data Controller. Courier services may also process certain data in their own records during delivery (e.g. legal proof of delivery), but they do so also on the basis of their contract with us and the legislation applicable to postal/ courier services (which may also be partly a legal obligation for them, e.g. to keep records of the delivered shipments for a certain period of time). Such transfers are therefore necessary and lawful for the performance of the contract with the customer.

Data retention period: personal data (name, address, contact) provided to delivery partners are kept by courier services in their tracking systems according to their own data management policies, usually until delivery has taken place and for a certain period (a few months) afterwards. In RugBag's systems, delivery data is kept as part of the order for the same period as the order itself (see above: 5 years in general, 8 years for billing data). Information received from the courier service (e.g. proof of delivery) may also be kept as proof of contract performance for the same period of time. The data transferred to the logistics partner (Bridge Log Ltd.) will be deleted or returned to us immediately upon termination of the contractual relationship or after the order has been fulfilled, and your data will no longer be stored for our own purposes.


6. Contacting, customer service

If you contact us with any questions or requests (whether through the contact form on this website, by email or by telephone), we will also process your personal data in order to process your communication.

The data processed: your name, e-mail address, possibly telephone number (depending on the channel through which you contact us and the information you provide); the subject and content of the request; the communication (correspondence, record of messages); and any additional personal data you provide in the message (e.g. order number if you ask for it, or other personal information you provide to answer the question).

Purpose of processing: to handle your contact, to answer your questions, to fulfil your request; to provide customer support (e.g. product information, order assistance, complaint handling). This also includes possible warranty or cancellation claims, where your order details and contact information may be required.

Legal basis: where the contact is related to an existing contractual relationship (e.g. you are making an enquiry about an existing order or you are submitting a warranty claim), the legal basis for processing is the performance of the contract or the preparation thereof (Article 6(1)(b) GDPR). In other cases, e.g. general enquiries, processing is based on the legitimate interest of the Controller (Article 6(1)(b) GDPR). (In the balancing of interests, we consider that this processing is carried out at your initiative, in accordance with your interests and limited to the minimum necessary data, and is therefore proportionate and does not violate your rights.)

Data retention period: data generated during customer service communications (correspondence, notes) will be retained for 1 year from the closure of the question or complaint, in case the matter arises again or a related question arises. In the case of a complaint, consumer protection rules require us to keep complaints and responses for 5 years. If the contact has led to the conclusion of a contract (e.g. an individual order) or to the modification of an existing contract, its data will be stored as part of the contract for the relevant contractual data retention period. At the end of this period, any communication containing personal data will be deleted.

7. Newsletter subscription and direct marketing (MailerLite)

If you subscribe to RugBag's newsletter (e.g. via the subscription form on the website or by indicating during the ordering process that you wish to receive the newsletter), we process the subscribers' personal data for marketing (direct marketing) purposes. We use our newsletters to inform you about our latest news, promotions and product information. We use an external service provider, MailerLite, to send the newsletter.

Data processed: name (surname, first name - for personal contact), e-mail address. The sending system may technically record the date and IP address of the subscription (to verify consent), as well as statistical data on the opening of the emails and clicks (e.g. which newsletter was opened, which link was clicked) in order to see how relevant the content sent is. However, these statistics are not analysed at an individual level, only in aggregate to measure the success of campaigns.

Purpose of processing: marketing communication, providing business information to interested parties; specifically, sending newsletters, e-mail advertising messages about the Data Controller's products, services and promotions. The data provided when subscribing to the newsletter will be used exclusively for this purpose. The purpose is also to keep subscribers informed of information useful to them, thereby strengthening the relationship between the Data Controller and its customers and building trust.

Legal basis: your voluntary consent (Article 6(1)(a) GDPR) to receive newsletters. By subscribing, you expressly consent to us sending marketing messages to the email address you provide. You can withdraw this consent at any time: at the bottom of each newsletter, you will find an unsubscribe link, which you can click on to remove yourself from the list. You can also request to unsubscribe by contacting the Data Controller (e.g. by e-mail), in which case we will promptly remove your details from the newsletter mailing list. Withdrawing your consent will not affect the lawfulness of previous mailings, but we will no longer send you newsletters.

Data retention period: we will keep the data of newsletter subscribers until the consent is withdrawn, i.e. until you unsubscribe. In case of unsubscription or termination of the newsletter service, your data will be removed from our marketing list. It is important to note that after unsubscribing, the MailerLite system technically keeps your email address on a so-called „block list” to ensure that we do not accidentally send you another email (this avoids a previous subscriber being inadvertently added back to the list). We may analyse statistical data (opens, clicks) in aggregate, without identifying you personally, over time, but this will not be used for profiling at an individual level.

(Note: Only those who have given their prior consent will receive a newsletter. If you have provided your email address during the purchase process, it will not be used for marketing by default, unless you have clearly indicated your intention to subscribe. Sending e-mails for commercial purposes is also regulated by the Grt.)

8. Remarketing and online advertising (Meta, TikTok)

Our webshop works with social media and advertising platforms such as Meta (Facebook, Instagram) and TikTok to ensure an effective online presence and targeted advertising (remarketing). This may include tracking codes (pixels) on the website that collect information when you visit certain pages or perform certain actions (e.g. view a product, add a product to your shopping cart, make a purchase). This information is transmitted to the platforms so that they can later display personalised ads to you on their interfaces, for example, reminding you of products you have viewed or offering similar offers.

Data processed: technical and behavioural data about your visits to our website, collected by remarketing pixels: this may include your cookie ID or other online identifier (e.g. Facebook Pixel ID), in some cases a hashed (encrypted) version of your email address (for example, if you are a logged in user or subscriber and we share this with the platform for targeted advertising - but we currently operate primarily on a cookie basis), the URL of the page you visited, the product you viewed, and possibly the value of your purchase (if you made a purchase). This data alone does not identify you by name, but the advertising platform may link this data in its own system to your profile there (e.g. your Facebook account if you are logged in) and so decide which ad to show you.

Purpose of data processing: remarketing, i.e. providing ads that are based on your previous interest and therefore more relevant. The aim is that if you have already visited our website or expressed an interest in certain products, you may later see RugBag ads on Facebook/Instagram or TikTok, reminding you of an incomplete purchase or showing you new offers. This helps the Data Controller to reach potential customers more effectively and to display more relevant content for the Data Subject, rather than generic advertising. In addition, statistical analysis of remarketing data allows us to see the effectiveness of our advertising (e.g. how many people return to the website after a campaign).

Legal basis: the legal basis for remarketing data collection is your consent (Article 6(1)(a) GDPR). When you access the website, you must specifically allow cookies and tracking for marketing purposes in the cookie banner in order for Meta Pixel or TikTok Pixel to collect data about you. If you do not give your consent, these pixels are not active and no remarketing data is collected. (Note: For Meta and TikTok, some basic data may be transferred to a minimal extent in the absence of consent when communicating with the platform - e.g. a request may need to be technically handled - but we do not allow marketing use without your consent.) You may withdraw your consent at any time by changing your cookie settings or by changing your browser cookie settings (e.g. deleting marketing cookies). Meta and TikTok systems are also independent data controllers of the data they receive under their own terms of use and privacy policies - e.g. Facebook uses the information it receives for its own advertising algorithms. Thus, in some respects, RugBag and the platforms may also be joint controllers under the GDPR for the purposes of their joint data collection. However, we will ensure that such data transfers only take place with your consent.

Data retention period: the data collected by remarketing cookies and pixels are not directly stored by our system, but are transmitted to Meta and TikTok servers in real time. A remarketing cookie placed on your browser (e.g. Facebook/Meta cookie) is usually valid for 180 days, similarly TikTok for a few months, after which it will automatically expire unless you delete it first. In remarketing lists, your identifier is typically active on platforms for a few months (or so, depending on the platform's settings), after which it is removed from the target audience unless it is collected again on a subsequent visit. If consent is withdrawn (e.g. by deleting or disabling a cookie), no new data is collected and the previous data is processed/deleted by the platforms according to their own policies. It is important to note that Meta and TikTok handle your profile data at their own discretion - you can also set your own advertising preferences on these platforms (e.g. you can block certain interest-based ads in your Facebook account). We recommend that you also review the privacy policies of these providers for details.


9. Web analytics and usage statistics (Google Analytics, Hotjar)

We use analytical tools to provide a better service and to continuously improve our online store. We currently use Google Analytics 4 (GA4) and Hotjar to help us understand user behaviour on the site (e.g. how many visitors arrive, what they view, how long they spend on the site, what causes them to have difficulty using it). We also collect personal data when using these tools, but we try to do this in as anonymous or pseudonymous a form as possible.

Scope of data processed: Google Analytics collects data on visitor actions, such as: number of page views, time spent on page, where the visitor came from (referring page), what device and browser they are using, language, geographical region (roughly, e.g. And Hotjar does heatmap analysis and user interaction tracking: it can record where the cursor moves, where the user clicks, how long they scroll the page. Hotjar may also occasionally display a questionnaire or pop-up feedback, which, when filled in, may also include your responses as personal data. Both services use cookies to identify the visitor (with a pseudonymous ID).

Purpose of data processing: to measure and improve the performance of the website, to optimise the user experience. Google Analytics provides aggregated statistics about how visitors use the website - for example, which products are most popular, which pages they spend a lot of time on, or where they drop out of the ordering process. Hotjar gives us a deeper insight into the usability of the site - for example, we can see if users miss an important button or if many abandon a form while filling it out. This information is used solely to make the site more user-friendly and efficient, and to correct any errors. Neither GA4 nor Hotjar data is used to identify or profile individuals for marketing purposes; this is for statistical and development purposes.

Legal basis: the use of analytical cookies and tools is based on consent (Article 6(1)(a) GDPR). You must specifically enable statistical/analytical cookies in your cookie banner settings to allow GA4 or Hotjar to collect data about your visit. If you do not consent, we will not enable Google Analytics and Hotjar tracking on your browser. (We try to adapt Google Analytics settings to GDPR requirements: IP anonymisation, data retention timeout setting, and no personally identifiable events.) You can choose to opt out of these at any time: you can withdraw your consent by changing your cookie settings or, in the case of Hotjar, you can even opt out via Hotjar's own website (there is a „Do Not Track” switch on Hotjar's website).

Data retention period: the retention period set in Google Analytics is currently 14 months for event data (after this period, individual visitor-level data is deleted from Google's systems). We have access to trends in the form of aggregated reports (statistics without personal identifiers) for an unlimited period of time. Hotjar recordings and analyses are typically deleted within a few weeks or months or automatically expire in the system (Hotjar retains collected data for 1 year by default, but we usually delete it sooner after extracting the necessary information). Survey feedback, if collected, is stored until it is processed, after which we aggregate the learnings in an anonymised form. Of course, if you withdraw your consent in the meantime, no further data collection will take place and the data already collected will be kept as anonymised statistics.


10. Other data processing

In addition to the processing described in the above points, RugBag only processes personal data in exceptional cases, for example: when organising a prize draw (we will publish a separate information notice on this, if applicable), to comply with a legal obligation (e.g. to provide data in response to a request from a public authority, which may be based on Article 6(1)(c) GDPR), or for internal administration purposes (e.g. to register contracts with business partners, which typically does not affect the customers of the webshop).

Automated decision-making/profiling: the Data Controller does not make decisions based solely on automated processing that would have legal effects on the Data Subject or similarly significantly affect them. Profiling is only done in the context of the marketing analytics described above, but it does not result in an automated decision that would significantly affect your rights. For example, we do not use a system that would automatically reject an order or credit application. Remarketing profiling (interest-based advertising) is based on your consent and can be stopped by you at any time.

Special categories of data: RugBag does not collect special categories of personal data about customers (such as health data, political opinions, religious beliefs, biometric or genetic data, etc.). Please do not provide any such data when using the online shop.

Children's privacy: our webshop services are not intended for children (under 16) and we do not knowingly collect information from anyone under the age of 16.

Transfer of personal data, use of data processors

In the course of its activities, the Data Controller uses third-party service providers to perform certain tasks, who may receive and process the personal data we process in accordance with our instructions. These processors and other data recipients may include:

Web hosting and platform provider: as our online shop is powered by Shopify, customer data is primarily stored in the cloud infrastructure hosted by Shopify. Shopify provides the technical support for the web store on our behalf, including database storage and software operation of the system. Shopify processes the data only to the extent necessary to operate the platform and does not use it for its own purposes. (Shopify's detailed privacy policy is available on their website; for EU customers, Shopify complies with European data protection legislation and acts as a data processor through its European subsidiary.)

Payment service provider: Stripe, which processes online payments. Stripe processes the credit card data directly and we receive feedback on the status of the transaction. Stripe processes the data in accordance with its own privacy policy, in compliance with EU-wide security standards (e.g. PCI DSS).

Invoicing system: we use the system of Számlázz.hu (operator: KBOSS.hu Kft.) to issue our invoices. The order data (name, address, e-mail, purchase items, amount) are entered into the online invoicing interface of Számlázz.hu, where we issue your invoice electronically. In accordance with the GDPR, Számlázz.hu is our data processor: it processes the data solely on our instructions and for the purpose of invoicing, and does not use the data for its own purposes.

Courier services: GLS and MPL (Magyar Posta Logisztika) are the courier services that deliver the goods, and the delivery address and contact details are sent to them. The courier companies are also independent data controllers of the data transferred, as they have legal obligations related to the delivery of the parcel (e.g. tracking). However, our contracts with them ensure that your data is not used for any other purpose and is not kept beyond a certain period after delivery.

Mailing Service Provider: the MailerLite platform (UAB „MailerLite”) through which we send our newsletters. The name and email address on the newsletter list are stored by the system, as well as the delivery statistics of the mailings. MailerLite operates as a European data processor and is contractually bound to process data in compliance with the GDPR. Their data security measures ensure that email lists are protected.

Social media and advertising partners: Meta Platforms (Facebook, Instagram) and TikTok. These companies may receive data about visitors who have consented, through remarketing codes embedded in our website. It is important to note that Meta and TikTok may also use the data they collect for their own purposes (e.g. to optimise ads in their own systems), so in some cases they are considered independent data controllers. However, the Data Controller has contractually (e.g. Facebook Business Terms) stipulated that the personal data received may only be used by partners on our behalf and for our campaigns. (In practice, this means that, for example, Facebook Pixel data is used by Facebook for the ad audiences we create and Facebook does not pass on the specific list to another client. However, Facebook will of course display ads in combination with its own user data.)

Analytics service providers are Google Analytics (operated by Google Ireland Ltd.) and Hotjar Ltd. They are our data processors in the sense that they carry out technical data collection on our behalf on the website for the statistical purposes explained above. Google and Hotjar guarantee compliance with the requirements of the GDPR in a contract (Data Processing Terms and Conditions). However, Google may in certain cases use the data they collect for their own purposes - for example, when combined with other Google services - but we do not share any personally identifiable information using GA4.

In addition to the above, third parties may only have access to your data if authorised by law. This could be, for example, a lawful request by a public authority (police, court, tax authority, etc.). In this case the legal basis is Article 6(1)(c) GDPR (performance of a legal obligation). The Data Controller will not sell or rent any personal data to third parties for marketing purposes.

Transfer to a third country or international organisation

As a matter of principle, the Data Controller aims to process data within the European Economic Area (EEA). However, some of our service partners are not located in the EEA or use global infrastructure, so data may be transferred to a third country (outside the EU). In such cases, we will apply all necessary safeguards to protect personal data in accordance with Chapter V of the GDPR.

Specifically: Shopify is headquartered in Canada. Canada has an adequacy decision from the European Commission, so transfers to Canada for organisations that are subject to the Canadian Privacy Act (PIPEDA) (like Shopify) are recognised as having an adequate level of protection. For Stripe, Meta, TikTok, Google and Hotjar, data processing may occur in the United States or other non-EEA countries. These partners have entered into EU-approved Standard Contractual Clauses (SCCs) or have additional technical and organisational measures in place to ensure that European users' data is adequately protected even when it is physically processed on servers outside the EU. For example, both Google and Meta provide their services through their EU (Ireland) registered subsidiaries and agree to comply with the SCCs, and Hotjar is fully EU (Malta) based but with global reach.

If you would like more information about the specific countries to which data is transferred and the guarantees that apply, please contact us using the contact details above. We will provide copies or the substance of the applicable data transfer guarantees (e.g. standard contractual clauses) upon request.

RugBag does not transfer personal data to international organisations (e.g. UN, NATO, etc.).

Data security

The Data Controller pays particular attention to the security of the personal data we process. To this end, we use appropriate technical and organisational measures to protect the data against unauthorised access, alteration, disclosure, deletion or damage.

Technical measures: the ecommerce platform (Shopify) uses state-of-the-art encryption protocols. The website uses SSL/TLS encryption (HTTPS), so the traffic between you and our servers is encrypted. User passwords are stored in the system using a one-way hashing algorithm rather than reversible encryption, so the stored values cannot be decrypted back into the passwords. Our systems are protected by firewalls and intrusion detection mechanisms. We perform regular security updates on the software we use. The security of payment transactions is guaranteed by Stripe, which is PCI DSS Level 1 certified (the highest possible level of bank card security).

Organizational measures: within RugBag, personal data may only be accessed by those employees or agents who need to know the data in order to perform their tasks (e.g. customer service can see the order details, warehouse staff can see the delivery address). Our staff are bound by appropriate confidentiality and data management obligations. We contractually agree with our data processing partners the level of data security expected. We regularly review our data management processes and potential risks, updating our security measures where necessary.

Despite these measures, it is important for you to know that the security of data transmission over the Internet cannot be guaranteed 100%, but we will do our best to ensure that your data is protected to the highest level we can. Should any data security incident occur that affects your data and puts it at high risk, we will notify you and the supervisory authority (NAIH) in accordance with the law and take the necessary steps to mitigate the damage.

Rights of Data Subjects

Under the applicable data protection legislation, you - as Data Subject - have the following rights in relation to the processing of your personal data. It is important for us that you are aware of these rights and that you can exercise them. You can exercise your rights at any time by contacting us at the Data Controller's contact details; we will comply with your requests without undue delay and at the latest within 1 month (exceptionally, as provided by law, this may be extended by a further 2 months, but you will be notified accordingly). You can exercise these rights free of charge, unless you make clearly unfounded or excessive (e.g. repetitive) requests, in which case we may charge you administrative charges or refuse to comply - but we have never done so.

Right of access: you have the right to receive feedback from us on whether we are processing your personal data and, if so, to be informed, among other things, about what data we process, for what purposes, to whom we transfer it, for how long we store it, where we obtained it and what your rights are. Upon request, we will also provide you with a copy of the personal data we process (the first copy will be free of charge, additional copies may be subject to an administrative charge).

Right to rectification: You may request that we correct or complete inaccurate or incomplete personal data. For example, if your email address changes or you misspell your name, let us know and we will amend it in our records. (As a registered user, you can amend certain information in your account, but we will be happy to help if you let us know.)

Right to erasure: In certain circumstances, you may request that we erase the personal data we hold about you („right to be forgotten”), such as where the data is no longer necessary for the purposes for which it was collected; where you withdraw your consent and we have no other legal basis; where you object to processing based on legitimate interests and we have no overriding reason to continue; where we have unlawfully processed the data; or where we are required by law to erase it. Please note that a request for erasure may not always be complied with immediately: if we are required by law to retain certain data (e.g. invoices) or if we need certain data to bring, enforce or defend legal claims, we will not erase them but will inform you of this. All other data will of course be deleted on request.

Right to restriction: You can ask us to restrict processing in certain cases. In practice, this means that we will only store the data in question, but no other operations will be carried out on it temporarily. Such a right may be exercised if you contest the accuracy of the data (for the time it takes us to check and correct it); if the processing is unlawful but you are not requesting erasure, only restriction; if we no longer need the data but you request it for legal claims; or if you have objected to the processing and a legitimate interest is being assessed. You will be informed in advance of the lifting of the restriction.

Right to data portability: you have the right to receive the data that you have provided to us and that we process by automated means on the basis of your consent or on the basis of a contract with us in a structured, commonly used, machine-readable format, and to request the transfer of this data to another controller. In practice, this means, for example, that we can export (e.g. in a CSV file) your registration and order data at your request, which you can then pass on to another service provider. (Data portability does not apply to data that does not meet the above conditions - e.g. our comments or derived analytics.)

Right to object: you have the right to object at any time to the processing of your personal data based on legitimate interest (Article 6(1)(f) GDPR). In this case, we will consider on a case-by-case basis whether the legitimate interest we have declared overrides your rights and freedoms, and if not, we will stop the processing in question. In particular, it is important to underline that if we process your personal data for direct marketing purposes, you may object at any time and without giving any reason, and we will no longer process your data for that purpose. In other words, if, for example, you have previously given your consent to receive our newsletter but change your mind, or if for some reason you still receive a marketing message from us in the absence of consent, you may object and we will immediately stop sending such messages.

Right to withdraw your consent: where the legal basis for processing is your consent (e.g. sending newsletters, using marketing cookies), you can withdraw your consent at any time, for example by using the opt-out method provided for the processing concerned (e.g. marketing communications, cookies). Importantly, the withdrawal applies only to the future, so it does not affect the lawfulness of the processing up to that point, but once we receive the withdrawal, we will cease the processing concerned. In the event of withdrawal of consent, we may not be able to continue to provide certain services (e.g. if you do not allow the necessary cookies, certain features of the webshop may not function properly).

To exercise your rights, please contact us using the contact details provided at the beginning of this notice (preferably in writing, so that your request can be clearly documented). Before responding to your request, we may ask you for additional information (e.g. clarification or proof of identity), if necessary, to ensure that only authorised persons have access to your data.

Remedies available

We are confident that we can resolve any questions or concerns you may have about data management. However, if you feel that your rights or the applicable data protection standards have been violated in the processing of your data by RugBag, you have the right to lodge a complaint with the supervisory authority or to take legal action.

Complaint to the supervisory authority: The National Authority for Data Protection and Freedom of Information (NAIH) is the independent data protection supervisory authority in Hungary. Address: 1055 Budapest, Falk Miksa utca 9-11.; postal address: 1363 Budapest, Pf. 9.; telephone: +36 (1) 391-1400; e-mail: [email protected]; website: naih.hu. You have the right to lodge a complaint directly with the NAIH if you consider that the processing of your personal data has caused a breach of your rights or poses an imminent threat of one. The official procedure is free of charge and you can also make an anonymous complaint, although in the latter case the investigation may be limited.

Legal redress: if you believe that your rights have been infringed in relation to the processing of your personal data, you may also bring legal action against the Controller - or, where applicable, the processor or joint controller. You may also bring the action before the Court of the place where you are domiciled or habitually resident (at your choice, or the court in the place where the Controller is established). The Court will decide such a case by default. You may also claim damages or compensation in civil court proceedings if you have suffered damage or non-pecuniary loss as a result of the unlawfulness of the processing.

Of course, we will endeavour to avoid such disputes. We encourage you to contact us first and we will do our best to resolve the complaint amicably.

Annex: List of data processors and service providers

The following is a summary of the main data processing partners and external service providers used by RugBag, with an indication of their activities:

Shopify International Ltd. (based at 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, Ireland) - Web store platform provider. Shopify provides the engine and hosting for the website and stores the data on its servers on our behalf.

Stripe Payments Europe Ltd. (based at One Wilton Park, Wilton Place, Dublin 2, Ireland) - Online payment service provider. Stripe processes credit card transactions and handles payment data securely.

KBOSS.hu Kft. (Számlázz.hu) (headquarters: 1031 Budapest, Záhony u. 7/D, Hungary) - Invoicing system operator. Provides an online invoicing program through which invoices are issued.

Bridge Log Kft. (head office: 1112 Budapest, Repülőtéri út 2/B, Hungary) - Logistics fulfilment partner. Warehouse logistics service: handles the packaging and delivery of products to the courier.

GLS Hungary Kft. (headquarters: 2351 Alsónémedi, GLS Európa u. 2., Hungary) - Courier service. It delivers ordered parcels in Hungary and internationally.

Magyar Posta Zrt. (MPL Courier Service) (headquarters: 1138 Budapest, Dunavirág utca 2-6., Hungary) - Courier Service. MPL is the parcel delivery division of Magyar Posta, involved in the delivery of orders.

MailerLite (UAB “MailerLite”) (headquarters: J. Basanavičiaus g. 15, LT-03108 Vilnius, Lithuania) - Newsletter sending platform. It stores the e-mail address and name of subscribers and sends out newsletters via this platform.

Meta Platforms Ireland Ltd. (based at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) - Social media advertising partner (Facebook, Instagram). The Meta Pixel is operated by Meta to receive remarketing data used to target our Facebook/Instagram ads.

TikTok Technology Ltd. (based at 10 Earlsfort Terrace, Dublin, D02 T380, Ireland) - Social media advertising partner. Processes remarketing data through TikTok Pixel to target TikTok ads.

Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) - Web Analytics (Google Analytics) and other Google services. As part of GA4, it processes statistical data about the use of the website.

Hotjar Ltd. (based at Level 5, Dragonara Business Centre, Dragonara Road, St Julian's STJ 3141, Malta) - Analytical tool (Hotjar). A service for analysing user behaviour, which processes session data on our behalf.

(Note: the companies in the above list are acting under the instructions of the Controller and/or as independent data controllers. We have endeavoured to enter into a contract or agree terms of service with each of them that ensure compliance with the requirements of the GDPR. If you would like more information about them, such as their privacy policies, we encourage you to visit their websites or contact us.)

Final provisions

In matters not covered by this Privacy Notice, the provisions of the GDPR, the Info Act and other applicable Hungarian legislation shall apply. If any part of the Privacy Notice needs to be interpreted, we will be happy to provide you with an explanation - our aim is to make our data management practices transparent and understandable to you.

RugBag reserves the right to amend this notice in the future in accordance with changes in legislation or changes in data management practices. Please review this notice from time to time or check the Effective Date at the beginning of the document.

Thank you for reading our Privacy Notice! We trust that you will find your data safe and secure in our online shop. If you have any further questions or requests regarding data protection, please feel free to contact us using the contact details provided.

Date of entry into force: 6 February 2026.
