Privacy Policy

Regarding the data processing carried out in connection with the operation of the https://unitleads.com/ website and services, operated by Dávid Török sole proprietor

Introduction

This Privacy Policy is provided in accordance with the European Union Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR). It aims to provide transparency on how Dávid Török sole proprietor (hereinafter referred to as “Data Controller”) operating the https://unitleads.com/ website, processes personal data during the performance of tasks described below. It outlines the rules applied during data processing and the measures taken to protect the data used. It also informs data subjects about their rights regarding the protection of their personal data.

The Data Controller provides this information in accordance with Article 13 of the GDPR.

Data Controller Identification

  • Name: Dávid Török sole proprietor
  • Registration Number: 52598177
  • Address: 3036 Gyöngyöstarján, Kossuth Lajos utca 59., Hungary
  • Tax Number: 69031063-2-30
  • Email: info@unitleads.com

Hosting Provider: Tárhely.Eu Kft.
Contact: support@tarhely.eu ; +36(1) 789 2 789
Privacy Policy: https://tarhely.eu/dokumentumok/adatvedelmi_szabalyzat.pdf

Principles of Personal Data Processing

The Data Controller operates in accordance with the following principles:

  • Purpose limitation: Personal data is collected and used only for specific, explicit, and legitimate purposes.
  • Data minimization: The personal data processed is adequate, relevant, and limited to what is necessary.
  • Accuracy: Personal data is kept accurate and up to date. Inaccurate data is rectified or deleted without delay.

The personal data we process is primarily collected directly from the data subjects. The Data Controller is committed to fulfilling all responsibilities associated with the protection of personal data and complying with relevant regulations, including demonstrating such compliance to authorities, business partners, or affected individuals (principle of accountability).

Main Legal Framework for Our Data Processing Activities

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR)
  • Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Hungary)
  • Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities
  • Act I of 2012 on the Labor Code
  • Act CL of 2017 on the Rules of Taxation
  • Act C of 2000 on Accounting

Definitions

  • GDPR: General Data Protection Regulation (EU 2016/679)
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Special Categories of Personal Data: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person’s sex life or sexual orientation.
  • Processing: Any operation or set of operations performed on personal data, whether by automated means or not, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction.
  • Data Controller: A person or entity that determines the purposes and means of personal data processing.
  • Data Processor: A person or entity that processes personal data on behalf of the data controller.
  • Data Subject: A natural person who can be identified, directly or indirectly, based on the data.
  • Data Transfer: Making personal data accessible to a specific third party. Transfers to EEA countries or EU institutions are considered equivalent to transfers within Hungary.
  • Erasure: Making data unrecognizable or removing it in a way that it cannot be restored.
  • Data Breach: A security breach resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data.
  • EEA Country: An EU Member State or a state party to the Agreement on the European Economic Area.
  • Third Country: Any country that is not an EEA member state.
  • NAIH: Hungarian National Authority for Data Protection and Freedom of Information (supervisory authority under the GDPR in Hungary).
  • Cookie: A small data file stored on a user’s device by the website, used for various purposes such as operation, statistics, preferences, marketing.
  • Profiling: Automated processing of personal data to evaluate or predict personal aspects related to a natural person.
  • Pseudonymization: Processing personal data in such a way that it can no longer be attributed to a specific data subject without additional information.

Data Processing Procedure

During the course of our operations, we handle business partner, client, and user data in accordance with this Privacy Policy, the GDPR, and applicable Hungarian laws.

We may store, organize, and use the personal data we receive for the performance of our duties, strictly within the limits of the law.

We terminate data processing immediately when its purpose has been fulfilled or no longer exists, or upon the request of the data subject, subject to assessment.

 

6. Details of Data Processing Related to Our Activities, by Purpose

6.1 Contact via Website or Email

Data Subjects: Users contacting us with the intention of initiating communication.
Purpose of Processing: Communication and providing information.

Data Type

Legal Basis

Retention Period

Name

GDPR Article 6 (1)(a); your consent

Until withdrawal of consent, but no longer than 5 years

Email address

Phone number

Processing Procedure:
If you provide us with your contact details via email, website contact form, or phone call, we will use this data to maintain communication and to deliver our services.
Providing the above data is not mandatory; however, without it, we cannot stay in contact with you.
You may withdraw your consent at any time without justification. This does not affect the lawfulness of data processing based on consent before its withdrawal. You may withdraw consent by sending a request to the above email address, which we will fulfill as soon as possible but no later than within 5 working days.

IMPORTANT! Please do not include any personal data in the free-text “message” section of the website form. We are not authorized to process such unsolicited personal data and will immediately and permanently delete it without further consideration.

6.2 Contact via Social Media Platforms

Data Subjects: Natural persons who voluntarily contact the website operator through social media platforms (Facebook, Instagram, Reddit, TikTok), make inquiries, ask questions, or request information.
Purpose of Processing: Communication and providing information.

Data Type

Legal Basis

Retention Period

Name

GDPR Article 6 (1)(a); your consent

Until withdrawal of consent, but no longer than 5 years

Email address

Phone number

Processing Procedure:
Data subjects voluntarily contact the Website Operator via a social media platform (Facebook, Instagram, Reddit, TikTok) to make inquiries or request information. The data provided during this interaction (e.g., name, message content, possibly phone number) is used solely to respond to the specific inquiry. Communication takes place within the internal messaging systems of the respective platforms.

Social media platforms may also process the data according to their own privacy policies, over which the Operator has no control.

Important Notice on Data Processing via Social Media:
If you send us a message through a social media platform (e.g., Facebook, Instagram, TikTok, YouTube, Reddit), the platform provider may also access the data you provide (e.g., name, message content). We have no control over their processing, so even if we delete your data upon your request (within a maximum of 5 working days), the data may still remain available to the platform provider.

Privacy policies of the platforms are available via the following links:

6.3 Registration via Website as a Service Provider

Data Subjects: Service providers who wish to register via the website in order to receive leads.
Purpose of Processing: To register service providers, maintain communication, facilitate potential lead generation, and monitor the communication and cooperation process. Additionally, part of the data is used for marketing purposes, particularly for targeted advertising (e.g., creating Custom Audiences on Facebook).

Data Type

Legal Basis

Retention Period

Name

GDPR Article 6 (1)(a); your consent

Until withdrawal of consent, but no longer than 5 years

Email address

Phone number

Company name

Business location

Business industry

Callback time

Processing Procedure:
By filling out and submitting the registration form on the website, the service provider consents to the processing of the aforementioned data. The data is processed for the purpose of tracking collaboration, maintaining contact, and for marketing purposes. As part of this, data—mainly email addresses and phone numbers—may be uploaded to platforms such as Facebook for targeted advertising (e.g., Custom Audience creation).

Data Transfers / Data Processors:
We use the following data processors for managing the provided data:

  • HubSpot Inc.
    Address: 25 First Street, Cambridge, MA 02141, USA
    Provides the CRM system used for processing the data.
    Privacy Policy: https://legal.hubspot.com/privacy-policy
  • Meta Platforms Ireland Ltd.
    Address: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
    Data (e.g., email address, phone number) may be uploaded into Facebook Ads Manager for targeted advertising. Privacy Policy: https://www.facebook.com/privacy/policy

We aim to ensure the highest level of data security and only use the data for purposes for which the data subject has given prior consent.

 

6.4 Application as a Service Provider via Facebook Ads

Data Subjects: Natural persons who apply as service providers through the form included in a Facebook advertisement, with the aim of receiving leads. Purpose of Processing: Managing the data of applicants for the purpose of contacting them and including them among our eligible service provider partners. The data is also recorded in our CRM system to track cooperation and is used for marketing purposes (e.g., creating Facebook Custom Audiences).

Data Type

Legal Basis

Retention Period

Name

GDPR Article 6 (1)(a); your consent

Until withdrawal of consent, but no longer than 5 years

Email address

Phone number

Company name

Message

Callback time

Business location

Business industry

Processing Procedure:
By filling out the forms included in Facebook advertisements, the data subject consents to being contacted and recorded as a service provider in our database. The data is stored in our CRM system (HubSpot), and—based on the subject’s consent—may also be used for marketing purposes such as Facebook Custom Audience campaigns. This allows us to target future ads to individuals who have already shown interest.

Data Transfers / Data Processors:
The following data processors provide technical support for data processing:

  • HubSpot Inc.
    Address: 25 First Street, Cambridge, MA 02141, USA
    Provides CRM services to record and manage applicant data.
    Privacy Policy: https://legal.hubspot.com/privacy-policy
  • Meta Platforms Ireland Ltd.
    Address: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
    Applicant data (e.g., email address, phone number) may be uploaded for targeted ad campaigns.
    Privacy Policy: https://www.facebook.com/privacy/policy

We take all reasonable technical and organizational measures to protect personal data during processing.

6.5 Outbound Contact (Cold Outreach via Email, Phone, or Social Media)

Data Subjects: Natural persons representing organizations, companies, or enterprises and reachable through public channels (e.g., corporate email, LinkedIn profile, Facebook page, Reddit account), contacted by the Operator for potential business cooperation without prior contact. Purpose of Processing: Initiating contact with potential business partners, presenting services, and business development.

Data Type

Legal Basis

Retention Period

Name

GDPR Article 6 (1)(f); legitimate interest

Up to 5 years from first contact or until objection

Email address

Phone number

Social media profile

Company name, position

Processing Procedure:
The Operator directly contacts individuals, companies, or enterprises potentially interested in the offered services through outbound outreach. These contacts are made via email, phone, or social media platforms (e.g., LinkedIn, Facebook, Reddit). Only publicly available business data is used, collected from company websites, professional platforms, or GDPR-compliant databases.

The purpose of the outreach is to explore potential business cooperation. If the recipient does not wish further contact, they may indicate this, and we will immediately delete their data.

Legitimate Interest Assessment:
The legal basis for this data processing is the legitimate interest of the Operator under GDPR Article 6(1)(f), which is to promote its services to the appropriate target audience. This interest does not override the rights of the data subjects, as the outreach is made via public business contacts and subjects may object to data processing at any time.

Important Note:
If the outreach is made through a social media platform (e.g., LinkedIn, Facebook, Reddit), the platform provider may also access the data you provide. The Operator is not responsible for the data processing practices of these platforms. You may request data deletion from the Operator, but we have no control over how the platforms handle your data.

Links to social media platform privacy policies:

6.6 Invoice Management and Accounting

Data Subjects: Partners, sole proprietors, or natural persons representing business entities. Purpose of Processing: Compliance with accounting record retention obligations under Act C of 2000 on Accounting (the “Accounting Act”).

Data Type

Legal Basis

Retention Period

Name

GDPR Article 6 (1)(c); legal obligation

8 years following the year of invoice issuance

Tax number, address (sole proprietor)

Processing Procedure:
Providing billing data is mandatory by law. Incomplete or incorrect data will prevent invoice issuance. Invoices are stored electronically via the Billingo Zrt. invoicing system.

Data Transfers / Data Processors:
The following data processors provide technical and professional assistance:

  • Billingo Zrt.
    Address: 1133 Budapest, Árbóc utca 6. III. em. 1., Company Registration No.: 01-10-140802
    Provides the invoicing system and performs electronic data processing.
    Privacy Policy: https://www.billingo.hu/adatkezelesi-tajekoztato
  • Nueva Könyvelő és Adótanácsadó Kft.
    Contact: iroda@nueva.hu, +36 70 607 0284
    As the accounting provider, it has access to the invoicing system and processes data solely for accounting purposes under the assignment.

6.7 Handling Data Protection Complaints

Data Subjects: Natural persons who believe their rights have been violated. Purpose of Processing: Identification, procedure execution, and communication.

Data Type

Legal Basis

Retention Period

Name

GDPR Article 6 (1)(c); legal obligation

3 years following closure of the case

Mother’s name

Email address

Phone number

Information on disputed processing

Processing Procedure:
Any data subject has the right to file a complaint if they feel their rights have been violated regarding our data processing activities.
Providing the requested data is mandatory for investigating the complaint and conducting communication, i.e., for a lawful procedure. Without the necessary data, we cannot identify the complaint or the complainant, and therefore cannot conduct the procedure.

 

6.8 Handling Other Consumer Protection Complaints

Data Subjects: Natural persons who contact us with a consumer complaint.

Purpose of Processing: Identifying the consumer complaint, carrying out the complaint procedure, fulfilling the obligation to respond, and maintaining communication with the data subject.

Data Type

Legal Basis

Retention Period

name

GDPR Article 6 (1) c) – legal obligation and

Legal basis: Act CLV of 1997 on Consumer Protection, Section 17/A (7)

5 years following the closure of the case

email address

phone number

information related to the complaint

Processing Description:

To handle consumer complaints, certain personal data is necessary for identification and for the procedure defined by law. Providing this information is required to fulfill our legal obligations. Without this data, we cannot properly investigate or handle the complaint.

The data is stored electronically, primarily via email.

Data Processors: If any external service provider is involved in handling the complaint (e.g. customer service software or partner), we will provide separate notice.

6.9 Use of Our Website

Data Subjects: Anyone who visits our website at https://unitleads.com/

Purpose of Processing: Operating the website and collecting information related to its operation, including remarketing.

Data Type

Legal Basis

Retention Period

IP address

Necessary cookies: GDPR Article 6 (1) f) – legitimate interest and

Other cookies: GDPR Article 6 (1) a) – consent

See detailed breakdown in the Cookie Policy

browser type and OS

date and time of visit

visited pages, clicks, scrolls, behavior

referrer source (e.g. search engine or other website)

Processing Description:

Our website uses cookies. Cookies are small data files stored by your browser on your device. Some are essential for the functioning of the site, while others serve statistical or marketing purposes.

Upon first visit, users choose which types of cookies they accept via a cookie management interface. This choice can be modified later. Refusing cookies may limit some features of our website.

Detailed information on cookies and cookie settings can be found here: Cookie Policy.

Data Processors and Partners:

Hosting provider: Tárhely.Eu Kft. Contact: support@tarhely.eu | +36 (1) 789 2 789 Privacy Policy: https://tarhely.eu/dokumentumok/adatvedelmi_szabalyzat.pdf

Marketing and analytics partners:

6.91 Data Processing for Compliance with DAC7 Obligations

Data Subjects: Private individuals and companies engaged in sales activities, whose data we report to the Hungarian Tax Authority (NAV) in compliance with DAC7 regulations.

Purpose of Processing: To collect and report necessary data to NAV in order to fulfill our legal obligations under the DAC7 directive.

For Private Individuals:

Data Type

Legal Basis

Retention Period

name

Fulfillment of legal obligation (GDPR Article 6 (1) c))

Up to 5 years after submission to NAV as per legal requirements

primary address

tax identification number and issuing Member State, or place of birth if no TIN

VAT number (if available)

date of birth

For Companies:

Data Type

Legal Basis

Retention Period

name

Fulfillment of legal obligation (GDPR Article 6 (1) c))

Up to 5 years after submission to NAV as per legal requirements

primary address

tax identification number and issuing Member State

company registration number

permanent establishment (if applicable) and its Member State

Processing Description:

Under DAC7, we are required to collect and report the specified data to the Hungarian Tax Authority (NAV) to ensure compliance. Providing this data is mandatory; without it, we cannot meet our legal obligations. The data is used solely for administrative processes and for reporting to NAV. It is not shared with third parties unless legally required.

Data Processors: If external service providers are involved in this process (e.g. support software or partners), we will provide specific notice.

 

Transfer and Disclosure of Data

Occasionally, in connection with our activities, we transfer personal data to third parties. The transfer of data may occur in both paper-based and electronic formats, ensuring in both cases that the data is accessible only to the intended recipient.

Paper-based transfer: via personal delivery or postal mail, expressly addressed to the recipient. Electronic transfer (e-mail): personal data does not appear in the message body. If necessary, personal data is sent in an attached Excel file or compressed file, both protected with a unique password.

We do not transfer personal data to third countries or international organizations.

As a data controller, on the legal bases of “contract performance” or “legal compliance,” we may transfer data – in addition to the partners listed in point 6 – to the following organizations acting as data processors or independent data controllers:

Our banking partner: K&H Bank Zrt.
Data Protection Information: https://www.kh.hu/adatkezelesi-tajekoztato

Data Security

We ensure the security of the personal data we manage through technical and organizational measures and the establishment of internal procedures.

Access to personal data is granted only to those employees who need it to perform their duties.

To ensure data security:

  • During the design and operation of our IT systems, we assess and consider potential risks, striving to reduce them continuously.
  • We monitor emerging threats and vulnerabilities (e.g., computer viruses, hacking, denial-of-service attacks) to act promptly in preventing or eliminating them.
  • We protect IT equipment and paper-based information from unauthorized physical access and environmental effects (e.g., water, fire, electrical surges).
  • We monitor our IT systems to detect potential issues and incidents.
  • When selecting service providers involved in operations, reliability is a primary criterion.

To enhance the data security of our website, we use an SSL certificate that ensures encrypted data transmission, thereby protecting data provided by users and visitors. Additionally, our website is protected by iThemes Security software, which continuously monitors system security and prevents potential attacks, unauthorized access, and exploitation of other security vulnerabilities.

Data Subjects’ Rights under Articles 15–20 of the GDPR

Data subjects are entitled to the following rights concerning their personal data:

  • Right to information
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

You may exercise your rights by sending a request to: info@unitleads.com

Right of Access: Data subjects are entitled to receive confirmation as to whether their personal data is being processed. If so, they may access the personal data they have provided and request information about the purposes, legal basis, and duration of processing, as well as about any data transfers.

We will fulfill access requests within 14 days of receipt, free of charge under general circumstances. If a request is repeated, abusive, or manifestly unfounded, we reserve the right to charge a reasonable administrative fee. In such cases, the response time may also be extended.

To prevent abuse, we reserve the right to verify the identity of the requester before releasing any personal data, ensuring that the data is only provided to the rightful individual.

Right to Rectification: Upon request, we will promptly correct inaccurate personal data and complete any incomplete data.

Right to Erasure: We will delete personal data without undue delay if:

  • The data is no longer necessary for the purpose for which it was collected or otherwise processed;
  • The legal basis for processing (e.g., consent) is withdrawn and no other legal basis applies;
  • The data has been unlawfully processed;
  • Legal obligations require us to erase the data.

We are not obliged to erase personal data if processing is necessary for the establishment, exercise, or defense of legal claims.

Right to Restriction of Processing: Upon request, we will restrict the processing of personal data, in which case the data will be processed only for limited purposes.

Right to Data Portability: Provided it does not infringe on the rights and freedoms of others, we will send your personal data in a structured, commonly used, machine-readable format or transfer it directly to another data controller upon request.

Right to Information: During the data processing period, data subjects may request information about the processing of their personal data. We will provide this information in writing and in a clear manner within 30 days of receiving the request.

Right to Object: Objections will be investigated within the shortest possible time but no later than 15 days. We will decide on the validity of the objection and provide written notification of the outcome. If we are unable to fulfill a request for rectification, restriction, or erasure, we will notify the data subject within 30 days of receiving the request, providing factual and legal reasons for the refusal either in writing or, with the data subject’s consent, electronically.


Other Provisions Regarding Data Processing

Termination of Data Processing We delete all personal data where the purpose of data processing no longer exists, or the data subject’s consent for processing is not available, the data subject has withdrawn their consent or has objected to the data processing, or there is no legal basis for processing.

Instead of deletion, we block the personal data if requested by the data subject, or if based on the available information it can be assumed that deletion would harm the legitimate interests of the data subject. The blocked personal data shall only be processed as long as the purpose excluding deletion of the personal data exists.

Procedural Rules Related to the Handling of Privacy Complaints Procedure: We treat and handle as a complaint any written remark made by a data subject, provided it relates to data protection and indicates a concern regarding our conduct or omission inconsistent with this Privacy Notice (hereinafter: complaint).

Complaints can be submitted via our above email address (electronically) or by sending a written notice to our mailing address.

The complaint must include at least: the name of the complainant, address (email address), phone number, the date of the grievance, a specific description of the complaint, the complainant’s signature, and a declaration consenting to the processing of personal data for the purpose of complaint handling by signing the complaint. In the absence of this data and declaration, we will not investigate the complaint and shall notify the complainant in writing.

We only process the complainant’s data for complaint-related purposes and do not disclose it to third parties, except as required by law (e.g., authority or court requests), nor use it for commercial purposes.

We will investigate the complaint and provide a written, reasoned response within 30 days of receipt in the same manner it was submitted (by email or post). If the 30-day deadline is insufficient for the investigation, we will inform the complainant. In this case, a reasoned written response will be provided within 3 months from the submission date.

If the investigation determines that the complaint is factual and justified, we will inform you of the manner and extent of remedying the grievance along with our decision.

In case of complaint rejection, we will inform you in writing that you may further contact the National Authority for Data Protection and Freedom of Information (hereinafter: NAIH) or the Court in case of grievance.

The NAIH supports the enforcement of data subjects’ rights through issuing template letters: https://naih.hu/panaszuegyintezes-rendje.html

Complaint Submission: NAIH 1055 Budapest, Falk Miksa u. 9-11, Email: ugyfelszolgalat@naih.hu Phone: +36(1) 391 1400 Website: www.naih.hu

Data Protection Incident and Its Handling A data protection incident refers to any activity, intervention, or omission that results in the unlawful processing of personal data, such as unauthorized access, modification, transfer, disclosure, deletion, destruction, or accidental destruction and damage.

If you detect such an incident related to our activities, please report it as soon as possible via email to: info@unitleads.com

As a Data Controller, we record the report and immediately begin the investigation. If the data breach involves our IT systems, we will also inform the service providers responsible for the affected databases.

To investigate the report and handle the incident, we collect all necessary information to identify it, reduce potential damages, and establish further corrective actions. Where possible, we record:

  • the date and location of the incident,
  • description, circumstances, and impacts of the incident,
  • the scope and volume of compromised data,
  • the data subjects affected by the compromised data.

Additionally, as required by law, we report the incident to the Authority (NAIH) within 72 hours.

Data Protection Officer: As a Data Controller, our primary activities do not involve the processing of large-scale and/or particularly sensitive personal data, thus we do not consider it necessary to appoint or employ a Data Protection Officer, nor are we legally required to do so.

Note: As a Data Controller, we reserve the right to continuously update this Privacy Notice, and to unilaterally amend the information contained herein – including changes to legal regulations. The current valid version of the notice is always available at the Data Controller.

Gyöngyöstarján, 5 April 2025 Török Dávid Sole Proprietor