Privacy Policy

Privacy Policy


for users and subscribers of the taxhungary.hu website


 Effective: 5 June 2026 | Version: 1.1


1. Introduction and scope

The purpose of this Privacy Policy (the "Policy") is to inform data subjects about the purpose, legal basis, duration and scope of the processing of personal data carried out in connection with the use of the taxhungary.hu website (the "Website") operated by ECC-CONSULTING Tanácsadó Zrt. (the "Controller" or "Service Provider"), as well as about the rights of data subjects and the available remedies.

This Policy applies to all visitors of the Website, to registered and subscribing users, to newsletter subscribers, to those completing the contact form, and to any natural person whose personal data are processed by the Controller in connection with the operation of the Website.

The Controller processes personal data in accordance with Regulation (EU) 2016/679 (GDPR), Act CXII of 2011 on the right of informational self-determination and freedom of information (Infotv.) and other applicable legislation.


2. Details of the Controller

  •         Company name: ECC-CONSULTING Tanácsadó Zrt.
  •         Registered seat: 1054 Budapest, Kálmán Imre utca 1., Hungary
  •         Company registration number: 01-10-141119
  •         Tax number: 13702441-2-41
  •         EU VAT number: HU13702441
  •         Represented by: Zoltán Farkas, CEO
  •         E-mail: office@taxhungary.hu
  •         Website: https://taxhungary.hu


3. Principles of data processing

In processing personal data the Controller applies the following principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.


4. Processing related to the use of the Website


4.1 Website visits and technical logging

Purpose: ensuring the secure and proper operation of the Website, preventing abuse, detecting and remedying errors, and producing statistical analyses.

Data processed: the visitor's IP address, the time of the visit, the addresses of the pages visited, the browser and operating system type, and the referring URL.

Legal basis: the legitimate interest of the Controller [Article 6(1)(f) GDPR] in the secure operation of the Website.

Retention period: technical log files are retained for a maximum of 12 months.


4.2 Registration and user account

Purpose: registration on the Website and operation of the user account, identification of the user, use of the Website's services, and contact with the user.

Data processed: the user's name, e-mail address, password (stored solely in irreversible, hashed form), the time of registration and last login, language preference, and optionally a telephone number.

Legal basis: the consent of the data subject [Article 6(1)(a) GDPR] and the performance of a contract [Article 6(1)(b) GDPR].

Retention period: until deletion of the user account. The user may request deletion of the account and related personal data at any time.


4.3 Subscription services and invoicing

At the time this Policy takes effect the Service Provider does not offer paid subscription services on the Website, but plans to introduce them; upon their activation the following processing will apply.

Purpose: enabling the use of the subscription service, conclusion and performance of the contract, issuing invoices, and fulfilling accounting documentation obligations.

Data processed: billing name, company name, billing address, tax number, EU VAT number, the name of the ordered service, the amount of consideration, and the time and method of payment.

Legal basis: performance of a contract [Article 6(1)(b) GDPR] and compliance with a legal obligation [Article 6(1)(c) GDPR], in particular Act C of 2000 on Accounting.

Retention period: until the end of the 8th year following the year of issue, pursuant to Section 169(2) of Act C of 2000.


4.4 Newsletter service

Purpose: sending newsletters and information requested by the user, informing about new content, and marketing communication.

Data processed: the subscriber's name, e-mail address, time of subscription, language preference, and time of unsubscription (where relevant).

Legal basis: the explicit and voluntary consent of the data subject [Article 6(1)(a) GDPR] and Section 6(1)–(2) of Act XLVIII of 2008 on commercial advertising (Grtv.).

Retention period: until consent is withdrawn, i.e. until unsubscription. Unsubscription is possible at any time, free of charge, via the link at the bottom of newsletters or by message to office@taxhungary.hu.


4.5 Contact

Purpose: answering the user's question, investigating the enquiry, and keeping in contact.

Data processed: the name and e-mail address of the person initiating contact, the subject and content of the message, the time of the enquiry, and any other data provided voluntarily.

Legal basis: the consent of the data subject [Article 6(1)(a) GDPR] and the legitimate interest of the Controller [Article 6(1)(f) GDPR] in responding.

Retention period: after closing the matter, until the general limitation period under the Hungarian Civil Code, i.e. a maximum of 5 years.


4.6 Abuse and bot protection (Cloudflare Turnstile)

Purpose: protecting the Website's forms (newsletter sign-up, contact form, registration, login) against automated abuse (bots, unsolicited messages, "spam") and ensuring the secure operation of the Website.

Data processed: the visitor's IP address and technical characteristics of the browser and visitor interaction (signals required for bot detection).

Legal basis: the legitimate interest of the Controller [Article 6(1)(f) GDPR] in the secure operation of the Website and its forms and in preventing abuse and unsolicited contact.

Processor: the service is provided by Cloudflare, Inc. (USA), which processes the data under appropriate safeguards pursuant to Chapter V of the GDPR (Standard Contractual Clauses adopted by the European Commission).

Retention period: data related to the bot check are processed by Cloudflare only briefly under its own rules; the Controller does not store these data independently.


5. Cookies

The Website uses cookies for its operation and to improve the user experience. A cookie is a small text file stored on the user's device that allows the user to be recognised and the operation of the Website to be optimised.


5.1 Strictly necessary cookies

These cookies are essential for the proper operation of the Website and do not require prior consent: session cookies for managing login; security cookies (CSRF protection); and the cookie storing the cookie settings. Legal basis: the legitimate interest of the Controller [Article 6(1)(f) GDPR] and Section 13/A of the Hungarian E-commerce Act.


5.2 Functional cookies

Functional cookies improve the user experience (e.g. remembering the language preference). Their use is subject to prior consent. Legal basis: consent of the data subject [Article 6(1)(a) GDPR].


5.3 Analytics and marketing cookies

The Controller may use analytics cookies to measure traffic and improve content, and marketing cookies to display content and offers tailored to the user's interests. These cookies are used only on the basis of the data subject's prior, explicit consent, which may be withdrawn at any time. Legal basis: consent of the data subject [Article 6(1)(a) GDPR].

To measure website traffic, the Controller uses the Google Analytics 4 web analytics service (operator: Google Ireland Limited / Google LLC). The service processes the visitor's IP address in anonymized form. Google Analytics cookies (in particular _ga, _ga_*, _gid) are loaded only after the data subject's prior, explicit consent, based on the permission given via the cookie banner. Consent may be withdrawn at any time. Data transfer by Google — as a provider outside the European Union (USA) — takes place under appropriate safeguards in accordance with the GDPR.


5.4 Managing and disabling cookies

The user may change cookie settings at any time via the cookie banner on the Website or in the browser settings. Disabling cookies may impair or limit the operation of certain functions.

The complete, detailed list of cookies used on the Website — including the name, purpose, duration and provider — is set out in the separate Cookie Policy available on the Website.


6. Recipients of data and processors

The Controller may use processors in operating the Website and providing the services. Processors do not make independent decisions and act solely in accordance with the contract concluded with the Controller and the Controller's instructions. The Controller uses processors in particular in the following areas:

  •         hosting and server operation;
  •         providers used for the delivery of e-mails and newsletters;
  •         accounting and invoicing provider;
  •         provider ensuring the bot protection and security of the Website and its forms: Cloudflare, Inc. (USA);
  •         web analytics and traffic measurement provider: Google (Google Analytics 4) — only where the data subject has given consent;
  •         online payment provider (after the introduction of the subscription service, only to the extent necessary for the transaction).

The Controller will, upon request, send the current detailed list of processors — indicating the provider's name, seat and area of activity — to office@taxhungary.hu.


7. Transfer to third countries

The Controller transfers personal data to a third country outside the European Economic Area only if the data subject has expressly consented or if the transfer meets one of the conditions of Chapter V of the GDPR (in particular an adequacy decision, standard contractual clauses or other appropriate safeguards). Where certain providers used by the Controller (such as Cloudflare or Google) carry out transfers outside the European Union, such transfers take place solely within the framework of a legal mechanism compliant with the GDPR.


8. Data security measures

The Controller applies technical and organisational measures appropriate to the level of risk, in particular: encrypted data transmission (HTTPS/TLS); storage of passwords in irreversible, hashed form; management and regular review of access rights; regular backups; logging of system access; and confidentiality obligations of staff.


9. Data breach handling

In the event of a personal data breach, the Controller notifies the Hungarian National Authority for Data Protection and Freedom of Information within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. In the case of a high risk, the Controller also informs the data subjects directly.


10. Automated decision-making and profiling

The Controller does not carry out decision-making based solely on automated processing — including profiling — that would produce legal effects concerning the data subject or similarly significantly affect them.


11. Rights of the data subject

Under the GDPR the data subject has the following rights: the right to information; the right of access; the right to rectification; the right to erasure ("the right to be forgotten"); the right to restriction of processing; the right to data portability; the right to object; and the right to withdraw consent. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.


12. Enforcement of rights

The data subject may submit questions, requests and complaints regarding data processing to office@taxhungary.hu or by post (1054 Budapest, Kálmán Imre utca 1., Hungary). The Controller responds to requests within 30 days at the latest; this deadline may be extended by a further 60 days in justified cases.

If the data subject considers that the processing of their personal data infringes the law, they may lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH; 1055 Budapest, Falk Miksa utca 9–11.; postal address: 1363 Budapest, Pf. 9.; phone: +36 (1) 391-1400; e-mail: ugyfelszolgalat@naih.hu; website: https://www.naih.hu) and may also turn to the courts.


13. Provisions concerning minors

The Website's services are intended for natural persons who have reached the age of 16. A person under 16 may consent to processing based on consent only with the consent of the person exercising parental responsibility. If the Controller becomes aware that it processes a minor's data in the absence of such consent, it deletes the data without delay.


14. Amendment of the Policy

The Controller reserves the right to amend this Policy unilaterally, in particular where the legal environment or the processing activity changes. Amendments take effect upon publication on the Website. In the case of a material change to consent-based processing, the Controller notifies the data subjects separately and, where necessary, requests new consent. The current version of the Policy is continuously available on the Website.

Imprint → Terms →