PRIVACY POLICY regarding social media research and data processing related to the website https://cogniverse.eu.
Data Controller:
Lili Kunfalvi, Sole Proprietor
Registered address: 1037 Budapest, Jeles utca 63.
Registration number: 58278839
Tax number: 45036734-1-41
Email: kunfalvi.lili@gmail.com
(hereinafter: “Data Controller”)
This Privacy Policy outlines how the Data Controller processes personal data in relation to the website https://cogniverse.eu and CogniVerse social media research, in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR) and Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.).
I. Definitions
– Personal data: Any information relating to an identified or identifiable natural person.
– Data processing: Any operation performed on personal data, whether automated or not.
– Data controller: The person or organization that determines the purposes and means of data processing.
– Data processor: A person or organization that processes personal data on behalf of the data controller.
– Data destruction: Permanent physical destruction of the data medium.
– Data transfer: Making data available to a specified third party.
– Data deletion: Rendering data unrecognizable and irretrievable.
– Portal: The website operated by the Data Controller at https://cogniverse.eu
II. Legal Basis, Purpose, Method, and Duration of Data Processing
According to Article 6(1) of the GDPR, the legal bases for data processing are:
a) Consent – the data subject has given informed and voluntary consent to the processing of their personal data (GDPR Article 6(1)(a)) (hereinafter: “Consent”)
b) Performance of a Contract – processing is necessary for the performance of a contract to which the data subject is party (GDPR Article 6(1)(b)) (hereinafter: “Contract Performance”)
c) Legal Obligation – processing is necessary for compliance with a legal obligation to which the data controller is subject (e.g., accounting or bookkeeping obligations) (GDPR Article 6(1)(c)) (hereinafter: “Legal Obligation”)
d) Vital Interests – processing is necessary in order to protect the vital interests of the data subject or another natural person (GDPR Article 6(1)(d)) (hereinafter: “Vital Interest”)
e) Public Interest – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (GDPR Article 6(1)(e)) (hereinafter: “Public Interest”)
f) Legitimate Interest – processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party (GDPR Article 6(1)(f)) (hereinafter: “Legitimate Interest”)
1.Data Processing Related to Social Media Research
The Data Controller conducts analyses based on publicly shared content and user comments on publicly accessible social media platforms. As part of this process, it processes, stores, and analyzes such comments. These comments are recorded without any additional personally identifiable information and are not suitable for the direct or indirect identification of a natural person, provided that the individual who posted the comment has not made themselves directly or indirectly identifiable through the body of the comment or its retrievable context. In such cases where identification is possible, the Data Controller processes the following personal data as part of its social media research:
– Data Subject: User who posted publicly accessible comment
– Type of Data Processed: Comment or excerpt that can identify the user
– Source of Data: Content shared publicly by the data subject, provided to the Data – Controller by SentiOne Spółka Akcyjna (Gdańsk, ul. Lęborska 3B, 80-386), as an independent data controller.
– Purpose of Processing: Conducting research
– Legal Basis: GDPR Article 6(1)(f): Processing is necessary for the purposes of the legitimate interests pursued by the controller
– Retention Period / Deletion: 1 (one) year from the time of recording
This data processing is based on the Data Controller’s legitimate business interest, which enables it to conduct social media research. Only information published by commenters on public platforms is processed anonymously. Identifiability of the data subjects results solely from their own and direct actions. The Data Controller does not profile the comments, does not link them together, and does not record any data that would allow the reconstruction of the identity of commenters. Identification may only be possible in some cases through internet search engines — which the Data Controller cannot influence or prevent. The Data Controller’s actions do not expose the comments to new publicity. The scope of collected data is limited; it is used exclusively for statistical analysis and reporting. No behavioral preferences are collected, and no automated decision-making is performed. Consequently, the rights and freedoms of the data subjects are not disproportionately affected.
Due to the volume of processed comments, this data processing falls under GDPR Article 14(5), which exempts the Data Controller from the obligation to provide individual information as outlined in Article 14(1)-(4) in cases where it proves impossible or would involve disproportionate effort — particularly in cases of public interest archiving, scientific or historical research purposes, or statistical purposes under the safeguards provided in Article 89(1), or where such an obligation would likely render impossible or seriously impair the achievement of the processing objectives. Accordingly, the Data Controller has taken appropriate measures — including making information publicly available — to protect the rights, freedoms, and legitimate interests of data subjects.
The personal data referred to in Section II is obtained by the Data Controller from SentiOne Spółka Akcyjna (Gdańsk, ul. Lęborska 3B, 80-386), acting as an independent data controller. This company has contractual relationships with operators of online platforms used by commenting users to legally collect, analyze, compile, and sell databases created from public comments. The Data Controller bears no responsibility for any data processing carried out prior to the receipt of such data by SentiOne in its role as an independent data controller.
2. Automated Data Collection Related to the Website (Portal)
– Data Subject: Website visitor
– Type of Data Processed:
1. Country, browser used, type and version of device and operating system, language settings, time of visit
2. Website visit statistics (pages viewed, session duration, referring website, type of device, duration and time of visit, geographical location, Google Analytics)
– Source of Data : Data Subject
– Purpose of Processing: Generating statistics, developing the Portal
– Legal Basis: GDPR Article 6(1)(f): Processing is necessary for the purposes of the legitimate interests pursued by the controller
– Retention Period / Deletion:
1. Country, browser used, type and version of device and operating system, language settings, time of visit: 120 minutes from the time of visit
2. Website visit statistics (pages viewed, session duration, referring website, type of device, duration and time of visit, geographical location, Google Analytics): 2 years from the time of visit
The Service Provider uses cookies and other tools on the Portal to anonymously understand user needs and to improve the Portal accordingly.
This data processing is based on the Service Provider’s legitimate business interest, as it enables continuous improvement and enhanced security of the Portal. The scope of collected data is limited; it is used solely for statistical and analytical purposes. The Service Provider does not collect behavioral preferences, make automated decisions, or send personalized offers based on this data. As such, the fundamental rights and freedoms of users are not disproportionately affected by this data processing.
Google Analytics
Google Analytics is a web analytics service provided by Google LLC (“Google”) that helps analyze how visitors use the Portal. Google Analytics collects information such as the IP address, which may be transmitted to Google and stored on servers operated by Google. This information — received in anonymized form — is used by the Service Provider to generate reports and improve the functioning of the Portal.
Cookies used by Google Analytics also collect anonymous data such as the number of Portal visitors, from which websites users arrived, and which pages were viewed.
Further information on Google Analytics cookies: http://www.google.com/policies/privacy/
To opt out of Google Analytics tracking: http://tools.google.com/dlpage/gaoptout
3. Contact Form
The Data Controller provides users with the option to contact them directly via a contact form available on the Portal. In doing so, the following personal data is processed:
– Data Subject: User who fills out and submits the form
– Type of Data Processed: Name, e-mail address, phone number, company name
– Source of Data: Data Subject
– Purpose of Processing: Contact, Identification of the user
– Legal Basis: GDPR Article 6(1)(a): Data subject’s consent; GDPR Article 6(1)(f): Legitimate interest; GDPR Article 6(1)(a): Data subject’s consent; GDPR Article 6(1)(f): Legitimate interest.
– Retention Period / Deletion: Until consent is withdrawn, but no longer than 1 year, except in the case of complaint messages. In case of complaint, data is retained for 5 years based on the civil law statute of limitations. If proceedings are initiated during that period, the data is retained until the final conclusion of such proceedings.
Users may withdraw their consent for the processing of their personal data at any time by submitting a written statement addressed to the Data Controller using any of the contact details listed in this Policy. Withdrawal of consent does not affect the lawfulness of data processing conducted prior to its withdrawal.
4. Newsletter Service
The Data Controller sends newsletters to individuals who have expressly subscribed to receive them. Subscription is possible through the Portal by ticking the appropriate checkbox and/or clicking the subscription button.
Subscribers can unsubscribe at any time by clicking the “unsubscribe” link at the bottom of each newsletter.
Once a user unsubscribes, the Data Controller will no longer send newsletters to them. Withdrawal of consent does not affect the lawfulness of previous data processing.
Consent may be re-granted at any time. Providing consent is not a condition for using any services. An email address is required for both giving and withdrawing consent for identification purposes.
– Data Subject Processed: Newsletter Subscriber
– Processed Data: E-mail address
– Source of Data: Data subject
– Purpose of Processing: Sending electronic direct marketing messages, newsletters
– Legal Basis: GDPR Article 6(1)(a): Data subject’s consent Until consent is withdrawn
– Retention Period / Deletion: Until consent is withdrawn.
III. Data Controller and Data Processors
For the data specified in Section II, the Data Controller is:
Name: Lili Kunfalvi, Sole Proprietor
Registered Address: 1037 Budapest, Jeles utca 63.
Registration Number: 58278839
Tax Number: 45036734-1-41
Email: kunfalvi.lili@gmail.com
Data Processors
To manage and store personal data, the Data Controller uses various individuals and companies under a data processing agreement. The following processors are involved in data processing activities:
– Processor Name and Address: Csiby Fruzsina (2120 Dunakeszi, Balin u. 1.)
– Purpose of Data Processing: Data processing, research activities
– Scope of Data Processed: Data as specified in Section II.
– Processor Name and Address: Kurtyán Cintia (7130 Tolna, Alkotmány utca 72/A.)
– Purpose of Data Processing: Data processing, research activities
– Scope of Data Processed: Data as specified in Section II.
– Processor Name and Address: Google Ireland Limited (Gordon House, Barrow Street, Dublin 4., Írország)
– Purpose of Data Processing: Google Analytics service
– Scope of Data Processed: Data as specified in Section II.1
– Processor Name and Address: GoDaddy (2155 E GoDaddy Way, Tempe, Arizona, 85284 USA)
– Purpose of Data Processing: Hosting servive
– Scope of Data Processed: Data as specified in Section II
– Processor Name and Address: Laki Ádám Sole Proprietor (9700 Szombathely, Holdsugár utca 7.)
– Purpose of Data Processing: System administration
– Scope of Data Processed: Data as specified in Section II.
Recipients of Data Transfers
The Data Controller is entitled and obliged to transfer all legally stored personal data to the competent authorities if required by law or by final authority order. The Data Controller is not liable for such data transfers or any consequences thereof.
Data Transfers to Third Countries
The Data Controller does not transfer personal data processed under this privacy policy to third countries outside the EEA, as defined under the GDPR.
Automated Decision-Making and Profiling
The Data Controller does not carry out any automated decision-making or profiling based on the personal data processed under this privacy policy.
IV. Data Protection Principles Applied by Data Controller
The Data Controller respects the rights of data subjects as defined by law. Personal data is used solely for the purposes specified in this policy, based on the legal grounds outlined herein.
The Data Controller commits to handling all personal data in accordance with the GDPR, the Hungarian Information Act (Infotv.), and other applicable legislation. Personal data will not be disclosed to third parties except for data processors listed in this policy, or in anonymized, aggregated form for statistical purposes, which does not constitute data processing or data transfer.
In special cases — such as official court or police requests, legal proceedings related to copyright, property rights or other infringements, or when the Data Controller’s interests or service operations are endangered — personal data may be disclosed as required by law or judicial authority.
The Data Controller takes all necessary measures to ensure that personal data is protected in accordance with applicable laws.
V. Protection of Personal Data
The Data Controller fulfills its obligations under applicable data protection laws by:
– securely storing and disposing of personal data,
– collecting and retaining only the necessary amount of data,
– protecting data against loss, misuse, unauthorized access, or disclosure,
– and implementing appropriate technical and organizational measures to secure data, especially in case of network transmission or unauthorized access attempts.
VI. Rights of Data Subjects
1) Under applicable data protection laws, all data subjects have the right to:
a) Request access to their personal data
b) Request rectification of their personal data
c) Request deletion of their personal data
d) Request restriction of data processing
e) Object to the processing of their personal data
f) Request to not be subject to automated decision-making
g) Request data portability
h) Object to profiling and automated decisions
i) Withdraw consent at any time
j) Submit a complaint to the supervisory authority or seek judicial remedy
a) Right of Access
The data subject has the right to receive confirmation from the Data Controller as to whether or not personal data concerning them is being processed, and, if so, access to such personal data.
The data subject also has the right to request a copy of their personal data undergoing processing. For identification purposes, the Data Controller may request additional information or charge a reasonable fee for further copies.
b) Right to Rectification
The data subject has the right to request that inaccurate personal data concerning them be corrected. Taking into account the purposes of the processing, the data subject also has the right to request the completion of incomplete personal data, including by means of providing a supplementary statement.
c) Right to Erasure (‘Right to be Forgotten’)
The data subject has the right to request the deletion of their personal data, and the Data Controller must delete it without undue delay. In such cases, the Data Controller will not be able to provide further services to the data subject. Personal data must be deleted if:
a) it is no longer necessary for the purposes for which it was collected or otherwise processed;
b) the data subject withdraws consent and there is no other legal basis for the processing;
c) the data subject objects to processing and there are no overriding legitimate grounds;
d) the personal data has been unlawfully processed;
e) deletion is required to comply with a legal obligation;
f) the data was collected in relation to the offer of information society services.
d) Right to Restriction of Processing (Right to Blocking)
The data subject has the right to request the restriction of processing of their personal data. In such cases, the Data Controller will mark the personal data to limit processing to specific purposes. Restriction applies when:
a) the data subject contests the accuracy of the data (restriction applies during verification);
b) processing is unlawful and the data subject opposes deletion and requests restriction instead;
c) the Data Controller no longer needs the data, but the data subject requires it for legal claims;
d) the data subject has objected to processing (restriction applies until a decision is made about overriding legitimate grounds).
Restricted data may only be processed with the data subject’s consent, or for legal claims, or to protect another person’s rights.
If the right to restriction is exercised, the Data Controller is still entitled to use the data subject’s personal data if:
a) the Data Controller has received the data subject’s consent for such use; or
b) the use (presence) of the personal data is necessary for the establishment, exercise, or defense of legal claims before a court; or
c) the use (presence) of the personal data is necessary for the protection of the rights of another natural or legal person.
e) Right to Object
The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data by the Data Controller, including profiling. The data subject may also request that the Data Controller no longer process their personal data where the processing is based on legitimate interest.
Furthermore, if the Data Controller processes the data subject’s personal data on the basis of legitimate interest, the data subject has the right to object at any time to the processing of such data for that purpose.
In such a case, the Data Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or the processing is necessary for the establishment, exercise, or defense of legal claims.
f) Rights Related to Automated Decision-Making
The data subject has the right to request that the Data Controller exempt them from being subject to a decision based solely on automated processing — including profiling — if:
a. such a decision would produce legal effects concerning them; or
b. such a decision would similarly significantly affect them.
This right shall not apply if the decision resulting from automated processing:
a. is necessary for entering into or performing a contract between the data subject and the Data Controller; or
b. is authorized by Union or Member State law to which the Data Controller is subject, and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
c. is based on the data subject’s explicit consent.
Please note that the Data Controller does not use any automated decision-making mechanisms.
g) Rights to Data Portability
The data subject has the right to receive the personal data they provided to the Data Controller in a structured, commonly used, machine-readable format, and to transmit those data to another controller, where technically feasible, without hindrance, if:
a. processing is based on consent or a contract; and
b. the processing is carried out by automated means.
h) Right to Object
The data subject has the right to object at any time to processing based on GDPR Article 6(1)(e) or (f), including profiling. The Data Controller shall stop processing unless there are compelling legitimate grounds or the processing is for legal claims.
i) Right to Withdraw Consent
If the legal basis for processing is consent, the data subject may withdraw it at any time without justification. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
j) Right to Lodge a Complaint
If the data subject believes their data has been misused, they can lodge a complaint free of charge with the supervisory authority of their habitual residence, place of work, or the place of the alleged infringement.
In Hungary, the supervisory authority is:
National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9-11.
Mailing Address: 1363 Budapest, Pf. 9.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
Email: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu
2) Deadline
The Data Controller will fulfill data subject requests within 30 (thirty) days of receipt. The date of receipt is not included in the deadline.
3) Fees
The Data Controller does not charge fees for fulfilling rights unless the request is manifestly unfounded, excessive, or repetitive, in which case a reasonable fee may be charged. The Data Controller will inform the data subject of any such fee in advance.
VII. Contact Information
If a data subject wishes to exercise their rights or submit a complaint related to data protection, they may contact the Data Controller via email or postal mail using the details below:
Email: kunfalvi.lili@gmail.com
Mailing Address: 1037 Budapest, Jeles utca 63.
VIII. Other Provisions
The Data Controller reserves the right to amend this Privacy Policy at any time and shall provide written notice of any such changes.
In the event of a data protection incident, the Data Controller shall notify the supervisory authority in accordance with applicable legal requirements within 72 hours of becoming aware of the incident, and shall maintain a record of such incidents. Where required by law, the Data Controller shall also inform the affected data subjects.
This Privacy Policy shall enter into force on the day of June 2025.