Privacy policy
Version: 1 · Acceptance Date: February 7, 2025 · Generation Date: February 7, 2025 · Update Date: February 3, 2026 · Certified and prepared by: Virtualjog.hu
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR), we provide the following information.
This privacy policy governs the data processing on the following websites/mobile applications: https://nadanoir.com
The privacy notice is available at: https://nadanoir.com/privacy-policy/
Amendments to the policy take effect upon publication at the above address.
Data Controller and Contact Details
Name: EHS Focus Kft.
Registered address: 2309 Lórév, Kossuth Lajos utca 97.
Email: info@nadanoir.com
Phone: +36 30 755 0102
Definitions
- “personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- “processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- “processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- “recipient”: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- “consent” of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- “personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- “profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Principles Relating to the Processing of Personal Data
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (“purpose limitation”);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of individuals (“storage limitation”);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
The controller shall be responsible for, and be able to demonstrate compliance with, the above principles (“accountability”).
The controller declares that its data processing complies with the principles set out in this section.
Data Processing Related to Webshop Operation
- Fact of data collection, scope of processed data, and purpose of processing:
| Personal Data | Purpose of Processing | Legal Basis |
|---|---|---|
| Username | Identification, enabling registration | Consent of the data subject, GDPR Art. 6(1)(a) |
| Password | Secure login to user account | Consent of the data subject, GDPR Art. 6(1)(a) |
| First and last name | Contact, purchase, issuing proper invoice, exercising right of withdrawal | Contract performance, GDPR Art. 6(1)(b) |
| Email address | Contact | Contract performance, GDPR Art. 6(1)(b) |
| Phone number | Contact, efficient coordination of invoicing or delivery issues | Contract performance, GDPR Art. 6(1)(b) |
| Billing name and address | Issuing proper invoice, contract formation, definition, modification, monitoring performance, invoicing fees, enforcing claims | Legal obligation, GDPR Art. 6(1)(c) (Accounting Act 2000 C. § 169(2)) |
| Shipping name and address | Enabling home delivery | Contract performance, GDPR Art. 6(1)(b) |
| Date of purchase/registration | Technical operation | Contract performance, GDPR Art. 6(1)(b) |
| IP address at purchase/registration | Technical operation | Contract performance, GDPR Art. 6(1)(b) |
- Scope of data subjects: All data subjects registered/purchasing on the webshop website. Neither username nor email address needs to contain personal data.
- Duration of processing, deadline for data erasure: Until the data subject’s erasure request if any condition under GDPR Art. 17(1) applies. The controller informs the data subject electronically of the erasure of any personal data under GDPR Art. 19. If the erasure request covers the email address, it is also deleted after notification. Exception: Accounting documents must be retained for 8 years under Accounting Act 2000 C. § 169(2). Contractual data may be deleted upon the data subject’s request after the civil law limitation period. Accounting vouchers (including ledgers, analytical records) must be retained in readable form for at least 8 years, retrievable by reference to accounting entries.
- Description of data subjects’ rights related to processing: The data subject may request access to personal data, rectification, erasure or restriction of processing, data portability, and withdrawal of consent at any time.
- How to initiate access, erasure, rectification, restriction, or portability: By post to 2309 Lórév, Kossuth Lajos utca 97.; email to ; phone +36 30 755 0102.
- We inform you that:
- Processing is necessary for contract performance and offer provision.
- You must provide personal data to fulfill your order.
- Failure to provide data results in inability to process your order.
Cookie Management
- No prior consent is required for “password-protected session cookies”, “shopping cart cookies”, “security cookies”, “strictly necessary cookies”, “functional cookies”, and “cookies for website statistics”.
- Fact of processing, scope of data: Unique identifier, dates, times.
- Scope of data subjects: All visitors to the website.
- Purpose of processing: User identification, tracking visitors, personalized operation.
- Duration of processing, deadline for erasure:
| Cookie Type | Legal Basis | Duration |
|---|---|---|
| Session cookies or other strictly necessary cookies | No processing via cookie | Until session end (browser closure) |
| Statistical, marketing cookies | GDPR Art. 6(1)(a) – consent | 1 day – 2 years per cookie notice, or until consent withdrawal |
- Description of data subjects’ rights: Data subjects can delete cookies in browser settings under Tools/Settings > Privacy.
- Most browsers allow setting which cookies to save and deleting specific ones. Restricting cookies or third-party cookies may limit full website functionality. Information on customizing cookie settings in common browsers:
- Google Chrome: https://support.google.com/chrome/answer/95647?hl=hu
- Internet Explorer: https://support.microsoft.com/hu-hu/help/17442/windows-internet-explorer-delete-manage-cookies
- Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-használ
- Safari: https://support.apple.com/hu-hu/guide/safari/sfri11471/mac
Use of Google Ads Conversion Tracking
- The controller uses the online advertising program “Google Ads” and its conversion tracking service from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).
- When a user reaches a website via a Google ad, a conversion tracking cookie is placed on their computer. These cookies are limited in validity and contain no personal data, so users cannot be identified.
- If the user browses certain pages while the cookie is active, Google and the controller can see that the user clicked the ad.
- Each Google Ads client receives a different cookie, so tracking across Ads clients’ sites is not possible.
- Information obtained via conversion cookies serves to create conversion statistics for Ads clients, informing them of the number of users who clicked the ad and were redirected to the tagged page. No information identifies individual users.
- To opt out of conversion tracking, disable cookie installation in your browser. You will then not appear in conversion statistics.
- Based on Google Consent Mode v2, Google uses two new cookie types: ad_user_data and ad_personalization, based on user consent for data use and sharing. ad_user_data consents to user data for advertising; ad_personalization controls use for personalized ads (e.g., remarketing). The controller ensures proper consent acquisition/revocation via the cookie banner/panel. Withdrawal does not affect prior lawful processing.
- Further information and Google’s privacy policy: https://policies.google.com/privacy
Use of Google Analytics
- This website uses Google Analytics, a web analytics service by Google Inc. (“Google”). Google Analytics uses “cookies”, text files placed on your computer to help analyze website use.
- Information generated by cookies about website use is usually transmitted to and stored on a Google server in the USA. With IP anonymization activated, Google truncates the user’s IP address within the EU/EEA.
- Full IP transmission and truncation on a US server occurs only in exceptional cases. On behalf of the website operator, Google uses this information to evaluate website use, compile reports on activity, and provide other website/internet services.
- Google does not combine the IP address transmitted by your browser in Google Analytics with other data. You can prevent cookie storage via browser settings (note: may limit functionality). You can also prevent Google from collecting/processing cookie data (including IP) by downloading/installing the browser plugin: https://tools.google.com/dlpage/gaoptout?hl=hu
Newsletter and Direct Marketing Activities Based on Consent
- Under Act XLVIII of 2008 on the Basic Conditions of Economic Advertising Activities, users may give prior explicit consent to be contacted via registration details for advertising offers/other mailings.
- Users may consent to processing of personal data necessary for sending advertising offers.
- The controller does not send unsolicited ads; users may unsubscribe freely and without justification/cost. In such cases, all personal data for ad sending is deleted, and no further offers are sent. Unsubscribe via link in messages.
- Fact of data collection, scope of data, purpose:
| Personal Data | Purpose of Processing | Legal Basis |
|---|---|---|
| Name, email address | Identification, enabling newsletter/subscription to promotional coupons | Consent, GDPR Art. 6(1)(a) |
| Subscription date | Technical operation | Consent, GDPR Art. 6(1)(a) |
| IP address at subscription | Technical operation | Consent, GDPR Art. 6(1)(a) |
- Newsletter sending complies with Act XLVIII of 2008.
- Scope of data subjects: All newsletter subscribers.
- Purpose: Sending electronic messages (email, SMS, push) containing advertisements, providing information on current news, products, promotions, new features, etc.
- Duration: Until consent withdrawal (unsubscribe or erasure request), or newsletter termination.
- Description of rights: Access, rectification, erasure, restriction, portability, withdrawal of consent at any time.
- How to initiate: By post to 2309 Lórév, Kossuth Lajos utca 97.; email to ; phone +36 30 755 0102.
- Users may unsubscribe from newsletters free at any time.
- We inform you that:
- Processing is based on your consent.
- You must provide data to receive newsletters.
- Failure results in no newsletters.
- Withdraw consent anytime via unsubscribe.
- Withdrawal does not affect prior lawful processing.
Complaint Handling
- Fact of data collection, scope of data, purpose:
| Personal Data | Purpose of Processing | Legal Basis |
|---|---|---|
| First and last name | Identification, contact | Legal obligation, GDPR Art. 6(1)(c) (Consumer Protection Act 1997 CLV. § 17/A(7)) |
| Email address | Contact | Legal obligation |
| Phone number | Contact | Legal obligation |
| Billing name and address | Identification, handling quality complaints/questions/problems related to ordered products/services | Legal obligation |
- Scope of data subjects: All purchasers filing quality complaints.
- Duration: Complaint records, transcripts, and responses must be retained for 3 years under Consumer Protection Act 1997 CLV. § 17/A(7).
- Description of rights: Access, rectification, erasure, restriction, portability.
- How to initiate: By post to 2309 Lórév, Kossuth Lajos utca 97.; email to ; phone +36 30 755 0102.
- We inform you that:
- Data provision is based on legal obligation.
- Processing is precondition for contract.
- You must provide data to handle complaints.
- Failure results in inability to handle your complaint.
Recipients with Whom Personal Data Are Shared
“Recipient”: a natural or legal person, public authority, agency or other body to which personal data are disclosed (third party or not).
- Processors (processing on behalf of controller): The controller uses processors to support its activities and fulfill contractual/legal obligations. Processors provide sufficient guarantees for GDPR compliance and rights protection. Processors act only on controller instructions; controller remains liable. Processors have no substantive decision-making authority. Processors may include hosting providers and couriers.
- Specific processors:
| Processing Activity | Name, Address, Contact |
|---|---|
| Hosting service | Rackforest 1132 Budapest, E-mail: |
| Other (e.g., online invoicing, web development, marketing) | Számlázz.hu (KBOSS.hu Kft.), https://www.szamlazz.hu, Email: , Phone: +36 30 35 44 789 |
- Data transfer to third parties: Third-party controllers process data under their own privacy policies.
Social Media
- Fact of data collection, scope: Registered name and public profile picture on Twitter/Pinterest/YouTube/Instagram/TikTok/LinkedIn etc.
- Scope of data subjects: All registered on those platforms who “liked” the controller’s page or contacted via social media.
- Purpose: Sharing/liking/following/promoting website content, products, promotions, or the site itself on social media.
- Duration, erasure, recipients, rights: Refer to the relevant social platform’s policy for source, processing, transfer, duration, erasure/modification. Processing occurs on social platforms.
- Legal basis: Voluntary consent to personal data processing on social platforms.
Joint Data Processing with Facebook / Meta
The controller has a Facebook / Meta profile. Statistical processing on Facebook is joint processing by the controller and Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Ireland). Details in the Facebook Page Insights Controller Addendum: https://www.facebook.com/legal/terms/page_controller_addendum
The controller communicates via private message only if contacted there.
- Categories of data subjects: Those registered on Facebook who “liked” the controller’s page, or contact via private message.
- Purpose: Sharing/promoting controller’s activities/services on Facebook. Private message data used only to respond; no other data collected/extracted via social media.
- Legal basis: Consent, GDPR Art. 6(1)(a).
- Scope of data: Registered name, public profile picture, other public data shared by data subject on Facebook.
- Source: The data subject.
- Withdrawal: Withdraw consent anytime by deleting post/comment. Processing via third-party platforms. Controller deletes conversation upon withdrawal. Withdrawal does not affect prior lawful processing.
Initiate access/erasure/rectification/restriction/portability: By post to 2309 Lórév, Kossuth Lajos utca 97.; email to info@nadanoir.com; phone +36 30 755 0102.
- Duration: Until consent withdrawal; if messaging occurs, 2 years.
- Transfers/recipients: See GDPR Art. 4(9). Controller discloses data to authorities (courts, prosecutors, police, NDPA) only exceptionally/legally required.
- Consequences of non-provision: Inability to follow controller’s activities/services on Facebook or send messages via Messenger.
- Automated decision-making/profiling: None.
- Joint controller agreement with Facebook Ireland Ltd.: Page Insights shows aggregated data on page use. Facebook Ireland and controller are joint controllers for analytics data. Facebook Ireland bears primary GDPR responsibility for analytics data and compliance. Controller ensures lawful basis and other obligations. Facebook Ireland handles requests; controller cannot act on behalf or respond for Facebook Ireland regarding Page Insights data.
Customer Relations and Other Data Processing
- If questions/problems arise during service use, contact the controller via provided methods (phone, email, social media, etc.).
- The controller deletes received emails/messages/phone/Meta data (with name, email, voluntarily provided data) after max. 2 years from receipt.
- For unlisted processing, information provided at data collection.
- On exceptional official requests or legal authorization, the controller must provide information/data/documents.
- In such cases, only data necessary for the request’s purpose (if specified) is disclosed.
Rights of Data Subjects
- Right of access: Confirmation whether processing is ongoing and access to data/information under GDPR.
- Right to rectification: Rectify inaccurate/incomplete data without undue delay.
- Right to erasure (“right to be forgotten”): Erase data without undue delay under certain conditions. If data made public, take reasonable steps (including technical) to inform other controllers to erase links/copies.
- Right to restriction: Restrict processing if accuracy contested (during verification); unlawful but erasure opposed; no longer needed but required for legal claims; objection pending legitimate grounds assessment.
- Right to data portability: Receive provided data in structured, machine-readable format and transmit to another controller without hindrance.
- Right to object: Object at any time on grounds relating to particular situation to processing based on legitimate interests/public task, including profiling.
- Object to direct marketing: Object anytime to processing for direct marketing (including profiling); data no longer processed for that purpose.
- Automated individual decision-making/profiling: Not subject to decisions based solely on automated processing (including profiling) with legal/significant effects, except if necessary for contract, authorized by law with safeguards, or explicit consent.
Response Deadline
The controller informs you of the measures taken without undue delay, and in any case within 1 month of receipt of the request. This period may be extended by 2 months if necessary; the controller notifies you of the extension, with reasons, within 1 month. If the controller takes no action, it informs you within 1 month of the reasons and of your right to complain to the supervisory authority or a court.
Security of Data Processing
The controller and the processor implement appropriate technical and organizational measures, taking into account the state of the art, the costs, the nature, scope, context and purposes of processing, and the risks of varying likelihood and severity to rights and freedoms, to ensure an appropriate level of security, including:
- Pseudonymization and encryption of personal data;
- Ensuring ongoing confidentiality, integrity, availability, resilience of processing systems/services;
- Ability to restore availability/access in timely manner after physical/technical incidents;
- Regular testing/assessing/evaluating effectiveness of measures.
Data stored to prevent unauthorized access: Physical storage/locking for paper; central authorization system for electronic. Storage method allows erasure (considering deadlines) irreversibly at end/when needed. Paper destroyed via shredder/specialized service; electronic via secure irreversible deletion/physical destruction per rules.
Specific measures:
Physical protection
- Documents in secure, lockable dry room.
- If digitized, apply digital rules.
- Staff lock away media/close room when leaving.
- Only authorized access; no third parties.
- Fire/theft protection systems.
IT protection
- Computers/mobile devices owned by controller.
- Virus protection.
- Backups/archiving.
- Server access restricted to authorized persons.
- Username/password access only.
Notification of Data Subjects About a Personal Data Breach
If a breach is likely to result in a high risk to rights and freedoms, the controller notifies the data subject without undue delay. The notification clearly describes the nature of the breach, the contact details of the DPO or other contact point, the likely consequences, and the measures taken or planned (including mitigation).
No notification is required if: measures make the data unintelligible (e.g., encryption); subsequent measures eliminate the high risk; or notification would involve disproportionate effort (in which case a public announcement or similarly effective measure is used). The supervisory authority may order notification if it has not been made.
Reporting a Personal Data Breach to the Authority
The controller reports a breach to the competent supervisory authority without undue delay and, if possible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to rights and freedoms. If the report is late, it includes the reasons for the delay.
Periodic Review in Case of Mandatory Data Processing
If the duration or necessity of mandatory processing is not set by law, local decree or EU act, the controller reviews at least every 3 years whether the processing (by itself or its processors) remains necessary for its purpose. The controller documents the circumstances and results of the review, retains the documentation for 10 years, and provides it to the NDPA on request.
Right to Lodge a Complaint
In case of infringement, a complaint may be lodged with the National Authority for Data Protection and Freedom of Information:
National Authority for Data Protection and Freedom of Information
1055 Budapest, Falk Miksa utca 9-11.
Mailing: 1363 Budapest, Pf. 9.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
Email:
Closing Remarks
This notice was prepared considering the following legislation and recommendations:
- Regulation (EU) 2016/679 (GDPR);
- Act CVIII of 2001 on electronic commerce and information society services (esp. § 13/A);
- Act XLVII of 2008 on prohibition of unfair commercial practices towards consumers;
- Act XLVIII of 2008 on basic conditions of economic advertising (esp. § 6);
- Act XC of 2005 on electronic freedom of information;
- Act C of 2003 on electronic communications (esp. § 155);
- 16/2011 opinion on EASA/IAB best practice recommendation for behavioral online advertising;
- NDPA recommendation on prior information data protection requirements.