Privacy Policy
| Data Controller: | Frendex Korlátolt Felelősségű Társaság (Frendex Kft.) |
| Registered office: | 2120 Dunakeszi, Szabadka utca 26, 4th floor, door 29, Hungary |
| Company registration number: | 13-09-246418 |
| Tax number: | 33024200-2-13 |
| Email: | hello@frendexapp.com |
| Website: | www.frendexapp.com |
The purpose of this Privacy Policy (hereinafter: Policy) is to inform data subjects about the processing of personal data carried out by Frendex Kft. (hereinafter: Data Controller) in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, hereinafter: GDPR) and Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Info Act).
This Policy applies to all data processing activities carried out through the FRENDEX mobile application (iOS, Android), the www.frendexapp.com website, and the FRENDEX Partner Program.
1. Definitions
1.1 Personal data: any information relating to an identified or identifiable natural person (hereinafter: data subject).
1.2 Processing: any operation performed on personal data (collection, recording, storage, use, erasure, etc.).
1.3 Data Controller: Frendex Kft., the entity that determines the purposes and means of data processing.
1.4 Data Processor: any entity that processes personal data on behalf of the Data Controller.
1.5 Data subject: any natural person whose personal data is processed by the Data Controller (User, Provider, Partner).
1.6 Consent: a freely given, specific, and informed indication of the data subject's wishes.
2. Data processing activities
2.1 User registration and account management
| Data category | Legal basis | Purpose | Retention period |
|---|---|---|---|
| Name (surname, first name) | Art. 6(1)(b) GDPR – contractual performance | Account creation, identification | 30 days after account deletion |
| Email address | Art. 6(1)(b) GDPR | Login, communication | 30 days after account deletion |
| Password (hashed) | Art. 6(1)(b) GDPR | Authentication | Deleted simultaneously with account |
| Profile picture (optional) | Art. 6(1)(a) GDPR – consent | Profile personalisation | Deleted simultaneously with account |
| Phone number (optional) | Art. 6(1)(a) GDPR | Two-factor authentication, contact | 30 days after account deletion |
| Location data | Art. 6(1)(b) GDPR | Display of nearby providers | Real-time only, not stored persistently |
2.2 Provider (service provider) registration and profile
| Data category | Legal basis | Purpose | Retention period |
|---|---|---|---|
| Name, business name | Art. 6(1)(b) GDPR | Provider profile, identification | 30 days after account deletion |
| Email address, phone number | Art. 6(1)(b) GDPR | Login, communication, notifications | 30 days after account deletion |
| Service categories, description, prices | Art. 6(1)(b) GDPR | Service listing, search | Deleted simultaneously with account |
| Service area (address / zone) | Art. 6(1)(b) GDPR | Location-based search, map display | Deleted simultaneously with account |
| Profile picture, portfolio images | Art. 6(1)(b) GDPR | Provider profile presentation | Deleted simultaneously with account |
| Calendar data (Google/Apple Calendar) | Art. 6(1)(a) GDPR | Booking availability sync | Deleted upon sync disconnection |
| Subscription data | Art. 6(1)(b) GDPR | Service level determination | Accounting retention: 8 years |
| Ratings, reviews | Art. 6(1)(f) GDPR – legitimate interest | Quality assurance, transparency | Deleted simultaneously with account |
2.3 Booking and chat
| Data category | Legal basis | Purpose | Retention period |
|---|---|---|---|
| Booking details (time, service type, status) | Art. 6(1)(b) GDPR | Booking management, fulfilment | 1 year after last booking |
| Chat messages | Art. 6(1)(b) GDPR | User-Provider communication | 30 days after account deletion |
| Push notification tokens | Art. 6(1)(a) GDPR | Sending notifications | Deleted upon withdrawal of consent |
2.4 FRENDEX Partner Program
| Data category | Legal basis | Purpose | Retention period |
|---|---|---|---|
| Name, email, phone number | Art. 6(1)(b) GDPR | Partner identification, communication | Cooperation end + 30 days |
| City / region | Art. 6(1)(b) GDPR | Regional classification | Cooperation end + 30 days |
| Social media profiles, FB group links | Art. 6(1)(b) GDPR | Application review, suitability assessment | Cooperation end + 30 days |
| Motivational response | Art. 6(1)(b) GDPR | Application review | 90 days after review decision |
| Bank account number | Art. 6(1)(b) GDPR | Reward disbursement | Accounting retention: 8 years |
| Referral statistics (registrations, conversions) | Art. 6(1)(b) GDPR | Partner performance tracking | Cooperation end + 30 days |
| GTC acceptance fact and timestamp | Art. 6(1)(c) GDPR – legal obligation | Evidence in case of dispute | Cooperation end + 5 years |
2.5 Website visits and analytics
| Data category | Legal basis | Purpose | Retention period |
|---|---|---|---|
| IP address (anonymised) | Art. 6(1)(a) GDPR – consent | Website usage analysis (Google Analytics 4) | GA4 default retention: 14 months |
| Cookie identifiers | Art. 6(1)(a) GDPR | Distinguishing visitors | Cookie lifetime: max. 13 months |
| Browser type, screen resolution, OS | Art. 6(1)(a) GDPR | Technical optimisation | GA4 default retention: 14 months |
| Page visits, session data | Art. 6(1)(a) GDPR | User experience improvement | GA4 default retention: 14 months |
2.6 Customer service and inquiries
| Data category | Legal basis | Purpose | Retention period |
|---|---|---|---|
| Name, email address | Art. 6(1)(f) GDPR – legitimate interest | Responding to inquiry | 1 year after inquiry |
| Content of the inquiry | Art. 6(1)(f) GDPR | Case evaluation, response | 1 year after inquiry |
3. Data Processors
The Data Controller engages the following data processors for the processing of personal data:
| Data Processor | Registered office | Activity | Data categories processed |
|---|---|---|---|
| Google Ireland Limited (Firebase Authentication) | Dublin, Ireland | User authentication | Email, password hash, UID |
| Google Ireland Limited (Cloud Firestore) | Dublin, Ireland | Database hosting (EU region) | All application data |
| Google Ireland Limited (Firebase Cloud Messaging) | Dublin, Ireland | Push notifications | Device tokens, message metadata |
| Google Ireland Limited (Cloud Functions) | Dublin, Ireland | Server-side logic | Processed application data |
| Google Ireland Limited (Google Analytics 4) | Dublin, Ireland | Web analytics | Anonymised IP, cookie ID, session data |
3.1 All personal data processed by the above data processors is stored within the European Union (EU region).
3.2 Google Ireland Limited is a subsidiary of Google LLC (USA). Google provides appropriate safeguards under Article 46 of the GDPR (Standard Contractual Clauses – SCC) to ensure the protection of personal data.
3.3 The Data Controller has entered into a Data Processing Agreement (DPA) with each data processor, setting out the terms of processing in accordance with Article 28 of the GDPR.
4. Data transfers
4.1 The Data Controller does not sell, lease, or share personal data with third parties for marketing purposes.
4.2 Personal data may only be transferred in the following cases:
- to the data processors listed in Section 3, for the purposes specified therein;
- upon request from a public authority or court, in order to comply with a legal obligation;
- on the basis of the data subject's explicit prior consent.
4.3 In the event of a transfer to a third country (outside the EEA), the Data Controller shall ensure appropriate safeguards under Chapter V of the GDPR (SCC, adequacy decision).
5. Cookies
5.1 The www.frendexapp.com website uses cookies. Cookies are small text files stored by the browser on the user's device.
5.2 Categories of cookies used:
| Cookie type | Purpose | Legal basis | Lifetime |
|---|---|---|---|
| Essential | Core website functionality, session management | Art. 6(1)(f) GDPR – legitimate interest | End of session |
| Analytical (Google Analytics 4) | Visitor statistics, usage pattern analysis | Art. 6(1)(a) GDPR – consent | Max. 13 months |
5.3 Analytical cookies are only placed with the data subject's prior, active consent (cookie banner).
5.4 Consent may be withdrawn at any time by modifying the cookie settings via the "Cookie settings" link in the website footer.
6. Data subject rights
Under the GDPR, data subjects have the following rights:
| Right | Description | GDPR reference |
|---|---|---|
| Right of access | The data subject may request information on whether their personal data is being processed and, if so, which data is being processed. | Article 15 |
| Right to rectification | The data subject may request the correction of inaccurate personal data or the completion of incomplete data. | Article 16 |
| Right to erasure | The data subject may request the erasure of their personal data ("right to be forgotten"), provided there is no other legal basis for processing. | Article 17 |
| Right to restriction | The data subject may request the restriction of processing under certain conditions. | Article 18 |
| Right to data portability | The data subject may request that their data be provided in a machine-readable format. | Article 20 |
| Right to object | The data subject may object to processing based on legitimate interest. | Article 21 |
| Withdrawal of consent | Where processing is based on consent, the data subject may withdraw consent at any time. | Article 7(3) |
6.1 Data subjects may exercise their rights by sending a request to info@frendex.hu. The Data Controller shall fulfil the request without undue delay, and within 30 days at the latest.
6.2 In the case of complex or numerous requests, the deadline may be extended by a further 60 days, of which the data subject must be informed.
7. Data security
7.1 The Data Controller applies appropriate technical and organisational measures to protect personal data, in particular:
- encrypted data storage (encryption at rest) and data transmission (TLS/SSL);
- role-based access control;
- regular security audits;
- password hashing (bcrypt/scrypt);
- daily automated backups.
7.2 In the event of a personal data breach, the Data Controller shall act in accordance with Articles 33–34 of the GDPR: the supervisory authority shall be notified within 72 hours, and data subjects shall be informed where necessary.
8. Automated decision-making and profiling
8.1 The Data Controller does not employ solely automated decision-making that produces legal effects concerning the data subject or similarly significantly affects them (Article 22 GDPR) in any of the processing activities covered by this Policy.
8.2 The Platform may perform location-based filtering and ranking during use, which does not constitute automated decision-making within the meaning of Article 22 GDPR.
9. Protection of children's data
9.1 Use of the Platform is restricted to persons who have reached the age of 18. The Data Controller does not knowingly collect data from persons under 18 years of age.
9.2 If the Data Controller becomes aware that it is processing the data of a person under 18, such data will be erased without delay.
10. Remedies
10.1 Data subjects may address complaints to the Data Controller at info@frendex.hu.
10.2 Data subjects have the right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH):
Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9-11., Hungary
Postal address: 1363 Budapest, Pf. 9.
Phone: +36 (1) 391-1400
Email: ugyfelszolgalat@naih.hu
Website: https://naih.hu
10.3 In the event of a violation of their rights, data subjects may bring proceedings before a court. The action may be initiated, at the data subject's choice, before the court with jurisdiction over their place of residence or habitual residence.
11. Amendments to this Policy
11.1 The Data Controller reserves the right to amend this Policy unilaterally. Data subjects shall be informed of any amendments via the Platform interface and/or by email prior to the effective date.
11.2 The amended Policy shall take effect on the date of publication, unless the text of the amendment specifies a different date.
12. Final provisions
12.1 This Policy takes effect on 15 April 2026.
12.2 Matters not regulated by this Policy shall be governed by the GDPR, the Info Act, and the applicable Hungarian legislation.