
Privacy notice

Data Controller Information
Controller: Eureka Games Ltd. (registered office: 1062 Budapest, Andrassy street 91. II/11., Hungary).
For any data protection inquiries, you can contact us at hello@eureka.hu or call +36 30 220 3734 (contact person: Peter Kalmar, Data Protection Representative).
This Privacy Notice provides information about the personal data processing activities carried out by Eureka Games Kft.
Types of Personal Data We Collect
We only collect personal data that is necessary and relevant for our operations. This typically includes:
Contact Information: Name, email address, phone number, company name, job title, and any other data you voluntarily provide when contacting us. We usually receive this data when someone emails us, calls us, or fills out one of our contact forms (for example, via Calendly scheduling, Typeform/Google Forms, etc.).
Newsletter Subscription Data: If you subscribe to our newsletter, we collect your name and email address for sending the newsletter.
Event Registration Data: Information collected when you sign up for our trainings, webinars, or other events – such as name, job title, workplace, email address, and any event-specific preferences. (Registration may occur through platforms like LinkedIn Events, Kajabi landing pages, or Zoom/Microsoft Teams/Google Meet registration forms.)
Survey Feedback: Occasionally, we conduct online surveys (e.g., via Typeform or Google Forms) for customer satisfaction or needs assessment. Participants may voluntarily share opinions or responses. These could be considered personal data if the respondent is identifiable.
Technical Data and Cookies: When you visit our website, certain information about your device and browsing behavior may be collected automatically. This includes IP address, device and browser details, and data collected through cookies. By themselves, such data typically do not identify you by name, but an IP address or cookie ID may be considered personal data. (Please refer to our separate Cookie Policy for detailed information on cookies and similar technologies.)
Note: We do not collect any special categories of personal data (such as information about racial or ethnic origin, political opinions, religious beliefs, health, biometric or genetic data). We also do not target or knowingly collect data from individuals under 18 years old, as our services and content are intended for an adult business audience.
How We Collect Personal Data
Most of the personal data we process comes directly from the individuals (data subjects) themselves. Common ways we collect data include:
Direct Contact: When you reach out to us via email or phone, or when we meet in person (e.g., at business meetings or events), you provide your contact and any other relevant information. In these cases, you choose what information to share with us.
Online Forms: You may submit data through forms on our website or other online platforms (for example, a Calendly booking form, Typeform, or Google Forms). In such forms, you voluntarily provide the requested details (e.g., name, email, company when requesting a quote).
Newsletter Sign-up: You can subscribe to our newsletter via our website or other channels. During sign-up, you provide your name and email address, and we use a double opt-in process when required to ensure GDPR-compliant consent for the subscription.
Events and Conferences: If you participate in an event or training organized by us (or co-organized with partners), we collect the data you provide at registration (see Event Registration Data above). For example, you might sign up through a LinkedIn event page or register for a webinar via Zoom – in such cases, the respective platform also collects data under its own terms, and we receive the necessary details (like the attendee list) from that platform.
Automated Collection (Website Analytics): When you use our website, certain data may be collected automatically via cookies and tracking codes – for instance, through Google Analytics, Meta Pixel (Facebook), Hotjar, etc. These tools gather information about how you use our site (e.g., which pages you visited, what link you clicked to arrive, a portion of your IP address). We discuss this in more detail in the Analytics and Cookies section below and in our Cookie Policy.
Importantly, all data provision is voluntary – you are not obliged to provide personal data. If you prefer not to share information (for example, if you seek only general information anonymously), you can choose to give minimal or no personal data. However, please note that certain services or interactions may require necessary data; if you choose not to provide this data, we may be unable to fulfill some requests or services.
Purposes and Legal Bases for Processing
We collect and use personal data for specific, legitimate purposes. Below is a summary of what we use personal data for, and the legal basis under the GDPR for each:
Contact and Communication (Responding to Inquiries): If you contact us (by email, phone, or via a form), we use your provided information to respond to your request and for any necessary follow-up communication. Legal Basis: This is usually considered a step at the request of the data subject prior to entering into a contract, or preparation for a contract (GDPR Article 6(1)(b)). For example, if you ask us for a service proposal, we will use your information to prepare and provide that proposal.
Providing Quotes and Contracting: Following an inquiry, if you request a service, we will prepare a tailored offer and, if it proceeds, handle the data needed to conclude a service contract (such as company name, contact person’s name and contact details, billing information). Legal Basis: Contract performance (GDPR Article 6(1)(b)) – processing is necessary to draft and execute the contract with you.
Service Delivery and Business Communication: For clients with whom we have an ongoing contract, we process relevant personal data to deliver our services and maintain communication. This includes liaising with the client and their designated contact persons about training details, schedule changes, follow-ups, etc., using the necessary contact information. Legal Basis: Contract performance (GDPR Article 6(1)(b)), as this communication is part of delivering the service. In some cases, where we are dealing with personal data of individuals who are representatives or employees of our client, our legitimate interest in effective business communication may also be a basis (GDPR Article 6(1)(f)).
Sending Newsletters and Marketing Communications: For individuals who have explicitly consented (e.g., by subscribing to our newsletter or asking to receive updates during a quote request), we send periodic or occasional email newsletters about our company news and services. Legal Basis: Your consent (GDPR Article 6(1)(a)). You can withdraw this consent at any time – every newsletter email contains an easy unsubscribe link, and you can also request removal by contacting us. If you unsubscribe, we will stop sending you newsletters immediately.
Statistical Analysis and Service Improvement: We may analyze usage data (such as website visitation statistics via Google Analytics) in anonymized or aggregated form to improve our website and services. For these analytics, we only use data that does not identify you as an individual. If any analytics data could potentially identify you, we will only use it with your prior consent (for instance, via cookies). Legal Basis: Our legitimate interest in improving our services (GDPR Article 6(1)(f)). In cases where we use certain analytics cookies that can identify individuals, we rely on your consent (GDPR Article 6(1)(a)) obtained through the cookie consent mechanism.
Remarketing and Online Advertising: With your consent via our cookie banner, we may use cookies (e.g., the Facebook/Meta Pixel) to show targeted advertisements for our services to people who visited our website, when they later browse Facebook/Instagram or other partner sites. This practice is known as remarketing and helps us reach potentially interested audiences. Legal Basis: Consent, given by accepting the relevant cookies (GDPR Article 6(1)(a)). You can manage your cookie preferences at any time via our Cookie Policy controls.
Event Organization and Execution: If you sign up for a training, workshop, or similar event, we process the data necessary to organize and run that event (name, job title, email, etc.). This can include compiling participant lists, sending reminders about the event date/time, sharing login links for online sessions, and so on. Legal Basis: Contract performance (GDPR Article 6(1)(b)), since providing the event or training to you is part of the service you signed up for.
Customer Service and Complaint Handling: If a client or prospective client asks a question or lodges a complaint, we use their personal data (such as name, email, and the content of the question/complaint) to address the inquiry or resolve the issue. Legal Basis: Our legitimate interest in ensuring customer satisfaction and improving our services (GDPR Article 6(1)(f)), and in some cases compliance with legal obligations (GDPR Article 6(1)(c)) – for example, consumer protection laws may require handling of complaints.
Fulfilling Accounting and Legal Obligations: We process certain personal data because we are legally required to do so. For instance, when issuing invoices or maintaining our books, we must include personal data like names and addresses on invoices and keep those records for the period mandated by law. We retain issued invoices and related accounting documents for the duration specified by the applicable laws (see Data Retention below). Legal Basis: Compliance with a legal obligation (GDPR Article 6(1)(c)). For example, under the Hungarian Accounting Act (Section 169(2)), we must keep invoices and accounting records for at least 8 years.
If in the future we intend to process personal data for any new purpose not covered above, we will provide prior notice to the individuals concerned and, if necessary, seek your consent before such processing.
Who Can Access Your Data (Recipients)
We strictly limit who has access to the personal data we handle. Only those persons or entities who need the data to fulfill the above-mentioned purposes are allowed access. We group the recipients as follows:
Internal Team: Within our company, only those employees who require access to personal data to perform their job duties can view or handle such data. For example, our sales and client relations staff will handle inquiry data, our trainers and project managers will access participant information during service delivery, and our administration/finance team will use data for invoicing and contracts. All employees operate under confidentiality and data protection obligations.
Data Processors and External Service Providers: In our operations, we rely on several external service providers (acting as data processors under the GDPR) to help with specialized tasks. These providers may process personal data on our behalf only to the extent necessary and strictly under our instructions, as governed by our data processing agreements (DPAs) with them. Our main data processor partners include:
Email and Office Tools (Cloud Services): We manage our corporate email accounts and documents using Google Workspace (provided by Google LLC). We also store certain files in Microsoft OneDrive (part of Microsoft Corporation’s services). These providers technically have access to our emails, calendars, and documents as part of their cloud services. (Privacy Policies: Google – see Google’s Privacy Policy; Microsoft – see Microsoft Privacy Statement.)
Customer Relationship Management (CRM) and Project Management: We keep track of client and partner contact details and sales processes in the Zoho CRM/Zoho Bigin system (offered by Zoho Corporation). For project tracking and coordination, we use Asana, an online project management tool (Asana, Inc.). These systems may contain information such as contact persons’ names, emails, company names, and summaries of communications. (Privacy Policies: Zoho – Zoho Privacy Policy; Asana – see Asana’s Privacy Statement on their website.)
Newsletter and Marketing Automation: We use the MailerLite platform to send out our newsletters and email campaigns (MailerLite is provided by UAB “MailerLite”, an EU-based company in Lithuania). Additionally, we share certain content and online course materials via the Kajabi platform (Kajabi LLC, USA). These services help us manage our subscriber lists and email distributions. Of course, if someone unsubscribes from the newsletter or requests deletion, we promptly remove their data from these systems. (Privacy Policies: MailerLite – MailerLite Privacy Policy; Kajabi – Kajabi Privacy Notice.)
Website Hosting and IT Infrastructure: Our website (eureka.hu) is hosted by Tárhely.EU Kft., a Hungarian hosting provider. Personal data submitted through our website (for example, information you enter in a contact form) is stored in a password-protected, encrypted database operated by Tárhely.EU. As our data processor, Tárhely.EU ensures appropriate security measures to protect the stored data. (Privacy Policy: Tárhely.EU – available on their website, in Hungarian.)
Appointment Scheduling: We occasionally offer online appointment scheduling using Calendly (Calendly LLC, USA). When you book a meeting through Calendly, the information you provide (name, email, and other booking details) is stored in Calendly’s system and then passed on to us (e.g., we receive an email notification of your booking). Calendly acts as a processor on our behalf, and we have a data processing agreement with them that ensures GDPR compliance – including the use of Standard Contractual Clauses for EU–US data transfers. Calendly LLC is also certified under the EU–US Data Privacy Framework program, indicating its adherence to EU-equivalent data protection standards. (Privacy Notice: Calendly Privacy Notice.)
Analytics and Tracking: To analyze our website’s traffic and usage, we use Google Analytics (Google LLC), and for marketing purposes we utilize the Meta Pixel (from Facebook/Meta Platforms, Inc.). We may also integrate Hotjar for anonymized tracking of user behavior on our site. These providers collect data via cookies or code snippets about our site visitors – for example, which pages were viewed, where a visitor clicked from, and partial IP address information. The data collected is processed in their systems and they provide us with aggregated reports (we do not see individual profiles from these tools). Importantly, any such analytics or marketing data collection only occurs with the user’s consent (through our cookie consent banner). (Privacy Policies: Google Analytics – see Google’s Privacy & Data practices for Analytics; Meta – see Meta’s Data Policy; Hotjar – see Hotjar Privacy Policy.)
Billing and Accounting: For issuing invoices, we use the Billingo online invoicing software (developed by Octonull Kft., Hungary). The Billingo system stores the data included on invoices, such as the client’s billing name and address (and tax ID if provided), along with invoice details. Billingo, as our processor, retains these invoicing data for the period required by law. In addition, we employ an external accounting firm (Margo 95. Bt.) to perform bookkeeping tasks. The accounting firm receives only the information necessary for their work (e.g., copies of invoices and relevant parts of contracts) and processes that data strictly for the duration mandated by legal requirements. The accounting firm is also considered a data processor; we have a contract in place with appropriate confidentiality and data protection clauses. (Privacy Policy: Billingo – available on Billingo’s website in Hungarian.)
Communication Platforms: For online meetings and virtual training sessions, we often use platforms such as Zoom (Zoom Video Communications, Inc.), Microsoft Teams (part of Microsoft’s services), or Google Meet (Google LLC). If you join a meeting or session via one of these platforms, please be aware that the platform will also process your personal data in accordance with its own privacy policy – this may include your name and email when logging in, and potentially audio/video data if the meeting is recorded. In these cases, the platform provider is an independent data controller for the data it processes. We receive only the information necessary for the meeting (for example, a list of participants or chat messages during the session). We do not record any online meeting or event without obtaining separate explicit consent from all participants. (Privacy Policies: Zoom – Zoom Privacy Statement; Microsoft – Microsoft Privacy Statement; Google Meet – covered under Google’s Privacy Policy.)
Other Partners (Subcontractors): If, in the course of providing our services, we engage any other subcontractors (for example, an external trainer, coach, or consultant), we may share personal data with them as needed to fulfill the contract. For instance, if we run a large training program and bring in an outside trainer to help, that trainer will receive the list of participants, their roles, and any other information necessary to carry out the training. In all such cases, we ensure there is a data processing agreement or confidentiality agreement in place with these partners, obliging them to handle personal data confidentially and in line with our instructions.
Authorities and Legal Obligations: We do not disclose personal data to any third party unless we are required to do so by law or an authoritative order. For example, if a regulatory authority or law enforcement (with proper legal authority) requests data – such as the Hungarian National Tax and Customs Administration (NAV) or a court – we are obligated to provide the requested information. In such cases, we will only share the data that is necessary and specifically requested, and we document these disclosures (e.g., by keeping a record of what data was handed over).
We guarantee that we do not sell your personal data or make it publicly available. All our data processor partners are bound by written agreements that ensure they can only use the data for our specified purposes, and they must delete or return the data to us once their services are completed or the agreement ends.
Other Partners (Subcontractors): If, in the course of providing our services, we engage any other subcontractors (for example, an external trainer, coach, or consultant), we may share personal data with them as needed to fulfill the contract. For instance, if we run a large training program and bring in an outside trainer to help, that trainer will receive the list of participants, their roles, and any other information necessary to carry out the training. In all such cases, we ensure there is a data processing agreement or confidentiality agreement in place with these partners, obliging them to handle personal data confidentially and in line with our instructions.
Authorities and Legal Obligations: We do not disclose personal data to any third party unless we are required to do so by law or an authoritative order. For example, if a regulatory authority or law enforcement (with proper legal authority) requests data – such as the Hungarian National Tax and Customs Administration (NAV) or a court – we are obligated to provide the requested information. In such cases, we will only share the data that is necessary and specifically requested, and we document these disclosures (e.g., by keeping a record of what data was handed over).
We guarantee that we do not sell your personal data or make it publicly available. All our data processor partners are bound by written agreements that ensure they can only use the data for our specified purposes, and they must delete or return the data to us once their services are completed or the agreement ends.
International Data Transfers
We primarily store and process personal data within the European Union. However, some of our service providers are located outside the EU (notably in the United States), or may use servers located outside the EU. This means that in certain situations, your personal data might be transferred to, or accessed from, a country outside the European Economic Area (EEA). In particular, the following partners might involve international data transfers:
Google LLC (USA): (Services: Google Workspace, Google Drive, Google Meet, YouTube, Google Analytics) – Google operates a global cloud infrastructure. According to Google’s public statements, it has adhered to the new EU–US Data Privacy Framework and also employs the European Commission’s Standard Contractual Clauses (SCCs) as a transfer mechanism[48]. These measures are aimed at ensuring that data transferred to Google’s U.S. operations is protected in line with EU standards.
Meta Platforms, Inc. (USA): (Services: Facebook, Instagram, Meta Pixel) – Meta is headquartered in the U.S., so personal data collected via Meta integrations (like the Facebook Pixel on our site or if you interact with our Facebook/Instagram pages) may be transferred to the U.S. Meta relies on SCCs for such transfers, and after a 2023 fine in the EU, Meta has stated its commitment to compliance and has since also joined the EU–US Data Privacy Framework. (Note: Being part of the Data Privacy Framework means Meta is committed to EU-level data protection principles for relevant data transfers.)
Zoom Video Communications, Inc. (USA): (Service: Zoom meetings) – Data from using Zoom may be transferred to the U.S. Zoom has adopted SCCs and other safeguards to protect EU personal data when it’s transferred internationally.
Calendly LLC (USA): – As mentioned in the Appointment Scheduling section, Calendly participates in the EU–US Data Privacy Framework. This certification indicates that Calendly upholds EU-like data protection standards for data it handles in the U.S., providing an additional safeguard for cross-border data flows.
Kajabi LLC (USA): – Kajabi’s platform is based in the U.S., which means data (such as online course content or related user information) likely resides on servers in the U.S. Kajabi asserts that it operates in compliance with GDPR requirements according to its own policies. In practice, this typically means Kajabi also uses measures like SCCs and implements security controls for EU data.
Asana, Inc. (USA): – The Asana project management service by default stores customer data in the U.S. However, Asana now offers options for data residency, including EU data centers for certain customers. Asana covers its international transfers with GDPR-required mechanisms: it is listed as certified under the Data Privacy Framework and uses SCCs as needed. Asana’s statements note that European customers can opt to have data hosted in Europe, and that all transatlantic transfers are protected by appropriate legal safeguards.
OpenAI, Inc. (USA): – We may use the OpenAI ChatGPT service experimentally for some internal tasks (such as drafting content or administrative support). We are mindful that OpenAI’s infrastructure is in the U.S. Importantly, we do not input any personal data (for example, any client-specific information) into ChatGPT. If we ever consider using such AI tools with sensitive information, we will only do so in an anonymized way or with the individual’s consent. OpenAI has published terms and information regarding its data handling and has committed to GDPR compliance in its services. (For more details, see OpenAI’s documentation and OpenAI’s Privacy Policy.)
For all transfers outside the EU, we ensure that one of the safeguards permitted by the GDPR is in place. In practice, this means that either:
The recipient is certified under an EU-recognized adequacy framework that deems their data protection as sufficient (for instance, they have a valid certification under the EU–US Data Privacy Framework, as in the case of some providers above), or
We have signed the Standard Contractual Clauses (SCCs) with the non-EU service provider, which are standard data protection contract terms approved by the European Commission. Where necessary, we also supplement these SCCs with additional technical and organizational measures to enhance data security.
If you would like more information about international data transfers related to your personal data (for example, to see copies of the SCCs or details about other safeguards), you can contact us and we will be happy to provide further information. We continuously monitor developments in the law and guidance around international data transfers, and if needed, we will take additional steps to ensure your data remains protected.
Data Retention Periods
We do not keep personal data longer than necessary for the respective purposes. We determine a retention period for each category of data or purpose, as summarized below:
Inquiries and Prospective Client Data: If you request a quote or send us an inquiry but do not end up becoming a client, we will retain the personal data from that correspondence for 5 years. We found that within a 5-year period, it’s not uncommon for an interested person to reconnect or for a previously dormant conversation to resume. (If the nature of your inquiry suggests we should keep data longer – for example, a detailed bespoke proposal that might be relevant beyond 5 years – we will inform you about that extended retention separately.)
Contractual Client Data: If you become a client, we will retain your contract and related communications for the duration of the contract and thereafter for the period of the statute of limitations for civil claims – typically up to 5 years after the contract ends. This is to be prepared in case any legal claims or disputes arise between us. Some information (like internal reports or performance evaluations from the project) may be kept longer for our internal statistics or reference, but in those cases we will remove or anonymize any personal data if possible.
Billing and Accounting Records: Any personal data appearing on our issued invoices (such as billing name and address) will be retained for 8 years from the date of the invoice. This retention period is mandated by law – for example, under Hungary’s Accounting Act, invoices and accounting documents must be preserved for at least 8 years. The same 8-year requirement applies to other supporting documents for our bookkeeping (e.g. contracts, performance records that contain personal data relevant to financial records).
Business Contacts (CRM Database): If you are a contact person for one of our clients, partners, or leads, we will keep your contact information (name, email, phone number) in our CRM as long as the business relationship is active. If you ask us to delete your contact information, we will do so. We also proactively update or remove contact data if we discover it’s out of date (e.g., if emails to you bounce, or we learn you have left the company in question). We periodically (at least annually) review our CRM contacts and purge those that have been inactive or are no longer relevant for business purposes.
Newsletter Subscribers: If you have signed up for our newsletter, we will retain your subscription data (name and email) until you unsubscribe. If you unsubscribe, we will immediately remove your data from our mailing list and cease sending you newsletters. (In practice, we use MailerLite’s “Forget” function to fully erase your data from our email system, which permanently deletes your information in compliance with GDPR.)
Website Visitor Data (Cookies): For data collected via cookies and similar trackers, the retention depends on the type of cookie and the provider. We only set analytics and marketing cookies with your consent, and you can find detailed information about each cookie’s lifespan in our Cookie Policy. Generally speaking: Google Analytics cookies expire after 14 months unless you visit again (in which case the timer resets); Hotjar stores its collected data for up to 1 year; and Meta (Facebook) Pixel data is retained in identifiable form for up to 180 days by Meta, after which it’s aggregated or anonymized. These durations are subject to change by the providers, but you always have control – you can delete cookies from your own browser at any time, and you can change or withdraw your cookie consent on our site at any time.
Event Attendance Data: If you attend one of our events (such as a training workshop or webinar), we use your personal data to organize and carry out the event. After the event is over, if there’s no further legal need to keep your data, we will typically delete or anonymize event-related personal data within 2 years. For example, the registration list or attendance sheet will be disposed of after this period. An exception is if you gave us consent to contact you for future opportunities – in that case, we would move your data into our CRM or newsletter system (according to what you consented to) and continue to retain it under those uses (as described above).
When we carry out deletions, we follow our internal policies to ensure data is properly erased. For electronically stored data, we delete records in such a way that they cannot be restored. For any personal data held on paper (e.g., printed agreements), we perform secure destruction (such as shredding) once the retention period ends.
If you request deletion of your personal data and there is no other legal basis for us to keep it (for instance, no overriding law requiring retention), we will honor your request and delete the data. We aim to do this without undue delay, and in any case within one month of your request, and we will confirm to you once it’s done.
Children’s Data and Sensitive Personal Data
As noted earlier, we do not knowingly collect data from children under 18, and our services are directed to adults in a business context. We also do not process any special categories of personal data as defined by GDPR – for example, we won’t ask for or handle information about your health, ethnicity, political views, religious beliefs, sexual orientation, or similar sensitive data. In the unusual event that such sensitive information comes to us (for instance, if you voluntarily provide it in a communication), we will treat it with extra care and only retain it if absolutely necessary and with an appropriate legal basis.
(One specific scenario: the results of the CliftonStrengths personality test used in some of our workshops are considered personal data, but not “sensitive data” under GDPR. We address how we handle those results in the CliftonStrengths Data section below, ensuring they are kept confidential and only used for your personal development.)
CliftonStrengths Assessment Data
One of our services includes workshops and coaching built around the Gallup CliftonStrengths assessment (formerly known as StrengthsFinder). This involves handling data related to participants’ CliftonStrengths test results and reports. Because these results provide a profile of an individual’s personal characteristics, they are sensitive from the participant’s perspective (even if they are not classified as special category data under GDPR). We therefore follow a specific data handling practice for CliftonStrengths programs:
Registration and Taking the Test: Participants complete the CliftonStrengths assessment directly on Gallup, Inc.’s online platform. Each participant receives a unique invitation link from us (generated through Gallup’s system) that directs them to the Gallup Access (MyGallup) site. There, the participant creates their own Gallup account (providing details such as first name, last name, email – which can be a personal email – username, password, country, postal code) and must accept Gallup’s terms of use and privacy policy. The test itself is completed within this private Gallup account environment.
Data Storage Location: The CliftonStrengths test results and personalized reports are stored on Gallup’s system. According to Gallup’s privacy information, it stores data on servers in the United States and other regions, in compliance with applicable international data protection requirements. When participants register and take the assessment, they are providing their data directly to Gallup – thus, for the data in Gallup’s system, Gallup is an independent data controller responsible for that data. (For details, refer to Gallup’s own privacy and data protection materials.)
Eureka Games Kft.’s Access to Results: As the workshop facilitator, we (Eureka Games Kft.) receive access to the CliftonStrengths reports of participants, but strictly with the participants’ prior consent. Only individuals who need to see the reports for running the workshop (for example, the trainer/coach and possibly a program coordinator) will have access, and they act under our authority as data processors. We ensure that each of these persons is bound to confidentiality and they only access the data for the necessary duration and purpose – namely, to conduct the workshop and any agreed follow-up coaching sessions.
Use and Non-Disclosure of Results: We use the CliftonStrengths reports exclusively for the development of the participants during the workshop (and related coaching). We do not share the reports or test results with any third party. For example, if a participant’s employer sponsored the program, we will not give the employer copies of the participant’s personal Strengths report or test outcomes without the participant’s permission.
Legal Basis for Processing: Participation in a CliftonStrengths program is voluntary. The data processing related to it is based primarily on the participant’s consent (GDPR Article 6(1)(a)). In cases where the program is arranged by an organization for its employees, the processing may also be related to the performance of our contract with that organization (GDPR Article 6(1)(b)), as the organization engaged us to deliver the program to the participants. In practice, the participant gives consent to Gallup for administering the test and handling their data when they sign up on Gallup’s site, and they consent to our use of the results by registering for the program and agreeing to our Privacy Notice. By doing so, they allow us to utilize their Strengths results for their development process within the program.
Summary of Handling: We emphasize that we do not carry out any processing involving children or highly sensitive data. In the case of CliftonStrengths, the personal results are used solely to benefit the participants’ own development. They are handled in a strictly controlled and confidential manner – accessible only to authorized personnel under obligations of secrecy, and not disclosed beyond the context of the development program.
Your Rights as a Data Subject
Under data protection laws (notably the GDPR), you have several rights regarding your personal data. You can exercise these rights at any time by contacting us (see Data Controller Information above). We will respond to your request without undue delay, and in any event within 1 month of receiving it (this deadline can be extended by up to 2 further months if necessary due to complexity or number of requests, but we would inform you of any extension). These rights include:
Right to Access: You have the right to ask us whether we are processing your personal data, and if so, to receive information on that data. This includes details about what specific data we have, the purposes of processing, the sources of the data, how long we plan to keep it, and who it has been shared with, among other details. You also have the right to obtain a copy of your personal data that we hold. We will provide the first copy of your data free of charge, either electronically or on paper. If you request further copies, we may charge a reasonable fee to cover administrative costs.
Right to Rectification: You have the right to request that we correct or update any of your personal data that is inaccurate or incomplete. If you become aware that something like your name or contact information we have on file is wrong, please let us know and we will fix it. Similarly, if we detect that data we hold is outdated or incorrect, we will reach out to update it – we appreciate your assistance in keeping your data up to date.
Right to Erasure: You can request that we delete your personal data in certain circumstances (“right to be forgotten”). This right applies, for example, if the data is no longer needed for the purpose it was collected; or if you initially consented to a processing and later withdraw that consent, and we have no other legal basis to continue; or if you object to a processing based on our legitimate interest and we have no overriding reason to continue; or if we processed your data unlawfully. If you request deletion, we will also notify any processors or recipients who have your data, where required. Please note that this right is not absolute – there are exceptions. For instance, if we are legally required to keep certain data (e.g., invoices for tax purposes), or if the data is needed for legal claims, we cannot immediately delete those. In such cases, we will inform you, and we will restrict the data from being used for any other purpose until it can be deleted.
Right to Restriction of Processing: You have the right to ask us to limit the processing of your data in specific situations. This means we would store the data but not use or process it further until the restriction is lifted. You might request restriction if: (a) you contest the accuracy of your data – we’ll restrict processing while we verify the accuracy; (b) you believe the processing is unlawful but you prefer the data not be deleted; (c) we no longer need the data, but you need us to keep it for the establishment, exercise, or defense of legal claims; or (d) you have objected to processing (see next bullet) and are awaiting verification of whether our grounds override yours. If processing is restricted, we will inform you before we lift the restriction and resume processing the data.
Right to Data Portability: For data that you have provided to us and that we process by automated means on the basis of your consent or a contract, you have the right to get that data in a structured, commonly used, machine-readable format (for example, a CSV file). You also have the right to request that we transfer that data directly to another service provider (where technically feasible). This right is designed to make it easier for you to reuse your data across different services.
Right to Object: You have the right to object to our processing of your personal data when that processing is based on our legitimate interests. If you file an objection, we must stop processing the data unless we have compelling legitimate grounds for the processing that override your rights and interests, or if we need to continue processing for the establishment, exercise, or defense of legal claims. Importantly, if your data is being processed for direct marketing purposes and you object, we will stop the processing for those marketing purposes immediately and without exception (this includes profiling related to direct marketing).
Right to Withdraw Consent: If we are processing any of your data based on your consent, you have the right to withdraw that consent at any time. If you withdraw consent, we will stop the processing that was based on it. Please note that withdrawing consent does not affect the lawfulness of processing we carried out before your withdrawal. For example, if you had consented to receive our newsletter and later opt out, it doesn’t invalidate the fact that we sent you newsletters while your consent was in effect – it just means we will stop sending them going forward. (As mentioned above, unsubscribing from our newsletter is an easy way to withdraw that particular consent.)
To exercise any of these rights, please contact us via the communication channels listed in the Data Controller Information section. It’s helpful (but not required) if you can mention the context of your relationship with us or provide the email address you used when interacting with us, so we can locate your data more efficiently. We will respond to your request as described (usually via email, unless you request another method). There is no fee for exercising your rights. However, if a request is manifestly unfounded or excessive – for example, if you make repetitive requests – we are allowed by law to charge a reasonable fee to cover administrative costs, or potentially to refuse the request in extreme cases. We would inform you if that situation arises.
Remedies and Complaints
We hope to address any concerns you have about how we handle your data. However, if you believe we have violated data protection laws or your privacy rights, you have a few avenues for recourse:
Contacting Us First: We encourage you to reach out to us with any complaint or issue. We are committed to resolving problems in a fair and prompt manner. Your satisfaction with our data practices is very important to us, and we will do our best to address your concerns quickly and transparently. Often, a direct conversation can clear up misunderstandings or allow us to fix an issue to your satisfaction.
Lodge a Complaint with a Supervisory Authority: You have the right to file a complaint with the relevant data protection supervisory authority. In Hungary, this is the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, or NAIH)[106]. The contact details for NAIH are:
Address: 1055 Budapest, Falk Miksa utca 9-11., Hungary
Mailing Address: 1363 Budapest, Pf. 9.
Phone: +36 (1) 391-1400
Email: ugyfelszolgalat@naih.hu
Website: www.naih.hu [106]
If you choose to lodge a complaint, you should describe the situation and explain what outcome or action you expect from the authority. The supervisory authority will then investigate the matter and inform you of the result of your complaint.
Judicial Remedy (Court Action): If you believe your rights have been infringed by our data handling, you also have the right to take the matter to court. You can initiate a civil lawsuit against Eureka Games Kft. Such a lawsuit can be filed in a Hungarian court, and you have the option to do so at the court of your place of residence or stay (i.e., you don’t necessarily have to file in the city where our company is based). The courts are required to handle data protection cases with priority. If the court finds that we violated your rights, it can order measures to rectify the situation.
Compensation and Damages: Under the GDPR and Hungarian law, if you suffer material or non-material damage as a result of an infringement of data protection laws by us or by one of our processors, you may be entitled to compensation. For instance, if our unlawful processing of your data caused you financial loss, you can claim damages; or if it infringed your personality rights (such as a violation of privacy causing you emotional harm), you may claim a penalty. We will be liable for any damage caused by our processing unless we prove that we were not responsible in any way for the event giving rise to the damage (for example, if a breach was entirely caused by an unforeseeable external event despite all security measures). If you intend to seek compensation, this would typically be pursued through the courts.
Important: Before resorting to formal remedies, we kindly suggest giving us a chance to address the issue. We value the trust you place in us and will make every effort to resolve any complaint amicably and swiftly. Transparency and lawfulness are the cornerstones of our data practices, and we want you to feel confident and satisfied with how we handle your information.
This Privacy Notice is effective from September 1, 2025. We may update this Notice from time to time. In the event of significant changes, we will notify you in an appropriate manner (for example, via email or through our website). The current version of the Privacy Notice will always be available on our website.
Contact
Wondering how it all works? Let’s talk.
Pick a time that works for you and someone from our team will answer all your questions.
Your chosen slot will automatically appear in your calendar.
Copyright © 2025 EUREKA GAMES Ltd. – All rights reserved