Contact

Privacy Policy

KALU Creative Kft. Detailed Privacy Policy

Last Modified: 30 December 2025

1. GENERAL INFORMATION

KALU Creative Ltd. (“Data Controller” or “KALU Creative”) is engaged in content creation, marketing services, social media management, and influencer marketing. In connection with these activities, the Data Controller processes information considered “personal data” under Article 4(1) of EU Regulation 2016/679 (the “GDPR”) relating to its contractual partners, as well as their representatives, contacts, and other persons as defined in this privacy notice (“Notice”) (collectively: “data subjects”).

This Notice provides information about the processing of such personal data and the rights and remedies available to data subjects in relation to data processing.

It explains the purposes, legal bases, retention periods, and recipients of personal data, as well as other characteristics of our data processing activities. It also informs data subjects about their rights and remedies related to our data processing activities.

Please read this Notice carefully. If you have any questions or requests regarding data processing conducted by the Data Controller, please contact us at the following:

Data Controller Contact Information:
KALU Creative Ltd.
Registered office: 1025 Budapest, Szeréna út 39, Building 1, 1st Floor, Door 4
Company registration number: 01-09-415947
Email: [email protected]
Website: https://kalucreative.com/ (“Website”)

Important note: For data processing performed on behalf of clients, the client is considered the data controller, and KALU Creative acts as the client’s data processor. In all other cases, KALU Creative is the Data Controller. This Notice applies to data processing performed by KALU Creative as a Data Controller. For processing on behalf of clients, the client’s privacy notice applies.

This Notice should also be interpreted in line with relevant contractual terms in agreements with KALU Creative’s clients, partners, and subcontractors.

What qualifies as personal data?
Personal data is any information relating to an identified or identifiable natural person (data subject). A natural person is identifiable if they can be identified directly or indirectly, particularly via an identifier such as a name, number, location data, online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity. Examples include the name, email, and contract-related data of a user, client, or partner representative.

Special categories of personal data
These include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, and data concerning sexual life or orientation.

KALU Creative’s activities do not require the processing of such special data. Data subjects are requested not to provide it. If such data is received (e.g., unlawfully provided by another person), it will be deleted immediately.

Who may be considered a data subject?
KALU Creative may process the data of:

  • Clients, their authorized representatives, contacts related to the provision of services.

  • Extras and models in relation to the promotion of services; in such cases, clients are considered controllers, and KALU Creative acts as a processor.

  • Other partners (subcontractors, influencers), their representatives, and contacts in relation to contract performance.

  • Registrants and participants of KALU Academy and their contacts.

  • Persons contacting KALU Creative with inquiries, complaints, or claims.

  • Individuals related to marketing communications.

  • Applicants submitting materials for competitions, for evaluation purposes.

  • Data subjects involved in enforcing privacy rights, handling requests, and incidents.

  • Visitors to the Website, under the separate COOKIE POLICY.

How do we protect data subjects’ data?
We are committed to protecting personal data and ensure compliance with applicable laws. We follow these principles:

  • Only process personal data lawfully.

  • Process data only for specific, limited purposes and durations.

  • Take technical and organizational measures to ensure data security.

  • Assist data subjects in exercising their rights.

2. UPDATES AND AVAILABILITY OF THIS NOTICE

The Data Controller reserves the right to unilaterally modify this Notice. Changes may be made due to legislation, regulatory practices, business needs, new processing purposes, newly discovered security risks, or feedback from data subjects. Data subjects will be informed in advance where required.

3. SPECIAL DATA PROTECTION REQUIREMENTS

KALU Creative complies with the following legal requirements during data processing:

  • Accounting Act (“Sztv.”): Act C of 2000 on Accounting

  • Tax Administration Act (“Art.”): Act CL of 2017 on Tax Procedures

  • Information Act (“Infotv.”): Act CXII of 2011 on informational self-determination and freedom of information

  • GDPR: EU Regulation 2016/679

  • Electronic Commerce Act (“Elkertv.”): Act CVIII of 2001

Data may be collected from the data subject voluntarily, authorized third parties, or public sources. Those providing personal data must ensure proper authorization is in place. KALU Creative may verify legal bases for processing, such as requesting authorization or consent from the data subject.

4. DESCRIPTION OF SPECIFIC DATA PROCESSING ACTIVITIES

The scope of personal data, purposes, legal basis, retention periods, and other details are listed in the Annex Tables at the end of this Notice.

5. DATA PROCESSORS

Data processing tasks are performed by contractual partners acting as processors, including:

Sybell Informatika Ltd. – Website hosting
KBOSS.hu Ltd. – Invoicing services

Processors are required to provide sufficient guarantees that GDPR requirements are met. After processing, data is either returned or deleted unless legal obligations require storage.

6. TRANSFERS TO OTHER CONTROLLERS

Personal data may be shared with other data controllers, such as:

Skool.com, Inc. – platform provider for KALU Academy

Meta Platforms Ireland Limited – joint controller for social media pages (e.g., Facebook) and services, according to Meta’s Privacy Policy.

Transfers are based on GDPR Article 6(1)(f) – legitimate interest.

7. DATA SUBJECT RIGHTS AND REMEDIES

Rights include:

  • Access: Right to know if data is processed and details of processing.

  • Correction: Right to correct inaccurate data.

  • Erasure (“right to be forgotten”): Right to deletion under certain conditions.

  • Restriction of processing: Right to limit processing under certain circumstances.

  • Data portability: Right to receive data in a structured, machine-readable format and transfer to another controller.

  • Objection: Right to object to processing based on legitimate interest or direct marketing.

  • Complaint to supervisory authority: Right to file complaints with the relevant authority (in Hungary: NAIH – http://naih.hu)

  • Judicial remedies: Right to effective judicial remedy against decisions of the supervisory authority or the controller.

Requests must be processed without undue delay, normally within one month (extendable by two months if complex). Responses may be provided electronically.

Fees: Requests should generally be free, except for clearly unfounded or excessive requests, where reasonable fees may apply.

8. COOKIES

Information on cookies used on the Website is available in the COOKIE POLICY document.

ANNEX: TABLES PRESENTING SPECIFIC DATA PROCESSING OPERATIONS
Data processing related to statistics and models

Purpose of processing your data:
Processing the data of statistics and models for the purpose of promoting the services of the Data Controller, or those of its client (if relevant), and providing information about them (including, in particular: publication on websites, social media pages, video-sharing platforms (e.g., YouTube channel), through press and media, use by client-related companies or supporting partners in advertising campaigns or marketing activities). Data processing may also occur for reference purposes, as well as for the Data Controller’s participation in tenders and applications, or for internal training purposes.

Legal basis for processing your data:

  • For natural person partners: the Data Controller processes your data for the above purposes because it is necessary for the performance of the contract with you, or to take steps at your request before entering into the contract (GDPR Article 6(1)(b)). Additionally, processing of your image and voice recordings is based on your consent (Civil Code 2:48 § (1)).

  • If you act on behalf of a legal entity or other organization (e.g., your employer or a company where you are an executive officer), your data is processed based on the legitimate business interest of the Data Controller and the entity you represent (GDPR Article 6(1)(f)). The legitimate business interest is the establishment and proper performance of a contract between the Data Controller and the (potential) partner, and strengthening business relations.

  • The Data Controller also processes recordings of groups or public events based on legitimate interest (GDPR 6(1)(f), Civil Code 2:48 § (2)). The legitimate interest includes promoting the Data Controller and its clients, services, or contents, and enhancing business/professional reputation, campaign success.

  • Data may also be processed to comply with applicable tax and accounting obligations (GDPR 6(1)(c)), including data of children’s legal representatives (Civil Code 2:12 § (1), 2:14 § (1)). Children may exercise their data protection rights when they reach adulthood.

Are you obliged to provide your data?
You are free to decide whether to participate in campaigns or recordings organized by the Data Controller. In such cases, your data is processed to create and perform the relevant contract and to support/conduct the campaign. Additionally, your data is processed to fulfill legal obligations (including tax and accounting obligations). For children, data of their legal representatives is required by law.

What data do we process?
For contract performance, marketing organization, advertising and marketing services, or campaign support:

  • Name

  • Contact details (address, email, phone, position/authority if representing a legal entity)

  • Contract characteristics and related documentation

  • Data of the person or organization represented (if relevant)

  • For children: parental consent statements

  • Recordings of the individual (image and voice)

Data retention period:

  • Data processed for contract duration or campaign-related purposes is retained until the campaign ends or objection is raised (for legitimate interest-based processing).

  • Data processed for contract performance is stored for 5 years after contract termination (Civil Code 6:22 § (1)).

  • Data required for tax obligations: 5 years from the end of the calendar year in which tax reporting/payment was required.

  • Data required for accounting obligations: 8 years (Accounting Act §§168–169).

Who do we share your personal data with?

  • Partners providing website hosting, accounting, and invoicing services.

  • Clients, other partners (e.g., subcontractors), and their representatives in connection with contract performance.

Data processing related to KALU Academy

Purpose of processing your data:
Participation and registration in KALU Academy.

Legal basis for processing your data:

  • For natural persons: necessary for contract performance or steps at your request before the contract (GDPR 6(1)(b)).

  • For representatives of legal entities: legitimate business interest (GDPR 6(1)(f)), i.e., creation and performance of contracts and cooperation between parties.

Are you obliged to provide your data?
You may freely decide to register and participate. If registering on behalf of someone else, you may object to data processing (e.g., if contact person changes).

What data do we process?

  • Registration, subscription, contact person, participant data (name, email, employer, position), participation-related data, and technically necessary personal data.

Data retention period:

  • 5 years after contract termination (Civil Code 6:22 § (1)).

  • Registration and participation data not needed for contract proof are deleted within 30 days of registration deletion.

  • Data for tax/accounting obligations are retained as above (5 or 8 years).

Who do we share your personal data with?

  • SKOOL.COM, INC., accounting and invoicing service providers.

Data processing for job applicants

Purpose:
Managing applications for job openings, evaluating applications.

Legal basis:

  • Natural persons: necessary for contract performance or pre-contractual steps (GDPR 6(1)(b)).

  • Voluntary consent may allow retaining data to inform about similar positions (GDPR 6(1)(a)).

  • Legitimate interest allows retention for legal defense or protecting business/professional reputation (GDPR 6(1)(f)).

Are you obliged to provide your data?
You may freely apply for jobs. If applying, your data is processed to fill the position and evaluate applications.

What data do we process?

  • Data required for application evaluation, including CV and related documents (e.g., cover letter).

Data retention period:

  • Until the position is filled or the application is evaluated.

  • With consent, data may be retained up to 2 years for similar positions.

  • For legal defense, up to 5 years after application submission (Civil Code 6:22 § (1)).

Who do we share your personal data with?

  • Not applicable.

Data processing related to inquiries, complaints, and claims

Purpose:
Responding to inquiries and complaints, problem-solving, asserting or defending legal claims.

Legal basis:

  • Legitimate interest of the Data Controller (GDPR 6(1)(f)).

Are you obliged to provide your data?
No obligation, but if you submit an inquiry or complaint, relevant data is processed.

What data do we process?

  • Personal data of the person submitting the inquiry/complaint, contact data, content of the request, steps taken.

  • Data necessary for legal claims or defense, including identification data required by civil or enforcement law.

Data retention period:

  • 5 years from recording (Civil Code 6:22 § (1)).

Who do we share your personal data with?

  • Legal representatives and courts/authorities handling the case.

Data processing for marketing communication and newsletters

Purpose:
Sending marketing materials to clients and newsletter subscribers.

Legal basis:

  • Consent (GDPR 6(1)(a)).

  • Legitimate interest for former clients regarding similar services within 12 months (GDPR 6(1)(f)).

Are you obliged to provide your data?
No, but without consent, marketing materials cannot be sent. You can object to processing at any time.

What data do we process?

  • Name and email of the individual/organization, characteristics of previously used services.

Data retention period:

  • Until consent is withdrawn or objection is exercised.

Who do we share your personal data with?

  • Newsletter service provider.

Data processing for exercising data protection rights and incident management

Purpose:
Handling data subject requests, taking related measures, facilitating exercise of rights, managing incidents.

Legal basis:

  • Legal obligations (GDPR 6(1)(c)).

Are you obliged to provide your data?

  • May be necessary to handle requests, take measures, or investigate incidents.

What data do we process?

  • Request, name, and contact details of the data subject.

Data retention period:

  • 5 years from recording (Civil Code 6:22 § (1)).

Who do we share your personal data with?

  • Relevant data protection authorities and legal representatives if required.