Privacy Policy (GDPR)
Effective: 9 October 2025
This Privacy Policy ("Policy") provides detailed information, pursuant to Regulation (EU) 2016/679 (GDPR) and applicable Hungarian law, on how Bebők Bence, sole proprietor trading as SkillSwap, registered office: 1041 Budapest, Szigeti József utca 10. II/7a, company registration number: 61172506, tax number: 91453118‑1‑41 (the “Controller” or “we”) processes personal data when you use the SkillSwap online marketplace and related services ("Service").
In short: we process your personal data on the basis of contract performance (e.g., account, booking, subscription), legal obligations (billing), consent (newsletter, marketing cookies) or legitimate interests (fraud prevention, IT security). We protect your data with appropriate technical and organisational measures and retain it only for as long as necessary.
1. Controller and contact details
Controller: Bebők Bence, sole proprietor (SkillSwap)
Registered office: 1041 Budapest, Szigeti József utca 10. II/7a
Mailing address: 1041 Budapest, Szigeti József utca 10. II/7a
Email: hello@skillswap.hu
Phone: N/A
Website/domain: https://www.skillswap.hu
Representative: Bebők Bence – sole proprietor
Data protection officer: not appointed; please contact us at the above addresses.
2. Scope of the Policy
This Policy applies to all users of the Service (registered and guest), to providers/teachers using the Service, and to prospects, clients and contractual partners. The Service is provided from Hungary but is available within the European Economic Area. In case of cross‑border data transfers, see section 8.
3. Definitions
We use the terms "personal data", "processing", "processor", "controller", "EEA", "data subject" etc. as defined in Article 4 of the GDPR.
4. The Service and categories of data processed
In SkillSwap, users can create accounts, search for and book services, purchase credits, subscribe to Premium, use messaging and review functions. Payments are generally made via PayPal; invoicing is performed using the Számlázz.hu system. The main categories of data processed include:
- Identification and contact data: name, username, email address, phone number, billing and—if necessary—postal address.
- Account and profile data: password (stored only in encrypted form), profile picture, biography/skills, language preferences, favourites, notification preferences.
- Booking and marketplace data: searches, basket/bookings, service details, times, messages between parties, ratings and feedback.
- Subscription and credit transactions: package type, validity, transaction identifiers, fees and dates.
- Billing data: billing name/address, tax number (for businesses), invoice items and mandatory content.
- Payment data: payment status and identifiers (PayPal). We do not process bank card data; these are handled by the payment service provider.
- Technical and log data: device and browser information, IP address, login and security logs, cookies, analytics.
- Customer service data: inquiries, attachments, recordings (for telephone support), resolution notes.
5. Purposes, legal bases and retention periods
The table below summarises our main data processing activities. Where there is no legal obligation, retention lasts until the purpose is fulfilled and data is then deleted or anonymised.
| Purpose | Data processed | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Registration, account management | Identification and contact data, profile data | Art. 6(1)(b) – contract performance | Until account deletion + max. 6 months archived |
| Marketplace booking, fulfilment | Booking data, messages, reviews | Art. 6(1)(b) | Until contract performance + civil law limitation (usually 5 years) |
| Subscription and credit management | Package, transaction ID, status | Art. 6(1)(b) | Active subscription period + 5 years |
| Payment processing (PayPal) | Transaction metadata, status | Art. 6(1)(b) (contract) and PayPal’s own data processing | According to payment service provider rules; we keep only necessary records |
| Billing (Számlázz.hu) | Billing data | Art. 6(1)(c) – legal obligation (accounting) | 8 years (Accounting Act) |
| Customer service | Inquiry content, contact details | Art. 6(1)(b) or (f) – legitimate interest | 2 years from resolution |
| Security, abuse prevention | Logs, IP, events | Art. 6(1)(f) – legitimate interest | 6–24 months depending on incident |
| Assertion/defence of legal claims | Documentation of case | Art. 6(1)(f) | Until expiry of limitation periods (usually 5 years) |
| Newsletters, marketing | Name, email, preferences | Art. 6(1)(a) – consent | Until withdrawal |
| Analytics, performance measurement | Cookies, anonymous or pseudonymised identifiers | Art. 6(1)(a) – consent (for non‑essential cookies) | 6–26 months (depending on provider) |
We do not request or process special categories of personal data (GDPR Article 9). Please do not share such data on the platform.
6. Sources of data
We obtain personal data directly from you (registration, booking, forms, messages) or from contractual partners (e.g., payment service provider transaction notices). From public sources (e.g., company register) we obtain data only to the extent necessary for contracting.
7. Recipients, processors and independent controllers
Your data may be accessed to the extent necessary by the following:
7.1. Processors (acting on our behalf)
- Hosting/infrastructure provider: Rackhost Zrt. (Hungary) – 6722 Szeged, Tisza Lajos körút 41.; www.rackhost.hu; email: info@rackhost.hu; tax ID: 25333572‑2‑06; company registration: 06‑10‑000489
- Billing service provider: Számlázz.hu (KBOSS.hu Kft., Hungary) – invoicing and archiving
- Email/SMS provider: –
- Customer service/ticket system: –
- Analytics provider (if any): –
Processors are bound by contract and may not use your data for their own purposes.
7.2. Independent controllers
- PayPal – for payment processing. PayPal’s own privacy policy applies.
- Marketplace providers/teachers – when they request data from you to perform the service, they act as independent controllers (or in some cases joint controllers). Always read the provider’s own privacy notice.
- Authorities, courts – where we have a legal obligation.
8. International data transfers
Some recipients may be located outside the EEA (e.g., PayPal or cloud providers). We transfer data only if appropriate safeguards under the GDPR exist, in particular an adequacy decision (e.g., EU–US Data Privacy Framework) or the European Commission’s standard contractual clauses, with supplementary measures if necessary. Details are available on request.
9. Cookies and similar technologies
The website uses strictly necessary cookies for operation (e.g., session, login, security). We use statistical/analytics and marketing cookies only with your prior consent, which you can change or withdraw at any time in the cookie management interface.
Example table (sample):
| Category | Purpose | Example cookie | Lifetime |
|---|---|---|---|
| Necessary | session management | PHPSESSID | end of session |
| Preference | language setting | lang | 1 year |
| Statistics | measure visitors | _ga* | 6–24 months |
| Marketing | remarketing | _fbp | 3 months |
We may publish a detailed Cookie Policy separately.
10. Data security
We apply appropriate technical and organisational measures: TLS encryption, role‑based access, logging, regular updates and backups, permission management, two‑factor authentication for admin access, and data protection awareness training. In case of an incident we act in accordance with Articles 33–34 GDPR.
11. Processing of children's data
Our Service is not intended for individuals under the age of 16 (or the lower age limit applicable in your country). Registration of a minor requires the consent of a legal representative. If we become aware of an unauthorised account, we will delete it.
12. Rights of data subjects
Under the GDPR you have the following rights:
- Right of access – you can request information about the data processed.
- Right to rectification – correction of inaccurate data.
- Right to erasure – deletion of data in justified cases.
- Right to restriction – restriction of processing in disputed cases.
- Right to data portability – receive and transmit the data you provided in machine‑readable form.
- Right to object – object to processing based on legitimate interest and to direct marketing at any time.
- Withdrawal of consent – for processing based on consent you may withdraw at any time; this does not affect the lawfulness of processing prior to withdrawal.
Response time: we respond to your request within 1 month (extendable by a further 2 months if necessary, with reasons). Requests may be submitted via the contact details in section 1.
13. Automated decision‑making and profiling
We do not conduct automated decision‑making that produces legal effects or similarly significantly affects you. We may use recommendation systems and content personalisation to improve user experience—this is typically based on legitimate interests or consent and is not considered significant profiling under the GDPR.
14. Social media and external links
Data processing on our social media pages (e.g., Facebook, Instagram, LinkedIn, YouTube) is also governed by the rules of those platforms. Our website may contain links to external sites; we are not responsible for those sites.
15. Joint and independent processing on the marketplace
Service providers/teachers on the marketplace are usually independent controllers in relation to their clients. In certain processes (e.g., creating a booking) joint processing may occur; in that case the allocation of responsibilities is set out in a separate notice or agreement. You may submit your request to either party; we will cooperate to fulfil it.
16. Remedies
If you believe our processing of your data violates the GDPR, you may lodge a complaint with the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság – NAIH) or another supervisory authority, and you may also seek judicial remedy. Our contact details for queries are in section 1.
17. Updates to this Policy
We may update this Policy to reflect changes in our practices or legal requirements. We will post the updated version on our website and indicate the effective date. If the changes significantly affect you, we will provide notice.
Last updated: 2025‑10‑09