Privacy & Cookies Policy
Effective date: 5 August 2025
KrisztinaBerkes.com (“we”, “us”, “our”) respects your privacy. This notice explains what we collect, why, for how long, on what legal basis, with whom we share data, if we transfer data abroad, and what rights you have.
1) Controller & Contact
Controller: Berkes Krisztina
Registered address: 2097 Pilisborosjenő, Kevélyhegyi út 1., Magyarország
Privacy email: info@krisztinaberkes.com
Account deletion requests: contact@krisztinaberkes.com
Data Protection Officer: Not appointed.
2) What We Process, Why, Legal Bases, and Retention
| Purpose | Data categories | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Selling & delivering digital sheet music; account management | Name, email, account ID, purchased items, download/access logs | Contract (Art. 6(1)(b)) | For the life of the account; then delete/anonymize within 24 months, unless longer required by law |
| Payments & invoicing (via Paddle – Merchant of Record) | Name, email, billing address, payment metadata (no full card data), invoice details | Contract (Art. 6(1)(b)); Legal obligation (tax/accounting) (Art. 6(1)(c)) | 8 years for accounting records (Hungarian Accounting Act); then delete/archive |
| Newsletter/direct marketing | Email, name (optional), subscription status | Consent (Art. 6(1)(a)); Hungary requires opt-in for electronic marketing | Until withdrawal of consent or 24 months of inactivity |
| Authentication (Google SSO) | Email, first/last name, profile picture URL | Contract (Art. 6(1)(b)) | For the life of the account; delete on account deletion |
| Analytics (Google Analytics 4) | Device/browser info, on-site events, coarse location; identifiers via cookies | Consent (Art. 6(1)(a)) — disabled until you consent | Per GA settings; currently 14 months. GA4 doesn’t log/store IP addresses |
| Customer support & legal claims | Emails/messages, order data, logs needed to establish/defend claims | Legitimate interests (Art. 6(1)(f)) | For the limitation period (up to 5 years) or while a dispute is ongoing |
3) Sources of Data
Directly from you (checkout, account, newsletter, support) and—if you choose SSO—from your SSO provider.
4) Recipients/Processors
- Payments (Merchant of Record): Paddle – processes payments and issues invoices.
- Analytics: Google Analytics 4 (only with your consent).
- Hosting/CDN: Hetzner (Nuremberg Data Center, Germany – EEA).
- Email/newsletter infrastructure: self-hosted solution on HostingBázis (Hungary – EEA).
We do not sell personal data.
5) International Data Transfers
- United Kingdom (Paddle): EU adequacy currently permits transfers. If adequacy ends, we will use Standard Contractual Clauses (SCCs).
- United States (Google): Google participates in the EU–US Data Privacy Framework; where SCCs are used, we apply supplementary measures and Consent Mode.
6) Cookies & Similar Technologies
We use strictly necessary cookies (set without consent) and analytics cookies (set only with consent).
Strictly necessary (no consent):
_loginSession– user authentication/sessioncartId– cart functionality for visitorscode_verifier– PKCE/OAuth step during sign-inconsent.pref— stores your cookie/consent preferences so the site remembers your choices.
Category: Strictly necessary · Provider: KrisztinaBerkes.com (first-party) · Purpose: Remember whether you accepted/rejected analytics and apply that choice · Duration: up to 180 days (resets if you change your settings)
Analytics (consent-based, Google Analytics 4): _ga, _ga_<container-id> and related identifiers (exact names depend on your GA setup).
We also use localStorage key consent.v1 to mirror the same preference in your browser. This
isn’t a cookie, but we list it here for transparency. It contains only your Yes/No analytics choice and no identifier.
Our banner lets you Accept all, Reject all, or choose per category. Change your decision any time via the Cookie settings link in the footer. Non-essential cookies (e.g., analytics) require prior consent; strictly-necessary cookies do not.
Legal note: As a strictly necessary preference mechanism, consent.pref is set without
consent. Our legal basis for this processing is our legitimate interests (GDPR Art. 6(1)(f)) in remembering
your choices and complying with ePrivacy/GDPR requirements.
7) Your Rights
You may access, rectify, erase, restrict processing, object to processing based on legitimate interests, withdraw consent (e.g., unsubscribe), and exercise data portability where applicable. To exercise rights: email info@krisztinaberkes.com.
You may lodge a complaint with the Hungarian Supervisory Authority (NAIH): Nemzeti Adatvédelmi és Információszabadság Hatóság, 1055 Budapest, Falk Miksa utca 9–11.; Post: 1363 Budapest, Pf.: 9; Tel.: +36 (1) 391-1400; Email: ugyfelszolgalat@naih.hu; Web: naih.hu.
8) Security
We use appropriate technical and organisational measures (TLS encryption in transit; hardened hosting at Hetzner; access controls; least-privilege; vendor due-diligence and data-processing terms).
9) Children
Our site isn’t intended for children under 16. We do not knowingly process children’s data.
10) Deleting Your Account
Request deletion by emailing contact@krisztinaberkes.com. We delete accounts within 30 days, subject to retaining information we must keep by law (e.g., invoices for 8 years).
11) Changes
We’ll post updates here and change the “Effective date.” For material changes, we will provide on-site notice (and email account holders where appropriate).