Privacy Policy
Privacy Policy
Last updated:
1. Who We Are (Data Controller)
Budapest Keys operates the website at https://budapestkeys.com. We are a real estate consultancy helping international investors purchase property in Budapest, Hungary.
Legal entity: Downtown City Properties Kft.
Registered address: 1117 Budapest, Baranyai tér 13. 7. em. 1. ajtó
Contact: info@budapestkeys.com
2. Data We Collect
Information You Provide
- Contact form submissions: name, email address, phone (optional), investment budget, nationality, message
- Newsletter subscriptions: email address
- Quiz responses: budget range, investment intent, residency preference, nationality — not stored server-side unless you submit the contact form at the end
- Lead magnet requests: email address (to send download link)
Information Collected Automatically
- IP address (used for rate limiting and spam prevention; a one-way SHA-256 hash of the IP is stored as part of newsletter consent records for GDPR audit purposes — the original IP address is not retained; the hash is purged alongside the subscription record, 90 days after unsubscribing)
- Browser type and device type (via User-Agent, used for bot protection)
- Pages visited and time on site (via analytics — only with your consent)
- Referral source (where you came from before visiting this site)
We do not collect special categories of personal data as defined by GDPR Article 9 — including data revealing racial or ethnic origin, political opinions, religious beliefs, health data, genetic or biometric data, or sexual orientation.
3. How We Use Your Data
- To respond to your enquiry — we email your contact form submission to our consultant and send you an automatic confirmation
- To send newsletter — monthly Budapest market reports (you can unsubscribe at any time via the link in every email)
- To deliver lead magnets — one-time download links emailed to you
- To improve the website — analytics data (with consent) helps us understand which content is useful
- To prevent spam and abuse — rate limiting and cryptographic bot protection
4. Legal Basis (GDPR)
- Contract performance (Art. 6(1)(b)): Processing your enquiry requires your contact details; delivering a requested lead magnet (PDF guide) requires your email address to send the download link
- Legitimate interest (Art. 6(1)(f)): Bot protection and rate limiting are necessary for website security and service integrity. Our Legitimate Interest Assessment concluded that this processing is necessary to prevent abuse, that its impact on data subjects is minimal (only a transient SHA-256 hash of the IP address is processed server-side and not retained beyond 1 hour), and that no less intrusive means are equally effective
- Consent (Art. 6(1)(a)): Analytics and marketing cookies — you can withdraw consent at any time via "Cookie Settings" in the footer
- Consent (Art. 6(1)(a)): Newsletter subscription — you can unsubscribe at any time via the link in every email
5. Third-Party Services
We use the following third-party services on this website:
| Service | Purpose | Data shared | Privacy Policy |
|---|---|---|---|
| Google Tag Manager | Tag management (requires consent before firing tags) | None independently — manages other tags | policies.google.com/privacy |
| WhatsApp (Meta) | Direct messaging (when you click our WhatsApp button) | Your WhatsApp account data per Meta's policy | whatsapp.com/legal |
| Telegram | Direct messaging (when you click our Telegram link) | Your Telegram account data per Telegram's policy | telegram.org/privacy |
| Viber (Rakuten) | Direct messaging (when you click our Viber link) | Your Viber account data per Rakuten Viber's policy | viber.com/en/terms/viber-privacy-policy |
| WebSupport Mail | Transactional email delivery (contact form confirmations, newsletter, lead magnet download links) | Recipient email address, email subject, message body | Privacy Policy |
| WebSupport.sk | Web hosting — stores all website data on EU servers (Slovakia) | All website data stored on their infrastructure | websupport.sk/gdpr |
We have entered into Data Processing Agreements (DPAs) with all third-party processors listed above, as required by GDPR Article 28.
6. Data Retention
- Contact form submissions: Stored in our email inbox for up to 12 months, then deleted. A server-side copy is also kept in a log file for up to 90 days, then automatically purged
- Newsletter subscribers: Active subscription data stored until you unsubscribe. Unsubscribed records are automatically deleted after 90 days. Unconfirmed subscription requests (pending double opt-in confirmation) are automatically deleted after 7 days if the confirmation link is not clicked
- Bot protection tokens: Auto-deleted after 10 minutes via hourly cleanup cron
- Rate limit files: Auto-deleted after 1 hour via hourly cleanup cron
- Download tokens: Valid for 24 hours, then auto-deleted
- Analytics data: Per Google's/Meta's data retention settings (configurable in your account)
7. Your Rights (GDPR)
If you are located in the European Union or European Economic Area (EU/EEA) (or your local law grants equivalent rights), you have the following rights under GDPR Articles 15–22:
- Access (Art. 15): Request a copy of personal data we hold about you
- Rectification (Art. 16): Correct inaccurate data
- Erasure (Art. 17) — "Right to be forgotten": Request deletion of your data. Automated erasure: newsletter subscriber data is purged 90 days after unsubscribing; server-side lead logs are purged after 90 days via automated cron job
- Restriction (Art. 18): Limit how we process your data
- Data portability (Art. 20): Receive your data in a machine-readable format (JSON or CSV)
- Object (Art. 21): Object to processing based on legitimate interests — in particular, you can opt out of direct marketing at any time
- Withdraw consent: Withdraw analytics/marketing consent at any time via "Cookie Settings" in the footer. For newsletter consent, use the unsubscribe link in any email
How to Submit a Data Subject Access Request (DSAR)
To exercise any of the rights above, please email us at info@budapestkeys.com with the subject line "Data Subject Request" and include:
- Your full name and email address (so we can identify your records)
- The specific right you wish to exercise (access, erasure, portability, etc.)
- Any additional details that help us locate your data (e.g., approximate date you submitted the contact form)
We will respond promptly and in any event within 30 days (extendable by a further 60 days for complex requests, with prior notice). There is no charge for exercising your rights unless requests are manifestly unfounded or excessive.
You also have the right to lodge a complaint with your local data protection authority. In Hungary: NAIH (naih.hu). In the EU, you may contact your national supervisory authority as listed on edpb.europa.eu.
8. Cookies
We use cookies for the following purposes:
| Cookie name | Category | Purpose | Duration | Provider |
|---|---|---|---|---|
cookie_consent |
Necessary | Stores your cookie consent preferences (localStorage primary, cookie fallback) | 1 year | This site |
maintenance_bypass |
Necessary | Allows authorised users to bypass maintenance mode | 24 hours | This site |
preferred_lang |
Necessary | Remembers your chosen display language so you are not redirected away from it on your next visit | 1 year | This site |
_ga |
Analytics (consent required) | Distinguishes unique users for Google Analytics | 2 years | |
_ga_* |
Analytics (consent required) | Stores session state for Google Analytics 4 | 2 years | |
_gid |
Analytics (consent required) | Distinguishes users for Google Analytics (short-term) | 24 hours |
You can manage your preferences at any time via .
9. International Data Transfers
Your data may be processed by the following non-EU services. All transfers to the USA comply with GDPR Chapter V via Standard Contractual Clauses (SCCs) as approved by the European Commission. Transfers initiated when you voluntarily click a third-party messaging button are made on the basis of your explicit action (GDPR Art. 49(1)(a)). Hosting is in Slovakia (EU) via WebSupport.sk — no international transfer applies for stored data.
- Google LLC (USA) — analytics and tag management (with your consent); transfer covered by SCCs
- Telegram FZ-LLC (UAE / global servers) — if you click our Telegram link and send a message, your Telegram account data is processed by Telegram under their own privacy policy; this transfer is initiated by your voluntary action
- Rakuten Viber (Japan / global servers) — if you click our Viber link and send a message, your Viber account data is processed by Rakuten Viber under their own privacy policy; this transfer is initiated by your voluntary action
- Meta Platforms, Inc. (USA) — if you click our WhatsApp button and send a message, your WhatsApp account data is processed by Meta under their own privacy policy; transfer covered by SCCs
Notice for Visitors from Turkey
If you are visiting from the Republic of Turkey, please note that Turkey's Personal Data Protection Law (KVKK — Law No. 6698, effective 7 April 2016) grants you rights regarding your personal data, including the right to learn whether your data is processed, to request information about it, to request rectification, deletion, or destruction, and to object to processing. You may also lodge a complaint with the Turkish Personal Data Protection Authority (KVKK — kvkk.gov.tr). To exercise your rights, contact us using the process described in Section 7.
Notice for Visitors from China, Vietnam, and Israel
If you are visiting from the People's Republic of China, please note that China's Personal Information Protection Law (PIPL, effective 1 November 2021) grants you rights similar to GDPR, including the right to access, correct, delete, and restrict processing of your personal information. To exercise these rights, contact us using the process described in Section 7.
If you are visiting from Vietnam, please note that Vietnam's Personal Data Protection Decree (Decree No. 13/2023/ND-CP, effective 1 July 2023) grants you rights regarding your personal data. You may also lodge a complaint with the competent Vietnamese authority — the Department of Cybersecurity and Hi-tech Crime Prevention, Ministry of Public Security (bocongan.gov.vn). To exercise your rights, contact us using the process described in Section 7.
If you are visiting from Israel, please note that Israel is recognised by the European Commission as providing an adequate level of data protection (adequacy decision). Israel's Privacy Protection Law (PPL) grants you rights regarding your personal data. To exercise these rights, contact us using the process described in Section 7.
Any personal data you submit via our contact form or newsletter is processed on servers located in the European Union (Slovakia) and is not transferred to any jurisdiction with data protection standards lower than those required by GDPR, unless you have explicitly consented to analytics services that transfer data to the USA (as described above), or you have voluntarily initiated contact via a third-party messaging app (as described above).
10. Children's Privacy
This website is not directed at individuals under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it immediately.
11. Automated Decision-Making
We do not make any automated decisions — including profiling — that produce legal or similarly significant effects on you. Our quiz tool generates a non-binding investor profile suggestion for informational purposes only; no automated decision is made based on this input.
12. Data Protection Officer
As a small real estate consultancy not conducting large-scale systematic processing, we are not required to designate a Data Protection Officer under GDPR Art. 37. For all data-related enquiries, contact us directly at the address below.
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay as required by GDPR Art. 34. We will also report qualifying breaches to the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) within 72 hours of becoming aware of them, as required by GDPR Art. 33.
14. Changes to This Policy
We may update this policy. The "Last updated" date at the top will reflect any changes. Material changes will be communicated via the website banner.
15. Contact
Data controller: Downtown City Properties Kft.
Address: 1117 Budapest, Baranyai tér 13. 7. em. 1. ajtó
Email: info@budapestkeys.com
Website: https://budapestkeys.com
