Most browsers allow you to view active cookies on your computer, delete them individually, or block cookies from specific or all websites. Please note that if you delete all cookies, previously saved settings on the website will be lost, including your preference to opt-out of cookies, as this preference itself requires a specific cookie to function. For more information on how to disable cookies by adjusting your browser settings, please visit aboutcookies.org and cookiecentral.com/faq/.

With the exception of strictly necessary cookies, you may refuse or block all or specific cookies downloaded during your visit to the website.

You can modify settings for the Data Controller’s or any third-party website by changing your browser settings. Please note that most browsers automatically accept cookies. Therefore, if you do not wish to allow the use of cookies, you must explicitly disable them by clicking the “I do not allow” button in the pop-up window. If you refuse the use of cookies, you will still be able to visit our websites, but some functions may not work correctly. To view the content of a cookie, click on the cookie itself to open it. You will see a short string of text and numbers.

Operation and Significance of Cookies:

XSRF-TOKEN:

• Description: This is a security cookie designed to prevent Cross-Site Request Forgery (CSRF) attacks. This attack involves an unauthorized party sending a request (e.g., a POST request) to the site from a third-party site or program. If the request lacks this token, the system will reject it as an untrusted source. This eliminates a significant portion of potential attacks.

• If you refuse this cookie: Your requests will be discarded by the system. For example, if you wish to fill out a contact form but have not enabled this cookie, the system will terminate the connection due to an insecure source, preventing the normal use of services.

• Encryption: The cookie is hashed and generated by the server before every request, making it virtually impossible to forge. It does not reveal any information about the user, as it is not stored on the server side.

Data identified by cookies: The following data is never stored on the user’s computer. Only a hashed “token” of the cookie is stored locally, which allows the server to identify which data to access. This token identifies the following data on the server side:

• Session history: Previous page visited.

• Token: Generated from the characteristics of the user’s device. This is not suitable for personal identification because we do not store this information; it is hashed one-way. Every request is hashed regardless of the device, but if a request hash matches a previous hash, we know it belongs to the same session. This allows us to track sessions. (Multiple users may log in from the same device; in this case, the session is the same but the user is different, therefore the session is not suitable for individual identification).

• Referrer: The source from which the user arrived at the site. Data collected via cookies is managed by the operator.

DATA PROCESSING ON THE WEBSITE

Contact Details (Form)

If you send us a message via the form on the site or via e-mail, we process the following data:

• Data processed: Name, e-mail address, phone number, message text.

• Purpose of processing: Responding to inquiries, providing information about tours, scheduling appointments.

• Legal basis: Article 6(1)(a) of the GDPR (consent of the data subject), as the user voluntarily chose to contact the Data Controller.

• Duration of processing: Data is stored only until the purpose of the contact is fulfilled or for the legally required retention period (e.g., 3 years for complaint handling).

Information Regarding Ticket Purchases

Direct ticket sales do not take place on our website. Tickets for the Forest Gastro Express experience tour can be purchased via the external platform: visitmiskolc.jegyx1.hu.

• Note: When you click the ticket purchase button, you leave the erdeigasztroexpressz.hu site. The processing of data provided during purchase (e.g., billing name, address, bank card details) is the responsibility of the ticketing system operator under their own privacy policy. No data processing for this purpose occurs on this website.

Technical and Analytical Data (Cookies)

• Data processed: IP address, browser type, time spent on site, subpages visited.

• Purpose of processing: Ensuring the technical operation of the website, preparing statistical analyses to improve user experience.

• Legal basis: Article 6(1)(a) of the GDPR (consent of the data subject).

• Duration of processing: Cookie data is stored until deleted, for a maximum of one year.

DATA STORAGE AND SECURITY

The Data Controller takes all necessary technical and organizational measures to ensure data security:

• The website has an SSL certificate (encrypted channel).

• Data is stored on secure servers accessible only by authorized personnel.

• Access to your personal data is restricted to authorized employees and contracted partners involved in fulfilling the tasks related to the purpose of data processing.

DATA TRANSFER TO THIRD PARTIES

Data is not transferred to third parties for any purpose, including marketing. The Data Controller utilizes a data processor for website maintenance and hosting services: [Insert Name/Company of Hosting Provider].

LINKS TO EXTERNAL SITES

Our site may contain links to pages not operated by us (e.g., ticketing interface or social media). The Data Controller is not responsible for the content or privacy practices of these sites. We recommend reading the privacy policies on those websites as well.

RIGHTS OF THE VISITOR

The data subject may request the rectification, erasure, or restriction (blocking) of their personal data from the data controller. They may also request information regarding their data, its source, the purpose, legal basis, and duration of processing, as well as information on any data protection incidents.

• Right to withdraw consent: The data subject has the right to withdraw consent at any time. This does not affect the lawfulness of processing based on consent before its withdrawal.

• Right of access: The subject may request information on what personal data is processed, on what legal basis, for what purpose, from what source, for how long, and to whom access was granted.

• Right to rectification: The subject may request the correction or completion of inaccurate or incomplete data.

• Right to restriction (blocking): The subject may request that their data be restricted while a legal claim is being established or while an objection is being evaluated.

• Right to object: The subject may object to the processing of their personal data. The controller must then prove compelling legitimate grounds for processing that override the interests of the data subject.

• Right to erasure (“Right to be forgotten”): The subject may request deletion if the data is no longer necessary, consent is withdrawn (and no other legal basis exists), the objection is justified, the processing was unlawful, or deletion is required by law.

Requests can be sent to: info@visitmiskolc.hu. The controller shall respond within 25 days. This may be extended by two months for complex cases, with prior notification. If a request is clearly unfounded or excessive, a reasonable fee may be charged or the request refused.

LEGAL REMEDIES

If you believe your rights have been violated, please contact us first. You may also contact the authority: National Authority for Data Protection and Freedom of Information (NAIH)

• Address: 1055 Budapest, Falk Miksa utca 9-11., Hungary

• E-mail: ugyfelszolgalat@naih.hu

• Website: www.naih.hu

You also have the right to seek direct judicial remedy in court.