WW2 TOURS APPLICATION

PRIVACY POLICY

Effective date: 11/03/2024

1. Introduction

ThisPrivacy Policy (“Policy”) explains how we collect, use, and share information through our mobile platform, tells you in a transparent way what to expect us to do with your personal information when you use one of the services and governs the processing and transfer of personal data collected or processed by Bucket List Tours Ltd. (“Controller”, “Company”, “we”, “us” or “our”) when accessing or using our WW2 Tours mobile application or our services (respectively the “App” and “Service”). This Policy also explains our data collection practices that are applicable to any users of our App or our Services (“you” or “your”).

Please read the below details carefully and contact us before exercising your rights. Please note that the scope of this Policy is limited to information and data collected or received by the Controller through or in relation to your use of the App or Service. The Company is not responsible for the actions of third parties, the content of third-party websites, the use of information or data you provide to third parties or any products or services they may offer. Any link to third-party websites does not constitute our sponsorship of, or affiliation with, such third parties.

Primary applicable law: Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR)

2. Controller

Company: Bucket List Tours Ltd.

Registered office: H-1022 Budapest, Törökvész út 30/A.

Company registration number: 01-09-357561

Tax number: 27928301-2-41

EUID: HUOCCSZ.01-09-357561

Represented by: Ágnes Manhalder, Managing Director

Phone: +18554731999

Email: info@ww2blt.com

3. Definitions

“data subject”: any identified or identifiable natural person;

“personal data”: any information concerning the data subject;

“consent”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by any other clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

“controller”:any natural or legal person or entity without a legal personality which, alone or jointly with others, determines the purpose of data processing, takes and implements the decisions concerning the processing (including the equipment used) or has those implemented by the processor, within the limits defined by law or by a legally binding act of the European Union;

“processing”:any operation or set of operations performed on data, regardless of the procedure used, in particular any collection, registration, recording, organisation, storage, alteration, use, retrieval, transmission, disclosure, alignment or combination, blocking, erasure or destruction, and prevention of further use of data, taking photographs, making audio or video recordings and recording physical characteristics suitable for identifying a person (e.g. fingerprints, palm prints, DNA samples, iris scans);

“transfer”:the making available of data to a specific third party;

“processor”:a natural or legal person or entity without a legal personality which processes personal data on behalf of or under the instructions of the controller, within the limits and under the conditions laid down by law or by a legally binding act of the European Union;

“third party”:a natural or legal person or entity without a legal personality other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, perform operations with the purpose of processing personal data;

“personal data breach”: a breach of data security leading to the accidental or unlawful destruction, loss, alteration, unauthorised transmission or disclosure of, or access to, personal data transmitted, stored or otherwise processed;

“profiling”: any processing of personal data by automated means intended to evaluate, analyse or predict personal aspects relating to the data subject, in particular his or her performance at work, economic situation, health, personal preferences or interests, reliability, behaviour, location or movements;

“recipient”:the natural or legal person or entity without a legal personality to whom or to which personal data are disclosed by the controller or processor;

“EEA State”: a Member State of the European Union and another State party to the Agreement on the European Economic Area, and a State whose nationals enjoy the same status as nationals of a State party to the Agreement on the European Economic Area under an international treaty concluded between the European Union and its Member States and a State not party to the Agreement on the European Economic Area;

“third country”: any state that is not an EEA state;

“international organisation”: means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

4. Processing guidelines

Personal data may only be processed for clearly specified, legitimate purposes, to exercise rights and meet obligations. All stages of the processing must meet the purpose of processing, and the collection and processing of the data must be fair and lawful (“lawfulness, fairness and transparency”)

Only personal data that is necessary for the purpose of the processing and is suitable for achieving that purpose may be processed. Personal data may only be processed to the extent and for the duration necessary for the purposes for which they are collected (“purpose limitation”)

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”).

The processing must ensure that the data are accurate, complete and, where necessary for the purposes for which they are processed, kept up to date, and that the data subject can be identified only for the period necessary for the purposes for which the data are processed (“accuracy”)

Personal data shall be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. The personal data will retain this quality during the processing as long as the relationship with the data subject can be restored. The relationship with the data subject can be restored if the controller has the technical conditions necessary for such restoration (“storage limitation”)

The processing of personal data shall ensure an appropriate level of security for the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures (“integrity and confidentiality”).

The Controller shall be responsible for, and be able to demonstrate compliance with, these guidelines (“accountability”).

5. Information

You can find here information regarding the purposes for which we process your personal data as well as our lawful basis for processing, and how it is technically processed.

5.1. Data that we collect

First of all, we collect information that you provide to us. We collect personal information that you voluntarily provide to us when you register to our Service, express an interest in obtaining information about us or our Service, when you subscribe to our newsletters, or otherwise when you contact us. The personal information that we collect depends on the context of your interactions with us and the App. The personal information we collect may include the following: names; email addresses; phone numbers. To provide our news we use MailChimp, which provides online tools that can be used to create, send, and manage emails. MailChimp may collect personal information, such as distribution lists which contain email addresses, and other information relating to those email addresses. For further information about the type of personal information MailChimp collects, refer to the MailChimp Privacy Policy.We are required to inform you that by subscribing to our newsletter: You consent to your personal information being collected, used, disclosed and stored as set out in MailChimp’s Privacy Policy and agree to abide by MailChimp’s Terms of Use. You understand and acknowledge that this service utilises a MailChimp platform, which is located in the United States of America (USA) and relevant legislation of the USA will apply. You may find their privacy notice link here: https://www.intuit.com/privacy/statement/

Payment Data. We may collect data necessary to process your payment if you make purchases, such as your payment instrument number (such as a credit card number), and the security code associated with your payment instrument. All payment data is stored by Stripe. You may find their privacy notice link here:https://stripe.com/gb/privacy.

Information automatically collected: Some information - such as device characteristics - is collected automatically when you visit or using our App. We automatically collect certain information when you visit, use or navigate the App. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, device name, country, location, information about who and when you use our App and other technical information. This information is primarily needed to maintain the security and operation of our App, and for our internal analytics and reporting purposes. The information we collect includes: Log and Usage Data, Device Data,Location Data

In details:

We may collect personal information such as your name, email address, phone number, and other contact information that you voluntarily provide to us when you interact with the Controller. This information may be collected when you sign up for our newsletter, fill out a contact form or sign up for one of our optional trips.

When you make a purchase, we provide you with third-party services for purchasing and your payment data (e.g. credit/debit card, billing information and delivery address) is not collected by us. Information about the user such as name, email address, telephone number and the purchased Service is retained by us for further action.

When you contact us through one of our customer helpdesks or customer support centres, we may collect and process the contents (including data) of your correspondence with us and/or your contact details.

We also collect certain technical and usage information such as your application data, access, session times and in-app purchases, device type, advertisements you see and interact with, and unique device ID (persistent/non-persistent). This information is useful to us for troubleshooting and helps us understand usage trends and improve and optimize the Services and your user experience. We and our marketing and outsourcing partners, affiliates, or analytics service providers use technologies to identify user's device and to "remember" things about your visit.

5.2. How we use the data

We process your information for purposes based on legitimate business interests, the fulfillment of the contract with you, compliance with our legal obligations, and/or your consent. The Company may use personal data for the following purposes: To provide and maintain our Service, including to monitor the usage of our App. For the performance of a contract: the development, compliance and undertaking of the purchase contract for the services. To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application's push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation. To accept payments from you; to defend or prosecute legal claims; to investigate or prosecute fraud; to conduct audits related to our interactions with you. To provide you with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless you have opted not to receive such information. To manage your requests. For other purposes: We may use your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our Service, marketing and your experience.

We will process your personal data lawfully, fairly and in a transparent manner. We collect and process information about you only where we have a legal basis to do so/for doing so. This legal basis depends on services you use and how you use them, meaning we collect and use your information only where: it's necessary for the performance of an agreement to which you are a party or to take steps at your request before entering into such an agreement (for example, when we provide you with a service you request from us); it satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote our services, and to protect our legal rights and interests; you give us a consent to do so for a specific purpose; or we need to process your data in compliance with a legal obligation.

5.3. Data sharing and disclosure

We share and disclose information and/or data (including personal data) for the following purposes:

We disclose information and/or data when provided by law, for example in response to a court order or a subpoena, or in response to a law enforcement body's request. We also disclose information and/or data to third parties: (i) in connection with fraud prevention activities; (ii) where we believe it is necessary to investigate, prevent, or take action regarding illegal activities; (iii) in situations that can involve violations of our terms of use or other applicable rules and policies; (iv) to protect our rights and the rights and safety of third parties; and (v) as otherwise required by law.

We will transfer information and/or data regarding our users in the event of a business transaction, such as if we or one of our business units or our relevant assets are acquired by, sold to, or merged with another company or as part of a bankruptcy proceeding or a business reorganization.

Our agents and contractors have access to information and/or data regarding our users in order to carry out the services they are performing for us, such as, but not limited to, fulfilment, creation, maintenance, hosting, and delivery of products and services, marketing, processing of payments, email and order fulfilment, administration of contests, research and analytics, and customer service.

We share certain information and/or data regarding our users with third parties to provide advertising to you based on your interests.

5.4. Data retention

In general, we retain the personal data we collect for as long as it remains necessary for the purposes set forth above, all under the applicable regulation, or until you express your preference to optout, where applicable. Other circumstances in which we will retain your personal information for longer periods of time include: (i) where we are required to do so in accordance with legal, regulatory, tax, or accounting requirements, or (ii) for us to have an accurate record of your dealings with us in the event of any complaints or challenges, or (iii) if we reasonably believe there is a prospect of litigation relating to your personal data. Please note that except as required by applicable law, we will not be obligated to retain your data for any particular period, and we may delete it for any reason and at any time, without providing you with prior notice if our intention to do so.

5.5.Eligibility and children privacy

The Services are not intended for use by children (the phrase “child” shall mean an individual that is under the age defined by applicable law, which concerning the EEA is under the age of 16), and we do not knowingly process children’s information. We will discard any information we receive from a user that is considered a “child” immediately upon discovering that such a user shared information with us.

5.6. Your choices

Please note that if processing is performed based on the consent of the data subject, the data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent and carried out before its withdrawal (Article 6 a) of the GDPR). You may opt out of our email newsletters by clicking the “unsubscribe” at the bottom of each newsletter and following the subsequent instructions. You may update the personal information that you provide directly to us at any time. You may be able to refuse or disable cookies by adjusting your mobile. You may also opt out of all communications by contacting us using the contact information.If you no longer wish to use our Services, you or your administrator may be able to deactivate your account.

6. International data transfers

Our products and services may be provided using resources and servers located in various countries around the world. Therefore your personal data may be transferred across international borders outside the country where you use our services, including to countries outside the European Economic Area (EEA) that do not have laws providing specific protection for personal data or that have different legal rules on data protection, for example, the United States of America. In such cases we ensure that there is a legal basis for such a transfer and that adequate protection for your personal data is provided as required by applicable law, for example, by using standard contractual clauses approved by the European Commission or relevant authorities (where necessary) and by requiring the use of other appropriate technical and organizational information security measures.

7. Security

We implement a variety of security measures to protect the safety of your information when you enter, submit, or access information in the App. The Controller ensures the security of data in proportion to risks, takes all the technical and organisational measures and develops the procedural rules required for compliance with the GDPR as well as other data protection and privacy rules. The Controller shall protect the data with appropriate measures against accidental or unlawful destruction, loss, alteration, damage, unauthorised public disclosure or unauthorised access. We will make a reasonable effort to notify you and the appropriate authorities (if required by applicable law) if we discover a security incident related to your personal data.Given the nature of communications and information processing technology, we cannot guarantee that your information during transmission through the Internet or while stored on our systems or otherwise in our care will be absolutely safe from intrusion by others. You agree that we are not liable for disclosure of your information due to transmission errors, third-party access, or other reasons beyond our control.

8. Rights and exercising rights of data subjects

The rights listed in the points below can be exercised in an application submitted to the Controller. The Controller’s contact details can be found in Section 2 of the Policy. The Controller shall fulfil the data subject’s request without undue delay, but no later than one month after receipt of the request, unless this period is extended by up to two months in view of the complexity or the number of requests.

8.1. Information and access right

The data subject shall have the right to obtain confirmation from the Controller as to whether or not personal data concerning him or her are being processed. If the data subject’s personal data are being processed, they have the right to receive detailed information about the processing of the personal data, including the categories of personal data processed in relation to the data subject. The Controller shall provide the data subject with a copy of the personal data undergoing processing. The information thereby provided is free of charge if the data subject has not yet submitted a request for information to the Controller for the same data set in the current year. For any further information requested by the data subject, the Controller may charge a reasonable fee based on administrative costs.

8.2. Right of rectification

The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. The Controller rectifies personal data if such are not in line with reality and personal data in line with reality are available. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

8.3. Right to erasure (“right to be forgotten”)

The data subject shall have the right to obtain from the Controller without undue delay the erasure of personal data concerning him or her. The Controller may fulfil this request if the personal data are no longer needed in relation to the purposes for which they were collected or otherwise processed. The data subject’s personal data must be erased if the data subject objects to the processing and there are no overriding legitimate grounds for the Controller or a third party for the processing. The Controller is required to erase the personal data if it illegally processed the personal data or if it is required for compliance with a legal obligation in Union or Member State law to which the Controller is subject. Please note that personal data may not be erased where it is necessary to comply with a legal obligation, to fulfil a legal obligation to retain personal data or to establish, exercise or defend a legal claim.

8.4. Right to restriction of processing

The data subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:

- the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;

- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

- the Controller no longer needs the personal data for the purposes of the processing, but the data subject needs them to establish, exercise or defend legal claims; or the data subject has objected to the processing pending the verification whether the legitimate grounds of the Controller override those of the data subject.

Where processing has been restricted as above, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The Controller shall communicate any rectification or erasure of personal data, or for them to be forgotten or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data were disclosed, unless this proves impossible or involves disproportionate effort.

8.5. Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the Controller, provided the processing is based on consent and is carried out automatically. In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The exercise of the right shall be without prejudice to the right to erasure. The mentioned right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller. Exercising the right shall not adversely affect the rights and freedoms of others.

8.6. Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her based on a legitimate interest or if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, including profiling on those legal bases. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or are related to the establishment, exercise or defence of legal claims.

8.7. Right to take action against automated decision-making

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This provision shall not apply if the decision:

- is necessary for entering into, or performing, a contract between the data subject and the Controller;

- is authorised by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

- is based on the data subject’s explicit consent.

The Controller shall ensure that the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express his or her point of view and to contest the decision.

8.8. Complaints and judicial redress

You have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information as the supervisory authority in relation to or in connection with the processing or to file a civil lawsuit against the Controller directly before the competent court.

Name: Hungarian National Authority for Data Protection and Freedom of Information

Registered office H-1055 Budapest, Falk Miksa utca 9-11

Correspondence to: H-1363 Budapest, Pf. 9.

Telephone: +36 1 391 1400

Fax: +36 1 391 1410

Email:ugyfelszolgalat@naih.hu

Website:http://www.naih.hu

The legal action may be launched at the court with jurisdiction for the residence or domicile of the data subject. Someone without legal capacity in the action may also be a party to the legal action. The supervisory authority may intervene in the action for the benefit of the data subject. However, before lodging a complaint or initiating any civil proceedings, it may be useful for the data subject to notify the Controller directly of his or her grievance by sending a non-formal request to any of the contact details of the Controller listed in this Policy.

9. Final provisions

The Controller is not able to check the validity of the data provided. The user shall be solely responsible for providing valid and current personal data. The user recording the data shall have legal authorization when entering the data of third parties.

We reserve the right to amend this Policy from time to time, at our sole discretion. The most recent version of the Policy will always be posted on the website. We will provide notice to you if these changes are material, and, where required by applicable law, we will obtain your consent. Any amendments to the Policy will become effective within 30-days upon the display of the modified Policy. We recommend you review this Policy periodically to ensure that you understand our most updated privacy practices.

If you have questions or comments about this notice, you may email us anytime at info@ww2blt.com.