Issuer: BLUETAC Kft.
Website: https://bestb4.hu
1. Controller details
Name: BLUETAC Kft.
Registered office: 6722 Szeged, Bécsi körút 23. A. ép. Fsz. 1. ajtó, Hungary
E-mail: support@bestb4.hu
Phone: +36 50 110 2191
Website: https://bestb4.hu
Hosting provider:
Tárhely.Eu Szolgáltató Kft. – https://tarhely.eu
Legal basis/framework:
- Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)
- Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Hungary, “Infotv.”)
2. General principles
The purpose of processing is to operate BestB4.hu and its subsystems (user, partner, store, employee), including identification, location-based product display, abuse prevention and the maintenance of IT security.
Legal bases:
- consent (GDPR Art. 6(1)(a)),
- contract performance (Art. 6(1)(b)),
- legal obligation (Art. 6(1)(c)),
- legitimate interests (Art. 6(1)(f)).
Data are stored on secure servers located in Hungary (Tárhely.Eu).
Third parties may access personal data only under a processor agreement or as independent controllers where indicated.
3. User registration and login
Processed data:
- username: full name or nickname
- e-mail address
- password (hashed)
- selected city / district
- optionally: precise GPS location
- cookie decision (cookie_policy)
Purpose: operate the user account; display nearby stores and products.
Legal basis: consent and/or contract performance.
Retention: until the account is deleted.
3.1. Google Sign-in (OAuth2)
When using “Sign in with Google”, the user is authenticated by Google LLC. The system receives only:
- Google ID
- e-mail address
- display name
No further permissions are requested. The user’s password is not stored in the BESTB4 system; a password can be set later on the profile page if desired.
After Google login a remember_me cookie is issued automatically (see 6.1), so repeated login is not required.
Legal basis: consent (Art. 6(1)(a)) and contract performance (Art. 6(1)(b)).
3.2. Requesting reseller access (viewing wholesale offers)
Wholesale store catalogues are available only to resellers. To request access, the user submits the following via an on-site form to the selected wholesaler:
- company name / business name,
- tax number,
- billing details (registered seat, billing address),
- optional note: activity (e.g. corner shop, restaurant, etc.).
Legal basis: contract performance/pre-contractual steps (Art. 6(1)(b)) and legitimate interests of the Controller and the wholesaler (Art. 6(1)(f)) to protect pricing information and prevent abuse.
Recipients: the selected wholesale store, which receives and decides on the request.
Controller roles:
- For the request workflow and storage of business data, BLUETAC Kft. acts as controller.
- For assessing requests and managing the reseller relationship, the respective wholesaler acts as an independent controller.
Retention:
- business data belong to the user’s profile and are kept until the user deletes them in their profile;
- requests and decisions are recorded permanently in the system and are not deleted automatically;
- if the user deletes their business data, those data will no longer be displayed to wholesalers in prior requests;
- security logs (timestamp, IP, technical meta) are kept for 30 days.
Note: requests serve access control only and do not constitute a contract; payment and fulfilment always take place between the store and the reseller.
4. Partner registration and store management (partner.bestb4.hu)
Registration: contact person’s name, e-mail address, password (hashed).
After successful registration:
- company (billing) name,
- tax number,
- billing address,
- partner type (sole trader / multiple stores / chain) and business model (retail or wholesale),
- optional: phone number, logo, verification document (PDF/JPG/PNG).
4.1. Purpose and handling of verification documents
Verification documents (e.g. company extract, sole-trader certificate, bank statement) are used solely to verify partner identity and prevent abuse; their purpose is to confirm that a legitimate business is registering.
Processing purposes include:
- verifying the authenticity of company data;
- confirming entitlement to upload products on behalf of stores;
- preventing fake registrations and fraud;
- ensuring unambiguous identification in case of authority requests.
Legal bases:
- contract performance (Art. 6(1)(b)),
- legitimate interests (Art. 6(1)(f)) — protecting platform integrity and user safety.
Documents are handled only by the Controller and are not shared with third parties. Files are stored outside the webroot, on encrypted storage, and are automatically deleted after 90 days. The system may keep limited file metadata (upload date, filename, MIME type) for a short period.
5. Store and employee data
Stores (stores.bestb4.hu):
- store name,
- address,
- geographic coordinates (via Google API),
- category, type,
- cover image and logo (optional),
- store e-mail, password (hashed),
- opening hours (optional).
Employees (e.bestb4.hu):
- employee name,
- auto-generated identifier,
- password (hashed).
Legal basis: contract performance.
Retention: for the term of the active contract; deletion/anonymisation thereafter.
6. Cookies, sessions and location data
The website uses cookies and session identifiers essential for operation. Non-essential (statistics/analytics) cookies are set only with consent.
6.1. Sessions and “Stay signed in”
- User: session name: PHPSESSID, remember-me cookie: remember_me
- Partner: session: BB4PARTNERSESSID, remember-me: owner_remember_me
- Store: session: BB4STORESESSID, remember-me: shop_remember_me
- Employee: session: BB4EMPSESSID, remember-me: employee_remember
All cookies are set with HTTPS, HttpOnly, SameSite=Lax (where applicable).
Remember-me cookies store encrypted tokens and no personal data.
A user may stay signed in on up to 5 devices.
Expiry: 180 days, auto-renewed with active use.
6.2. Two-factor authentication (2FA) (optional)
Available in partner and store systems.
6-digit one-time code, valid for 10 minutes; stored briefly as an SHA-256 hash.
Legal basis: legitimate interest (security).
6.3. Location and language cookies
city, latitude, longitude, radius — location & search radius (180 days – 1 year)
precise_location — sharing precise device location (1 year)
bb4_lang — language preference (hu/en, 1 year)
All cookies are Secure, SameSite=Lax, and contain no directly identifying data.
6.4. Non-essential cookies (with consent)
- Google Analytics (_ga, _gid, _gat) — anonymous statistics
- Stripe — fraud-prevention cookies during payment
Cookie banner options: “Essential only” and “Accept all cookies”.
7. Logging and security
The system logs:
- login attempts,
- password-reset attempts,
- selected POST requests (for rate-limiting and brute-force protection).
Stored data: partially anonymised IP, timestamp, event.
Retention: 7–30 days.
Legal basis: legitimate interests (system security).
Only the Controller has access to the logs.
8. Third parties and data transfers
- Tárhely.Eu Szolgáltató Kft. – processor (infrastructure)
- Billingo Zrt. – independent controller (invoicing)
- Stripe Payments Europe Ltd. – independent controller (payments)
- Google LLC – independent controller (login, analytics)
Data may be transferred outside the EU (Google, Stripe). Such transfers rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards.
9. Retention and deletion
- User data: until account deletion.
- Partner/store data: until contract termination.
- Verification documents: 90 days.
- Logs: 7–30 days.
- Cookies: 180 days – 1 year.
Account deletion
Accounts are deleted by the Controller upon request sent from the registered e-mail address.
Request: support@bestb4.hu
Process:
- confirm the request,
- verify identity,
- soft-delete (immediate deactivation),
- final deletion after 30 days,
- billing data retained as required by law.
10. Data subject rights and remedies
Data subjects may request:
- information/access,
- rectification,
- erasure,
- restriction of processing,
- objection to processing,
- data portability.
The Controller responds within 30 days.
Supervisory authority:
Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
1363 Budapest, Pf. 9. • ugyfelszolgalat@naih.hu • +36 (1) 391 1400
https://www.naih.hu
11. Miscellaneous
- The Controller does not share data with third parties for marketing purposes.
- Push notifications rely on anonymous Firebase tokens only.
- All data traffic is protected by HTTPS, with CSRF protection and rate-limiting in place.
- Changes to this notice will be communicated on the website and/or by e-mail.