Privacy Policy
Last updated: January 27, 2026
1. Introduction
DILO Kft. ("we", "us", "our") operates the DILO online car auction platform at www.dilo.hu (the "Platform"). We are committed to protecting your privacy and ensuring the security of your personal data.
This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our Platform, in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679, the Hungarian Data Protection Act (Act CXII of 2011), and other applicable data protection laws.
Please read this Privacy Policy carefully. By using our Platform, you acknowledge that you have read and understood this Privacy Policy. This Policy should be read together with our Terms of Service and Cookie Policy.
2. Data Controller
The data controller responsible for your personal data is:
DILO Kft.
1051 Budapest, Nador utca 21, Hungary
Data Protection Officer: dpo@dilo.hu
Privacy inquiries: privacy@dilo.hu
3. Personal Data We Collect
3.1 Data You Provide Directly
- Account Information: Name, email address, phone number, password, profile picture
- Identity Verification: Government-issued ID, proof of address (when required)
- Vehicle Listing Data: Vehicle details, photographs, VIN, registration documents, descriptions you provide
- Transaction Data: Bid amounts, purchase history, payment information
- Communications: Messages with other users, support inquiries, feedback
- Preferences: Notification settings, watchlist items, saved searches
3.2 Data Collected Automatically
- Device Information: IP address, browser type, operating system, device identifiers
- Usage Data: Pages visited, time spent, clicks, searches, auction participation
- Location Data: Approximate location based on IP address (we do not collect precise GPS location without consent)
- Cookies and Tracking: See our Cookie Policy for details
3.3 Data from Third Parties
- Payment Processors: Transaction confirmations from Stripe
- Social Login: Basic profile information if you sign in via Google or other social providers
- Vehicle History Services: Vehicle history data when you authorize a check
4. Legal Basis for Processing
Under the GDPR, we must have a valid legal basis to process your personal data. We rely on the following legal bases:
Contract Performance (Article 6(1)(b) GDPR)
Processing necessary to provide our services: account management, auction participation, transaction processing, customer support.
Legitimate Interests (Article 6(1)(f) GDPR)
Processing for our legitimate business interests: fraud prevention, platform security, analytics and improvement, enforcing our terms, direct marketing to existing customers.
Legal Obligation (Article 6(1)(c) GDPR)
Processing required by law: tax records, anti-money laundering checks, responding to legal requests from authorities.
Consent (Article 6(1)(a) GDPR)
Processing based on your explicit consent: marketing communications, non-essential cookies, special categories of data (if any).
5. How We Use Your Data
5.1 Providing Our Services
- Creating and managing your account
- Enabling you to list vehicles and participate in auctions
- Processing bids and transactions
- Facilitating communication between buyers and sellers
- Sending transactional notifications (bid confirmations, outbid alerts, auction endings)
- Providing customer support
5.2 Safety and Security
- Verifying user identities
- Detecting and preventing fraud, shill bidding, and other abuse
- Enforcing our Terms of Service
- Protecting the security of our Platform
5.3 Improvement and Analytics
- Analyzing how users interact with our Platform
- Improving our services and user experience
- Developing new features
- Conducting research and analysis
5.4 Marketing and Communications
- Sending promotional emails about new features and auctions (with your consent)
- Personalizing content and recommendations
- Displaying relevant advertisements
- You can opt out of marketing communications at any time
6. How We Share Your Data
6.1 With Other Users
When you participate in auctions or list vehicles, certain information is visible to other users:
- Your username/display name
- Vehicle listing information you provide
- Your bid activity (winning bidder identity may be shared with the seller)
- Upon completing a transaction, contact details may be shared between buyer and seller
6.2 With Service Providers
We share data with trusted third-party service providers who assist us in operating the Platform:
- Supabase: Database hosting and authentication (EU servers)
- Stripe: Payment processing (PCI-DSS compliant)
- Email providers: Transactional and marketing emails
- Analytics providers: Website analytics
- Cloud hosting: Website infrastructure
All service providers are bound by data processing agreements and can only use your data as instructed by us.
6.3 Legal Requirements
We may disclose your data when required by law or to:
- Comply with legal obligations or valid legal process
- Respond to requests from government authorities
- Protect our rights, privacy, safety, or property
- Enforce our Terms of Service
- Protect against legal liability
6.4 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any change in ownership or use of your data.
7. International Data Transfers
We primarily store and process your data within the European Economic Area (EEA). When we transfer data outside the EEA, we ensure appropriate safeguards are in place:
- Adequacy Decisions: Transfers to countries with adequate data protection (as determined by the European Commission)
- Standard Contractual Clauses: EU-approved contractual safeguards with our service providers
- Binding Corporate Rules: Where applicable for multinational service providers
You can request a copy of the safeguards we use by contacting us at privacy@dilo.hu.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Account Data: Retained while your account is active, plus 3 years after deletion for legal compliance
- Transaction Data: 7 years for tax and accounting purposes
- Communication Logs: 3 years from the date of communication
- Marketing Preferences: Until you withdraw consent or delete your account
- Analytics Data: Aggregated/anonymized data may be retained indefinitely
When data is no longer needed, we securely delete or anonymize it.
9. Your Rights Under GDPR
As a data subject in the EU/EEA, you have the following rights:
Right of Access (Article 15)
Request a copy of the personal data we hold about you and information about how we process it.
Right to Rectification (Article 16)
Request correction of inaccurate or incomplete personal data. You can update most information directly in your account settings.
Right to Erasure / "Right to be Forgotten" (Article 17)
Request deletion of your personal data when it's no longer necessary, you withdraw consent, or it was unlawfully processed. Note: We may retain some data for legal compliance.
Right to Restriction of Processing (Article 18)
Request that we limit how we use your data while a complaint is being resolved or accuracy is being verified.
Right to Data Portability (Article 20)
Receive your personal data in a structured, machine-readable format and transfer it to another service provider.
Right to Object (Article 21)
Object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.
Right to Withdraw Consent (Article 7(3))
Withdraw consent at any time for processing based on consent. This does not affect the lawfulness of processing before withdrawal.
Right Not to be Subject to Automated Decision-Making (Article 22)
Not be subject to decisions based solely on automated processing that significantly affect you. We do not currently make such decisions.
How to Exercise Your Rights
To exercise any of these rights, contact us at privacy@dilo.hu. We will respond within 30 days (extendable by 60 days for complex requests). We may need to verify your identity before processing your request.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption: All data is transmitted using TLS/SSL encryption; sensitive data is encrypted at rest
- Access Controls: Role-based access; employees only access data as needed
- Authentication: Secure password requirements; optional two-factor authentication
- Monitoring: Regular security audits and vulnerability assessments
- Incident Response: Procedures for detecting and responding to data breaches
- Employee Training: Regular data protection training for staff
While we take security seriously, no system is 100% secure. We encourage you to use strong passwords and protect your account credentials.
11. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Hungarian Data Protection Authority (NAIH) within 72 hours
- Notify affected individuals without undue delay if there is a high risk
- Document the breach and remedial actions taken
12. Children's Privacy
Our Platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@dilo.hu and we will delete it promptly.
13. Cookies and Tracking Technologies
We use cookies and similar technologies to operate our Platform, analyze usage, and provide personalized experiences. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.
14. Third-Party Links
Our Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal data.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
- Posting the updated policy on our Platform with a new "Last updated" date
- Sending you an email notification for material changes
- Displaying a prominent notice on our Platform
We encourage you to review this policy periodically. Your continued use of the Platform after changes take effect constitutes acceptance of the updated policy.
16. Complaints and Supervisory Authority
If you have concerns about how we handle your personal data, please contact us first at privacy@dilo.hu. We will try to resolve your concerns.
You also have the right to lodge a complaint with a supervisory authority. In Hungary, this is:
Nemzeti Adatvedelmi es Informacioszabadsag Hatosag (NAIH)
National Authority for Data Protection and Freedom of Information
Address: 1055 Budapest, Falk Miksa utca 9-11, Hungary
Phone: +36 1 391 1400
Email: ugyfelszolgalat@naih.hu
Website: https://naih.hu
If you are located in another EU member state, you may also contact your local supervisory authority.
17. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
DILO Kft.
1051 Budapest, Nador utca 21, Hungary
Privacy inquiries: privacy@dilo.hu
Data Protection Officer: dpo@dilo.hu
General support: support@dilo.hu