Privacy Policy

Privacy principles for the use of the website, Privacy policy of the operator Boonshelf Kft.

Last modified: 30.10.2023.

1. General provision

The Boonshelf Ltd as the operator of www.boonshelf. com ("Website"), hereby informs visitors to the Website and users of the services provided through the Website ("User") of the scope of personal data processed in connection with the operation of the Website and the services provided through it, the identity and data of the controller and processor(s), the data processing practices, the organisational and technical measures taken to protect personal data, the means and possibilities for exercising the rights of the data subjects and other circumstances related to the processing of personal data.
This Privacy Notice applies to the use of the Website without registration and after registration, and also when the User contacts the Data Controller or the Data Controller contacts the User.

In case of any discrepancy or inconsistency between the English and Hungarian versions of this Privacy Policy, the Hungarian version of the contract shall prevail.

2. Identity and contact details of the controller

The data controller for the data processing operations carried out in connection with the operation of this Website and the services provided through it is Boonshelf Ltd. as the operator of the Website ("Controller").
Boonshelf Ltd.
Company registration number of the Data Controller: 01-09-422853
Address of the Data Controller: 1151 Budapest Lenvirág utca 53
E-mail address of the Data Controller: [email protected] 
Represented by Andrea Fulmer

3. Principles of data management

In order to protect and respect the privacy of the Users, the Data Controller shall manage the data processing related to the use of the Website and related services in accordance with the applicable legislation, in particular with Act CXII of 2011 on the right to information self-determination and freedom of information, Act CVIII of 2001 on certain aspects of electronic commerce services and information society services, Regulation (EU) 2016/679 of the European Parliament and of the Council and this Privacy Policy.

4. Purpose of data processing

The indirect purpose of the processing of data related to the use of the Website and related services is to connect Users, in particular for the purpose of providing support to NGOs, to sell their own products in order to facilitate the implementation of the support, and to make visible the support provided by Users to organisations.
The direct purpose of the processing is to enable the Data Controller: 

  • Provide information to Users through the Website,
  • Provide information to Users through the Website,
  • Provide users with access to the Website, register users and identify them, 
  • Provide for the exchange of messages between Users and the use of the messaging system,
  • send system messages and notifications in connection with the Service,
  • provide a newsletter service in connection with the Service,
  • ensure the possibility of contact and communication between the Service Provider and the User.

5. Legal basis for data processing

The processing is based on the User's voluntary, duly informed declaration, which includes the User's explicit consent to the use of his/her personal data. The legal basis for processing is the voluntary consent of the data subject in accordance with Article 6(1)(a) of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).

By accessing the Website, the User declares that he/she has read and expressly accepts the version of this Policy in force at the time of access. However, the Data Controller reserves the right to unilaterally amend this Policy. Any modifications shall be effective against the User from the first visit following the publication of the modifications. In this respect, the User is recommended to consult this Notice on each visit in order to be informed of any amendments.

6. Scope of data processed, specific processing operations and information on data management

The collection and processing of personal data is based on the voluntary consent of the User using the Website and related services, which the User gives by completing the registration form and accepting the Privacy Policy.

The Data Controller is entitled to process and use the following data with the consent of the User 

  • User identification: name, email address, Facebook or Google account ID, profile picture (optional)
  • Identification of the advertising space: location, i.e. municipality or, in the case of the capital, district 
  • Personal data provided in messages exchanged with Users
  • The Controller does not verify the personal data provided to it. The User is solely responsible for the truthfulness and accuracy of the personal data.

7. Duration of Data Processing

The Controller shall process the personal data provided by the User for the period of time specified below in this Privacy Policy. The Service Provider shall permanently delete the personal data processed for the purpose of operating the Service upon the termination of the purpose of the processing or upon the User's request to that effect, and shall cease processing the data.

It is possible to unsubscribe from the Website at any time by going to the User's profile page. The User's profile will then be irreversibly removed, which will constitute a withdrawal of consent to the processing of the data. After deletion of the user account and withdrawal of consent, the Service will not be available for use and can only be used after re-registration.

Processing of personal data in relation to the newsletter service, the data controller will process your data provided when you subscribe to the newsletter until you unsubscribe from the newsletter by clicking on the "Unsubscribe" button at the bottom of the newsletter or by sending a request to [email protected]. If you unsubscribe, the Data Controller will no longer contact you with the newsletter. You may unsubscribe from the newsletter at any time free of charge and withdraw your consent.

The above provisions do not affect the fulfilment of legal (e.g. accounting) retention obligations, nor the processing of data on the basis of additional consents given during registration on the website or otherwise.

8. Data controllers and data transfers

Only the Data Controller is entitled to access the data.

The Service Provider does not forward personal data related to the operation of the Service to third parties, however, courts, prosecutors, investigative authorities, law enforcement authorities, administrative authorities, the National Authority for Data Protection and Freedom of Information, or other bodies authorized by law may request information, disclosure or transfer of data. On the basis of the request of these bodies, the Service Provider shall provide the personal data necessary for the purpose of the request, specifying the exact purpose and the scope of the data.

Hetzner Online GmbH provides the website hosting service for the Service Provider.

Company name: Hetzner Online GmbH 
Address: Industriestr. 25 91710 Gunzenhausen, Germany
E-mail address: [email protected]

The Data Controller uses the MailChimp newsletter sending and database management service to send its newsletters, whereby the data of subscribers to the newsletter - which is exclusively the email address of the user provided when subscribing to the newsletter - is stored on the servers of the external service provider as data processor for the purpose of sending the newsletter. Data of the external service provider:

Company name: The Rocket Science Group LLC
Location: 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308
Contact: [email protected]

The Rocket Science Group LLC. is a registered member of the Privacy Shield Agreement between the United States of America and the Commission of the European Union, and therefore any transfer of data to it is presumed to be subject to a level of protection equivalent to that of the EU, and is not subject to any additional conditions.

9. Third party information

By visiting the Website and providing information about the services offered on the Website, the User declares and warrants that:

  • provide his/her own data
  • is over 18 years of age
  • is fully capable of providing the information

If the User is not entitled to provide the information on his/her own, he/she is obliged to obtain the consent of the third parties concerned (e.g. legal representative, guardian). In this context, the User shall consider whether the consent of a third party is necessary in connection with the provision of the information. The Controller shall not be liable in this context.

If a minor with limited capacity to act wishes to register on the Website, it is necessary to send a separate declaration including the consent of his/her legal representative to the e-mail address indicated in point ... below at the same time as the registration. Failing this, the registration of a minor with limited legal capacity is not valid. The registration will be cancelled.

The Data Controller will make all reasonable efforts to delete any information that has been unlawfully made available to it and will ensure that such information is not disclosed to or used by anyone else. In the event of unauthorised disclosure, data subjects may contact the Controller at the contact details provided at the beginning of this Notice.

10. Data security measures

The Data Controller ensures the security of Users' data by the following measures:

  • encrypted SSL / TSL communication;
  • by restricting access to the data (only those who need to access the data in order to achieve the above-mentioned purposes);
  • a closed IT system that cannot be accessed from outside by any other person.

Although the above measures guarantee a high level of data security, in order to safeguard data, increased attention is also required from Users, in particular in the choice and management of passwords, avoiding obvious login names (e.g. user) or passwords (e.g. 1,2,3,4, etc.), and regularly changing passwords and avoiding making them available to other persons.

For the security of the data, it should also be stressed that the Data Controller will never ask Users to send their passwords by e-mail or any other communication channel (for example: SMS). If the User receives such a request, please report it to the Data Controller as soon as possible in order to take the necessary legal action.

11. Rights and remedies of the data subject

The User may exercise the rights and remedies relating to data processing described in this Privacy Notice upon proof of his/her identity and connection to the data.

Amendment, deletion, blocking of data

The User may at any time modify his/her profile or personal data provided on the User Interface or request their deletion (except for mandatory data processing) on his/her profile page or by sending an e-mail to [email protected].

The Service Provider shall delete the User's personal data if the processing is unlawful; the purpose of the processing has ceased; or the statutory time limit for storing the data has expired; or the court or the National Authority for Data Protection and Freedom of Information has ordered it; or the processing is incomplete or incorrect - and this situation cannot be lawfully remedied - provided that deletion is not excluded by law.


The User has the right to request information from the Service Provider at any time about the personal data concerning him/her processed in connection with the Service by sending an email to [email protected]. Upon the User's request, the Service Provider shall provide information on the personal data processed in connection with the Service, the purpose, legal basis and duration of the processing, the legal basis and the recipient of any data transfer. The Service Provider shall provide the information requested by the User as soon as possible after the request is made, but not later than 30 days.

Objection to the processing of personal data

The User may object to the processing of his/her personal data, 

  • if the processing or transfer of the personal data is necessary solely for compliance with a legal obligation to which the Service Provider is subject or for the purposes of the
  • legitimate interests pursued by the controller, data importer or third party (except for mandatory processing);
  • where the personal data are used or transmitted for direct marketing, public opinion polling or scientific research purposes; and
  • in any other case specified by law.

If the Service Provider determines that the User's objection is justified, it shall terminate the data processing and block the data.

If you have provided third party data for the use of the service, the Data Controller is entitled to claim damages against you. In such a case, the Data Controller shall provide all reasonable assistance to the competent authorities in order to establish the identity of the offending person.


If the User (or any other data subject) considers that he or she has suffered a breach of rights in relation to the processing of his or her personal data, he or she may apply to the competent court or initiate an investigation at the National Authority for Data Protection and Freedom of Information (National Authority for Data Protection and Freedom of Information, address: 1055 Budapest, Falk Miksa utca 9-11., postal address: 1363 Budapest, Pf. 9., E-mail: [email protected], website:

Logging data

During the use of the Website, the time of the visit to the Website and certain other events (for example: registration), the User's IP address and the address of the page viewed are recorded. These data are continuously logged by the system to prevent abuse, to generate statistics and to guarantee the proper functioning of the Website, and are kept together with the personal data relating to the event.

12. Cookies

The Data Controller uses cookies in certain areas of the Website. Cookies are files that store information on the User's hard drive or web browser. Cookies enable the Website to recognise if it has been visited by a User in the past. Cookies help the Data Controller to understand which parts of the Website are the most popular because they allow the Data Controller to see which pages Users access and how much time they spend there. By studying this information, the Data Controller can better tailor the Website to Users' needs and provide a more varied user experience.
When the User visits the Website, technical information may be automatically collected which does not allow the User to be identified. For example, the name of another website that directed the User to this website, the location of the access to the Website, the searches made on the Website. The collection of this information helps the Data Controller to identify the preferred search patterns of the Website users without using personal data. This information is used internally only. Anonymous or general data, from which the identity of the User cannot be identified, are not considered personal data and are therefore not covered by this Policy.
Cookies for analytics purposes help us to better understand our Users' behaviour, to know which parts of the site visitors have viewed and to improve the effectiveness of the service.
The cookie used is called a session ID, which identifies the User on the system, so if the User does not exit the user interface but closes the window they are currently in, they do not need to enter a password the next time they visit the site, because the system recognises the user profile. However, this could lead to the risk that other people using the same computer could see and manage the User's user interface. The Service Provider accepts no liability for the consequences of such cases. Therefore, this facilitation is only recommended to the User if the computer used is only accessible by the User.

13. External Service Providers

The Website also uses links to the websites of external service providers, which the Data Controller does not control or is not able to control. In relation to these websites, the operator of the external services or websites acts as data controller and the related data processing operations are governed by the privacy policy of these websites.