Privacy Policy
This policy explains how Budapest Canvas collects and uses personal data when you browse the website, contact us, join the newsletter, or order hand-painted artwork.
Data controller
- Controller: Biot.ai Lab Kft. (Biot.ai Lab Korlátolt Felelősségű Társaság)
- Company registration number: 01-09-292218
- Tax/VAT number: 25844584-2-43
- Registered seat: 1095 Budapest, Mester utca 21. II. em. 24., Hungary
- Privacy contact: [email protected]
- Customer support: [email protected]
Effective date: 22 May 2026
We do not have a designated Data Protection Officer. Privacy requests should be sent to [email protected].
What we process
Orders and customer service
We process your name, email address, phone number, billing and shipping details, selected artwork, order value, order status, messages, and related support correspondence so we can create, sell, fulfil, deliver, and support your order.
Payments
Payments are handled by Revolut Bank UAB. We receive payment status, order identifiers, and information needed to reconcile the payment. We do not store full card details.
Contact, corporate, interior designer, and artist enquiries
When you submit a form, we process the contact details and message content you provide, plus basic technical context needed for delivery, spam prevention, and follow-up.
Newsletter
If you sign up for email updates, we process your email address and signup context so we can send Budapest Canvas news and artwork updates. You can unsubscribe by emailing [email protected].
Necessary site measurement
We record aggregate page-view information such as path, route pattern, and locale to understand whether the site is operating correctly. This does not include advertising identifiers, contact details, or free-text messages.
Analytics and advertising, only with consent
If you consent, we use analytics and advertising tools to measure visits, campaign performance, leads, and purchases. If you decline analytics consent, your order is not included in GA4 revenue reporting.
Legal bases
| Legal basis | Processing covered |
|---|---|
| Contract | Processing orders, payment status, shipping, customer service, and delivery of purchased artworks. |
| Legitimate interests | Operating a secure website, preventing abuse, keeping necessary operational records, and measuring aggregate site reliability. |
| Consent | Analytics storage, advertising storage, ad user data, ad personalization, Google Ads and Meta enhanced conversion data, newsletter analytics, and non-essential cookies. |
| Legal obligation | Accounting, tax, regulatory, and dispute-handling records. |
Consent categories
Analytics measurement and advertising controls are opt-in for EU and UK visitors. Advertising identifiers such as gclid, gbraid, wbraid, fbclid, _fbp, and _fbc are not intentionally stored or used unless advertising storage consent is granted.
| Category | What it covers |
|---|---|
| Necessary | First-party cart session cookie, server-side cart contents, checkout, security, locale, cookie preference storage, payment and order records, aggregate page-view route counts. |
| Analytics measurement | GA4 browser events through Google Tag Manager and server-side GA4 purchase/lead events. Users who deny analytics consent are not included in GA4 revenue reports. |
| Advertising controls | Advertising storage covers click IDs, Meta browser identifiers, and campaign attribution snapshots. Ad user data covers Google Ads conversion uploads, Meta Conversions API events, and enhanced conversion hashes. Ad personalization controls personalization signals. |
Processors and recipients
| Provider | Role |
|---|---|
| Google Ireland Limited / Google LLC | Google Tag Manager, Google Analytics 4, Google Ads measurement and conversion reporting. |
| Meta Platforms Ireland Limited | Meta Pixel and Meta Conversions API measurement, matching, and advertising reporting. |
| Mailgun / Sinch Email | Transactional and newsletter email delivery using the EU region. |
| Revolut Bank UAB | Payment checkout, payment processing, fraud prevention, and payment status updates. |
| DigitalOcean | Production hosting, self-hosted PostgreSQL database, and backup storage through DigitalOcean Spaces. |
| Cloudflare | DNS, CDN, security, and traffic protection. |
| Magyar Posta, GLS, and DPD | Artwork delivery, shipment handling, and tracking where relevant. |
We do not currently use a CRM webhook provider or a separate error-monitoring provider. If that changes, this policy will be updated.
International transfers
We sell to customers and accept business enquiries globally. Some providers may process data outside Hungary or the European Economic Area. Where required, we rely on the provider's data processing terms, adequacy decisions, Standard Contractual Clauses, and other safeguards made available by those providers.
Retention
| Record type | Retention |
|---|---|
| Order, payment, fulfilment, and accounting records | Kept for the period required for tax, accounting, fulfilment, warranty, and dispute handling. |
| Contact form messages and lead records | Normally kept for up to 24 months unless the conversation becomes part of an order, contract, legal claim, or ongoing business relationship. |
| Newsletter records | Kept while you remain subscribed. Unsubscribe or suppression records may be retained as needed to respect withdrawal requests. |
| Consent preferences | Kept until changed or withdrawn, and as long as needed to demonstrate compliance. |
| Analytics attribution, click IDs, IP address, and user-agent fields on orders and leads | Scrubbed by default after 420 days. |
| Sent analytics outbox rows | Purged by default after 90 days. |
| Server and application logs | Stored on the production server and may be retained for up to 8 years where needed for security, audit, accounting, legal, or dispute purposes. |
Your rights
You can contact [email protected] to exercise your rights. Depending on the law and the context, you may:
- access the personal data we hold about you
- ask us to correct inaccurate data
- ask us to delete data where the law allows
- object to or restrict certain processing
- withdraw consent at any time for consent-based processing
- ask for a portable copy of data you provided
- complain to the Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Cookies and preferences
You can change analytics and advertising preferences from the Cookie Policy page at any time. Withdrawing consent does not affect processing that already happened while consent was valid, and it does not affect processing required for orders, accounting, security, or legal obligations.

