Privacy Policy

A transparent summary of the processing of personal data related to the b2bemail (b2brelay.com) service — under Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).

1. Data controller details

This notice concerns the data processing of the service operating under the b2bemail brand name (b2brelay.com). The data controller:

Name

Kapás Bence e.v. (sole trader)

Brand

b2bemail

Registered seat

4200 Hajdúszoboszló, Szívós utca 24

Mailing address

8600 Siófok, Kennedy Ferenc utca 13 A/1

Email

hello@b2brelay.com

Phone

+36 30 390 6392 (not a recorded line)

Website

https://b2brelay.com

Tax number

________-_-__

Registration number

________

Hosting provider

Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA)

DPO

The business does not appoint a data protection officer — there is no statutory obligation to do so.

2. General information

The business processes personal data within the data subject categories set out in this notice, strictly tied to the stated purposes. b2bemail is a B2B customer-acquisition system for European companies — we send outgoing cold-email campaigns only to business recipients (decision-makers working at companies, at their business email address); consumer (B2C) outreach to private individuals is not part of the service.

The business does not use automated decision-making or profiling within the meaning of GDPR Article 22. Human control sits behind every sending decision: the audit log documents this in a traceable way.

Providing data is voluntary on the client's part; however, without billing and contact data, the contract cannot be performed.

3. Legal bases for processing

b2bemail processes data on different legal bases for different categories of data subjects. The three main legal bases:

• Performance of a contract — GDPR Article 6(1)(b) — Processing the data of client companies and their contacts to perform the service agreement.
• Legitimate interest — GDPR Article 6(1)(f) — Business outreach to B2B recipients on the basis of a documented balancing test, and maintaining the do-not-contact list (DNC) and the audit log for accountability.
• Legal obligation — GDPR Article 6(1)(c) — Retention and processing required by accounting and tax-law rules (Accounting Act, VAT Act).
• Consent — GDPR Article 6(1)(a) — Voluntary completion of the contact form, and non-functional (analytics, marketing) cookies.

For legitimate-interest-based B2B outreach, a written legitimate-interest balancing test has been prepared, examining the balance between the rights and freedoms of data subjects and the business's commercial interest. The result of the test can be shared with the data subject on request.

4. Data processed and data subjects

The categories below summarize what data we process, for what purpose, on what legal basis, and for how long.

5. Cookies

The website uses functional cookies necessary for its operation. To measure traffic we use Google Analytics (GA4), which places cookies — but we load these only with the visitor's explicit consent. On the cookie banner shown the first time you open the site you can choose freely: with the “Only necessary” option, the analytics cookies stay switched off.

Cookie types used

• Functional cookies — Necessary for the basic operation of the website (e.g., language preference or remembering your cookie choice). Based on legitimate interest — they can be used without consent.
• Analytics cookies (Google Analytics) — We measure website traffic with Google Analytics (GA4), which places cookies (e.g., _ga, _gid). We load these only with the visitor's consent; without consent they are not activated. Consent can be declined on the cookie banner.
• Marketing/tracking cookies — We do not use any advertising or remarketing tracking cookies on the website.

A cookie consent given previously can be withdrawn at any time by clearing the site's stored data (local storage) in your browser, after which the site will ask again. In most browsers, cookies can also be fully disabled in the browser settings. Disabling non-functional cookies does not prevent you from using the site.

6. Who has access to the data

Personal data is accessed by the data controller (Kapás Bence e.v.) and by its employees and contractors under a contractual relationship — strictly to the extent necessary to perform their duties, and under a written confidentiality obligation.

Access is role-based: campaign operators can only access the data of the campaigns assigned to them, while the audit logs are available in an immutable, read-only format.

7. Data transfers and data processors

To operate the service, the business engages data processors in the following main categories. A written data processing agreement (DPA) is in place with every data processor; a dedicated DPA is also available to clients on request.

Transfers to third countries

If any of the engaged providers transfers data outside the EU/EEA, this takes place solely under the appropriate safeguards required by Chapter V of the GDPR (EU–US Data Privacy Framework certification, or the standard contractual clauses (SCC) approved by the European Commission).

8. Data subject rights

In relation to the processing, the data subject can exercise the following rights under the GDPR:

• Right to information — The data subject can request clear, easily accessible information about the key elements of the processing (who processes what, for what purpose, how, and from when until when).
• Right of access — The data subject can request confirmation as to whether their data is being processed and, if so, which of their data we process.
• Right to rectification — The data subject can flag inaccurate data and request its correction or completion.
• Right to erasure — The data subject can request the erasure of their data — within the limits of statutory retention obligations (e.g., accounting retention, the audit log).
• Right to restriction of processing — In certain cases — for example, disputed accuracy or an unresolved legal dispute — the data subject can request that the processing of their data be restricted.
• Right to data portability — The data subject can request to receive the data they have provided about themselves in a structured, machine-readable format (e.g., CSV, JSON) and to transmit it to another data controller.
• Right to object — The data subject can object at any time to processing based on legitimate interest. For B2B recipients, this is provided by the one-click unsubscribe link in every outgoing email — the objection takes effect immediately and globally via the do-not-contact list (DNC).
• Right to withdraw consent — The data subject can withdraw consent-based processing (e.g., analytics cookies, the contact form) at any time. Withdrawal does not affect the lawfulness of processing carried out beforehand.

The data subject can exercise these rights by a statement addressed to the data controller, verbally, in writing, by post, or at the hello@b2brelay.com email address. The data controller provides a substantive response within 30 days at the latest of receiving the request.

9. Complaints and the supervisory authority

If the data subject has a complaint regarding the processing, we recommend contacting the data controller first — there are 30 calendar days to investigate and respond to the complaint. If, after receiving the response, the data subject still maintains the complaint, they can turn to a court or to the NAIH (Hungarian National Authority for Data Protection and Freedom of Information):

10. Amendments to this notice

The business reserves the right to amend this notice unilaterally. The version in effect at any given time is available on the business's website — at b2brelay.com/privacy. In the event of a material change, we also notify affected clients by email.

Effective from the date of publication.