Privacy Policy
How we collect, use and protect your personal data in accordance with GDPR.
Last updated: May 16, 2026
1. Data Controller
The following entity processes your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Hungarian data protection law (Act CXII of 2011 on Informational Self-Determination and Freedom of Information).
- Full name: Lab2Label KorlĂĄtolt FelelĆssĂ©gƱ TĂĄrsasĂĄg
- Short name: Lab2Label Kft.
- Registered office: 1029 Budapest, Huba vezér utca 2/B, Hungary
- Company registration no.: 01-09-444315
- VAT number: 32819821-2-41
- Represented by: Hajdu Bence BalĂĄzs
- Email: contact@lab2label.eu
- Phone: +36 70 603 1083
2. Purpose and Scope of This Policy
This Privacy Policy provides detailed, plain-language information about data processing activities carried out on the Lab2Label Kft. website (lab2label.eu and lab2label.hu), including the quote request form, the internal admin system, analytics tools, and cookie management.
This policy applies to natural persons located in the European Union who visit the website or submit a quote request.
3. Principles of Data Processing
The Data Controller processes your personal data in accordance with the following GDPR principles:
- Lawfulness, fairness and transparency: Data is processed only on a valid legal basis and in a transparent manner.
- Purpose limitation: Data is collected for specified, explicit and legitimate purposes only.
- Data minimisation: Only data that is necessary for the purpose is processed.
- Accuracy: Data is kept up to date; inaccurate data is erased or corrected.
- Storage limitation: Data is kept only for as long as necessary.
- Integrity and confidentiality: Data is protected by appropriate technical and organisational measures.
- Accountability: The Data Controller is responsible for compliance and can demonstrate it.
4. Quote Request and Contact Form
When you fill in our quote request form, the following data may be processed:
- Full name (required)
- Email address (required)
- Phone number (optional)
- Company name (optional)
- Website or existing project link (optional)
- Selected primary service
- Related service interests
- Answers to service-specific questions
- Project status
- Desired timeline
- Estimated project budget (optional)
- Brief project description (required)
- Communication language
- Fact and timestamp of consent
- Submission timestamp
Purpose of processing: To process your enquiry, contact you for follow-up, ask clarifying questions and prepare a tailored business proposal.
Legal basis: GDPR Article 6(1)(b) (steps taken prior to entering into a contract) and GDPR Article 6(1)(f) (legitimate interest of the Data Controller in documenting business enquiries and preparing proposals).
5. Automated Confirmation Emails
Following submission of a quote request, the Data Controller sends an automated confirmation email to the address you provided, confirming receipt and facilitating further contact.
Legal basis: GDPR Article 6(1)(b) (pre-contractual steps) and GDPR Article 6(1)(f) (legitimate interest of the Data Controller).
The email is delivered on behalf of the Data Controller by the email service provider (Resend Inc.), acting as a data processor.
6. Internal Admin System (Lead Management)
To process quote requests, the Data Controller operates an internal administration system (admin panel). The following data and content may be stored within the system:
- All fields submitted via the quote request form
- Lead status (e.g. new, contacted, proposal sent)
- Internal notes and comments
- Activity log related to proposal preparation
- Assigned team member responsible for the lead
Access to the admin system is restricted to authorised employees and collaborators of the Data Controller, governed by role-based access control.
7. UTM, Referrer and Campaign Tracking Data
In order to measure the effectiveness of marketing and campaign activities, the Data Controller may record the following technical data alongside each quote request:
- UTM source (utm_source) â e.g. google, facebook
- UTM medium (utm_medium) â e.g. cpc, email
- UTM campaign name (utm_campaign)
- Referrer â the URL from which the visitor arrived
- Landing page â the page of the website first opened by the visitor
This data is stored in association with the quote request for the purpose of identifying the source of enquiries and measuring marketing effectiveness.
Legal basis: GDPR Article 6(1)(f) (legitimate interest of the Data Controller in measuring business performance and marketing effectiveness).
8. Website Usage and Analytics Data
When you visit the website, technical data (such as IP address, browser type, operating system, pages visited, and the time and duration of your visit) may be logged for analytics purposes.
Where the Data Controller uses Google Analytics, it is activated only with your prior consent. Data is processed by Google Ireland Limited on behalf of the Data Controller. Google's Privacy Policy governs the processing of Google Analytics data.
Legal basis: GDPR Article 6(1)(a) (consent).
9. Cookies and Consent Management
The website uses the following cookies:
| Category | Cookie name | Provider | Purpose | Expiry |
|---|---|---|---|---|
| Necessary | cookie_consent | Lab2Label | Stores cookie consent preferences | 12 months |
| Necessary | sb-[id]-auth-token | Supabase | Admin session management (authenticated admin users only) | Session |
| Analytics * | _ga, _ga_XXXXXXXX | Google Ireland Ltd | Distinguishes unique visitors and tracks session statistics | 2 years / 2 years |
| Marketing * | _fbp, _fbc | Meta Platforms Ireland Ltd | Measures Facebook/Instagram ad performance and remarketing | 90 days |
* Analytics and marketing cookies are activated only with your prior consent.
You may withdraw or update your consent at any time via the cookie preference centre available on the website.
Necessary cookies â legal basis: GDPR Article 6(1)(f) (legitimate interest â essential for the website to function properly).
Analytics and marketing cookies â legal basis: GDPR Article 6(1)(a) (consent).
10. Newsletter and Marketing Communications
The website does not currently offer a newsletter subscription. The Data Controller may only send direct marketing communications on the basis of the data subject's prior, explicit and freely given consent.
Should the Data Controller introduce a newsletter or other direct marketing service in the future, a separate privacy notice will be provided and, where required, a specific consent will be requested.
11. Data Processors and Third-Party Providers
The Data Controller engages the following data processors. Your personal data is not sold to third parties and is processed solely for the specified purposes under contract with each processor.
| Provider | Location | Role | Privacy policy |
|---|---|---|---|
| Vercel Inc. | USA | Website hosting and delivery | vercel.com/legal/privacy-policy |
| Supabase Inc. | USA | Database (storage of quote requests) | supabase.com/privacy |
| Resend Inc. | USA | Transactional email delivery (notifications, confirmations) | resend.com/legal/privacy-policy |
| Google Ireland Limited | Ireland / USA | Web analytics (Google Analytics, if enabled) | policies.google.com/privacy |
| Meta Platforms Ireland Ltd | Ireland / USA | Marketing measurement (Meta Pixel, if enabled) | facebook.com/privacy/policy |
12. International Data Transfers
Certain data processors (Vercel Inc., Supabase Inc., Resend Inc.) may process data outside the European Economic Area (EEA), including in the United States. In such cases, transfers are carried out under one of the following safeguards:
- An adequacy decision of the European Commission (e.g. EUâUS Data Privacy Framework, where applicable), or
- Standard Contractual Clauses (SCCs) approved by the European Commission.
Further details on the safeguards applied by each processor can be found in their respective privacy policies (see Section 11).
13. Data Retention Periods
The Data Controller retains personal data for the following periods:
| Data category | Retention period | Legal basis |
|---|---|---|
| Quote request and contact data | Up to 2 years from the last interaction | Legitimate interest |
| Data relating to concluded contracts | 5 years (general civil limitation period) | Legal obligation |
| Invoicing data (where invoiced) | 8 years | Legal obligation (accounting law) |
| Analytics data (Google Analytics) | 14 months (Google Analytics default setting) | Consent |
| Cookie consent record | 12 months | Legitimate interest |
| Admin activity logs | 12 months | Legitimate interest |
| Marketing consent | Until consent is withdrawn | Consent |
14. Your Rights as a Data Subject
Under the GDPR, you have the following rights:
- Right of access (Art. 15): You may request information about what personal data we hold about you, for what purpose and on what legal basis.
- Right to rectification (Art. 16): You may request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): You may request deletion of your data where processing is no longer necessary or consent has been withdrawn.
- Right to restriction of processing (Art. 18): In certain circumstances you may request that we only store, but not further process, your data.
- Right to data portability (Art. 20): You may request your data in a structured, machine-readable format.
- Right to object (Art. 21): You may object to processing, in particular where it is based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
To exercise any of these rights, please contact us at contact@lab2label.eu. We will respond to your request within 30 days.
15. Complaints and Supervisory Authority
If you believe that the processing of your data infringes the GDPR, you have the right to lodge a complaint with the Hungarian supervisory authority:
- Authority: Nemzeti Adatvédelmi és Informåciószabadsåg Hatósåg (NAIH)
- Website: www.naih.hu
- Address: 1055 Budapest, Falk Miksa utca 9â11., Hungary
- Postal address: 1363 Budapest, Pf. 9., Hungary
- Email: ugyfelszolgalat@naih.hu
- Phone: +36 1 391 1400
You also have the right to bring a claim before the competent courts under the GDPR and applicable national law.
16. Data Security
The Data Controller implements appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction, including:
- Encrypted HTTPS connections (SSL/TLS) across all pages of the website
- Restricted, authorisation-based access to the admin system
- Role-based access control (admin, editor, viewer)
- Secure authentication managed by Supabase Auth
- Server-side data validation and input sanitisation on all API endpoints
- Automatic rate limiting to prevent abuse (5 requests per IP per minute)
- Row-Level Security (RLS) to restrict database access at the record level
- Activity logging within the admin system
- Regular software updates and dependency management
17. No Automated Decision-Making
The Data Controller does not carry out automated decision-making or profiling based on your personal data. Every quote request and enquiry is reviewed and processed by a human team member.
18. Changes to This Policy
The Data Controller reserves the right to update this Privacy Policy as necessary. Users will be notified of material changes by email or by a prominent notice on the website. The effective date of any revision is always shown at the top of this page.
The current version of this policy is available at the Privacy Policy page of the website.