Skip to content
Legal

Privacy Policy

How we collect, use and protect your personal data in accordance with GDPR.

Last updated: May 16, 2026

1. Data Controller

The following entity processes your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Hungarian data protection law (Act CXII of 2011 on Informational Self-Determination and Freedom of Information).

  • Full name: Lab2Label KorlĂĄtolt FelelƑssĂ©gƱ TĂĄrsasĂĄg
  • Short name: Lab2Label Kft.
  • Registered office: 1029 Budapest, Huba vezĂ©r utca 2/B, Hungary
  • Company registration no.: 01-09-444315
  • VAT number: 32819821-2-41
  • Represented by: Hajdu Bence BalĂĄzs
  • Email: contact@lab2label.eu
  • Phone: +36 70 603 1083

2. Purpose and Scope of This Policy

This Privacy Policy provides detailed, plain-language information about data processing activities carried out on the Lab2Label Kft. website (lab2label.eu and lab2label.hu), including the quote request form, the internal admin system, analytics tools, and cookie management.

This policy applies to natural persons located in the European Union who visit the website or submit a quote request.

3. Principles of Data Processing

The Data Controller processes your personal data in accordance with the following GDPR principles:

  • Lawfulness, fairness and transparency: Data is processed only on a valid legal basis and in a transparent manner.
  • Purpose limitation: Data is collected for specified, explicit and legitimate purposes only.
  • Data minimisation: Only data that is necessary for the purpose is processed.
  • Accuracy: Data is kept up to date; inaccurate data is erased or corrected.
  • Storage limitation: Data is kept only for as long as necessary.
  • Integrity and confidentiality: Data is protected by appropriate technical and organisational measures.
  • Accountability: The Data Controller is responsible for compliance and can demonstrate it.

4. Quote Request and Contact Form

When you fill in our quote request form, the following data may be processed:

  • Full name (required)
  • Email address (required)
  • Phone number (optional)
  • Company name (optional)
  • Website or existing project link (optional)
  • Selected primary service
  • Related service interests
  • Answers to service-specific questions
  • Project status
  • Desired timeline
  • Estimated project budget (optional)
  • Brief project description (required)
  • Communication language
  • Fact and timestamp of consent
  • Submission timestamp

Purpose of processing: To process your enquiry, contact you for follow-up, ask clarifying questions and prepare a tailored business proposal.

Legal basis: GDPR Article 6(1)(b) (steps taken prior to entering into a contract) and GDPR Article 6(1)(f) (legitimate interest of the Data Controller in documenting business enquiries and preparing proposals).

5. Automated Confirmation Emails

Following submission of a quote request, the Data Controller sends an automated confirmation email to the address you provided, confirming receipt and facilitating further contact.

Legal basis: GDPR Article 6(1)(b) (pre-contractual steps) and GDPR Article 6(1)(f) (legitimate interest of the Data Controller).

The email is delivered on behalf of the Data Controller by the email service provider (Resend Inc.), acting as a data processor.

6. Internal Admin System (Lead Management)

To process quote requests, the Data Controller operates an internal administration system (admin panel). The following data and content may be stored within the system:

  • All fields submitted via the quote request form
  • Lead status (e.g. new, contacted, proposal sent)
  • Internal notes and comments
  • Activity log related to proposal preparation
  • Assigned team member responsible for the lead

Access to the admin system is restricted to authorised employees and collaborators of the Data Controller, governed by role-based access control.

7. UTM, Referrer and Campaign Tracking Data

In order to measure the effectiveness of marketing and campaign activities, the Data Controller may record the following technical data alongside each quote request:

  • UTM source (utm_source) — e.g. google, facebook
  • UTM medium (utm_medium) — e.g. cpc, email
  • UTM campaign name (utm_campaign)
  • Referrer — the URL from which the visitor arrived
  • Landing page — the page of the website first opened by the visitor

This data is stored in association with the quote request for the purpose of identifying the source of enquiries and measuring marketing effectiveness.

Legal basis: GDPR Article 6(1)(f) (legitimate interest of the Data Controller in measuring business performance and marketing effectiveness).

8. Website Usage and Analytics Data

When you visit the website, technical data (such as IP address, browser type, operating system, pages visited, and the time and duration of your visit) may be logged for analytics purposes.

Where the Data Controller uses Google Analytics, it is activated only with your prior consent. Data is processed by Google Ireland Limited on behalf of the Data Controller. Google's Privacy Policy governs the processing of Google Analytics data.

Legal basis: GDPR Article 6(1)(a) (consent).

9. Cookies and Consent Management

The website uses the following cookies:

CategoryCookie nameProviderPurposeExpiry
Necessarycookie_consentLab2LabelStores cookie consent preferences12 months
Necessarysb-[id]-auth-tokenSupabaseAdmin session management (authenticated admin users only)Session
Analytics *_ga, _ga_XXXXXXXXGoogle Ireland LtdDistinguishes unique visitors and tracks session statistics2 years / 2 years
Marketing *_fbp, _fbcMeta Platforms Ireland LtdMeasures Facebook/Instagram ad performance and remarketing90 days

* Analytics and marketing cookies are activated only with your prior consent.

You may withdraw or update your consent at any time via the cookie preference centre available on the website.

Necessary cookies — legal basis: GDPR Article 6(1)(f) (legitimate interest — essential for the website to function properly).
Analytics and marketing cookies — legal basis: GDPR Article 6(1)(a) (consent).

10. Newsletter and Marketing Communications

The website does not currently offer a newsletter subscription. The Data Controller may only send direct marketing communications on the basis of the data subject's prior, explicit and freely given consent.

Should the Data Controller introduce a newsletter or other direct marketing service in the future, a separate privacy notice will be provided and, where required, a specific consent will be requested.

11. Data Processors and Third-Party Providers

The Data Controller engages the following data processors. Your personal data is not sold to third parties and is processed solely for the specified purposes under contract with each processor.

ProviderLocationRolePrivacy policy
Vercel Inc.USAWebsite hosting and deliveryvercel.com/legal/privacy-policy
Supabase Inc.USADatabase (storage of quote requests)supabase.com/privacy
Resend Inc.USATransactional email delivery (notifications, confirmations)resend.com/legal/privacy-policy
Google Ireland LimitedIreland / USAWeb analytics (Google Analytics, if enabled)policies.google.com/privacy
Meta Platforms Ireland LtdIreland / USAMarketing measurement (Meta Pixel, if enabled)facebook.com/privacy/policy

12. International Data Transfers

Certain data processors (Vercel Inc., Supabase Inc., Resend Inc.) may process data outside the European Economic Area (EEA), including in the United States. In such cases, transfers are carried out under one of the following safeguards:

  • An adequacy decision of the European Commission (e.g. EU–US Data Privacy Framework, where applicable), or
  • Standard Contractual Clauses (SCCs) approved by the European Commission.

Further details on the safeguards applied by each processor can be found in their respective privacy policies (see Section 11).

13. Data Retention Periods

The Data Controller retains personal data for the following periods:

Data categoryRetention periodLegal basis
Quote request and contact dataUp to 2 years from the last interactionLegitimate interest
Data relating to concluded contracts5 years (general civil limitation period)Legal obligation
Invoicing data (where invoiced)8 yearsLegal obligation (accounting law)
Analytics data (Google Analytics)14 months (Google Analytics default setting)Consent
Cookie consent record12 monthsLegitimate interest
Admin activity logs12 monthsLegitimate interest
Marketing consentUntil consent is withdrawnConsent

14. Your Rights as a Data Subject

Under the GDPR, you have the following rights:

  • Right of access (Art. 15): You may request information about what personal data we hold about you, for what purpose and on what legal basis.
  • Right to rectification (Art. 16): You may request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): You may request deletion of your data where processing is no longer necessary or consent has been withdrawn.
  • Right to restriction of processing (Art. 18): In certain circumstances you may request that we only store, but not further process, your data.
  • Right to data portability (Art. 20): You may request your data in a structured, machine-readable format.
  • Right to object (Art. 21): You may object to processing, in particular where it is based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights, please contact us at contact@lab2label.eu. We will respond to your request within 30 days.

15. Complaints and Supervisory Authority

If you believe that the processing of your data infringes the GDPR, you have the right to lodge a complaint with the Hungarian supervisory authority:

  • Authority: Nemzeti AdatvĂ©delmi Ă©s InformĂĄciĂłszabadsĂĄg HatĂłsĂĄg (NAIH)
  • Website: www.naih.hu
  • Address: 1055 Budapest, Falk Miksa utca 9–11., Hungary
  • Postal address: 1363 Budapest, Pf. 9., Hungary
  • Email: ugyfelszolgalat@naih.hu
  • Phone: +36 1 391 1400

You also have the right to bring a claim before the competent courts under the GDPR and applicable national law.

16. Data Security

The Data Controller implements appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction, including:

  • Encrypted HTTPS connections (SSL/TLS) across all pages of the website
  • Restricted, authorisation-based access to the admin system
  • Role-based access control (admin, editor, viewer)
  • Secure authentication managed by Supabase Auth
  • Server-side data validation and input sanitisation on all API endpoints
  • Automatic rate limiting to prevent abuse (5 requests per IP per minute)
  • Row-Level Security (RLS) to restrict database access at the record level
  • Activity logging within the admin system
  • Regular software updates and dependency management

17. No Automated Decision-Making

The Data Controller does not carry out automated decision-making or profiling based on your personal data. Every quote request and enquiry is reviewed and processed by a human team member.

18. Changes to This Policy

The Data Controller reserves the right to update this Privacy Policy as necessary. Users will be notified of material changes by email or by a prominent notice on the website. The effective date of any revision is always shown at the top of this page.

The current version of this policy is available at the Privacy Policy page of the website.