Privacy Policy – A Kártya Application

Effective date: 1 January 2026

1. Data Controller

The operator of the A Kártya application and the Data Controller:

Data Controller: Kolozsvári Magyar Diákszövetség (represented by: Petra László);
Registered office: Avram Iancu St. 21, Cluj-Napoca, Romania;
Contact email: akartya@kmdsz.ro

2. Purpose and scope of this notice

This notice sets out the data processing principles and provides information regarding the processing of personal data of natural persons using the Application.

User types:
- Student Users;
- Service Provider Users (representatives of partners).

3. Categories of personal data processed and legal basis

3.1 Student Users:
- Email address – identification; consent (GDPR Art. 6(1)(a));
- Password (encrypted) – secure login; consent;
- Name – personalization; consent;
- Date of birth – identification; consent;
- University, faculty, programme/major, year of study, language of study, student registry number – identification; consent;
- Verification / proof of student status photo – one-time AI-based verification; explicit consent (GDPR Art. 9(2)(a));
- Usage data – personalised offers; consent;
- Location data – “nearby offers” feature; consent.

3.2 Partner (Service Provider) Users:
- Contact email + password (encrypted), phone number – consent;
- Business data (name, address, opening hours, logo) – operation of the service; legitimate interest (GDPR Art. 6(1)(f)).

4. Duration of data processing

Until automatic deletion of the user account (until the end of the new academic year following registration) or until consent is withdrawn.

5. Data security

We protect data with encryption, firewalls, TLS/HTTPS protection, and restricted access.

6. Data processors

The Data Controller uses only GDPR-compliant external service providers and private individuals, including:
- Individuals operating the application and reviewing student-status verification, with whom a data processing agreement is concluded;
- Server / database providers;
- AI verification provider;
- Email sending provider.

7. Data subject rights

The User has the right to:
- request information about the processing of their personal data;
- access their personal data;
- request rectification, erasure, or restriction of processing;
- withdraw consent at any time;
- exercise the right to data portability.

Requests can be submitted to:
akartya@kmdsz.ro

8. Remedies / complaints

In case of issues, the Data Controller can be contacted at akartya@kmdsz.ro.

ANSPDCP (Romanian Data Protection Authority)
Web: dataprotection.ro
Tel: +40 318 059 211

9. Amendments

This notice may be amended; users will be notified about changes within the application.