Privacy Policy
Last updated February 01, 2026
This Privacy Policy for KRITON Information Technology Kft., doing business as express-key.com ("we", "us", or "our"), explains how we collect, use, store, share, and otherwise process personal information when you use our website, customer account, checkout, payment, digital delivery, support, and related services.
For the purposes of this Privacy Policy, a Digital Access Product means any subscription code, premium access code, voucher, account upgrade, subscription-based access right, or similar digital credential sold by express-key.com for use with a third-party cloud storage service or digital platform.
Controller: KRITON Information Technology Kft.
Registered address: Egyenlőség utca 57, 7628 Pécs, Hungary
Company registration number: 02-09-087989
Privacy contact: [email protected]
Table of Contents
1. What information do we collect?
2. How do we process your information?
3. What legal bases do we rely on?
4. When and with whom do we share your personal information?
5. Is your information transferred internationally?
6. How long do we keep your information?
7. Do we use cookies or similar technologies?
8. How do we keep your information safe?
9. Do we collect information from minors?
10. What are your privacy rights?
11. Do United States residents have specific privacy rights?
12. Do Canadian and Japanese residents have specific privacy rights?
13. Complaints to the Hungarian Supervisory Authority (NAIH)
14. Do we make updates to this notice?
15. How can you contact us about this notice?
16. How can you review, update, or delete your information?
1. What Information Do We Collect?
Personal information you provide to us
We collect personal information that you voluntarily provide when you create an account, place an order, purchase a Digital Access Product, contact support, request information, or otherwise interact with us.
Depending on your interaction with us, this may include:
- name;
- email address;
- username;
- password hash and authentication data;
- billing address;
- invoice and order data;
- customer-support messages and attachments you send to us;
- order identifiers, product identifiers, subscription/access information, and activation status.
We do not intentionally collect special categories of personal data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for identification, health data, or data concerning sex life or sexual orientation.
Payment data
We process payment-related information necessary to initiate, confirm, reconcile, document, and support payments. This may include payment references, transaction identifiers, payment status information, payment method, amount, currency, payment date, and related order metadata.
Where payment services are provided by third-party payment service providers, those providers process payment data under their own terms and Privacy Policys. We do not store bank login credentials, full payment-card numbers, card security codes, or other sensitive payment authentication credentials.
Relevant third-party payment notices may include: finAPI GmbH and, where card payments are offered in checkout, SimplePay.
Information automatically collected
We automatically collect certain technical and log information when you visit or use our Services. This may include your IP address, browser type, device characteristics, operating system, language preferences, referring URLs, date and time stamps, pages viewed, actions taken on the website, session identifiers, error logs, and security logs.
This information is primarily needed to operate and secure the website, maintain sessions, prevent fraud and abuse, troubleshoot errors, and keep the checkout and digital delivery systems functioning.
Approximate location data. We may infer an approximate location, such as country or region, from your IP address, billing country, payment data, or device/browser metadata. We do not intentionally collect precise GPS-based location data through our website.
Information received from third parties
We generally collect personal information directly from you. We may also receive limited transaction, payment status, invoice, fraud-prevention, support, or activation-related information from payment service providers, banks, invoicing providers, platform/access providers, or technical service providers where necessary to operate the webshop, process orders, reconcile payments, deliver Digital Access Products, prevent fraud, or comply with legal obligations.
2. How Do We Process Your Information?
We process personal information for the following purposes:
- Account creation, authentication, and account management. We process account registration data, login credentials, account settings, account activity, and related technical data to create, maintain, secure, and support customer accounts.
- Order processing and digital delivery. We process order, account, email, product, payment status, and activation data to sell, deliver, activate, validate, and support Digital Access Products.
- Customer support. We process account, order, payment, activation, and communication records to respond to questions, complaints, refund requests, technical issues, and support requests.
- Administrative communications. We process contact and account data to send order confirmations, service messages, invoices, payment notices, account/security notices, and updates to our terms or policies.
- Payment confirmation and reconciliation. We process payment references, transaction identifiers, order metadata, payment status information, and related communications to match payments to orders, investigate failed, delayed, duplicate, or disputed payments, and maintain accurate transaction records.
- Invoicing, accounting, VAT, OSS, and statutory records. We process billing, invoice, tax, VAT, payment, and order records to comply with accounting, tax, VAT, and statutory recordkeeping obligations.
- Security, fraud prevention, and abuse prevention. We process technical logs, IP/device data, account activity, order records, payment metadata, and support records to secure the website, customer accounts, checkout, payment flow, and digital delivery systems.
- Chargebacks, disputes, and legal claims. We process relevant account, order, payment, communication, and technical records to handle complaints, payment disputes, chargebacks, legal requests, enforcement of our terms, and the establishment, exercise, or defence of legal claims.
- Cookies and consent management. We process cookie preferences and consent records to remember your privacy choices and comply with applicable cookie and privacy rules.
- Marketing or non-essential analytics, if used. We process personal information for marketing emails, advertising, or non-essential analytics only where we have a valid consent or another applicable legal basis.
3. What Legal Bases Do We Rely On?
If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases where applicable:
| Processing activity | Legal basis |
|---|---|
| Account creation, login, authentication, account management, and account-related customer support | Performance of a contract or pre-contractual steps, Article 6(1)(b) GDPR |
| Order processing, sale, delivery, activation, validation, and support of Digital Access Products | Performance of a contract, Article 6(1)(b) GDPR |
| Payment confirmation, payment matching, payment reconciliation, and transaction troubleshooting | Performance of a contract, Article 6(1)(b) GDPR; legitimate interests for fraud prevention and dispute handling, Article 6(1)(f) GDPR |
| Invoicing, accounting, VAT, OSS, tax reporting, statutory recordkeeping, and cooperation with competent authorities | Legal obligation, Article 6(1)(c) GDPR |
| Website security, fraud prevention, abuse prevention, chargeback handling, enforcement of terms, troubleshooting, audit trails, and legal claims | Legitimate interests, Article 6(1)(f) GDPR |
| Non-essential cookies, marketing emails, targeted advertising, or non-essential analytics, if used | Consent, Article 6(1)(a) GDPR, unless another valid legal basis applies under applicable law |
Our legitimate interests include securing our website, accounts, checkout and digital delivery systems; preventing and investigating fraud, abuse, chargebacks and misuse; reconciling payments and resolving transaction problems; establishing, exercising or defending legal claims; troubleshooting service issues; preserving audit trails; ensuring business continuity; and maintaining reliable customer support. We rely on these interests only where they are not overridden by your interests, rights, and freedoms.
4. When and With Whom Do We Share Your Personal Information?
We disclose personal information only where necessary to operate the webshop, process and reconcile payments, issue invoices, deliver or activate Digital Access Products, provide customer support, comply with legal obligations, prevent fraud or abuse, or establish, exercise or defend legal claims.
We do not sell personal information. We do not share personal information for cross-context behavioural advertising unless this is expressly stated and the required opt-out or consent mechanism is provided.
Where a third-party service provider acts as our processor within the meaning of Article 28 GDPR, we use a data processing agreement or equivalent contractual terms requiring the provider to process personal information only on our instructions and to apply appropriate safeguards. Some recipients, such as banks, regulated payment institutions, tax authorities, legal advisers, or independent platform/access providers, may act as independent controllers and process personal information under their own legal obligations and Privacy Policys.
| Recipient category | Recipient / provider | Purpose |
|---|---|---|
| Website hosting and infrastructure | Hetzner Online GmbH and related infrastructure providers | Website hosting, server infrastructure, database operation, security logs, backups, technical maintenance |
| Invoicing and accounting | Számlázz.hu / KBOSS.hu Kft.; accountants and tax advisers | Invoice creation, invoice delivery, accounting, VAT/OSS records, tax compliance |
| Payment services and payment initiation | finAPI GmbH; SimplePay.hu, where card payments are offered; banks and payment account providers | Payment initiation, payment processing, payment confirmation, payment reconciliation, payment dispute handling |
| Email and customer communication providers | Email, hosting, and support infrastructure providers used by us | Transactional emails, order confirmations, invoice notices, support communication, account/security notices |
| Platform/access providers | Relevant third-party cloud storage or digital platform providers | Delivery, activation, validation, maintenance, or support of Digital Access Products purchased by you |
| Legal, tax, accounting, and compliance advisers | Professional advisers engaged by us | Tax compliance, accounting, legal claims, dispute handling, compliance review |
| Public authorities | Tax authorities, courts, regulators, law enforcement, and other competent authorities where legally required | Compliance with legal obligations, official requests, proceedings, audits, investigations, or legal claims |
| Business-transfer recipients | Potential or actual buyers, successors, investors, or advisers involved in a merger, acquisition, sale of assets, financing, restructuring, or similar transaction | Business transfer, corporate restructuring, financing, due diligence, or continuity of operations |
Where we request information needed to create an account, process an order, deliver or activate a Digital Access Product, issue an invoice, process or reconcile payment, or provide customer support, providing that information is necessary to enter into or perform the contract with you or to comply with our legal obligations. If you do not provide the required information, we may be unable to create or maintain your account, process your order, deliver the Digital Access Product, issue an invoice, confirm payment, or provide support.
We do not use personal information for automated decision-making that produces legal effects or similarly significant effects concerning you.
5. Is Your Information Transferred Internationally?
Our main servers are located in Germany and Hungary. Depending on the providers and services used, personal information may also be processed in other countries, including other EEA countries, Switzerland, the United Kingdom, the United States, or other countries where our payment, hosting, support, platform, or infrastructure providers operate.
Where personal information is transferred outside the EEA, UK, or Switzerland, we rely on an adequacy decision where available or on appropriate safeguards such as the European Commission's Standard Contractual Clauses, where required. Further information may be provided upon request where this is legally required and does not prejudice security, confidentiality, or third-party rights.
6. How Long Do We Keep Your Information?
We keep personal information only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
| Data category | Retention period / criteria |
|---|---|
| Account data | For as long as your account exists, unless earlier deletion is required or later retention is necessary for legal, fraud-prevention, accounting, security, or dispute purposes. |
| Billing, invoice, accounting, VAT, OSS, and payment records supporting bookkeeping | At least 8 years in accordance with Hungarian accounting law, including Section 169 of Act C of 2000 on Accounting. These records may include invoice data, billing details, order identifiers, payment references, and documents directly or indirectly supporting our bookkeeping. We may retain them longer where required for an ongoing tax audit, legal dispute, accounting correction, or statutory proceeding. |
| Order and delivery records not required as accounting records | For as long as necessary for customer support, product delivery, fraud prevention, dispute handling, limitation periods, and legal claims. |
| Customer-support communications | Normally up to 3 years after closure of the request, unless longer retention is necessary for accounting, fraud prevention, disputes, chargebacks, legal claims, or statutory obligations. |
| Security logs, technical logs, error logs, and fraud-prevention records | Normally 30 to 90 days for routine logs, unless longer retention is necessary for security incidents, fraud prevention, abuse investigation, payment disputes, chargebacks, legal claims, or statutory obligations. |
| Cookie consent records | For as long as necessary to document your privacy choices and comply with applicable consent-management obligations. |
| Marketing consent records, if any | Until consent is withdrawn, plus any suppression records needed to respect opt-outs and demonstrate compliance. |
Some data, especially billing, invoice, accounting, VAT, fraud-prevention, dispute, and legal-claim records, may be retained after account deletion where required or permitted by law.
When we no longer have an ongoing lawful need to process personal information, we will delete or anonymise it. If deletion is not immediately possible, for example because data is stored in backup archives, we will securely store it and isolate it from further active processing until deletion is possible.
7. Do We Use Cookies or Similar Technologies?
We use strictly necessary cookies and similar technologies to operate the website, maintain sessions, secure checkout, remember privacy preferences, prevent abuse, and provide core functionality.
Non-essential cookies, including analytics, advertising, affiliate tracking, conversion tracking, pixels, or similar technologies, are used only where we have the required consent or another valid legal basis under applicable law. You can manage or withdraw cookie consent through the cookie banner or preference mechanism provided on the website, where applicable.
Your browser may also allow you to block, delete, or restrict cookies. Blocking strictly necessary cookies may affect the functionality of the website, checkout, account login, or digital delivery.
8. How Do We Keep Your Information Safe?
We use appropriate technical and organisational measures designed to protect personal information against unauthorised access, loss, misuse, alteration, disclosure, or destruction. These measures may include access controls, encrypted transport, server security, logging, backups, restricted administrative access, and internal procedures.
No internet-based service or electronic storage system can be guaranteed to be completely secure. You should access our Services only in a secure environment and protect your account credentials.
9. Do We Collect Information From Minors?
We do not knowingly collect, solicit, or market to children under 18 years of age or the equivalent age as specified by law in your jurisdiction. By using the Services, you represent that you are at least 18 years old or the equivalent age as specified by law in your jurisdiction.
If we learn that we have collected personal information from a child in breach of this section, we will take reasonable steps to delete the information. If you believe that we may have collected such information, contact us at [email protected].
10. What Are Your Privacy Rights?
Depending on where you are located, you may have rights under applicable data protection laws. In the EEA, UK, Switzerland, and similar jurisdictions, these rights may include:
- the right to access your personal information;
- the right to obtain a copy of your personal information;
- the right to rectify inaccurate or incomplete information;
- the right to request deletion of personal information;
- the right to restrict processing;
- the right to object to processing based on legitimate interests;
- the right to data portability, where applicable;
- the right to withdraw consent where processing is based on consent;
- the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, where applicable;
- the right to lodge a complaint with a competent supervisory authority.
Withdrawing consent does not affect the lawfulness of processing before withdrawal and does not affect processing based on legal bases other than consent.
You can exercise your rights by contacting us through https://express-key.com/contact or by email at [email protected]. We may need to verify your identity before acting on your request.
If you request account deletion, we will delete or deactivate your account from active systems where possible. However, we may retain certain information where required or permitted for accounting, tax, fraud prevention, payment disputes, chargebacks, security, legal claims, or statutory obligations.
11. Do United States Residents Have Specific Privacy Rights?
If you are a resident of a US state with an applicable consumer privacy law, you may have additional rights regarding your personal information. These rights may include the right to know whether we process your personal information, access it, correct inaccuracies, delete it, obtain a copy, opt out of certain processing, and appeal a refusal to act on a request. These rights are subject to legal limitations and may not apply in every case.
We do not sell personal information. We do not share personal information for cross-context behavioural advertising unless this is expressly stated and the required opt-out or consent mechanism is provided.
Categories of personal information collected
| Category | Examples | Collected |
|---|---|---|
| A. Identifiers | Name, email address, billing address, account name, username, IP address, online identifiers | Yes |
| B. Customer records information | Name, contact details, billing information, limited payment-related information | Yes |
| C. Protected classification characteristics | Age, race, ethnicity, national origin, gender, marital status, similar demographic data | No |
| D. Commercial information | Transaction information, order history, purchase history, product/access records, payment status | Yes |
| E. Biometric information | Fingerprints, voiceprints, biometric identifiers | No |
| F. Internet or similar network activity | Website interactions, log data, pages viewed, actions taken on our website, browser/device data | Yes |
| G. Precise geolocation data | Precise GPS-based location or equivalent device location | No |
| H. Audio, electronic, visual, thermal, olfactory, or similar information | Call recordings, video, images, sensory records | No |
| I. Professional or employment-related information | Job title, work history, professional qualifications | No |
| J. Education information | Student records, education history | No |
| K. Inferences | Profiles or summaries about preferences or characteristics | No |
| L. Sensitive personal information | Special categories or sensitive personal information as defined by applicable law | No |
We have disclosed identifiers, customer records information, commercial information, and internet/network activity information to service providers and other recipients for the business purposes described in this Privacy Policy. The recipient categories are described in Section 4.
To exercise applicable US privacy rights, contact us at [email protected] or use https://express-key.com/contact. We may verify your identity and, where applicable, the authority of an authorised agent.
12. Do Canadian and Japanese Residents Have Specific Privacy Rights?
Canada
If you are located in Canada, you may have rights under Canadian privacy laws, including rights to access your personal information, request correction, withdraw consent where processing is based on consent, and challenge our handling of your personal information. We may refuse or limit a request where permitted by law, for example where retention is required for legal, accounting, fraud-prevention, dispute, or security reasons.
Our privacy contact for Canadian privacy requests is [email protected].
Japan
If you are located in Japan, you may have rights under Japan's Act on the Protection of Personal Information (APPI), including rights to request disclosure, correction, addition, deletion, suspension of use, erasure, or suspension of third-party provision where applicable under Japanese law.
We use personal information for the purposes described in this Privacy Policy, including account management, order processing, payment reconciliation, invoicing, delivery and activation of Digital Access Products, security, fraud prevention, customer support, and legal compliance.
To exercise rights under Japanese privacy law, contact us at [email protected].
13. Complaints to the Hungarian Supervisory Authority (NAIH)
If you are located in Hungary or believe that our processing of your personal data is subject to Hungarian law, you have the right to lodge a complaint with the Hungarian supervisory authority:
Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
Hungarian National Authority for Data Protection and Freedom of Information
Address: 1055 Budapest, Falk Miksa utca 9-11, Hungary
Postal address: 1363 Budapest, Pf. 9, Hungary
Phone: +36 1 391 1400
Email: [email protected]
Website: https://www.naih.hu
You may also lodge a complaint with the supervisory authority in the EU/EEA member state of your habitual residence, place of work, or the place of the alleged infringement.
14. Do We Make Updates to This Notice?
We may update this Privacy Policy from time to time. The updated version will be indicated by the updated date at the top of this page. If we make material changes, we may notify users by posting a notice on the website, sending an account or email notice, or using another appropriate method.
15. How Can You Contact Us About This Notice?
If you have questions or comments about this Privacy Policy, contact our privacy contact:
KRITON Information Technology Kft.
Privacy Contact
Egyenlőség utca 57
7628 Pécs
Hungary
Email: [email protected]
16. How Can You Review, Update, or Delete Your Information?
You may request access to the personal information we process about you, request correction of inaccurate information, request deletion where applicable, object to certain processing, restrict processing, request portability where applicable, or withdraw consent where processing is based on consent.
Submit requests through: https://express-key.com/contact or by email at [email protected].
We will review and respond to requests in accordance with applicable law. We may need to verify your identity before acting on your request. Some requests may be refused or limited where retention or processing is required or permitted for accounting, tax, VAT, fraud prevention, payment disputes, chargebacks, security, legal claims, or other statutory obligations.
