NITROWISE LABS ZRT. – PRIVACY POLICY - Nitrowise

This Privacy Policy (hereinafter: “Privacy Policy”) defines the data protection principles of NITROWISE LABS Zrt. (hereinafter: “Data Controller”), as well as the rules and security measures applied to the processing of personal data.

The Data Controller considers the rules, provisions, and obligations described in this Privacy Policy as binding upon itself, applies them throughout its operation, and declares that the data protection rules and procedures contained herein comply with applicable national and EU data protection laws.

The Data Controller declares that it considers the right to informational self-determination, especially with regard to personal data, of fundamental importance and takes all possible measures to ensure and enforce these rights.

The primary responsibility of the Data Controller is to define the scope of personal data it processes, the legal basis and purpose of the processing, the methods, means, and duration of the processing, to ensure compliance with data protection and data security requirements, and to prevent unauthorized access, alteration, disclosure, or use of personal data, as well as to ensure protection against deletion, damage, or destruction.

DATA CONTROLLER INFORMATION

Name of Data Controller: NITROWISE LABS ZÁRTKÖRŰEN MŰKÖDŐ RÉSZVÉNYTÁRSASÁG
Short company name: NITROWISE LABS Zrt.
Registered seat: 1117 Budapest, Gábor D. u. 4., Infopark C. building
Company registration number: 01-10-140842
Tax number: 27948110-2-43
Email: info@nitrowise.com
Phone: +36 70 391 0320
Data protection contact: Dr. Jolsvai Kinga
Data protection email: adatvedelem@nitrowise.com

MAIN LAWS GOVERNING DATA PROCESSING

The primary legislation applicable to the processing activities described in this Privacy Policy:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)
  • Act CXII of 2011 on the right to informational self-determination and on the freedom of information (Infotv.)
  • Act V of 2013 on the Civil Code (Ptk.)
  • Act C of 2000 on Accounting
  • Act CL of 2017 on the Rules of Taxation
  • Act CXXVII of 2007 on Value Added Tax

PURPOSE AND SCOPE OF THE POLICY

The purpose of this Policy is to transparently detail:

  • the personal data processing activities conducted by the Data Controller,
  • the purpose, legal basis, duration, and method of processing,
  • the rights of data subjects and available remedies,
  • the data processors engaged and the methods of data transfer,
  • the data security measures applied.

Scope:
This Policy applies to:

  • client and partner contact persons,
  • website visitors,
  • contractual partners,
  • job applicants,
  • employees (with supplementary rules),
  • any natural person whose personal data is processed by the Data Controller.

DEFINITIONS

Data Processing: all processing operations carried out by a data processor acting on behalf of or under the instructions of the Data Controller. (Section 3, point 17 of the Infotv.)

Data Processor: any natural or legal person, or organisation without legal personality, who or which — within the framework and under the conditions set out in law or in a binding legal act of the European Union — processes personal data on behalf of or under the instructions of the Data Controller. (Section 3, point 18 of the Infotv.)

Data Processing (operation): any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making the data available, alignment or combination, restriction, erasure, or destruction. (GDPR Article 4(2))

Data Controller: the legal entity which, alone or jointly with others, determines the purposes and means of the processing of personal data. (GDPR Article 4(7))

Data Transfer: making personal data accessible to a specific third party. Transfers to EEA member states or to EU institutions shall be considered equivalent to transfers within the territory of Hungary.

Data Protection Incident: any breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. (Section 3, point 26 of the Infotv.)

Data Subject: any natural person who is identified or identifiable based on any information. (Section 3, point 1 of the Infotv.) A natural person is identifiable if he or she can be identified directly or indirectly, in particular by reference to an identifier (such as a name, identification number, location data, online identifier) or to one or more factors specific to the natural person’s physical, physiological, genetic, mental, economic, cultural, or social identity.

Consent: the data subject’s voluntary, specific, informed and unambiguous indication of their wishes by which they, by a statement or by a clear affirmative act, signify agreement to the processing of personal data relating to them. (Section 3, point 7 of the Infotv.)

Special Categories of Personal Data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; and genetic and biometric data processed for the purpose of uniquely identifying a natural person; health data; and personal data concerning a natural person’s sex life or sexual orientation.

Personal Data: any information relating to the Data Subject. (Section 3, point 2 of the Infotv.)

PRINCIPLES OF DATA PROCESSING

The Data Controller observes the following principles when processing personal data:

  • personal data must be processed lawfully, fairly, and in a transparent manner for the Data Subject (lawfulness, fairness, and transparency);
  • personal data must be collected only for specified, explicit, and legitimate purposes (purpose limitation);
  • the scope of processed personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes of the processing (data minimisation);
  • personal data must be accurate and, where necessary, kept up to date; inaccurate personal data must be corrected or erased by the Data Controller without delay (accuracy);
  • personal data must be stored in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation);
  • personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures (integrity and confidentiality);
  • the Data Controller is responsible for and must be able to demonstrate compliance with the above principles (accountability).

LEGAL BASES OF PROCESSING

According to Article 6(1) of the GDPR, the processing of personal data is lawful only if and to the extent that at least one of the following conditions applies:

  • the Data Subject has given consent to the processing of their personal data for one or more specific purposes [Article 6(1)(a) – processing based on consent];
  • the processing is necessary for the performance of a contract to which the Data Subject is a party, or in order to take steps at the request of the Data Subject prior to entering into a contract [Article 6(1)(b) – processing necessary for the performance of a contract];
  • the processing is necessary for compliance with a legal obligation to which the Data Controller is subject [Article 6(1)(c) – processing necessary for compliance with a legal obligation];
  • the processing is necessary in order to protect the vital interests of the Data Subject or of another natural person [Article 6(1)(d) – processing based on vital interests];
  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller [Article 6(1)(e) – processing necessary for the performance of a task in the public interest];
  • the processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require the protection of personal data [Article 6(1)(f) – processing based on legitimate interest].

DATA PROCESSING ACTIVITIES

CONTACT REQUESTS

  • Purpose of processing: contacting the Data Subject and maintaining communication.
  • Legal basis of processing: the Data Subject’s consent (Article 6(1)(a) of the GDPR).
  • Data subjects: individuals expressing interest or contacting the Data Controller for the purpose of initiating communication.
  • Categories of personal data processed: name, telephone number, email address, any information voluntarily provided by the Data Subject during email or telephone communication, the Data Subject’s social media username/identifier, and technical data (e.g. the date and time of phone calls or emails sent/received, time of contact).
  • Source of data: the Data Subjects.
  • Retention period: until the purpose is achieved, or until consent is withdrawn or deletion is requested, or, if none of these occur, for a maximum of 1 year from the date of initial contact.
  • Data transfers: no data transfers take place pursuant to Articles 44–49 of the GDPR.
  • Additional note: Providing the data is necessary. Without the required data, the Data Controller is unable to establish contact with the Data Subject.

CONTRACT PERFORMANCE & COMMUNICATION

  • Purpose of processing: preparing, concluding, and performing contracts between the Data Controller and its contractual partners; fulfilling legal obligations; and maintaining client relationships, communication, and cooperation.
  • Legal basis of processing: performance of a contract, compliance with a legal obligation, and legitimate interest (Articles 6(1)(b), (c), and (f) of the GDPR).
  • Data subjects: clients/partners.
  • Categories of personal data processed: name, workplace, job title/position, telephone number, email address, address, signature, and any other information voluntarily provided to the Data Controller.
  • Source of data: the Data Subject.
  • Retention period: for the duration necessary to achieve the purpose of processing, but no longer than until the end of the 5th year following the performance or termination of the contract.
  • Data transfers: no data transfers take place pursuant to Articles 44–49 of the GDPR.
  • Additional note: The processing of the listed personal data is necessary for concluding and performing the contract, for ensuring the provision of services, and for maintaining communication and cooperation related thereto.

INVOICING

  • Purpose of processing: issuing invoices and managing accounting records in accordance with the Accounting Act.
  • Legal basis of processing: compliance with a legal obligation, pursuant to Section 159(1) of the VAT Act (Article 6(1)(c) of the GDPR).
  • Data subjects: clients/partners.
  • Categories of personal data processed: name, address, tax number, bank account number, registration number, registered seat, email address.
  • Source of data: the Data Subject.
  • Retention period: 8 years, in accordance with Section 169(1)–(2) of the Accounting Act.
  • Data transfers: no data transfers take place pursuant to Articles 44–49 of the GDPR.
  • Additional note: In the case of sole proprietors, invoices may contain personal data. Such data are retained in compliance with the requirements of the Accounting Act.
  • Providing the data is mandatory under the applicable laws. If the data are not provided, the invoice cannot be accepted, and the Data Controller is unable to fulfil its invoicing obligations.

CLAIM MANAGEMENT

  • Purpose of processing: taking all necessary actions to enforce the Data Controller’s legitimate claims and recover outstanding debts (e.g. identifying clients/partners, maintaining contact, enforcing legal claims).
  • Legal basis of processing: the legitimate interest of the Data Controller (Article 6(1)(f) of the GDPR).
  • Data subjects: individuals (clients/partners) against whom the Data Controller has outstanding claims.
  • Categories of personal data processed: name, telephone number, email address, address, and any other information voluntarily provided to the Data Controller.
  • Source of data: the Data Subject.
  • Retention period: the statutory limitation period for enforcing claims (5 years), or the duration of any administrative, judicial, or other proceedings.
  • Data transfers: no data transfers take place pursuant to Articles 44–49 of the GDPR.

JOB APPLICATIONS (FOR A SPECIFIC POSITION)

  • Purpose of processing: the data provided on the career website or otherwise (e.g. via email) are required for the Data Subject to apply for a specific job or position. The purpose of the processing is to enable the Data Controller to conduct the recruitment process necessary for establishing an employment relationship with the applicant; and, in the event of a successful application, to prepare the employment contract.
  • Legal basis of processing: consent (Article 6(1)(a) of the GDPR).
  • Data subjects: natural persons who provide personal data for the purpose of applying for a specific job or position.
  • Categories of personal data processed: the applicant’s name, telephone number, email address, CV, and any other information voluntarily provided by the applicant during communication (e.g. qualifications, language skills, salary expectations, photograph, information about previous employers and job roles, work experience, etc.), as well as technical data (e.g. acceptance of the privacy notice, date of application).
  • Source of data: the Data Subject.
  • Retention period: until the point at which the establishment of the employment relationship is unsuccessful (i.e. the end of the recruitment process), or—with consent—for a maximum of 24 months.
  • Data transfers: no data transfers take place pursuant to Articles 44–49 of the GDPR.
  • The Data Controller does not disclose the personal data obtained—except where required by law—for statistical or any other purposes, nor does it make such data public. Information regarding the evaluation of submitted applications and CVs is provided exclusively at the request of, and to, the applicant.
  • The Data Controller may disclose applications and CVs to its contractual partners only at the explicit request and with the voluntary consent of the applicant.

APPLICATION TO HR DATABASE

  • Purpose of processing: the data provided on the career website are required for inclusion in the Data Controller’s HR database so that, in the future, the Data Subject may receive job offers that correspond to their professional experience and qualifications.
  • Legal basis of processing: consent (Article 6(1)(a) of the GDPR).
  • Data subjects: natural persons who provide personal data for the purpose of being included in the Data Controller’s HR database.
  • Categories of personal data processed: the Data Subject’s name, telephone number, email address, CV, and any other information voluntarily provided by the Data Subject during communication (e.g. qualifications, language skills, salary expectations, photograph, information regarding previous employers and job roles, work experience, etc.), as well as technical data (e.g. acceptance of the privacy notice, date of application).
  • Source of data: the Data Subject.
  • Retention period: until the Data Subject withdraws their consent, but no longer than 24 months.
  • Data transfers: no data transfers take place pursuant to Articles 44–49 of the GDPR.
  • Additional note: The Data Subject may apply to be included in the Data Controller’s database at any time via the career website, and may also apply for specific job postings. In the latter case, the Data Subject may voluntarily consent that, if they are not selected and no employment relationship is established, the Data Controller may retain the personal data provided during the application process in its HR database for the purpose of sending other suitable job offers corresponding to the applicant’s experience and qualifications, until the withdrawal of consent, but for no longer than 24 months, in accordance with applicable laws. In the absence of such consent, or if consent is withdrawn, or once the 24-month retention period has expired, all personal data provided by the applicant will be fully and immediately deleted.

SOCIAL MEDIA INTERACTIONS

  • Purpose of processing: the primary purpose of the content posted on social media platforms is to present the services provided by the Data Controller, to share and promote these services on social media, and for marketing activities. Through social media, Data Subjects can obtain information about the Data Controller’s services and related events.
  • Legal basis of processing: the Data Subject’s consent (Article 6(1)(a) of the GDPR). By following the Company’s content or engaging with it in accordance with the terms of the social media platform, the Data Subject voluntarily consents to such interactions.
  • Data subjects: individuals who voluntarily follow the Data Controller’s social media pages or content, respond to advertisements, or engage in interactions (e.g. sharing, liking, rating).
  • Categories of personal data processed: name (including the username used on the social media platform), LinkedIn profile link, messages sent by the Data Subject through the social media platform, and interactions performed by the Data Subject (e.g. ratings or other actions).
  • Source of data: the Data Subject.
  • Retention period: until deletion is requested by the Data Subject.
  • Data transfers: no data transfers take place pursuant to Articles 44–49 of the GDPR.
  • Additional notes:

The Data Controller maintains a corporate profile on social media platforms such as Facebook, LinkedIn, and Instagram.

The Data Controller does not record or process any personal data of users of these platforms in its internal database or system.

With respect to data processing carried out on social media platforms, the platform operator qualifies as an independent data controller. Information about the data processing performed by the respective social media platform is available directly on that platform.

EVENT REGISTRATION AND PARTICIPATION

  • Purpose of processing: organising and conducting events (e.g. workshops, meetups, conferences, partner meetings), identifying and informing participants, arranging catering and other services, and taking into account allergies and dietary preferences to ensure participant safety. Additionally, maintaining communication related to the event (e.g. programme changes, feedback requests). The purpose may also include documenting the event through photographs and video recordings and using such materials for the Company’s communication and marketing purposes (e.g. social media, website, newsletters, internal corporate materials).
  • Legal basis of processing: for “regular” data (name, contact details, workplace, etc.), the legal basis is the Data Subject’s consent (Article 6(1)(a) GDPR). For data relating to food allergies, dietary habits, or other special requirements, the legal basis is the Data Subject’s explicit consent (Article 9(2)(a) GDPR), provided via the registration form and acceptance of the related information. Providing such data is voluntary; failure to provide special-category data may only result in the Data Controller being unable to fully consider the participant’s specific needs. Processing of photographs and video recordings taken at the event also relies on the Data Subject’s consent (Article 6(1)(a) GDPR). Consent is voluntary and may be withdrawn at any time. Before recording begins, the Data Controller provides clear notice (e.g. icons, information on the registration page, posted signage).
  • Data subjects: individuals who register for or participate in the events.
  • Categories of personal data processed: name, workplace, job title, email address, telephone number, participation status (registered, confirmed, attended / did not attend), information on food allergies, dietary habits, or special requirements (e.g. gluten intolerance, lactose intolerance, vegetarian/vegan diet, etc.). Additionally, photographs and video recordings taken at the event in which the participant’s face, appearance, or other identifying features may be recognisable.
  • Source of data: the Data Subject.
  • Retention period: personal data processed for the purpose of event registration and execution are retained for up to 90 days after the event, after which the data are deleted or anonymised. Special-category data relating to allergies, dietary habits, and other specific needs are processed only until the date of the event and at most until 15 days after the event, after which they are deleted. If the participant voluntarily consents to receive information about future events, their contact details will be processed until consent is withdrawn. Consent may be withdrawn at any time without justification. Photographs and video recordings taken at the event are processed until consent is withdrawn. If such materials are published, the Data Subject may request removal or blurring of their image, and the Data Controller will comply without undue delay.
  • Data transfers: in connection with organising and conducting the event, personal data may be transferred to certain data processors (e.g. the event venue operator for entry management and safety requirements). If the event involves multiple subsidiaries, other group members may receive the necessary data for organisational purposes (e.g. for joint conferences). Photographs and videos may be transferred to photographers or videographers engaged by the Company, and—if published—to social media platforms and website operators (e.g. Facebook, LinkedIn, YouTube). These entities act as independent data controllers under their own privacy policies.

BUSINESS CONTACT DATA IN HUBSPOT CRM

  • Purpose of processing: the purpose of the processing is to establish and maintain contractual and business relationships, ensure regular communication, coordinate project and service delivery, and enforce or defend legal claims. The purpose of using the CRM system is to integrate sales and marketing activities and to ensure that client relationship management is transparent and manageable.
  • Legal basis of processing: the legitimate interest of the Data Controller and its partners (Article 6(1)(f) GDPR), as maintaining business communication is an essential part of cooperation with partners. The Data Subject may object to processing based on legitimate interest at any time.
  • Data subjects: potential clients, businesses reachable through marketing, companies, and other organisations.
  • Categories of personal data processed: name, workplace, job title, business email address, telephone number, and notes or emails related to meetings and negotiations (where necessary).
  • Source of data: the Data Subject.
  • Retention period: the Data Controller processes contact persons’ data for as long as the business relationship exists or as long as there is a realistic prospect of further cooperation (e.g. based on negotiations, requests for proposals, business inquiries). If the business relationship ends, or if no meaningful communication takes place for more than 3 years, the data will be deleted. In the case of an objection-based deletion request, the Data Controller will delete the data without delay, unless retention is necessary for the establishment, exercise, or defence of legal claims.
  • Data transfers: for data storage and CRM operation, the Data Controller uses HubSpot, Inc. as a data processor. HubSpot processes data in accordance with the GDPR applicable in the EU, based on contractual safeguards provided by HubSpot (e.g. EU-level data processing agreement, Standard Contractual Clauses – SCCs).
    Access to personal data is restricted to the Data Controller’s authorised employees and only for the purposes of business communication and sales. The Data Controller does not sell personal data and does not make it available to third parties for marketing or any other purposes of their own.

NEWSLETTERS / MARKETING COMMUNICATIONS

  • Purpose of processing: advertising and marketing activities, and informing the Data Subject about the Company’s services.
  • Legal basis of processing: the Data Subject’s consent (Article 6(1)(a) of the GDPR).
  • Data subjects: potential clients, businesses reachable through marketing activities, companies, and other organisations.
  • Categories of personal data processed: name, email address, telephone number, newsletter subscription status, message content, and the date/time of the message.
  • Source of data: the Data Subject (the email address is obtained from the Data Subject based on consent, through newsletter subscription).
  • In other cases, publicly available company databases may be used as a basis for sending marketing communications.
  • Retention period: until the Data Subject requests deletion, withdraws consent, or for 30 days from the date of unsubscribing from the newsletter.
  • Data transfers: no data transfers take place pursuant to Articles 44–49 of the GDPR.
  • Additional note: Providing the data is necessary. Without the required data, the Data Controller cannot contact the Data Subject.

DATA PROCESSING RELATED TO REPORTS SUBMITTED THROUGH THE WHISTLEBLOWING SYSTEM

  • Purpose of processing: investigating the validity of the report and remedying or terminating the behaviour that is the subject of the report; maintaining contact during the procedure; and fulfilling statutory obligations.
  • Legal basis of processing: compliance with a legal obligation (Article 6(1)(c) GDPR), pursuant to Act XXV of 2023 on the rules relating to whistleblowing systems (operation of a whistleblowing system on a voluntary or mandatory basis), or the legitimate interest of fully complying with legal obligations (Article 6(1)(f) GDPR).
  • Data subjects: any natural person who can be identified based on the data recorded in the report (e.g. the whistleblower, the person concerned in the report, witnesses).
  • Categories of personal data processed: the data provided by the whistleblower in the report that enable their identification and allow for communication with them.
  • Source of data: the Data Subject.
  • Retention period:
    • in case of dismissal of the report: until deletion;
    • if no procedure is initiated: for the duration of the investigation, but no longer than 60 days;
    • if a procedure is initiated: for 5 years after the final closure of the proceedings initiated on the basis of the report.
  • Data transfers: no data transfers take place pursuant to Articles 44–49 of the GDPR; however, where necessary, data may be transferred to authorities, courts, or legal representatives.
  • Additional note: Providing the data is indispensable for conducting a lawful procedure, i.e. for investigating the issue and maintaining contact. Without such data, the complaint cannot be identified, and the procedure cannot be carried out.

CCTV SURVEILLANCE

A camera surveillance system operates at the entrance and in the common areas (in particular: main entrance, lobby, elevators) of the building in which the Company’s registered seat is located. The cameras are not operated by NITROWISE LABS Zrt., but by the owner/operator of the building, who acts as an independent data controller with respect to all data processing activities related to camera surveillance.

The Company has no access to the cameras installed in the building; it does not process, store, or transmit the recordings, nor does it exercise any technical or administrative control over them. The camera recordings are processed exclusively by the building owner/operator, for the purposes and under the conditions specified in their own privacy notice.

No camera surveillance is carried out in areas used by the Company in connection with its operations (on the office floor or inside the office), and the Company does not perform any such data processing activity.

Access to personal data contained in camera recordings may occur only in exceptional cases (e.g. legal disputes, security incidents, regulatory or law-enforcement procedures), in accordance with the building operator’s procedures, relevant legal requirements, or based on the data subject’s explicit and voluntary consent.

Information on the data processing related to the building’s camera surveillance, including the retention period of recordings and the rights of data subjects, is provided in a separate privacy notice published by the building operator.

WEBSITE VISITS, COOKIE MANAGEMENT, EXTERNAL SERVICES

The Data Controller uses cookies and external analytics/user-behaviour analysis services in order to maintain the operation of its website, measure its performance, and improve the user experience.
To this end, the Data Controller places small data files (“cookies”) or similar technologies on the device used by the website visitor (the user), enabling the browser to recognise the user’s computer and “remember” certain information related to the visitor. Cookies are also used to personalise content and advertisements, provide social media features, and monitor website traffic. Cookies may collect information about website usage, facilitate navigation on the website, and be used by the Data Controller for administrative purposes, such as measuring website traffic.

No cookie contains personal data that would enable anyone to contact the Data Subject via email, telephone, or traditional post.

Under the applicable laws, cookies may only be stored on the Data Subject’s device if they are strictly necessary, i.e. essential for the operation of the website—these are referred to as “necessary cookies.” All other types of cookies require the user’s consent.
The cookies currently used on the website can be viewed and configured in the pop-up window that appears upon entering the site.

The following section provides a detailed description of the data processing activities related to website usage and the service providers involved.

Categories of data processed

When visiting the website, the Data Controller, and its appointed data processors, may process the following technical data:

  • IP address
  • browser type and version
  • operating system
  • device type (e.g. mobile, tablet, PC)
  • pages and subpages visited
  • date and duration of the visit
  • referrer URL
  • cookie identifiers

These data are collected by the cookies required for the operation of the website, as well as by Google Analytics, Microsoft Clarity, and HubSpot.

Purpose of processing:

  • ensuring the secure and stable operation of the website,
  • analysing website traffic and user behaviour,
  • improving the user experience and identifying errors,
  • conducting performance measurements and generating statistics,
  • supporting marketing activities based on aggregated data.

Legal basis of processing:

  • necessary cookies: the legitimate interest of the Data Controller (Article 6(1)(f) GDPR);
  • analytics, behaviour-analysis, and marketing cookies, as well as the use of Google Analytics, Microsoft Clarity, and HubSpot: the Data Subject’s consent (Article 6(1)(a) GDPR), which may be granted or withdrawn via the cookie banner.

The Data Controller uses the following categories of cookies:

  1. Session cookies
    • required for the basic functioning of the website;
    • deleted when the browser is closed.
  2. Persistent cookies
    • used to remember user preferences;
    • remain stored for a specified period or until manually deleted.
  3. Analytical cookies (Google Analytics)
    • used to create anonymous statistics about visitor behaviour.
    • https://policies.google.com/privacy?hl=en-US#europeanrequirements

    | Cookie name | Default expiration time | Description |
    | _ga | 2 years | Used to distinguish users. |
    | _ga_<container-id> | 2 years | Used to persist session state. |

  4. Behaviour-analysis cookies (Microsoft Clarity)
    • provide visual representations of user interactions and analyse navigation paths.
    • https://learn.microsoft.com/en-us/clarity/setup-and-installation/clarity-cookies#what-cookies-does-clarity-set
  5. Marketing / CRM cookies (HubSpot)
    • track form submissions, manage newsletters, support campaign automation, and track the viewing of documents and emails.
    • https://knowledge.hubspot.com/privacy-and-consent/what-cookies-does-hubspot-set-in-a-visitor-s-browser

The use of cookies can be restricted or deleted at any time in the user’s browser settings.

Data transfers and third countries

Google LLC, Microsoft Corporation, and HubSpot Inc. are headquartered in the United States.

Therefore, with consent, personal data may be transferred to a third country. Such data transfers occur exclusively with the following GDPR-compliant safeguards in place:

  • EU–US Data Privacy Framework, or
  • Standard Contractual Clauses (SCC), and
  • additional technical and organisational safeguards (e.g. encryption, IP anonymisation).

Retention period of data processing

  • session cookies: until the browser is closed;
  • persistent cookies: 1–24 months, or until deleted by the user;
  • analytics and Clarity data: 12–24 months depending on the service provider;
  • HubSpot marketing cookies: up to 13 months.

DATA TRANSFERS

The Data Controller, for the purpose of achieving the data processing objectives defined in this Privacy Notice and for performing its tasks and complying with legal obligations, uses the services of third parties (hereinafter: “Data Processors”), whose services may involve the processing of personal data of Data Subjects.

The Data Processor performs data processing exclusively in accordance with the instructions of the Data Controller and in compliance with applicable legal requirements. The Data Processor’s access rights are strictly limited to what is necessary for the performance of its tasks and only to the extent required.

The Data Controller — on the legal basis of “performance of a contract” or “compliance with a legal obligation” — transfers data to the following entities acting as data processors or independent data controllers:

| Name of Data Processor | Activity Performed by the Data Processor | Personal Data Processed |
| szamlazz.hu | Electronic storage of data through the invoicing service | name, address, tax number, bank account number, registration number, registered seat, email address |
| Focus Audit and Advisory Könyvvizsgáló és Tanácsadó Kft. | Audit services | all personal data contained in the audited documents |
| EuroScale Automatika Kft. | HR database services | e.g. name, status, date of birth, email, phone number, date of application, date of inquiry, application method, department, position, hiring and termination-related data, employment status, salary expectation, reference-related information, interview date, interviewer, occupational health data, date of offer sent, offer-related data, date of privacy notice email, consent date, LinkedIn profile link, import excel identifier, qualifications, language skills |
| Hegedüs Bence (ind. ent.) | Organisational development tasks and management of social media platforms | name, workplace, job title, business email address, telephone number, notes and emails related to negotiations and meetings (where necessary), any data voluntarily provided by the Data Subject during email or telephone communication, social media username/identifier used by the Data Subject, technical data (e.g. date/time of phone calls or emails sent/received, time of contact), LinkedIn profile link, messages sent by the Data Subject via social media, interactions performed by the Data Subject (e.g. ratings or other actions) |
| Microsoft – cloud service provider | Hosting services (Microsoft 365) – storage and operation of electronic data | all personal data contained in electronic documents (theoretical access only) |

Data transfers may occur where justified and necessary, for example in the event of a statutory obligation, and may involve transfers to legal representatives, authorities, courts, or auditors.

The Data Controller does not transfer personal data to third countries or international organisations beyond the possible instances specified in this Privacy Notice.

SECURITY OF DATA PROCESSING

The Data Controller ensures compliance with data security requirements prescribed by applicable laws through technical and organisational measures, as well as by establishing internal procedures. The Data Controller protects all processed personal data with technical, physical, and administrative safeguards consistent with industry standards, ensuring the confidentiality, integrity, and availability of the data. In accordance with its internal policies and relevant data protection regulations, the Data Controller implements information security measures to protect the Data Subject’s personal data from unauthorised access, as well as from unauthorised alteration or deletion, and takes all necessary steps to prevent data damage or loss.

Personal data are stored at the registered seat of the Data Controller in both paper-based and electronic formats. The Data Controller ensures the physical protection of both forms of storage, and electronic data are additionally protected by password security.

To ensure the security of its IT systems, the Data Controller protects these systems with firewalls and uses antivirus and anti-malware software within the O365 environment to prevent internal and external data loss. The Data Controller performs daily backups of electronically stored data. These backups are stored on the Data Controller’s own server.

The Data Controller ensures that no unauthorised person may access, disclose, transmit, modify, or delete the processed data. Personal data may only be accessed by the Data Controller’s employees to the extent necessary for the performance of their duties, in accordance with designated procedures and access levels, as well as by any data processors engaged by the Data Controller. All persons who have access to personal data are bound by confidentiality obligations regarding the personal data of the Data Subjects.

DATA PROTECTION INCIDENT MANAGEMENT

The Data Controller takes all necessary measures to prevent personal data breaches. A personal data breach is any event resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data that have been transmitted, stored, or otherwise processed. The Data Controller shall report any personal data breach to the National Authority for Data Protection and Freedom of Information without undue delay, unless the breach is unlikely to result in a risk to the rights and freedoms of the Data Subjects. The Data Controller maintains a record of all personal data breaches, together with the measures taken in connection with each incident. If the breach is serious (i.e. it is likely to result in a high risk to the rights and freedoms of the Data Subject), the Data Controller shall inform the Data Subject of the personal data breach without undue delay.

Any person who becomes aware of a personal data breach involving personal data processed by the Data Controller, as described above, may report the incident to the Data Controller using the contact details provided in this Privacy Notice.

RIGHTS RELATED TO DATA PROCESSING

Right to Request Information (pursuant to Articles 13–14 GDPR)

The Data Subject may request information in writing from the Data Controller regarding:

  • which of their personal data are processed, for what purpose, on what legal basis, for how long, and from what source;
  • whether the Data Controller uses any data processors, and if so, the name, address, and data processing activities of the processor;
  • to whom, when, on what legal basis, and which personal data the Data Controller has granted access or transferred;
  • the circumstances and effects of any personal data breach and the measures taken to remedy it.

The Data Controller shall respond to the Data Subject’s request within a maximum of 30 days, sending the information to the contact details provided in the request. If the request is submitted electronically, the Data Controller will, where possible, respond electronically as well.

Right of Access (pursuant to Article 15 GDPR)

The Data Subject has the right to obtain confirmation from the Data Controller as to whether their personal data are being processed. If such processing is taking place, the Data Subject has the right to access the personal data concerned.

The Data Controller shall provide a copy of the personal data undergoing processing—unless prevented by other legal restrictions. Where the request is submitted electronically, the information must be provided in a commonly used electronic format, unless the Data Subject requests otherwise.

Right to Rectification and Completion (pursuant to Article 16 GDPR)

The Data Subject may request in writing that the Data Controller modify any of their personal data (e.g. change their email address or postal contact details at any time, or request correction of any inaccurate personal data processed by the Data Controller).

Considering the purposes of data processing, the Data Subject has the right to request the completion of incomplete personal data.

The Data Controller shall comply with the request within a maximum of 30 days and will notify the Data Subject by email or letter using the contact details provided.

Right to Erasure (“Right to be Forgotten”) (pursuant to Article 17 GDPR)

The Data Subject may request in writing that the Data Controller delete their personal data without undue delay where one of the grounds set out in Article 17 of the GDPR applies.
The Data Subject has the right to obtain the erasure of personal data concerning them without undue delay if the data are no longer necessary for the purpose for which they were collected, if the Data Subject withdraws consent and there is no other legal basis for processing, if the Data Subject objects to processing and there are no overriding legitimate grounds, if the data have been unlawfully processed, or if the data must be erased in order to comply with a legal obligation.

Right to Restriction of Processing (pursuant to Article 18 GDPR)

The Data Subject may request in writing that the Data Controller restrict the processing of their personal data, by clearly marking the restricted nature of processing and ensuring that the data are stored separately from other data. The restriction shall remain in place for as long as the reason indicated by the Data Subject requires the retention of the data.

The Data Subject may request restriction, for example, if they believe that the data have been processed unlawfully, but the data are needed for the purpose of administrative or judicial proceedings they have initiated, and therefore the Data Controller should not delete the data until contacted by the authority or court. In this case, the Data Controller will continue to store the data until the authority or court makes contact, after which the data will be deleted.

The Data Subject may also request restriction if they dispute the accuracy of the personal data. In such cases, the restriction applies for the period necessary to enable the Data Controller to verify the accuracy of the data.

Restriction may further be requested if the Data Controller no longer needs the personal data for the purposes of processing, but the Data Subject requires them for the establishment, exercise, or defence of legal claims.

Right to Data Portability (pursuant to Article 20 GDPR)

The Data Subject may request in writing to receive the personal data concerning them, which they have provided to the Data Controller, in a structured, commonly used, machine-readable format. The Data Subject is also entitled to transmit these data to another data controller without hindrance from the Data Controller, where:

  • the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR, or
  • the processing is based on a contract pursuant to Article 6(1)(b) GDPR; and
  • the processing is carried out by automated means.

Right to Object (pursuant to Article 21 GDPR)

The Data Subject may object in writing to the processing of their personal data carried out on the basis of the Data Controller’s or a third party’s legitimate interests pursuant to Article 6(1)(f) GDPR. In such cases, the Data Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the Data Subject, or unless the processing is necessary for the establishment, exercise, or defence of legal claims.

Right to Withdraw Consent (pursuant to Article 7(3) GDPR)

The Data Subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The withdrawal of consent must be as easy to perform as the act of giving consent.

LEGAL REMEDIES AND ENFORCEMENT OPTIONS RELATED TO DATA PROCESSING

If the Data Subject believes that the Data Controller has not acted lawfully when processing their personal data, the Data Controller requests that the Data Subject first contact the Data Controller using the contact details provided in this Privacy Notice, so that the concern or claim can be addressed as quickly and effectively as possible.

  1. Contacting the Data Controller – Submitting a Complaint

For any questions related to personal data processed by the Data Controller or to the exercise of the rights described in Section 10, the Data Subject may request information from the Data Controller’s designated data protection contact person at the following contact details:

  • Email: adatvedelem@nitrowise.com
  • Postal address: NITROWISE LABS Zrt., 1117 Budapest, Gábor Dénes u. 4., Infopark C. ép. (Please indicate “ADATVÉDELEM!” / “DATA PROTECTION!” on the envelope.)
  • Designated contact person: Dr. Kinga Jolsvai

The Data Controller shall, without undue delay and within the legally prescribed time limits, investigate the matter, take appropriate action, and provide the Data Subject with information regarding their request for the exercise of rights, any objection, or complaint related to data processing.

If the request was submitted electronically, the Data Controller shall provide the information electronically whenever possible, unless the Data Subject requests otherwise.

If the Data Controller does not take action without undue delay, and at the latest within the statutory deadline, it shall inform the Data Subject of the reasons for not taking action or refusing the request, and shall also inform the Data Subject of their right to initiate proceedings before a supervisory authority or a court.

If the Data Subject’s concern is not resolved with the assistance of the Data Controller, or if the Data Subject is dissatisfied with the Data Controller’s response, they may seek further redress through the following bodies.

  2. Initiating Proceedings Before a Supervisory Authority

The Data Subject may initiate an investigation or administrative procedure before the National Authority for Data Protection and Freedom of Information (NAIH) if they believe that a violation of their rights related to personal data processing has occurred or if such violation poses an imminent risk.

Contact details of NAIH:

  • Address: 1055 Budapest, Falk Miksa utca 9–11.
  • Website: http://naih.hu
  • Postal address: 1363 Budapest, Pf.: 5.
  • Telephone: +36-1-391-1400
  • Fax: +36-1-391-1410
  • Email: ugyfelszolgalat@naih.hu

  3. Initiating Court Proceedings

If the Data Subject believes that the Data Controller has violated applicable data protection requirements when processing their personal data, they may bring the matter before a court to protect their rights. The case falls under the jurisdiction of the regional courts (törvényszék). The Data Subject may choose to initiate the proceedings before the regional court competent for their place of residence or place of stay. A list of regional courts is available at: www.birosag.hu/torvenyszekek.

MISCELLANEOUS

No automated decision-making, profiling, nor any transfer of personal data to third countries or international organisations takes place in connection with the processing of personal data described in this Privacy Notice. The Data Controller does not collect or process any “sensitive” or “special category” personal data for the purposes set out in this Privacy Notice.

This Privacy Notice applies to all individuals whose personal data are processed by the Company for the purposes described herein, and to anyone who provides their personal data to the Company. By transferring their personal data to the Company, the Data Subject accepts the provisions of this Privacy Notice and consents to the processing of their data in accordance with its terms. In cases where data are provided voluntarily by the Data Subject, the Data Controller processes such personal data based on the Data Subject’s consent.

If personal data relating to a Data Subject have not been provided directly by the Data Subject, the person supplying the data shall be responsible for ensuring the accuracy of the data, as well as for having appropriate authorisation from the Data Subject to disclose the data, and for informing the Data Subject of the provisions contained in this Privacy Notice.

The Data Controller reserves the right to unilaterally amend this Privacy Notice. The current version of the Privacy Notice is available on the Data Controller’s website.

Budapest, 21 September 2020
NITROWISE LABS Zrt.

