NITROWISE LABS ZRT. – PRIVACY POLICY

PRIVACY NOTICE OF NITROWISE LABS ZRT.

This privacy notice (hereinafter: the “Privacy Notice”) sets out the data protection principles of NITROWISE LABS Zrt. (hereinafter: the “Controller”), as well as the data processing rules and protective measures applied by the Controller in relation to data qualifying as personal data.

The Controller considers the rules, provisions and obligations described in this Privacy Notice to be binding on itself and applies them in the course of its operations. The Controller further declares that the data protection rules and procedures described and applied in this document comply with the applicable national and European Union data protection laws.

The Controller declares that it considers the right to informational self-determination, particularly in relation to personal data, to be important, and takes all measures available to it to ensure compliance with, and enforcement of, these rights.

The Controller’s primary task is to determine the scope of the personal data it processes, the legal basis and purpose of the processing, the means, method and duration of the processing, and to ensure the enforcement of data protection and data security requirements, to prevent unauthorised access to personal data, the alteration of data and their unauthorised disclosure or use, and to ensure protection against deletion, damage and destruction.

1. DETAILS OF THE CONTROLLER

Name of the Controller: NITROWISE LABS ZÁRTKÖRŰEN MŰKÖDŐ RÉSZVÉNYTÁRSASÁG
Abbreviated company name of the Controller: NITROWISE LABS Zrt.
Registered office: 1117 Budapest, Gábor D. u. 4., Infopark C. ép., Hungary
Company registration number: 01-10-140842
Tax number: 27948110-2-43
Email: info@nitrowise.com
Telephone number: +36 70 391 0320
Data protection contact person: Dr. Kinga Jolsvai
Email address for data processing matters: adatvedelem@nitrowise.com

2. MAIN LEGISLATION APPLICABLE TO DATA PROCESSING

The main legislation applicable to the processing operations covered by this Privacy Notice is as follows:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the “GDPR”);
  • Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: the “Info Act”);
  • Act V of 2013 on the Civil Code (Civil Code);
  • Act C of 2000 on Accounting (Accounting Act);
  • Act CL of 2017 on the Rules of Taxation (Art.);
  • Act CXXVII of 2007 on Value Added Tax (VAT Act).

3. PURPOSE AND SCOPE OF THE NOTICE

The purpose of this Notice is to set out, in a transparent manner:

  • the personal data processing activities carried out by the Controller;
  • the purpose, legal basis, duration and method of the processing;
  • the rights and legal remedies available to data subjects;
  • the processors and data transfer solutions used;
  • and the data security measures applied.

The scope of this Notice covers:

  • contact persons of clients and partners;
  • website visitors;
  • contractual partners;
  • job applicants;
  • employees, supplemented by a separate policy;
  • all natural persons whose personal data are processed by the Controller.

4. DEFINITIONS

Processing by a processor: the aggregate of processing operations carried out by a processor acting on behalf of, or on the basis of instructions from, the controller. (Section 3, point 17 of the Info Act)

Processor: a natural or legal person, or an organisation without legal personality, that processes personal data on behalf of, or on the basis of instructions from, the Controller within the framework and under the conditions laid down by law or by a binding legal act of the European Union. (Section 3, point 18 of the Info Act)

Processing: any operation or set of operations performed on personal data or data files, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction. (Article 4, point 2 of the GDPR)

Controller: the legal person that determines, alone or jointly with others, the purposes and means of the processing of personal data. (Article 4, point 7 of the GDPR)

Data transfer: making personal data available to a specified third party. Transfers to EEA Member States and to the bodies of the European Union shall be regarded as transfers within the territory of Hungary.

Personal data breach: a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised transmission or disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed. (Section 3, point 26 of the Info Act)

Data subject: a natural person who is identified or identifiable on the basis of any information. (Section 3, point 1 of the Info Act) An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Consent: any freely given, specific, informed and unambiguous expression of the Data Subject’s wishes by which the Data Subject, by a statement or by other conduct clearly indicating their wishes, signifies agreement to the processing of personal data relating to them. (Section 3, point 7 of the Info Act)

Special categories of data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data and biometric data for the purpose of uniquely identifying natural persons, data concerning health and data concerning a natural person’s sex life or sexual orientation.

Personal data: any information relating to the Data Subject. (Section 3, point 2 of the Info Act)

5. PRINCIPLES

When processing personal data, the Controller takes the following principles into account:

  • personal data must be processed lawfully, fairly and in a transparent manner in relation to the Data Subject (lawfulness, fairness and transparency);
  • personal data may be collected only for specified, explicit and legitimate purposes (purpose limitation);
  • the scope of the data processed must be appropriate to the given processing purpose and limited to what is necessary for that purpose (data minimisation);
  • personal data must be accurate and, where necessary, kept up to date; inaccurate personal data shall be rectified or deleted by the Controller without delay (accuracy);
  • personal data must be stored in a form that permits identification of Data Subjects only for as long as is necessary for the purposes for which the personal data are processed (storage limitation);
  • personal data must be processed in a manner that ensures appropriate security of the personal data by applying appropriate technical or organisational measures (integrity and confidentiality);
  • the Controller is responsible for compliance with the above (accountability).

6. LEGAL BASES FOR PROCESSING

Pursuant to Article 6(1) of the GDPR, the processing of personal data is lawful only if and to the extent that at least one of the following applies:

  • the Data Subject has given consent to the processing of their personal data for one or more specific purposes [Article 6(1)(a) — processing based on consent];
  • processing is necessary for the performance of a contract to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract [Article 6(1)(b) — processing necessary for the performance of a contract];
  • processing is necessary for compliance with a legal obligation to which the Controller is subject [Article 6(1)(c) — processing necessary for compliance with a legal obligation];
  • processing is necessary in order to protect the vital interests of the Data Subject or of another natural person [Article 6(1)(d) — processing based on vital interests];
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller [Article 6(1)(e) — processing necessary for the performance of a public-interest task];
  • processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require the protection of personal data [Article 6(1)(f) — processing based on legitimate interests].

7. DATA PROCESSING ACTIVITIES

7.1 Contact

  • Purpose of processing: contacting and maintaining contact with the Data Subject.
  • Legal basis of processing: consent of the Data Subject (Article 6(1)(a) of the GDPR).
  • Data Subjects: persons who make enquiries or contact the Controller with the intention of establishing contact.
  • Scope of data processed: name, telephone number, email address, data voluntarily provided by the Data Subject during communication by email or telephone, the Data Subject’s name or identifier used on social media platforms, technical data such as the date and time of telephone calls or emails sent/received and the time of contact.
  • Source of data: Data Subjects.
  • Duration of processing: until the purpose is achieved, until consent is withdrawn or until a deletion request is submitted, or, in the absence of all of the above, for a maximum of 1 year from the date of contact.
  • Data transfer: no data transfer under Articles 44–49 of the GDPR takes place.
  • Other note: providing the data is necessary. Without providing the data, the Controller cannot contact the Data Subject.

7.2 Performance of contracts and contact management

  • Purpose of processing: preparation, conclusion and performance of contracts between the Controller and the contractual partner; compliance with legal obligations; maintaining client relationships; communication; and ensuring cooperation.
  • Legal basis of processing: performance of a contract, compliance with a legal obligation and legitimate interest (Article 6(1)(b), (c) and (f) of the GDPR).
  • Data Subjects: client/partner.
  • Scope of data processed: name, workplace, job title/position, telephone number, email address, address, signature, other data voluntarily disclosed to the Controller.
  • Source of data: Data Subject.
  • Duration of processing: for the period necessary for the purpose of processing, but at most until the end of the fifth year following the performance or termination of the contract.
  • Data transfer: no data transfer under Articles 44–49 of the GDPR takes place.
  • Other note: the processing of the referenced personal data is necessary for the conclusion and performance of the contract, the provision of services and the related contact management and cooperation.

7.3 Invoicing

  • Purpose of processing: issuing invoices and handling accounting records in accordance with the Accounting Act.
  • Legal basis of processing: compliance with a legal obligation, having regard to Section 159(1) of the VAT Act (Article 6(1)(c) of the GDPR).
  • Data Subjects: client/partner.
  • Scope of data processed: name, address, tax number, bank account number, registration number, registered office, email address.
  • Source of data: Data Subject.
  • Duration of processing: 8 years pursuant to Section 169(1) and (2) of the Accounting Act.
  • Data transfer: no data transfer under Articles 44–49 of the GDPR takes place.
  • Other note: in the case of sole traders, accounting records may contain personal data. These data are retained in accordance with the provisions of the Accounting Act.

Providing the data is mandatory under the applicable laws. Failure to provide the data means that the invoice cannot be accepted and the Controller cannot fulfil its invoicing obligation.

7.4 Claims management

  • Purpose of processing: taking all measures required to collect the Controller’s lawful claims and receivables, such as identifying clients and partners, maintaining contact and enforcing legal claims.
  • Legal basis of processing: legitimate interest of the Controller (Article 6(1)(f) of the GDPR).
  • Data Subjects: persons, clients or partners against whom the Controller has an overdue claim.
  • Scope of data processed: name, telephone number, email address, address, other data voluntarily disclosed to the Controller.
  • Source of data: Data Subject.
  • Duration of processing: the limitation period available for enforcing claims (5 years), and, in the case of administrative, judicial or non-contentious proceedings, the duration of such proceedings.
  • Data transfer: no data transfer under Articles 44–49 of the GDPR takes place.

7.5 Applying for a vacancy/position on the careers website

  • Purpose of processing: data provided on the careers website or otherwise transmitted to the Controller, for example by email, are required for the Data Subject’s application for a given job or position. The purpose of processing is to enable the Controller to conduct the recruitment procedure necessary for selecting the Data Subject, namely the applicant, for the establishment of an employment relationship with the Controller; and, if the application is successful and the applicant is selected, to prepare the employment contract.
  • Legal basis of processing: consent (Article 6(1)(a) of the GDPR).
  • Data Subjects: natural persons who provide data in order to apply for a given job or position.
  • Scope of data processed: name, telephone number and email address of the applicant Data Subject, CV, and other data voluntarily provided by the Data Subject/Applicant during communication, such as qualifications, language skills, salary expectations, photograph, data relating to previous employers and previous positions, work experience, etc.; technical data such as acceptance of the Privacy Notice and the date and time of application.
  • Source of data: Data Subject.
  • Duration of processing: until the establishment of the employment relationship fails to materialise, meaning until the selection process is closed, or, with consent, for a maximum of 24 months.
  • Data transfer: no data transfer under Articles 44–49 of the GDPR takes place.
  • Except in cases specified by law, the Controller does not transfer or disclose the data obtained for statistical or other purposes, and provides information relating to the assessment of submitted job applications and CVs exclusively at the Data Subject’s request and to the Data Subject.
  • The Controller may disclose incoming job applications and CVs to the Controller’s contractual partner only at the applicant’s request and with the applicant’s voluntary consent.

7.6 Applying for inclusion in the database on the careers website

  • Purpose of processing: data provided on the careers website are required for inclusion in the Controller’s HR database so that job offers matching the Data Subject’s professional experience and qualifications may be sent to the Data Subject in the future.
  • Legal basis of processing: consent (Article 6(1)(a) of the GDPR).
  • Data Subjects: natural persons who provide personal data in order to be included in the Controller’s HR database.
  • Scope of data processed: name, telephone number and email address of the Data Subject, CV, and other data voluntarily provided by the Data Subject during communication, such as qualifications, language skills, salary expectations, photograph, data relating to previous employers and previous positions, work experience, etc.; technical data such as acceptance of the Privacy Notice and the date and time of application.
  • Source of data: Data Subject.
  • Duration of processing: until withdrawal of the consent declaration, but for no longer than 24 months.
  • Data transfer: no data transfer under Articles 44–49 of the GDPR takes place.
  • Other note: the Data Subject may apply for inclusion in the Controller’s database at any time on the Controller’s careers website and may also apply for a specific vacancy or position advertised by the Controller. In the latter case, the applicant may voluntarily consent that, if they are not selected and the Controller does not establish an employment relationship with them, the Controller may continue to process the personal data provided during the application for the advertised vacancy, despite the unsuccessful application, in its HR database for the purpose of potentially sending another job offer matching the applicant’s professional experience and qualifications, in accordance with the applicable laws, until withdrawal of the applicant’s consent declaration, but for no longer than 24 months. In the absence of such consent, or upon withdrawal of the above consent declaration or expiry of the 24-month period, the personal data provided by the applicant shall be fully and immediately deleted.

7.7 Processing related to data provided on social media platforms

  • Purpose of processing: the primary purpose of content placed on social media platforms is to present the services provided by the Controller and to share and market the Controller’s services on social media. Through social media platforms, Data Subjects may obtain information about the Controller’s services and events related to the Controller.
  • Legal basis of processing: consent of the Data Subject (Article 6(1)(a) of the GDPR). Based on the terms of the social media platform, the Data Subject voluntarily consents to following and interacting with the Company’s content.
  • Data Subjects: persons who voluntarily follow the Controller’s social media page or the content displayed on it, respond to advertisements or perform interactions, such as sharing, liking or rating.
  • Scope of data processed: name, including the name used on the social media platform, LinkedIn profile link, messages sent by the Data Subject via the social media platform, and interactions by the Data Subject, such as ratings or other actions.
  • Source of data: Data Subject.
  • Duration of processing: until deletion at the Data Subject’s request.
  • Data transfer: no data transfer under Articles 44–49 of the GDPR takes place.
  • Other note:

The Controller has a company profile on the following social media platforms, for example: Facebook, LinkedIn and Instagram.

The Controller does not record or process personal data relating to users of the relevant social media platform in its internal database or system.

In relation to processing carried out on a social media platform, the operator of the social media platform qualifies as an independent controller. The Data Subject receives information about processing by the relevant social media platform on that platform.

7.8 Processing of data of persons registering for events

  • Purpose of processing: organising and holding events, such as workshops, meetups, conferences and partner meetings; identifying and informing participants; arranging catering and other services; taking allergies and dietary preferences into account in the interests of participant safety; maintaining contact in relation to the event, for example concerning programme changes or requests for feedback. Further, the event may be documented by photographs and video recordings, and such recordings may be used for the Company’s communication and marketing purposes, such as social media, website, newsletter and internal corporate materials.
  • Legal basis of processing: for “normal” data, such as name, contact details and workplace, the consent of the Data Subject (Article 6(1)(a) GDPR); for data relating to food allergies and dietary habits, the explicit consent of the Data Subject (Article 9(2)(a) GDPR), which is given by providing the information on the registration form and accepting the relevant information. Providing such data is voluntary; failure to provide special-category data may at most result in the Controller not being able to fully take the Data Subject’s special needs into account. The processing of photographs and video recordings taken at the event is also based on the Data Subject’s consent (Article 6(1)(a) GDPR). Giving consent is voluntary and may be withdrawn at any time. Before recordings are made, the Controller provides clear information about the recording, for example through pictograms, the registration interface or displayed notices.
  • Data Subjects: persons who register for and participate in events.
  • Scope of data processed: name, workplace, position, email address, telephone number, attendance status (registered, confirmed, attended / did not attend), information relating to food allergies, dietary habits and special needs, such as gluten sensitivity, lactose intolerance, vegetarian/vegan diet, etc. In addition, photographs and video recordings taken at the event on which the Data Subject’s image, appearance or other identifiable personal features can be recognised.
  • Source of data: Data Subject.
  • Duration of processing: the Controller processes personal data processed for the purpose of registration for the event and holding the event for no longer than 90 days after the end of the event, after which the data are deleted or anonymised. Special-category data relating to food allergies, dietary habits and other special needs are processed exclusively until the date of the event, and for no longer than 15 days after the event has ended, after which they are deleted. If, after the event, the participant voluntarily consents to the organiser using the contact details provided to inform them about future events, such data shall be processed until withdrawal of consent. Consent may be withdrawn at any time without giving reasons. Photographs and video recordings taken at the event are processed by the Controller until withdrawal of consent. If recordings are published, the Data Subject may request the removal or masking of their image, and the Controller shall comply with such request without undue delay.
  • Data transfer: in connection with organising and holding the event, the Controller may transfer personal data to certain processors, for example to the operator of the event venue with respect to data necessary for entry and security requirements. If the event involves several subsidiaries, other members of the group may receive the necessary data for organisational purposes, for example in the case of a joint conference. Photographs and video recordings may be transferred to a photography or videography service provider acting on behalf of the Company and, in the case of publication, to the operators of social media platforms and the website, such as Facebook, LinkedIn and YouTube. These entities act as controllers under their own privacy policies.

7.9 Processing of business contact data in the CRM called HubSpot

  • Purpose of processing: the purpose of processing is to establish and maintain contractual and business relationships, maintain regular contact, coordinate projects and service provision, and enforce or defend legal claims. The objective pursued through the CRM system is to connect sales and marketing and to ensure that client relationships are transparent and manageable.
  • Legal basis of processing: the legitimate interest of the Controller and the partner (Article 6(1)(f) GDPR), as business contact management is an essential part of cooperation with partners. The Data Subject may object to processing based on legitimate interest at any time.
  • Data Subjects: potential clients, businesses, companies and other organisations that may be contacted for marketing purposes.
  • Scope of data processed: name, workplace, position, business email address, telephone number, notes and emails relating to the content of negotiations and consultations, where necessary.
  • Source of data: Data Subject.
  • Duration of processing: the Controller processes contact persons’ data for as long as the business relationship exists or as long as there is a realistic possibility of further cooperation, for example on the basis of negotiations, requests for quotation or enquiries. If the business relationship ends or no substantive communication takes place with the Data Subject for more than 3 years, the data shall be deleted. In the event of a deletion request based on an objection, the Controller shall delete the data without delay, unless retention is necessary for the establishment, exercise or defence of legal claims.
  • Data transfer: during processing, the Controller uses HubSpot, Inc. as a processor for storing the data and operating the CRM. HubSpot’s processing is carried out in accordance with the GDPR rules applicable in the EU, on the basis of contractual safeguards provided by HubSpot, such as an EU-level data processing agreement and standard contractual clauses (SCCs).

The Controller’s authorised employees may access the personal data exclusively for the purposes of business contact management and sales. The Controller does not sell personal data and does not make them available to third parties for marketing or other purposes of their own.

7.10 Sending newsletters / advertising messages / direct marketing enquiries

  • Purpose of processing: advertising, marketing and informing the Data Subject about the Company’s services.
  • Legal basis of processing: consent of the Data Subject (Article 6(1)(a) of the GDPR).
  • Data Subjects: potential clients, businesses, companies and other organisations that may be contacted for marketing purposes.
  • Scope of data processed: name, email address, telephone number, newsletter subscription, message and date/time of message.
  • Source of data: Data Subject. The email address is obtained from the Data Subject on the basis of consent, through subscription.

In other cases, a public company database may be used as the basis for sending marketing notifications.

  • Duration of processing: until deletion at the Data Subject’s request, until withdrawal of consent, or for 30 days from the date of unsubscribing.
  • Data transfer: no data transfer under Articles 44–49 of the GDPR takes place.
  • Other note: providing the data is necessary. Without providing the data, the Controller cannot contact the Data Subject.

7.11 Processing related to reports submitted through the whistleblowing system

  • Purpose of processing: investigating the validity of the report and remedying or terminating the conduct forming the subject of the report; maintaining contact during the procedure; and complying with statutory obligations.
  • Legal basis of processing: compliance with a legal obligation (Article 6(1)(c) of the GDPR), having regard to Act XXV of 2023 on complaints, public interest disclosures and rules relating to the reporting of abuses (operation of a whistleblowing system on a voluntary or mandatory basis), or legitimate interest aimed at full compliance with a statutory obligation (Article 6(1)(f) of the GDPR).
  • Data Subjects: every natural person who can be identified on the basis of data recorded in the report, such as the reporting person, the person concerned by the report or a witness.
  • Scope of data processed: data provided by the reporting person during the report that enable identification and contact with them.
  • Source of data: Data Subject.
  • Duration of processing:
    • in the case of dismissal of the report: until deletion;
    • if no procedure is initiated: during the investigation, but for no longer than 60 days;
    • if a procedure is initiated: for 5 years after the final closure of the procedures initiated on the basis of the report.
  • Data transfer: no data transfer under Articles 44–49 of the GDPR takes place; where necessary, data may be transferred to an authority, court or legal representative.
  • Other note: providing the data is indispensable for the proper conduct of the procedure, meaning for the investigation of the grievance and for maintaining contact. Without such data, the complaint cannot be identified and therefore the procedure cannot be conducted.

7.12 Information on camera surveillance

A camera surveillance system operates at the entrance and in the common areas of the building serving as the Company’s registered office, including in particular the main entrance, lobby and elevators. The cameras are operated not by NITROWISE LABS Zrt., but by the owner/operator of the building, who is the independent controller for the data processing activity related to camera surveillance.

The Company has no access to the cameras installed in the building, does not process, store or transfer the recordings and does not exercise any technical or administrative control over them. The camera recordings are processed exclusively by the owner/operator of the building for the purposes and under the conditions set out in its own privacy notice.

No camera surveillance takes place in the areas related to the Company’s operations, meaning on the office floor or inside the office, and the Company does not carry out processing for such purposes.

Access to personal data in relation to camera recordings may occur only in exceptional cases, such as a legal dispute, security incident or authority procedure, in accordance with the procedure of the building operator, in compliance with the applicable laws, or in the case of explicit and voluntary consent.

Information on the processing relating to camera surveillance in the building, the retention period of the recordings and the provisions relating to data subject rights are contained in the separate privacy notice published by the building operator.

7.13 Visiting the website, cookie management and use of external services

In order to maintain the operation of the Controller’s website, measure its performance and improve user experience, the Controller uses cookies and external analytics/user behaviour analysis services.

The Controller places small data packages, so-called “cookies”, on the device used by website visitors, i.e. users, for browsing, or applies similar technologies in order for the browser to recognise the user’s computer and “remember” certain information relating to the website visitor, as well as to personalise content and advertisements, provide social media functions and monitor website traffic. Cookies may also be used to collect information about use of the website, to facilitate navigation on the website and for the Controller’s administrative purposes, such as measuring website traffic.

No cookie contains personal data that would enable anyone to contact the Data Subject by email, telephone or traditional postal mail.

Under the currently applicable laws, a cookie may be stored on the Data Subject’s device only if this is strictly necessary, meaning indispensable for the operation of the website; these are called “necessary cookies”. The use of all other types of cookies requires your consent. The cookies currently used on the website can be viewed and configured in the pop-up window displayed when entering the website.

The following section describes in detail the processing carried out during website use and the service providers used.

Scope of data processed

When visiting the website, the Controller, or the processors engaged by it, may process the following technical data:

  • IP address;
  • browser type and version;
  • operating system;
  • device type, such as mobile, tablet or PC;
  • pages and subpages visited;
  • date and duration of the visit;
  • referring URL;
  • cookie identifiers.

These data are collected by cookies necessary for the operation of the website and by the systems of Google Analytics, Microsoft Clarity and HubSpot.

Purpose of processing

  • ensuring the secure and stable operation of the website;
  • analysing traffic and user behaviour;
  • improving user experience and identifying errors;
  • carrying out performance measurements and preparing statistics;
  • supporting marketing activity based on aggregated data.

Legal basis of processing

  • cookies necessary for operation: legitimate interest of the Controller (Article 6(1)(f) GDPR);
  • analytics, behaviour analysis and marketing cookies, as well as the use of Google Analytics, Microsoft Clarity and HubSpot: consent of the Data Subject (Article 6(1)(a) GDPR), which may be given or withdrawn in the pop-up cookie banner.

The Controller applies the following cookie categories:

1. Session cookies

  • required for the operation of the website’s basic functions;
  • deleted when the browser is closed.

2. Persistent cookies

  • remembering user settings;
  • remain for a specified period or until manually deleted.

3. Analytics cookies (Google Analytics)

  • anonymous statistics on visitor behaviour.

https://policies.google.com/privacy?hl=en-US#europeanrequirements

Cookie name | Default expiration time | Description
_ga | 2 years | Used to distinguish users.
_ga_<container-id> | 2 years | Used to persist session state.

4. Behaviour analysis cookies (Microsoft Clarity)

  • visual presentation of user interactions and analysis of user journeys.

https://learn.microsoft.com/en-us/clarity/setup-and-installation/clarity-cookies#what-cookies-does-clarity-set

5. Marketing / CRM cookies (HubSpot)

  • tracking form submissions, newsletter management, campaign automation, and tracking the viewing of documents and emails.

https://knowledge.hubspot.com/privacy-and-consent/what-cookies-does-hubspot-set-in-a-visitor-s-browser

The use of cookies may be restricted or cookies may be deleted in the browser at any time.

Data transfer and third countries

Google LLC, Microsoft Corporation and HubSpot Inc. are established in the United States.

Therefore, personal data may, in the case of consent, be transferred to a third country. Data transfer takes place exclusively subject to the following GDPR-compliant safeguards:

  • the EU–US Data Privacy Framework; or
  • Standard Contractual Clauses (SCCs); and
  • additional technical and organisational safeguards, such as encryption and IP anonymisation.

Duration of processing

  • session cookies: until the browser is closed;
  • persistent cookies: for 1–24 months, or until deleted by the user;
  • analytics and Clarity data: 12–24 months, depending on the provider;
  • HubSpot marketing cookies: maximum 13 months.

8. TRANSFER OF DATA

In order to achieve the processing purposes set out in this Privacy Notice, to perform its tasks and to comply with its statutory obligations, the Controller uses the services of third parties (hereinafter: “Processors”), which services may involve the processing of Data Subjects’ personal data.

Processors carry out processing in accordance with the Controller’s instructions and in compliance with the provisions of applicable laws. Processors’ access rights are strictly limited to the purpose of performing their tasks and to the extent necessary.

The Controller transfers data on the legal basis of “performance of contracts” or “legal compliance” to the following organisations and partners acting as processors or independent controllers:

Name of processor | Activity performed by the processor | Personal data processed by the processor
szamlazz.hu | The Controller electronically stores data with the help of the service. | Name, address, tax number, bank account number, registration number, registered office, email address.
Focus Audit and Advisory Könyvvizsgáló és Tanácsadó Kft. (independent data controller) | Performance of audit tasks. | All personal data that may be contained in a document.
EuroScale Automatika Kft. | HR database. | For example: name, status, date of birth, email, telephone number, date of application, date of contact, method of application, area, position, data relating to hiring and termination, employment status, salary expectations, information relating to referrals, interview date, interviewer, data relating to occupational health tasks, date offer sent, data relating to the offer, sending of data processing email (date), data processing consent and its time, LinkedIn link, import Excel serial number, qualifications, language skills.
Hegedüs Bence E.V. | Organisational development tasks and management of social media platforms. | Name, workplace, position, business email address, telephone number, notes and emails relating to the content of negotiations and consultations, where necessary; data voluntarily provided by the Data Subject during communication by email or telephone; the Data Subject’s name or identifier used on social media platforms; technical data such as the date/time of telephone calls or emails sent/received and the date/time of contact; LinkedIn profile link; messages sent by the Data Subject via social media platforms; interactions by the Data Subject, such as ratings or other actions.
Microsoft cloud service provider: Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park Leopardstown, Dublin 18, D18 P521, Ireland, VAT number IE8256796U | Use of hosting service (Microsoft 365). Personal data are processed in the server room operated by the hosting provider used by the Controller. | All personal data that may be contained in an electronic document (theoretical access right).

Data may be transferred, where justified and necessary, for example in the event of a statutory obligation, to a legal representative, authority, court or auditor.

The Controller does not transfer personal data to a third country or international organisation beyond the possible cases indicated in this Privacy Notice.

9. DATA SECURITY

In the field of processing security, the Controller ensures compliance with the data security rules required by the applicable laws through technical and organisational measures and by establishing procedures. The Controller protects and ensures the confidentiality, integrity and availability of all personal data processed by applying technical, physical and administrative protection in line with industry-accepted standards. In accordance with its policies and the applicable data protection requirements, the Controller ensures, through information security measures, that the Data Subject’s personal data are protected, among other things, against unauthorised access, unauthorised alteration and deletion, and takes the necessary measures to prevent damage to the data.

Personal data are stored at the Controller’s registered office in paper form and electronically. The Controller ensures the physical protection of both paper-based and electronically stored data, and the latter are also protected by password protection.

In order to ensure the security of IT systems, the Controller protects the IT systems with a firewall and, in order to prevent external and internal data loss, uses antivirus and anti-malware software in the O365 system. The Controller makes daily backups of electronically stored data. The Controller stores the backups on its own server.

The Controller ensures that unauthorised persons cannot access, disclose, transmit, modify or delete the processed data. The processed data may be accessed only by the Controller’s employees, assigned according to job roles, to the extent necessary, in a specified manner and according to authorisation levels, and by the processors engaged by the Controller. Persons with access to personal data are subject to confidentiality obligations in relation to the Data Subject’s personal data.

10. MANAGEMENT OF PERSONAL DATA BREACHES

The Controller takes all measures to avoid personal data breaches. A personal data breach is a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed. The Controller reports a personal data breach to the Hungarian National Authority for Data Protection and Freedom of Information without delay, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of Data Subjects. The Controller keeps records of personal data breaches, together with the measures related to each breach. If the breach is serious, meaning it is likely to result in a high risk to the rights and freedoms of the Data Subject, the Controller informs the Data Subject of the personal data breach without undue delay.

Any person who detects a personal data breach as described above in relation to personal data processed by the Controller may report it to the Controller using any of the contact details provided in this Notice.

11. RIGHTS RELATED TO DATA PROCESSING

11.1 Right to request information (based on Articles 13–14 of the GDPR)

The Data Subject may request information in writing from the Controller on:

  • which of their personal data are processed, for what processing purpose, on what legal basis, for how long and from what source;
  • whether a processor is used and, if so, the name and address of any processor and its activity related to processing;
  • to whom, when, on what legal basis and regarding which personal data the Controller granted access or to whom it transferred the personal data;
  • the circumstances and effects of any personal data breach and the measures taken to remedy it.

The Controller shall comply with the Data Subject’s request within no more than 30 days by sending a response letter to the contact details provided in the request. If the request is sent to the Controller electronically, the Controller’s response shall also, where possible, be provided electronically.

11.2 Right of access (based on Article 15 of the GDPR)

The Data Subject has the right to obtain confirmation from the Controller as to whether personal data concerning them are being processed and, where such processing is taking place, has the right to access the personal data processed.

The Controller shall provide the Data Subject with a copy of the personal data undergoing processing, unless this is prevented by another legal provision. If the Data Subject submitted the request electronically, the information shall be provided in a commonly used electronic format, unless the Data Subject requests otherwise.

11.3 Right to rectification and completion (based on Article 16 of the GDPR)

The Data Subject may request in writing that the Controller amend any of their personal data, for example the Data Subject may change their email address or postal contact details at any time, or may request that the Controller rectify any inaccurate personal data processed by the Controller.

Taking into account the purposes of the processing, the Data Subject has the right to request the completion of incomplete personal data.

The Controller shall comply with the request within no more than 30 days and shall inform the Data Subject by email or letter sent to the contact details provided by the Data Subject.

11.4 Right to erasure (based on Article 17 of the GDPR)

The Data Subject may request in writing that the Controller erase their personal data without undue delay where one of the grounds specified in Article 17 of the GDPR applies.

The Data Subject has the right to have the Controller erase the personal data concerning them without undue delay if the processing has no purpose, if the Data Subject has withdrawn their consent and there is no other legal basis for the processing, if in the case of an objection there are no overriding legitimate grounds for the processing, if the data have been unlawfully processed, or if the data must be erased for compliance with a legal obligation.

11.5 Right to blocking/restriction of processing (based on Article 18 of the GDPR)

The Data Subject may request in writing that the Controller block their personal data by clearly marking the restricted nature of the processing and ensuring that the data are handled separately from other data. Blocking shall last as long as the reason indicated by the Data Subject makes the storage of the data necessary.

The Data Subject may request the blocking of data, for example, if they believe that the Controller has processed the data unlawfully but, for the purposes of an authority or court procedure initiated by the Data Subject, it is necessary that the Controller not delete the data. In this case, until the authority or court contacts the Controller, the Controller shall continue to store the personal data and shall subsequently delete them. The Data Subject may also request blocking if they contest the accuracy of the personal data, in which case the restriction applies for the period enabling the Controller to verify the accuracy of the personal data. It may also be requested if the Controller no longer needs the personal data for processing purposes but the Data Subject requires them for the establishment, exercise or defence of legal claims.

11.6 Right to data portability (based on Article 20 of the GDPR)

The Data Subject may request in writing to receive the personal data concerning them, which they have provided to the Controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller without hindrance from the Controller, where:

  • the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a), or
  • the processing is based on a contract pursuant to Article 6(1)(b); and
  • the processing is carried out by automated means.

11.7 Right to object (based on Article 21 of the GDPR)

The Data Subject may object in writing to the processing of their personal data under Article 6(1)(f) of the GDPR, where processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party. In such a case, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject, or which are related to the establishment, exercise or defence of legal claims.

11.8 Right to withdraw consent (based on Article 7(3) GDPR)

The Data Subject has the right to withdraw their consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. It must be possible to withdraw consent as easily as it was given.

12. ENFORCEMENT AND LEGAL REMEDIES RELATED TO DATA PROCESSING

If the Data Subject considers that the Controller does not act lawfully in the processing of their personal data, the Controller requests that the Data Subject in all cases first communicate their comment or claim to the Controller, using the contact details indicated earlier in this Notice, in order to handle the comment as quickly and effectively as possible.

1. Contacting the Controller — complaint

In relation to personal data processed by the Controller and any questions concerning the exercise of the rights set out in Section 11, information may be requested from the Controller’s employee designated for data processing matters at the following contact details:

  • Email: adatvedelem@nitrowise.com
  • Postal address: NITROWISE LABS Zrt., 1117 Budapest, Gábor Dénes u. 4., Infopark C. ép., Hungary. Please indicate on the envelope: “DATA PROTECTION!”
  • Designated employee: Dr. Kinga Jolsvai

In the event that the Data Subject exercises a right related to data processing, requests information related to data processing, or submits an objection or complaint related to data processing, the Controller shall investigate the matter without undue delay and within the period prescribed by the applicable laws, take measures in relation to the enquiry and provide information to the Data Subject concerning the matter.

If the Data Subject submitted the enquiry electronically, the Controller shall, where possible, provide the information electronically, unless the Data Subject requests otherwise. If the Controller does not take measures based on the Data Subject’s enquiry without delay, but at the latest within the statutory deadline, it shall inform the Data Subject of the reasons for the failure to take action or the refusal to comply with the request, and of the fact that the Data Subject may initiate court or authority proceedings in their case as set out below.

If the Data Subject’s issue is not resolved with the Controller’s cooperation and the Data Subject is not satisfied with the Controller’s response, the Data Subject may contact the following bodies.

2. Initiating authority proceedings

The Data Subject may initiate an investigation or authority proceedings before the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) in order to enforce their rights, on the grounds that an infringement has occurred in relation to the processing of their personal data or there is an imminent risk of such infringement.

Contact details of the Hungarian National Authority for Data Protection and Freedom of Information:

  • Registered office: 1055 Budapest, Falk Miksa utca 9-11., Hungary
  • Website: http://naih.hu
  • Postal address: 1363 Budapest, Pf.: 5., Hungary
  • Telephone: +36-1-391-1400
  • Fax: +36-1-391-1410
  • Email: ugyfelszolgalat@naih.hu

3. Initiating court proceedings

If the Data Subject considers that the Controller has violated the applicable data protection requirements during the processing of their personal data, the Data Subject may also turn to a court for the protection of their data. The case falls within the jurisdiction of the regional courts. At the Data Subject’s choice, proceedings may also be initiated before the regional court competent according to the Data Subject’s place of residence or place of stay. Contact details of the regional courts are available at: www.birosag.hu/torvenyszekek.

13. MISCELLANEOUS

No automated decision-making, profiling or transfer of personal data to a third country or international organisation takes place in the course of the processing of personal data detailed in this Privacy Notice.

The scope of this Notice extends to everyone whose personal data are processed by the Company for the purposes set out in this Privacy Notice, or who makes their data available to the Company. By transmitting their personal data to the Company, the Data Subject acknowledges the provisions of this Notice and consents to the processing of their data in accordance with the Notice. In the case of voluntary provision of data by the Data Subject, the Controller processes the personal data with the Data Subject’s consent.

If personal data relating to the Data Subject were not provided to the Controller by the Data Subject, the person providing the data is responsible for the accuracy of the data, for having appropriate authorisation from the Data Subject in relation to the data provided, and for informing the Data Subject of the provisions of this Notice.

The Controller reserves the right to amend this Privacy Notice unilaterally. The current Privacy Notice is available on the Controller’s website.

Budapest, 21 September 2020

Date of latest amendment: 2 December 2025

NITROWISE LABS Zrt.

