Privacy Policy (GDPR)

1. Scope of the Policy

1.1. This Policy applies to the processing of personal data of users, customers, representatives and authorised users of the Service.

1.2. The Service is intended primarily for professional (B2B) use. Personal data processed through the Service is typically limited to account, billing and technical usage data.

2. Roles and Definitions

• Controller: the entity that determines the purposes and means of the processing of personal data.
• Processor: an entity that processes personal data on behalf of the Controller.
• Personal Data: any information relating to an identified or identifiable natural person.
• User: a natural person using the Service, whether on their own behalf or as a representative of a legal entity.

In relation to personal data uploaded or provided by customers through the Service, Actegon Solutions Ltd. acts as a data processor, while the customer acts as the data controller. Such processing is governed by a separate Data Processing Agreement (DPA) executed between Actegon Solutions Ltd. and the customer in accordance with Article 28 GDPR.

3. Categories of Personal Data

The Controller may process the following categories of personal data:

• identification data (name, username);
• contact data (e-mail address);
• account and authentication data;
• billing and invoicing data;
• technical and usage data (IP address, log data, timestamps);
• support and communication records.

The Service is not intended for the processing of special categories of personal data under Article 9 GDPR.

4. Purposes and Legal Bases of Processing

4.1 Personal data is processed for the following purposes and legal bases:

4.2 Where processing is based on the Controller's legitimate interests pursuant to Article 6(1)(f) GDPR, such legitimate interests include ensuring the secure and reliable operation of the Service, preventing unauthorised access, misuse or fraud, maintaining system integrity, and providing effective customer support and communication.

4.3 The processing of personal data is not based on consent, except where specifically indicated (for example, if a User opts in to receive marketing communications). Users have the right to withdraw any consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

4.4 Provision of account and billing data is necessary for the conclusion and performance of the contract. Failure to provide such data may prevent the User from accessing or using the Service. Other personal data, such as support requests or optional contact information, may be provided voluntarily.

5. Data Processing in a Cloud Environment

5.1. Personal data is processed within a secure cloud infrastructure operated by the Controller and/or its authorised processors.

5.2. Data may be stored on servers located within the European Union or, where applicable, in third countries subject to appropriate safeguards in accordance with Chapter V GDPR.

5.3. When processing personal data on behalf of customers, Actegon Solutions Ltd. acts solely as a data processor in accordance with the relevant Data Processing Agreement.

6. Data Processors and Data Transfers

6.1. The Controller may engage data processors, including cloud infrastructure providers, hosting services and payment processors.

6.2. All processors are bound by data processing agreements compliant with Article 28 GDPR.

6.3. Where personal data is transferred outside the European Economic Area, the Controller ensures an adequate level of protection through standard contractual clauses or other lawful transfer mechanisms.

7. Data Retention

7.1 Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected and thereafter in accordance with applicable legal obligations.

7.2 The retention periods for specific categories of data are as follows:

• Account data: retained for the duration of the contract and 5 years thereafter.
• Billing data: retained for 8 years in accordance with Hungarian accounting laws.
• Log data: retained for up to 12 months, unless required for security investigations or legal obligations.

7.3 After the retention period expires, personal data will be securely deleted or anonymised so that it can no longer be used to identify an individual.

8. Data Subject Rights

Data subjects have the following rights under the GDPR:

• right of access (Art. 15);
• right to rectification (Art. 16);
• right to erasure (Art. 17);
• right to restriction of processing (Art. 18);
• right to data portability (Art. 20);
• right to object (Art. 21);
• right to lodge a complaint with a supervisory authority.

Requests may be submitted to the Controller using the contact details above.

9. Data Security

9.1. The Controller implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including access controls, encryption and logging.

9.2. The Controller regularly reviews and updates its security measures.

10. Automated Decision-Making

The Service does not involve automated decision-making or profiling within the meaning of Article 22 GDPR.

11. Changes to the Policy

The Controller reserves the right to amend this Policy. Changes shall become effective upon publication on the website or within the Service.

12. Contact and Supervisory Authority

Data subjects may lodge a complaint with the competent supervisory authority. In Hungary, this is the National Authority for Data Protection and Freedom of Information (NAIH).

Data Protection Officer: The Controller has not appointed a Data Protection Officer, as it is not required under Article 37 GDPR.