Introduction CreaTech Ai Solutions Kft. (2000 Szentendre, Szabadkai u. 2/A, tax number: 32556115-2-13, company registration number: 13-09-233998) (hereinafter: Service Provider, data controller) complies with the following regulation: In regard to the protection of natural persons with respect to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) THE EUROPEAN PARLIAMENT AND THE COUNCIL (EU) REGULATION 2016/679 (April 27, 2016), the following information is provided. This privacy policy regulates the data processing of the following pages/mobile applications: https://rocketwriter.ai The privacy policy is accessible from the following page: https://rocketwriter.ai/privacy-policyAmendments to the policy take effect upon their publication at the address above.

Data Controller and Contact Information Name: CreaTech Ai Solutions Kft.

Headquarters: 2000 Szentendre, Szabadkai u. 2/A Email: hello@rocketwriter.ai Phone: +36204014769

Definitions "personal data": any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person; "data processing": any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction; "data controller": the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; "data processor": a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller; "recipient": a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing; "consent of the data subject": a freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; "data protection incident": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Principles Relating to Processing of Personal Data Personal data shall be: processed lawfully, fairly, and in a transparent manner in relation to the data subject ("lawfulness, fairness, and transparency"); collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ("purpose limitation"); adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation"); accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy"); kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject ("storage limitation"); processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality"). The controller shall be responsible for, and be able to demonstrate compliance with, the principles set out above ("accountability").

Registration (User Account Creation)

1. Fact of data collection, scope of managed data, and the purpose of data processing: Personal Data Purpose of Data Processing Legal Basis Name Identification, serves secure entry into the user account. Article 6(1)(a) of the GDPR. Email address Contact, sending system messages, logging into the user account Article 6(1)(a) of the GDPR. Password Serves secure entry into the user account. Article 6(1)(a) of the GDPR. Date of registration/IP address at registration Execution of a technical operation. Article 6(1)(a) of the GDPR.

The email address does not need to contain personal data. 2. Scope of affected data subjects: all data subjects registered on the website/mobile application.

3. Duration of data processing, deadline for deleting data: Until the data subject requests deletion if any of the conditions specified in Article 17(1) of the GDPR are met. Personal data is immediately deleted upon cancellation of registration. The data controller shall inform the data subject about the deletion of any personal data provided by the data subject based on Article 19 of the GDPR, electronically. If the data subject's deletion request includes the email address provided, then the data controller will delete the email address following the notification.
4. Possible data controllers entitled to know the data, recipients of personal data: Personal data may be managed by the data controller's authorised employees based on the information provided in this notice.
5. Rights of data subjects concerning data processing: The data subject may request from the data controller access to, rectification, erasure, or restriction of processing of personal data concerning the data subject, and the data subject has the right to data portability, and to withdraw consent at any time.
6. Methods by which the data subject can initiate access to personal data, their deletion, modification, or restriction of their processing, or data portability: by mail at 2000 Szentendre, Szabadkai u. 2/A, by email at hello@rocketwriter.ai, by phone at +36204014769.
7. Legal basis for data processing: Article 6(1)(a) of the GDPR.
8. We inform you that data processing is based on your consent, or necessary for taking steps at your request prior to entering into a contract. you are obliged to provide personal data so that we can register you. the non-provision of data means that we cannot create a user account for you. withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Data Processing Related to Service Usage

1. Fact of data collection, scope of managed data, and the purpose of data processing: Personal Data Purpose of Data Processing Legal Basis First and last name Necessary for contact, to avail services, and for the issuance of a compliant invoice. Article 6(1)(b) of the GDPR. Email address Contact. Phone number Contact, more efficient coordination related to invoicing. Billing name and address Issuance of a compliant invoice, and for creating, determining content, modifying, monitoring the fulfillment of the contract, invoicing of fees arising from it, and for enforcing related claims. Article 6(1)(c) of the GDPR (legal obligation: Section 169(2) of the Act C of 2000 on Accounting) Date of subscription/registration Execution of a technical operation. Article 6(1)(b) of the GDPR. IP address at the time of subscription/registration Execution of a technical operation.

Neither the username nor the email address needs to contain personal data. 2. Scope of affected data subjects: All data subjects registered/using services on the website.

3. Duration of data processing, deadline for deleting data: Until the data subject requests deletion if any of the conditions specified in Article 17(1) of the GDPR are met. Personal data provided by the data subject is immediately deleted upon cancellation of registration. The data controller shall inform the data subject about the deletion of any personal data provided by the data subject based on Article 19 of the GDPR, electronically. If the data subject's deletion request includes the email address provided, then the data controller will delete the email address following the notification. Except for accounting documents, as they must be retained for 8 years based on Section 169(2) of the Act C of 2000 on Accounting. Contractual data of the data subject can be deleted after the expiration of the civil statute of limitations based on the data subject's deletion request. Accounting documents directly and indirectly substantiating bookkeeping (including ledger accounts, analytical, and detailed records) must be preserved in a readable form, searchable based on accounting records, for at least 8 years.
4. Possible data controllers entitled to know the data, recipients of personal data: Personal data may be managed by the data controller's sales and marketing employees, respecting the principles outlined above.
5. Rights of data subjects concerning data processing: The data subject may request from the data controller access to, rectification, erasure, or restriction of processing of personal data concerning the data subject, and the data subject has the right to data portability, and to withdraw consent at any time.
6. Methods by which the data subject can initiate access to personal data, their deletion, modification, or restriction of their processing, or data portability: by mail at 2000 Szentendre, Szabadkai u. 2/A, by email at hello@rocketwriter.ai, by phone at +36204014769.
7. We inform you that data processing is necessary for the performance of a contract and for making an offer. you are obliged to provide personal data so that we can fulfill your order. the non-provision of data means that we cannot process your order.

Contact

1. Fact of data collection, scope of managed data, and the purpose of data processing: Personal Data Purpose of Data Processing Legal Basis Name Identification Article 6(1)(a) of the GDPR. Email address Contact, sending response messages Phone number Contact Content of the message, if it contains personal data Necessary for responding

The email address does not need to contain personal data. 2. Scope of affected data subjects: All data subjects who send a message through the contact form.

3. Duration of data processing, deadline for deleting data: The data controller manages personal data until the purpose of data processing is achieved, but for no more than 2 years. If any of the conditions specified in Article 17(1) of the GDPR are met, data processing lasts until the data subject requests deletion.
4. Possible data controllers entitled to know the data, recipients of personal data: Personal data may be managed by the data controller's authorised employees.
5. Rights of data subjects concerning data processing: The data subject may request from the data controller access to, rectification, erasure, or restriction of processing of personal data concerning the data subject, and the data subject has the right to data portability, and to withdraw consent at any time.
6. Methods by which the data subject can initiate access to personal data, their deletion, modification, or restriction of their processing, or data portability: by mail at 2000 Szentendre, Szabadkai u. 2/A, by email at hello@rocketwriter.ai, by phone at +36204014769.
7. Legal basis for data processing: the data subject's consent, Article 6(1)(a) of the GDPR. If you contact us, you consent to us processing your personal data (name, phone number, email address) according to this policy.
8. We inform you that this data processing is based on your consent and is necessary for making an offer. you are obliged to provide personal data so that you can contact us. the non-provision of data means that you cannot contact the data controller. withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Newsletter, DM Activity

1. In accordance with Section 6 of Act XLVIII of 2008 on the basic conditions and certain restrictions of economic advertising activity, the User may expressly and beforehand consent to the Service Provider contacting them with advertisements and other mailings at the contact details provided at registration.
2. Furthermore, the Customer may consent, keeping the provisions of this notice in mind, that the Service Provider manage their personal data necessary for sending the advertisements.
3. The Service Provider does not send unsolicited advertisements, and the User may unsubscribe from the offers without limitation and justification, freely. In this case, the Service Provider deletes all personal data necessary for sending advertisement messages from its records and will not contact the User with further advertisements. The User can unsubscribe from the advertisements by clicking on the link in the message.
4. Fact of data collection, scope of managed data, and the purpose of data processing: Personal Data Purpose of Data Processing Legal Basis Name, email address. Identification, enabling subscription to the newsletter/promotional coupons. The data subject's consent, Article 6(1)(a) of the GDPR. In accordance with Section 6(5) of Act XLVIII of 2008. Date of subscription Execution of a technical operation. IP address at the time of subscription Execution of a technical operation.
5. Scope of affected data subjects: All data subjects who subscribe to the newsletter.
6. Purpose of data processing: sending advertising content electronic messages (email, SMS, push message) to the data subject, providing information about current information, products, promotions, new features, etc.
7. Duration of data processing, deadline for deleting data: until the withdrawal of the consent statement, i.e., until unsubscribing.
8. Possible data controllers entitled to know the data, recipients of personal data: Personal data may be managed by the data controller, as well as its sales and marketing employees, respecting the principles outlined above.
9. Rights of data subjects concerning data processing: The data subject may request from the data controller access to, rectification, erasure, or restriction of processing of personal data concerning the data subject, and may object to the processing of their personal data, and the data subject has the right to data portability, and to withdraw consent at any time.
10. Methods by which the data subject can initiate access to personal data, their deletion, modification, or restriction of their processing, or data portability, or objection: by mail at 2000 Szentendre, Szabadkai u. 2/A, by email at hello@rocketwriter.ai, by phone at +36204014769.
11. The data subject can unsubscribe from the newsletter at any time, freely.
12. We inform you that data processing is based on your consent and the service provider's legitimate interest. you are obliged to provide personal data if you want to receive a newsletter from us. the non-provision of data means that we cannot send you a newsletter. we inform you that you can withdraw your consent at any time by clicking to unsubscribe. withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Cookie Management

1. The so-called "cookie for password-protected sessions", "cookie necessary for the shopping cart", "security cookies", "Necessary cookies", "Functional cookies", and "cookies responsible for managing website statistics" do not require prior consent from the data subjects.
2. Fact of data collection, scope of managed data: Unique identification number, dates, times
3. Scope of affected data subjects: All data subjects visiting the website.
4. Purpose of data processing: Identification of users, tracking visitors, ensuring customized operation.
5. Duration of data processing, deadline for deleting data: Cookie Type Legal Basis for Data Processing Duration of Data Processing Session cookies (session), or other cookies essential for the operation of the website No data processing occurs with the use of the cookie. The period until the closure of the relevant visitor session, thus it remains on the computer only until the browser is closed. Statistical, marketing cookies Article 6(1)(a) of the GDPR 1 month - 2 years
6. Possible data controllers entitled to know the data: The personal data can be known by the data controller.
7. Rights of data subjects concerning data processing: Data subjects have the opportunity to delete cookies in the browser's Tools/Settings menu, generally under the Privacy settings.
8. Most browsers used by our users allow the setting of which cookies should be saved and also allow the deletion of (specified) cookies. If you restrict the saving of cookies on specified websites or do not permit third-party cookies, this can lead to our website no longer being fully usable under certain circumstances. Here you can find information on how to customize cookie settings for common browsers: Google Chrome (https://support.google.com/chrome/answer/95647?hl=hu) Internet Explorer (https://support.microsoft.com/hu-hu/help/17442/windows-internet-explorer-delete-manage-cookies) Firefox (https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn) Safari (https://support.apple.com/hu-hu/guide/safari/sfri11471/mac)

Use of Google Ads Conversion Tracking The data controller uses the online advertising program "Google Ads" and within its framework avails of the Google conversion tracking service. Google conversion tracking is an analytics service by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). When a User accesses a website via a Google ad, a cookie necessary for conversion tracking is placed on their computer. The validity of these cookies is limited, and they contain no personal data, thus the User cannot be identified through them. When the User browses certain pages of the website and the cookie has not yet expired, both Google and the data controller can see that the User clicked on the ad. Each Google Ads customer receives a different cookie, so they cannot be tracked through the websites of Ads customers. The information gathered using the conversion tracking cookies is used to generate conversion statistics for Ads customers who have opted for conversion tracking. Customers are thus informed of the total number of users who have clicked on their advertisement and were redirected to a page tagged with a conversion tracking tag. However, they do not receive information that can personally identify users. If you do not want to participate in the tracking, you can reject this by disabling the installation of cookies through your browser settings. Thereafter, you will not be included in the conversion tracking statistics. According to Google Consent Mode v2, Google also uses two new types of cookies: ad_user_data and ad_personalization, which are based on the data subject's consent and relate to the use and sharing of data. Ad_user_data is used to provide consent for the use of user data for advertising purposes by Google. Ad_personalization controls whether the data can be used to personalize advertisements (e.g., remarketing). The data controller ensures the procurement and revocation of the appropriate consents through its cookie banner/panel. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Further information and Google's privacy statement are available at the following page: https://policies.google.com/privacy

Use of Google Analytics This website uses Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses so-called "cookies", text files that are stored on your computer to help analyze how users use the website. The information generated by the cookies about your use of this website is usually transferred to and stored on a Google server in the USA. If IP anonymization is activated on this website, Google will truncate your IP address within Member States of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity for website operators, and to provide other services related to website activity and internet usage. Within the framework of Google Analytics, the IP address transmitted by your browser will not be associated with any other data held by Google. You can prevent the storage of cookies by selecting the appropriate settings on your browser; however, please note that if you do this, you may not be able to use the full functionality of this website. You can also prevent Google from collecting and processing the data generated by the cookies and related to your use of the website (including your IP address) by downloading and installing the browser plugin available under the following link. https://tools.google.com/dlpage/gaoptout?hl=hu

Utilized Data Processors Hosting provider

1. Activity provided by the data processor: Hosting services
2. Name and contact details of the data processor: Hetzner Online GmbH, Industriestr. 25 91710 Gunzenhausen, Germany, +49 (0)9831 505-0, info@hetzner.com
3. Fact of data processing, scope of managed data: All personal data provided by the data subject.
4. Scope of affected data subjects: All data subjects using the website/mobile application.
5. Purpose of data processing: Making the website/mobile application available, proper operation.
6. Duration of data processing, deadline for deleting data: Until the termination of the agreement between the data controller and the hosting provider, or until the data subject requests deletion from the hosting provider.
7. Legal basis for data processing: Article 6(1)(c) and (f) of the GDPR, as well as Section 13/A(3) of Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society. Legitimate interest is the proper operation of the website, protection against attacks, fraud. Other data processors (if any) MailerLite (MailerLite Limited, 38 Mount Street Upper, Dublin 2, D02 PR89 Ireland), Billingo (1133 Budapest, Árbóc utca 6., +36-1/500-9491)

RECIPIENTS, WITH WHOM PERSONAL DATA IS SHARED (DATA TRANSFER) Online payment

1. Activity performed by the Recipient: Online payment
2. Name and contact details of the Recipient: PayPal Parent company: eBay Incorporated Headquarters: San Jose, California, USA Contact: https://www.paypal.com/hu Stripe Inc. web: https://stripe.com email

@stripe.com. Headquarters 185 Berry Street Suite 550. San Francisco, CA 94107

3. Fact of data processing, scope of managed data: Billing data, name, email address
4. Scope of affected data subjects: All data subjects choosing payment on the website.
5. Purpose of data processing: To facilitate online payments, confirm transactions, and protect users through fraud-monitoring.
6. Duration of data processing, deadline for deleting data: Until the online payment is processed.
7. Legal basis for data processing: Article 6(1)(b) of the GDPR. Data processing is necessary for the performance of online payments requested by the data subject.
8. Rights of the data subject: a. You can inquire about the circumstances of data processing, b. You are entitled to receive feedback from the data controller on whether the processing of your personal data is ongoing, and access all information related to the data processing. c. You are entitled to receive your personal data concerning you in a structured, commonly used, machine-readable format. d. You are entitled to request that the data controller rectify any inaccurate personal data concerning you without undue delay.

Social Media Fact of data collection, scope of managed data: Registered names on Twitter/Pinterest/Youtube/Instagram/TikTok etc. social media platforms, as well as the user's public profile picture. Scope of affected data subjects: All data subjects who have registered on Twitter/Pinterest/Youtube/Instagram/TikTok etc. social media platforms, and "liked" the Service Provider's social media page, or contacted the data controller through the social media platform. Purpose of data collection: Sharing and "liking" certain content elements, products, promotions of the website, or the website itself on social media platforms, following and promoting. Duration of data processing, deadline for deleting data, possible data controllers entitled to know the data, and rights of data subjects concerning data processing: Information about the source of the data, their management, and the method of transfer, and the legal basis can be found on the respective social media platform. Data processing occurs on the social media platforms, thus the duration, manner of data processing, and the options for deleting and modifying the data are regulated by the respective social media platform. Legal basis for data processing: the data subject's voluntary consent to the processing of their personal data on social media platforms. Facebook / Meta joint data processing The data controller has a profile related to the activity on Facebook / Meta. The statistical data processing on the Facebook social media page is the joint data processing of the Data Controller and Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, D2 Dublin Ireland). The joint data processing agreement details are provided in the Page Insights Controller Addendum. The addendum is available at the following link: https://hu‐hu.facebook.com/legal/terms/page_controller_addendum The Data Controller only communicates via private message on the social media page if you contact us there.

1. Categories of data subjects the data subject who registered on the social media page and "liked" the Data Controller's profile page, the data subject who contacts the Data Controller via private message on the social media page.
2. Purpose of data processing The purpose of data processing on the Facebook social media page is to share and promote the Data Controller's activity and services. Data provided by the data subject in a private message can be used by the Data Controller to respond to the message, otherwise, the Data Controller does not collect data from or lift data from the social media platforms.
3. Legal basis for data processing Data processing is based on Article 6(1)(a) of the GDPR, the legal basis is the data subject's consent to the processing of their personal data on the Facebook social media page.
4. Scope of managed data data subject's registered name, data subject's public profile picture other public data provided or shared by the data subject on the social media page
5. Source of the managed personal data: The source of the managed data is the data subject.
6. Withdrawal of consent: You can withdraw your consent to data processing at any time, delete your post, comment. Data processing occurs through social media platforms operated by a third party. If you withdraw your consent, the Data Controller will delete the conversation with you. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Methods by which the data subject can initiate access to personal data, their deletion, modification, or restriction of their processing, or data portability: by mail at 2000 Szentendre, Szabadkai u. 2/A, by email at hello@rocketwriter.ai, by phone at +36204014769.
7. Duration of data processing until the withdrawal of the data subject's consent, if an exchange of messages occurs, then for 2 years.
8. Transfer of personal data, recipients, or categories of recipients: See GDPR Article 4(9). The Data Controller only exceptionally and based on legal obligations transfers the data subject's personal data to state authorities, law enforcement agencies - including especially courts, prosecutors, investigative authorities, and misdemeanor authorities, National Data Protection and Freedom of Information Authority - among others.
9. Possible consequences of failing to provide data If data provision fails, the data subject cannot get information about the Data Controller's activity, services through the Facebook social media page, send a message to the Data Controller via Facebook Messenger.
10. Automated decision-making (including profiling): Data processing does not involve automated decision-making, including profiling.
11. Joint data controller agreement with Facebook Ireland Ltd.: The Page Insights feature displays aggregate data that helps understand how people use the Facebook page. Facebook Ireland Limited ("Facebook Ireland") and the Data Controller are joint data controllers regarding the management of analysis data. The Page Insights addendum defines the responsibilities of Facebook and the Data Controller concerning the management of analysis data. Facebook Ireland undertakes the primary responsibility under the GDPR for the management of analysis data, and to comply with all relevant obligations under the GDPR concerning the management of analysis data. Furthermore, Facebook Ireland makes the extract of the Page Insights addendum available to all data subjects. The Data Controller ensures that it has an appropriate legal basis under the GDPR for managing analysis data, identifies the page data controller, and complies with all other relevant legal obligations. The sole responsibility of Facebook Ireland is the management of personal data in connection with the Page Insights function, except for data falling under the scope of the Page Insights addendum. The Page Insights addendum does not provide the Data Controller with the right to request personal data of Facebook users managed by Facebook Ireland, including page analysis data. The Data Controller cannot act on behalf of Facebook Ireland in fulfilling data protection inquiries and cannot respond. Customer Relations and Other Data Processing If a question arises or a problem occurs for the data subject while using our services, the data subject can contact the data controller in the ways provided on the website (phone, email, social media, etc.). The Data Controller deletes emails, messages, and data provided by phone, Meta, etc., along with the name and email address of the inquirer and other voluntarily provided personal data, within a maximum of 2 years from the provision of the data. Information about data processing not listed in this notice will be provided at the time of data collection. Exceptionally, upon inquiry by authorities, or based on legal authorization, other organizations' inquiries, the Service Provider is obliged to provide information, communicate data, transfer, or make documents available. In these cases, the Service Provider releases personal data to the inquirer – if the precise purpose and scope of the data have been specified – only to the extent necessary to achieve the purpose of the inquiry. Rights of data subjects
12. Right of access You have the right to obtain from the data controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the information listed in the regulation.
13. Right to rectification You have the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning you. Considering the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
14. Right to erasure You have the right to obtain from the data controller the erasure of personal data concerning you without undue delay, and the data controller has the obligation to erase personal data without undue delay where one of the specified conditions applies.
15. Right to be forgotten If the data controller has made the personal data public and is obliged to erase the personal data, the data controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
16. Right to restriction of processing You have the right to obtain from the data controller restriction of processing where one of the following applies: You contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data; the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise, or defense of legal claims; you have objected to processing pending the verification whether the legitimate grounds of the controller override those of yours.
17. Right to data portability You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, (...)
18. Right to object In cases where data processing is based on legitimate interest or the performance of a task carried out in the public interest/exercise of official authority, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, including profiling based on those provisions.
19. Objecting in the context of direct marketing If personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Automated individual decision-making, including profiling You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This provision shall not apply if the decision: is necessary for entering into, or performance of, a contract between you and a data controller; is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or is based on your explicit consent. Time limits for action The data controller shall inform you about the actions taken on a request without undue delay and in any event within one month of receipt of the request. That period may be extended by two months where necessary, taking into account the complexity and number of the requests. The data controller shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. If the data controller does not take action on your request, the data controller shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. Data security The data controller and the data processor implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, including inter alia as appropriate: the pseudonymisation and encryption of personal data; ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services; restoring the availability and access to personal data in a timely manner in the event of a physical or technical incident; a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. Stored data must be protected in such a way that unauthorized persons cannot access them. In the case of paper-based data carriers, physical storage and filing systems are established, and in the case of electronically managed data, a central access control system is applied. The method of storing data by electronic means should be chosen so that deletion – also considering varying deletion deadlines – can be carried out after the expiration of the data deletion deadline or if otherwise necessary. The deletion must be irreversible. Paper-based data carriers must be disposed of using a document shredder or by using an external organization specializing in document destruction. In the case of electronic data carriers, the rules applicable to the disposal of electronic data carriers must be observed to ensure physical destruction or, if necessary, secure and irreversible deletion of data beforehand. The data controller implements the following specific data security measures: For the security of personal data handled on paper, the Service Provider applies the following measures (physical protection): Documents should be placed in a secure, well-lockable dry room. If personal data handled on paper are digitized, then the rules applicable to digitally stored documents must be applied The Service Provider's data handling employee must lock away the entrusted data carriers or lock the room where data handling occurs before leaving the room. Personal data can only be accessed by authorized personnel; third parties cannot access them. The Service Provider's building and premises are equipped with fire protection and asset protection equipment. IT protection The computers and mobile devices (other data carriers) used in data processing are owned by the Service Provider. The computer system containing personal data used by the Service Provider is protected by antivirus software. For the security of digitally stored data, the Service Provider applies data backups and archiving. Only personnel with appropriate authorization and designated personnel can access the central server machine. Access to data on computers is possible only with a username and password. Notification of the data subject about a data protection incident If a data protection incident is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall inform the data subject without undue delay. The notification provided to the data subject shall clearly and understandably describe the nature of the data protection incident and communicate the name and contact details of the data protection officer or other contact providing more information; describe the likely consequences of the data protection incident; describe the measures proposed or taken by the data controller to address the data protection incident, including, where appropriate, measures to mitigate its possible adverse effects. The data subject does not need to be informed if any of the following conditions are met: the data controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the data affected by the data protection incident, particularly those that render the data unintelligible to any person who is not authorised to access it, such as encryption; the data controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; providing information would involve disproportionate effort. In such a case, the data subjects shall instead be informed by public communication or a similar measure whereby the data subjects are informed in an equally effective manner. If the data controller has not yet informed the data subject of the data protection incident, the supervisory authority, having considered whether the data protection incident is likely to result in a high risk, may require the data subject to be informed. Reporting a data protection incident to the authority The data protection incident shall be reported by the data controller without undue delay, and where feasible, not later than 72 hours after having become aware of it, to the supervisory authority competent under Article 55, unless the data protection incident is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. Review in case of mandatory data processing If the duration of mandatory data processing or the need for its periodic review is not determined by law, local government regulation, or a mandatory legal act of the European Union, the data controller shall review at least every three years from the start of data processing whether the personal data processed by it or by a data processor acting on its behalf or under its authority is necessary for the realization of the purpose of data processing. The data controller shall document the circumstances and results of this review, retain this documentation for ten years following the performance of the review and make it available to the National Data Protection and Freedom of Information Authority (hereinafter: Authority) upon request. Opportunity for complaint In case of possible infringement by the data controller, a complaint can be lodged with the National Data Protection and Freedom of Information Authority: National Data Protection and Freedom of Information Authority 1055 Budapest, Falk Miksa utca 9-11. Mailing address: 1363 Budapest, Pf. 9. Phone: +36-1-391-1400 Fax: +36-1-391-1410 Email: ugyfelszolgalat@naih.hu Conclusion The preparation of this notice was mindful of the following legislation: Regulation (EU) 2016/679 of the EUROPEAN PARLAMENT AND THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (April 27, 2016); Act CXII of 2011 on the right of information self-determination and freedom of information (hereinafter: Infotv.); Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society (especially § 13/A); Act XLVII of 2008 on the prohibition of unfair commercial practices against consumers; Act XLVIII of 2008 on the basic conditions and certain restrictions of economic advertising activity (especially § 6); Act XC of 2005 on electronic freedom of information; Act C of 2003 on electronic communications (specifically § 155); Opinion 16/2011 on the recommendation of EASA/IAB on best practices for online behavioural advertising; The recommendation of the National Data Protection and Freedom of Information Authority on the data protection requirements of prior information.