PRIVACY POLICY

1. General Provisions, Contact Data

Your privacy is important to us; in relation to the data processing activities of N-Ware Informatikai és Tanácsadó Korlátolt Felelősségű Társaság ("N-WARE" or "Data Controller" or "Controller"), please read carefully this Privacy Policy that generally describes what personal information N-WARE processes, how it is processed, and for what purposes.

Identification data of the Data Controller:

Company name: N-Ware Informatikai és Tanácsadó Korlátolt Felelősségű Társaság
Address: Gömb u. 26. Budapest, 1139, HUNGARY
E-mail address: info@n-ware.hu

The definitions used in this Privacy Policy are subject to the provisions of Regulation 2016/679/EU ("GDPR").

2. Scope

This Privacy Policy contains provisions regarding the processing of data of software users, contractors, recipients of marketing messages, visitors to marketing events, and visitors to websites ("Data Subject").

This Privacy Policy also describes how we collect and use personal data and what choices and rights are available to users regarding our data processing. If you have questions or concerns regarding this Policy, please contact us at info@n-ware.hu

3. The Rights of Data Subjects

Data Subjects may exercise certain rights regarding the data processing by N-WARE, in particular:

Transparent information: Concurrently as the data is collected, the Data Subject shall be entitled to receive information from the Data Controller in a concise, transparent, intelligible, and easily accessible form, using clear and plain language about the following points:

persons who have access to their personal data
their rights as data subjects,
the possibility of filing a complaint,
the fact of data being transferred to a third country,
the possibility of filing a complaint,
all relevant data processing conditions

Access to data: Data Subjects shall be informed if their personal data is being processed; if such data processing is in progress, they are entitled to access their personal data and the conditions of data processing (purpose of data processing, categories of personal data, recipient(s) of personal data, duration of data management, where their personal data are collected, data subject rights).

Subject to data security requirements and to protect the rights of the Data Subject, the Controller shall verify the identity of the Data Subject and any person who wishes to exercise the right of access, therefore, any access to personal data is subject to an identification process.

Right to rectification: Data Subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to be forgotten: Data Subject shall have the right to obtain from the Controller the deletion of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies.

the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the Data Subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
the Data Subject successfully objects to the processing,
the data have been unlawfully processed by the Controller, or the personal data must be erased in order to comply with a legal obligation.

Right to restriction of processing: The Data Subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:

the accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data;
the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defense of legal claims;
the Data Subject has objected to processing; pending the verification of whether the legitimate grounds of the Controller override those of the Data Subject.

Right to data portability: The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, if the processing is based on consent and the processing is carried out by automated means.

Right to object: Any requests to exercise Data Subjects’ rights can be directed to the Controller through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Controller as early as possible and always within one month.

The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on legitimate interest of the Controller. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject or for the establishment, exercise, or defense of legal claims. Data Subjects must know that, however, should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time without providing any justification. To learn whether the Controller is processing Personal Data for direct marketing purposes, Data Subjects may refer to the relevant sections of this Policy.

Automated individual decision-making, including profiling: The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her; except if the processing

is necessary for entering into, or performance of, a contract between the Data Subject and a Data Controller;
is authorized by European Union or EU Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the Data Subject's rights and freedoms and legitimate interests;
is based on the Data Subject's explicit consent.

Right to judicial remedy: If the Data Subject considers that the Data Controller has infringed the applicable data protection laws by processing his or her personal data, he or she may

lodge a complaint with the supervisory authority: Hungarian National Authority for Data Protection and Freedom of Information
- address: 1055 Budapest (Hungary), Falk Miksa utca 9-11.
- postal address: 1363 Budapest (Hungary), Pf. 9.
- e-mail: ugyfelszolgalat@naih.hu,
- website: www.naih.hu
(and/or) seeking a judicial remedy.

4. Technical and organizational security measures to ensure data security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Controller implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

In order to ensure the confidentiality, integrity, availability, and resilience of processing systems and services, the Controller has classified its IT systems into risk classes based on the confidentiality of the data handled in them and their impact on Data Subjects, and has assigned information security controls to these classes according to their level of confidentiality.

The Controller undertakes to use of two-factor identification and password management (requiring and enforcing password complexity and password changes) related to its IT systems, thereby ensuring controls on access rights. The Controller ensures that only controlled devices shall have access to the corporate infrastructure and only persons whose knowledge of the data is essential for their work performance.

The Controller operates heterogeneous protection system against commonly used malware (bots, malware, spyware) on its computers and network devices. The Controller provides a secure access channel to corporate device systems and protection against malware and network attacks; moreover, deploys firewalls and other intrusion detection software and performs continuous monitoring. The Controller preserves technical logs of the systems whereby able to detect and reconstruct technical incidents.

The Controller shall have lockable server rooms and internal policies to ensure that the stored devices are accessible only to authorized persons. The Controller shall print documents containing personal data only in case of necessity and after the use of such documents, the physical documents shall be stored in lockable cabinets.

The Controller shall monitor the internet access and browsing activity from its network and devices and block access to unsafe sites, preventing any external attack. Automated systems may be used to filter emails containing spam, phishing, and malware.

The Controller shall educate its employees and partners to ensure the highest possible level of data security.

5. Data processing related to business inquiries and contracts

The purposes of the data processing	Personal data necessary for the purposes for which they are processed	Legal basis of the processing	The period for which the personal data will be stored
Assessing the business needs of clients. Management and administration during fulfillment of the clients’ inquiries.	Name, Company Name, Natural Person’s current role (position at his/her Company), Cell phone number, E-mail Address.	If user is a natural person, data processing is necessary for the performance of a contract between the Data Controller and user or to take steps at the request of the Data Subject prior to entering into a contract. (GDPR Article 6 (1) point b)). If the user is not a natural person, processing the data of contact persons acting on behalf of the user; the legitimate interest of the Data Controller related to the performance of the contract between the represented partner and the Data Controller (GDPR Article 6 (1) point f)).	One year after the fulfillment of the inquiry.
If a contract is concluded between the client and N-Ware, administering the orders and performing the contractual duties.	Name, Company Name, Natural Person’s current role (position at his/her Company), Cell phone number, E-mail Address.	If a user is a natural person, data processing is necessary for the performance of a contract between the Data Controller and user or to take steps at the request of the Data Subject prior to entering into a contract. (GDPR Article 6 (1) point b)). If the user is not a natural person, processing the data of contact persons acting on behalf of the user; the legitimate interest of the Data Controller related to the performance of the contract between the represented partner and the Data Controller (GDPR Article 6 (1) point f)).	Five years from the termination of the contractual relationship.
Billing Information	Invoice imaging and metadata thereof: Invoice Serial Number, Name, Company Name, Tax Number, Date, and Price (net and gross).	If a user is a natural person: data processing is necessary for the performance of a contract between the Data Controller and user or to take steps at the request of the Data Subject prior to entering into a contract. (GDPR Article 6 (1) point b)). If the user is not a natural person: processing the data of contact persons acting on behalf of the user; the legitimate interest of the Data Controller related to the performance of the contract between the represented partner and the Data Controller (GDPR Article 6 (1) point f)).	Period governing the retention period of accounting documents: 8 years

The purposes of the data processing

Personal data necessary for the purposes for which they are processed

Legal basis of the processing

The period for which the personal data will be stored

Assessing the business needs of clients. Management and administration during fulfillment of the clients’ inquiries.

Name, Company Name, Natural Person’s current role (position at his/her Company), Cell phone number, E-mail Address.

If user is a natural person, data processing is necessary for the performance of a contract between the Data Controller and user or to take steps at the request of the Data Subject prior to entering into a contract. (GDPR Article 6 (1) point b)).

If the user is not a natural person, processing the data of contact persons acting on behalf of the user; the legitimate interest of the Data Controller related to the performance of the contract between the represented partner and the Data Controller (GDPR Article 6 (1) point f)).

One year after the fulfillment of the inquiry.

If a contract is concluded between the client and N-Ware, administering the orders and performing the contractual duties.

Name, Company Name, Natural Person’s current role (position at his/her Company), Cell phone number, E-mail Address.

If a user is a natural person, data processing is necessary for the performance of a contract between the Data Controller and user or to take steps at the request of the Data Subject prior to entering into a contract. (GDPR Article 6 (1) point b)).

Five years from the termination of the contractual relationship.

Billing Information

Invoice imaging and metadata thereof: Invoice Serial Number, Name, Company Name, Tax Number, Date, and Price (net and gross).

If a user is a natural person: data processing is necessary for the performance of a contract between the Data Controller and user or to take steps at the request of the Data Subject prior to entering into a contract. (GDPR Article 6 (1) point b)).

If the user is not a natural person: processing the data of contact persons acting on behalf of the user; the legitimate interest of the Data Controller related to the performance of the contract between the represented partner and the Data Controller (GDPR Article 6 (1) point f)).

Period governing the retention period of accounting documents: 8 years

6. Data processing related to marketing

The purposes of the data processing	Personal data necessary for the purposes for which they are processed	Legal basis of the processing	The period for which the personal data will be stored
We provide news about our activity and novelty achievements to clients. These data are processed for direct marketing purposes to send advertisements to users, subscribers, and partners.	Name, E-mail address, Natural Person’s current role (position at his/her Company)	The legitimate interest of the Data Controller is to inform users and partners about the most important news of the products/services and direct marketing. (GDPR Article 6 (1) point f)	Until the existence of a contractual relationship between the Data Controller and the Data Subject.
We would like to build connections with interested clients, send marketing materials to them, and launch personalized advertising campaigns targeting them.	Name, E-mail address, Natural Person’s current role (position at his/her Company)	Data Subject’s consent (Article 6 (1) point a) GDPR.	Until the withdrawal of the Data Subject. The consent shall be renewed every three years.

7. Data processing related to HR-related data purposes

The purposes of the data processing	Personal data necessary for the purposes for which they are processed	Legal basis of the processing	The period for which the personal data will be stored
Selecting the most suitable candidate through job applications.	Data provided by the applicants: personal data necessary for the identification of the applicant, maintaining contact, as well as additional personal data possibly necessary to assess suitability for the advertised position and duties, which may be in particular: name, face picture, place and time of birth, telephone number, e-mail address, education, data on previous workplace and experience, salary and fee requests, any additional personal data voluntarily provided in the CV, motivation letter, etc.	Data Subject’s consent (Article 6 (1) point a) GDPR.	90 days after the end of the application.
Notifying applicants of new vacancies.	Data provided by the applicants: personal data necessary for the identification of the applicant, maintaining contact, as well as additional personal data possibly necessary to assess suitability for the advertised position and duties, which may be in particular: name, face picture, place and time of birth, telephone number, e-mail address, education, data on previous workplace and experience, salary and fee requests, any additional personal data voluntarily provided in the CV, motivation letter, etc.	Data Subject’s consent (Article 6 (1) point a) GDPR.	One year after the closure of the tendering procedure.

8. Contributor Processors

Where processing is to be carried out on behalf of a controller, the Controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. The Data Controller uses the services of the following partners (as Data Processors):

monday.com Ltd. (address: 6 Yitzhak Sadeh St., Tel-Aviv 6777506, Israel )

Providing cloud services and CRM system – in relation to data processing stipulated in sections 5, 6, 7

Microsoft Ireland Operations Limited (address: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland)

Providing an e-mail service (Microsoft Office) – in relation to data processing stipulated in sections 5, 6, 7
Providing business and employment-focused social media platform (LinkedIn) – in relation to data processing stipulated in sections 5, 6, 7

Blackhole Group Kft. (address: 2721 Pilis Hét Vezér utca 21. Hungary)