Privacy policy

PRIVACY NOTICE

 

1. Introduction, Purpose of the Privacy Notice

The purpose of this Privacy Notice is to provide data subjects with transparent, clear and detailed information regarding the processing of personal data in connection with the use of the EU AI Act Compliance Evaluator, including, in particular, the purpose, legal basis and duration of the processing, the categories of personal data concerned, the persons authorized to access such data, as well as the rights of data subjects and the available remedies.

By issuing this Notice, the Controller complies with its prior information obligation relating to the processing of personal data as prescribed by Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter: the “GDPR”).

 

2. Details of the Controller

Controller: AITIA INTERNATIONAL Informatikai Zártkörűen Működő Részvénytársaság (AITIA INTERNATIONAL IT Private Company Limited by Shares)

Registered seat: 1031 Budapest, Záhony street 7., Hungary

Company registration number: 01-10-045197

Email: aitia@aitia.ai

 

3. Definitions

  • processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law;
  • processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • personal data: any information relating to an identified or identifiable natural person (the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • data subject: an identified or identifiable natural person to whom the personal data relate.
  • consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  • recipient: a natural or legal person, public authority, agency or other body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of such data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing;
  • third party: a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  • technical log data: technical information generated during the operation of the system which does not directly contain personal data, but may in certain cases be linked to the data subject (e.g. IP address, timestamp).

 

4. Specific Processing Activities

4.1. Registration and Purchase of Credits

In order to use the Service, registration (the “Registration”), i.e. the creation of a user account (the “User Account”), is required. The Service operates on a credit basis: the User may purchase credit packages through the Platform, entitling the User to perform a specified number of runs.

The User is entitled to delete the User Account at any time. Upon deletion of the account, the stored personal data shall be deleted in accordance with the deadlines set out in this Notice.

The provision of the following data is required for Registration and the purchase of Credits:

User Account data
  • Categories of personal data processed: your name, email address and password.
  • Purpose of processing: management of Registration, creation of the User Account, customer identification.
  • Legal basis of processing: performance of a contract pursuant to Article 6(1)(b) GDPR.
  • Retention period: the Controller shall process the data provided until you delete your User Account, or for 5 years from the start of Suspension, whichever occurs earlier.

Credit purchase data
  • Categories of personal data processed: the type, status, start date and expiry date of the Subscription selected by you; your billing name, billing address, e-mail address and transaction identifier.
  • Purpose of processing: administration and operation of credit purchases; performance of the credit purchase; processing of the payment related to the credit purchase through a payment service provider; documentation and administration of the payment.
  • Legal basis of processing: performance of a contract (Article 6(1)(b) GDPR).
  • Retention period: the Controller shall process the data provided until you delete your User Account, or for 5 years from the start of Suspension, whichever occurs earlier.

Billing data
  • Categories of personal data processed: your name, e-mail address, billing address, transaction number, date and time, content of the accounting document, and, in the case of a VAT invoice, your tax number (if provided by you).
  • Purpose of processing: issuance of accounting documents related to purchase transactions and their retention for the period prescribed by law.
  • Legal basis of processing: compliance with a legal obligation of the Controller (Article 6(1)(c) GDPR; Section 169 of Act CXXVII of 2007 on Value Added Tax; Section 169 of Act C of 2000 on Accounting).
  • Retention period: for the period prescribed from time to time by the applicable tax and accounting laws.

 

4.2. Data Processed During a Run (Input and Output)

As set out in the General Terms of Use, following Registration and the purchase of Credits, the User may initiate AI-based compliance and risk assessment runs through the Platform (hereinafter: the “Run”).

During a Run, the User may upload documents, textual information or other data (the “Input”), on the basis of which the system automatically generates a textual risk assessment result and summary (the “Output”).

The following processing operations may take place during a Run:

Input
  • Categories of personal data processed: documentation uploaded by the User and textual questions submitted by the User (the “Input”), which may also contain personal data.
  • Purpose of processing: processing of the question, generation of a legal informational response, ensuring the retrievability of previous questions.
  • Legal basis of processing: performance of a contract (Article 6(1)(b) GDPR).
  • Retention period: the Input is stored for 7 days from the initiation of the Run, after which it is automatically deleted.

Output
  • Categories of personal data processed: the text of the response generated by the Service (the “Output”), if the Input contained personal data.
  • Purpose of processing: performance of the Service, ensuring the retrievability of previous questions.
  • Legal basis of processing: performance of a contract (Article 6(1)(b) GDPR).
  • Retention period: the Output is stored for 7 days from the completion of the Run, after which it is automatically deleted.

 

4.3. Logging and System Security

Technical log data
  • Categories of personal data processed: technical log data, in particular: timestamps of access and operational events, IP address, device and browser data, session information, system usage events, technical data relating to unsuccessful login attempts.
  • Purpose of processing: ensuring the secure and reliable operation of the Platform, maintaining system integrity, prevention and investigation of misuse, troubleshooting, and protection of the Service.
  • Legal basis of processing: the legitimate interests of the Controller in maintaining the secure and reliable operation of the Service and preventing misuse (Article 6(1)(f) GDPR).
  • Retention period: as a general rule, for no longer than 30 days.

Records of acceptance of the Terms of Use and the Privacy Notice
  • Categories of personal data processed: date, method and version of acceptance of the Terms of Use; the date on which the Privacy Notice was acknowledged or made available, and the version applied.
  • Purpose of processing: evidencing the conclusion and content of the contract, documenting that the data subject was properly informed, and fulfilling the Controller’s accountability obligations.
  • Legal basis of processing: as regards the Terms of Use: performance of a contract and taking steps prior to entering into a contract (Article 6(1)(b) GDPR); as regards documenting the version of, and acknowledgement of, the Privacy Notice: the Controller’s legitimate interest in demonstrating data protection compliance and accountability (Article 6(1)(f) GDPR).
  • Retention period: during the term of the contract and thereafter for the limitation period applicable to the enforcement of civil law claims.

4.4. Cookies

The Controller uses cookies and similar technologies on the website in order to ensure the proper operation of the website, improve user experience, and support statistical analysis and marketing activities.

The Website operates on the platform provided by Shopify International Ltd., which also uses cookies in order to ensure the technical operation of the webstore.

Shopify may use its own cookies in order to ensure the technical operation of the webstore, in particular for session management, operation of the shopping cart, ensuring a secure payment process, and analysing the operation of the platform.

A detailed list of the cookies used by Shopify and a description of their operation is available at: https://www.shopify.com/legal/cookies

The User may decide on the use of cookies through the cookie management interface displayed on the Website. Consent may be modified or withdrawn at any time.

The cookies necessary for the operation of the Website ensure, among other things, session management, operation of the shopping cart, security functions, and the technical execution of the payment process. Legal basis: Article 6(1)(f) GDPR – the legitimate interest of the Controller in the proper operation of the website.

Statistical cookies serve to analyse the use of the Website, while marketing cookies help display advertisements relevant to users. Legal basis: Article 6(1)(a) GDPR – the data subject’s consent.

 

5. Recipients of Personal Data, Categories of Recipients

Your personal data may be accessed by the Controller’s employees and the persons engaged by the Controller.

For the processing activities set out in this Notice, the Controller uses the following data processors (the “Processors”):

Hosting
  • Processors: Microsoft Ireland Operations Limited (Microsoft Azure), 70 Sir John Rogerson’s Quay, Dublin 2, D02 R296, Ireland; Shopify International Ltd., 2nd Floor, 1–2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland
  • Processing activity carried out by the Processors: hosting services – technical operation of the Website and the chat interface
  • Categories of data processed by the Processors: User Account data specified in Section 4.1 of this Notice

Billing and payments
  • Processors: KBOSS.hu Kft. (Számlázz.hu), 1031 Budapest, Záhony utca 7/D., Hungary; Shopify International Ltd., 2nd Floor, 1–2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland
  • Processing activities carried out by the Processors: billing system – issuance of invoices in compliance with Hungarian law; technical conversion and transmission of billing data; processing of online Subscription payments, initiation of invoicing
  • Categories of data processed by the Processors: Billing data specified in Section 4.1 of this Notice; bank card data (the bank card data provided by you are not processed by the Controller)

5.1. Persons Authorised to Access the Data, Data Processors

Personal data may be accessed exclusively by:

  • employees of the Controller who have the appropriate authorisation and are bound by confidentiality obligations,
  • persons engaged by the Controller whose duties include providing access to the Service, administration and technical support.

The Controller ensures that access to personal data is granted in accordance with the principles of necessity and proportionality, exclusively to the extent indispensable for the performance of the relevant task.

Transfers of personal data to third countries shall take place only on the basis of an adequacy decision of the European Commission or appropriate safeguards, in particular the Standard Contractual Clauses (SCCs) adopted by the European Commission.

 

6. Rights of the Data Subject

The data subject shall be entitled, in connection with the processing of his or her personal data, to exercise the rights set out in this section pursuant to the GDPR. Requests for the exercise of data subject rights shall be fulfilled by the Controller within no more than one month from receipt.

When handling requests relating to the exercise of data subject rights, the Controller shall be entitled to verify the identity of the data subject.

6.1. Right to Information and Access

The data subject shall have the right to obtain confirmation from the Controller as to whether or not personal data concerning him or her are being processed and, where that is the case, shall have the right to receive information, in particular, on:

  • the categories of personal data processed,
  • the purpose and legal basis of the processing,
  • the retention period of the personal data,
  • the recipients or categories of recipients of the personal data,
  • the possibilities for exercising data subject rights.

6.2. Right to Rectification

The data subject shall have the right to request that the Controller rectify inaccurate personal data concerning him or her without undue delay, and may also request the completion of incomplete personal data where justified by the purpose of the processing.

6.3. Right to Erasure (“Right to be Forgotten”)

The data subject shall have the right to request the erasure of personal data concerning him or her where:

  • the personal data are no longer necessary in relation to the purposes for which they were processed,
  • the data subject withdraws the consent forming the legal basis of the processing and there is no other legal basis for the processing,
  • the personal data have been processed unlawfully.

The right to erasure may not be exercised where the further processing of personal data is necessary for the establishment, exercise or defence of legal claims or for reasons of system security.

6.4. Right to Restriction of Processing

The data subject shall have the right to request the restriction of processing of his or her personal data where:

  • he or she contests the accuracy of the personal data (for the period necessary to verify the accuracy thereof),
  • the processing is unlawful but the data subject opposes the erasure of the data,
  • the Controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims,
  • the data subject has objected to the processing.

Where processing has been restricted, personal data may, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims.

6.5. Right to Object

The data subject shall have the right to object to the processing of his or her personal data where the legal basis of the processing is the legitimate interests of the Controller.

In such case, the Controller may no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.

6.6. Right to Withdraw Consent

The data subject shall have the right to withdraw his or her consent to the processing of personal data at any time.

The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

6.7. Right to Lodge a Complaint and Seek Judicial Remedy

The data subject shall have the right to lodge a complaint with the supervisory authority if he or she considers that he or she has suffered an infringement in connection with the processing of personal data, and shall also have the right to seek judicial remedy.

7. Complaint Procedure

The data subject may lodge a complaint with the supervisory authority:

Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9–11.
Postal address: 1363 Budapest, Pf. 9
Email: ugyfelszolgalat@naih.hu
Website: www.naih.hu