Privacy Policy

Last updated: 8/2/2025

The "Data Controller" or "Company" is committed to handling personal data with the utmost care. Accordingly, the Data Controller has established data processing and data deletion regulations and internal systems in accordance with legal requirements to protect personal data, taking into account the activities it performs, the legal obligations applicable to it, and the nature of the legal relationships with its clients and partners.


The following information contains a detailed description of how and for what purpose the Data Controller processes your (hereinafter "Data Subject") personal data and what rights you have regarding the data processed by the Data Controller.

1. The Data Controller

Representative's name: Török Béla

Electronic (e-mail) address: [email protected]

2. Legal regulations on data processing

The Data Controller, during its data processing activities, acts in accordance with the provisions of data protection laws applicable to the processing of personal data of natural persons. The Data Controller's data processing principles comply with the following legal regulations:

• Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, "GDPR");
• Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information ("Info Act");
• Act CVIII of 2001 on certain issues of electronic commerce services and information society services ("E-commerce Act");
• Act LXVIII of 2008 on the basic conditions and certain restrictions of economic advertising activities ("Advertising Act").

For issues not regulated or not fully regulated in this notice, the provisions of the GDPR, the Info Act, and the other legal regulations listed above shall apply.

3. Modification of the Notice

The Data Controller reserves the right to unilaterally modify the Notice. The current valid Notice is available on the Website operated by the Data Controller.

4. Concepts, definitions

The following concepts are to be understood in the application of this Notice:

• "data processor": a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
• "processing": any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
• "restriction of processing": the marking of stored personal data with the aim of limiting their processing in the future;
• "controller": the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; if the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
• "data transfer": making data accessible to a specific third party;
• "data deletion": making data unrecognizable in such a way that its restoration is no longer possible;
• "personal data breach": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
• "recipient": a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
• "consent" of the data subject: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
• "third party": a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
• "Website": the Data Controller's website accessible at zerosoftwarelab.com and its additional web pages;
• "legitimate interest processing": processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party;
• "representative": a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27 of the GDPR, represents the controller or processor with regard to their respective obligations under this Regulation;
• "profiling": any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
• "relevant and reasoned objection": an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
• "personal data": any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
• "contract performance processing": processing necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

6. Principles of data processing

The Data Controller applies the following basic principles during data processing:

5.1. Lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject;

5.2. Purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

5.3. Data minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

5.4. Accuracy: personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

5.5. Storage limitation: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;

5.6. Integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage;

5.7. Accountability: the controller shall be responsible for, and be able to demonstrate compliance with, the above principles.

5. Cookie information

The Data Controller informs visitors to the Website that the use of the Website (in the absence of web contact) involves data collection and data processing through the use of anonymous user identifiers ("cookies") and their acceptance by the Data Subject. Cookies do not contain any personal data and are not suitable for identifying individual users. Cookies can be "persistent" or "temporary" cookies. Persistent cookies are stored by the browser until a specified time, provided that the user has not previously deleted them, but temporary cookies are not stored by the browser and are automatically deleted when the browser is closed. With the help of cookies, the browser becomes uniquely identifiable, the website remembers the user's actions and personal settings for a certain period of time (e.g. username, language, font size and other unique settings related to the website display), stores the fact and time of visiting a given page. This way, you don't have to re-enter them every time you visit our website or navigate to our website from another page. In general, "cookies" and other similar programs make it easier to use the website, help ensure that the website provides a real web experience and an effective source of information for visitors, and provide the website operator with the ability to monitor the operation of the site, prevent abuse and ensure the smooth and appropriate quality provision of services offered on the site.

Cookie types

Google Analytics

Description:

The Website uses the Google Analytics tool to collect and analyze data on how users use the Website. We use this data to compile reports and improve the Website. Data collection is done in a form that cannot be linked to individuals, for example, how many people used the Website, where they came from to the Website, and which web pages they viewed within the Website. The data collected in this way cannot be used to reach the user. To view Google's privacy policy, click here

Consent type:

User consent

Expiration:

Up to 2 years

Session ID (website language)

Description:

Session cookies enable the recognition of the language setting chosen by the user on the Website.

Consent type:

Acceptance required

Expiration:

Until session ends

Meta pixel

Description:

The Meta pixel is code that helps create reports on conversions on the website, build audiences, and provides the website owner with detailed analytics on how visitors use the website. The Meta remarketing pixel tracking code allows personalized offers and advertisements to be displayed to website visitors on Meta platforms. The Meta remarketing list is not suitable for personal identification.

Consent type:

User consent

Expiration:

Variable, according to Meta policy

Managing cookies

Cookie acceptance/blocking

Accepting or enabling the use of "cookies" is not mandatory. You can refuse the use of cookies through the settings of your computer or other device used for browsing, or through the browser used to access the Website. In this case, some pages may not display properly, or the system may notify you in a message that cookies must be enabled to view the website. Without using cookies, we cannot guarantee the full use of the website for you.

Name, headquarters, data processing task of Data Processors related to cookies:

• Google LLC CA 94043 Mountain View 1600 Amphitheatre Parkway, United States of America, detailed information on analytical data processing: http://www.google.com/intl/en/policies/

Otherwise, technically recorded data are those data of the computer logging into the Website that are generated during browsing and that the Data Controller's system logs as an automatic result of technical processes (e.g. IP address, session ID). Due to the operation of the Internet, the automatically recorded data are automatically logged by the system without a separate statement or action by the user - with the use of the Internet. The Internet does not work without these automatic server-client communications. These data cannot be linked to other personal data - except in cases required by law. Only the Data Controller has access to the data. Log files that are automatically and technically recorded during the operation of the Website are stored for the time justified from the perspective of ensuring the operation of the Website.

Purpose of data processing, scope of processed data, duration of data processing

The Data Controller always processes personal data exclusively for a specific purpose, to the necessary extent, for the exercise of rights and the fulfillment of obligations. Data processing must comply with the purpose of data processing at all stages, data collection and processing must be fair and lawful. Personal data may only be processed to the extent and for the time necessary to achieve the purpose.

7. Contact

Activity:

Contacting the Data Controller through the "Contact" webpage or by sending an electronic letter to the e-mail address provided for contact

Data Subject:

The user using the Website's "Contact" function or the user sending the electronic letter

Personal Data Processed:

Name, email address, company name, phone number, tax number, as well as any other personal information provided by the user

Purpose of Processing:

Contact. Message handling, sending responses

Processing Duration:

Until the Data Subject withdraws consent

Legal Basis:

Voluntary consent of the Data Subject

8. Job application

Activity:

Filling positions advertised by the Data Controller

Data Subject:

Job applicants

Personal Data Processed:

Applicant's name, applicant's e-mail address, applicant's phone number, additional personal data provided in the CV (e.g. date of birth, photo, etc.)

Purpose of Processing:

Selection of potential candidates

Processing Duration:

Until written withdrawal of consent

Legal Basis:

Voluntary consent of the Data Subject

9. Offering, contracting, project implementation

Activity:

Services provided within the framework of the Data Controller's business activities

Data Subject:

Client employees, collaborators, project participants

Personal Data Processed:

Client (organization) name, client contact person's name, contact person's e-mail address, contact person's phone number

Purpose of Processing:

Communication related to offering, contracting, and projects, sending documents

Processing Duration:

Until written withdrawal of consent

Legal Basis:

Legitimate interest

10. Newsletter subscription

Activity:

Newsletters and service information sent by the Data Controller for marketing purposes

Data Subject:

Newsletter subscribers

Personal Data Processed:

Data Subject's name, Data Subject's email address

Purpose of Processing:

Electronic distribution of the Data Controller's marketing materials, promotion of events, sending newsletters and information to Data Subjects

Processing Duration:

Until written withdrawal of consent

Legal Basis:

Voluntary consent of the Data Subject

11. Rules of data processing

If data processing serves multiple purposes at the same time, consent must be given for all data processing purposes. If data processing is not for the fulfillment of contractual obligations, fulfillment of legal obligations, or based on legitimate interest, personal data may only be processed with the express consent of the Data Subject. The Data Subject has the right to withdraw consent at any time. However, the withdrawal of consent is only effective for data processing based on consent, it does not affect other data processing based on other legal grounds. The withdrawal of consent does not affect the lawfulness of data processing carried out before the withdrawal.

12. Access to data, data transfer

The Data Controller has established IT support appropriate to the purpose of data processing, which ensures that only those persons who need to process this data for the performance of activities can access personal data. Furthermore, if necessary based on the legal basis of data processing, the Data Controller is entitled or obliged to transfer or make available the data it processes to those entitled to it. The Data Controller may transfer the personal data it processes to service providers with whom the Data Controller has a contractual relationship, to the extent and for the duration necessary for the performance of these persons' tasks, but at most to the same extent and duration as the data processing specified above.

13. Data processor

The Data Controller is entitled to involve a data processor in the performance of data processing activities during the entire duration of the data in its possession. When using a data processor, the Data Controller contractually requires that the contracted data processor comply with GDPR provisions and maintain the required records for the protection of personal data.

The Data Controller uses the following Data Processor(s) for the specified activities for processing personal data: The Data Controller does not use data processors.

Data transfer may occur in the following cases:

• to fulfill official or court data provision obligations;
• in cases of data provision prescribed by law;
• for the performance of a concluded contract or the fulfillment of obligations undertaken in connection with the contract, or for their control, if the given service is provided by the Data Controller jointly with another partner.
• The Data Controller provides information about the recipients of data transfers upon request of the data subject.
• The Data Controller ensures that the persons specified above process the data in compliance with the applicable data protection rules and legal provisions on confidentiality.

14. Data deletion

The Data Controller continues data processing to the extent and for the time specified by law or necessary for achieving the data processing purpose in accordance with the Data Controller's current Document Management Policy. When the data processing purpose ceases, the data is deleted or - if possible - anonymized in accordance with the principle of limited storage.

15. Data security

The Data Controller maintains during data processing

• confidentiality: protects information so that only those authorized can access it;
• integrity: protects the accuracy and completeness of information and processing methods;
• availability: ensures that when an authorized user needs it, they can actually access the desired information and the related tools are available.

The Data Controller, as a controller or data processor within its scope of activity, takes care of data security and takes those technical and organizational measures and establishes those rules that are necessary for the enforcement of GDPR and other data and confidentiality protection regulations. During data storage, the Data Controller ensures that unauthorized persons cannot access the data and that data confidentiality cannot be compromised during the entire duration of data processing. It protects data with appropriate measures especially against unauthorized access, modification, transmission, disclosure or deletion, or accidental damage, and against becoming inaccessible due to changes in the applied technology.

During data processing, the Data Controller always pays attention to the appropriate level of data protection, which it ensures or has ensured through the introduction of various technical and organizational measures. These measures provide the level of protection required by the related risks and the nature of personal data, taking into account the current state of technology, the nature, scope, context and purposes of data processing, and the risk to the rights and freedoms of natural persons caused by varying probability and severity. For this purpose, the Data Controller uses such data processing systems and develops and applies such procedural rules that ensure that information can only be accessed by those for whom it is justified for the performance of activities, and minimize the possibility that anyone could use the information obtained during the performance of activities contrary to its purpose or in opposition to it, unlawfully.

17. Information on data security measures:

In case of a data protection incident, the Data Controller reports to the National Authority for Data Protection and Freedom of Information without undue delay and, if possible, no later than 72 hours after becoming aware of the data protection incident, unless the data protection incident is unlikely to result in a risk to personal data. If the data protection incident that occurred involves high risk, the Data Controller is obliged to notify all users about this without undue delay.

18. Rights of the Data Subject and their enforcement possibilities

Based on applicable legislation, the following can be requested from the Data Controller:

• Information of the Data Subject about the processing of their personal data;
• rectification of the Data Subject's personal data;
• deletion of the Data Subject's personal data (except for mandatory data processing);
• requesting data portability;
• objection to unauthorized data processing or data transfer;
• initiating restriction of data processing;
• initiating legal remedy.

In case of violation of rights related to personal data processing, the Data Controller provides the following legal remedy possibilities for the Data Subject:

• They can request information about the processing of their personal data and request rectification of their personal data. Upon request, the Data Controller provides information about the data it processes, the purpose, legal basis, duration of data processing, the name and address (headquarters) of the data processor and activities related to data processing, as well as who and for what purpose received or receives the data. The information is provided in writing, in an understandable form, within the shortest possible time from the submission of the request, but at most within 30 days, unless law establishes a shorter deadline.
• The Data Subject's personal data is deleted:
  • if its processing is unlawful,
  • if the Data Subject requests it (except if data processing is based on mandatory legal provisions),
  • if the purpose of data processing has ceased,
  • if it is incomplete or incorrect, and this state cannot be lawfully remedied, provided that deletion is not excluded by law,
  • if the legally specified deadline for data storage has expired,
  • if ordered by a court or the National Authority for Data Protection and Freedom of Information.
• The Data Controller sends notification about rectification and deletion. Notification may be omitted if this does not violate the legitimate interest of the data subject in view of the purpose of data processing.
• Within the framework of the right to restriction of data processing, the Data Subject is entitled to request restriction of personal data processed by the Data Controller, among others, if:
  • they dispute the accuracy of personal data,
  • data processing is unlawful, but the Data Subject opposes data deletion,
  • the purpose of data processing has been achieved, but the Data Subject requires personal data for the establishment, exercise or defense of legal claims.

Within the framework of the right to data portability, the Data Subject is entitled to receive personal data processed by the Data Controller in a structured, commonly used, machine-readable format and to transmit this data to another controller, if:

• the processing of personal data is based on the Data Subject's consent or is necessary for contract performance, and
• data processing is carried out by automated means.

Regarding personal data processed by the Data Controller based on the Data Subject's consent, they may withdraw their consent at any time, which does not affect the lawfulness of data processing carried out based on consent before the withdrawal.

The Data Subject may object to the processing of their personal data if

• data processing is necessary for the enforcement of the legitimate interests of the controller or a third party,
• the exercise of the right to object is otherwise permitted by law.

The Data Controller - with simultaneous suspension of data processing - examines the objection within the shortest possible time from the submission of the request, but at most within 30 days, unless law establishes a shorter deadline, and informs the requester about the result in writing. If the Data Controller establishes the justification of the objection, it terminates data processing - including further data collection and data transfer - and blocks the data, and notifies all those to whom the personal data affected by the objection was previously possibly transferred and who are obliged to take measures for the enforcement of the right to object.

If you disagree with the Data Controller's decision, or if the Data Controller fails to meet the deadline prescribed in the Info Act, you may turn to court within 30 days from the communication of the decision or from the last day of the deadline.

19. National Authority for Data Protection and Freedom of Information (Supervisory authority)


Regarding the processing of the Data Subject's personal data, a complaint can be filed with the National Authority for Data Protection and Freedom of Information (NAIH) (address: H-1055 Budapest, Falk Miksa street 9-11., mailing address: 1374 Budapest, P.O. Box 603.; Phone number: +36-1-391-1400; Fax: +36-1-3911410; E-mail: [email protected]), or with the data protection authority according to their citizenship or place of residence. If your rights have been violated, according to the provisions of data protection law, you may also turn to court independently of filing a complaint with NAIH. The proceedings may be initiated at the court with jurisdiction according to the Data Subject's permanent or temporary address, depending on the Data Subject's decision. Before initiating legal proceedings, it may be worthwhile to discuss the complaint with the Data Controller. The Data Subject's rights and legal remedy possibilities are regulated in detail by sections 14-18 and 21-23 of the Info Act, and articles 15-21 of the EU General Data Protection Regulation (GDPR).

Effective Date

Budapest, July 9, 2024