ZYNTERN.COM LTD.

PRIVACY POLICY

Effective: 17 May 2023.

1. General provisions

1. Purpose and scope of the Rules

   1. Purpose of the Rules

      1. This Privacy Policy (hereinafter referred to as "Policy") sets out the main data protection rules for the processing of personal data by Zyntern.com Kft. (hereinafter referred to as "Zyntern.com" or "Controller"), in particular the data protection requirements relating to data processing, data handling, data transfer and disclosure.

      2. The purpose of the Policy is to ensure the principle of lawful, fair and transparent data processing and the right of data subjects to information self-determination in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, hereinafter "GDPR") and Act CXII of 2011 on the Right to Information Self-Determination and Freedom of Information (hereinafter "the Act on Information Self-Determination and Freedom of Information").

      3. Please note that the controller of the personal data you have provided is Zyntern.com Kft. and its contact details are:

• Zyntern.com Ltd.

• Company registration number: 07-09-028850

• Tax number: 25776641-2-07

• Registered office: 8000 Székesfehérvár, Had utca 1-3. 315.

• Representative:Attila Balogi Managing Director

• E-mail address: [email protected]

• Website: www.zyntern.com

• Name and contact details of the Data Protection Officer: dr. Nóra Rónyai; [email protected]

(hereinafter referred to as "Controller" or "Zyntern.com").

4. The scope of the Policy covers all processing by Zyntern.com and processing on behalf of Zyntern.com of personal data of natural persons, including all types of processing, whether electronic or paper-based.

1. Scope of the Code and the data protection principles it applies

   1. This Policy applies to all users of Zyntern.com (hereinafter referred to as "User"). For the purposes of this Policy, a User is a Job Seeker Customer and a Job Advertiser within the meaning of the Terms and Conditions.

   2. The scope of the Policy covers all personal data processed in connection with Zyntern.com services, the entire range of data management and processing operations performed on them, regardless of the place of their creation, use, processing or the way they are presented.

   3. The Data Controller is entitled to unilaterally modify this Policy by informing the Users (by means of a notice on the Website). The amended provisions shall become effective for the User concerned upon the first use of the Zyntern.com website following the publication of the amendment to the Policy, except for amendments subject to the User's consent and unless otherwise provided for in these Rules.

   4. Data may only be obtained, stored and used for the purposes set out in this Policy and for other purposes as set out by law.

   5. Processing can only take place fairly and lawfully if there is a legal basis for it.

   6. The quantity and quality of the data must be proportionate to the purposes for which they are processed and must be suitable for the purposes specified in these Rules, but may not go beyond those purposes.

1. Data processors

The Data Controller uses the services of the following data processors on a contractual basis in the provision of the service:

Nature of data processing	Name	Headquarters	Contact:
Mail system provider; Google drive server provider; Google form provider	Google Cloud EMEA Ltd.	Velasco, Clanwilliam Place, Dublin 2, Ireland	https://support.google.com/policies/answer/9581826?hl=en&visit_id=637684992262947526-3953651252&rd=1
Hosting (web server) provider	Digital Ocean LLC	101 6th Ave New York, NY 10013	[email protected]
CRM system provider (customer registration and management system)	MiniCRM Zrt.	1075 Budapest, Madách Imre út 13-14.	+36 (1) 999 - 0402 [email protected]
Bulk mail service (system message, newsletter)	Twilio SendGrid (Twilio Ireland Limited)	25-28 North Wall Quay, Dublin 1, Ireland	[email protected]
Mass mailing plugin provider (specific target groups)	GMass, Inc.	401 N Wabash Ave Unit 63E Chicago, IL 60611, US	[email protected]
Personalised within the system message providers (pop-ups)	ProductFruits, Inc.	2035 Sunset Lake Road Newark, Delaware 19702	[email protected]
Web development service provider	Propagent Ltd.	2840 Oroszlány, Bánki Donát utca 49.	+36 34 560310 [email protected]
Billing system provider	Billingo Technologies Zrt.	1133 Budapest, Árbóc utca 6.	+36-1/500-9491 [email protected]
Accounting service provider	Benefit Consulting Ltd.	1064 Budapest, Vörösmarty utca 67.	(06 1) 411 1771 [email protected]
Use analytics provider	Hotjar Ltd.	Dragonara Business Centre 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141 Malta, Europe	+1 (855) 464-6788 [email protected]

3. Legal background to the Rules

   1. The legal basis for these Rules is the legislation in force at the time. The User's attention is drawn to the following legislation on data processing:

• REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation) ("GDPR")

• Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information ("Infotv.")

• Act CVIII of 2001 on Certain Issues of Information Society Services ("the Act")

• Act XLVIII of 2008 on the Fundamental Conditions and Certain Restrictions of Economic Advertising Activities ("Act XLVIII")

• Act CXIX of 1995 on the Processing of Name and Address Data for Research and Direct Marketing Purposes ("Dmtv")

4. Interpretative provisions

   1. For the purposes of the Rules:

      1. Data Subject: any specified natural person who is identified or identifiable, directly or indirectly, on the basis of personal data and whose personal data is processed by Zyntern.com.

      2. Data concepts:

         1. Personal data: any information relating to a data subject; a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person (personal data shall retain that quality during processing for as long as the link with the data subject can be established). The link with the data subject can be re-established if the controller has the technical conditions necessary for the re-establishment.)

         2. Special categories of data: a) personal data revealing racial or ethnic origin, national or ethnic minority, political opinions or political party affiliation, religious or philosophical beliefs, membership of an interest group, sex life; b) personal data concerning health, pathological addiction and personal data concerning criminal offences. Furthermore, genetic data, biometric data and health data as defined in the GDPR.

• Genetic data: any personal data relating to the inherited or acquired genetic characteristics of a natural person which contain specific information about the physiology or state of health of that person and which result primarily from the analysis of a biological sample taken from that natural person.

• Biometric data: any personal data relating to the physical, physiological or behavioural characteristics of a natural person obtained by means of specific technical procedures which allow or confirm the unique identification of a natural person, such as facial image or dactyloscopic data.

• health data: personal data relating to the physical or mental health of a natural person, including data relating to the provision of health services to a natural person which contain information about the health of the natural person.

1. Data subject's consent: a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she signifies, by a statement or by an act unambiguously expressing his or her consent, that he or she gives his or her consent to the processing of personal data concerning him or her.

2. Data processing: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3. Controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law.

4. Processing: the totality of processing operations carried out by a processor acting on behalf of or under the instructions of the controller.

5. Processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

6. Transfer: making data available to a specified third party.

7. Disclosure: making the data available to anyone.

8. Data erasure: rendering data unrecognisable in such a way that it is no longer possible to recover it.

9. Data destruction: the complete physical destruction of the data medium containing the data.

10. Filing system: a set of personal data, structured in any way - centralised, decentralised or structured according to functional or geographical criteria - which is accessible on the basis of specific criteria.

11. Third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data.

12. Recipient: the natural or legal person, public authority, agency or any other body, whether or not a third party, with whom or to which the personal data are disclosed. Public authorities which may have access to personal data in the context of an individual investigation in accordance with Union or Member State law are not recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing.

13. User: the natural person seeking a job (Client or Jobseeker within the meaning of the GTCF) and the company and natural person (Customer within the meaning of the GTCF) who access and use the web portal available at the URL www.zyntern.com and the company and natural person (Customer within the meaning of the GTCF) who access and advertise a job on the web portal.

14. Data breach: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

2. Providing a platform to facilitate job search

1. The aim of the platform

   1. Zyntern.com's service is aimed at providing a platform (hereinafter: Platform) for Clients looking for a job and for Customers offering a job.

      1. The Data Controller shall treat personal data that come to its knowledge confidentially and shall ensure security measures in accordance with point V of the Policy, which shall ensure their secure processing, balanced with the purpose of the processing and the scope of the data processed.

      2. By visiting the Web Portal, or by accessing, initiating the use of, or ordering the services or a part thereof, the User agrees, accepts and consents to provide data to Zyntern.com, and acknowledges, accepts and consents to the voluntary provision of certain personal data required for visiting certain parts of the Web Portal, for accessing certain services, and to the provision of such data by the User. Certain elements, functions and services of the Web Portal are only available to Users after registration or login. If the User decides not to provide the requested personal data, he/she acknowledges and accepts that he/she does not have access to certain parts of the Web Portal, certain services, certain elements of the services.

      3. We request and encourage that only persons over the age of 16 use and access the Web Portal and our services. By using the Web Portal and the Services, you represent and warrant that you are at least 16 years of age and that you have the right to consent to the processing of your personal data.

      4. The Web Portal and the individual services are used by the User for the Client's own job search, and by the Customer for the purpose of searching for a job. Otherwise, the User warrants that the consent of the data subject has been lawfully obtained for the processing of personal data provided and made available in the course of the service (e.g. sending website content, publishing user-generated content, etc.). The User is responsible for the User Content shared by the User.

      5. The Data Controller reserves the right to change or discontinue any element of the content, name, availability, appearance, content, theme or operation of the Web Portal at any time without prior notice. These changes do not affect the purposes of the processing of data listed here and the consent to the processing of data.

      6. All data processing is governed by the fact that the Data Controller shall not process the data deleted by itself or by the User after the deletion, and shall remove them from its database.

3. Data management

In the course of providing the service, the Data Controller carries out the following data processing, which are indicated separately for the sake of transparency, indicating the type of data processed, the purpose of processing, the legal basis of processing, the source of data, the recipients of processing and the duration of data storage.

1. Processing of data of jobseekers (Clients under the GSPC)

   1. Registration on Zyntern.com

Jobseekers can register on the Zyntern.com website by entering their name (first and last name), email address and a password of their choice under "Register for Jobs", or by registering via their Facebook profile or Google account. When registering via Facebook, the Data Controller will have access to the Client's name, profile picture and email address. When registering through a Google Account, the Customer will be given access to the name (first and last name) and email address of the Customer's selected Google Account. If the User does not register through a Facebook or Google account, the system will automatically send an email request to confirm the registration and the registration will only be finalised after this confirmation.

In the case of pending registration, the system will ask you to confirm the registration after 3 days, failing which the registration will be considered unsuccessful and the data will be deleted within 30 days.

Description of data processing	Scope of data processed	Purpose of data processing	Legal basis for data processing	Source of data	Recipients of data processing	Duration of data storage
Registration by e-mail	Name (first and last name) e-mail address password encrypted	Registering for the platform	Consent of the data subject	Contact	Hosting (web server) provider as data processor Bulk mail service provider as data processor Personalised within the system message provider as data processor Web development service provider as data processor	In the absence of confirmation of registration, 30 days after sending the reminder e-mail. If registration is confirmed, until the registration is cancelled or 60 months from the last registration in case of inactivity
Register with Facebook profile	Name Profile picture e-mail address password encrypted	Registering for the platform	Consent of the data subject	Affected and Facebook	Hosting (web server) provider as data processor Bulk mail service provider as data processor Personalised within the system message provider as data processor Web development service provider as data processor	Until registration cancellation or 60 months from the last registration in case of inactivity
Sign up with a Google Account	Name (first and last name) e-mail address password encrypted	Registering for the platform	Consent of the data subject	Affected and Google	Hosting (web server) provider as data processor Bulk mail service provider as data processor Personalised within the system message provider as data processor Web development service provider as data processor	Until registration cancellation or 60 months from the last registration in case of inactivity

2. Create a jobseeker profile

After registering, the Job Seeker must answer a few questions so that the Platform can notify them of job opportunities that match their interests: What fields are you interested in (select from the list); What opportunities are you looking for (select from the list); Preferred place of work - (required); Maximum hours per week - (required on the timeline); Full-time student status - (available, not available); Language skills - What languages do you speak? (Select language from list and enter level - more than one language can be entered).

After answering the questions, the Jobseeker has the possibility to fill in his/her profile by optionally providing: profile picture; introduction: free text option and uploading a youtube video in English and Hungarian); skills: IT (more selectable), Professional (more selectable), Competences, soft skills (more selectable); Education; Work experience; Hobbies, interests, extra activities (free text); Attachments (CV and portfolio upload option); Contact details (email address used during registration; phone number)

After entering the above information, the Jobseeker will have the possibility to download his/her CV from the system in both English and Hungarian.

The Jobseeker is entitled to delete/modify/add to the Profile Data at any time.

The Data Controller does not request the provision of specific data under the GDPR, please do not provide such data if possible. Accordingly, the Data Controller shall not be liable for any special data provided to it without your express request, and therefore please do not provide such data in the absence of an express request.

Description of data processing	Scope of data processed	Purpose of data processing	Legal basis for processing	Source of data	Recipients of data processing	Duration of data storage
Create a jobseeker profile	The data indicated above (and any additional data voluntarily provided by the Jobseeker and recorded as part of the profile)	Create a jobseeker profile	Consent of the data subject	Contact	Hosting (web server) provider as data processor Personalised within the system message provider as data processor Web development service provider as data processor	Until registration cancellation and/or profile modification or deletion or 60 months from the last registration in case of inactivity

3. Apply for jobs

The Jobseeker's data will be made available to employers looking for employees in the following way: by applying for a job advertisement, the employer can view the data sheet without the email address and telephone number, and in case of a positive response from the employer, the complete data sheet with the email address and telephone number will be made available, including all personal data provided by the Jobseeker. By registering, providing his/her details and applying for a specific job advertisement (by clicking on the Apply button), the data subject explicitly consents to the recipient employer having access to his/her details. By applying for a job advertisement, the data subject expressly gives his/her consent to the transfer of his/her data to the employer concerned.

Depending on the Employer's settings, clicking on the Apply button may automatically redirect the User to the Employer's own recruitment platform, in which case the Employer's own data processing policies will apply to the processing of data following this redirection.

Please also note that if the application is made through Zyntern.com (i.e. the User is not redirected to the Employer's own recruitment platform), after positive feedback from Employers, and thus after the Job Seeker's profile has been fully understood, Employers, as independent data controllers, will process the personal data provided by Job Seekers, and the data processing policies of the advertising Employers will apply. The Jobseeker profile will be available to Employers on the Data Controller's system for a maximum period of 90 days.

Description of data processing	Scope of data processed	Purpose of data processing	Legal basis for data processing	Source of data	Recipients of data processing	Duration of data storage
Applying for a job	Data referred to in point 1.2.	Linking jobseekers and job advertisers	Consent of the data subject (given by clicking on the apply button)	Contact	Customers (as independent data controllers) for which the Jobseeker has applied for a job Hosting (web server) provider as data processor Personalised within the system message provider as data processor Web development service provider as data processor	Until consent is withdrawn (profile deleted) In case of inactivity up to 60 months from the last registration

4. Contacts, System messages, Notifications by individual preference, Featured career tips

The Data Controller is entitled to contact the Jobseeker for any of the purposes of data processing described above, in particular for the purpose of facilitating the job search, at any of the contact details provided by the Jobseeker during the period of data processing (Direct Contact). In addition, the Data Controller may at any time inform Users about the use of the system, news and any changes to it (System Messages). System Messages cannot be blocked. In addition, the User has the possibility to set in his search preferences whether and to what extent he would like to receive individual notifications, based on his preferences, immediately, daily or once a week, either within the system or by e-mail (e.g. individual notification of new job advertisements according to his search profile, employer feedback on job advertisements already posted, etc.), which can be modified or deleted by the User at any time.

In addition to the above, the User will receive as a separate email message Featured Career Tips (e.g. featured job postings, program opportunities, interesting blog content... etc.) where the search preferences of Job Seekers match the search preferences of the Customers concerned by the content. You can unsubscribe from the Featured Career Tips messages by using the unsubscribe link at the end of the email messages.

Description of data processing	Scope of data processed	Purpose of data processing	Legal basis for processing	Source of data	Recipients of data processing	Duration of data storage
Direct contact	Name Phone number E-mail address	To communicate a message that directly affects the user.	Performance of a contractual obligation	Contact	Hosting (web server) provider as data processor Mail system provider as data processor Google drive server provider as data processor Web development service provider as data processor	Until profile deletion In case of inactivity up to 60 months from the last registration
System messages	Name E-mail address	Communicate a message to all users	Performance of a contractual obligation	Contact	Hosting (web server) provider as data processor Bulk mail service provider as data processor Web development service provider as data processor	Until profile deletion In case of inactivity, 60 months from the last registration
Notifications by individual preference	Name E-mail address Profile details	Send notifications according to individual preference	Performance of a contractual obligation	Contact	Hosting (web server) provider as data processor Bulk mail provider as data processor Web development service provider as data processor	Until a custom setting is changed or until profile deletion In case of inactivity up to 60 months from the last registration
Featured career tips	Name e-mail address School education Preferred place of work Preferred areas of expertise	Send priority career tips	Performance of a contractual obligation	Contact	Hosting (web server) provider as data processor Bulk mail plugin provider as data processor Bulk mail service provider as data processor Google drive server provider as data processor Web development service provider as data processor	Unsubscribe or Until profile deletion In case of inactivity, 60 months from the last registration

5. Registration for events

The platform also provides the possibility for Jobseekers to register for events organised by either the Data Controller or the Customers. By registering for an Event (by clicking on the Apply button), the Data Subject expressly consents to the recipient organiser having access to his/her data. By applying, you expressly consent to the transfer of your data to the organiser.

Depending on the settings made by the organizer, it may happen that by clicking on the Log me in button, the system automatically redirects the User to the organizer's own interface, in which case the data processing following this redirection is governed by the organizer's own data processing policies.

Please note that once the data has been submitted, the organisers, as independent data controllers, will process the personal data provided by the Jobseekers and will therefore be governed by the data processing policies of the organiser of the Event.

Description of data processing	Scope of data processed	Purpose of data processing	Legal basis for data processing	Source of data	Recipients of data processing	Duration of data storage
Registration for events	Name E-mail address Phone number	Registration for events	Consent of the data subject (given by clicking on the apply button)	Contact	The organiser as an independent data controller Hosting (web server) provider as data processor Personalised within the system message provider as data processor Web development service provider as data processor	Until consent is withdrawn (profile deleted) In case of inactivity, 60 months from the last registration

6. Reviews

From time to time, the Data Controller will ask Users to evaluate its services, either by using the "Feedback" function within the system or by clicking on the "Give feedback" button in the e-mail sent to Job Seekers, in order to improve the services based on these evaluations. The provision of reviews is entirely voluntary and the User will not suffer any disadvantage in the event of failure to provide them.

Description of data processing	Scope of data processed	Purpose of data processing	Legal basis for processing	Source of data	Recipients of data processing	Duration of data storage
Short Reviews with the Feedback feature in the system	Name Rating pictogram (smiley) or the content of an evaluation your e-mail address	Evaluation of collection for service improvement	Data subject's consent (given voluntarily by using the Feedback function)	Contact	Use analytics provider as data processor Web development service provider as data processor	Up to 30 days after the evaluation of the assessment.
Reviews via Google form (sent by email)	When contacting a User: Name E-mail During user response: Name E-mail Text of the evaluation	Evaluation of collection for service improvement	Legitimate interest, service quality improvement Your consent (which you give by filling in the Google form)	Contact	Bulk mail provider as data processor Google form provider as data processor Web development service provider as data processor	When contacting a User: Until profile deletion In case of inactivity up to 60 months from the last registration During user response: Up to 30 days after the evaluation of the assessment.

7. Newsletter

The Data Controller sends regular information bulletins (e.g. event reports, blog articles, etc.) in a separate newsletter to the Users who subscribe to the newsletter. Subscription to the newsletter is entirely voluntary and Users will not suffer any disadvantage if they do not subscribe. Users can unsubscribe from the newsletter at any time by using the unsubscribe link at the end of the newsletter.

Description of data processing	Scope of data processed	Purpose of data processing	Legal basis for processing	Source of data	Recipients of data processing	Duration of data storage
Newsletter	Name E-mail address	Send newsletter	Consent of the data subject	Contact	Bulk mail plugin provider as data processor Bulk mail provider as data processor Google drive server provider as data processor Web development service provider as data processor	Until you withdraw your consent (unsubscribe or delete your profile) In case of inactivity up to 60 months from the last registration

8. Sweepstakes:

From time to time, the Data Controller will announce competitions on its Facebook or Instagram pages, and the Data Controller will publish a separate privacy notice for each such competition.

2. Processing data of customers as employers who advertise jobs

   1. Registration and profile creation for companies, and billing-related data processing

Registration is required to use the system. During registration, in addition to the company data, the Customer is also required to provide the name of the natural person who registered as the primary contact person, as well as the business e-mail address and telephone number. During the registration process, the primary contact can register to the platform via his/her Facebook profile or Google account. When registering via Facebook, the Data Controller will have access to the User's name, profile picture and email address. When registering through a Google Account, the Data Controller will have access to the name (first and last name) and email address of the User's selected Google Account. If the User does not register through a Facebook or Google account, the system will automatically send an e-mail request to confirm the registration and the registration will only be finalised after this confirmation.

After the registration, it is possible to create a company profile, and within this profile, users with admin rights (as team members) can enter their data, the admin will be the actual users of the system.

Customers may publish job advertisements for a fee. It is possible to order the job advertisement via e-mail (in which case the Data Controller will send the order form to the Customer in response), or by indicating payment by bank transfer within the system (in which case the system will generate the order form for the Customer), or by choosing immediate payment by bank card within the system with the assistance of the payment service provider Barion Payment Zrt. (headquarters: 1117 Budapest, Irinyi József utca 4-20. 2. floor, hereinafter referred to as "Barion"). Barion's Privacy Policy is available here: https://www.barion.com/hu/adatvedelmi-tajekoztato/) The Data Controller will issue an invoice for the payment of the fee.

Description of data processing	Scope of data processed	Purpose of data processing	Legal basis for data processing	Source of data	Recipients of data processing	Duration of data storage
Registration	Company data (company name, company address/working address, can be changed later/, tax number, non-personal data, unless the company name contains the name of a natural person) Primary contact Name (first and last name), your e-mail address telephone number password encrypted	Registering for the platform	Consent of the data subject	Contact	Hosting (web server) provider as data processor Bulk mail service provider as data processor Personalised within the system message provider as data processor Web development service provider as data processor	In the absence of confirmation of registration, 30 days after sending the reminder email If registration is confirmed, until the registration is cancelled or 60 months from the last registration in case of inactivity
Register with Facebook profile	Company data (company name, tax number, non-personal data, unless the company name contains the name of a natural person) Primary contact Name (first and last name), your e-mail address telephone number During Facebook validation Name, Profile picture, Email address, password encrypted	Registering for the platform	Consent of the data subject	Affected and Facebook	Hosting (web server) provider as data processor Bulk mail provider as data processor Personalised within the system message provider as data processor Web development service provider as data processor	If registration is confirmed, until the registration is cancelled or 60 months from the last registration in case of inactivity
Registration With a Google account	Company data (company name, tax number, non-personal data, unless the company name contains the name of a natural person) Primary contact Name (first and last name), your e-mail address telephone number During Google validation Name (first and last name), email address password encrypted	Registering for the platform	Consent of the data subject	Affected and Google	Hosting (web server) provider as data processor Bulk mail service provider as data processor Personalised within the system message provider as data processor Web development service provider as data processor	If registration is confirmed, until the registration is cancelled or 60 months from the last registration in case of inactivity
Customer profile	Company data (non-personal data) Data of users with admin rights: name, company e-mail address and phone number	Registering for the platform	The consent of the data subject, in case of the admin who is entitled to create the profile, and legitimate interest, for all admin holders who are listed in the system	The data subject or the primary contact who is responsible for ensuring that the data subject is duly authorised to transfer the data of the admin	Hosting (web server) provider as data processor Personalised within the system message provider as data processor Web development service provider as data processor	Until registration cancellation or 60 months from the last registration in case of inactivity
Data related to order forms	For advertisements sent via e-mail: Company details: name, registered office, tax number, name of representative, contact name and contact details /phone, e-mail/ In the case of an advertisement sent within the system and paid by bank transfer: Company details: company name, address, tax number customer's e-mail address	Recording orders	Fulfilling a contractual obligation, taking the necessary steps to conclude a contract	Person concerned or the person placing the order	Mail system provider as data processor; CRM system provider as data processor Hosting (web server) provider as data processor Bulk mail service provider as data processor Google drive server provider as data processor Accounting service provider as data processor Web development service provider as data processor	Contractual/ 5 years from the end of the user relationship (general limitation period under the Civil Code)
Data related to credit card payments	In the case of payment by credit card, the system redirects you to the Barion payment interface, so we do not process bank data in connection with credit card payments, but we do share data with Barion for transaction identification and verification purposes (purchase amount, detailed cart contents, purchase date) and Barion will confirm the payment in accordance with its own privacy policy: https://www.barion.com/hu/adatvedelmi-tajekoztato/)	Provision of credit card payment facilities and processing of payments	Fulfilling a contractual obligation,	Contact	Barion Payment Zrt., as an independent data controller Hosting (web server) provider as data processor Bulk mail service provider as data processor Web development service provider as data processor	Contractual/ 5 years from the end of the user relationship (general limitation period under the Civil Code)
Billing data	Name/Company name (personal data only if the company name contains the name of a natural person and in the case of a self-employed Customer) registered office, tax number	Billing	Legislation: Accounting Act, § 165-169.	Contact	Accounting service provider as data processor Google drive server provider as data processor Billing system provider as data processor Web development service provider as data processor NAV as an independent data controller	Until the end of the 8th year following the year of issue of the invoice

2. Contacts and notifications

The Data Controller is entitled to contact the Customer for any of the purposes of data processing described above at any of the contact details provided by the Customer during the period of data processing (direct contact). Furthermore, the Data Controller may at any time inform the Users about the use of the System, news and any changes thereto (System Messages). System Messages cannot be blocked. In addition, the User has the possibility to set in his/her search preferences whether and to what extent he/she wishes to receive individual notifications and notification reminders, based on his/her preferences, immediately, daily or once a week, either through the System or by e-mail (e.g. individual notification of applicants for the Customer's job advertisement).

Description of data processing	Scope of data processed	Purpose of data processing	Legal basis for data processing	Source of data	Recipients of data processing	Duration of data storage
Direct contact	Name Phone number E-mail address	To communicate a message that directly affects the user.	Performance of a contractual obligation	Contact	Hosting (web server) provider as data processor Mail system provider as data processor Google drive server provider as data processor Web development service provider as data processor	Until profile deletion In case of inactivity, 60 months from the last registration
System messages	Name E-mail address	Communicate a message to all users	Performance of a contractual obligation	Contact	Hosting (web server) provider as data processor Personalised within the system message provider as data processor Web development service provider as data processor	Until profile deletion In case of inactivity, 60 months from the last registration
Notifications by individual preference	Name E-mail address	Send notifications according to individual preference	Performance of a contractual obligation	Contact	Hosting (web server) provider as data processor Bulk mail provider as data processor Web development service provider as data processor	Until a custom setting is changed or until profile deletion In case of inactivity up to 60 months from the last registration

3. Newsletters:

The Data Controller sends regular information notices in a separate newsletter to those Customers who subscribe to the newsletter. Subscription to the newsletter is entirely voluntary and Users will not suffer any disadvantage if they do not subscribe. The User may unsubscribe from the newsletter at any time by using the unsubscribe link at the end of the newsletter.

Description of data processing	Scope of data processed	Purpose of data processing	Legal basis for processing	Source of data	Recipients of data processing	Duration of data storage
Newsletter	Name E-mail address	Send newsletter	Consent of the data subject	Contact	Hosting (web server) provider as data processor Bulk mail provider as data processor Google drive server provider as data processor Web development service provider as data processor	Until you withdraw your consent (unsubscribe or delete your profile) In case of inactivity up to 24 months from last login

4. Reviews

From time to time, the Data Controller will ask Users to evaluate its services by means of a "Feedback" function within the system. The provision of ratings is entirely voluntary and the User will not suffer any disadvantage in the event of failure to provide such ratings.

Description of data processing	Scope of data processed	Purpose of data processing	Legal basis for data processing	Source of data	Recipients of data processing	Duration of data storage
Short Reviews with Feedback	Name Rating pictogram (smiley) or the content of an evaluation	Evaluation of collection for service improvement	Data subject's consent (given voluntarily by using the Feedback function)	Contact	Use analytics provider as data processor Web development service provider as data processor	Up to 30 days after the evaluation of the assessment.

3. Data processing applicable to all Users

1. Analyses for product development

The Service Provider monitors the use of the Platform by randomly selected Users (clicks, searches, scrolls, time spent on certain functions, filling in forms... etc.) using the Hotjar software application in order to improve the services based on the conclusions drawn from the User activity.

Description of data processing	Scope of data processed	Purpose of data processing	Legal basis for processing	Source of data	Recipients of data processing	Duration of data storage
Hotjar user activity analysis	Hotjar unique user identifier (UUID) User identification data (name, e-mail address) User activity data	Analysis of user activity for service improvement	Legitimate interest in the service- development	Contact	Use analytics provider as data processor Web development service provider as data processor	6 months

2. Complaints handling

The Data Controller receives complaints about the services by e-mail ([email protected]). A record of the complaints will be kept in the cases provided for by law. All complaints received will be investigated and the data subject will be informed in writing of the outcome of the investigation.

Description of data processing	Scope of data processed	Purpose of data processing	Legal basis for data processing	Source of data	Recipients of data processing	Duration of data storage
Complaint received and response	Name Address Telephone number (optional) E-mail address Date Content of complaint	Complaints handling	Legislation:Consumer Protection Act § 17/A	Contact	Mail system provider as data processor Google drive server provider as data processor	3 years
Complaint- Protocol	Name, address Where, when and how to lodge a complaint, A detailed description of the complaint and a list of the documents, records and other evidence presented, Statement by the controller on its position regarding the consumer's complaint Place and time of recording of the minutes	Complaints handling	Legislation:Consumer Protection Act § 17/A	Contact	Mail system provider as data processor Google drive server provider as data processor In case of a regulatory control Consumer Protection Authority as a separate controller	3 years

3. Cookie information: LINK

4. Processing data of other business partners (not registered as Users)

   1. Like any other economic operator, the Data Controller also processes the data of persons (in the case of legal persons, the persons representing them) who have a supplier or service provider relationship with the Data Controller or wish to establish such a relationship, in the context of its activities, for the purpose of concluding and performing contracts and other related obligations (business development, procurement/sales organisation, invoicing/payment of invoices, etc.). The processing of data relating to contracts with suppliers and service partners is carried out on the one hand by means of paper copies of contracts and receipts/invoices and on the other hand by electronic data backup. Accounting documents are drawn up and managed in accordance with the relevant legal provisions.

In addition, in the course of its business development activities, the Data Controller manages publicly available contact details of potential customers and the contact details of these partners, and in order to ensure the transparency of its business development activities, the Data Controller keeps records of its business development activities in a CRM system.

Description of data processing	Scope of data processed	Purpose of data processing	Legal basis for data processing	Source of data	Recipients of data processing	Duration of data storage
Data processing of a private contractual partner	Name Address mother's name EV registration number, tax number/ tax identification number) Business card details (where applicable) Bank account number (where applicable)	Identification of contracting partner, performance of contract	Performance of a contractual obligation	Contact	CRM system provider as data processor Mail system provider as data processor	In the case of personal data contained in the documents necessary to establish the content of the contract or to prove performance, 5 years after the termination of the contract (general limitation period). In other cases, personal data will be deleted immediately after the termination of the contract or the termination of the representative's capacity.
Data processing of a private contractual partner	E-mail address Phone number If a contact person is indicated: Contact name Your e-mail address Phone number schedule Business card details (where applicable)	Contacting the contracting partner	Performance of a contractual obligation - In the case of a contact other than a contractual partner: legitimate interest in ensuring contractual contact	Contact If a contact person is indicated, the data source is the contractual partner	CRM system provider as data processor Mail system provider as data processor	In the case of personal data contained in the documents necessary to establish the content of the contract or to prove performance, 5 years after the termination of the contract (general limitation period). In other cases, personal data will be deleted immediately after the termination of the contract or the termination of the representative's capacity.
Data processing of a private contractual partner	Billing data	Exhibition of evidence	Legislation: Accounting Act, §§ 165-169, VAT Act, § 169.	Contact	CRM system provider as data processor Mail system provider as data processor Billing system provider as data processor Accounting service provider as data processor Google drive server provider as data processor NAV as an independent data controller	8 years from the last day of the year in which the certificate is issued.
Processing of data of a contractual partner of a legal person	Name of the person representing the legal person His position is Business card (where applicable)	Identification of contracting partner, performance of contract	Performance of a contractual obligation	Contact	CRM system provider as data processor Mail system provider as data processor	In the case of personal data contained in the documents necessary to establish the content of the contract or to prove performance, 5 years after the termination of the contract (general limitation period). In other cases, personal data will be deleted immediately after the termination of the contract or the termination of the representative's capacity.
Processing of data of a contractual partner of a legal person	Contact name Your e-mail address Phone number schedule Business card (where applicable)	Contacting the contracting partner	Legitimate interest in ensuring contractual relations	Contact or, if different from the representative, the data source is the representative of the legal person	CRM system provider as data processor Mail system provider as data processor	In the case of personal data contained in the documents necessary to establish the content of the contract or to prove performance, 5 years after the termination of the contract (general limitation period). In other cases, personal data will be deleted immediately after the termination of the contract or the termination of the representative's capacity.

2. In addition, in the course of its business development activities, the Data Controller manages publicly available contact details of potential customers and the contact details of these partners, and in order to ensure the transparency of its business development activities, the Data Controller keeps records of its business development activities in a CRM system.

Description of data processing	Scope of data processed	Purpose of data processing	Legal basis for data processing	Source of data	Recipients of data processing	Duration of data storage
CRM database on business partners and business development activities	Company data (non-personal data) Contact details (name, position, company phone, e-mail address) Data relating to consultations, enquiries	Business development, monitoring business development, maintaining contacts	Legitimate interest	Publicly available company and contact details	CRM system provider as data processor Mail system provider as data processor	5 years after the last active communication in the case of a contractual relationship as described in the previous point, in the case of a non-contractual relationship as described in the previous point.

4. Data transmission

In connection with the transfer of data, the Company informs the Data Subjects of the following:

In the context of its service, the Data Controller shall, if the Job Seeker applies for an advertisement or event, transmit (make available) the Job Seeker's data to the advertiser/event organiser selected by the Job Seeker by displaying them in the system, based on the Job Seeker's authorisation as detailed in this Policy. Following the transfer, the advertiser/event organiser shall act in accordance with its own data management policy.

In addition:

- The Company may transfer personal data processed by it to the courts and authorities concerned in the course of and for the purpose of fulfilling its contractual obligations and enforcing its rights, depending on the nature of the case; in addition, the fulfilment of certain legal obligations may also involve the transfer of data (e.g. the transfer of the data content of invoices and receipts to the NAV, in the case of suspected money laundering, in the course of reporting, and in the course of official inspections, if necessary).

- The Company is also entitled to forward the data to courts and authorities for the enforcement of its own legitimate interests (data required for the reporting of suspected criminal offences, etc.).

- The Company is entitled to use data processors (hosting service providers, accountants, administrative service providers) to fulfil its obligations and enforce its rights, a list of which is provided at the beginning of these Rules.

- The Company will only transfer personal data to a territory outside the EEA (e.g. to a third country hosting service provider, customer) if the country concerned has an adequacy decision from the Commission or if the transfer is subject to adequate and appropriate safeguards, on which data subjects may request information from the Data Controller at any time and which are available in detail on the Commission's website https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.

5. Security of data processing

The Data Controller shall ensure the security of personal data, the protection against unauthorised or unlawful processing, accidental loss, destruction or damage, including the confidentiality, integrity, availability and resilience of the IT systems and tools used to process personal data, by applying technical and organisational measures appropriate to the level of risk.

The Data Controller shall keep a record of the personal data concerned, the number and categories of data subjects affected by the personal data breach, the date, circumstances and effects of the personal data breach and the measures taken to remedy the personal data breach, in order to monitor the measures taken in relation to the personal data breach and to inform the data subject, in accordance with its legal obligations under the GDPR.

6. Rights of data subjects

1. Right to information/access

• You may request information from the Data Controller on whether the Data Controller is processing your personal data by using the contact details provided above, by post or by email.

• If such processing is ongoing, you have the right to obtain from the Controller information about which personal data, on what legal basis, for what purposes, from what source and for how long it is processed, and to whom, when, under what law, to which personal data it has given access or to whom it has transferred your personal data, including in particular to third country recipients or international organisations.

• The Data Controller will respond to your request for information within a maximum of 30 days by letter or email to the contact details you have provided.

• You have the right to access your personal data by having the Data Controller send you the personal data concerned by post or email.

2. The right to rectification

• You may request, in writing or by email, through the contact details of the Data Controller set out above, that the Data Controller amend any of your personal data without delay, or request the completion of incomplete personal data, if you are unable to do so manually through the user interface. For example, you can change your e-mail address or password at any time.

• The Data Controller will comply with your request within a maximum of 30 days and will notify you by letter or email to the contact details you have provided.

3. The right to erasure/forgetting

• You may request, via the contact details of the Data Controller given above, by post or email, that the Data Controller delete your personal data without delay if one of the following grounds applies:

• your personal data are no longer necessary for the purposes for which they were processed by the Controller;

• You withdraw your consent on which the processing is based and there is no other legal basis for the processing;

• You object to the processing and there are no other legitimate grounds for the processing,

• your personal data have been unlawfully processed by the Data Controller;

• your personal data must be deleted in order to comply with the legal obligation applicable to the Data Controller;

• personal data were collected in connection with the provision of information society services to children.

• The Data Controller will comply with your request within a maximum of 30 days and will notify you by letter to the contact details you have provided.

• If the Controller has transferred your personal data to another party, the Controller will inform the other controllers/processors within 30 days that you have requested the deletion of a copy of your personal data.

4. Right to blocking/restriction of processing

• You may request the blocking of your personal data or the restriction of processing by the Data Controller through the contact details of the Data Controller given above, by post or by email, if one of the following conditions is met:

• You contest the accuracy of the personal data, in which case the blocking/restriction applies for the period of time that allows the Controller to verify the accuracy of the personal data;

• the processing is unlawful and you object to the deletion of the data and instead request the restriction of their use;

• the Controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims; or

• You have objected to the processing; in this case, the restriction applies for the period until it is established whether the legitimate grounds of the controller prevail over the legitimate grounds of the data subject.

• In the event of blocking/restriction of data, such personal data, except for storage, may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests.

• The blocking/restriction lasts as long as the reason you have given requires the data to be stored.

5. The right to data portability

• You may request from the Data Controller, by post or email, via the contact details of the Data Controller given above, to receive personal data concerning you which you have provided to the Data Controller in a structured, commonly used, machine-readable format, and you have the right to transmit such data to another controller without hindrance from the Data Controller to which you have provided the personal data, if the processing is based on your consent or on a contract and the processing is carried out by automated means.

• In exercising your right to data portability, you have the right to request, where technically feasible, the direct transfer of personal data between controllers.

• The Data Controller will comply with your request within a maximum of 30 days and will notify you by letter to the contact details you have provided.

6. The right to protest

• You may object to the processing of your personal data based on the legitimate interests of the Controller or a third party at any time by contacting the Controller at the contact details provided above, by post or by email. In such a case, the Controller may no longer process your personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

• You may object to the processing of your personal data for direct marketing purposes at any time by contacting the Data Controller at the contact details provided above, in writing or by email, in which case your data will no longer be processed for this purpose.

• You can also express your objection by clicking on the "unsubscribe from newsletter" button in the newsletters/recruitment mailings sent by the Data Controller via email, as a result of which the Data Controller will no longer send you newsletters/recruitment mailings.

7. Automated decision-making on individual cases, including profiling

• The Data Controller does not use decision-making based solely on automated processing, including profiling.

• If the Data Controller introduces in the future a decision-making procedure based on such processing, it will duly inform you in advance by email of the logic, method and substance of the decision used and will give you the opportunity to request human intervention by the Data Controller, to express your views or to object to the decision.

8. Enforcement possibilities in relation to data management

• If you are aware of unlawful processing, you should first send your complaint to the Data Controller before initiating legal proceedings, as this will give the Data Controller the opportunity to rectify the unlawful situation on its own initiative.

You can initiate an investigation by lodging a notification (complaint) with the supervisory authority, alleging that you have been subjected to, or are at imminent risk of being subjected to, a violation of rights in relation to the processing of your personal data. The name and contact details of the supervisory authority are as follows:

National Authority for Data Protection and Freedom of Information

Headquarters: 1055 Budapest, Falk Miksa utca 9-11

Postal address: 1363 Budapest, Pf.: 9.

E-mail: [email protected]

Phone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

Website: www.naih.hu

• You can bring a civil action in court if you experience unlawful processing. The court will have jurisdiction to hear the case. You can also choose to bring the case before the court of your place of residence. You can find a list of courts and their contact details at the following link: http://birosag.hu/torvenyszekek.

9. Right to withdraw consent

• If the Data Controller processes the User's data on the basis of the User's consent, the User has the right to withdraw his/her consent at any time. Such withdrawal shall not affect the lawfulness of the previous processing.

7. Review and amendment of the Rules

The circumstances of processing may change from time to time, and the Controller may decide at any time to add a new processing purpose to its ongoing processing, and therefore the Controller reserves the right to amend this Notice at any time.

If the processing of your personal data outside the purposes set out in this Policy becomes necessary and may be based on your consent, the Data Controller will in any case seek your specific consent after prior information.