Notice on data control and processing policy

Please study this document carefully in order to understand how the personal data concerning you collected by us is being processed and to get acquainted with your rights regarding the data processing.

Lombiq Technologies Ltd. (hereinafter: ’Company’ or ’Controller’) fully respects the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: ’GDPR’) and Act CXII on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: ’Privacy Act’) and is devoted to comply with the provisions of them.

The Company being data controller – in the meaning stipulated in Article 4 subparagraph 4 of the Regulation and Article 3 point 9 of the Info Act. – fully respects the private sphere of the persons who have provided personal data to the Company and is committed to protect the data collected.

We raise Your attention that the Company exclusively provides its services for persons being over 18 years, which fact will be expressly confirmed by You with accepting the present notice on our data control and processing policy.

In accordance with the above and pursuant to Article 13 of GDPR and Section 20 of the Privacy Act, the Company provides the following pieces of information on data processing and the related client’s rights:

Data of the Controller:

Company’s name: Lombiq Technologies Ltd.
Seat of business: Str. Podmaniczky 57. 2nd floor 14 door, Budapest, HU-1064
Website: https://lombiq.com

Contact and accessibilities:
Phone number: +3630/630-9690
Email address: crew@lombiq.com

Data Protection Officer:
Pursuant to Article 37 subparagraph 4 of the Regulation the Controller is not obliged to designate a data protection officer.

Data protection requests:
Should you wish to submit any request or enquiries concerning our data processing, you may submit it by post or electronically to the Company’s above-mentioned accessibilities.
Our replies shall be sent to your provided address without delay, but at the latest in 30 days, free of charge – except for multiple and unreasonable requests.

Processing of Data:
Data processors are and may exclusively be engaged for the purposes as detailed in the table attached as Appendix 1 being integral and inseparable part of this document.

Transfer of data to third countries and/or international organizations:
Transfer of data to third countries and/or international organizations as referred to in Chapter V of the Regulation exclusively takes place to such third countries which were granted an adequacy decision, therefore such data transfer shall not require any specific authorization.

Websites and applications operated by Controller:

1. Purposes of Data Processing:

The Controller processes data for the following purposes in compliance with the provisions of the GDPR – especially Article 6 – and the related Hungarian law – especially Section 4 of the Info Act:
a) related to the Controller’s business activities the data of the services’ beneficiaries are processed for compliance with a legal obligation to which the Controller is subject and to maintain customer relationship;
b) marketing activities for potential customers,
c) the processing of data of the employee and applicants,
d) the processing of the partners’ contact persons’ data,
e) the performance of the customer’s orders,
f) to facilitate inner administration.

2. Legal Grounds of Processing Your Data

The control and processing of your personal data are based on the following circumstances being the legal grounds of these activities:

a) Issuance of invoices complying with the accounting rules: legal ground Article 6 paragraph 1, point c) of GDPR.
b) Partner contacts: legal ground Article 6 paragraph 1, point f) of GDPR. Concerning the data of the partners’ employee the legal ground of the data processing: evaluation of interests. Controller’s legitimate interest is: business continuity.
c) Processing of employee’s data: legal ground Article 6 paragraph 1, point b) and c) of GDPR.
d) Processing of the contracted partners’ data: legal ground Article 6 paragraph 1, point b) of GDPR.
e) Marketing activities: legal ground Article 6 paragraph 1, point a) of GDPR. Controller for the performance of marketing activities operates Facebook, Twitter, LinkedIn and Youtube-sites as well, but Controller does not collect separate database, nor does profiling take place. (see for more details: the related line of Appendix 1, and the chapter on ‘Data management of third party providers’ of Appendix 2).
f) Online registration, subscription to newsletter, server logging, usage of ‘cookies’: legal ground Article 6 paragraph 1 point, a) of GDPR.

Tests on the evaluation of interests indicated in point b) could be claimed to be sent to you by your request submitted to our above email address.

Your consent to forwarding to you direct marketing emails may be withdrawn and the erasure or modification of your concerned personal data be requested at the above accessibilities of Controller or by clicking at the ‘unsubscribe’ link included in our newsletter.

Pease be informed that detailed information on logging of server(s) and usage of ‘cookies’ is provided in Appendix 2 on ‘Information on Server Logging and Usage of So-Called ‘Cookies’ being integral and inseparable part of this document.

3. Duration of Data Processing:

Due to legal obligations invoices shall be stored at least for 8 years after the issuance. The documents being the grounds for the invoices’ issuance shall be stored for 8 years. We may raise Your attention that accordingly the termination date of the given relation/transaction is deemed to be the end of the previous date applied to invoices as well.

Documents being the grounds of employment relationship shall be stored: for 50 years after their conclusion.

Data provided for maintaining partner contacts shall be stored: maximum 1 year after the termination of the relation.

Data related to the performance of Your orders, our services and contracts shall be stored until the termination of the given relation as indicated above.

We would like to raise Your attention to the fact that the pieces of information provided under 1-3) point concerning the personal data processing activities of Controller, are summarized in an overall and transparent way in the table attached as Appendix 1 being integral and inseparable part of this document.

4. Rights of You as Data Subject:

Please be informed that related to Your personal data, special rights are granted to You as data subject pursuant to Article 15-21 of GDPR.

Your rights as data subject include at least the followings:
a) Right of access:
Access to the data, the fact whether or not personal data concerning him or her are being processed whether or not personal data concerning him or her are being processed.

b) Right to rectification:
If a data concerned is inaccurate, you can request and have it promptly updated by us.

c) Right to erasure and the ’right to be forgotten’ (only if the data process is based on the data subject’s approval):

You have the right to obtain from Controller the erasure of personal data concerning you without undue delay if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, your consent subject to the data processing was withdrawn, the data processing is objected by you, the possibility of personal data have been unlawfully processed, or the erasure of the data concerned is necessary for compliance with a legal obligation, Controller shall without undue delay erase the data concerned.

The ‘right to be forgotten’ means that if you request the erasure of your data and Controller has made any of your personal data public, then Controller – taking account of available technology and the cost of implementation – shall take reasonable steps, including technical measures, to inform the controllers which are processing your personal data concerned that You have requested the erasure of by such controllers of any links to, or copy or replication of the data concerned.

d) Right to restriction of processing:

You have the right to obtain from Controller restriction of data processing where one of the following applies:
- You contest the accuracy of the personal data, in that case restriction applies for a period enabling Controller to verify the accuracy of the personal data concerned;
- the possibility of unlawful processing occurs and You oppose the erasure of the personal data and request the restriction of their use instead;
- although Controller no longer needs the personal data for the purposes of the processing, but they are required by You for the establishment, exercise or defence of legal claims;
- You have objected to processing, in that case restriction applies for the period during which it is verified whether the legitimate grounds of Controller may override those of You.

Please be informed that where data processing has been restricted due to the above reasons, such personal data shall, with the exception of storage, only be processed based on the following reasons:
- with Your consent, or
- for the establishment, exercise or defence of Controller’s legal claims, or
- for the protection of the rights of another natural or legal person, or
- for reasons of important public interest of the Union or of a Member State.

If You have obtained the restriction of data processing according to the above, Controller shall inform Your prior to the restriction being allegedly lifted.

Please note that Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with the above to each recipient to whom the personal data concerned have been disclosed, unless this proves impossible or involves disproportionate effort. You may also request Controller to inform You about those recipients and Controller shall without undue delay inform You about it.

e) You have the right to prohibit the usage of personal data for direct marketing purposes.

f) Right to data portability:
- You have the right to receive or claim the transmission of the personal data provided by You in a structured, commonly used and machine-readable format
- You have the right to have those data be transmitted to another controller or to prohibit such act.

g) You have the right to object the data processing.

h) Right to lodge complaint:
You have the right to lodge complaints about the data processing activities – in compliance with point 6) on available remedies – carried out by Controller before the competent lead data protection supervisory authority being in that case the Hungarian National Authority for Data Protection and Freedom of Information

5. Notification of a Personal Data Breach to the Supervisory Authority, Communication to You as Data Subject:

Please be informed that pursuant to Article 4 point 12) of GDPR ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

In the case of a personal data breach, Controller – in compliance with Article 33 of GDPR – shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Controller records any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.

Controller – in compliance with Article 34 of GDPR – shall communicate the personal data breach to You and any alleged further data subjects without undue delay if the personal data breach is likely to result in a high risk to the rights and freedoms of the concerned natural person(s) as You.

In addition to the above, Controller takes every possible measure to avert the personal data breach in the most efficient way and to ensure the protection of personal data at the highest level.

6. Further data processing activity:

We may provide specific information about our alleged further data processing activity prior to You providing the concerned data.

Please be informed that Controller could be requested by the court, prosecutor’s office, investigative authority, administrative authority, supervisory authority (Hungarian National Authority for Data Protection and Freedom of Information) or other entitled authorities to give information, provide or transfer data, or provide documents to the authorities.

Controller shall provide the requested data – in case the actual purpose and circle of the data concerned are clearly indicated by the authority –, however Controller may only provide such data in the circle and amount strictly necessary for fulfilling the purpose of the request.

7.) Storage of data, the security of data processing:

Controller’s IT-system is located at Controller’s seat of business, and the employee of Controller being data processors.


We may inform You that with providing your consent to the present document, You approve to and accept us to assign for the storage of the data processed the following further, third-party ,,cloud-based” service providers as data processors:

Please be informed, that the IT devices used for processing personal data are chosen and operated by Controller in a way that the data concerned shall be:
a) accessible for those having the right to access it (accessibility of data),
b) authentic and the authentication of it be ensured (trustworthiness of data processing),
c) the integrity of it could be confirmed (integrity of data),
d) be secured from unlawful access to it (confidentiality of data).

Controller protects the provided data with adequate measures specifically from unlawful access, modification, transfer, publication, erasure or alleged destruction, damage or turning inaccessible due to the change of the IT solutions applied. Controller applies adequate technical solutions – with the aim of protecting the data processed electronically in its databases – ensuring that the data stored could not be combined, nor directly linked to You or any other data subjects – except for fulfilling legal obligation(s).

Controller, taking into account the actually available technical solutions, applies such IT, organizational and operative solutions which may ensure efficient and adequate level of data protection against the risk emerging from data processing.

During processing data, Controller ensures:
a) secrecy of data: protects information from unlawful access and guarantees that only those entitled could access data,
b) integrity of data: protects the accuracy and completeness of data and the method of processing,
c) accessibility of data: Controller grants that the information and data, moreover the necessary measures could always be accessible for entitled users to access data.

Controller’s and its partners’ IT-systems are efficiently protected from IT-fraud, spying, sabotage, vandalism, fire or flood, furthermore PC viruses, hackers and attacks resulting the denial of providing services. Controller and the affected operators ensure security with applying data protection measures at the level of servers and applications as well.

We may raise Your attention that the electronical messages forwarded via the Internet are - irrespectively of the applied protocols (e-mail, web, ftp. etc.) – vulnerable against those technical threats which aim at the unfair activities, challenging contracts, or the disclosure or modification of information. Therefore, Controller takes all measures which could be reasonably expected from it to protect You from this. Our IT-systems are supervised in order to record any infringement of security and to provide evidence for any such event. The supervision of the concerned IT-systems also allows to check the actual efficiency of the measures applied.

9. Information on Remedies:

Please be informed that pursuant to Article 56 the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor. Therefore, as Controller’s seat of business is in Hungary, the Hungarian supervisory authority is entitled to proceed as lead supervisory authority. Accordingly, in general the Hungarian authorities and courts are entitled to proceed concerning the data control/processing activities of Controller.

The supervisory authority in Hungary is:

Hungarian National Authority for Data Protection and Freedom of Information:

  • address: HU-1125 Budapest, Szilágyi Erzsébet fasor 22/C.
  • email address: ugyfelszolgalat@naih.hu

Judicial remedy:

Pursuant to the provisions of the Hungarian Code of Civil Procedure (Act CXXX of 2016) cases related to data protection fall within the scope of regional courts. Litigation depending from the plaintiff’s choice may be initiated before the regional court competent for the plaintiff’s permanent or habitual residence.

Right to compensation and liability:

Please be informed that in case You have suffered material or non-material damage as a result of an infringement of any data protection and processing legal obligation(s) – especially deriving from the above cited provisions of GDPR and Privacy Act – by Controller, You shall have the right to receive compensation for the damage suffered, moreover in case of violation of your rights relating to personality You may claim restitution as well from Controller or from the affected data processor(s).

Any controller involved in processing shall be liable for the damage caused by unlawful data processing. Affected data processors shall be liable for the damage caused by processing only if they have not complied with obligations of GDPR specifically directed to data processors or where they have acted outside or contrary to lawful instructions of Controller.

Controller or processor shall only be exempt from the above liability if it has been proven that it was not in any way responsible for the event giving rise to the damage.

10. Changes to the present privacy notice

Any subsequent substantive or material change(s) to this privacy notice shall be communicated to You prior to entering into force.

If the change to the information is indicative of a fundamental change to the nature of the processing (e.g. enlargement of the categories of recipients or introduction of transfers to a third country) or a change which may not be fundamental in terms of the processing operation but which may be relevant to and impact upon You, then that information should be provided to You well in advance of the change actually taking effect (e.g.: via email and/or pop-ups on our websites).
This is to ensure that You do not accidently “miss” the change and to allow You a reasonable timeframe for them to a) consider the nature and impact of the change and b) allegedly exercise Your rights concerning the change(s) (e.g. to withdraw consent or to object to the processing).

Please be informed that the following changes to this privacy notice should always be communicated to You: a change in processing purpose; a change to the identity of Controller; or a change as to how data subjects can exercise their rights in relation to the processing. Conversely, the following examples of changes to our privacy notice will not be considered substantive or material: corrections of misspellings, or stylistic, grammatical flaws.

Appendix 1 - Table on data control and processing

ActivityData ProcessedPurpose of Data ProcessingLegal Grounds of Data processingTransfer of Personal DataMethod and duration of data storage
Issuance of invoice and online payments Name, email address, address (if necessary tax number) issuance of invoice related to the services provided Article 6 paragraph 1, point c) of GDPR

For the issuance of the invoices the following online invoicing software will be used, and the data processed transferred to the following service provider:

Furthermore, the following services are used to store invoicing data:

The following services are used to handle online payments:

May we raise Your attention that the above data processors are GDPR-compliant.

At least 8 years subsequent to the issuance of the invoice
Accounting activity Name, email address, address (if necessary tax number) Issuance of invoice related to the services provided preparation of accounts Article 6 paragraph 1, point c) of GDPR

Accountant:

  • Cégnév/Company name: Indy 2000 Bt.
  • Székhely/Address: HU-1172 Budapest, Petri utca 37.
  • Email: indy11@t-online.hu

May we raise Your attention that the above data processors are GDPR-compliant.

At least 8 years subsequent to the issuance of the invoice
Contact data Name, email address (if necessary phone number and address) Clarification of service orders, handling alleged cancellation Article 6 paragraph 1, point a) of GDPR

May we raise Your attention that the above data processors are GDPR-compliant.

Until the revocation of consent
Sending newsletter Name, username, email address Recommendation, new services Article 6 paragraph 1, point a) of GDPR

May we raise Your attention that the above data processors are GDPR-compliant.

Until the revocation of approval
Registration data Name, email address Creation of client’s account Article 6 paragraph 1, point a) of GDPR

Web storage:

May we raise Your attention that the above data processors are GDPR-compliant.

Until the revocation of consent or the termination of relation as defined under point 3)
Server logging, data deriving from ‘cookies’ Application usage and error data, user session details During the visit of the website check and supervision of the operation of services, specification of user’s searches, individualization of services, hindering abuses Article 6 paragraph 1, point a) of GDPR
Section (3) of Article 13/A of the Act on E-Commerce

May we raise Your attention that the above data processors are GDPR-compliant.

Controller’s social media sites (Youtube, Twitter, Facebook, LinkedIn) are operated for the performance of marketing activities, but separate database, profiling or any such activity do not take place. May we raise Your attention that therefore concerning these sites the site provider shall be deemed as data controller.

Until the revocation of consent, but at the latest 26 months
Performance of services, orders or contracts Name, email address (phone number, postal address if necessary) Performance of service order Article 6 paragraph 1, points a), b) and f) of GDPR

May we raise Your attention that the above data processors are GDPR-compliant.

Until the termination of relation as defined under point 3) or the revocation of approval
Complaint-handling Name, email address (phone number, postal address if necessary) Handling of customers’ complaints Article 6 paragraph 1, point c) of GDPR
Article 17/A of Consumers Protection Act
  • Atlassian services: Bitbucket, Confluence, HipChat, Jira, Stride
    Used to store documents and other information on clients and team members, track software issues, exchange information within the Lombiq team.
    Website: https://www.atlassian.com/
    Company name: Atlassian Pty Ltd c/o Atlassian, Inc.
    Seat and postal address: 1098 Harrison Street
    San Francisco, CA 94103, USA
    Email: privacy@atlassian.com
    Privacy policy: https://www.atlassian.com/legal/privacy-policy
  • Box
  • Microsoft services

May we raise Your attention that the above data processors are GDPR-compliant.

until the termination of relation as defined under point 3)
Recalls Name, email address (phone number, postal address if necessary) Recalling faulty deliveries Article 6 paragraph 1, point c) of GDPR
Article 17/A of
Consumers Protection Act
  • Atlassian services
  • Box
  • Microsoft services

May we raise Your attention that the above data processors are GDPR-compliant.

until the termination of relation as defined under point 3)
Recording of Controller’s events Storage of the events’ pictures, videos, marketing future events Ensuring business continuity, marketing activity Article 6 paragraph 1, point c) of GDPR

May we raise Your attention that the above data processors are GDPR-compliant.

Until the revocation of consent

Appendix 2 - Notice on server logging and usage of 'cookies'

Please be informed that the following websites are operated by Lombiq Technologies Ltd. (hereinafter: ’Company’ or ’Controller’) in the frame of its business activity:

(hereinafter jointly referred as: ‘Lombiq websites’).

We may raise your attention that for the effective and optimal operation of Lombiq websites, cookies and other, such IT-solutions are used by the websites which may result in the processing of personal data related to You as it follows.

1.) Server logging of Lombiq websites

During the visit of Lombiq websites the users’ activities may be automatically logged by the server.

Purpose of data processing: during the visit of the website users’ data are recorded by the service provider in order to check and supervise the operation of services, specify and supplement visitors’ searches, individualize services and hinder alleged abuses.

Legal grounds of data processing: consent of data subject, Article 6 paragraph 1, point a) of GDPR, Section (3) of Article 13/A of the Act on E-Commerce.

Circle of data processed: identification number, date, time of the visit, address of the website concerned, IP-address of the user’s PC, type of the user’s operation system, web-browser.

Period of data storage: until the revocation of consent, but at the latest 26 months.

Please, be informed that the so-called ‘IP-address’ is a series of numbers, with the help of which the computers of all the internet users may be unequivocally identified. With the help of the IP-address, even the geographical location of the user may be determined. We inform you that neither the list of the visited websites, nor the date and exact time data are sufficient by themselves to identify the user, however linked to other data (e.g. those supplied during registration) they are sufficient to draw conclusions regarding the user.

Data management of third party providers:

The portals html code contains links coming from or pointing to an external server, which is independent of Controller. The server of the third party is directly connected to the user’s computer.

We would like to raise your attention that the third party providers of these links may collect user data (e.g. IP-address, browser or operating system data, mouse movement, the title of the visited page and the time of visit), due to the direct connection to their server and due to the direct communication with the user’s browser. The personalized content for the user is provided by the third-party server. The below listed controllers are able to provide detailed information about the processing of the data by the third-party server.

The third-party providers – accessible on the below listed addresses – during the visit of Lombiq’s given site(s) or during the usage of their embedded services may place small data packets on the user’s computer (so-called ‘cookies’), and collect the IP-address and other data of the user, and may display advertisements for the user’s in order to provide their services:

  • Facebook:
  • Youtube:
    • purpose: displaying videos
    • accessibility of privacy policy: https://policies.google.com/?hl=hu
    • Please be informed that You may watch Controller’s videos, which we upload to our YouTube page and embed to our websites. Please note that YouTube has its own cookie and privacy policies over which we have no control. Please be informed that the usage of cookies and any data collection will not take place by YouTube until you start to play an embedded video.
  • Twitter:
    • purpose: accessing social media features
    • accessibility of privacy policy: https://twitter.com/en/privacy
    • Please be informed that on the websites operated by Controller the above service provider is not authorized to collect data for marketing purposes.
  • LinkedIn

Controller uses the cookies and services of the below service providers on the Lombiq websites:

Detailed information on the data processing activity of the providers is available at the above addresses.

2.) ‘Cookie’ Policy of Lombiq websites:

Please be informed that, in order to be able to provide personalized services, the provider places a small data packet (so-called ‘cookie’) on the user’s computer during the visit of the website and reads it during a later visit. If the user’s browser sends a formerly saved cookie, the cookie provider has an opportunity to connect the user’s actual visit to their earlier visits, however only in terms of their own content.

The purpose of data processing:
Identification of the user, distinguishing users from each other, identification of the user’s actual session and storing of the provided data during the session, prevention of data loss, identification and tracking of users and performing web-analytics.

Legal grounds: the consent of the data subject, moreover Article 6 paragraph 1, point a) of GDPR, Section (3) of Article 13/A of the Act on E-Commerce.

Circle of the data processed: identification number, date and time of the visit, previously visited website.

Period of data storage:

  • Login cookie: until the revocation of consent, but at the latest 48 minutes from the login or if you selected “remember me” then 30 days.

Please be informed that ‘cookies’ with exact expiration date (‘permanent cookies’), are stored on the user’s computer until their validity time expires or are deleted by the user.

The third-party providers mentioned in the previous point may also use cookies for their own purposes. Information about the management of these cookies may be found on the websites of the data controllers/processors listed above.

Google as a third party may also use cookies for its own purposes. Information about Google’s cookie policy is found on the following url: https://policies.google.com/privacy 

We inform you, that the user can delete cookies from their own computer and can also disable cookies in their browser. Cookie handling is usually configurable via the Preferences/Settings menu in browsers, in the Privacy Policy/History/Individual Settings submenu with a title of Cookies/Tracing.

We inform you that further general information about cookies may be found on the following URL: https://en.wikipedia.org/wiki/HTTP_cookie