Privacy Policy

OCTO SERVICES Ltd.

DATA PROTECTION NOTICE

This notice has been issued by OCTO SERVICES Limited Liability Company (registered office: 8000 Székesfehérvár, Lövölde Street 30, 2nd floor, door 1, registering authority: Székesfehérvár Court of Justice Commercial Court, company registration number: 07-09-036746, tax number: 32847943-1-07, statistical number: 32847943-7491-113-07, electronic contact: info@octoapp.hu, represented by: Managing Director Dominik Molnár) as data controller – hereinafter: Data Controller – for the purpose of providing data subjects with the most important information regarding data processing in connection with the services provided by it, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC – hereinafter: Regulation.

The comprehensive information regarding data processing is contained in this data protection notice issued by the Data Controller regarding the processing of personal data – hereinafter: Data Protection Notice.

In view of the types of services provided by the Data Controller, the Data Protection Notice is also applicable to legal relationships within which the Data Controller performs data processing. The rules of data processing apply mutatis mutandis to data processing.

1. General Provisions

1.1. The Data Protection Notice contains rules regarding the processing, handling, and transmission of personal data relating to natural person users – hereinafter: Data Subjects – of the services provided by the Data Controller – hereinafter: Service. The data processing covered by the Data Protection Notice is based on the legal relationship established between the Data Controller and Data Subjects regarding the provision of the Service.

1.2. The Data Controller informs Data Subjects that during the performance of the Service, all personal data that comes into the possession of the Data Controller will be recorded by the Data Controller.

1.3. The legal basis for data processing is the performance of a contract according to the Regulation, in which the Data Subject is one of the parties, or point b) of Section 5 (1) of Act CXII of 2011 on the Right to Informational Self-determination and Freedom of Information – hereinafter: Info Act. The legal basis for data processing is the contract concluded between the Data Controller and the User.

1.4. The provisions contained in the Data Protection Notice serve to fulfill the obligation specified in Article 13 of the Regulation, as well as in points a) of Section 14 and point a) of Section 15 (1) of the Info Act, by providing comprehensive information to Data Subjects on all matters specified therein regarding data processing.

1.5. Data processing extends to the following data relating to Data Subjects – hereinafter: Data:

− name,

− telephone number,

− email address

1.6. The purpose of data processing is to facilitate the easier clarification of possible disputes and to enable the Data Controller to provide the Service to Data Subjects at the highest level.

The purpose of data processing includes in particular:

− service performance,

− fee and cost accounting, invoicing,

− customer records management,

− own administrative and statutory document management.

1.7. Data processing and data processing based thereon may be carried out by the Data Controller and natural persons in employment or other legal relationship with it for work performance, as well as potential partners of the Data Controller cooperating in the provision of the Service. The persons specified in this subpoint are entitled to access the Data provided by the Data Subject to the Data Controller.

1.8. The Data Controller informs the Data Subject that, in view of the closing phrase of paragraph (91) among the introductory provisions of the Regulation, no impact assessment has been conducted and no data protection officer has been appointed.

1.9. Regarding concepts related to data processing, the definitions of the Regulation and the Info Act are applicable.

2. Method of Data Processing

2.1. With regard to point 1.3, Data Subjects acknowledge that the Data Controller collects, processes, and transmits their Data in the manner, for the purpose, and to the extent described in point 2 of the Data Protection Notice. Data provision is voluntary in all cases.

2.2. The Data Controller processes the personal data of Data Subjects for the purpose of providing the Service and fulfilling its obligations arising from its business activities, only to the extent and for the time necessary, in accordance with Article 5 of the Regulation and Section 4 of the Info Act. Data processing complies with these purposes and principles at all stages. The Data Controller does not misuse the Data that comes to its knowledge during its data processing activities in any way.

2.3. The Data Controller informs Data Subjects that it processes and stores the Data until the provision of the Service, and thereafter for five (5) years.

2.4. The Data Controller transfers Data to third parties only if it is in the interest of Data Subjects or if it is necessary for the Data Controller to fulfill its legal obligation. By signing the contract according to point 1.3, the Data Subject expressly consents to the transfer of their Data if the Data Controller deems that the interest of Data Subjects so requires. The Data Controller keeps a record of data transfers in all cases – based on Section 8 and Section 25/E (1) of the Info Act – which contains the time of transfer of Data relating to Data Subjects, the legal basis for data transfer – according to this subpoint –, the recipient of the data transfer, and the determination of the scope of transferred data, which information it retains for the period specified in the legislation prescribing data processing, but for at least five (5) years.

2.5. The Data Controller does not transfer Data Subjects' Data to third countries or international organizations – i.e., outside the European Union and EEA – except with the express approval of Data Subjects and according to conditions recorded in a written statement by the parties, with guarantees in accordance with the provisions of the Regulation and Sections 10-13 of the Info Act. The above restriction does not extend to cases covered by Article 45 of the Regulation, according to which if the purpose of data transfer is a country and/or international organization for which a valid so-called "adequacy decision" issued by the European Commission is in effect, no separate authorization is required for such data transfer.

2.6. The Data Controller does not use Data for the purposes of third parties and does not misuse them in any other way.

2.7. The Data Controller protects Data with appropriate measures, particularly against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction, damage, and becoming inaccessible.

2.8. The Data Controller informs Data Subjects that it does not make decisions based solely on automated data processing regarding Data Subjects. The Data Controller does not create profiles of Data Subjects based on available personal data.

2.9. The Data Controller – both as data controller and data processor – informs Data Subjects that it uses the cooperation of sub-

processors within the framework of its data processing and data processing activities.

3. Data Subject's Options During Data Processing

3.1. Data Subjects may request information about the processing of their Data, as well as request the correction, deletion, or blocking of their Data in the following ways:

− by mail: 8000 Székesfehérvár Lövölde Street 30. 2/1

− by email: info@octoapp.hu

3.2. Upon request by Data Subjects, the Data Controller provides information about the Data it processes, their source, the purpose, legal basis, and duration of data processing, as well as the legal basis and recipient of data transfer. The Data Controller provides the above information in writing, in an understandable form, free of charge, within the shortest possible time from the submission of the request (from its receipt), but at most within fifteen (15) days. The Data Controller may refuse to provide information only in cases specified in Section 16 (3) of the Info Act. In case of refusal to provide information, the Data Controller informs Data Subjects in writing which provision of the Info Act was the basis for refusing the information. In case of refusal to provide information, the Data Controller informs Data Subjects about the possibility of judicial remedy and recourse to the National Authority for Data Protection and Freedom of Information.

3.3. The Data Controller corrects Data if they do not correspond to reality and the personal data corresponding to reality is available to it.

3.4. The Data Controller deletes Data if their processing is unlawful, if Data Subjects request it, if the Data are incomplete or incorrect – and this condition cannot be legally remedied – provided that deletion is not excluded by law –, if the purpose of data processing has ceased or the legally specified deadline for storing the Data has expired, or if ordered by a court or the National Authority for Data Protection and Freedom of Information.

3.5. The Data Controller blocks Data if Data Subjects request it, or if based on available information it can be assumed that deletion would harm the legitimate interests of Data Subjects. Blocked Data may only be processed as long as the data processing purpose that excluded the deletion of Data exists.

3.6. The Data Controller marks the Data it processes if Data Subjects dispute its correctness or accuracy, but the incorrectness or inaccuracy of the disputed Data cannot be clearly established.

3.7. The Data Controller has fifteen (15) days to delete, block, or correct Data. If the Data Controller does not fulfill Data Subjects' request for correction, blocking, or deletion, it communicates the reasons for refusal in writing or electronically with the consent of Data Subjects within fifteen (15) days of receiving the request. In case of refusal of a request for correction, deletion, or blocking, the Data Controller informs Data Subjects about the possibility of judicial remedy and recourse to the National Authority for Data Protection and Freedom of Information.

3.8. The Data Controller notifies Data Subjects and all those to whom it previously transferred the Data for data processing purposes about correction, blocking, marking, and deletion. The Data Controller omits notification if this does not harm the legitimate interests of Data Subjects with regard to the purpose of data processing.

Issued by: OCTO SERVICES Ltd.

Effective from: September 1, 2025

Updated on: 04/09/2025