GDPR Compliant•Version 1.0

Privacy Notice

Effective: 26 November 2025 • Last Updated: 26 November 2025

Data Controller

József Juhász (Hungarian private entrepreneur)
Katona József utca 14., Kecskemét, Hungary
Email: privacy@multicomply.com

1. Introduction

This Privacy Notice explains how József Juhász ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the MultiComply GDPR compliance platform ("Service").

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and Hungarian data protection laws.

This Notice applies to:

Visitors to multicomply.eu
Registered users of the Service
Customer contacts and billing representatives
Data subjects whose information you process using our Service

2. Data Controller Identity

Data Controller:
József Juhász
Private Entrepreneur (Egyéni vállalkozó)
Katona József utca 14.
Kecskemét, Hungary

Contact for privacy inquiries:
Email: privacy@multicomply.com
Phone: +36 [Your phone number]

Data Protection Officer (DPO)

József Juhász holds professional DPO certification. However, under GDPR Article 37, a formal DPO appointment is not required because we do not engage in:

Large-scale systematic monitoring of individuals; OR
Large-scale processing of special categories of personal data

3. Personal Data We Collect

3.1 Account Registration Data

When you create an account, we collect:

Data Category	Specific Data	Purpose	Legal Basis
Identity	Full name, job title, role	Account management, access control	Contract (Art. 6(1)(b))
Contact	Business email, phone	Communication, account recovery	Contract (Art. 6(1)(b))
Company	Company name, address, registration number, industry	Service provisioning, conflict checks	Contract (Art. 6(1)(b))
Authentication	Password (hashed), login timestamp, IP	Security, fraud prevention	Contract (Art. 6(1)(b))

3.2 Billing & Payment Data

Note: We do NOT store full credit card numbers. Stripe handles all payment card data securely.

3.3 Service Usage Data

When you use the Service, we collect:

Activity Logs: Login times, documents created, pages viewed, features used
Technical Data: IP address, browser type, device type, operating system
Performance: Page load times, error messages, API response times

3.4 Document Generation Data

IMPORTANT: We do NOT send your document content to any AI service. Document generation is purely template-based with mail-merge technology.

3.5 Cookies & Tracking

Cookie Name	Type	Purpose	Duration
`sb-access-token`	Essential	Authentication (Supabase)	Session
`sb-refresh-token`	Essential	Session persistence	7 days
`language-preference`	Functional	Remember language choice	1 year
`_ga`, `_gid`	Analytics (optional)	Google Analytics (if you consent)	2 years / 24 hours

Cookie Consent: We will ask for your consent before setting non-essential cookies. You can manage cookie preferences at any time via our Cookie Settings.

4. Legal Basis for Processing

We process your personal data under the following legal bases:

Processing Activity	Legal Basis (GDPR Article 6)
Account management, service delivery	Contract performance (Art. 6(1)(b))
Billing, invoicing, payment	Contract performance + Legal obligation (Art. 6(1)(c))
Security monitoring, fraud prevention	Legitimate interests (Art. 6(1)(f))
Service improvement, analytics	Legitimate interests (Art. 6(1)(f))
Marketing emails (newsletters)	Consent (Art. 6(1)(a))
International data transfers	Consent (Art. 6(1)(a)) + SCCs

5. How We Use Your Personal Data

We use your personal data to:

Service Delivery

Create and manage your account
Authenticate your access to the Service
Generate documents based on your form answers
Store and version-control your generated documents
Process DSAR submissions from your data subjects
Calculate compliance scores and generate reports
Provide NAIH audit preparation tools

Billing & Administration

Process subscription payments
Generate invoices and receipts
Manage subscription renewals and cancellations
Comply with Hungarian tax reporting obligations (7-year retention)

Communication

Send transactional emails (password resets, account notifications)
Respond to your support requests
Send trial reminder emails and compliance alerts
Send marketing emails (only if you opted in)

Security & Fraud Prevention

Monitor login activity for suspicious behavior
Prevent unauthorised access to accounts
Detect and block automated bot attacks
Investigate security incidents

6. Third-Party Data Processors

We engage the following third-party processors to help deliver the Service:

6.1 Supabase (Database & Hosting)

Processor: Supabase Inc.
Services: PostgreSQL database, authentication, file storage
Data Processed: All user data, documents, form answers, activity logs
Data Location:
- Primary: EU servers (Germany/Ireland)
- Backup: US servers (encrypted)
Safeguards:
- Standard Contractual Clauses (EU Commission 2021/914, Module 2)
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- ISO 27001, SOC 2 Type II certified
Privacy Policy: supabase.com/privacy

6.2 Resend (Transactional Emails)

Processor: Resend Labs Inc.
Services: Email delivery (account notifications, password resets, DSAR verification)
Data Processed: Recipient email address, name, email content
Data Location: EU servers only
Safeguards:
- EU-based infrastructure (no international transfers)
- TLS encryption for email delivery
- SPF, DKIM, DMARC authentication
Privacy Policy: resend.com/legal/privacy

6.3 Processor List

Current full processor list: multicomply.eu/subprocessors

Changes to processors: We will notify you 30 days before adding new processors. You may object to new processors, and if we proceed despite your objection, you may terminate your subscription without penalty.

6.4 What We Do NOT Use

✅ No AI services

We do NOT send your data to Anthropic Claude, OpenAI, or any other AI service for document generation. All documents are created using template-based mail-merge technology.

7. International Data Transfers

7.1 Transfers Outside the EU

Supabase US Backup: While Supabase's primary servers are in the EU, backup replication occurs on US servers. This constitutes an international data transfer under GDPR Chapter V.

Safeguards in place:

Standard Contractual Clauses (SCCs) – EU Commission Decision 2021/914, Module 2
Supplementary measures:
- End-to-end encryption (AES-256)
- Pseudonymisation where feasible
- Access controls limiting US personnel access
- Transparency reports on government data requests

Legal basis: Your consent (GDPR Article 49(1)(a)) + SCCs

7.2 No Other International Transfers

✅ Resend: EU-only (no transfers)

7.3 Your Rights Regarding Transfers

You may:

Withdraw consent to international transfers (may affect Service availability)
Request a copy of the Standard Contractual Clauses
Object to transfers (we will assess whether Service can be provided without transfers)

8. Data Retention

We retain personal data only as long as necessary for the purposes set out in this Notice:

Data Category	Retention Period	Legal Basis
Account data	2 years after last login	Legitimate interests (reactivation)
Billing records	7 years after invoice date	Legal obligation (Hungarian tax law)
Generated documents	Until deletion OR 30 days after account closure	Contract performance
Activity logs	3 years	Legitimate interests (security audits)
DSAR submissions	3 years after completion	Legal obligation (GDPR accountability)
Support tickets	2 years after closure	Legitimate interests
Marketing consent	Until consent withdrawn	Consent

Deletion Process

Automated deletion: Cron jobs delete expired data monthly
Manual deletion: You can delete documents, ROPAs, DPIAs at any time via the Service
Account closure: 30-day grace period to download data, then permanent deletion

Exceptions to Deletion

We may retain data longer if:

Required by law (e.g., tax records, legal holds)
Needed to defend legal claims (until statute of limitations expires)
Anonymised for statistical purposes (no longer personal data)

9. Data Security Measures

We implement the following technical and organisational measures to protect your data (GDPR Article 32):

9.1 Technical Measures

Encryption:

✅ Encryption at rest (AES-256 for database, files)
✅ Encryption in transit (TLS 1.3 for all connections)
✅ Password hashing (bcrypt with salt)

Access Controls:

✅ Row-Level Security (RLS) policies in Supabase
✅ Role-based access control (admin/client/viewer roles)
✅ Multi-factor authentication (MFA) available
✅ Session timeout after 7 days of inactivity

Infrastructure:

✅ Daily automated backups (30-day retention)
✅ Disaster recovery plan (RTO: 4 hours, RPO: 24 hours)
✅ DDoS protection and rate limiting
✅ Security monitoring and intrusion detection

9.2 Limitations

No system is 100% secure. While we implement industry-standard security measures, we cannot guarantee absolute security. You acknowledge and accept the inherent risks of internet-based data transmission.

Your responsibilities:

Use strong, unique passwords
Enable MFA if available
Do not share account credentials
Report suspicious activity immediately
Keep your devices secure

10. Your Rights Under GDPR (Articles 15-22)

As a data subject, you have the following rights:

10.1 Right of Access (Article 15)

What: Obtain confirmation of whether we process your data and receive a copy
How: Email privacy@multicomply.com with subject "Data Access Request"
Timeline: Within 30 days (may extend to 60 days for complex requests)
Cost: Free for first request; reasonable fee for excessive/repetitive requests

10.2 Right to Rectification (Article 16)

What: Correct inaccurate or incomplete personal data
How: Edit your profile in account settings OR email privacy@multicomply.com
Timeline: Without undue delay (typically within 7 days)

10.3 Right to Erasure / "Right to be Forgotten" (Article 17)

What: Request deletion of your personal data
How: Email privacy@multicomply.com with subject "Data Erasure Request"
Timeline: Within 30 days
Limitations: We may refuse if we need the data to comply with legal obligations (e.g., 7-year invoice retention)

10.4 Right to Restriction of Processing (Article 18)

What: Limit how we use your data (e.g., storage only, no active processing)
When: Accuracy contested, processing unlawful, data needed for legal claims, objection pending
Effect: We mark data as "restricted" and do not process (except storage or with your consent)

10.5 Right to Data Portability (Article 20)

What: Receive your data in a structured, machine-readable format (JSON, CSV)
How: Export via account settings OR email privacy@multicomply.com
Format: JSON (structured), CSV (tabular), PDF (human-readable)

10.6 Right to Object (Article 21)

What: Object to processing based on legitimate interests
Effect: We must stop processing unless we demonstrate compelling legitimate grounds that override your interests
Marketing emails: Unsubscribe link in every email (instant opt-out)

10.7 Rights Related to Automated Decision-Making (Article 22)

We do NOT conduct automated decision-making with legal effects or profiling. Template generation is automated but does NOT produce legal effects or significantly affect you, as documents must be reviewed by a lawyer before use.

10.8 Right to Withdraw Consent (Article 7(3))

What: Withdraw consent for processing based on consent (e.g., marketing, international transfers)
How: Click "unsubscribe" in emails OR email privacy@multicomply.com
Effect: Immediate cessation of processing
Note: Withdrawal does not affect lawfulness of processing before withdrawal

10.9 How to Exercise Your Rights

Email: privacy@multicomply.com
Subject Line: [Type of Request] (e.g., "Data Access Request")
Include: Your full name, email address registered with Service, description of request, proof of identity (if we cannot verify your account)

Response time: 30 days (may extend to 60 days for complex requests; we will notify you)

Refusal: If we refuse your request, we will explain why and inform you of your right to complain to NAIH.

11. Right to Lodge a Complaint

If you believe we have violated your data protection rights, you have the right to lodge a complaint with the supervisory authority:

Hungarian Supervisory Authority:

Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
National Authority for Data Protection and Freedom of Information

Address: Szilágyi Erzsébet fasor 22/C, H-1125 Budapest, Hungary
Phone: +36 (1) 391-1400
Email: ugyfelszolgalat@naih.hu
Website: naih.hu

When to complain:

We refuse your data subject request without valid reason
We fail to respond within legal timeframes
You suspect a data breach that we did not notify you about
You believe we process your data unlawfully

We encourage you to contact us first so we can attempt to resolve the issue directly. However, you have the right to complain to NAIH at any time.

12. Data Breach Notification

If we discover a personal data breach, we will:

12.1 Notification to NAIH (Article 33)

Timeline: Within 72 hours of becoming aware of the breach
Content: Nature of breach, categories and number of data subjects affected, likely consequences, measures taken

12.2 Notification to You (Article 34)

When required: If the breach is likely to result in high risk to your rights and freedoms
Timeline: Without undue delay
How: Email to your registered address
Content: Description in clear, plain language, contact point, likely consequences, measures to mitigate effects

12.3 Exceptions

We may NOT notify you if:

Appropriate technical protection was applied (e.g., data was encrypted and keys not compromised)
We took subsequent measures ensuring high risk no longer exists
Notification would require disproportionate effort (we would publish on website instead)

13. Children's Privacy

Age restriction: The Service is NOT intended for children under 16 years old (14 in Hungary under Act CXII of 2011).

No knowing collection: We do not knowingly collect personal data from children. If you believe a child has provided data to us, contact privacy@multicomply.com and we will delete it immediately.

Parental consent: If processing children's data is necessary for your business (e.g., school records), YOU are responsible for obtaining valid parental consent under GDPR Article 8.

14. Cookies & Tracking Technologies

14.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us provide essential functionality and improve your experience.

14.2 Cookie Consent

When you first visit our website, we display a cookie banner asking for your consent to non-essential cookies.

Your choices:

✅ Accept All – All cookies enabled
❌ Reject All – Only essential cookies
⚙️ Cookie Settings – Choose specific categories

14.3 Managing Cookies

Change preferences anytime:

Click "Cookie Settings" in website footer
Adjust your browser settings to block cookies (may affect Service functionality)

For detailed cookie information, see our Cookie Policy.

15. Do Not Track Signals

Some browsers offer "Do Not Track" (DNT) signals. We do not currently respond to DNT signals because there is no industry-wide standard for interpretation.

If you do not want to be tracked:

Reject analytics cookies via our Cookie Settings
Use browser privacy modes or ad blockers
Disable JavaScript (may break Service functionality)

16. Changes to This Privacy Notice

16.1 When We Update

We may update this Privacy Notice to reflect:

Changes in data processing practices
New features or services
Legal or regulatory requirements
Feedback from users or NAIH

16.2 How We Notify You

Material changes: 30 days' email notice + banner on website
Minor changes: Updated "Last Updated" date + website posting

16.3 Material Changes Include

New categories of personal data collected
New purposes of processing
New third-party processors
Changes to international transfers
Reductions in data subject rights

16.4 Your Rights

You may:

Review updated Notice before it takes effect
Object to changes (contact privacy@multicomply.com)
Terminate your subscription if you disagree with material changes

Version history: multicomply.eu/privacy/changelog

17. Contact Us

Questions about this Privacy Notice or your data?

Privacy Inquiries

Email: privacy@multicomply.com
Subject: "Privacy Inquiry"

Data Subject Rights

Email: privacy@multicomply.com
Subject: [Request Type]
(e.g., "Data Access Request")

General Contact

József Juhász
Katona József utca 14.
Kecskemét, Hungary
info@multicomply.com

Complaint to DPA

NAIH
ugyfelszolgalat@naih.hu
naih.hu

BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY NOTICE AND AGREE TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR PERSONAL DATA AS DESCRIBED HEREIN.

Document ID: MCOMPLY-PRIVACY-2026-01-01

Version: 1.0

Effective Date: 26 November 2025

Last Updated: 26 November 2025

GDPR Compliance: Articles 12-14 (Transparency), Articles 15-22 (Data Subject Rights), Article 32 (Security), Articles 33-34 (Breach Notification)