Privacy Notice

1. Introduction

1.1. Purpose of data processing

The purpose of this Privacy Notice (hereinafter: “Privacy Notice”) is for Doritas Kft., as data controller (hereinafter: “Data Controller”), to describe the data protection rules, procedures and safeguards applicable to all data processing activities of the Data Controller – in particular, to personal data obtained through the website operated by the Data Controller (nexorysolutions.eu, hereinafter: “Website”) – and to personal data used and processed within the Data Controller’s organisation.

The Data Controller also informs its customers, partners, and any natural or legal persons who have any legally relevant relationship with the Data Controller and become data subjects during the processing of their personal data, about the rules governing the processing of personal data, the safeguards and procedures applied, and the method of data processing.

1.2. Statement

The Data Controller considers the rules, provisions and obligations set out in this Privacy Notice to be legally binding upon itself and applies them in its operations, and declares that the data protection rules and procedures described and applied in this Privacy Notice comply with the applicable national and European Union data protection laws. The Data Controller further declares that it considers the right to informational self-determination important, especially with regard to personal data, and within its scope it takes all available organisational, operational, regulatory and technological measures to ensure compliance with and enforcement of these rights.

1.3. Availability of the Privacy Notice

The current version of the Privacy Notice is available at: https://nexorysolutions.eu/adatkezelesi-tajekoztato

The Data Controller may amend this Privacy Notice at any time, subject to publication and the obligation to inform data subjects.

The Data Controller provides information related to this Privacy Notice electronically. Questions regarding this Privacy Notice may be submitted by sending an e-mail to hello@nexorysolutions.eu.

2. Service provider details

2.1. Data Controller details

Name: Doritas Kft.
Registered office: 6791 Szeged, Vadliba street 17., Hungary
Tax number: 24744089-2-06
E-mail: hello@nexorysolutions.eu
Phone: +36307252035

The Data Controller stores incoming data protection inquiries for one (1) year.

2.2. Hosting provider details

Company name: Sybell Informatika Kft.
Registered office: 1158 Budapest, Késmárk str. 7/b 2nd floor 206., Hungary
Company registration number: 01-09-293034
Tax number: 25859502-2-42
EU VAT number: HU25859502
Data processing registration number: NAIH-83705/2018
E-mail: info@sybell.hu
Phone: +36 1 707 67 26
Representative of the Data Controller: Ferenc Szilvágyi
Data Protection Officer: Adrienn Gajdóczy

3. Definitions

Data processing: The performance of technical tasks related to data processing operations, regardless of the method and means used for the execution of the operations and the place of application, provided that the technical task is performed on the data.

Data processor: A natural or legal person, or an organisation without legal personality, who/which processes data on the basis of a contract concluded with the data controller – including a contract concluded pursuant to a legal requirement.

Data processing (processing of personal data): Any operation or set of operations performed on data, regardless of the procedure applied, in particular collection, recording, organisation, storage, alteration, use, retrieval, transmission, disclosure, alignment or combination, restriction, erasure and destruction, as well as preventing further use of the data; taking photographs, audio or video recordings; and recording physical characteristics suitable for identifying a person (e.g. fingerprint or palm print, DNA sample, iris image).

Data controller: A natural or legal person, or an organisation without legal personality, who/which alone or jointly with others determines the purposes of processing personal data, makes and implements decisions regarding processing (including the means used), or has a data processor carry out such processing on its behalf.

Data transfer: Making data accessible to a specific third party.

Erasure: Rendering data unrecognisable in such a way that its restoration is no longer possible.

Restriction of processing (blocking): Marking data with an identifier to limit further processing permanently or for a specific period.

Cookie: When the data subject visits the Website, a small file called a cookie is placed on their computer, which may serve various purposes. Some cookies are essential for the proper functioning of the Website (session cookies), while others collect information about Website usage (statistics) to make the Website more convenient and useful. Some cookies are temporary and disappear when the browser is closed, while persistent cookies remain on the device for a longer period.

For details, see Annex No. 1 (Cookie Notice).

Data subject/User: Any identified or identifiable natural person who can be identified directly or indirectly on the basis of personal data.

Third party: A natural or legal person, or an organisation without legal personality, who/which is not the data subject, the data controller or the data processor.

Consent: A freely given, specific and informed indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them (either comprehensively or limited to certain operations).

Special category of personal data: Personal data revealing racial origin, nationality, political opinion or party affiliation, religious or other philosophical beliefs, trade union membership, sexual life; personal data concerning health status, addictions; and criminal personal data.

Visitor: A natural person who loads the nexorysolutions.eu website in their browser.

Disclosure: Making data accessible to anyone.

Personal data: Any information relating to the data subject – in particular the data subject’s name, identification mark, and one or more factors specific to their physical, physiological, mental, economic, cultural or social identity – and any conclusion that can be drawn from the data relating to the data subject.

Objection: A statement by the data subject objecting to the processing of their personal data and requesting termination of processing and/or erasure of the processed data.

4. Data processed

4.1. Data processed for statistical purposes

Data subjects: Visitors of the Website.

Legal basis: In the case of an IP address, the Data Controller’s legitimate interest; otherwise, the data subject’s voluntary consent.

Purpose: Ensuring the intended and high-quality operation of the Website; monitoring and improving service quality; identifying malicious users attacking the Website; measuring traffic; statistical purposes.

Possible consequences of failure to provide data: Improper operation and development of the Website; improper development of products and services.

Data processed: Cookies; click meters (which in themselves do not qualify as personal data, i.e. the user cannot be identified from this information); information on interests, habits and preferences (browsing history).

Retention period: Personal data is stored for a maximum of 30 days.

4.2. Data related to online administration

Data subjects: Users who contact the Data Controller via the “Contact” menu or by e-mail to hello@nexorysolutions.eu.

Legal basis: The data subject’s voluntary consent.

Purpose: Responding to the data subject’s questions; sending a quotation; responding to comments and potential complaints.

Possible consequences of failure to provide data: Provision of the service / response is not possible.

Data processed: Name, e-mail address, phone number.

Retention period: 3 years.

4.3. Data related to online orders

Data subjects: Users who place an order on the Website.

Legal basis: Performance of a contract.

Purpose: Fulfilment of the order; issuing an invoice.

Possible consequences of failure to provide data: Fulfilment of the order is not possible.

Data processed: Name, e-mail address, billing address, phone number.

Retention period: For the period prescribed by applicable laws.

4.4. Data related to contractual relationships

Data subjects: Non-natural persons entering into a contractual relationship with the Data Controller for the performance of services.

Legal basis: Performance of a contract.

Purpose: Contracting; performance of the requested service.

Possible consequences of failure to provide data: Performance of the requested service is not possible.

Data processed: Name, e-mail address, phone number, billing address, mailing address, tax number, company registration number, date of conclusion of the contract.

Retention period: The duration of the contract or as determined by the contract and/or applicable laws.

4.5. Data related to invoicing

Data subjects: Non-natural persons entering into a contractual relationship with the Data Controller for the performance of services, and Users who place an order on the Website.

Legal basis: Fulfilment of invoicing obligations.

Purpose: Contracting; performance of the requested service.

Possible consequences of failure to provide data: Performance of the requested service is not possible.

Data processed: Name, e-mail address, phone number, billing address, mailing address, tax number, company registration number, date of conclusion of the contract.

Retention period: The duration of the contract or as determined by the contract and/or applicable laws.

4.6. Data related to newsletters

Data subjects: Users who subscribe to the newsletter list via the Website.

Legal basis: The data subject’s voluntary consent.

Purpose: Sending newsletters, including promotional electronic messages to the data subject; information about current updates, products, promotions, new features; educating data subjects.

Possible consequences of failure to provide data: Without providing an e-mail address, sending newsletters is not possible.

Data processed: Name, e-mail address.

Retention period: Until unsubscribing or a deletion request.

4.7. Data related to advertising

Data subjects: Visitors, and those data subjects who purchased a product or used a service from the Data Controller.

Legal basis: The data subject’s voluntary consent.

Purpose: Displaying interest-based advertisements to the data subject on a third-party platform (e.g. Facebook).

Possible consequences of failure to provide data: Less targeted ads; missing the advertisement of a product that interests the data subject.

Data processed: IP address, name, e-mail address.

Retention period: For IP addresses, the provisions set out in the “Cookie Notice” apply. For consent-based processing, until a deletion request.

4.8. (Technical) data stored by browser cookies

4.8.1. Technical data

Technical data are data that are generated and recorded mostly automatically during the operation of the Data Controller’s systems. Certain technical data are stored and, in some cases, logged automatically by the system without any specific declaration or action by the data subject. Technical data are not directly suitable for identifying the data subject; however, they may be linked with user data, making identification theoretically possible. The Data Controller does not create such links, except where required by law. Access to technical data is limited to the Data Controller and its data processors.

4.8.2. Purpose of cookies

An HTTP cookie is a small data package created by the server of the visited website with the help of the client’s web browser during internet browsing, on the occasion of the first visit (if enabled in the browser). Cookies are stored on the user’s computer in a location that depends on the browser type. During subsequent visits, the browser sends the stored cookie back to the web server along with various information about the client. Cookies enable the server to identify the user, collect information about them and prepare analyses. The main functions of cookies include:

collecting information about visitors and their devices;
remembering visitors’ individual settings that may be used e.g. during online transactions, so they do not need to be re-entered;
making the use of the website easier, more convenient and smoother;
making it unnecessary to re-enter data already provided;
generally improving the user experience.

By using cookies, the Data Controller carries out data processing, the main purposes of which are:

user identification;
identification of sessions;
identification of devices used for access;
storing certain provided data;
storing and transmitting tracking and location information;
storing and transmitting data required for analytics measurements.

4.8.3. Cookies used on the Website

A detailed description of cookies used on the Website is available at: https://nexorysolutions.eu/cookie-suti-tajekoztato/

4.8.4. Disabling cookies and setting cookie preferences

The data subject may set rules for certain types of cookies (e.g. not using cookies, disabling cookies, etc.) via the appropriate settings of the browser used. Information on selectively or generally disabling cookies can be found in the browser’s “Help” menu.

In most browsers, the “Help” function provides information on how to:

disable cookies in general;
set how cookies are accepted (automatic acceptance, ask one by one, etc.);
disable cookies individually;
delete cookies individually or in groups;
perform other cookie-related operations.

4.8.6. Further information about cookies

Further information about cookies used on the Website is available in the Cookie Notice: https://nexorysolutions.eu/cookie-suti-tajekoztato

5. Data processing principles and laws

5.1. General data processing principles

In the data processing activities listed under Section 4 of this Privacy Notice, the Data Controller processes personal data in all cases for the purpose indicated and on the legal basis indicated therein, in accordance with the laws listed in Section 5.2.

Personal data are processed in all cases based on legitimate interest, legal obligation, or the data subject’s voluntary consent. The data subject may withdraw consent at any time.

Due to legal obligations, in certain cases and under exceptional conditions, the Data Controller may be required to process, disclose, transfer or store personal data differently from what is described in the specific processing activities. In such cases, the Data Controller will ensure that data subjects are informed, provided that the relevant legal provisions allow this or do not expressly prohibit it.

5.2. Laws providing the legal basis for processing

The Data Controller processes personal data based on the following legislation:

Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) (GDPR);
Act V of 2013 on the Civil Code (Hungary) (Ptk.);
Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.);
Act CVIII of 2001 on Electronic Commerce Services and Certain Issues of Information Society Services (especially Section 13/A);
Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers;
Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities (especially Section 6);
Act XC of 2005 on Electronic Freedom of Information;
Act C of 2003 on Electronic Communications (especially Section 155);
Opinion No. 16/2011 on EASA/IAB recommendations on best practice for behavioural online advertising.

6. Data storage and security

6.1. Method of IT storage and logical security

The Data Controller processes personal data primarily on an appropriately built and protected IT system. During the operation of the IT system, it ensures an adequate level of the basic information security attributes of stored, processed and transmitted data, namely:

Integrity: the originality and immutability of the data are ensured;
Confidentiality: only authorised persons have access, and only to the extent of their authorisation;
Availability: data are accessible and available to authorised persons within the expected availability period; the necessary IT infrastructure is operationally available.

The Data Controller protects the processed data with a structured system of:

organisational and operational;
physical security; and
information security

safeguards. The system and levels of safeguards are designed and operated proportionally to the risks arising from threats to the protected data. From a data protection perspective, safeguards primarily aim to protect against accidental or intentional deletion, unauthorised access, intentional and malicious disclosure, accidental disclosure, data loss and data destruction.

7. Data transfer, data processing, and persons with access to data

Data may primarily be accessed by the Data Controller and its internal staff, to the extent permitted under the authorisation rules, the authorisation system and other internal policies. The Data Controller has certain operations and tasks performed by third-party data processors. Beyond those listed, the Data Controller does not publish the data and does not transfer them to other third parties.

Company name	Address	Activity	Role	Categories of transferred data

8. Rights of data subjects

8.1. General rights

In relation to their personal data processed by the Data Controller, the data subject may exercise, among others, the rights described below.

Data subjects may at any time request information in writing from the Data Controller about the manner of processing their personal data, indicate a request for erasure or rectification, and withdraw previously given consent using the contact details provided in Section 1.3.

The right to erasure cannot be exercised with respect to processing that is mandatory under law.

8.2. Right to information

Upon request, the Data Controller provides the data subject with the information listed in Articles 13 and 14 of the GDPR relating to the processing of personal data, as well as the information pursuant to Articles 15-22 and 34, in a concise and clear form.

8.3. Right of access (GDPR Article 15)

The data subject is entitled to receive confirmation from the data controller as to whether personal data concerning them are being processed. If processing is ongoing, the data subject has the right of access to the following information:

the personal data concerned;
the purpose(s) of processing;
the categories of personal data;
the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
the envisaged retention period;
the data subject’s right to rectification, erasure or restriction of processing, and to object to processing;
the right to lodge a complaint with a supervisory authority;
all available information on the source of the data;
the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences for the data subject.

The Data Controller provides one (1) copy of the personal data undergoing processing to the data subject. For additional copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs. If the data subject submitted the request electronically, the Data Controller will provide the information in a commonly used electronic format (unless the data subject requests otherwise) within a maximum of 30 days from submission.

8.4. Right to rectification (GDPR Article 16)

The data subject has the right to obtain from the Data Controller, without undue delay, the rectification of inaccurate personal data concerning them and has the right to have incomplete personal data completed, taking into account the purposes of processing.

8.5. Right to erasure (“right to be forgotten”) (GDPR Article 17)

The data subject has the right to request that the Data Controller erase personal data concerning them without undue delay, and the Data Controller is obliged to erase such personal data as soon as possible, but no later than within five (5) working days, if any of the following grounds apply:

the data were processed unlawfully (without legal authorisation or personal consent);
the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
the data subject withdraws consent on which the processing is based and there is no other legal ground;
the data subject objects to the processing and there are no overriding legitimate grounds;
the personal data have been unlawfully processed;
the personal data must be erased to comply with a legal obligation under EU or Member State law applicable to the Data Controller;
the personal data were collected in relation to the offer of information society services.

Erasure cannot be requested where further processing is necessary:

for compliance with a legal obligation under EU or Member State law applicable to the Data Controller;
for exercising the right of freedom of expression and information;
for reasons of public interest;
for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes;
for the performance of a task carried out in the public interest or in the exercise of official authority;
for reasons of public interest in the area of public health;
for the establishment, exercise or defence of legal claims.

8.6. Right to restriction of processing (GDPR Article 18)

At the data subject’s request, the Data Controller restricts processing where one of the following applies:

the data subject contests the accuracy of the personal data, for a period enabling the Data Controller to verify the accuracy;
the processing is unlawful and the data subject opposes erasure and requests restriction instead;
the Data Controller no longer needs the personal data for processing purposes, but the data subject requires them for legal claims; or
the data subject has objected to processing, pending verification whether the Data Controller’s legitimate grounds override those of the data subject.

During the restriction period, the Data Controller processes the restricted data only if and to the extent that:

the data subject has consented;
it is necessary for the establishment, exercise or defence of legal claims;
it is necessary to protect the rights of another natural or legal person;
it is necessary for reasons of public interest; or
it is necessary for important public interest reasons of the Union or a Member State.

8.7. Right to data portability (GDPR Article 20)

The data subject has the right to receive the personal data concerning them, which they have provided to the Data Controller, in a structured, commonly used and machine-readable format, or to have those data transmitted by the Data Controller to another data controller. The Data Controller fulfils the request as soon as possible, but no later than within 30 days.

8.8. Right to object (GDPR Article 21)

The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them, including profiling. In such cases, the Data Controller may no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

8.9. Rights related to automated decision-making and profiling (GDPR Article 22)

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

This right does not apply if:

processing is necessary for entering into, or performance of, a contract between the data subject and the Data Controller;
the data subject has explicitly consented;
it is authorised by law; or
it is necessary for the establishment, exercise or defence of legal claims.

8.10. Right to lodge a complaint

The data subject may lodge a complaint regarding any data processing activity of the Data Controller.

If the data subject detects an infringement of their rights during the processing of their personal data, they have the right to contact the data protection authority of their country and may also turn to court to lodge a complaint against the Data Controller’s data protection practice. The following options are available:

Contact the Data Controller directly by post or e-mail.
Submit a complaint to the supervisory authority, the National Authority for Data Protection and Freedom of Information (NAIH). Contact details: Address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c. Phone: 06-1-391-1400. E-mail: ugyfelszolgalat@naih.hu
Turn to court in case of unlawful processing of data and/or breach of data security requirements. Under the law, the data subject may be entitled to compensation and/or damages for non-material harm. Information on courts is available at: www.birosagok.hu

Please feel free to contact us via the provided contact details before submitting a complaint to the competent data protection authority.

8.11. Right to withdraw consent

The data subject has the right to withdraw, in writing, their consent given to the Data Controller regarding their data at any time. In such case, the Data Controller immediately and permanently deletes all data processed in relation to the data subject that are not required by law to be retained and are not necessary for the establishment, exercise or defence of legal claims or other legitimate interests. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

9. Method of data storage and safeguards

The Data Controller stores the data it processes – both in paper and electronic form – at its premises. An exception to the above is data stored by the Data Controller’s data processors, which are stored at the data processors’ registered offices.

The Data Controller uses an IT system that ensures that:

the immutability of data can be verified (data integrity);
authenticity is ensured (authenticity of processing);
data are accessible to authorised persons (availability);
and data are protected against unauthorised access (confidentiality).

Protection of data extends in particular to:

unauthorised access;
alteration;
transmission;
erasure;
disclosure;
accidental damage;
accidental destruction;
and becoming inaccessible due to changes in the applied technology.

To protect electronically processed data, the Data Controller applies a solution that provides an adequate level of security in accordance with the state of the art. In assessing adequacy, special emphasis is placed on the level of risk arising during processing. IT safeguards ensure that stored data cannot be directly assigned to or linked with data subjects (unless permitted by law).

During processing, the Data Controller ensures that:

authorised persons can access the data when they need it;
only persons entitled to do so can access the information;
the accuracy and completeness of information and the processing method are protected.

The Data Controller and any data processors it engages provide protection against fraud, espionage, viruses, intrusions, vandalism and natural disasters affecting their IT systems. The Data Controller (and/or the data processor) applies server-level and application-level protection procedures.

Messages transmitted to the Data Controller via the internet – in any form – are particularly exposed to network threats that may lead to modification of information, unauthorised access or other illegal activity. To prevent such threats, the Data Controller takes all measures that are reasonably possible and expected in line with the state of the art. The applied systems are monitored so that security deviations can be recorded, evidence for a security incident can be obtained, and the effectiveness of precautions can be examined.

10. Procedural rules

If a request pursuant to GDPR Articles 15-22 is received by the Data Controller, the Data Controller informs the data subject in writing as soon as possible, but no later than within 30 days, about the measures taken on the basis of the request.

If the complexity of the request or other objective circumstances justify it, the above deadline may be extended once by up to 60 days. The Data Controller informs the data subject in writing of the extension, together with the reasons for the delay.

The Data Controller provides the information free of charge, except where:

the data subject repeatedly requests information/measures with essentially unchanged content;
the request is manifestly unfounded; or
the request is excessive.

In the cases above, the Data Controller is entitled to:

refuse to act on the request; or
charge a reasonable fee based on the administrative costs of providing the information or communication or taking the requested action.

If the applicant requests that the data be provided on paper or on an electronic data carrier (CD or DVD), the Data Controller provides one copy of the data free of charge in the requested manner (unless the chosen platform would be technically disproportionately difficult). For each additional copy requested, the Data Controller charges an administration fee of HUF 500 per page / per CD-DVD.

The Data Controller notifies all persons to whom the personal data were previously disclosed about rectification, erasure or restriction carried out, unless such notification is impossible or would involve disproportionate effort.

Upon request, the Data Controller provides information on the persons to whom the data have been transferred.

The Data Controller responds to the request in electronic form, except where:

the data subject expressly requests a different form and this does not cause unjustifiably high additional costs to the Data Controller; or
the Data Controller does not know the data subject’s electronic contact details.

11. Compensation

If any data subject suffers material or non-material damage as a result of an infringement of data protection laws, they are entitled to claim compensation from the Data Controller and/or the data processor. If both the Data Controller and the data processor(s) are involved in the infringement, they are jointly and severally liable for the damage.

A data processor is liable for damages only if it has not complied with the obligations of data protection laws specifically directed to processors, or if it acted outside or contrary to the lawful instructions of the Data Controller.

The Data Controller and any data processors are liable only if they cannot prove that they are not in any way responsible for the event giving rise to the damage.

12. Legal remedies

12.1. Available remedies

If the data subject has any objection or problem related to the Data Controller’s data processing, they may request information, a remedy, or submit a complaint using the contact details provided in Section 2.2. If these are unsuccessful, the data subject is entitled to turn to court and/or contact the National Authority for Data Protection and Freedom of Information (NAIH).

12.2. Contact details of the National Authority for Data Protection and Freedom of Information (NAIH)

Name: National Authority for Data Protection and Freedom of Information (NAIH)
Registered office: 1055 Budapest, Falk Miksa utca 9-11., Hungary
Mailing address: 1363 Budapest, Pf.: 9, Hungary
Tel.: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu

13. Cooperation with authorities

In the event of an authority’s request or another request based on a legal obligation, the Data Controller may be required or obliged to provide data. In such cases, the Data Controller strives to disclose only the amount and type of personal data that are strictly necessary to fulfil the data provision obligation.

14. Scope of the Privacy Notice

This Privacy Notice entered into force upon publication on the website www.nexorysolutions.eu, on 23 February 2026.

This Privacy Notice may be amended in the event of changes to applicable legislation. The Data Controller reserves the right to amend this Privacy Notice at any time within the framework of applicable laws. The Data Controller informs data subjects in all cases about amendments in accordance with the GDPR principle of transparency.

The Data Controller publishes the current version of this Privacy Notice on its website.