Privacy Notice
Last updated: 23 January 2026
1. Introduction
This Privacy Notice ("Notice") explains how Bright Path Makers Kft. ("we", "us", "our") processes personal data in connection with:
- visitors of our websites,
- business contacts and representatives of our customers and partners,
- users and personal data processed within our SaaS products and related services.
We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Hungarian data protection laws.
This Notice applies regardless of the country of residence of the data subject (including non-EU customers).
2. Data Controller
Data Controller:
- Name: Bright Path Makers Korlátolt Felelősségű Társaság
- Registered seat: 1221 Budapest, Ady Endre út 89., Hungary
- Company registration number: 01-09-450726
- E-mail: info@brightpathmakers.com
- Website: https://brightpathmakers.com
3. Main Processing Activities Covered
This Notice covers three main categories of processing:
- Website visitors – data generated when you browse our websites.
- Business contacts – data relating to our customers’, prospects’ and partners’ contact persons (B2B context).
- Data inside our SaaS products – where, in most cases, our customer is the Data Controller, and Bright Path Makers acts as a Data Processor. This is further governed by a separate Data Processing Agreement (DPA).
4. Website Visitors
4.1 Categories of personal data
When you visit our website(s), we may process:
- IP address,
- date and time of visit,
- URLs visited and referrer URL,
- browser type and version, operating system,
- if you contact us via e-mail or contact form: your name, e-mail address and message content, and any other information you choose to provide.
We do not use cookies or similar tracking technologies on our public website(s) as of the date of this Notice.
4.2 Purposes and legal bases
Purposes:
- to operate, secure and improve our websites and online services,
- to troubleshoot, prevent abuse and ensure IT security,
- to respond to enquiries sent via e-mail or contact forms.
Legal bases:
- GDPR Article 6(1)(f) – legitimate interest (e.g. ensuring IT security, stable operation, troubleshooting),
- for enquiries and pre-contract communication: GDPR Article 6(1)(b) (steps prior to entering into a contract, where relevant) and/or GDPR Article 6(1)(f) (legitimate interest in maintaining business communication).
4.3 Retention period
- Log files and technical records: typically kept for 30 days for security and troubleshooting, unless a longer retention is required in the context of a specific incident.
- Enquiries (e-mail/contact form): kept for the duration of the communication and, where relevant, for the limitation period of potential legal claims (generally up to 5 years).
5. Business Contacts (B2B)
5.1 Categories of personal data
In the context of customer, prospect and partner relationships, we may process:
- name of the contact person,
- position / job title,
- company name,
- business e-mail address and telephone number,
- information about meetings, calls, e-mails, proposals and negotiations (communication history).
5.2 Source of the data
We typically receive your business contact data from you, your employer/organisation, or from publicly available business sources (e.g. company websites, LinkedIn).
5.3 Purposes and legal bases
Purposes:
- entering into and performing contracts with customers and partners,
- managing offers, negotiations and ongoing business communication,
- invoicing and accounting,
- enforcing or defending legal claims.
Legal bases:
- GDPR Article 6(1)(f) – legitimate interest (e.g. managing and maintaining business relationships, administration, enforcing/defending claims),
- GDPR Article 6(1)(b) – where the data subject is a contracting party (e.g. sole trader) or where processing is necessary to take steps at the request of the data subject prior to entering into a contract,
- GDPR Article 6(1)(c) – compliance with a legal obligation (e.g. statutory accounting and tax obligations).
5.4 Retention period
- Data in contracts, orders, invoices and related documents: retained according to statutory retention periods (e.g. 8 years for accounting documents under Hungarian law).
- Other business communication and contact data: kept for the duration of the business relationship and for the limitation period of legal claims (typically up to 5 years after the end of the relationship), unless a longer period is required by law.
6. Data Processed Inside Our SaaS Products
In our SaaS solutions, personal data is primarily processed as follows:
- Our customer (your organisation) is the Data Controller with respect to the data entered into the system.
- Bright Path Makers Kft. is the Data Processor, providing the technical platform and related services.
- For account administration, billing, and security operations relating to our own services, Bright Path Makers may act as Data Controller.
This relationship is governed by a Data Processing Agreement (DPA) concluded with each customer.
6.1 Typical data categories
Depending on configuration and customer use case, the system may process:
- user accounts (name, business e-mail, role/permissions, login events),
- contact persons linked to assets, services or incidents,
- personal data appearing in incident records, audit logs, risk registers or other documentation,
- notes or descriptions entered by the customer’s users.
The exact categories depend on what the customer chooses to store in the system.
6.2 Purposes and legal bases
Purposes:
- to provide and operate the SaaS products,
- to support customers in NIS2/AI governance/compliance, asset and incident management, audit and reporting,
- to maintain security, stability and performance of the service (backups, monitoring, logging).
Legal bases:
- The legal basis for processing personal data within the SaaS is determined by the customer as Data Controller (e.g. performance of employment or service contracts, legal obligation, legitimate interest, etc.).
- As Data Processor, we process such data only on the documented instructions of the customer, in line with GDPR Article 28.
6.3 Our main obligations as Data Processor (summary)
As Data Processor we commit to:
- process personal data only on the customer’s documented instructions;
- implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (access control, encryption where applicable, backup, logging, secure development and operations);
- ensure that persons authorised to process personal data are bound by confidentiality;
- assist the customer in responding to data subject requests (access, deletion, etc.) where feasible;
- notify the customer without undue delay after becoming aware of a personal data breach affecting the customer’s data;
- cooperate with supervisory authorities where required.
6.4 Sub-processors and international data transfers
We may use sub-processors (e.g. hosting providers, e-mail providers, logging or monitoring services) to support our SaaS operations.
Information about our sub-processors is available upon request at info@brightpathmakers.com (and, for SaaS customers, in the applicable DPA).
If personal data is transferred outside the EU/EEA, such transfers are carried out in compliance with Chapter V GDPR, for example based on:
- an adequacy decision of the European Commission, or
- appropriate safeguards such as Standard Contractual Clauses (SCCs).
7. Recipients of Personal Data
Depending on the context, personal data may be shared with:
- IT infrastructure and hosting providers,
- e-mail and communication service providers,
- external IT maintenance or security service providers (where engaged),
- accounting and legal advisors,
- authorities and courts, where we are legally obliged to do so or to enforce our rights.
In each case we ensure that the recipient only receives data which is strictly necessary for the given purpose and that appropriate safeguards are in place.
8. Data Security
We take data security seriously and apply appropriate technical and organisational measures, which may include:
- role-based access control and least-privilege principles,
- secure authentication and password policies,
- encrypted communication channels (e.g. TLS),
- secure configuration and hardening of infrastructure,
- regular backups with restricted access,
- logging and monitoring of key system activities,
- internal policies and staff training on information security and confidentiality.
The exact measures depend on the specific system and risk level and are continuously reviewed and improved.
9. Automated decision-making
We do not carry out automated decision-making (including profiling) that produces legal or similarly significant effects on data subjects.
10. Data Subject Rights
Under the GDPR, data subjects have several rights in relation to their personal data, including:
- Right of access – to obtain confirmation as to whether personal data concerning them is processed, and to receive a copy;
- Right to rectification – to have inaccurate personal data corrected and incomplete data completed;
- Right to erasure – in certain cases, to request deletion of personal data ("right to be forgotten");
- Right to restriction of processing – in specific circumstances;
- Right to data portability – where processing is based on consent or contract and carried out by automated means;
- Right to object – to processing based on legitimate interests;
- Right to withdraw consent at any time, where processing is based on consent (this does not affect the lawfulness of processing before withdrawal).
Requests can be submitted via:
- E-mail: info@brightpathmakers.com
Important for SaaS data: where we act as Data Processor, data subject requests should primarily be addressed to our customer (the Data Controller). We support our customers in fulfilling such requests, in line with the DPA.
11. Complaints and Legal Remedies
If a data subject believes that their personal data is processed in breach of data protection laws, they may:
- lodge a complaint with the competent supervisory authority, in particular in the EU Member State of their habitual residence, place of work or place of the alleged infringement.
For our EU operations, the competent supervisory authority is in particular:
Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
- Address: 1055 Budapest, Falk Miksa utca 9–11., Hungary
- Website: https://www.naih.hu
Additionally, data subjects have the right to seek judicial remedy before the competent courts.
12. Changes to this Notice
We may amend this Privacy Notice from time to time, for example in case of:
- changes in applicable laws,
- changes in our services or internal processes,
- engagement of new service providers or sub-processors.
We will publish the updated version on our website and indicate the date of the latest revision.