Planning Poker (Gergely Bihary E.V.) (the “Company”) processes personal data in connection with the use of its website at https://planningpoker.live (the “Website”) and in connection with its other economic activities, according to the conditions of the present privacy policy (the “Policy”). The subjects of the processing are (1) the visitors and/or users of the Website, (2) the users of the Service, and (3) other contractual partners.

If you do not wish to provide your personal information as required on the Website, you acknowledge that you may not be able to access the Service of the Company or any of its elements.

1. General conditions:

1.1 The data controller:

– name: Gergely Bihary E.V.

– Company registry Nr.: 68867193-6201-231-01

– Registered at: Budapesti Iparkamara

– Contact:

o registered seat: 1028, Budapest, Kevélyhegyi utca 12/a.

o represented by: Gergely Bihary

o telephone: + 36 30 518 5825

o e-mail: hello@planningpoker.live

o website: www.planningpoker.live

1.2 Purpose of the Policy

The purpose of this Policy is to ensure, by following the rules below in respect of the processing of personal data, the protection of the personal data of the natural persons concerned and respect for the privacy of the data subjects concerned and for their freedom of personal data self-determination, in order to safeguard the data from accidental or purposeful harm, disclosure or access by unauthorized persons.

The purpose of the Policy is also to inform the data subjects, before the processing of data, about the Company’s method of data handling and about the facts, rights and obligations related to data processing. To this end, the Company shall make this Policy available to the data subjects on a continuous basis on its website (see point 1.1).

1.3 The scope of the Policy

The material scope of the Policy extends to all types of personal data processed by the Company, irrespective of their source, their date or their form.

The personal scope of the Policy extends to all contractual partners of the Company (clients, suppliers), the users of the Service, the clients of the Company and the visitors of its Website. The scope does not include the processing of the personal data of the Company’s employees.

1.4 Legal background

– Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

– Act CXII. of 2011 on the right to information self-determination and information freedom (Infotv.)

1.5 The principles of processing

In the course of its data processing activities, the Company ensures that the Hungarian and EU legal principles governing the processing of personal data are always enforced, namely:

– the processing of personal data is conducted lawfully and fairly, in a way that is transparent to the data subject (principles of legality, fairness and transparency);

– the collection and management of personal data can only be done for a clear and legitimate purpose (purpose limitation principle);

– the processed data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

– the data is accurate and, where necessary, kept up to date; personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (principle of “accuracy”);

– the storage of personal data may take place only for the time necessary to achieve the purpose of data processing (principle of storage limitation); and

– that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

– The Company shall always maintain a data controlling system that enables it to demonstrate that its data controlling activities comply with the above principles (accountability principle).

2. Information on data processing activities carried out by the Company

2.1 Data processing activities in connection with the registration on the Website

Purpose: Providing users with registration-related services available on the Website.

Legal basis: The consent of the data subject.

Categories of personal data: The personal data provided by the user / recipient of the website when registering on the Website, namely nickname, email address, username of the data subject.

Duration of the storage of personal data: Until the consent is withdrawn, or otherwise no longer than a period of up to 1 year from the last date of activity.

The Company does not undertake data transfers.

2.2 Use of Cookies

Purpose: The Company uses cookies to ensure the effective operation of the Website, to provide the Services and functions, to improve the browsing experience, to measure the visitor data of the website, to enhance the user experience and to improve the Service. Cookies are short text files that are stored by the viewed websites on the user’s computer. There are permanent cookies, which are stored by the computer for a specific time provided that the user has not deleted them earlier, and temporary cookies, which are not stored by the computer and are automatically deleted when the browser is closed.

Types of cookies used by the Company:

1. Cookies for the effective operation:

Purpose: The so-called ce_session cookies help the site to function, by storing the name of the registered users on the site to facilitate re-login and easier handling of the page.

Legal basis: legitimate interest of the Company in the effective operation of the Website and the continuity of its business.

2. Third parties, statistical cookies

Google Analytics is a tool developed by Google Inc. (1600 Amphitheater Parkway, Mountain View, CA 94043, USA) and used worldwide. It is a so-called third-party cookie that registers users’ activity on the site anonymously, that is, without identifying the specific user and without making the user identifiable. With Google Analytics, the Company can receive visitor information and statements that can help enhance the Company’s website or services. Such data may include the number of visitors to the website; information about where and from which other website the visitor arrived; which pages of the website the visitor viewed and in what order, etc. Learn more about Google Analytics cookies on this link.

The user can block / disable cookies by configuring the settings of their browser, but in this case the user will need to consider that many features of the site being visited, or even the whole site, will not be available or usable until the use of cookies is re-enabled.

Please note that if cookies are blocked, many features of the Website or even the entire Website will not be available or usable until the cookies are re-enabled, that is, until the blocking is lifted.

For the most frequently used browsers, how to block cookies is described in the following websites:

Mozilla Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn

Microsoft Internet Explorer: http://windows.microsoft.com/hu-hu/windows-vista/block-or-allow-cookies

Google Chrome: https://support.google.com/chrome/answer/95647?hl=hu

Apple Safari: https://support.apple.com/hu-hu/guide/safari/manage-cookies-and-website-data-sfri11471/mac

The sites, information and accessories available on the above links are completely independent of the Website and its service provider, so the Company assumes no liability whatsoever with respect to their availability or use.

2.3. Data processing activities conducted in connection with the provision of planning poker voting/estimation service

Purpose: The Company processes the personal data provided by its users during registration to provide the Service.

Legal basis: The processing of personal data is necessary for the performance of the contract between the Company and the Data Subject (in this regard, the data subject that uses the Service).

Categories of personal data: In this regard, the Company processes the full name of the users. When invited to a game, only a nickname is required, which can be a fictional name as well.

The users may sign up for permanent or paid accounts, in which case their e-mail address, full name and invoicing details are processed. In case the Data Subject signs up for a Subscription, we will collect the basic data about the subscription. Payment is made through third party platforms, credit card details are not processed by Us.

Storage period: The financial data related to the provision of the Service will be retained for 8 years from the date of issuance of the accounting certificate under Act C of 2000 on Accounting. Other personal data will be retained for 5 years from the date of performance of the Service or termination of the contract.

2.4 The processing of the contact information of the Company’s contractual partners

Purpose: The contact details of employees, senior officers (business partners, suppliers) of the Company, are processed by the Company in order to maintain contacts, fulfill obligations and exercise rights.

Legal basis: the legitimate interest of the Company. We establish that our legitimate interest to contact our contractual partners in order to facilitate contracting, communication or other purposes supersedes the rights to privacy of our respective contractual partner.

The Company’s legitimate interest: the processing of data is based on the legitimate interest of the Company to facilitate continuous liaison between its contractual partners and the Company in order to promote and monitor the contractual relationship between the Company and the contractual partner. The Data Subject is allowed to object to data processing at any time.

Categories and source of personal data: Personal data supplied by the contractual partner, therefore name, contact information, position.

Retention period: 5 years from the termination of the contract between the contracting partner and the Company. Documents relevant for accounting purposes are retained for at least 8 years under Act C of 2000 on Accounting.

The Company does not conduct data transfers.

3. Data transfers to foreign countries, data processing, persons handling personal data

3.1 The Company does not transmit data to third parties (non-EEA).

3.2 In case of the performance of specific tasks related to data processing the Company undertakes to only involve such other data processors – based on the conditions of individual data processing agreements entered into with each partner – who can supply assurances of their expertise, reliability and availability of resources to provide a service that meets the requirements of the GDPR regarding data security and organizational measures.

The data processors used by the Company are listed in point 2.

The data processors perform their data processing activity entrusted to them in the name of the Company as a data controller. After performing the data processing service, the data processor deletes or returns all personal data to the controller, unless otherwise provided by law.

4. Technical and organizational measures ensuring the security of the processing:

According to Article 32 (1) GDPR the Company as a data controller and the data processors employed must carry out the appropriate technical and organizational measures in order to guarantee an adequate level of data security to the extent of the risk of data processing. In doing so, the data controller shall take particular account of the risks arising from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data processed, stored or transmitted.

The data controller shall take the following technical / organizational measures:

The computing system of the Company and the place of data retention are the most secure webserver providing cloud services. Access to the data requires a password and multi-factor authentication that is only known to the authorized employees / owners and is changed at short intervals. The Company keeps its antivirus system and security software / procedures up to date to ensure an adequate level of protection against computer fraud, burglaries, and attacks.

The Company shall monitor and investigate all incidents that impact the usage of the service. It shall strive to keep its software components up-to-date and its employees trained to the highest standards of secure software development. In case of an incident, the Company shall validate the scope and impact on its users. In case of leakage of sensitive information, it shall immediately inform its affected users and take the necessary steps to mitigate the incident.

The Company shall keep all of its dependencies and infrastructure up-to-date. It shall always validate the security practices of services it depends on and should regularly check their validity. It should, where possible, employ automatic tools that keep its dependency tree up-to-date.

5. Rights and procedures of the Data Subject

5.1 Right to be informed

The Data Subject is entitled to always receive adequate information from the Company with the content specified in Articles 13-14 and 34 of the GDPR. Such information is provided by the Company in a clear, intelligible, transparent and easily accessible form, in writing, including in electronic format.

5.2 Right of Access

The Data Subject is entitled to receive confirmation from the Company as to whether its personal data is being processed and, if such processing is being performed, the Data Subject is entitled to access such data and receive information on their contents as set forth by Article 15 GDPR: the purpose of the data processing, the categories of personal data, the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations, the envisaged period for which the personal data will be stored, the data subjects’ rights, the right to lodge a complaint with the relevant authority, the source of the data and the existence of automated processing. The Company operates a so-called Data Subject Access Portal for the handling of such requests.

5.3 Right to rectification

The Data Subject has the right to obtain from the Company without undue delay the rectification of inaccurate personal data concerning him or her.

5.4 Right to erasure

The Data Subject shall have the right to obtain from the Company the erasure of personal data concerning him or her without undue delay and the Company shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

– the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

– the Data Subject withdraws consent on which the processing is based and there is no other legal ground for the processing;

– the data subject objects to the processing and there are no overriding legitimate grounds for the processing;

– the personal data have been unlawfully processed;

– the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

– the personal data have been collected in relation to the offer of information society services for children.

The Data Subject may not request the deletion of personal data and the Company is not required to delete the data if data processing is necessary for the purposes of Article 17 (3) of the GDPR, in particular if (i) it is necessary to exercise the right to freedom of opinion and the right of access to information, or (ii) it is necessary for the compliance with, or enforcement of, obligations under EU or Hungarian law applicable to the Company, or if it is necessary for the establishment, exercise and defence of legal claims.

5.5 Right to restriction of processing

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The Data Subject may restrict the processing if:

– the accuracy of the personal data is contested by the Data Subject, for a period enabling the Company to verify the accuracy of the personal data;

– the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;

– the Company no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;

– the Data Subject has objected to processing pending the verification whether the legitimate grounds of the Company override those of the data subject.

5.6 Right to data portability

The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Company, where:

a) the processing is based on consent or on a contract; and

b) the processing is carried out by automated means.

5.7 Right to withdraw consent

The Data Subject shall be entitled to withdraw his or her previously given consent at any time; however, the withdrawal of the consent does not affect the legality of the previous data processing.

5.8 Exercise of the Data Subject’s rights

The Data Subject can exercise its rights listed in point 5 of the present Notice by submitting a request via e-mail to hello@planningpoker.live.

The Company is obliged to promote the exercise of the Data Subject’s rights, in which it will do its utmost to eliminate and/or rectify any breach of the law. If the Company has reasonable doubts about the identity of the Data Subject, it may request further information to confirm the identity of the Data Subject.

The Company informs the Data Subject of any measures taken following his or her inquiry, without undue delay, but in any event within one month from the receipt of the request. If necessary, e.g. due to the complexity or large number of requests, this deadline may be extended by another two months. Where the request is submitted electronically, the Company shall, if possible, provide the information electronically, unless the Data Subject requests otherwise.

If the Company does not consider it reasonable to take action, it shall inform the Data Subject without undue delay and at the latest within one month of the receipt of the request of the Data Subject, indicating the reasons for the failure to act and providing information that the Data Subject may file a complaint with the competent supervisory authority and may turn to court as well.

In the scope of enforcement of the law, the Company fulfills its information provision obligation and other acts at its own expense. If the request of the Data Subject is clearly unjustified or exaggerated due to its particularly repetitive nature, the Company may charge a reasonable fee or deny the action based on the request.

5.9 Right to lodge a complaint

If you do not agree with our procedures regarding your personal data or you have any complaints regarding the handling of your personal information, you may contact the supervisory authority:

– Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) (“Hungarian Data Protection and Information Freedom Authority”)

– Falk Miksa utca 9-11, 1055 Budapest, Hungary

– Telephone: 1-391-1400

– fax: 1-391-1410

– E-mail: ugyfelszolgalat@naih.hu

– website: www.naih.hu

5.10 Right to court proceedings

In the event of a violation of the rights of the Data Subject, it may file a complaint against the data controller’s action within the ever-applicable legal framework. The Data Subject is also entitled to initiate proceedings before the competent court of domicile or residence.

7. Most important terms used in the present Notice

data subject: an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly;

personal data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

genetic data: means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

biometric data: means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

data concerning health: means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

consent of the data subject: means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

objection: a statement of the data subject, in which he or she objects to the processing of his or her personal data, and requests the termination of processing and/or the deletion of personal data;

controller: the natural or legal person who determines the purposes and means of the processing of personal data;

data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Budapest, 2022.08.02