Data Processing Information

The purpose of this data processing notice is to transparently set out the data processing practices and data protection rules of the drcrm.hu online CRM system operated by Syneo International Kft. (hereinafter: "Data Controller"). The notice provides guidance to data subjects—in particular, users of the system, customers, and partners—regarding the following:

● what types of personal data we collect and process,

● the purpose and legal basis of data processing,

● how long we retain the data,

● who may be the recipients of the data,

● as well as what rights data subjects may exercise under the GDPR and domestic legislation.

As a data controller, our primary obligation is to treat the personal data we receive as confidential and to do everything in our power to ensure its security. This information notice has been prepared in accordance with the following legislation:

● Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR),

● Act CXII of 2011 on the right to informational self-determination and freedom of information (Info tv.),

● Act V of 2013 on the Civil Code (Ptk.),

● as well as related Hungarian and EU legislation.

2. Description of the service

Drcrm.hu is a cloud-based CRM (Customer Relationship Management) system accessible via the internet, which aims to provide Hungarian businesses – sole traders, companies, civil organizations, and private individuals with tax numbers – with a solution for managing their customer relationships, sales processes, and partner data.

To use the service, users must register in the system, during which they create their own account. This gives them access to customer management, sales, and contact functions, as well as additional services.

When using the system, the processing of personal data is unavoidable, in particular:

● user data provided during registration and account use,

● data related to customers and partners (name, contact details, company data, contact history),

● data communicated during customer service communications,

● Data provided for newsletters or market research.

Although the service is primarily intended for the management of company data, in certain cases this data may relate to natural persons (e.g., sole traders, contact persons), and is therefore considered personal data.

3. Terms used in this information sheet

The following key terms apply to data processing and the use of this information notice:

Data subject: a natural person whose personal data is affected by data processing.

Personal data: any information that can be used to identify the data subject directly or indirectly (in particular name, email address, telephone number, tax number, bank account number).

Data controller: the legal entity that determines the purpose and means of data processing, in this case Syneo International Kft., 9700 Szombathely, Kürtös utca 5., company registration number: 18 09 115488, tax number: 32173394-2-18, Marcell Szakács.

Data processor: a natural or legal person who performs technical or administrative tasks on behalf of the data controller (e.g., hosting provider, mailing system).

Data processing: any operation performed on personal data (collection, recording, storage, transmission, deletion, etc.).

Consent: a voluntary and unambiguous expression of the will of the data subject, based on adequate information.

Data breach: unauthorized access, loss, alteration, or disclosure of personal data.

These terms shall be interpreted in accordance with the definitions set out in Article 4 of the GDPR.

4. Data processing principles

The Data Controller shall process all personal data in accordance with the GDPR and the principles of the Info Act. Within this framework:

1. Legality, fairness, and transparency – our data processing always complies with the law, and we provide clear and understandable information to data subjects.

2. Purpose limitation – we collect data only for specified, explicit, and legitimate purposes, and we do not process it in a manner incompatible with those purposes.

3. Data minimization – we only process data that is strictly necessary to achieve the stated purpose.

4. Accuracy – we ensure that personal data is accurate and up to date; we correct or delete incorrect data.

5. Limited storage – we only retain data for as long as necessary for the purposes of data processing.

6. Integrity and confidentiality – we protect personal data against unauthorized access, modification, or loss through technical and organizational measures.

7. Accountability – The Data Controller is responsible for the lawfulness of data processing and is able to demonstrate this.

5. Data processing activities

Below, we describe in detail what personal data we process when you use the drcrm.hu online CRM service, for what purpose, on what legal basis, and for how long.

5.1. Registration and creation of user account

Scope of data processed:

● name, email address, password, date of birth (when usingaccount.hu )

● billing details: company name, tax number, EU tax number, registered office/address (country, postal code, city, street, house number, building, floor, door),

● bank account number, registration number,

● Contact telephone number.

Purpose of data processing:

Creating and maintaining a user account in order to enable the user to access the services of drcrm.hu. Based on the data provided during registration, we can ensure the operation of the system and access to CRM functions, as well as maintain contact.

Legal basis:

Consent of the data subject (GDPR Article 6(1)(a)).

Retention period:

● 6 months for unconfirmed registrations.

● For verified accounts, 10 years from the last login or until a request for deletion is made.

5.2. Using the CRM program

Scope of data processed:

● Name, email address, telephone number, address details, company name, tax number, contact details, other data recorded about customers and partners (e.g., comments, communication history, sales status, contract information).

Purpose of data processing:

Providing CRM services, managing customer relationships, tracking sales and business processes, and storing and organizing data recorded by users.

Legal basis:

Performance of a contract (GDPR Article 6(1)(b))

Retention period:

● Until the contract expires or until the user deletes it.

5.3. Contact and customer service (email, chat)

Scope of data processed:

● name, e-mail address,

● additional data voluntarily provided by the data subject (e.g., information provided in customer service inquiries, chat log content).

Purpose of data processing:

Maintaining contact with users, providing customer service assistance, handling complaints.

Legal basis:

● Consent of the data subject (Article 6(1)(a) of the GDPR),

● or legitimate interest (GDPR Article 6(1)(f)) in order to ensure customer service communication.

Retention period:

Until the data subject requests deletion, but for a maximum of 5 years (general civil law limitation period).

5.4. Management of contact details

Scope of data processed:

● name, email address, phone number.

Purpose of data processing:

If the user provides the details of their accountant or other contact person rather than their own details, these details will be used to ensure contact can be maintained.

Legal basis:

Consent of the data subject (GDPR Article 6(1)(a)) or legitimate interests of the parties (GDPR Article 6(1)(f))

(1) f).

Retention period:

Until the data subject requests deletion, but for a maximum of 5 years.

5.5. Newsletter service

Scope of data processed:

● name, email address, IP address.

Purpose of data processing:

Informing users about new features, developments, promotions, and related legislative changes on drcrm.hu.

Legal basis:

Consent of the data subject (Article 6(1)(a) of the GDPR).

Retention period:

Until the data subject unsubscribes or requests deletion.

Note:

We use an external service provider (e.g., newsletter software) to send newsletters, which acts as a data processor. The exact details of the service provider will be published later in the information sheet.

5.6. User feedback and market research

Scope of data processed:

● name, e-mail address,

● other data provided by the data subject during the feedback process.

Purpose of data processing:

In order to improve the quality of our services, we occasionally provide users with questionnaire surveys or online feedback options.

Legal basis:

Consent of the data subject (Article 6(1)(a) of the GDPR).

Retention period:

Until the data subject requests deletion, but for a maximum of 5 years.

5.7. Requests from authorities

Scope of data processed:

Data requested in the official inquiry (e.g., court, investigating authority).

Purpose of data processing:

Compliance with legal obligations.

Legal basis:

Compliance with a legal obligation (GDPR Article 6(1)(c)).

Retention period:

The time required to fulfill the request.

6. Profiling and automated decision-making

Within the scope of the drcrm.hu service, we do not use automated decision-making processes or profiling that would have legal effects on the data subject or significantly affect them.

When sending newsletters, we may send personalized content based on users' interests or system usage habits, but this is solely for the purpose of providing more relevant information and does not constitute automated decision-making within the meaning of the GDPR.

7. Data processors and external service providers used

In providing the service, the Data Controller uses data processors to perform certain technical tasks. Data processors process personal data exclusively on the basis of the Data Controller's instructions and in accordance with the law.

Possible data processors:

Hosting provider: DigitalOcean

Name and address of service provider:

DigitalOcean, LLC

101 Avenue of the Americas, 10th Floor, New York, NY 10013, USA

EU representation: DigitalOcean Germany GmbH, Frankfurt am Main, Germany

Purpose of data processing:

Technical operation of the drcrm.hu website and services, hosting and database services, backup creation.

Scope of data processed:

Personal data stored in user accounts, log data, IP addresses, connection metadata.

Place of data processing:

Frankfurt (Germany, within the EU).

Legal basis for data processing:

GDPR Article 6(1)(b) – processing necessary for the performance of a contract.

Data transfer to third countries:

This does not happen if the data is processed exclusively within the EU (Frankfurt).

Web analytics: Google Analytics (GA4)

Name and address of service provider:

Google Ireland Limited

Gordon House, Barrow Street, Dublin 4, Ireland

Purpose of data processing:

Analysis of website traffic and user behavior, collection of statistical data for the purpose of service improvement.

Scope of data processed:

IP address (in anonymized form), device and browser information, visit and behavior data, referring websites.

Place of data processing:

Primarily within the EU, but data may be transferred to the United States.

Legal basis for data processing:

GDPR Article 6(1)(a) – consent of the User (acceptance of the cookie banner).

Data transfer to third countries:

It is possible, provided that an adequate level of protection is ensured under the EU–US Data Privacy Framework.

Name and address of service provider:

Google Ireland Limited

Gordon House, Barrow Street, Dublin 4, Ireland

Purpose of data processing:

Authenticate users and simplify sign-in with Google accounts.

Scope of data processed:

Google account ID, name, email address, optional profile picture.

Legal basis for data processing:

GDPR Article 6(1)(b) – data processing necessary for the provision of the service (performance of a contract).

Data transfer to third countries:

Possible to the United States, within the framework of the EU-US Privacy Shield.

Email provider: Mailgun

Name and address of service provider:

Mailgun Technologies, Inc.

112 E Pecan St #1135, San Antonio, TX 78205, USA EU representation: Sinch Email, Ireland

Purpose of data processing:

Forwarding system messages, password reset and registration emails, and other notifications to users.

Scope of data processed:

Email addresses, message subject lines, sending and delivery data, and message content.

Legal basis for data processing:

GDPR Article 6(1)(b) – processing necessary for the performance of a contract.

Data transfer to third countries:

It is transferred to the United States under the EU-US Data Privacy Framework, with appropriate safeguards in place.

We carefully select all data processors and enter into written agreements with them, setting out their data protection obligations.

The drcrm.hu website and related web application use cookies to improve user experience, ensure functionality, and perform statistical analysis.

Cookies are small data files that are stored on your computer or other device by your browser. Some cookies are essential for the technical functioning of the website ("necessary cookies"), while others serve statistical or marketing purposes.

The use of necessary cookies is essential for the provision of the service, therefore the user's consent is not required for these.

However, the use of cookies for analytical and marketing purposes requires the user's prior consent, which can be given or withdrawn using the cookie management tool (cookie banner) displayed on the website.

List of cookies used on the website

Cookie name	Its purpose, what data it has access to	Lifespan	Required for the website to function ?	Own or third party ?	Other comments
drcrm_session	Identifies the user's session; provides access to session data stored on the server (e.g., email, user ID, login status).	120 days	Yes	My own cookie	Long-lasting cookie, the Required for the "persistent login" feature.
XSRF TOKEN	CSRF protection: the server verifies the authenticity of requests based on the token stored in the cookie; the token is a random identifier and does not contain any personal data.	Until browser is closed (session)	Yes	My own cookie	Security cookie.
necessary_coo	The user stores cookie settings and data necessary for basic operation (e.g., login status, security settings).	365 days	Yes	My own cookie	A essential for operation.

analytics_cook	It collects statistical data on visitor behavior (e.g., number of page views, traffic sources) in anonymous form.	365 days	No	Own and third party (Google Analytics)	May only be placed with consent.
marketing_coo	Manages data for marketing and advertising purposes (e.g., campaign effectiveness, areas of interest, remarketing).	365 days	No	My own cookie	We only use it with your consent.

Managing and deleting cookies

Users can disable or delete cookies at any time in their browser settings. Cookie management guides for the most commonly used browsers:

● Google Chrome

● Mozilla Firefox

● Microsoft Edge

● Safari

By deleting already saved cookies, user data can also be removed.

Please note that if you disable the necessary cookies, certain functions of drcrm.hu will not work or will only work to a limited extent.

Legal basis for cookies

Necessary cookies: GDPR Article 6(1)(b) – data processing necessary for the performance of a contract or in order to provide a service.

Analytical and marketing cookies: GDPR Article 6(1)(a) – data processing based on user consent.

9. Data security

The Data Controller considers the protection of personal data to be of paramount importance and applies technical and organizational measures to ensure the confidentiality, integrity, and availability of the data.

These include in particular:

● encrypted communication channels (HTTPS, TLS),

● Secure, encrypted storage of passwords

● regular data backups,

● Restriction and logging of access rights

● confidentiality obligations of employees and partners,

● Continuous monitoring and updating of IT systems.

Our goal is to prevent unauthorized access, loss, alteration, or disclosure of personal data.

10. Data Protection Officer

Under current legislation, the Data Controller is not currently required to appoint a data protection officer. Should this become mandatory in the future, or should the Data Controller wish to appoint such an officer voluntarily, their contact details will be updated in this notice.

Currently, you can contact us regarding data protection matters at the following addresses: Email: adatvedelem@drcrm.hu

Postal address: Syneo International Kft., 9700 Szombathely, Kürtös utca 5.

11. Rights of data subjects

Data subjects may exercise their rights under the GDPR at any time in relation to the processing of their personal data:

Right of access – The data subject has the right to obtain information about whether we process their personal data and, if so, what data, for what purpose, on what legal basis, from what source, for how long, and to whom we transfer it. Upon request, the data subject may receive a copy of the data.

Right to rectification – The data subject may request that we correct or supplement any inaccurate or incomplete data in order to keep it up to date.

Right to erasure (“right to be forgotten”) – The data subject has the right to request the erasure of their personal data if its processing is no longer necessary or if they have withdrawn their consent and there is no other legal basis for processing. However, erasure cannot be requested for data that we are required to retain by law (e.g., invoices for 8 years).

Right to restriction of processing – In certain cases, the data subject may request that we only store their personal data and not use it in any other way (e.g., in the event of a dispute over the accuracy of the data or during a legal dispute).

Right to data portability – The data subject may request to receive the data recorded about them in a structured, widely used, machine-readable format, or to have it transferred to another data controller, if this is technically feasible.

Right to object – The data subject may object to the processing of their personal data if it is based on our legitimate interest (e.g., newsletter, market research). In such cases, we will cease processing the data unless there is a compelling legal reason that takes precedence.

Withdrawal of consent – If data processing is based on consent, the data subject may withdraw their consent at any time. The withdrawal applies to the future and does not affect the lawfulness of previous data processing.

The Data Controller shall comply with requests without undue delay, within 30 days at the latest.

12. Legal remedies

If the data subject feels that their rights have been violated by the Data Controller, the following remedies are available:

1. Submit your complaint directly to the Data Controller using the contact details provided.

2. Submitting a complaint to the National Authority for Data Protection and Freedom of Information (NAIH):

Headquarters: 1055 Budapest, Falk Miksa utca 9-11. Postal address: 1363 Budapest, Pf. 9.

Phone: +36 (1) 391-1400

Email: ugyfelszolgalat@naih.hu Website: www.naih.hu

3. Enforcement through the courts: the data subject may bring a civil action before the court with jurisdiction over their place of residence or place of stay.

2026.02.11.

Syneo International Ltd.