Data Protection and Data Security Policy

This document contains the Data Protection and Data Security Policy (hereinafter: Policy or Regulations) of Spring Molecular Diagnostics Limited Liability Company (headquarters: 1112 Budapest, Görbe utca 6.; Company registration number: 01-09-411972; Tax number: 32206494-2-43; e-mail: questions@ivfinfo.ai; web: www.ivfinfo.ai), as Data Controller.

The Data Controller considers it important to respect and enforce the rights of its customers and all other affected natural persons (hereinafter: Data Subjects) related to data processing, and therefore hereby informs the Data Subjects that during its data processing it complies with the substantive and procedural rules of Hungarian law in force, the Data Protection and Data Security Regulations in force at all times, as well as other internal regulations.

The purpose of these Regulations is to define and adhere to the basic principles and provisions regarding the handling of the data of natural persons who come into contact with the Data Controller in order to ensure that the privacy of natural persons is protected in accordance with the relevant legal regulations and official resolutions.

Data is handled in accordance with the provisions of these Regulations and of Act CXII of 2011 on the right to self-determination of information and freedom of information (hereinafter: Infotv.). In line with Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and on the repeal of Directive 95/46/EC ("General Data Protection Regulation", "GDPR"), the Data Controller informs the Data Subjects below regarding the management of their personal data.

The Data Controller acknowledges the content of these Regulations as binding on itself and undertakes to ensure that its data management related to its service meets the requirements set out in these Regulations.

LEGAL RULES RELATING TO DATA PROTECTION

During its data management practices, Spring takes into account the relevant laws in force at all times. The data management principles published in these Regulations are in accordance with the following legislation:

Act LXVI of 1992 - on the registration of citizens' personal data and residential address;

Act CXIX of 1993 - on the management of name and address data for the purpose of research and direct business acquisition (DM Act);

Act CVIII of 1994 - on certain issues of electronic commercial services and services related to the information society;

Act XLVIII of 1995 - on the basic conditions and certain limitations of economic advertising activity (Grt.);

Act CXII of 1996 - on the right to self-determination of information and freedom of information;

Act XLVII of 1997 - on the management and protection of health and related personal data.

BASIC PRINCIPLES

The basic principles defined in the GDPR are implemented in Spring's data management behavior as a minimum requirement.

The basic principles contained in the GDPR are as follows:

a) Principle of lawfulness, fairness and transparency

b) Principle of purpose limitation

c) Principle of data minimisation

d) Principle of accuracy

e) Principle of storage limitation

f) Principle of integrity and confidentiality

g) Principle of accountability

CONCEPTS

Personal data

Any data relating to an identified or - directly or indirectly - identifiable natural person (hereinafter: Data Subject), in particular the Data Subject's name, identification mark, and knowledge of one or more physical, physiological, mental, economic, cultural or social characteristics of the Data Subject, as well as any conclusion about the Data Subject that can be drawn from the data.

Consent

The Data Subject's voluntary and decisive declaration of will, which is based on adequate information, and with which he gives his unequivocal consent to the processing of his personal data - in full or covering certain operations.

Objection

The Data Subject's statement objecting to the processing of his personal data and requesting the termination of data processing or the deletion of processed data.

Data controller

A natural or legal person, or an organization without legal personality, who independently or together with others determines the purpose of data management, makes and implements decisions regarding data management (including the device used), or has them implemented by the data processor commissioned by it.

Data handling

Regardless of the procedure used, any operation or set of operations performed on the data, including in particular the collection, recording, organization, storage, alteration, use, query, transmission, disclosure, alignment or connection, locking, deletion and destruction of the data, as well as preventing its further use, taking photographs, audio or video recordings, and the recording of physical characteristics suitable for identifying the person (e.g. fingerprint or palm print, DNA sample, iris image).

Data transfer

Making the data available to specific third parties.

Disclosure

Making the data available to anyone.

Data deletion

Making data unrecognizable in such a way that their recovery is no longer possible.

Data processing

Performing technical tasks related to data management operations, regardless of the method and tool used to perform the operations, as well as the place of application, provided that the technical task is performed on the data.

Data processor

A natural or legal person, or an organization without legal personality, who processes data on the basis of a contract with the data controller - including the conclusion of a contract based on the provisions of the law.

Data handling

Personal data can be processed if

a) the person concerned consents to it, or

b) it is ordered by law or - based on the authorization of the law, within the scope specified therein - by a decree of the local government for a purpose based on public interest (hereinafter: mandatory data management).

Personal data can only be processed for specific purposes, in order to exercise rights and fulfill obligations. In all stages of data management, the purpose of data management must be met, the collection and management of data must be fair and legal.

Only personal data that is essential for the realization of the purpose of data management and suitable for achieving the purpose can be processed. Personal data can only be processed to the extent and for the time necessary to achieve the purpose.

LEGAL BASIS AND LEGALITY OF DATA MANAGEMENT

1. In all cases, the Data Controller informs the Data Subject of the legal basis for data management in these Regulations and in the Data Protection Information Sheet, if necessary in another document (e.g. consent statement or other information sheet).

2. In accordance with the purposes of each data management, the specified data management is legal if and to the extent that at least one of the following is fulfilled:

a) the Data Subject has given his prior and voluntary consent to the processing of his personal data for one or more specific purposes;

b) if the Data Subject is unable to give his consent due to his incapacity or other unavoidable reasons, then to the extent necessary to protect his own or another person's vital interests, as well as to eliminate or prevent a direct threat to the life, physical integrity or property of persons, the Data Subject's personal data can be processed while the obstacles to consent exist;

c) data management is also legal if data management is necessary to protect the vital interests of the Data Subject or another natural person;

d) data management is lawful if data management is necessary for the performance of a contract in which the Data Subject is one of the parties, or it is necessary to take steps at the Data Subject's request prior to the conclusion of the contract;

e) the data management is lawful if the data management is necessary to fulfill the legal obligation of the data controller;

f) data management is lawful if the data management is in the public interest or is necessary for the execution of a task carried out in the framework of the exercise of public authority granted to the data controller;

g) data processing is lawful if data processing is necessary to assert the legitimate interests of the Data Controller or a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the Data Subject that require the protection of personal data, especially if the Data Subject is a child.

3. Prior and express consent can only be considered legally acceptable if all three content requirements are met, i.e.

a) voluntariness,

b) definiteness (unambiguity) and

c) being informed.

4. In case of voluntary, explicit provision of data by the Data Subject, the Data Controller processes the personal data with the consent of the Data Subject.

5. Voluntary consent, as consent, should also be understood as the behavior by which the Data Subject accepts that the present Regulations automatically apply to him.

6. It must clearly follow from the consent that the Data Subject consents to data management. If the data management is based on the Data Subject's consent, in case of doubt, the Data Controller must prove that the Data Subject has consented to the data management operation.

7. If the Data Subject gives his consent in the context of a written statement that also applies to other matters, the request for consent must be presented in a way that is clearly distinguishable from these other matters, in an understandable and easily accessible form, with clear and simple language.

8. The Data Controller hereby informs the Data Subjects that the Data Subjects have the right to withdraw their consent at any time.

9. Withdrawal of consent does not affect the legality of data management carried out on the basis of the consent before its withdrawal, so the revocation only applies to the future and has no retroactive effect.

10. If the processing of personal data is mandated by law, data processing is mandatory. The Data Controller informs the Data Subject in detail about this in these Regulations and other regulations, which are to be considered annexes to these Regulations and to be interpreted together with them.

11. In the case of mandatory data processing, if the Data Subject fails to provide data, the Data Controller is obliged to refuse the service/data processing.

12. In all cases, the Data Controller informs the Data Subject of the legal basis for data management in these Regulations.

CERTAIN ACTIVITIES AFFECTED BY DATA MANAGEMENT

Data management is broken down into the following elements:

1. Registration of customer data when ordering the service on the website of the Data Controller

2. Website visit data

3. Information service

4. Invoicing

5. --

6. Online payment

7. Presence on social media sites

8. Newsletter subscription

9. Complaint handling

The individual elements of data management and their characteristics are described in detail below.

1. Registration of customer data when ordering the service on the website of the Data Controller

The data controller keeps a record of the Customer's data for an electronic order, into which the Customer enters the processed data himself.

1.1. Data of Data Controllers

Spring Molecular Diagnostics Kft. (independently).

1.2. Legal basis for data management

Data management is based on voluntary consent, a condition for becoming a Customer. Since the GDPR became applicable, the legal basis for data management is the second clause of Article 6(1)(b) (data processing is necessary to take steps at the request of the Data Subject prior to the conclusion of the contract).

1.3. Circle of Stakeholders

Every natural person who is a customer or wants to be a customer of the Data Controller.

1.4. Scope of managed data

Name* (for identification purposes), e-mail address* (for contact purposes), previous orders (for statistical purposes), payment method (for the purpose of monitoring financial performance), discount (purpose of granting, checking, withdrawal).

Regarding the data marked with *, the Data Controller draws attention to the fact that if the data subject does not provide them to the Data Controller, the Data Controller cannot provide the service.

1.5. Purpose of data management

Facilitating smooth communication and ensuring the ordered service.

1.6. Duration of data management

2 years from the last purchase

1.7. The data management process

The Customer delivers the Data Subject's data to the Data Controller.

The data is entered manually by the Customer on the interface created for this purpose of the electronic web store for the purpose of registration and ordering. (www.infinfo.ai)

The Customer of the service voluntarily consents to the fact that, if he provides his contact information, the Data Controller will contact him through it in order to keep his data up-to-date.

Data is communicated to a third party: on the payment interface, with regard to the Stripe module used on the website.

1.8. Method of data management

Electronic.

1.9. The source of the data

Directly from the Contact.

1.10. Data processing

The data controller uses the following data processors to fulfill the order:

Stripe Inc. (registered office: 510 Townsend Street, San Francisco, California 94103) for online payment activity.

2. Website visit data

In view of the provisions of § 155, paragraph 4 of Act C of 2003, according to which "Data may be stored on a subscriber's or user's electronic communication device, or the data stored there may be accessed, only based on the consent of the concerned user or subscriber following clear and complete information - including the purpose of data management", the Data Controller provides the following information regarding the analytical tools it uses, i.e. cookies.

2.1. Data of Data Controllers

Spring Molecular Diagnostics Kft. (independently).

2.2. Legal basis for data management

Data management is based on voluntary consent.

2.3. Circle of Stakeholders

All natural persons who visit the Website of the Data Controller.

2.4. Scope of managed data

We would like to inform you that these cookies cannot personally identify the visitor.

Cookies record and manage the following data about you, your computer, or the device you use for browsing: your IP address, the type of browser, the characteristics of the operating system of the device used for browsing (for example, type, set language), the exact time of the visit, the address of the page previously visited, the page, subpage, function or service used, and the time spent on the page.

2.5. Purpose of data management

The data controller uses cookies for the following purposes:

a) Absolutely necessary cookies

Such cookies are indispensable for the proper functioning of this website. Without accepting these cookies, the Data Controller cannot guarantee that the website will function as expected, nor that the user will have access to all the information the user is looking for. These cookies do not collect personal data from the Data Subject or data that can be used for marketing purposes. Absolutely necessary cookies are, for example, performance cookies, which collect information about whether the website is working properly and whether there are any errors in its operation. By indicating possible errors, they help the Data Controller to improve the website, and indicate which are the most popular parts of the website.

b) Functional cookies

These cookies ensure a consistent appearance of the website tailored to the needs of the data subject and remember the settings chosen by the data subject (for example: color, font size, layout).

c) Targeted cookies

Targeted cookies ensure that the advertisements appearing on the website are tailored to the interests of the person concerned. The website primarily contains advertisements related to the services and products provided by the Data Controller and serves to facilitate access to more favorable offers for the data subject (e.g. IP address).

d) The cookie also helps to improve the ergonomics of the website, to create a user-friendly website, in order to enhance the online experience of visitors. Cookies are small text files that can be used by a specific website to make the user experience more efficient. According to the law, cookies can be stored on your device if this is absolutely necessary for the website to function.

3. Data related to the provision of information services

3.1. Data of Data Controllers

Spring Molecular Diagnostics Kft. (independently).

3.2. Legal basis for data management

Voluntary consent of the person using the information service, legal provision.

3.3. Circle of Stakeholders

Affected are all natural persons identified or - directly or indirectly - identifiable on the basis of any specified personal data, whose data is managed by the Data Controller, and who order the examination and evaluation of the sample from the Service Providers.

3.4. Scope of managed data

Personal data processed for the purpose of providing information.

3.5. Purpose of data management

Implementation of information service

3.6. Duration of data management

Retention until consent is withdrawn. Act XLVII of 1997, § 30.

3.7. The data management process

Data management is done during registration and login and during use.

3.8. Method of data management

Electronically.

3.9. The source of the data

Directly from the person concerned.

4. Invoicing

4.1. Data of data controllers

Spring Molecular Diagnostics Kft. (independently)

4.2. Legal basis for data management

Mandatory data management, essential for service provision. The invoicing regulations are determined by Act CXXVII of 2007 on general sales tax (hereinafter: VAT Act), as well as the decrees issued under the authority of this Act.

4.3. Circle of Stakeholders

All natural persons who placed an order with the Data Controller through their online store.

4.4. Scope of managed data

Personal data processed for invoicing purposes: family and first name*; billing address*.

If the data marked with * is not communicated, no contractual relationship will be established between the Data Controllers and the Data Subject, since the data controllers cannot even issue an invoice.

4.5. Purpose of data management

Fulfilling legal obligations, issuing invoices.

4.6. Duration of data management:

In the case of the data on the invoice, it is the 8th year. Act C of 2000 § 169

4.7. The data management process

The Customer provides the indicated data when placing the order via the Service Provider's website. After that, the Service Provider issues an invoice to the Customer, which it delivers to the Customer at the same time as the package.

4.8. Method of data management

Electronically and on paper.

4.9. The source of the data

Directly from the Contact.

4.10. Data processing

In relation to invoicing, the Data Controller uses the following data processor:

Stripe

5. Parcel delivery

Not happening.

6. Online payment

6.1. Data of Data Controllers

Spring Molecular Diagnostics Kft. does not handle data related to online payment, however, the Customer must provide the data for payment via its website.

6.2. Legal basis for data management

Data management is based on voluntary consent.

6.3. Circle of Stakeholders

All natural persons who have placed an order with the Data Controller through their online store and pay the price of the order online.

6.4. Scope of managed data

In connection with the implementation of product sales and service provision as a data management purpose, data related to purchases made on the Internet is transferred to Stripe. The data is transmitted through the bank card acceptance network for the purpose of financial processing of the transaction, transaction security and transaction monitoring. The scope of transmitted data: last name, first name, delivery address, billing address, telephone number, e-mail address, data related to payment transactions. Our company does not store payment-related data; it is entered directly for the payment, and only Stripe has access to it.

6.5. Purpose of data management

Payment of the order.

6.6. Duration of data management

According to Stripe policy.

6.7. The data management process

The Customer registers his order and the data required for online payment of the order through the Service Provider's website.

6.8. Method of data management

Electronically.

6.9. The source of the data

Directly from the Contact.

6.10. Data processing

For online payment, the Data Controller uses the following data processor: Stripe Inc.

7. Presence and marketing on social media sites

The Data Controller is available on social media on the following pages:

Facebook: www.facebook.com/ivfinfo

Instagram: www.instagram.com/ivfinfo

7.1. Data of Data Controllers

Spring Molecular Diagnostics Kft. (independently).

7.2. Legal basis for data management

Data management is based on voluntary consent.

7.3. Circle of Stakeholders

All natural persons who voluntarily follow, share and like the social pages of the Data Controller, especially the page on the facebook.com social page or the content appearing on it.

7.4. Scope of managed data

a) public name of the Data Subject - identification

b) public photo of the Data Subject - identification

c) public e-mail address of the Data Subject - contact

d) the Data Subject's message sent via the social media site - the basis for maintaining contact and responding

7.5. Purpose of data management

The use of social media sites, especially the Facebook page, and through it, contacting and maintaining contact with the Data Controller, and other actions permitted by the social media site.

7.6. Duration of data management

Until deleted at the request of the data subject.

7.7. The data management process

The Data Controller publishes images of its products and service prices on its social media pages, especially on its Facebook page, as well as related information, the Data Controller's services, etc. The Data Controller can connect the Facebook page to other social networking sites in accordance with the rules of the social networking site facebook.com, so publication on the Facebook site must also be understood as publishing on such connected social networking sites.

The Data Subject can receive information about the data management of the given social media site on the given social media site, accordingly, information about the data management of the Facebook site can be obtained at www.facebook.com. The purpose of the presence on social portals, especially Facebook, and related data management is to share, publish, and market the content on the website on social media.

7.8. Method of data management

Electronically

7.9. The source of the data

Directly from the person concerned

7.10. Data processing

The Data Controller does not use a data processor for data management related to the social media site.

8. Sending a newsletter

8.1. Data of Data Controllers

Spring Molecular Diagnostics Kft. (independently).

8.2. Legal basis for data management

Data management is based on voluntary consent

8.3. Circle of Stakeholders

All natural persons who subscribe to the Newsletter service on the Data Controller's website.

8.4. Scope of managed data

(User)name* (for identification purposes), e-mail address* (for contact purposes).

8.5. Purpose of data management

Sending a newsletter to the subscriber, conducting marketing activities, informing the Subscriber about the Data Controller's products and services.

8.6. Duration of data management

Until deletion at the request of the data subject.

8.7. The data management process

The Data Subject can subscribe to the newsletter before or during the use of the services, or in some other way.

Subscription to the newsletter is based on voluntary consent.

Scope of those affected: All natural persons who wish to be regularly informed about the Data Controller's news, promotions and discounts, and therefore subscribe to the newsletter service by entering their personal data.

The purpose of data processing related to sending newsletters is to provide the recipient with full general information about the Data Controller's latest promotions, events, news, and changes to notification services.

The newsletter is sent only with the prior consent of the person concerned.

The Data Controller and the Data Controller's data processor only manage the personal data collected for this purpose until the data subject unsubscribes from the newsletter list.

The person concerned can unsubscribe from the newsletter at any time, by means of the request option at the bottom of the e-mails and by a request sent to the e-mail address questions@ivfinfo.ai.

The data manager keeps statistics on the reading of the sent newsletters, with the help of clicks on the links in the newsletters.

Data is not disclosed to third parties.

8.8. Method of data management

Electronic.

8.9. The source of the data

Directly from the Contact.

8.10. Data processing

For newsletters, the Data Controller uses the services of MailChimp (512 Means St Suite 404 Atlanta, GA 30318 USA), which stores the data on www.mailchimp.com until the consent to data management is revoked.

9. Complaint handling

9.1. Data of Data Controllers

Spring Molecular Diagnostics Kft. (independently).

9.2. Legal basis for data management

Data management starts with voluntary consent, but based on Article 6(1)(c) of the GDPR, data management is necessary to fulfill the legal obligations of the Data Controller under § 17/A (7) of Act CLV of 1997 on Consumer Protection.

9.3. Circle of Stakeholders

All natural persons who wish to communicate their complaint orally or in writing. Persons who submit a complaint to the Data Controller regarding the purchased service, product, or the Data Controller's conduct.

9.4. Scope of managed data

For identification purposes, name and date of receipt of the complaint, for contact purposes, e-mail address, billing/mailing address, telephone number; for the purpose of investigating the complaint, the complained product/service, attached documents, the complaint itself.

9.5. Purpose of data management

The purpose of data management is to identify the person concerned and the complaint.

9.6. Duration of data management

Duration of data management: The data manager manages the record of the complaint and the copy of the response for 5 years from the date of their recording.

9.7. The data management process

The Data Controller ensures that the data subject can submit a complaint in writing (by post or electronic mail) regarding the ordered service, or even the behavior, activities or omissions of the Data Controller.

9.8. Method of data management

Electronically and/or on paper.

9.9. The source of the data

Directly from the Contact.

9.10. Data processing

Data is not disclosed to third parties, except in the case of an official request.

Requests to authorities may arise in the following cases and in relation to the authorities.

a) In the event of a violation of the right to self-determination, you may contact the following authority:

National Data Protection and Freedom of Information Authority

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c

Phone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

www: http://www.naih.hu

e-mail: ugyfelszolgalat@naih.hu

b) In the event of a violation of your rights related to content that is offensive to minors, hateful or exclusionary, or related to rectification, the rights of a deceased person, or damage to your reputation, you may contact the following authority:

National Media and Communications Authority

1015 Budapest, Ostrom u. 23-25.

Mailing address: 1525. Pf. 75

Phone: (06 1) 457 7100

Fax: (06 1) 356 5520

E-mail: info@nmhh.hu

c) The Data Subject may go to court in the event of a violation of his rights. The court deals with the case as a matter of priority. The Data Controller is obliged to prove that the data management complies with the provisions of the law.

d) In the event that the Data Controller violates the privacy rights of the data subject by unlawfully handling the data subject's data or violating data security requirements, the data subject may demand a compensation fee from the Data Controller.

DELETION OF PERSONAL DATA

1. Spring Molecular Diagnostics Kft. deletes personal data if its processing is illegal, the purpose of data processing has ceased, the statutory period for storing the data has expired, or if this has been ordered by the court or the data protection commissioner.

2. The Data Subject may request the deletion of his/her personal data. The request must be sent by e-mail to questions@ivfinfo.ai or by post, in a letter addressed to Spring Molecular Diagnostics Kft., 1139 Budapest, Röppentyű u. 48. The Organization will delete the data within 15 working days from the receipt of the legal request for deletion, otherwise it will contact the applicant.

ENFORCEMENT OPTIONS

1. The Data Subject may request the Data Controller to provide information on the management of his personal data, to correct his personal data, and to delete or block his data. The Data Subject may object to the processing of his personal data.

2. At the Data Subject's request, the Data Controller provides information about the managed data, the purpose, legal basis, and duration of the data management.

3. Although the employees of Spring Molecular Diagnostics Kft. do their best to ensure that data management is safe, transparent and legal, it is a natural part of the process to prepare for possible emergency situations. A data protection incident occurs when a security incident affects the data, so that the obligation of confidentiality, accessibility or integrity may be violated. If this occurs and the incident is likely to pose a risk to the rights and freedoms of the Data Subjects, the Data Controller must report the incident to the supervisory authority without undue delay, no later than 72 hours after the data protection incident became known to the Data Controller, at the following address:

National Data Protection and Freedom of Information Authority

1125 Budapest, Szilágyi Erzsébet fasor 22/C;

postal address: 1530 Budapest, Pf.: 5.,

telephone: +36 (1) 391 1400;

e-mail: ugyfelszolgalat@naih.hu; www.naih.hu

VALIDITY

These Regulations are valid from April 20, 2023 until withdrawn.

THE RIGHT TO CHANGE

The Data Controller declares that it reserves the right to change these Regulations, which may take place in the event of a change in the relevant legislation or other internal processes and procedures.