Data Protection and Data Security PolicyThis Data Protection and Data Security Policy (hereinafter: Policy) of Spring Molecular Diagnostics Limited Liability Company (headquarters: 1112 Budapest, Görbe utca 6.; Company registration number: 01-09-411972; Tax number: 32206494-2-43; e-mail: questions@ivfinfo.ai; web: www.ivfinfo.ai) as Data Controller Regulations.The Data Controller considers it important to respect and enforce the rights of its customers and all other affected natural persons (hereinafter: Data Subjects) related to data processing, and therefore hereby informs the Data Subjects that during its data processing, the substantive and procedural rules of Hungarian law in force, the Data Protection and Data Security Regulations in force at all times , as well as other internal regulations.The purpose of these Regulations is to define and adhere to the basic principles and provisions regarding the handling of the data of natural persons who come into contact with the Data Controller in order to ensure that the privacy of natural persons is protected in accordance with the relevant legal regulations and official resolutions.The data is handled in accordance with the provisions of these Regulations, CXII of 2011 on the right to self-determination of information and freedom of information. is carried out in accordance with the provisions of the Act (hereinafter: Infotv.). The Data Controller is Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and on the repeal of Directive 95/46/EC ("General Data Protection Regulation", "GDPR") informs the Data Subjects below regarding the management of their personal data.The Data Controller acknowledges the content of these Regulations as binding on itself and undertakes to ensure that its data management related to its service meets the requirements set out in these Regulations.LEGAL RULES RELATING TO DATA PROTECTIONDuring its data management practices, Spring takes into account the relevant laws in force at all times. The data management principles published in these Regulations are in accordance with the following legislation:LXVI of 1992 law - on the registration of citizens' personal data and residential address;CXIX of 1993 Act – on the management of name and address data for the purpose of research and direct business acquisition (DM Act);CVIII of 1994 Act - on certain issues of electronic commercial services and services related to the information society;XLVIII of 1995 Act - on the basic conditions and certain limitations of economic advertising activity (Grt.)CXII of 1996. Act - on the right to self-determination of information and freedom of informationXLVII of 1997 Act on the management and protection of health and related personal dataBASIC PRINCIPLESThe basic principles defined in the GDPR are implemented in Spring's data management behavior as a minimum requirement.The basic principles contained in the GDPR are as follows:1. a) Principle of legality, fair procedure and transparency2. b) The principle of being tied to a goal3. c) Principle of saving data4. d) Principle of accuracy5. e) Principle of limited storability6. f) Principle of integrity and confidentiality7. g) Principle of accountabilityCONCEPTSPersonal dataAny specific data identified on the basis of personal data or linked to - directly or indirectly - an identifiable natural person (hereinafter: Data Subject) - in particular the Data Subject's name, identification mark, and one or more physical, physiological, mental, economic, cultural or social characteristics of the Data Subject knowledge - as well as the conclusion about the Data Subject that can be drawn from the data.ContributionThe Data Subject's voluntary and decisive declaration of will, which is based on adequate information, and with which he gives his unequivocal consent to the processing of his personal data - in full or covering certain operations.ProtestThe Data Subject's statement objecting to the processing of his personal data and requesting the termination of data processing or the deletion of processed data.Data controllerA natural or legal person, or an organization without legal personality, who independently or together with others determines the purpose of data management, makes and implements decisions regarding data management (including the device used), or has them implemented by the data processor commissioned by it.Data handlingRegardless of the procedure used, any operation performed on the data or the set of operations, including in particular the collection, recording, recording, organization, storage, alteration, use, query, transmission, disclosure, alignment or connection, locking, deletion and destruction of the data, as well as preventing its further use, taking photographs, audio or video recordings, and identifying the personrecording of physical characteristics (e.g. fingerprint or palm print, DNA sample, iris image).Data transferMaking the data available to specific third parties.DisclosureMaking the data available to anyone.Data deletionMaking data unrecognizable in such a way that their recovery is no longer possible.Data processingPerforming technical tasks related to data management operations, regardless of the method and tool used to perform the operations, as well as the place of application, provided that the technical task is performed on the data.Data processorA natural or legal person, or an organization without legal personality, who processes data on the basis of a contract with the data controller - including the conclusion of a contract based on the provisions of the law.Data handlingPersonal data can be processed if1. a) the person concerned consents to it, or2. b) it is ordered by law or - based on the authorization of the law, within the scope specified therein - by a decree of the local government for a purpose based on public interest (hereinafter: mandatory data management).Personal data can only be processed for specific purposes, in order to exercise rights and fulfill obligations. In all stages of data management, the purpose of data management must be met, the collection and management of data must be fair and legal.Only personal data that is essential for the realization of the purpose of data management and suitable for achieving the purpose can be processed. Personal data can only be processed to the extent and for the time necessary to achieve the purpose.LEGAL BASIS AND LEGALITY OF DATA MANAGEMENT1. In all cases, the Data Controller informs the Data Subject of the legal basis for data management in these Regulations and in the Data Protection Information Sheet, if necessary in another document (e.g. consent statement, consent statement or other information sheet).2. In accordance with the purposes of each data management, the specified data management is legal if and to the extent that at least one of the following is fulfilled:3. a) the Data Subject has given his prior and voluntary consent to the processing of his personal data for one or more specific purposes;4. b) if the Data Subject is unable to give his consent due to his incapacity or other unavoidable reasons, then to the extent necessary to protect his own or another person's vital interests, as well as to eliminate or prevent a direct threat to the life, physical integrity or property of persons, while the obstacles to consent exist the Data Subject's personal data can be processed;5. c) data management is also legal if data management is necessary to protect the vital interests of the Data Subject or another natural person;6. d) data management is lawful if data management is necessary for the performance of a contract in which the Data Subject is one of the parties, or it is necessary to take steps at the Data Subject's request prior to the conclusion of the contract;7. e) the data management is lawful if the data management is necessary to fulfill the legal obligation of the data controller;8. f) data management is lawful if the data management is in the public interest or is necessary for the execution of a task carried out in the framework of the exercise of public authority granted to the data controller;9. g) data processing is lawful if data processing is necessary to assert the legitimate interests of the Data Controller or a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the Data Subject that require the protection of personal data, especially if the Affected child.10. Prior and express consent can only be considered legally acceptable if all three content requirements are met, i.e.11. a) volunteering,12. b) definiteness (unambiguity) and13. c) also completes information.14. In case of voluntary, explicit provision of data by the Data Subject, the Data Controller processes the personal data with the consent of the Data Subject.15. Voluntary consent, as consent, should also be understood as the behavior by which the Data Subject accepts that the present Regulations automatically apply to him.16. It must clearly follow from the consent that the Data Subject consents to data management. If the data management is based on the Data Subject's consent, in case of doubt, the Data Controller must prove that the Data Subject has consented to the data management operation.17. If the Data Subject gives his consent in the context of a written statement that also applies to other matters, the request for consent must be presented in a way that is clearly distinguishable from these other matters, in an understandable and easily accessible form, with clear and simple language.18. The Data Controller hereby informs the Data Subjects that the Data Subjects have the right to withdraw their consent at any time.19. Withdrawal of consent does not affect the person based on the consent, who withdraws it the legality of data management before the end of the year, so the revocation only applies to the future and has no retroactive effect.20. If the processing of personal data is mandated by law, data processing is mandatory. The Data Controller informs the Data Subject in detail about this in these Regulations and other regulations, which are to be considered annexes to these Regulations and to be interpreted together with them.21. In the case of mandatory data processing, if the Data Subject fails to provide data, the Data Controller is obliged to refuse the service/data processing.22. In all cases, the Data Controller informs the Data Subject of the legal basis for data management in these Regulations.CERTAIN ACTIVITIES AFFECTED BY DATA MANAGEMENTData management is broken down into the following elements:1. Registration of customer data when ordering the service on the website of the Data Controller2. Website visit data3. Information service4. Invoicing5. --6. Online payment7. Presence on social media sites8. Newsletter subscription9. Complaint handlingThe individual elements of data management and their characteristics are described in detail below.1. When ordering the Customer's data registration service on the Data Controller's websiteThe data controller keeps a record of the Customer's data for an electronic order, into which the Customer enters the processed data himself.1.1. Data of Data ControllersSpring Molecular Diagnostics Kft. (independently).1.2. Legal basis for data managementData management is based on voluntary consent, a condition for becoming a Customer. Starting with the application of the GDPR, the legal basis for data management is Article 6 1. b. the second round of point (data processing is necessary to take steps at the request of the Data Subject prior to the conclusion of the contract).1.3. Circle of StakeholdersEvery natural person who is a customer or wants to be a customer of the Data Controller.1.4. Scope of managed dataName* (for identification purposes), e-mail address* (for contact purposes), previous orders (for statistical purposes), payment method (for the purpose of monitoring financial performance), discount (purpose of granting, checking, withdrawal).Regarding the data marked with *, the Data Controller draws attention to the fact that if the data subject does not provide them to the Data Controller, the Data Controller cannot provide the service.1.5. Purpose of data managementFacilitating smooth communication and ensuring the ordered service.1.6. Duration of data management2 years from the last purchase1.7. The data management processThe Customer delivers the Data Subject's data to the Data Controller.The data is entered manually by the Customer on the interface created for this purpose of the electronic web store for the purpose of registration and ordering. (www.infinfo.ai)The Customer of the service voluntarily consents to the fact that, if he provides his contact information, the Data Controller will contact him through it in order to keep his data up-to-date.Data is communicated to a third party: on the payment interface, with regard to the stripe module used on the website.1.8. Method of data managementElectronic.1.9. The source of the dataDirectly from the Contact.1.10. Data processingThe data controller uses the following data processors to fulfill the order:Stripe Inc (registered office: Stripe Inc. Company Address: 510 Townsend Street San Francisco California 94103.) for online payment activity.2. Website visit dataData controller, in view of the provisions of § 155, paragraph 4 of Act C of 2003, according to which "Data may be stored on a subscriber's or user's electronic communication device only based on the consent of the concerned user or subscriber following clear and complete information - including the purpose of data management - , or to access the data stored there" provides the following information regarding the analytical tools it uses, i.e. cookies.2.1. Data of Data ControllersSpring Molecular Diagnostics Kft. (independently).2.2. Legal basis for data managementData management is based on voluntary consent.2.3. Circle of StakeholdersAll natural persons who visit the Website of the Data Controller.2.4. Scope of managed dataWe would like to inform you that these cookies cannot personally identify the visitor.Cookies record and manage the following data about you, your computer, or the device you use for browsing: your IP address, the type of browser, the characteristics of the operating system of the device used for browsing (for example, type, set language ), the exact time of the visit, the address of the page previously visited, the page, subpage, function or service used, and the time spent on the page.2.5. Purpose of data managementThe data controller uses cookies for the following purposes:1. a) Absolutely necessary cookiesYou can do without such cookies for the proper functioning of this website. Without accepting these cookies, the Data Controller cannot guarantee that the website will function as expected, nor that the user will have access to all the information the user is looking for. These cookies do not collect personal data from the Data Subject or data that can be used for marketing purposes. Absolutely necessary cookies are, for example, performance cookies, which collect information about whether the website is working properly and whether there are any errors in its operation. By indicating possible errors, they help the Data Controller to improve the website, and indicate which are the most popular parts of the website.1. b) Functional cookiesThese cookies ensure a consistent appearance of the website tailored to the needs of the data subject and remember the settings chosen by the data subject (for example: color, font size, layout).1. c) Targeted cookiesTargeted cookies ensure that the advertisements appearing on the website are tailored to the interests of the person concerned. The website primarily contains advertisements related to the services and products provided by the Data Controller and serves to facilitate access to more favorable offers for the data subject (e.g. IP address).1. d) The cookie also helps to improve the ergonomics of the website, to create a user-friendly website, in order to enhance the online experience of visitors. Cookies are small text files that can be used by a specific website to make the user experience more efficient. According to the law, cookies can be stored on your device if this is absolutely necessary for the website to function.2. Data related to the provision of information services3.1. Data of Data ControllersSpring Molecular Diagnostics Kft. (independently).3.2. Legal basis for data managementVoluntary consent of the person using the information service, legal provision.3.3. Circle of StakeholdersAffected are all natural persons identified or - directly or indirectly - identifiable on the basis of any specified personal data, whose data is managed by the Data Controller, and who order the examination and evaluation of the sample from the Service Providers.3.4. Scope of managed dataPersonal data processed for the purpose of providing information.3.5. Purpose of data managementImplementation of information service3.6. Duration of data managementRetention period until consent withdrawn. XLVII of 1997 Act § 303.7. The data management processData management is done during registration and login and during use.3.8. Method of data managementElectronically.3.9. The source of the dataDirectly from the person concerned.4. Invoicing4.1. Data of data controllersSpring Molecular Diagnostics Kft. (independently)4.2. Legal basis for data managementMandatory data management, essential for service provision. CXXVII of 2007 on general sales tax determines the invoicing regulations. Act (hereinafter: VAT Act), as well as the decrees issued under the authority of this Act.4.3. Circle of StakeholdersAll natural persons who placed an order with the Data Controller through their online store.4.4. Scope of managed dataPersonal data processed for invoicing purposes: family and first name*; billing address*.If the data marked with * is not communicated, no contractual relationship will be established between the Data Controllers and the Data Subject, since the data controllers cannot even issue an invoice.4.5. Purpose of data managementFulfilling legal obligations, issuing invoices.4.6. Duration of data management:In the case of the data on the invoice, it is the 8th year. Act C of 2000 § 1694.7. The data management processThe Customer provides the indicated data when placing the order via the Service Provider's website. After that, the Service Provider issues an invoice to the Customer, which it delivers to the Customer at the same time as the package.4.8. Method of data managementElectronically and on paper.4.9. The source of the dataDirectly from the Contact.4.10. Data processingIn relation to invoicing, the Data Controller uses the following data processor:Stripe5. Parcel deliveryNot happening.6. Online payment6.1. Data of Data ControllersSpring Molecular Diagnostics Kft. does not handle data related to online payment, however, the Customer must provide the data for payment via its website.6.2. Legal basis for data managementData management is based on voluntary consent.6.3. Circle of StakeholdersAll natural persons who have placed an order with the Data Controller through their online store and pay the price of the order online.6.4. Scope of managed dataIn connection with the implementation of product sales and service provision as a data management purpose, data related to purchases made on the Internet is transferred to Stripe. They are transmitted through the ó bank card acceptance network for the purpose of financial processing of the transaction, transaction security and transaction monitoring. The scope of transmitted data: last name, first name, delivery address, billing address, telephone number, e-mail address, data related to payment transactions. Our company does not store payment-related data, it is entered directly for the payment, to which only Stripe has access.6.5. Purpose of data managementPayment of the order.6.6. Duration of data managementAccording to Stripe policy.6.7. The data management processThe Customer registers his order and the data required for online payment of the order through the Service Provider's website.6.8. Method of data managementElectronically.6.9. The source of the dataDirectly from the Contact.6.10. Data processingFor online payment, the Data Controller uses the following data processor: Stripe Inc.7. Presence and marketing on social media sitesThe Data Controller is available on social media on the following pages:Facebook: www.facebook.com/ivfinfoInstagram: www.instagram.com/ivfinfo7.1. Data of Data ControllersSpring Molecular Diagnostics Kft. (independently).7.2. Legal basis for data managementData management is based on voluntary consent,7.3. Circle of StakeholdersAll natural persons who voluntarily follow, share and like the social pages of the Data Controller, especially the page on the facebook.com social page or the content appearing on it.7.4. Scope of managed data1. a) public name of the Data Subject - identification2. b) public photo of the Data Subject - identification3. c) public e-mail address of the Data Subject - contact4. d) the Data Subject's message sent via the social media site - the basis for maintaining contact and responding7.5. Purpose of data managementThe use of social media sites, especially the Facebook page, and through it, contacting and maintaining contact with the Data Controller, and other actions permitted by the social media site.7.6. Duration of data managementUntil deleted at the request of the data subject.7.7. The data management processThe Data Controller publishes images of its products and service prices on its social media pages, especially on its Facebook page, as well as related information and information, the Data Controller's services, etc. The data controller can connect the Facebook page to other social networking sites in accordance with the rules of the social networking site facebook.com, so publication on the Facebook site must also be understood as publishing on such connected social networking sites.The Data Subject can receive information about the data management of the given social media site on the given social media site, accordingly, information about the data management of the Facebook site can be obtained at www.facebook.com. The purpose of the presence on social portals, especially Facebook, and related data management is to share, publish, and market the content on the website on social media.7.8. Method of data managementElectronically7.9. The source of the dataDirectly from the person concerned7.10. Data processingThe data manager does not use a data manager for data management related to the social media site.8. Sending a newsletter8.1. Data of Data ControllersSpring Molecular Diagnostics Kft. (independently).8.2. Legal basis for data managementData management is based on voluntary consent8.3. Circle of StakeholdersAll natural persons who subscribe to the Newsletter service on the Data Controller's website.8.4. Scope of managed data(User)name* (for identification purposes), e-mail address* (for contact purposes).8.5. Purpose of data managementSending a newsletter to the subscriber, conducting marketing activities, informing the Subscriber about the Data Controller's products and services.8.6. Duration of data managementUntil deletion at the request of the data subject.8.7. The data management processThe Data Subject can subscribe to the newsletter before or during the use of the services, or in some other way.Subscription to the newsletter is based on voluntary consent.Scope of those affected: All natural persons who wish to be regularly informed about the Data Controller's news, promotions and discounts, and therefore subscribe to the newsletter service by entering their personal data.The purpose of data processing related to sending newsletters is to provide the recipient with full general information about the Data Controller's latest promotions, events, news, and changes to notification services.The newsletter is sent only with the prior consent of the person concerned.The Data Controller and the Data Controller's data processor only manage the personal data collected for this purpose until the data subject unsubscribes from the newsletter list.The person concerned can unsubscribe from the newsletter at any time, based on the request at the bottom of the electronic mails and sent to the email address questions@ivfinfo.ai.The data manager keeps statistics on the reading of the sent newsletters, with the help of clicks on the links in the newsletters.Data is not disclosed to third parties.8.8. Method of data managementEdge ktronic.8.9. The source of the dataDirectly from the Contact.8.10. Data processingFor newsletters, the Data Controller uses the services of MailChimp (512 Means St Suite 404 Atlanta, GA 30318 USA), which stores the data on www.mailchimp.com until the consent to data management is revoked.9. Complaint handling9.1. Data of Data ControllersSpring Molecular Diagnostics Kft. (independently).9.2. Legal basis for data managementData management is based on voluntary consent, it starts with voluntary consent, but based on GDPR Article 6 (1 para. c), data management is necessary to fulfill the legal obligations of the data controller in the CLV of 1997 on Consumer Protection. according to § 17/A (7) of the Act9.3. Circle of StakeholdersAll natural persons who wish to communicate their complaint orally or in writing. Persons who submit a complaint to the Data Controller regarding the purchased service, product, or the Data Controller's conduct.9.4. Scope of managed dataFor identification purposes, name and date of receipt of the complaint, for contact purposes, e-mail address, billing/mailing address, telephone number; for the purpose of investigating the complaint, the complained product/service, attached documents, the complaint itself.9.5. Purpose of data managementThe purpose of data management is to identify the person concerned and the complaint.9.6. Duration of data managementDuration of data management: The data manager manages the record of the complaint and the copy of the response for 5 years from the date of their recording.9.7. The data management processThe Data Controller ensures that the data subject can submit a complaint in writing (by post or electronic mail) regarding the ordered service, or even the behavior, activities or omissions of the Data Controller.9.8. Method of data managementElectronically and/or on paper.9.9. The source of the dataDirectly from the Contact.9.10. Data processingData is not disclosed to third parties, except in the case of an official request.Requests to authorities may arise in the following cases and in relation to the authorities.1. a) In the event of a violation of the right to self-determination, you may contact the following authority:National Data Protection and Freedom of Information AuthorityAddress: 1125 Budapest, Szilágyi Erzsébet fasor 22/cPhone: +36 (1) 391-1400Fax: +36 (1) 391-1410www: http://www.naih.hue-mail: ugyfelszolgalat@naih.hu1. b) In the event of a violation of your rights related to content that offends, hates, or excludes minors, rectification, the rights of a deceased person, or damage to your reputation, you may contact the following authority:National Media and Communications Authority1015 Budapest, Ostrom u. 23-25.Mailing address: 1525. Pf. 75Phone: (06 1) 457 7100Fax: (06 1) 356 5520E-mail: info@nmhh.hu1. c) The Data Subject may go to court in the event of a violation of his rights. The court acts out of sequence in the case. The Data Controller is obliged to prove that the data management complies with the provisions of the law.2. d) In the event that the Data Controller violates the privacy rights of the data subject by unlawfully handling the data subject's data or violating data security requirements, the data subject may demand a compensation fee from the Data Controller.DELETION OF PERSONAL DATA1. Spring Molecular Diagnostics Kft. deletes personal data if its processing is illegal, the purpose of data processing has ceased, or the statutory period for storing the data has expired, as ordered by the court or the data protection commissioner.2. The Data Subject may request the deletion of his/her personal data, for which the request must be sent by e-mail to questions@ivfinfo.ai or by post to Spring Molecular Diagnostics Kft., 1139 Budapest, Röppentyű u. You can request it by sending a letter to address 48. The Organization will delete the data within 15 working days from the receipt of the legal request for deletion, otherwise it will contact the applicant.ENFORCEMENT OPTIONS1. The Data Subject may request the Data Controller to provide information on the management of his personal data, to correct his personal data, and to delete or block his data. The Data Subject may object to the processing of his personal data.2. At the Data Subject's request, the Data Controller provides information about the managed data, the purpose, legal basis, and duration of the data management.3. Although the employees of Spring Molecular Diagnostics Kft. do their best to ensure that data management is safe, transparent and legal, it is a natural part of the process to prepare for possible emergency situations. A data protection incident occurs when a security incident affects the data, the obligation of confidentiality, accessibility or integrity may be violated. If this occurs and the incident is likely to pose a risk to the rights and freedom of the Data Subjects, without undue delay, no later than 72 hours after the data protection incident became known to the Data Controller, the Data Controller must report the incident to the supervisory authority at the following address.National Data Protection and Information Office Authority1125 Budapest, Szilágyi Erzsébet fasor 22/C;postal address: 1530 Budapest, Pf.: 5.,telephone: +36 (1) 391 1400;e-mail: ugyfelszolgalat@naih.hu; www.naih.hu)VALIDITYThese Regulations are valid from April 20, 2023 until withdrawn.THE RIGHT TO CHANGEThe Data Controller declares that it reserves the right to change these Regulations, which may take place in the event of a change in the relevant legislation or other internal processes and procedures.