Privacy Policy

Effective: 13 June 2026

Version 1.3 - Google Analytics processor clarification

This Privacy Policy explains how Avenir Facility Management Kft. processes the personal data provided through the www.afm.hu website, in particular during the contact and quote-request process. Its purpose is to provide data subjects with concise, transparent, intelligible and easily accessible information about the processing.

The scope of this Policy covers the contact and quote-request process on the www.afm.hu website and the contractual administration following a successful quote request. Other processing activities of the Controller - in particular CCTV monitoring at client sites, private investigation activity, employee data processing and data processing carried out in client projects - are governed by separate privacy notices. These are available on request at info@afm.hu, and on-site notices are available at the relevant service locations.

Authoritative language: the authoritative version of this Policy is the Hungarian text published at https://www.afm.hu/hu/adatvedelem. The English version is provided for the convenience of non-Hungarian-speaking readers; in the event of any discrepancy between language versions, the Hungarian text prevails.

1. Controller

Controller: Avenir Facility Management Kft.
Legal name: Avenir Facility Management Szolgáltató Korlátolt Felelősségű Társaság
Registered office: Királyok útja 291, building B, door 15, 1039 Budapest, Hungary
Company registration number: 01-09-328046
Company court: Court of Registration of the Budapest-Capital Regional Court (1051 Budapest, Nádor u. 28., Hungary)
Tax ID: 26395124-2-41
EU VAT ID: HU26395124
Date of incorporation: 31 July 2018
Email: info@afm.hu
Phone: +36 70 316 8218
Website: https://www.afm.hu

2. The Controller's Representative

Representative: Attila Kovács, Managing Director
Email: info@afm.hu
Phone: +36 70 312 5868

3. Data Protection Officer (DPO)

The Controller has appointed a Data Protection Officer pursuant to GDPR Article 37(1)(b) and (c).

Data Protection Officer: Fanni Csegény
Email: dpo@afm.hu
Phone: +36 70 622 6242
Postal contact: Királyok útja 291, building B, door 15, 1039 Budapest, Hungary

The Data Protection Officer can be contacted regarding questions relating to data processing and the exercise of data subject rights. Notification to NAIH has been completed pursuant to Section 25/L of the Hungarian Infotv. Remedies are described in a separate section.

4. Processing Activities Related to the Contact Process (GDPR Article 13)

In the contact process on the www.afm.hu website, we carry out the following processing activities:

4.1. Handling of contact and quote requests

Personal data processed: full name, company name, email address, phone number, area of interest, and personal data recorded in the message text.
Purpose of processing: receiving the enquiry, handling the quote request, responding, and the related business communication.
Legal basis:
- GDPR Article 6(1)(b), where the quote request is necessary for steps to be taken prior to entering into a contract with the data subject as a prospective contracting party, for example in the case of a natural person or sole trader.
- GDPR Article 6(1)(f), where the data subject acts as a contact person of a legal person or organisation. In such cases, the Controller's legitimate interest is the handling of business contact, the preparation of the offer, and the maintenance of B2B client communication.
Retention period:
- In the case of an unsuccessful quote request, no more than 12 months from the last contact, unless a longer retention period is necessary for the establishment or defence of legal claims.
- Where a contract is concluded: the data necessary for the preparation, performance or enforcement of the contract may be processed as part of the contractual documentation until the general limitation period expires, calculated from the termination of the contract or the due date of the relevant claim. Under the general rule of Section 6:22 of the Hungarian Civil Code, this is 5 years. For accounting documents, the retention period is 8 years, on the basis of Act C of 2000 on Accounting.

4.2. Abuse prevention and website security

Personal data processed: log data related to the technical use of the contact form, in particular IP address, timestamp, browser and device information, and the technical identifiers of the submission.
Purpose of processing: technical prevention of the abusive use of the contact form.
Legal basis: GDPR Article 6(1)(f). The Controller's legitimate interest is the secure operation of the website and the form, and the prevention of unauthorised or mass submissions.
Retention period: no more than 30 days from recording, unless a longer retention period is necessary due to a security incident or a legal claim.

4.3. Contractual administration following a successful quote request

Personal data processed: the contact person's name, position, email address and phone number, and the personal data provided by the contact person during the communication.
Purpose of processing: preparation and performance of the contract, keeping in contact, performance certification, and administration related to invoicing and the enforcement of claims.
Legal basis: GDPR Article 6(1)(b), where the data subject acts as the contracting party. In the case of a contact person of a legal person or organisation, GDPR Article 6(1)(f), where the Controller's legitimate interest is the maintenance and performance of the contractual business relationship.
Retention period: until the general limitation period expires, calculated from the termination of the contract or the due date of the relevant claim, as a general rule 5 years. For accounting documents, 8 years under the Accounting Act.

5. Exclusion of Special, Criminal and Third-Party Data

Please do not submit special-category data, criminal-offence data, classified data, trade secrets, or detailed private-life information about third parties via the contact form. The Controller does not request and does not process such data in the website's contact process. If a submitted message contains such data, the Controller may delete the data not necessary for handling the enquiry, or may ask the data subject to resubmit the enquiry without such data.

6. Our Data Processors (GDPR Article 28)

To operate the website and the contact process, the Controller engages data processors. The data processors act on the Controller's instructions. The Controller keeps records of the data-processor terms and the data-transfer safeguards; the data subject may request further information about their content.

6.1. Resend - Plus Five Five, Inc.

Role: transactional email delivery.
Registered office: 2261 Market Street #5039, San Francisco, CA 94114, USA
Place of processing: EU Frankfurt (sending region)
Safeguard for third-country transfer: the Standard Contractual Clauses under Commission Implementing Decision (EU) 2021/914, i.e. SCCs, pursuant to GDPR Article 46(2)(d), together with supplementary technical and organisational measures.

6.2. Vercel - Vercel Inc.

Role: hosting, edge/CDN service and server-side logging.
Registered office: 440 N Barranca Avenue #4133, Covina, CA 91723, USA
Place of processing: EU edge regions (configured)
Safeguard for third-country transfer: at the time this Policy was prepared, Vercel Inc. appears on the EU-U.S. Data Privacy Framework list; transfers may therefore take place on the basis of the adequacy decision under GDPR Article 45.

6.3. Neon (an affiliate of Databricks, Inc.) - Neon, LLC

Role: PostgreSQL database service.
Registered office: 160 Spear Street, Suite 1300, San Francisco, CA 94105, USA
Place of processing: EU AWS Frankfurt (eu-central-1)
Safeguard for third-country transfer: the Standard Contractual Clauses under Commission Implementing Decision (EU) 2021/914, i.e. SCCs, pursuant to GDPR Article 46(2)(d), together with supplementary technical and organisational measures.

6.4. Google Analytics 4 (GA4) - Google Ireland Limited / Google LLC

Processor / provider: Google Ireland Limited / Google LLC, as applicable under the contractual and service terms for Google Analytics.
Service: Google Analytics 4 (GA4).
Purpose: consent-based aggregated analysis of website traffic and usage.
Data categories: online identifiers, such as cookie identifiers, IP addresses, device identifiers, client identifiers and technical browsing event data.
Restriction: Avenir does not send names, email addresses, phone numbers, company names, message text or free-text form content to Google Analytics.
Legal basis: GDPR Article 6(1)(a) - consent.

7. International Data Transfers

Some of the service providers engaged to operate the website are located outside the European Economic Area, in particular providers with a U.S. background. In such cases, the Controller transfers personal data only where an appropriate safeguard under the GDPR is available. Such safeguards may include in particular:
- an adequacy decision of the European Commission, for example under the EU-U.S. Data Privacy Framework;
- the Standard Contractual Clauses (SCCs) adopted by the European Commission;
- supplementary technical and organisational measures.

When Google Analytics is used, data may be transferred to or accessed by Google group entities or subprocessors outside the European Economic Area. According to Google's published information, the Data Privacy Framework and/or Standard Contractual Clauses may be relevant safeguards for such transfers. The applicable safeguards should be assessed based on Google's current data processing terms and transfer frameworks.

For more detailed information on how the EU-U.S. Data Privacy Framework works and on how to verify the certification of U.S. providers, see the information of the European Data Protection Board: https://www.edpb.europa.eu/system/files/2026-01/edpb_dpf_faq-for-individuals_v2_en.pdf

8. Cookies and Similar Technologies

The website uses analytics cookies or similar technologies only on the basis of the user's consent. Analytics is currently performed using Google Analytics 4 (GA4). Analytics does not start before consent is given. If analytics is rejected, Google Analytics does not load. Analytics events do not include name, email address, phone number, company name, message text or free-text form content. Technical solutions necessary for the operation and security of the contact form do not serve advertising-related tracking. The user may change the choice through Cookie settings. The website currently does not use Google Tag Manager, LinkedIn Insight Tag or other marketing tracking pixels.

9. Rights of the Data Subject (GDPR Articles 12-22)

The data subject may exercise their rights through the contact details provided in this Policy.

Right of access

The data subject has the right to request information from the Controller as to whether their personal data are being processed. If such processing is taking place, they are entitled to know which of their personal data the Controller processes, on what legal basis, for what processing purpose and for how long. The data subject is further entitled to be informed about:
- to whom, when, on what legal basis and to which of their personal data the Controller has granted access, or to whom it has transferred the personal data;
- the source of their personal data; and
- whether the Controller applies automated decision-making or profiling.

The Controller provides a copy of the personal data undergoing processing free of charge on the first occasion at the data subject's request. For further copies, a reasonable fee based on administrative costs may be charged.

Right to rectification

The data subject may request that the Controller modify or correct a personal datum. If the data subject can credibly demonstrate the accuracy of the corrected data, the Controller fulfils the request within one month at the latest and notifies the data subject accordingly.

Right to restriction of processing (blocking)

The data subject may request that the Controller restrict the processing of their personal data where:
- they contest the accuracy of the data;
- the processing is unlawful but the data subject opposes erasure;
- the Controller no longer needs the data but the data subject requires them for the establishment, exercise or defence of legal claims; or
- the data subject has objected to the processing, for the period during which it is established whether the Controller's legitimate grounds override those of the data subject.

Right to object

The data subject may object at any time, on grounds relating to their particular situation, to processing based on GDPR Article 6(1)(f). In such a case, the Controller must demonstrate that the processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the data subject, or that the processing relates to the establishment, exercise or defence of legal claims.

Right to erasure ("right to be forgotten")

The data subject may request the erasure of their personal data where:
- the data are no longer needed;
- they have objected to the processing and there is no overriding legitimate ground;
- the Controller processes the data unlawfully; or
- the data must be erased under a legal or EU provision.

Right to data portability

Where the legal basis of processing is the performance of a contract or steps taken prior to entering into a contract, and the processing is carried out by automated means, the data subject may request to receive the personal data they have provided in a structured, commonly used, machine-readable format.

Withdrawal of consent

In the contact process, the Controller does not primarily process data on the basis of consent. If any future processing were based on consent, the data subject would be entitled to withdraw it at any time.

10. Automated Decision-Making and Profiling

The Controller does not apply automated decision-making within the meaning of GDPR Article 22, and does not carry out profiling, on the basis of the personal data provided through the website.

11. How to Exercise Your Rights

The Controller responds to data-subject requests without undue delay, but within one month at the latest from receipt of the request. Where necessary, taking into account the complexity and the number of requests, this period may be extended by a further two months. The Controller informs the data subject of any such extension within one month. In order to meet data-security requirements and to protect the data subject's rights, the Controller is entitled to verify that the request was indeed submitted by the data subject or their authorised representative. If there are reasonable doubts concerning the identity of the data subject, the Controller may request additional information necessary for identification, pursuant to GDPR Article 12(6). If a request is manifestly unfounded or excessive, in particular due to its repetitive character, the Controller may charge a reasonable fee or refuse to act on the request, pursuant to GDPR Article 12(5).

12. Remedies

For any question or complaint relating to data processing, the data subject may first turn to the Controller or the Data Protection Officer.

Supervisory authority: National Authority for Data Protection and Freedom of Information (NAIH)
Address: Falk Miksa utca 9-11, 1055 Budapest
Postal address: P.O. Box 9, 1363 Budapest
Phone: +36 1 391 1400
Email: ugyfelszolgalat@naih.hu
Web: https://www.naih.hu

The data subject may also turn to the courts. At the data subject's choice, the action may be brought before the regional court (törvényszék) of their place of residence or stay.

13. Handling of Data Breaches

The Controller records and investigates data breaches and, where necessary, takes the notification and communication steps required by the GDPR. If the breach is likely to result in a risk to the rights and freedoms of natural persons, the Controller notifies NAIH without undue delay and, where feasible, within 72 hours. If the breach is likely to result in a high risk to data subjects, the Controller also informs the data subjects.

14. Data Security Measures

To ensure the security of processing, the Controller applies in particular the following measures: data minimisation, encrypted data transmission and storage, access restriction, identity and access management, logging, backups, vulnerability management, an incident-handling process, and organisational data-protection and information-security measures. The Controller holds ISO 9001 and ISO/IEC 27001 certifications, which support documented, controlled and continuously improved operation.

15. Modification of this Policy

The Controller reserves the right to modify this Policy. The version in force at any given time is available at https://www.afm.hu. The Controller provides appropriate notice of any material modification on the website.

Version history:
- Version 1.3 - Effective from 13 June 2026. Google Analytics 4 processor and transfer clarification; analytics runtime behaviour did not change, and the website still does not use Google Tag Manager, LinkedIn Insight Tag, Google Ads remarketing or other marketing tracking pixels.
- Version 1.2 - Effective from 1 June 2026. Parity with Hungarian version 1.2; scope clarification; Controller and DPO details added; cookies and analytics wording aligned with consent-gated Google Analytics.
- Version 1.1 - Effective from 6 May 2026. On the basis of the DPO's comments: processing activities clarified, GDPR references made more intelligible, third-country transfer safeguards and data-subject rights revised.
- Version 1.0 - Effective from 28 April 2026. First publication.