GENERAL INFORMATION ON DATA PROCESSING ON THE WEBSITE OF XENOVEA LTD

DATA PROCESSING THROUGH THE WEBSITE

In accordance with the principle of transparency as set out in Article 12 of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, hereinafter referred to as "GDPR"), XENOVEA Ltd. provides the following information to the natural persons concerned. The purpose of this document is to provide you, as the natural person concerned (hereinafter referred to as "Data Subject"), with clear and detailed information about all the facts relating to the processing of your data.

1. Processing of personal data

XENOVEA Ltd. (registered office: 6726 Szeged, Jobb fasor 23. B. ép.; company registration number: 06-09-021259; hereinafter referred to as "XENOVEA", "Data controller" or "we") is the controller of the personal data processed under this Privacy Policy and as such is responsible for ensuring that the processing is carried out in accordance with the applicable law. By visiting our website, you agree that XENOVEA processes your personal data in accordance with the following provisions.

2. Purpose and legal basis for processing

Data Subjects can provide information and data about themselves on the Website (see details under point 11) in the following ways:

Information provided to the Data Controller in connection with the use of the Website, in connection with the visit to the Website and its use (see section 2.1)

2.1. Processing of data in connection with the use of the Website

Data management process

Scope of data processed

Duration of data processing

Purpose of data processing

Legal basis for processing

1) Data management process: Data collected when you visit and use this website

Scope of data processed: Technical data such as the IP address of the Data Subject, date and time of visit, browser address type of browser, the address of the website viewed and the previously visited website, which is automatically logged by the system on logging in and logging out.
Duration of data processing: 30 days from the date of logging
Purpose of data processing: Development of the website and services. This data is not capable of identifying the Data Subject.
Legal basis for processing: Voluntary consent of the Data Subject (Article 6(1)(a) GDPR)

2) Data management process: Accounting and bookkeeping operations

Scope of data processed: For individuals: surname, first name, address, telephone number, email address. For companies: company name, company registration number, tax number, address, contact name, telephone number, email address.
Duration of data processing: 8 years from invoice issue
Purpose of data processing: Processing of invoices for the payment of services ordered
Legal basis for processing: Compliance with a legal obligation (Article 6(1)(c) GDPR): Act C of 2000 on Accounting

3) Data management process: Request for quotation

Scope of data processed: Name, company name, email address, phone number, type of services, number of samples.
Duration of data processing: Maximum 8 years from the date of the request for a quote
Purpose of data processing: Request a quote for a service
Legal basis for processing: Voluntary consent of the Data Subject (Article 6(1)(a) GDPR)

4) Data management process: Customer service, complaint handling

Scope of data processed: Name, e-mail address, telephone number, time and method of contact, any attached document(s)
Duration of data processing: The audio recordings and written documents in the contact 1 year after the contact was made
Purpose of data processing: Ensuring effective complaint handling, ensuring the broadest possible representation of the customer's interests, customer service quality improvement
Legal basis for processing: Legitimate interest of the Data Controller (Article 6(1)(f) GDPR) or fulfilment of a legal obligation (Article 6(1)(c) GDPR): Article 17/A(7) of Act CLV of 1997 on Consumer Protection.

5) Data management process: Data processing for marketing purposes

Scope of data processed: Unique identifier (generated in the background), name (required), phone number, email address, city, workplace, date created, IP address, browser type
Duration of data processing: Until the Data Subject's request for erasure
Purpose of data processing: Informing the Data Subject about the services, products and activities of the Data Controller; carrying out marketing activities
Legal basis for processing: Voluntary consent of the Data Subject (Article 6(1)(a) GDPR)

2.1.1. Cookie management

XENOVEA places a small data package, a so-called cookie, on the Data Subject's computer and reads it back during a subsequent visit in order to provide a personalised service. If the browser returns a previously saved cookie, the cookie management service provider has the ability to link the Data Subject's current visit to previous visits, but only with respect to its own content.

Typical cookies are so-called "password-protected session" cookies, security cookies.

Session cookies: are automatically deleted after the Data Subject's visit. These cookies are used to make the Website work more efficiently and securely, and are therefore essential to enable certain features of the Website or certain applications to function properly.

Persistent cookie: a persistent cookie is also used by XENOVEA to provide a better user experience (e.g. to provide optimised navigation). These cookies are stored for a longer period of time in the browser's cookie file. The duration of this cookie will depend on the settings of the Data Subject's web browser.

Data processed: IP address, date and time of visit.

Data Subjects: all Data Subjects visiting the website.

Purpose of the processing: to distinguish the Data Subjects from each other, to identify the current session of the users, to store the data provided during the session, to prevent data loss.

Duration of data processing: the duration of data processing is until the end of the visit to the websites in the case of session cookies, and up to 30 days in other cases.

2.1.2. Delete cookies

The Data Subject has the right to delete the cookie from his/her computer or to disable the use of cookies in his/her browser. You can usually manage cookies by going to the Tools/Preferences menu of your browser and selecting Privacy/Preferences/Custom Preferences, under the menu item Cookies, Cookies or Tracking.

The Website may contain information that comes from third parties, advertising service providers that are not related to the Data Controller. These third parties may also place cookies, web beacons on the Data Subject's computer or collect data using similar technologies in order to send advertising messages to the Data Subject in connection with their services. In such cases, the data processing is governed by the data protection standards set by these third parties and the Data Controller does not assume any responsibility for such processing. The Website may also contain links to external servers (not managed by the Data Controller or its Data Processors) and the sites accessible through these links may place their own cookies or other files on your computer, collect data or request personal information. The Data Controller excludes all liability for these. No personal data will be collected and processed and used to identify and contact the Data Subject. XENOVEA's advertisements may be displayed on websites operated by external service providers (e.g. Google). These third party service providers use cookies to store that the Data Subject has previously visited the Data Controller's Website and, based on this information, display ads to the Data Subject in a personalised manner (i.e. remarketing).

2.1.3. Cookies set by Google Analytics

Google Analytics is an analytics service provided by Google Inc. ("Google"). Google Analytics uses cookies stored on your computer to analyse your interactions with the website. The legal basis for the processing for web analytics purposes is the voluntary consent of the website user. Cookies for analytics purposes are anonymised and aggregated data which make it difficult, but not impossible, to identify the computer. The analytical information collected by Google Analytics cookies is transmitted to and stored by Google on its servers. Google processes this information on behalf of XENOVEA in order to evaluate users' browsing habits, compile reports on website usage frequency and provide XENOVEA with other services related to website usage. The IP address transmitted via the browser in the context of Google Analytics will not be combined with other data by Google. Google Analytics uses cookies for analytical purposes. More information about the cookies used by Google Analytics can be found at the following link:

https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage#analyticsjs

2.1.4. Google Adwords

The Website uses Google Adwords remarketing tracking codes. This is so that visitors to the site can be targeted by remarketing ads on websites in the Google Display network. The remarketing code uses cookies to tag visitors. Website users can disable these cookies by visiting the Google advertising settings manager and following the instructions there. They will then no longer receive personalised offers from the service provider. More information about the cookies used by Google can be found at the following link:

https://policies.google.com/technologies/ads

Google's privacy statement is available at the following link:

https://policies.google.com/privacy

2.2. Other information

The Data Controller shall not use the personal data provided for purposes other than those set out above. The disclosure of personal data to third parties or public authorities is possible, unless otherwise provided by law, with the prior explicit consent of the Data Subject. In all cases where the Data Controller intends to use the data provided for purposes other than those for which they were originally collected, depending on the legal basis for such use, the Data Subject shall be informed thereof and shall obtain his or her prior explicit consent or be given the opportunity to oppose such use. The Data Controller will process the personal data for the duration of the purpose of the processing, in particular for the duration of the legal relationship with the Data Subject (at the end of which period the data relating to the Data Subject will be deleted), or until the Data Subject requests the deletion of his/her data or withdraws his/her consent.

The processing is carried out automatically by electronic means as follows: the data are recorded and processed by the computer system. The automated data processing does not involve profiling or any other process which would result in an evaluation of the personal characteristics of the data subjects, but is used solely for the management of the interface for the booking of the appointment.

3. Data processors

Data processor: Wix.com LTD

Headquarters: Yunitsman 5 Tel Aviv Israel

VAT ID: EU442008451

Activity: hosting service provider

4. Data transmission

In the absence of an express legal provision, the Data Controller shall only disclose to third parties data that can be used to identify the Data Subject with the express consent of the Data Subject concerned.

5. Rights of the Data Subject

5.1 Information and access to personal data

The Data Subject has the right to access his or her personal data held by XENOVEA and information about the processing thereof, to request at any time, to check what data XENOVEA holds about him or her and to have access to the personal data. The Data Subject shall submit his/her request for access to the data to XEBOVEA in writing and the Data Controller shall provide the requested data in writing (by electronic means or by post) and shall not provide any oral information in this context. In case of exercise of the right of access, the information shall include the following data:

the scope of the data processed;
the purpose, time and legal basis of the processing in relation to the scope of the data processed;
to whom the data have been or will be further transmitted;
indication of the source of the data.

The Data Controller shall provide the Data Subject with a paper or electronic copy of the personal data free of charge for the first time. For additional copies requested by the Data Subject, the Controller may charge a reasonable fee based on administrative costs. If the Data Subject requests a copy by electronic means, the information shall be provided to the Data Subject by the Data Controller by email in a commonly used electronic format. Following the information, if the Data Subject does not agree with the processing and the accuracy of the data processed, he or she may request the rectification, integration, erasure or restriction of the processing of personal data concerning him or her, as set out in point 5.2, or object to the processing of such personal data, or initiate the procedure set out in point 5.4.

5.2. Right to rectification and integration of personal data processed

Upon the Data Subject's request, XENOVEA shall, without undue delay, correct inaccurate personal data provided by the Data Subject in writing or complete incomplete data with the content indicated by the Data Subject. The Data Controller shall inform any recipient to whom it has disclosed the personal data of the rectification or completion, unless this proves impossible or involves a disproportionate effort. It shall inform the Data Subject of the data of such recipients if he or she so requests in writing.

XENOVEA informs the Data Subjects that the Company does not verify the accuracy of the personal data provided. The party providing the data is solely responsible for the correctness of the data provided.

5.3. Right to restriction of processing

The Data Subject shall have the right to obtain, upon written request, restriction of processing by the Data Controller if:

the Data Subject contests the accuracy of the personal data. In this case, the restriction shall apply for the period of time necessary to allow the Data Controller to verify the accuracy of the personal data;
The processing is unlawful and the Data Subject opposes the erasure of the data and requests instead the restriction of their use;
the Data Controller no longer needs the personal data for the purposes of processing, but the Data Subject requires them for the establishment, exercise or defence of legal claims;
The Data Subject objects to the processing, in which case the restriction shall apply for a period of time until it is established whether the legitimate grounds of the Controller prevail over the legitimate grounds of the Data Subject.

The Data Controller shall inform the Data Subject at whose request the processing has been restricted in advance of the lifting of the restriction of processing.

5.4 Right to erasure

At the Data Subject's request, the Data Controller shall delete the personal data concerning the Data Subject without undue delay if one of the specified grounds applies:

the personal data are no longer necessary for the purposes for which they were collected or otherwise processed by the Data Controller;
The Data Subject withdraws the consent on the basis of which the processing was carried out and the processing is no longer necessary for the purposes for which it was intended no other legal basis for the processing;
the Data Subject objects to the processing on grounds relating to his or her particular situation and there are no legitimate grounds for the processing,
The Data Subject objects to the processing of personal data concerning him or her for direct marketing purposes, including profiling, where it is related to direct marketing
the personal data are unlawfully processed by the Data Controller;
personal data have been collected in connection with the provision of information society services directly to children.

The Data Subject may not exercise his or her right to erasure or blocking where the processing is necessary

for the exercise of the right to freedom of expression and information;
on grounds of public interest in the field of public health;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where the exercise of the right of erasure would make such processing impossible or seriously impair it; or
for the establishment, exercise or defence of legal claims

5.5. Right to data portability

Data portability allows the Data Subject to obtain and further use his/her "own" data that he/she has provided to the Data Controller's system, for his/her own purposes and through different service providers. In all cases, the right is limited to the data provided by the Data Subject, no other data portability is possible (e.g. statistics, transaction data, etc.). The Data Subject will receive the personal data used in the subscription process in a structured, commonly used, machine-readable format, he/she has the right to transfer it to another data controller, he/she may request direct transfer of the data to the other data controller - if technically feasible in the Data Controller's system. The Data Controller shall only comply with a request for data portability on the basis of a request sent by email or post. In order to comply with the request, the Data Controller must ensure that the Data Subject who is entitled to exercise the right to data portability actually intends to exercise it.

To do this, the Data Subject must provide in his or her request the data that allow him or her to be identified. These data include at least: name, email address, billing name, address, telephone number (depending on the service used). The Data Subject may request the portability of only the data that he or she has directly provided in the course of using certain services as defined in point 2.The exercise of this right does not automatically entail the deletion of the data from the Data Controller's systems, and the Data Subject may continue to use the Data Controller's services after exercising this right. Data will be deleted only if the Data Subject explicitly requests it.

5.6. Objection to the processing of personal data

The Data Subject may object at any time to the processing of his or her personal data, including profiling, on grounds relating to his or her particular situation, and the Data Subject has the right to object at any time to the processing of personal data concerning him or her for direct marketing purposes, including profiling. If the Data Subject objects to the processing of personal data for direct marketing purposes, the personal data shall no longer be processed by the Data Controller for such purposes.The Data Subject can object in writing (by email or post) or by newsletter, in the case of any notification letter sent to him or her, by clicking on the unsubscribe link in the letter.

5.7. Deadline for fulfilling the request

The Data Controller shall inform the Data Subject of the measures taken without undue delay, but in any event within one month of receipt of any request pursuant to points 5.1 to 5.6. Where necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months, but in that case the Data Controller shall inform the Data Subject within one month of receipt of the request, stating the reasons for the delay.If the Data Subject has submitted the request by electronic means, the Controller shall provide the information by electronic means, unless the Data Subject requests otherwise.

6. Law enforcement options

The Data Subject may exercise his or her rights by sending a request by email or post. No rights can be exercised by telephone.You can exercise your rights by contacting us at the following contact details:

Name: XENOVEA Ltd.

Address for correspondence: 6726 Szeged, Jobb fasor 23. B. ép.

Email address: info.xenovea@gmail.com

The Data Subject cannot enforce his or her rights if the Data Controller proves that he or she is not in a position to identify the Data Subject. Where the Data Subject's request is manifestly unfounded or excessive (in particular in view of its repetitive nature), the Data Controller may charge a reasonable fee for complying with the request or refuse to act. The burden of proof shall lie with the Data Controller.

If the Data Controller has doubts as to the identity of the natural person making the request, it may request additional information necessary to confirm the identity of the applicant. If the Data Subject does not agree with the decision of the Data Controller, he or she may, on the basis of the Info.tv., the Regulation and the Civil Code (Act V of 2013), turn to the National Authority for Data Protection and Freedom of Information (1055 Budapest, Falk Miksa u. 9-11.; www.naih.hu) or assert his or her rights before a court.

7. Handling data breaches

A data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The Data Controller shall keep a register for the purposes of monitoring the measures taken in relation to the personal data breach, informing the supervisory authority and informing the Data Subject, which shall include the scope of the personal data affected by the breach, the number and type of data subjects, the date of the breach, the circumstances of the breach, its effects and the measures taken to remedy the breach.

If the Data Controller considers that an incident presents a high risk to the rights and freedoms of Data Subjects, it shall inform the Data Subject and the supervisory authority of the personal data breach without undue delay and within 72 hours at the latest.

8. Links

XENOVEA Ltd. is not responsible for the content, data and information protection practices of external websites that can be accessed from the Website as a jumping off point. If XENOVEA Ltd. becomes aware that a page or link it has linked to violates the rights of third parties or the applicable laws, it will immediately remove the link from the Website.

9. Data security

The Data Controller undertakes to ensure the security of the data, to take technical and organisational measures and to establish procedural rules to ensure that the data recorded, stored or processed are protected and to prevent their destruction, unauthorised use or unauthorised alteration. It also undertakes to require all third parties to whom it transfers or discloses data on the basis of the Data Subject's consent to comply with the requirement of data security. The Data Controller shall ensure that the processed data cannot be accessed, disclosed, transmitted, modified or deleted by unauthorised persons. The processed data may only be accessed by the Data Controller, its employees and its data processor(s) and shall not be disclosed by the Data Controller to third parties not entitled to access the data.

The Data Controller shall make every reasonable effort to ensure that the data are not accidentally damaged or destroyed. The Data Controller shall also impose the above commitment on its employees involved in the processing activities. The Data Subject acknowledges and accepts that, in the event of providing his/her personal data on the Website, despite the fact that XENOVEA Ltd. has state-of-the-art security measures in place to prevent unauthorized access to or disclosure of the data, the data cannot be fully protected on the Internet.

In the event of unauthorized access or disclosure despite our efforts, XENOVEA Ltd. shall not be liable for any such acquisition or unauthorized access or for any damages to the Data Subject resulting therefrom. In addition, the Data Subject may also provide his or her Personal Data to third parties who may use it for unlawful purposes or in unlawful ways. Under no circumstances will the Data Controller collect sensitive data, i.e. data revealing racial or ethnic origin, membership of national or ethnic minorities, political opinions or political parties, religious or philosophical beliefs, membership of an interest group, health, pathological or sexual life or criminal records. For data security reasons, it is important that when using the Internet in public places on shared computers, you should always log out of the website after use. If you are visiting our site from your own computer, you may remain logged in for a period of time, depending on your application. In this case, you should also be careful to ensure that strangers cannot access your computer and carry out transactions (subscriptions, applications, etc.) on your behalf.

10. Other provisions

The Data Controller reserves the right to unilaterally amend this Privacy Notice by giving prior notice to the Data Subjects via the www.xenovea.com Website. After the amendment has entered into force, the Data Subject shall, unless he/she objects, accept the amended Privacy Notice by continuing to use the Website or the Services.

11. Domain addresses operated by the data controller (Website):

- xenovea.com

XENOVEA LTD

Effective: 2024-03-01