Legal document

Privacy Notice

Information on data processing related to the AVA-Stabilis Kft. website, contact forms and services

Effective date: 10 June 2026

1. Introduction

This Privacy Notice (the “Notice”) provides information on the data processing carried out by AVA-Stabilis Kft. (the “Controller”). The Notice applies to website visitors, contact-form users, consultation requesters, pilot prospects, business partners and contractual clients.

The Controller processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and applicable Hungarian legislation.

2. The Controller

The Controller is not obliged to appoint a Data Protection Officer (DPO) under applicable law; for data protection matters it can be reached via the contact details above.

3. Categories of personal data

Based on the use of the website and on contact, the Controller may typically process the following data:

• name;
• work email address;
• phone number;
• organization name;
• role / position;
• organization type;
• area of interest / content of the message;
• date of contact;
• content of communication;
• business or operational information voluntarily provided during consultation or pilot preparation;
• billing data, if a contract is concluded or an invoice is issued;
• technical data: IP address, browser and device data, visit time, cookie data, if such data is collected.

The Controller does not request or process personal data that is not necessary for the above purposes. The Controller does not request special categories of data (e.g. health, religious or ethnic data).

4. Purposes of processing

• handling inquiries;
• scheduling consultation;
• preparing proposals;
• preparing pilots;
• conclusion and performance of contracts;
• invoicing and compliance with legal obligations;
• client relationship management;
• service improvement;
• operation and security of the website;
• sending a newsletter only if such a service is actually available and the data subject has separately consented to it.

5. Legal bases

The Controller may carry out processing on the following GDPR legal bases:

• the consent of the data subject (Art. 6(1)(a) GDPR);
• steps prior to entering into a contract or performance of a contract (Art. 6(1)(b) GDPR);
• compliance with a legal obligation, e.g. accounting obligations (Art. 6(1)(c) GDPR);
• the legitimate interest of the Controller or a third party, e.g. contact management, business administration, website security (Art. 6(1)(f) GDPR);
• separate consent for a newsletter, should such a service be introduced.

6. Pilot and read-only data processing

During a pilot or operational diagnostic project, AVA-Stabilis works based on a data framework agreed separately with the client. The service follows a read-only principle: AVA-Stabilis analyzes the necessary data, exports, reports, logs, status data or other operational traces, but does not modify the client's live systems, does not take over operations and does not write back into client systems unless separately agreed in writing.

The following principles apply to pilot and diagnostic data processing:

• use of anonymized or aggregated data where possible;
• data minimization: processing only the data necessary for the assessment;
• purpose limitation: data is used solely for the agreed purpose;
• restricted access, limited to the relevant team members;
• the option of a non-disclosure agreement (NDA) or a separate data-processing agreement;
• client data and pilot outputs are not made public.

7. Processors

AVA-Stabilis Kft. may use processors for website hosting, email services, invoicing, accounting or business administration. The current list of processors is made available by the Controller through an update to this Notice or upon request.

8. Data transfers

• The Controller transfers personal data to third parties only with an appropriate legal basis.
• Authority requests are fulfilled in accordance with applicable law.
• International transfers (to third countries) take place only with appropriate safeguards under the GDPR.
• Client data and pilot results are disclosed only with the client's explicit permission, or in anonymized / demonstration form.

9. Data security

The Controller applies technical and organizational measures proportionate to the risk in order to protect personal data and confidential business information. In particular:

• access control, limited to the relevant team members;
• data minimization;
• logging where appropriate;
• protection of business secrets and confidential information;
• handling of data breaches in line with the GDPR and, where required, notification.

10. Cookies

The website may use technically necessary cookies to ensure proper operation. If analytics or marketing cookies are introduced, AVA-Stabilis will provide a separate cookie notice or consent mechanism where required.

11. Data subject rights

Under the GDPR, the data subject is entitled to the following rights:

• right of access;
• right to rectification;
• right to erasure (“right to be forgotten”);
• right to restriction of processing;
• right to data portability;
• right to object;
• right to withdraw consent at any time;
• right to lodge a complaint with the supervisory authority.

The data subject may exercise these rights via: info@ava-stabilis.com. The Controller will examine and respond to the request within the time limit set by the GDPR.

12. Supervisory authority

13. Automated decision-making

• The AVA-Stabilis website and contact process do not apply solely automated decision-making, including profiling.
• The diagnostic service is decision-support in nature: it does not automate or replace the client's decisions.

14. Amendments

The Controller is entitled to update this Notice unilaterally. The version in force at any given time is available on the website and takes effect upon publication.

Related documents: Terms of Use · Data Processing Framework