Privacy Policy

Last updated: 2023-03-26

for SaaS First, provided by GBD Software as a Service Private Limited Company

Who are we, as the Data Controller?

How do we collect your Personal Data?

Why we collect your Personal data - Record of processing activities

How do we protect your Personal Data?

How long do we use Personal Data for?

Cookies

Sensitive Data

Use of Services by Minors

Sharing information with others

Third parties that provide services

Other Uses and Disclosures

What are your data protection rights?

How to contact Us?

Annexes

 

Please read this privacy policy (“Privacy Policy”) carefully to understand how the Data Controller uses the Personal Data (“PD”) we collect from you when you visit or use our Website.

The aim of this Privacy Policy is to inform you about the data processing activities as required by Articles 13 and 14 of the GDPR.

Articles 13 and 14 of the GDPR are about providing transparent information to Customers about how their PD are collected, used, consulted or otherwise processed. 

The main difference between them is that Article 13 applies when PD are collected from the Customer, while Article 14 applies when PD are not obtained from the Customer.

This means that Article 13 requires providing privacy information at the time of obtaining the data, while Article 14 requires providing it within a reasonable period after obtaining the data or at least before further processing.

This Privacy Policy applies when we are acting as a data controller with respect to the PD of our Website Visitors, our Users and our Customers.

 

Who are we, as the Data Controller?

The Data Controller, who determines the purpose and manner in which your PD is used, is GBD Software as a Service Private Limited Company, a company incorporated under the laws of Hungary, seated: Szikra tanya 93., Lakitelek, 6065, Hungary. Tax number: HU27325162, Company Reg. Number: 03-10-100682 (hereinafter referred to as: “Data Controller”, “Provider”, “Service Provider”, “we”, or “us”). See further definitions as per our Terms of Service.

 

How do we collect your Personal Data?

We collect Personal Data (“PD”) from the following main sources:

  1. Firstly we collect PD from the visits on our website, 
    1. either with scripts (JavaScript), which run the first time a Customer visits the website of a User, and again on every subsequent visit. If new or modified data is found, the script refreshes that data in our Customer database. Our Users insert the script of our chatbot into their website in order to use and provide our services to their Customers. You can recognize such a website by our chat appearing in the corner of your browser window,
    2. or cookies (see our Cookie Policy for details)
  2. Secondly, by collecting data of our Users who decide to register on our Website.
  3. Thirdly, by storing the data of our Customers as Data Processors, based on mutually binding Data Processing Agreements (DPAs), which our Users are required to consent to before they can use any of our Services.
  4. Fourthly, when a User tries the demo of our AI-Bot, it crawls the provided website address and its content for data about the business, but also possibly any PD the User provided there, unknown to us.
  5. Fifthly, from any omnichannel inbox (e.g. SaasFirst chatbot modules) integrated into our Users’ websites.
  6. Sixthly, as we forward the data from our chatbots to OpenAI (ChatGPT), it analyzes this data and provides us and our customers with feedback by compiling customer data and creating personal customer profiles. These profiles help our Users to target Customers more personally, taking their mood, behavior and emotions into consideration.

 

Why we collect your Personal data - Record of processing activities

The main goal of our data collection is to provide our Users with PD of their Customers, in order to help them run email, chat, popup and browser push marketing campaigns and to use our AI-chatbot service to provide customer support to them.

Our users are able to filter this database in detail in our system in order to send targeted chat, popup, email marketing or browser push notifications to you.

 

Even though not legally required by Article 30 GDPR based on the size of our Company, we are maintaining a Record of processing activities („ROPA”), in order to inform our Customers and the Customers of our transparent handling of PD.

You shall find the ROPA as Appendix 1 of this Privacy Policy.

This Privacy Policy and our ROPA contain all the information required by the aforementioned GDPR articles.

 

In our case, the information to be provided where PD are collected from the Customer (Article 13 GDPR) refers to our Users, while the information to be provided where PD have not been obtained directly from the Customer refers to the PD of our Customers, as their PD is provided to us by our Users.

 

The GDPR requirements we are fulfilling by giving transparent information are the following:

  1. Where PD relating to a Customer are collected from the Customer, the controller shall, at the time when PD are obtained, provide the Customer with all of the following information:
    1. the identity and the contact details of the controller and, where applicable, of the controller’s representative;
    2. the contact details of the data protection officer, where applicable;
    3. the purposes of the processing for which the PD are intended as well as the legal basis for the processing;
    4. where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
    5. the recipients or categories of recipients of the PD, if any;
    6. where applicable, the fact that the controller intends to transfer PD to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

 

By accessing or using the Website or the Services, you undertake to understand this Privacy Policy about the collection, transfer, storage, disclosure, and use of your PD as described below. Our Services also incorporate privacy controls which affect how we will process your PD. Please refer to the title “What are your data protection rights” for a list of rights with regard to your PD and how to exercise them. 

This Policy may change from time to time. If there is a major change in our Privacy Policy which would substantially affect or is likely to substantially affect Customers and their rights, we are going to notify our Users based on the DPAs, in their respective user accounts.



How do we protect your Personal Data?

In order to avoid unauthorized use and misuse of PD, Provider has taken comprehensive technical and operational safety measures. Our safety procedures have been regularly reviewed and improved in line with technological development. These measures include the following:

  • We protect the security of your information while it is being transmitted by using a secure connection;
  • We use computer safeguards such as firewalls to keep this data safe;
  • We only authorize access to employees and trusted partners who need it to carry out their responsibilities;
  • We regularly monitor our systems for possible vulnerabilities and attacks, and we carry out penetration testing to identify ways to further strengthen security;
  • We will ask for proof of identity before we share your PD with you; and
  • We rely on payment service providers for all our payment processing: in terms of credit card information, we only store the last 4 digits of someone's card in our database.

Please be aware, though, that despite our efforts, no security measures are perfect or impenetrable. We cannot ensure, and do not warrant or guarantee, that the information you transmit to the Provider will remain secure, nor do we guarantee that this information will not be accessed, disclosed, altered, destroyed or used in an unauthorized manner.

If we learn of a security breach, we may attempt to notify you electronically so that you can take appropriate protective steps. If you have any questions about the security of your personal information, please contact us as indicated in the ‘Contact Us’ section below.

The PD that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by companies operating outside the EEA who work for us or for one of our service providers. If we do this we ensure that your privacy rights are respected in line with this Privacy Policy.

How long do we use Personal Data for?

We will not keep your PD longer than we need to, and we will only use your PD for the purposes set out in this Privacy Policy and ROPA. We will always keep your PD in accordance with applicable legal and regulatory requirements.

In case we process your Personal Data based on your consent, Provider will keep your PD until you withdraw your consent given to the data processing. Once you withdraw your consent, we will delete your data permanently.

If you do not withdraw your consent, we will keep your Personal Data for up to 1 year after we stop providing you with our services.

In case we process your Personal Data based on our legitimate interest, we will terminate the processing and delete your Personal Data as soon as we have no further legitimate interest for the processing.

Cookies

We use cookies and similar tracking technologies to collect and use Personal Information about you, including to serve interest-based advertising. For further information about the types of cookies and tracking technologies we use, why, and how you can control them, please see our Cookie Policy.

Sensitive Data

We ask that you not send us, and you not disclose, on or through the Services or otherwise to us, any Sensitive Personal Data (e.g., any government-issued identification number; credit or debit card details or financial account number, with or without any code or password that would permit access to the account; or information on race, religion, ethnicity, sex life or practices or sexual orientation, medical or health information, genetic or biometric information, biometric templates, political or philosophical beliefs, political party or trade union membership, or information on any judicial or administrative proceedings).

Use of Services by Minors

The Services are not directed to individuals under the age of sixteen (16), and we request that they not provide Personal Data through the Services.

Sharing information with others

In certain situations, Provider may share your PD with third parties. 

 

These companies may only process personal information pursuant to our instructions and in compliance both with this Privacy Policy and other applicable confidentiality and security measures and regulations.

 

Specifically, we do not permit these companies to use any personal information we share with them for their own marketing purposes or for any other purpose than in connection with the services they provide to us.

Third parties that provide services

Please see the Annex of Processors as an appendix to this Privacy Policy.


Other Uses and Disclosures

We will use and disclose Personal Data as we believe to be necessary or appropriate: 

  • to comply with applicable law, including laws outside your country of residence;
  • to comply with legal process;
  • to respond to requests from public and government authorities, including authorities outside your country of residence and to meet national security or law enforcement requirements;
  • to enforce our terms and conditions;
  • to protect the operations of our business, assets or stock;
  • to protect the rights, privacy, safety or property of us, you or others; and
  • to allow us to pursue available remedies or limit the damages that we may sustain.

 

We may use and disclose Other Data for any purpose, except where we are not allowed to under applicable law.

What are your data protection rights?

Provider would like to make sure you are fully aware of all of your data protection rights. Every Customer is entitled to the following:

The right to express and withdraw your consent - If we ask for consent to process your Data, you can always choose to give it or not. We inform you about the right to withdraw your consent before you give consent. In our Service, we never ask for one consent for different Personal Data processing operations.

Withdrawal of your consent is effective upon execution, and it does not affect the lawfulness of processing based on the consent before you withdraw it. You can always withdraw your consent without detriment. It may, however, render you unable to use some of the features of the Service.

If you no longer wish to receive emails from us, you can use the unsubscribe link at the bottom of any of our communications, or send a letter to: GBD Software as a Service Private Limited Company at: Szikra tanya 93., Lakitelek, 6065, Hungary.

For information on your choices related to Cookies and Other Data, please read our Cookie Policy.

The right to access – You have the right to request copies of your Personal Data from the Provider. We may charge you a small fee for this service.

The right to rectification – You have the right to request that the Provider correct any information you believe is inaccurate. You also have the right to request the Provider to complete the information you believe is incomplete.

The right to erasure – You have the right to request that Provider erase your Personal Data, under certain conditions.

The right to restrict processing – You have the right to request that Provider restrict the processing of your Personal Data, under certain conditions.

The right to object to processing – You have the right to object to Provider’s processing of your Personal Data, under certain conditions.

The right to data portability – You have the right to request that Provider transfer the data that we have collected to another organization, or directly to you, under certain conditions.

We have designated a Data Protection Officer – dr. Hám-Szabó Boglárka Barbara (DPO), who you can reach out to about anything related to your Personal Data processing. You can easily contact our DPO. If you would like to exercise any of these rights, please contact us at our email: [email protected]

You also have the right to apply and the right to lodge a complaint with a supervisory authority - You have the right to complain to a supervisory authority concerning the processing of your Personal Data. The supervisory authority in Hungary is the National Authority for Data Protection and Freedom of Information (NAIH). You can contact them at:

Address: H-1055 Budapest, Falk Miksa utca 9-11. 

Telephone: +36 1 391 1400 

Email: [email protected] 

Website: http://www.naih.hu/

 

How to contact Us?

If you have any questions about Provider’s Privacy Policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us: Email us at: [email protected], or write to GBD Consulting and Services Private limited company by shares at Szikra tanya 93., Lakitelek, 6065, Hungary.

 

Annexes

Annex 1 - Record of processing activities

Annex 2 - List of data processors