Consent to data processing* (Required)
I consent to the processing of my data in the CRM system of Bepro Signfactory Ltd.
Effective: 30 January 2024.

This is a user-friendly summary of - and not a substitute for - the law-friendly privacy notice on the following pages.

Who we are

Company name: MiniCRM Zrt.
Address: 1075 Budapest, Madách Imre út 13-14.
Email: help@minicrm.hu
Phone: +36 (1) 999 - 0402

What do we do?

We will respect your rights and try to meet your requests within the time limits set by law. We will treat your data as we expect others to treat our own data. As a Hungarian company, we provide a cloud-based customer management system. Protecting your personal data is a top priority for us. In the past - before GDPR - we aimed to comply with German data protection rules, which are stricter than those in Hungary. Your data will be protected, moved through encrypted channels and never sold to anyone else, never used for any purpose other than that for which you provided it.

We have a website, we measure usage, we log for security reasons, we have online marketing with targeted campaigns, we manage your data, we help you as a data processor with a CRM solution. If you ask, we will release your data after identification. If you ask, we will delete your data.

Our services

Website

We use Matomo Analytics to log those who visit our website to optimise the visitor experience, using a "first party cookie". As Matomo Analytics is installed on our own server, the data stored by this technology is not accessible to third parties. We only store the history of your visit to the site and the identifiers of the devices and operating systems used. IP addresses or physical addresses of users are not stored. When you visit the website, Facebook and Google Ads cookies are placed in your browser, you may later see MiniCRM ads through these providers. This data is deleted after 90 days.

Newsletter

You can subscribe to our newsletter by entering your email address and name. We'll email you about new features, free training opportunities and customer management tips.
We include a link to unsubscribe in every email, so you can unsubscribe at any time if you change your mind. Your data will be stored for 365 days after the last interaction.

Free workshop

If you sign up for our free workshop by providing your name, email address, phone number, we will inform you through these channels. Our consultants will contact you at the contact details you provide to arrange a workshop date and, if you are interested, to demonstrate the system and help you learn about it. We will email you with information about new features, free training opportunities and ideas for customer management. If at any time you indicate you've had enough, we'll stop contacting you; if you ask, your details will be deleted. Otherwise, your data will be stored for 365 days after the last interaction.

Free test system

If you would like to try our software, you can start a free trial at any time by entering your name, email address and phone number. Our consultants will contact you at the contact details you provide to demonstrate the system and help you get to know it. We'll email you with information about new features, free training opportunities and customer management tips. If at any time you indicate you've had enough, we'll stop contacting you; if you ask, we'll delete your data. Otherwise, we'll keep your contact details and notes in our own CRM system for 365 days from our last contact.

To use our software, you must accept our Terms and Conditions when you register. System usage is logged for security reasons. Data is retained at varying levels of detail for 365 days. We will permanently delete the customer data that you have entered into your test system as a data processor within a maximum of 90 days after the test system is closed (this is the maximum time you have to start a subscription without re-entering your data in the test system).
Subscription

If you subscribe to our MiniCRM service, we will treat your data in a similar way as for free trial accounts (see above). We will keep your contact details and notes in our own CRM system for 3 years from the last contact. Due to legal requirements, we will keep some of your personal data and the data contained in the invoices issued for a period of time that complies with the applicable legislation (minimum 10 years, maximum 15 years from the date of the last invoice).

Detailed Privacy Notice

In drafting the provisions of this notice (the "Notice"), the Company has taken particular account of the provisions of Regulation 2016/679 of the European Parliament and of the Council of 29 June 2016 on the General Data Protection Regulation (the "GDPR"), Act CXII of 2011 on the Right to Information Self-Determination and Freedom of Information (the "Information Act") and Act V of 2013 on the Civil Code (the "Civil Code").

The processing is based on the voluntary, prior and duly informed consent of the natural persons representing the Users, which includes the express consent of the Users to the use of the Personal Data provided by them and the Personal Data generated about them when using the System. In the case of processing based on consent, the User has the right to withdraw his/her consent at any time, without prejudice to the lawfulness of the processing prior to the withdrawal.

By providing the data provided during registration, each User also assumes responsibility for the fact that only the company he/she represents, as a User, will use the System's services from the e-mail address and using the data provided. With regard to this assumption of responsibility, any liability in connection with accesses made from an e-mail address and/or data provided shall be borne solely by the User who registered the e-mail address and provided the data.
The User warrants that the consent of the natural person concerned has been obtained lawfully for the processing of personal data (e.g. content entered by the User, etc.) provided or made available by the User in the course of using the System Services. All responsibility for User Content uploaded and shared by the User on the System rests with the User.

In addition to the User's voluntary consent, the legal basis for the processing of Data within the framework of the System's services or in connection therewith may be the Data Controller's substantial legitimate interest and the provision of fundamental rights to information and expression, within the limits set by law.

Name of data controller

Company name: MiniCRM Zrt.
Full name of the company: MiniCRM Szolgáltató és Kereskedelmi Zártkörűen Működő Részvénytársaság
Address: 1075 Budapest, Madách Imre út 13-14.
Email: help@minicrm.hu
Phone: +36 (1) 999 - 0402
Website: https://www.minicrm.hu/
Company registration number: 01-10-047449
EU VAT number: EN 23982273
Data management registration number: NAIH-64809/2013

The term MiniCRM® is a registered word mark of the Office for Harmonisation in the Internal Market (OHIM).

Declaration of consent to the processing of my personal data

I give my voluntary and explicit consent to the processing of the data I have provided when visiting, subscribing, registering on MiniCRM's electronic platforms (https://www.minicrm.hu, https://www.minicrm.io, https://www.minicrm.ro, https://www.minicrm.eu, Facebook ads, Google ads) and when creating the MiniCRM test system for the free trial period.

By providing my personal data, I declare that I am 18 years of age or older and that I have the legal capacity to act. I represent a legal person or other unincorporated organisation and I am an authorised person entitled to represent the person or organisation I represent and to give the consent required for the processing of data in accordance with this notice.
I declare that I will not provide MiniCRM with any special personal data, neither during registration nor later in any form. Examples of sensitive personal data include, but are not limited to, racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic or biometric data that can identify an individual; health data; or data concerning sexual life or sexual orientation.

I hereby declare that I will not provide MiniCRM with any personally identifiable number, including, but not limited to: passport number, ID number, identity card number, address card number, driving licence number.

I declare that I will only record and enter my customers' data via the MiniCRM software interface created for this purpose. I will not send them by email either to the central (help@minicrm.hu) or to the direct email address of a MiniCRM employee.

I declare that I only grant access to my MiniCRM system to MiniCRM staff via the "Invite a consultant" function, I never record them as "normal" users.

With my consent, I acknowledge that MiniCRM may send me promotional mailings, information, event invitations and telephone enquiries related to its activities.

I may withdraw my consent to the processing of my data at any time by the means indicated in the privacy notice, for example by sending a request to help@minicrm.hu.

Legal basis based on legitimate business interest

If you fill in the form and indicate your interest in MiniCRM, your application will be considered as a contract preparation. In this case, the legal basis for processing your Personal Data will already be a legal basis based on legitimate business interest according to the GDPR Regulation.
This changed legal basis does not change your rights or the processing of your Personal Data; the only difference is that during the preparation of the contract, unless you request the termination of the process, we will continue to process your Personal Data for the purposes of the preparation of the contract.

In case of subscription, contractual legal basis

If you subscribe to MiniCRM, you subscribe to our product according to the terms and conditions detailed in the General Terms and Conditions. In this case, the legal basis for processing your Personal Data will already be a contractual legal basis under the GDPR Regulation. This change of legal basis does not change your rights and the processing of your Personal Data, it only means that during the contract period, even if you withdraw your consent to use the free version, we will continue to process your Personal Data for the purposes and in the interest of the performance of the contract. As soon as the contract is fulfilled or terminated, the legal basis for your processing will change again and your Personal Data will no longer be processed on the basis of law.

After termination or performance of the contract by law

We are required by law to continue to process your Personal Data in relation to the information on the account.

Whistleblowing system

Data management related to the operation of the whistleblowing system and the investigation of whistleblowing: MiniCRM processes the identity and contact information of the whistleblower and other information that the whistleblower provides in the whistleblower notification under Act XXV of 2023 (which requires us to establish a whistleblower notification system and to investigate and record the notifications received) in order to comply with Act XXV of 2023.
Thus, the data processed include: the name, e-mail address, telephone number (optional), address (optional) of the notifier, description of the act complained of, witnesses (optional), name, address (optional), position (optional) of the person concerned by the notified case (optional), special and criminal personal data necessary for the investigation of the notification (optional).

The legal basis for the processing is the fulfilment of a legal obligation pursuant to Article 6(1)(c) of the GDPR.

MiniCRM will delete personal data obtained during the operation of the whistleblowing system and the investigation of whistleblowing reports after 1 year, unless the investigation has resulted in an administrative or criminal proceeding. In the latter case, MiniCRM will delete the data within 90 days of the final conclusion of the proceedings.

MiniCRM will ensure that the personal data of the notifier and of the person concerned by the notification are not disclosed to persons other than the authorised persons. Access to the personal data processed is only allowed to persons authorised by their duties, strictly within the limits of their respective responsibilities and the performance of those duties.

Your rights

You have the following rights. We must respond to your request for these rights within a maximum of 1 month under GDPR. We will do our best to respond much sooner.

Right to information

You can ask us to inform you about the personal data we process. You can request access to this data. The Personal Data you entered in your account can be viewed on your profile page. You can ask for information in writing at any time by sending a registered letter with advice of delivery to our address or by sending an e-mail to help@minicrm.hu. We will consider a request for information sent by mail to be authentic if we can clearly identify you from the request sent.
Requests for information sent by email will only be considered authentic if sent from your registered email address, but this does not preclude us from identifying you in other ways for security reasons before providing the information. The request for information may include the data we process, the source of the data, the purpose, legal basis and duration of the processing, the names and addresses of any data processors, the activities related to the processing and, in the case of transfers of Personal Data, who has received or is receiving your data and for what purposes.

Right of access

If you request to be informed whether your Personal Data is being processed, you may, if the answer is yes, have access to the purposes of the processing, categories of data, recipients, duration of storage, data subjects' rights, remedies, data sources, automated decision-making, data transfers abroad.

Right of rectification

You may request rectification or amendment of your Personal Data at any time by writing to us by registered letter with acknowledgement of receipt sent to our address or by email to help@minicrm.hu. Taking into account the purpose of the processing, you may request that incomplete Personal Data be completed.

Right to be forgotten (Right to erasure)

You may request the erasure of your Personal Data that we process. Deletion may be refused (i) for the exercise of the right to freedom of expression and information, or (ii) where the processing of Personal Data is in the public interest (as authorised by law); and (iii) for a legitimate private interest (to establish, exercise or defend legal claims). In all cases, we will inform you of any refusal of a request for erasure, stating the reasons for the refusal. Once the request for erasure of personal data has been complied with, the previous (erased) data can no longer be restored.

Newsletters can be unsubscribed via the unsubscribe link in the newsletter.
Right to restriction of processing

You can request that we restrict the processing of your Personal Data if you dispute the accuracy of the Personal Data we process. In this case, the restriction will apply for a period of time that allows us to verify the accuracy of the Personal Data. We will mark the Personal Data we process if you dispute its accuracy or correctness, but the incorrectness or inaccuracy of the disputed Personal Data cannot be clearly established.

You may also request that we restrict the processing of your Personal Data if the processing is unlawful but you object to the erasure of the Personal Data processed and instead request the restriction of its use.

You may exercise this right even if the purpose of the processing has been fulfilled, but you require the processing of your data for the establishment, exercise or defence of legal claims.

If you object to the processing, we will restrict the processing of your Personal Data for a period of time until it is determined whether the legitimate grounds of the controller override the legitimate grounds of the data subject.

Right to data portability

You may request that the Personal Data you provide to us and that we process in an automated way is transferred to you and/or transferred to another data controller in a structured, commonly used, machine-readable format (XML/XLS/CSV) provided by MiniCRM software.

The right to object

You may object to the processing of your Personal Data (i) if the processing is necessary for the sole purpose of complying with a legal obligation to which we are subject or for the purposes of our legitimate interests; (ii) if the processing is for direct marketing, public interest surveys or scientific research; or (iii) if the processing is carried out for the performance of a task carried out in the public interest.
We will investigate the lawfulness of the objection and, if the objection is found to be justified, we will terminate the processing and block the Personal Data processed, and notify the objection and the action taken on it to all those to whom the Personal Data affected by the objection was previously disclosed.

Purpose of data processing

Protection of your rights.
Identification of you, contact with you.
Identification of your entitlements.
Customization of the system and marketing messages sent to you.
Providing targeted, relevant messages based on your interests, industry, company type, decision criteria and job role.
Customer support, advice, product demonstrations, answering questions.
Statistics, analysis, decision preparation. Based on this, coordinating content development and product development to create features that are actually used, content that is actually read.
Software product development, secure operation.
Providing services, service quality and security conditions as agreed in the general terms and conditions.
Complying with our legal obligations.
Enforcing our legitimate business interests.

MiniCRM is considered as Data Controller for its own customers (information requests, requests for quotes), for its employees and for its website (registration, login, newsletter, cookies). For our customers, we are Data Processors for the data they record in our CRM System, in accordance with the provisions of the GTC.

MiniCRM in its role as data processor

You may not make any decision on the merits of the processing.
You may process Personal Data that you have received only in accordance with the controller's (User's) instructions and may not process it for your own purposes.
You must store and retain Personal Data in accordance with the controller's (User's) instructions.
Data processed

We process the data you provide:

Name
Email
Phone number
Website
LinkedIn/Facebook profile link
Billing address, location

We log data for security reasons:

Page viewed/function
Browser cookie

We build profiles for marketing purposes:

What problem are you looking for a solution to, why do you need CRM?
What are your main decision criteria?

The profile is built based on the information you provide. Our aim is that you find the messages we send you really interesting and relevant. We also don't like to receive generic messages that are not addressed to us. We target and build newsletters manually using manually created filters based on profile data. No automated data processing decisions are made in the process.

We log our calls:

Call meta data (who-when-whom you spoke to)
Calls to a central number are recorded after an automatically scanned message is played for quality assurance reasons (in case of complaints and randomly selected calls, managers listen back and coach the customer service team to improve their skills)

We store the data you enter in MiniCRM as a data processor. The scope of this data depends on the fields you create and it is your responsibility what data you record in them.

Name of sub-processors

Server hosting service:

Name: Telekom Rendszerintegráció Zrt. - T-Systems Cloud & DataCenter
Address: 1097 Budapest, Könyves Kálmán körút 36.
Phone: 1400
E-mail: info@t-systems.hu
Website: http://www.t-systems.hu/
Data stored: system logs, data stored in CRM system.
Operations: rack cabinet service, Internet connection insurance, electricity insurance.
Email and document management, calendar, phone contacts, table synchronization, targeted advertising:

Name: Google Ireland Limited
Address: Gordon House, Barrow Street, Dublin 4, Ireland
Phone: N/A
Email: N/A
Website: https://www.google.com/
Data stored: correspondence, individual contracts and offers, calendar entries, telephone contacts, data split into tables based on filters, individual user identifiers, visitor ID cookie.
Operations: email service, document management, calendar service, synchronisation of phone contacts between devices, online spreadsheet manager, retargeting.

Retargeting:

Name: Meta Platforms Ireland Limited
Address: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Phone: N/A
E-mail: N/A
Website: https://www.facebook.com/
Data stored: website visit data, unique user identifiers, visitor ID cookie.
Operations: retargeting.

Calendar, telephone contacts:

Name: Apple Inc
Address: Apple Park, 1 Apple Park Way, Cupertino, California, U.S.
Phone: +1 800 220325
E-mail: N/A
Website: https://www.apple.com/
Data stored: calendar entries, phone contacts.
Operations: calendar service, synchronization of phone contacts between devices.

Encrypted static data, data backups:

Name: Amazon Web Services EMEA SARL
Address: 38 AVENUE JOHN F. KENNEDY, L-1855 LUXEMBOURG
Phone: N/A
E-mail: N/A
Website: https://aws.amazon.com/
Data stored: encrypted static files, encrypted backups.
Operations: static storage provisioning (S3), content delivery network (CloudFront), secondary operating platform.

Customer service call centre operation, call recording:

Name:
Address: 1095 Budapest, Lechner Ödön fasor 6, 7th floor
Phone: +36 1 8 555 111
E-mail: support@arenimtel.com
Website: https://arenimtel.com/hu/
Stored data: customer service call meta data, recorded calls.
Operations: call routing, call centre service, call recording.

Name: Yettel Hungary Zrt.
Address: 2045 Törökbálint, Pannon út 1.
Phone: (+36) 20 930 4000
E-mail: adatvedelem@yettel.hu
Website: https://www.yettel.hu/
Stored data: customer acquisition call meta data, recorded calls.
Operations: call routing, call centre service, call recording.

Bulk SMS service:

Name: Opennetworks Ltd.
Address: 1125 Budapest, Kiss Áron utca 9.
Phone: +36 1 999 6000
E-mail: info@opennet.hu
Website: http://www.opennet.hu/
Stored data: phone number, SMS message content and meta data
Operations: bulk SMS service for all MiniCRM customers.

International bulk SMS service:

Name: LINK Mobility Poland Sp. z o.o.
Address: Gliwice, Ul. Toszecka 10, 44-100, Poland
Phone: +48 32 7 201 200
E-mail: support@smsapi.com
Website: https://www.smsapi.com/
Stored data: phone number, SMS message content and meta data
Operations: international bulk SMS service for all MiniCRM customers.

Accounting:

Name: Finacont Service and Consulting Ltd.
Address: 1062 Budapest, Aradi u. 16. 2. 2. floor 2.
Phone: +36 1 345 0092
E-mail: finacont@finacont.com
Website: https://finacont.com/
Stored data: buyer and seller data on invoice, invoice items, invoice details.
Operations: bookkeeping, preparation of statutory reports and returns.

Online data service (invoice calculator):

Name: National Tax and Customs Administration (NAV)
Address: 1134 Budapest, Dózsa György út 128-132.
Phone: +36 1 412 5400
E-mail: ebpavig@nav.gov.hu
Website: https://www.nav.gov.hu/
Stored data: buyer and seller data on invoice, invoice items, invoice details.
Operations: online data reporting from invoicing module, data analysis, risk analysis, official control.

Web analytics on the website

Please note that to measure the traffic on the www.minicrm.hu website and monitor the behaviour of its visitors, to generate statistics and optimise the effectiveness of your advertising, we use Matomo Analytics, Google Ads Remarketing, Google Ads Conversion Tracking and Facebook Pixel. These programs place so-called cookies in your browser, which store unique user identifiers.
As a visitor to the MiniCRM Website, you authorise the use of Matomo Analytics, Google Ads Remarketing, Google Ads Conversion Tracking and Facebook Pixel. You also consent to the monitoring and tracking of your behavior and to the use of all services provided by these programs. In addition, you have the option to opt-out of future cookie recording and storage at any time, as described below.

Please be informed that the settings and use of Matomo Analytics, Google Ads Remarketing, Google Ads Conversion Tracking and Facebook Pixel are in full compliance with the requirements of the Data Protection Authority.

Matomo Analytics does not use cookies from third parties. It is installed on the MiniCRM server and the data collected is only accessible by MiniCRM. Matomo Analytics is configured so that it does not collect IP addresses. The data stored are the source page when you access the MiniCRM website, the pages visited on the MiniCRM website, the device and the operating system used. This data does not allow the identification of individuals.

Matomo Analytics

MiniCRM uses Matomo Analytics primarily to generate statistics, including measuring the effectiveness of its campaigns. By using the program, MiniCRM mainly obtains information on the number of visitors to its Website and the time spent on the Website. The program recognises the visitor and can therefore track whether the visitor is a returning or new visitor, and it can also track the path the visitor has taken on the Website and where they have accessed.

Google Ads Remarketing

MiniCRM collects DoubleClick cookie data in addition to the usual data when using the Google Ads Remarketing program. The DoubleClick cookie is used to use the remarketing service, which primarily ensures that visitors to the MiniCRM Website are subsequently exposed to MiniCRM advertisements in free advertising spaces. MiniCRM's advertisements are also displayed on Internet sites by third-party service providers, such as Google.
MiniCRM and third-party service providers, such as Google, use both their own cookies and third-party cookies (such as the DoubleClick cookie) to track users' previous visits to the Website and to optimise and display advertisements.

Google Ads conversion tracking

The purpose of Google Ads conversion tracking is to allow MiniCRM to measure the effectiveness of Google Ads ads. This is done by means of cookies placed on the User's computer, which are kept for 30 days.

Facebook Pixel

MiniCRM uses the Facebook Pixel to increase the effectiveness of Facebook ads for the purpose of building a remarketing list. This allows third-party providers such as Facebook to display ads on websites after a visit to the Website. Remarketing lists are not personally identifiable. They do not contain any personal data of the visitor, they only identify the browser software. By using these lists, MiniCRM users will be excluded from being shown advertisements that promote the service they are already using.

Disable cookies

If you want to manage your cookie settings or disable the feature, you can do so in your browser. This option can be found under the cookie or tracking settings, depending on the browser toolbar. You can usually go to Tools > Settings > Privacy settings to configure which tracking features you enable/disable on your computer.

Principles of Data Processing

The Data Controller shall process Personal Data in accordance with the principles of good faith and fairness and transparency, as well as in accordance with the applicable laws and the provisions of this Privacy Policy.

The Data Controller shall use Personal Data necessary for the use of the Services only with the consent of the User concerned and only for the purposes for which they are collected.

The Data Controller shall process Personal Data only for the purposes set out in this Privacy Policy and the applicable laws.
The scope of the Personal Data processed shall be proportionate to the purpose of the processing and shall not go beyond it (data economy).

The Personal Data of a person under the age of 18 will not be processed by MiniCRM as a business software provider.

The Data Controller will not transfer the Personal Data it processes to third parties other than the Data Processors specified in this Notice and, in certain cases referred to in this Notice, to third party service providers. An exception to the provision of this clause is the use of data in aggregated statistical form, which may not contain any other form of data that can identify the User concerned, and therefore does not constitute Processing or transfer of data.

The Data Controller may, in certain cases - official judicial or police requests, legal proceedings for infringement or reasonable suspicion of infringement of copyright, property rights or other rights, or for the purpose of prejudicing the interests of the Data Controller, endangering the provision of the Services, etc. - The Data Controller's system may collect data on the activity of Users, which cannot be linked to other data provided by Users at the time of registration, nor to data generated by the use of other websites or services.

The Data Controller shall notify the User concerned and all those to whom it has previously disclosed the Personal Data for the purpose of Processing of the rectification, restriction or deletion of the Personal Data processed by it. The notification may be omitted if this does not prejudice the legitimate interests of the data subject with regard to the purpose of the processing.
The Controller shall ensure the security of the Personal Data, take technical and organisational measures and establish procedural rules to ensure that the recorded, stored and processed data are protected and to prevent their accidental loss, unlawful destruction, unauthorised access, unauthorised use and unauthorised alteration, unauthorised disclosure or dissemination. The Data Controller invites all third parties to whom it transfers Personal Data to comply with this obligation.

In view of the relevant provisions of the GDPR, the Data Controller is not obliged to appoint a Data Protection Officer.

The Data Controller is responsible for compliance with the Principles.

Confidentiality

MiniCRM will keep the data recorded confidential and will make every effort to ensure the security of the data, using it as necessary for the proper functioning of the Website. This includes, but is not limited to, sending emails and SMS to you and to the contact details you have provided, in which case the message will be sent via the service provider.

MiniCRM will never sell or lend your personal data to third parties for marketing purposes. MiniCRM may disclose your personal data and other relevant information in response to a subpoena, court order or legal process. Furthermore, MiniCRM may assert or exercise its legal rights and defend itself against legal actions.

In order to ensure the secure management of data, MiniCRM selects the IT tools used to manage the data in such a way that, during the operation, the data managed are only accessible to MiniCRM as the authorised person, the authenticity of the data is preserved, no changes are made to the recorded data outside the process of the data recorder, and the recorded data are protected against unauthorised access.
The data processed by MiniCRM may be disclosed in response to a request from a public authority or a court, or in accordance with legal requirements, of which MiniCRM will inform its users in a newsletter, provided that this does not conflict with the request from a public authority or a court, or with the relevant legal requirement.

Access to personal data by our staff

We only grant our staff access to personal data we process that is strictly necessary for the purposes of their work. All access is logged, and access to the data extraction function is strictly limited.

The personal data recorded in your own MiniCRM system is not visible to our sales, consulting, customer service and development staff. If you give a member of our staff access to your system via the "Invite a consultant" function, they will only see your settings, not the data you have recorded.

When a system is migrated to a test or development environment for integration development or debugging, data can only be extracted through a channel in which the data from the live environment is scrambled during backup. Thus, in test and development environments, personal data in the system (e.g. name, email, phone number, address) is replaced by randomly generated characters.

Data backups are created using two-key encryption. This way, employees who have access to the backup file cannot access the backed up data, because they lack the decryption key, which is stored offline.

Only the narrowest necessary group - the team running the live servers - has access to servers containing live data. All access is strictly logged after 3-factor authentication - VPN key, SSH key, user password.

Data security

Data security is a complex issue for systems handling sensitive business data.
At MiniCRM, we have internal policies and processes to ensure that data security and privacy requirements are met in all areas:
- Data security
- Network security
- Data separation
- Availability
- Data backup, disaster recovery
- Identity and access control
- Security-aware software development

All data stored in MiniCRM is physically located within the European Union or in a country considered as data protection equivalent by the GDPR and is subject to the EU data protection directives. When external integrations are activated (e.g. Google Calendar), the data concerned may be transferred outside the EU, and therefore the system will ask for prior consent from users when these integrations are activated.

Technology
MiniCRM regularly updates all the software used, to protect against known attack surfaces at all levels (staff devices, server operating system, virtualization layer, guest operating system, application). Our servers are located in one of the most secure data centres in Europe (Dataplex / Magyar Telekom). We use a redundant and scalable infrastructure, designed so that the failure of no single point or device puts the service out of operation. Encrypted backups are made daily, automatically, and transferred to other data centres to ensure data recovery in the event of a disaster. We follow accepted industry solutions such as the Open Web Application Security Project (OWASP) and the Cloud Security Alliance Cloud Controls Matrix (CCM).

Access protection
Physical access to the infrastructure is severely limited. Proper identification is required in all cases. MiniCRM was built from the ground up as a multi-user service, with the entire platform and infrastructure providing logical separation of data. The use of external identification services (Single-Sign-On) is supported (Google Account, OpenID).

Network security
Multiple layers of firewall protection separate the servers that store your data from the outside world. Only dedicated load balancing servers have Internet connectivity.
Application servers and data storage servers operate on a separate internal network, with an intermediate firewall/load balancing layer providing connectivity. The live/test/integration test/development environment is hosted on a separate network. Multiple levels of intrusion and phishing attack alerts protect your stored data. Unused services, protocols and software are removed. All our servers are built from minimal foundations, with only the necessary software installed. The effectiveness of our processes and internal rules is verified through external security audits.

Availability
Business application availability is critical. Our infrastructure of dozens of quality servers ensures that the failure of a single component does not lead to the loss of service. A containerised architecture is not only advantageous from a security point of view: individual services can also be automatically moved between servers, ensuring continuous availability and balancing the different workloads at different times. MiniCRM offers a minimum 99.9% availability guarantee in the contract. The planned availability of the infrastructure used is 99.99% per month. An independent external monitoring service measures monthly availability of between 99.98% and 99.99%, counting any outages during the announced nightly maintenance times as outages.

Data backup and disaster recovery
All data recorded in MiniCRM is mirrored in near real-time across multiple storage devices and multiple servers. Distributed, redundant data storage ensures that the failure of individual hardware devices does not lead to data loss. Automatic backups are made daily and encrypted for transmission to a data centre outside Hungary. All daily backups are tested automatically. Databases are loaded from backup on a dedicated server and a thorough, multi-step process is run through the restored systems. The testing system collects the logs and analyses the expected test results. A daily report is sent to the operations team.
Identification and access control
All access is only possible through designated user accounts to ensure traceability. User accounts are protected by strong passwords, and password strength is ensured by rules built into the application. All passwords are stored as strongly encrypted, one-way "salted" hash values. User accounts can be managed by users with administrator rights in the client system. The accounts are protected against repeated password attempts by an automated blocking system, which will block both the IP address and the user account after several incorrect login attempts.

Two-factor authentication
Users can enable two-factor authentication. In such a case, MiniCRM will ask for an additional security code when logging in from a new device with a valid email address and password. This can be an SMS or TOTP (Google Authenticator) code.

Security-aware software development
Security is not an afterthought; it is an integral part of our development processes. New developers receive detailed training to ensure they are properly aware of data security and privacy issues. There are several layers to the application architecture and the platform has built-in protection against the most common attack surfaces/modes. After each modification, tests, automated integration tests and static code analysis tools are automatically run to ensure quality. Security-sensitive code sections are monitored separately, and changes affecting these sections can be incorporated into the next version after a mandatory code review.

Reliability
In addition to data security and availability, it is of paramount importance that users trust the solution as a record-keeping system, based on both objective and subjective criteria. A registry system is expected to be a credible source of the data elements and information it manages. It is possible to track who recorded, modified or printed what, and when.
Rules defined during development ensure the validity of the data and the integrity of the relationships between the interrelated data.

Up-to-date technology
No extra upgrade/tracking/development fees: we always provide a system that supports the latest technologies. Not only do we constantly update the software running on our servers, but also the "building blocks" of the framework that are visible to users. This ensures that solutions delivered once will still work years later on the browser/notebook/mobile device combinations that are current at the time.

Scales automatically
MiniCRM is not only fast at start-up, with a dozen users and a couple of thousand records. As the data accumulates and the number of users grows, the platform automatically allocates more resources to meet demand.

Duration of data processing
We process your data with a predefined limitation period for each set of data processed in accordance with the GDPR. As a rule of thumb, detailed security logs are stored for 90 days and other security logs for 365 days. Personal data is stored for 365 days after the last contact, except where a longer period is required by law or contract. For a detailed description of each of the data categories, data processing purposes and data retention periods, please see the section "Our Services".

Transfers
We are entitled and obliged to transfer to the competent authorities any Personal Data that we have available to us and that we lawfully hold, and that we are required by law or by a final and binding administrative order to transfer. The Data Controllers shall not be held liable for such transfers and the consequences thereof.
If we transfer the operation or use of our service, in whole or in part, to a third party, we may transfer some or all of the Personal Data we process to that third party without your consent, but with your prior informed consent, provided that such transfer does not put you in a less favourable position than the data processing rules set out in the current version of this Notice. In the event of a transfer under this paragraph, you will be given the opportunity to object to the transfer before the transfer takes place. In the event of an objection, the transfer of your data under this paragraph will not be possible. For the purposes of monitoring the lawfulness of the transfer and informing the data subject, the controller shall keep a record of the transfer, which shall include the date of the transfer of personal data processed by the controller, the legal basis and the recipient of the transfer, the scope of the personal data transferred and other data specified in the legislation providing for the processing.

Updating the Notice, monitoring changes in legislation
The Notice is continuously reviewed and updated by the Data Controller in accordance with changes in the legal environment and the requirements of the authorities. You can find the current Notice in the "Data Processing Notice" section of the MiniCRM website.

Further questions/answers
You can request information about data management and/or processing at any time by sending an email to help@minicrm.hu. You can contact the National Authority for Data Protection and Freedom of Information directly with complaints about data processing (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; phone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu). If your rights are violated, you can take legal action. The court has jurisdiction to hear the case. You can choose to bring the case before the court of your place of residence or domicile.
We will inform you of the possibilities and means of redress available to you.

Definitions
Processing: any operation or set of operations which is performed on Personal Data, regardless of the method used, in particular the collection, recording, organisation, structuring, storage, adaptation, alteration, use, consultation, access, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction of Personal Data.
Personal Data or Information: any data or information that allows a natural person representing a User to be identified, directly or indirectly, or that allows such person to enter data into the System.
Processor: a service provider who processes Personal Data on behalf of the controller. For the System Services referred to in this Notice, the Data Processor is MiniCRM and the sub-processors are the sub-processors identified in this Notice.
System: the CRM system operated by the Data Controller, Internet sites and sub-sites of these websites.
GDPR: Regulation 2016/679 of the European Parliament and of the Council ("General Data Protection Regulation").

Budapest, 30 January 2024.