1. Data Controller
Controller: [LEGAL ENTITY NAME, e.g. Pro Plate Ltd.]
Registered seat: [POSTCODE City, Street No., Hungary]
Tax number: [TAX ID]
Company / sole-trader registration number: [REGISTRATION NUMBER]
Privacy contact: [NAME] — [EMAIL]
Phone: [+36 ...]
The Controller is not required to designate a Data Protection Officer (DPO) under GDPR Article 37, as its processing does not meet the thresholds set therein. For privacy-related questions, please contact the privacy contact above.
2. Principles and Legal Framework
Processing is based on the following:
• Regulation (EU) 2016/679 (GDPR)
• Hungarian Act CXII of 2011 on Informational Self-Determination (Infotv.)
• Hungarian Act CVIII of 2001 on Electronic Commerce Services (Ekertv.)
• Hungarian Act C of 2000 on Accounting (for invoice retention)
The Controller ensures that processing is lawful, fair, transparent, purpose-limited, data-minimized, accurate, storage-limited, and adequately secured.
3. Categories of Data, Purposes, and Legal Bases
a) Customer data (name, email, phone, billing address, restaurant name)
• Purpose: contract conclusion, performance, communication, invoicing
• Legal basis: GDPR Art. 6(1)(b) — performance of contract; for invoicing Art. 6(1)(c) — legal obligation
b) Payment data (via Stripe; the Controller does not see card data)
• Purpose: collection of fees
• Legal basis: GDPR Art. 6(1)(b)
c) Uploaded photos (source material and AI-enhanced output)
• Purpose: performing the Service
• Legal basis: GDPR Art. 6(1)(b)
• Note: photos do not normally contain personal data; if a photo would contain personal data (e.g. an image of kitchen staff), please do not upload it.
d) Lead data (publicly available restaurant information — name, address, phone, email, photos — sourced from Google Maps via Outscraper)
• Purpose: business outreach, offering services
• Legal basis: GDPR Art. 6(1)(f) — legitimate interest (B2B outreach to hospitality businesses). The legitimate-interest balancing test is available on request.
• Source: publicly available business registries and Google Maps. Disclosed pursuant to GDPR Art. 14.
e) Email correspondence and contact form submissions
• Purpose: replying, providing offers
• Legal basis: GDPR Art. 6(1)(b) (pre-contractual measures) or 6(1)(f) legitimate interest
f) Cookies and website analytics
• Purpose: operating the website; optionally measuring usage
• Legal basis: strictly necessary cookies — Art. 6(1)(f); analytics/marketing cookies — Art. 6(1)(a) consent
• [IF USING ANALYTICS (e.g. Vercel Analytics, Google Analytics): list them here and obtain consent via a cookie banner.]
4. Retention Periods
• Customer and billing data: 8 years, pursuant to Section 169 of the Hungarian Accounting Act (Act C of 2000)
• Uploaded source photos: 90 days after order fulfillment (to allow revision requests), then deleted
• AI-enhanced output: available for download for 12 months; thereafter archived or deleted by the Controller
• Lead data: up to 24 months from the last contact attempt, or until earlier deletion upon request
• Email correspondence: 3 years (legitimate interest, dispute resolution)
5. Processors and Recipients
The following processors are involved in providing the Service. The Controller has (or will have, before the end of the pilot phase) data processing agreements in place with them under GDPR Art. 28:
• Vercel Inc. (USA) — website hosting. Transfers from the EU to the US under the EU-US Data Privacy Framework / Standard Contractual Clauses (SCC).
• Stripe Payments Europe Ltd. (Ireland) — payment processing.
• Resend, Inc. (USA) — transactional email. Basis: SCC.
• Airtable, Inc. (USA) — database and CRM. Basis: SCC / DPF.
• Inngest, Inc. (USA) — background job scheduling (follow-up emails). Basis: SCC.
• kie.ai / Kling AI (USA, or contracting party's seat) — AI image enhancement and video generation. Uploaded photos are kept only as long as necessary; the Controller does not authorize their use for model training.
• Google LLC (USA) — Gemini API for image classification and caption generation. Basis: SCC / DPF.
• Outscraper LLC (USA) — retrieval of publicly available restaurant data (lead phase only).
• Cloudflare, Inc. (USA) — [IF ENABLED] R2 object storage for enhanced images. Basis: SCC.
• [ACCOUNTANT NAME / FIRM] — bookkeeping and document handling (billing data only).
The full and current list is available on request at [CONTACT@PROPLATE.ME].
6. International Data Transfers
Several processors are based outside the European Economic Area (typically in the United States). Such transfers occur only with the following safeguards:
• For processors certified under the EU-US Data Privacy Framework, the European Commission's adequacy decision (GDPR Art. 45)
• Otherwise, Standard Contractual Clauses adopted by the European Commission (SCC, GDPR Art. 46(2)(c))
7. Data Subject Rights
As a data subject, you have the following rights:
• Right of access (GDPR Art. 15)
• Right to rectification (GDPR Art. 16)
• Right to erasure / "right to be forgotten" (GDPR Art. 17)
• Right to restriction of processing (GDPR Art. 18)
• Right to data portability (GDPR Art. 20)
• Right to object to processing based on legitimate interest (GDPR Art. 21) — particularly for cold outreach
• Right to withdraw consent where processing is based on consent (GDPR Art. 7(3))
To exercise these rights, please contact [CONTACT@PROPLATE.ME]. The Controller will substantively respond within 30 days of receipt. In justified cases, this period may be extended by a further 60 days, of which you will be informed.
8. Right to Lodge a Complaint
If you believe that the processing of your data infringes the GDPR or Hungarian data protection law, you may lodge a complaint with the Hungarian supervisory authority:
National Authority for Data Protection and Freedom of Information (NAIH)
Address: H-1055 Budapest, Falk Miksa utca 9–11.
Postal address: H-1363 Budapest, Pf. 9.
Phone: +36 (1) 391-1400
Email: ugyfelszolgalat@naih.hu
Web: naih.hu
You may also seek judicial remedy. At your option, proceedings may be initiated before the regional court of your place of residence or stay.
9. Data Security
In line with GDPR Art. 32, the Controller applies the following technical and organizational measures:
• Encrypted transport (HTTPS / TLS)
• Authenticated administrative interfaces
• Access restriction (only authorized persons have access)
• Regular backups
• Review of processors for GDPR compliance before selection
In case of a personal data breach likely to result in a high risk to the rights of data subjects, the Controller will notify NAIH within 72 hours and, where appropriate, inform the affected data subjects.
10. Automated Decision-Making
The Controller uses AI-based technology to enhance photos. This does not constitute automated decision-making producing legal effects on the data subject under GDPR Art. 22 — it serves solely to create the visual content ordered by the Customer.
11. Changes to this Notice
The Controller reserves the right to amend this Notice unilaterally. Amendments take effect upon publication on proplate.me/privacy. In case of material changes, registered Customers will be notified at the email address provided.
Detailed terms for using the Service are set out in the Terms & Conditions.
