Privacy Notice
1. Introduction
The developer and rights holder of magyarkozlony.ai (the "Service") is Chain Advisory Kft.; the co-operator is Erba 96 Kft. (jointly the "Controllers", "we").
The purpose of this notice is to inform you how we collect, use, store and protect your personal data in accordance with the EU General Data Protection Regulation (GDPR — Regulation 2016/679) and Hungarian data-protection law (Act CXII of 2011). Chain Advisory Kft. and Erba 96 Kft. act as joint controllers under Article 26 GDPR.
2. Controller information
Developer and rights holder: Chain Advisory Kft. — Registered seat: 1037 Budapest, Táborhegyi út 18/f — Company reg. no.: 01-09-326168 — Tax no.: 26361518-2-41
Joint controller and operator: Erba 96 Kft. — Registered seat: 1142 Budapest, Stubnyai utca 4. — Company reg. no.: 01-09-561901 — Tax no.: 12175590-2-42 — EU VAT no.: HU 12175590
Email: [email protected] Website: https://magyarkozlony.ai
Data Protection Officer (DPO): Erik Árokszállási — [email protected]
3. Scope of personal data processed
Registration and account data: full name, email, hashed password, language and interface preferences.
Service usage data: sign-in timestamps, query history, generated reports, IP address, browser identifier, device information.
Billing data: company or individual name, billing address, tax ID (for corporate users) — only for users with a paid plan.
Communications data: emails with customer support, feedback, complaints.
The Service does NOT collect or process documents uploaded by the User — it queries only its own indexed public corpus (Magyar Közlöny, the Fundamental Law, etc.).
4. Purposes and legal bases of processing
Creating and managing a user account — Performance of a contract (Art. 6(1)(b) GDPR) — Retention: until account deletion.
Providing the Service (AI-powered legal-text search) — Performance of a contract — Retention: until account deletion.
Customer support — Legitimate interest (Art. 6(1)(f) GDPR) — Retention: 2 years.
Invoicing and accounting — Legal obligation (Art. 6(1)(c) GDPR) — Retention: 8 years (Hungarian accounting law).
Service improvement (anonymised usage data) — Legitimate interest — Retention: anonymised, unlimited.
Security, abuse prevention — Legitimate interest — Retention: 1 year.
Marketing communication — Explicit consent (Art. 6(1)(a) GDPR) — Retention: until consent is withdrawn.
5. Processors and third parties
We rely on the following data processors to operate the Service; each is bound by a GDPR-compliant Data Processing Agreement.
Hosting: Hetzner Online GmbH (Germany) — Purpose: Service infrastructure — Data location: EU (Germany) — Privacy: https://www.hetzner.com/legal/privacy-policy
AI provider: Amazon Web Services EMEA SARL (AWS Bedrock) — Purpose: processing natural-language queries (Anthropic Claude models) — Region: eu-central-1 (Frankfurt, Germany) — DPA: https://d1.awsstatic.com/legal/aws-dpa/aws-dpa.pdf — Privacy FAQ: https://aws.amazon.com/compliance/data-privacy-faq/
Data-privacy guarantees for AWS Bedrock: • No model training: User data — prompt or response — is NOT used to train AI models. • No data retention: input and output are NOT retained after processing. • EU-only processing: all AI processing happens in the eu-central-1 region; data does not leave the EU. • Encrypted transport: all traffic between the Service and AWS is protected with TLS 1.3.
CDN and DDoS protection: Cloudflare, Inc. — Purpose: serving the website, DDoS mitigation — Privacy: https://www.cloudflare.com/privacypolicy/
Agentic architecture: the Service uses specialised AI agents (query, report generator, chart generator, etc.). The agents operate only on the User's request and within the Service's boundaries; the AI has no access to the User's own databases or files.
6. Your rights
Under GDPR you have the following rights:
Right of access (Art. 15): you can request information about the data we process about you and obtain a copy.
Right to rectification (Art. 16): you can request correction of inaccurate or completion of incomplete data.
Right to erasure — "right to be forgotten" (Art. 17): you can request deletion when the data is no longer needed, your consent is withdrawn, or you object to processing.
Right to restriction (Art. 18): in certain cases you can request that processing be restricted temporarily.
Right to data portability (Art. 20): you can request your data in a structured, machine-readable (JSON) format and transmit it to another controller.
Right to object (Art. 21): you may object to processing based on legitimate interest.
Rights related to automated decision-making (Art. 22): you have the right not to be subject to a decision based solely on automated processing.
To exercise your rights please contact our DPO at [email protected]. We respond to requests within 30 days; the deadline may be extended by a further 60 days for complex cases.
7. Data security
To protect your data we apply the following technical and organisational measures:
Encryption: data is stored encrypted (AES-256) and transmitted over encrypted channels (TLS 1.3).
Isolated environments: user sessions are logically separated; only the relevant User can access their own data.
Access control: strict access rules, password policy, optional multi-factor authentication.
Regular backups: daily automated backups with redundant storage.
Security audits: regular vulnerability scans, dependency updates.
Incident response: documented procedure for data-protection incidents; notification of affected users and the NAIH per Articles 33–34 GDPR.
User responsibility: use a strong, unique password. The User alone is liable for any damage resulting from disclosing the password to a third party.
8. Cookies
The Service uses only strictly necessary and functional cookies. We do NOT set marketing, analytics or advertising cookies.
Strictly necessary: Better-Auth sign-in session cookie (maintains the secure session; expires after 30 days or on sign-out); Better-Auth CSRF token (protects the sign-up / sign-in form).
Functional / browser storage: NEXT_LOCALE (selected language, HU/EN); theme localStorage (light / dark preference); mk_cookie_consent localStorage (records that the cookie notice was dismissed).
Third-party cookies: Cloudflare's CDN proxy may set its own operational cookies (cf_*) — these are not used for identification. Google Analytics, Facebook Pixel and similar tracking tools are NOT used.
9. Children's data
The Service is intended for natural and legal persons aged 18 or over. We do not knowingly collect data from persons under the age of 16. If we become aware of such processing we delete the data immediately.
10. Changes to this notice
We reserve the right to amend this Privacy Notice. We inform Users of changes through the Service or by email. Material changes are communicated at least 30 days before they take effect.
11. Right to lodge a complaint
If you consider that the processing of your personal data infringes GDPR, you have the right to lodge a complaint with the supervisory authority:
National Authority for Data Protection and Freedom of Information (NAIH) — Address: 1055 Budapest, Falk Miksa utca 9-11. — Postal: 1363 Budapest, Pf. 9. — Phone: +36 1 391 1400 — Email: [email protected] — Web: https://naih.hu
You may also seek judicial remedy if you believe the processing of your personal data is unlawful.
12. Contact
For data-protection questions please contact us:
Chain Advisory Kft. — 1037 Budapest, Táborhegyi út 18/f Erba 96 Kft. — 1142 Budapest, Stubnyai utca 4.
General: [email protected] Privacy (DPO): [email protected] — Erik Árokszállási