Privacy Policy
Version 1.0 · Effective 2026-07-05
Controller
Egységmester Kft., 2330 Dunaharaszti, Gyóni Géza köz 8., hello@practicalapps.studio. No Data Protection Officer is appointed (not required for our processing).
1. What we process, why, and on what basis
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Account data (name, work email, company, country) | Provide the Service | Art. 6(1)(b) contract | Account life + 30 days |
| Matching profile (CPV, keywords, geo, value band, languages) | Matching & digest | Art. 6(1)(b) | Account life; dismissed matches 90 days |
| Billing & subscription status | Plan management | Art. 6(1)(b), (c) | Statutory periods |
| Payment/card data | Purchase execution | Processed by Stripe as merchant of record — Stripe acts as an independent controller for the payment transaction; we never receive full card data. See Stripe's privacy notice at checkout. | Per Stripe |
| Public TED notice data (may include buyer contact persons) | Tender matching & display, with source attribution | Art. 6(1)(f) — legitimate interest (operating a tender-alert service over public open data) | Per TED reuse norms; refreshed daily |
| B2B outreach targets (company, country, won CPV, one business contact address from the company's own website, provenance) | One relevant B2B introduction + max one follow-up | Art. 6(1)(f) — see our Legitimate Interest Assessment; absolute opt-out (Art. 21(2)) | Never-contacted: purged in 90 days; contacted: purged/anonymised 12 months after our last message; suppression list kept permanently (hash only) to honour your opt-out |
| Service logs, ingest/fetch logs | Security, accountability | Art. 6(1)(f) | 12 months |
2. Sources
Directly from you; from TED (Publications Office of the EU — public procurement notices; "Source: TED, Publications Office of the EU"); for outreach, from your company's own public contact page (the exact page is disclosed in the message you receive).
3. Recipients / processors
Hostinger (EU hosting); Stripe (payments — merchant of record, partially independent controller); Resend, Inc. (USA) / Hostinger (EU) (email delivery); OpenAI, L.L.C. / Google (Gemini) (summarisation of public notice text only — no customer personal data is sent). We do not sell personal data and do not use it for third-party advertising.
4. Transfers
Data is hosted in the EU. Where a provider processes data in the US (e.g. Stripe), transfers rest on the EU–US Data Privacy Framework and/or Standard Contractual Clauses.
5. Your rights
Access, rectification, erasure, restriction, portability, objection (Arts. 15–21). Objection to direct marketing is absolute and one-click — use the unsubscribe link in any outreach or digest email; we then keep only a suppression hash so we never contact you again. You may also object to any processing based on legitimate interests on grounds relating to your particular situation (Art. 21(1)); we then stop unless we demonstrate compelling legitimate grounds. Complaints: NAIH (Hungary, naih.hu) or your local supervisory authority. Contact: hello@practicalapps.studio — we respond within one month.
6. No automated decisions
We make no automated decisions producing legal effects (Art. 22). Matching output is informational only.
7. Security
TLS in transit, encrypted backups, least-privilege access, EU-hosted infrastructure, no card data on our systems (merchant-of-record model).
8. Cookies
The product uses only strictly necessary cookies/storage: session/auth cookie, admin session cookie (httpOnly) and functional preferences — no advertising cookies, no cross-site tracking. Strictly necessary cookies require no consent (ePrivacy Art. 5(3); HU Eht. 155.§(4)). If cookie-less first-party analytics (Umami) is enabled, it is anonymous and sets no cookies. Checkout runs on Stripe surfaces; Stripe sets its own cookies under its own policy (disclosed at checkout). No marketing tag is present; none may be added without prior opt-in consent tooling and an update to this policy.