Privacy Policy

Version 1.0 · Effective 2026-07-05

Controller

Egységmester Kft., 2330 Dunaharaszti, Gyóni Géza köz 8., hello@practicalapps.studio. No Data Protection Officer is appointed (not required for our processing).

1. What we process, why, and on what basis

DataPurposeLegal basisRetention
Account data (name, work email, company, country)Provide the ServiceArt. 6(1)(b) contractAccount life + 30 days
Matching profile (CPV, keywords, geo, value band, languages)Matching & digestArt. 6(1)(b)Account life; dismissed matches 90 days
Billing & subscription statusPlan managementArt. 6(1)(b), (c)Statutory periods
Payment/card dataPurchase executionProcessed by Stripe as merchant of record — Stripe acts as an independent controller for the payment transaction; we never receive full card data. See Stripe's privacy notice at checkout.Per Stripe
Public TED notice data (may include buyer contact persons)Tender matching & display, with source attributionArt. 6(1)(f) — legitimate interest (operating a tender-alert service over public open data)Per TED reuse norms; refreshed daily
B2B outreach targets (company, country, won CPV, one business contact address from the company's own website, provenance)One relevant B2B introduction + max one follow-upArt. 6(1)(f) — see our Legitimate Interest Assessment; absolute opt-out (Art. 21(2))Never-contacted: purged in 90 days; contacted: purged/anonymised 12 months after our last message; suppression list kept permanently (hash only) to honour your opt-out
Service logs, ingest/fetch logsSecurity, accountabilityArt. 6(1)(f)12 months

2. Sources

Directly from you; from TED (Publications Office of the EU — public procurement notices; "Source: TED, Publications Office of the EU"); for outreach, from your company's own public contact page (the exact page is disclosed in the message you receive).

3. Recipients / processors

Hostinger (EU hosting); Stripe (payments — merchant of record, partially independent controller); Resend, Inc. (USA) / Hostinger (EU) (email delivery); OpenAI, L.L.C. / Google (Gemini) (summarisation of public notice text only — no customer personal data is sent). We do not sell personal data and do not use it for third-party advertising.

4. Transfers

Data is hosted in the EU. Where a provider processes data in the US (e.g. Stripe), transfers rest on the EU–US Data Privacy Framework and/or Standard Contractual Clauses.

5. Your rights

Access, rectification, erasure, restriction, portability, objection (Arts. 15–21). Objection to direct marketing is absolute and one-click — use the unsubscribe link in any outreach or digest email; we then keep only a suppression hash so we never contact you again. You may also object to any processing based on legitimate interests on grounds relating to your particular situation (Art. 21(1)); we then stop unless we demonstrate compelling legitimate grounds. Complaints: NAIH (Hungary, naih.hu) or your local supervisory authority. Contact: hello@practicalapps.studio — we respond within one month.

6. No automated decisions

We make no automated decisions producing legal effects (Art. 22). Matching output is informational only.

7. Security

TLS in transit, encrypted backups, least-privilege access, EU-hosted infrastructure, no card data on our systems (merchant-of-record model).

8. Cookies

The product uses only strictly necessary cookies/storage: session/auth cookie, admin session cookie (httpOnly) and functional preferences — no advertising cookies, no cross-site tracking. Strictly necessary cookies require no consent (ePrivacy Art. 5(3); HU Eht. 155.§(4)). If cookie-less first-party analytics (Umami) is enabled, it is anonymous and sets no cookies. Checkout runs on Stripe surfaces; Stripe sets its own cookies under its own policy (disclosed at checkout). No marketing tag is present; none may be added without prior opt-in consent tooling and an update to this policy.