Privacy Policy

1.           Preamble

XAPT Szoftver Tanácsadó Kft. (hereinafter referred to as “XAPT” or “we” or “our”) and each of its subsidiaries are strongly committed to protecting personal data. This privacy notice is pursuant to regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR); and Act CXII of 2011 on the Right of Information Self-Determination and Freedom of Information. The privacy notice applies to the processing of personal data in relation to XAPT’s and websites.

2.          Data Controller

Name of the controller: XAPT Szoftver Tanácsadó Kft.

Registered seat and mailing address: 1118 Budapest, Rétköz utca 5.

Incorporation number: 01-09-688936

Authorised representative: dr. Schvarcz Zoltán, managing director

E-mail address:

3.          Data Processing Principles

XAPT ensures that the personal data is

  • processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness, transparency);
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
  • accurate and, where necessary, kept up to date (accuracy);
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation);
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).

4.         Purposes and Legal Basis of the Processing

4.1.  Purposes for Processing

The purposes (and specific legal bases) for XAPT’s processing may be:

  • Communicating with Business Partners about XAPT’s products, services and projects, e.g. by responding to inquiries or requests providing technical information about products or services (Contract Performance (Article 6 (1) (b) GDPR); Legitimate Interest (Article 6 (1) (f) GDPR));
  • Planning, performing and managing the (contractual) relationship with Business Partners; e.g. by delivering products and services, processing payments, performing accounting, auditing, billing and collection activities, providing support services (Contract Performance (Article 6 (1) (b) GDPR); Compliance with Legal Obligations (Article 6 (1) (c) GDPR));
  • Identifying and sourcing talent, processing and managing applications for roles at XAPT, sending e-mail notifications and other announcements, screening and selecting talent (through interviews and assessments) (Consent, if voluntarily provided (Article 6 (1) (a) GDPR); Legitimate Interest (Article 6 (1) (f) GDPR));
  • Administrating and performing market analysis, sweepstakes, contests, or other customer activities or events (Consent, if voluntarily provided (Article 6 (1) (a) GDPR); Legitimate Interest (Article 6 (1) (f) GDPR));
  • Conducting customer satisfaction surveys and direct marketing activities (Consent, if voluntarily provided (Article 6 (1) (a) GDPR); Legitimate Interest (Article 6 (1) (f) GDPR));
  • Maintaining and protecting the security of XAPT’s services and websites, preventing and detecting security threats, fraud or other criminal or malicious activities (Legitimate Interest (Article 6 (1) (f) GDPR));
  • Ensuring compliance with legal obligations (such as record keeping obligations), Business Partner compliance screening obligations (to prevent white-collar or money laundering crimes), and our policies or industry standards (Compliance with Legal Obligations (Article 6 (1) (c) GDPR); Legitimate Interest (Article 6 (1) (f));
  • Solving disputes, enforce our contractual agreements and to establish, exercise or defend legal claims (Compliance with Legal Obligations (Article 6 (1) (c) GDPR); Legitimate Interest (Article 6 (1) (f) GDPR)).

4.2. Legal Basis of the Processing

The legal basis for XAPT’s processing may be:

  • The data subject’s consent to the processing pursuant to Article 6 (1) (a) General Data Protection Regulation;
  • Exercising rights and performing obligations under any contract XAPT makes with the data subject pursuant to Article 6 (1) (b) General Data Protection Regulation;
  • Compliance with legal obligations pursuant to Article 6 (1) (c) General Data Protection Regulation; and/or
  • Legitimate interests of XAPT pursuant to Article 6 (1) (f) General Data Protection Regulation.

5.          Categories of Personal Data

XAPT generally processes the following categories of personal data:

  • Personal details (e.g. name, age/date of birth, gender, country of residence);
  • Contact details (e.g. e-mail, telephone number, postal address);
  • Professional details (e.g. employer name, position);
  • CV, experience, education, academic and professional qualifications;
  • Further information necessarily processed in a project or contractual relationship with XAPT or voluntarily provided by the Business Partner, such as personal data relating to orders placed, payments made, requests, and project milestones.

6.         Recipients of the Personal Data

XAPT and each of its subsidiaries may receive personal data as necessary for the processing purposes described above. Depending on the categories of personal data and the purposes for which the personal data has been collected, different internal departments within XAPT may receive your personal data. Moreover, other departments within XAPT may have access to certain personal data on a need to know basis.

Certain third party service providers will receive personal data to process such data under appropriate instructions (“Processors”) as necessary for the processing purposes described here, such as Cloud service providers, Website Analytics service providers, or other service providers who support XAPT in maintaining our relationship with the data subjects. The Processors are subject to contractual obligations to implement appropriate technical and organizational security measures to safeguard the personal data, and to process the personal data only as instructed.

XAPT uses the services of the following data processors:

  • Microsoft Corporation, Microsoft Ireland Operations Limited (cloud services);
  • Google LLC (website analytics services);
  • Hotjar Ltd (website behaviour analytics services);
  • LinkedIn Corporation (talent sourcing).

XAPT may transfer – in compliance with applicable data protection law – personal data to law enforcement agencies, governmental authorities, judicial authorities, legal counsel, external consultants, or business partners. In case of a corporate merger or acquisition, personal data may be transferred to the third parties involved in the merger or acquisition. XAPT will not disclose personal data to third parties for advertising or marketing purposes or for any other purposes without the data subjects’ prior consent.

7.          International Data Transfers

In the event that XAPT transfers personal data outside the European Economic Area, XAPT ensures that personal data is protected in a manner which is consistent with the GDPR. XAPT transfers personal data to external recipients outside the European Economic Area only if the recipient has (i) entered into EU Standard Contractual Clauses with XAPT or (ii) implemented Binding Corporate Rules in its organization. Data subjects may request further information about the safeguards implemented in relation to specific transfers by contacting

8.         Duration of the Processing

XAPT will not retain personal information longer than necessary to fulfil the purposes for which it is processed, including the security of our processing complying with legal and regulatory obligations (e.g. audit, accounting and statutory retention terms), handling disputes, and for the establishment, exercise or defence of legal claims in the countries where we do business (i.e. Hungary, United States, Canada, Australia).

XAPT typically erases contracts, communications and business letters containing personal data, or redacts personal data from such documents, 5 (five) years after their termination or creation, as such data may be subject to statutory retention requirements, which often require retention of up to 5 (five) years.

9.         Rights of the Data Subject

Pursuant to the GDPR, data subjects have the right to (i) request access to their personal data; request rectification of their personal data; (iii) request erasure of their personal data; (iv) request restriction of processing of their personal data; (v) request data portability; and/or (vi) object to the processing of their personal data.

If the processing is based on consent, in accordance to point (a) of Article 6(1) or point (a) of Article 9(2) of the GDPR, the data subject is entitled to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Data subject rights may be exercised by a written request through the contact details set forth in Section 2. of this privacy notice. XAPT shall comply with a request for the exercise of the rights of the data subject within one month of receipt. The date of receipt of the request is not included in the deadline. XAPT may, if necessary, extend this time limit by a further two months, taking into account the complexity of the request and the number of requests received. XAPT shall inform the data subject of the extension of the time limit, indicating the reasons for the delay, within one month of receipt of the request.

If the data subject considers that XAPT has breached applicable data protection requirements, the data subject may lodge a complaint with the data protection regulatory authority responsible for enforcement of data protection law in the country where the data subject normally resides or works, or in the place where the alleged infringement occurred.

The data subject may lodge a complaint in Hungary with the National Data Protection and Freedom of Information Authority (address: 1055 Budapest, Falk Miksa utca 9-11., postal address: 1363 Budapest, Pf. 9, e-mail:, website:, or may go to court, and the court shall hear such cases as a matter of priority. In this case, the data subject may bring the action before the regional court having territorial jurisdiction over his domicile (permanent address) or place of residence (temporary address), or the seat of XAPT, according to his choice.

10.     Data Security

XAPT has implemented generally accepted standards of technology and operational security in order to protect personal data from loss, misuse, alteration or destruction. Only authorised persons are provided access to personal data; such individuals have agreed to maintain the confidentiality of this information.

Although XAPT uses appropriate security measures once XAPT has received the data subject’s personal data, the transmission of data over the internet (including by e-mail) is never completely secure. XAPT endeavours to protect personal data but cannot guarantee the security of data transmitted to or by us.


11.      Imprint

Information as per Section 4 of Act CVIII of 2001 on electronic commerce services and on certain issues related to the information society services.

Name of the service provider: XAPT Szoftver Tanácsadó Korlátolt Felelősségű Társaság

Registered seat: 1118 Budapest, Rétköz utca 5.
E-mail address:
Company register court: Fővárosi Törvényszék Cégbírósága
Company registration number: 01-09-688936
VAT ID: 12491643-2-43
Web hosting provider: SiteGround (registered seat: 901 N Pitt St Ste 325, Alexandria, VA 22314-1459)
+1 (305) 744 5901