In force from 30 May 2026
Privacy Policy
1. Controller
Controller: Summa Technologiae Korlátolt Felelősségű Társaság
Short name: Summa Technologiae Kft.
Registered address: 1023 Budapest, Lublói utca 4. 2. em. 6., Hungary
Company registration number: Cg. 01-09-331681
Tax number: 26551939-2-41
Contact e-mail: [email protected]
Website: summotive.com
The Controller processes Personal Data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), the Hungarian Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.), and other applicable legislation.
Data Protection Officer: The Controller is not required to appoint a Data Protection Officer under Article 37 GDPR (the Controller does not carry out large-scale Processing of special categories of data and does not engage in systematic monitoring of Data Subjects). Data protection enquiries may be directed to the contact details above.
2. Definitions
The following terms bear the meaning assigned to them in Article 4 GDPR:
- Personal Data: any information relating to an identified or identifiable natural person.
- Data Subject: the natural person to whom Personal Data relate.
- Processing: any operation performed on Personal Data (collection, recording, storage, transmission, erasure, etc.).
- Processor: a natural or legal person that Processes Personal Data on behalf of the Controller.
- Consent: any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which they signify agreement to the Processing of their Personal Data.
- Personal Data Breach: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
3. Principles of Processing
The Controller applies the following principles under Article 5 GDPR:
- Lawfulness, fairness and transparency: Personal Data are Processed lawfully, fairly and in a transparent manner in relation to the Data Subject.
- Purpose limitation: Personal Data are collected for specified, explicit and legitimate purposes and not Processed in a manner incompatible with those purposes.
- Data minimisation: Personal Data are adequate, relevant and limited to what is necessary in relation to the purposes of Processing.
- Accuracy: Reasonable steps are taken to ensure Personal Data are accurate and, where necessary, kept up to date.
- Storage limitation: Personal Data are kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes of Processing.
- Integrity and confidentiality: Personal Data are Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage.
- Accountability: The Controller is responsible for, and is able to demonstrate compliance with, all of the above principles.
4. Processing Activities
4.1 E-mail enquiries
When a Data Subject contacts the Controller at [email protected], the following Processing takes place:
| Aspect | Detail |
|---|---|
| Personal Data | Sender’s e-mail address; name (if provided by the Data Subject); message content |
| Purpose | Responding to the business enquiry; preparing a potential contractual relationship |
| Legal basis | Article 6(1)(b) GDPR: Processing necessary for steps taken at the request of the Data Subject prior to entering into a contract; and/or Article 6(1)(f) GDPR: legitimate interests of the Controller - see below |
| Retention | 3 years from the end of the business relationship; or erased without undue delay upon a valid erasure request |
| Provision of data | Voluntary; without the data the Controller cannot respond to the enquiry |
Legitimate interests assessment (Article 6(1)(f) GDPR): Where Processing is based on the Controller’s legitimate interests, the Controller has assessed that those interests are not overridden by the fundamental rights and freedoms of the Data Subject. Responding to and maintaining records of business correspondence constitutes a legitimate economic interest that Data Subjects can reasonably anticipate, and does not impose a disproportionate burden on them.
Automated decision-making and profiling: The Controller does not carry out automated decision-making or profiling in relation to e-mail enquiry data (Article 22 GDPR).
4.2 Necessary cookies (cc_cookie)
To operate the cookie-consent banner and to record consent preferences, the Controller uses the cc_cookie cookie set by the vanilla-cookieconsent library.
| Aspect | Detail |
|---|---|
| Personal Data | Visitor’s cookie consent settings (accept/reject value, timestamp) |
| Purpose | Retaining the Data Subject’s cookie preferences; demonstrating compliance with legal obligations |
| Legal basis | Article 6(1)(c) GDPR: compliance with a legal obligation (transparency requirement under Section 155 Eht.); and Article 6(1)(f) GDPR: legitimate interests of the Controller in maintaining a record of consent |
| Retention | 12 months |
| Provision of data | The cookie is placed automatically on first visit; no prior consent is required as it is necessary and based on legitimate interests |
4.3 Appointment booking (Calendly)
The “Book a call” link on the website opens the external Calendly scheduling platform in a new browser tab (calendly.com/summotive-info/30min). Calendly acts as an independent data controller in respect of the data it collects; the Controller engages Calendly as a Processor only within the scope of the engagement.
| Aspect | Detail |
|---|---|
| Personal Data | First and last name; e-mail address; selected appointment time; optional notes |
| Purpose | Scheduling a telephone or online meeting with a prospective client |
| Legal basis | Article 6(1)(b) GDPR: Processing necessary for steps taken at the request of the Data Subject prior to entering into a contract |
| Processor | Calendly, LLC - 271 17th Street NW, Suite 1000, Atlanta, GA 30363, USA |
| Retention | 3 years from the end of the business relationship; or erased without undue delay upon a valid erasure request |
| Provision of data | Voluntary; without the data the booking cannot be completed |
| Automated decision-making | None |
Calendly’s own privacy notice is available at calendly.com/privacy.
5. Processors
The Controller engages the following Processors. Each Processor acts only on the Controller’s instructions pursuant to a data processing agreement under Article 28 GDPR.
| Processor | Registered address | Role | Contractual basis |
|---|---|---|---|
| Namecheap, Inc. | 4600 East Washington Street, Suite 305, Phoenix, AZ 85034, USA | Web hosting (Apache server) | Data Processing Addendum |
| Calendly, LLC | 271 17th Street NW, Suite 1000, Atlanta, GA 30363, USA | Appointment scheduling platform | Data Processing Agreement (calendly.com/legal/data-processing-agreement) |
Personal Data are not disclosed to any other third party except in response to a lawful authority request or with the Data Subject’s consent.
6. International Data Transfers
Both Processors are established in the United States of America, outside the European Economic Area. The appropriate safeguards for transfers are as follows under Article 46 GDPR:
Namecheap, Inc.: Transfers are effected on the basis of the European Commission’s Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision 2021/914/EU, incorporated into Namecheap’s Data Processing Addendum.
Calendly, LLC: Transfers are effected on the basis of the Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision 2021/914/EU, incorporated into Calendly’s Data Processing Agreement, available at calendly.com/legal/data-processing-agreement.
Pursuant to Article 46(3) GDPR, any Data Subject may request a copy of the applicable SCCs from the Controller at [email protected].
The Controller monitors developments relating to the EU-U.S. Data Privacy Framework (Commission Decision 2023/1795) and will update this notice accordingly.
7. Rights of Data Subjects
Under Chapter III GDPR and the Infotv., Data Subjects have the following rights:
7.1 Right of access (Article 15 GDPR)
The Data Subject may obtain confirmation as to whether their Personal Data are being Processed and, if so, obtain a copy together with the information specified in Article 15(1)-(2) GDPR.
7.2 Right to rectification (Article 16 GDPR)
The Data Subject may request the rectification of inaccurate Personal Data without undue delay, and the completion of incomplete Personal Data.
7.3 Right to erasure (Article 17 GDPR)
The Data Subject may request erasure of their Personal Data where the purpose of Processing has ceased, Consent has been withdrawn, Processing is unlawful, or erasure is required to comply with a legal obligation. The right to erasure is not absolute and may be limited where Processing is based on a legal obligation or public interest ground.
7.4 Right to restriction of Processing (Article 18 GDPR)
The Data Subject may request restriction of Processing where the accuracy of the data is contested, Processing is unlawful but the Data Subject opposes erasure, the Controller no longer needs the data but the Data Subject requires them for legal claims, or the Data Subject has objected pending verification of the Controller’s legitimate grounds.
7.5 Right to data portability (Article 20 GDPR)
The Data Subject may receive Personal Data Processed on the basis of Consent or contract, in a structured, commonly used and machine-readable format, and may request direct transmission to another controller where technically feasible.
7.6 Right to object (Article 21 GDPR)
The Data Subject may object at any time to Processing based on legitimate interests. Upon receipt of an objection, the Controller must cease Processing unless it demonstrates compelling legitimate grounds which override the interests, rights and freedoms of the Data Subject.
7.7 Right to withdraw Consent (Article 7(3) GDPR)
Where Processing is based on Consent, the Data Subject may withdraw Consent at any time. Withdrawal does not affect the lawfulness of Processing carried out before withdrawal.
7.8 Exemption from automated decision-making (Article 22 GDPR)
The Controller does not subject Data Subjects to any decision based solely on automated Processing, including profiling, which produces legal effects or similarly significantly affects them.
7.9 Exercising rights
Rights may be exercised by contacting the Controller:
- E-mail: [email protected]
- Post: Summa Technologiae Kft., 1023 Budapest, Lublói utca 4. 2. em. 6., Hungary
The Controller will respond within one month of receipt of the request. Where necessary, that period may be extended by a further two months, of which the Data Subject will be informed within the initial one-month period.
8. Supervisory Authority and Remedies
8.1 Right to lodge a complaint
Pursuant to Article 77(1) GDPR, the Data Subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement. The Data Subject is therefore not limited to the Hungarian supervisory authority.
Competent Hungarian supervisory authority:
Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
(National Authority for Data Protection and Freedom of Information)
Address: Falk Miksa utca 9-11., 1055 Budapest, Hungary
Postal address: Pf. 9., 1363 Budapest, Hungary
E-mail: [email protected]
Tel.: +36 (1) 391-1400
Website: naih.hu
8.2 Right to an effective judicial remedy
Pursuant to Article 79 GDPR, the Data Subject has the right to an effective judicial remedy against the Controller or Processor where they consider that their rights have been infringed. Proceedings may be brought before the courts of the Member State where the Controller is established, or before the courts of the Member State of the Data Subject’s habitual residence (Infotv. Section 22).
9. Data Security
In accordance with Article 32 GDPR, the Controller implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- the website operates over HTTPS (TLS encryption);
- server access is protected by password controls and access restrictions;
- data processing agreements are in place with all Processors.
In the event of a Personal Data Breach, the Controller will notify the competent supervisory authority within 72 hours pursuant to Article 33 GDPR. Where the Breach is likely to result in a high risk to the rights and freedoms of Data Subjects, the Controller will also notify the affected Data Subjects without undue delay (Article 34 GDPR).
10. Amendments
The Controller reserves the right to amend this privacy notice. The date of the current version is indicated in the header of this page. In the event of material changes, the Controller will notify Data Subjects by appropriate means.
11. Contact
For all data protection enquiries and to exercise your rights:
E-mail: [email protected]
Post: Summa Technologiae Kft., 1023 Budapest, Lublói utca 4. 2. em. 6., Hungary
This notice has been prepared in accordance with Regulation (EU) 2016/679 (GDPR), Hungarian Act CXII of 2011 (Infotv.), and Act C of 2003 (Eht.). Last reviewed: 2026-05-30.