Privacy Policy

Legal name: Avenir Facility Management Szolgáltató Korlátolt Felelősségű Társaság Court-registered short form: Avenir Facility Kft. Marketing name: Avenir Facility Management Kft. Company registration number: 01-09-328046 — Court of Registration of the Budapest-Capital Regional Court Tax ID: 26395124-2-41 EU VAT ID: HU26395124 Date of incorporation: 31 July 2018 Registered office: Királyok útja 291, building B, door 15, 1039 Budapest, Hungary General contact: info@afm.hu · +36 70 316 8218 Web: https://www.afm.hu

Authorised representative: Attila Kovács, Managing Director Email: info@afm.hu Phone: +36 70 312 5868 Questions, requests, and complaints regarding data protection may be addressed directly to the contact details above.

The Controller has appointed a Data Protection Officer in accordance with GDPR Article 37(1)(b) and (c). The Data Protection Officer acts as a contact point for data subjects and the supervisory authority in data-protection matters. Data Protection Officer: Fanni Csegény Email: dpo@afm.hu Phone: +36 70 622 6242 Postal contact: Királyok útja 291, building B, door 15, 1039 Budapest, Hungary The Controller has notified NAIH of the appointment pursuant to Section 25/L of the Hungarian Infotv. Data subjects may contact the Data Protection Officer directly with data-protection questions, requests or complaints. This does not affect their right to lodge a complaint with the supervisory authority or to seek judicial remedy as set out in section 11.

In the contact flow on the www.afm.hu website, we process personal data for the following purposes: 4.1. PURPOSE — Processing of contact / quote requests Personal data processed: full name, company name, email address, phone number, area of interest, message content. Purpose: processing of quote requests, contacting the data subject, preparation of an offer. Legal basis (B2B dual-path): GDPR Art. 6(1)(b), where the request is necessary for steps to be taken at the data subject's request prior to entering into a contract (natural person / sole trader). GDPR Art. 6(1)(f), where the data subject acts as a contact person of a legal person or other organisation. The Controller's legitimate interest in the latter case: handling business contact, preparing offers, maintaining B2B client communication. Retention: • Where the request does not result in a contract: 12 months from the last meaningful contact. • Where a contract is concluded: data necessary for preparing, performing or enforcing claims may be processed as part of the contractual file until the general statute of limitations runs out (Hungarian Civil Code § 6:22 default rule: 5 years). • Accounting documents: 8 years (Hungarian Accounting Act § 169(2)). • Requests containing data not necessary, excessive, special-category or criminal-conviction data are erased or anonymised by the Controller without undue delay. 4.2. PURPOSE — Abuse prevention and website security Personal data processed: IP address, request timestamp, user-agent string, honeypot field value, rate-limit counter. Purpose: filtering of spam and bot submissions, mitigation of denial-of-service traffic. Legal basis: GDPR Art. 6(1)(f) — legitimate interest in secure operation. Retention: technical log 30 days (rolling); rate-limit counter 1 hour (in memory only). 4.3. PURPOSE — Contractual administration and business correspondence following a successful quote request Personal data processed: contact-person details, content of business correspondence, contractual documents. Legal basis: GDPR Art. 6(1)(b) (performance of contract) and (c) (compliance with legal obligation). Retention: 5 years from completion (Civil Code § 6:22) + 8 years (Accounting Act § 169(2)). 4.4. EXCLUSION OF PURPOSE — Special, criminal-conviction and third-party data are not processed via the web form The Controller does not request and does not intend to process via the contact form on the website special categories of data within the meaning of GDPR Art. 9, criminal-conviction data within the meaning of GDPR Art. 10, classified data, trade secrets, or detailed private-life, health, family, employment, financial or criminal-conviction information about third parties. Please do not submit such data via the form. In matters relating to private investigation, CCTV monitoring, access control, security incidents or any other higher-risk processing, the Controller acts under a separate engagement contract and dedicated data-protection notice. If a data subject or third party submits such data via the web form, the Controller examines it only to the minimum extent necessary for handling the request and, where necessary, erases, anonymises, or routes it into a separate processing flow without undue delay.

The Controller engages the following data processors for the operation of the https://www.afm.hu website. A written Data Processing Agreement (DPA) is in place with each. 5.1. Plus Five Five, Inc. ("Resend") — transactional email delivery Registered address: 2261 Market Street #5039, San Francisco, CA 94114, United States Activity: forwarding contact-form messages to the Controller. Processing situation: per the provider's public information, customer data may also be stored in the United States; the technical configuration of any email-sending region does not constitute fully EU-only data storage. Data Processing Agreement (Art. 28): a written DPA is in place. Safeguard for third-country transfers: where active DPF certification applies, the GDPR Art. 45 adequacy decision; secondarily, the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 under GDPR Art. 46, together with supplementary measures. 5.2. Vercel Inc. — hosting, edge/CDN service and server-side logging Registered office: 440 N Barranca Avenue #4133, Covina, CA 91723, United States Activity: serving the website, edge/CDN infrastructure, server-side request logging. Processing situation: static content and edge services may be operated through global infrastructure; the region of server-side functions is configurable (vercel.json: fra1). The Controller endeavours to use EU regions, but transfer to or access from third countries cannot be excluded. Data Processing Agreement (Art. 28): a written DPA is in place. Safeguard for third-country transfers: where active DPF certification applies, GDPR Art. 45 adequacy decision; secondarily, SCCs under Art. 46 and supplementary measures (encrypted transmission, access restriction, region configuration). 5.3. Neon, LLC (an affiliate of Databricks, Inc.) — PostgreSQL database service Contracting service provider: Neon, LLC (an affiliate of Databricks, Inc. since the May 2025 acquisition). Registered address: 160 Spear Street, Suite 1300, San Francisco, CA 94105, United States. Activity: PostgreSQL database service (storage of news, certifications, contact-form logs). Database region: AWS Frankfurt / eu-central-1. Data Processing Agreement (Art. 28): a written DPA is in place. Safeguard for third-country transfers: the active DPF certification of Databricks, Inc. covers Neon, LLC as an affiliate (GDPR Art. 45); secondarily, SCCs under Art. 46 and supplementary measures.

In operating the website and contact system, the Controller engages data processors that are entities incorporated in the United States, belong to a U.S. corporate group, or use U.S.-based sub-processors. The Controller endeavours to ensure that, where technically and contractually possible, data storage and database management take place in regions within the European Union. However, the Controller does not represent that all processing operations take place exclusively within the European Economic Area. Transfer of data to a third country, or access from a third country, may particularly arise in connection with email forwarding, hosting, technical operations, support, troubleshooting, logging, sub-processor activity or statutory obligations of the provider. In the case of providers incorporated in the United States or belonging to a U.S. corporate group, certain U.S. laws may impose government access or data-disclosure obligations under particular circumstances. Such laws include in particular Section 702 of the Foreign Intelligence Surveillance Act and the Clarifying Lawful Overseas Use of Data Act ("CLOUD Act"). The legal safeguards for third-country transfers — depending on the provider, the legal entity and the data flow — may include: a) Adequacy decision under GDPR Art. 45: where the U.S. recipient holds an active EU-U.S. Data Privacy Framework (DPF) certification, the transfer may rely on the DPF and the European Commission's adequacy decision. b) Standard Contractual Clauses under GDPR Art. 46: where the DPF does not apply, or as supplementary or fallback safeguard, the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 may be used. c) Supplementary technical and organisational measures: in particular data minimisation, encrypted data transmission, access restriction, identity and access management, logging, sub-processor control, region configuration and regular review of provider DPAs. The Controller reviews the data-protection safeguards, DPF status, DPA and sub-processor list of the engaged data processors at least annually, and upon any significant change of provider. The data subject may request further information on the applicable transfer safeguards at info@afm.hu.

Cookie audit pending — the Controller will finalise the full cookie inventory by means of a DevTools audit following deployment and will update this section based on the actual cookie inventory. In its current operation, the https://www.afm.hu website does not use any analytics, marketing, retargeting or profiling cookies. Where strictly necessary technical cookies or similar technologies are used for the operation of the website, they are used solely for ensuring the operation, security, and abuse-prevention of the website. Such technologies do not serve marketing or analytical purposes. The Controller regularly reviews cookie usage. If analytical or marketing cookies are introduced, the Controller will update this Policy in advance and apply a consent-management solution where required.

In respect of personal data processed in the contact flow on https://www.afm.hu, the data subject has the following rights under the GDPR: a) Right to information (Arts. 13-14) — to read this Privacy Policy. b) Right of access (Art. 15) — to request a copy of the data processed. c) Right to rectification (Art. 16) — to have inaccurate data corrected or supplemented. d) Right to erasure (Art. 17, "right to be forgotten") — under specified conditions. e) Right to restriction of processing (Art. 18). f) Right to data portability (Art. 20) — in a structured, machine-readable format. g) Right to object (Art. 21) — to processing based on legitimate interest, both at purpose 4.1 (data of B2B contact persons processed under GDPR Art. 6(1)(f)) and at purpose 4.2 (abuse prevention under GDPR Art. 6(1)(f)), including profiling. h) Rights related to automated decision-making (Art. 22) — see section 9. Right to withdraw consent (Art. 7(3)): as the Controller does not rely on consent as a legal basis in the https://www.afm.hu contact flow, this right does not apply here.

No automated decision-making and no profiling (GDPR Art. 22) takes place in the https://www.afm.hu contact flow. Incoming requests are processed individually and manually by the Controller's staff.

You may exercise your rights as follows: Email: info@afm.hu (subject: "Data protection request") Post: Avenir Facility Management Kft., Királyok útja 291, building B, door 15, 1039 Budapest, Hungary The Controller responds to such requests within one month at the latest, in accordance with Art. 12(3) GDPR. Where justified (taking into account the complexity or volume of requests), this period may be extended by a further two months, of which we shall inform the data subject within one month of receipt of the request. Where there are reasonable doubts as to the identity of the requesting person, the Controller may request additional information necessary for identification (Art. 12(6)). Exercise of rights is free of charge for the data subject, except where the request is manifestly unfounded or excessive (Art. 12(5)).

If you consider that the Controller's processing infringes the GDPR or the Infotv., you may lodge a complaint with: a) The supervisory authority: National Authority for Data Protection and Freedom of Information (NAIH) Address: Falk Miksa utca 9-11, 1055 Budapest, Hungary Postal address: P.O. Box 9, 1363 Budapest, Hungary Phone: +36 (1) 391-1400 Email: ugyfelszolgalat@naih.hu Web: https://www.naih.hu b) The courts: pursuant to Art. 79 GDPR, the data subject may seek judicial remedy before the court competent at their place of residence or habitual stay, or at the seat of the Controller (in this case: the Budapest-Capital Regional Court / Fővárosi Törvényszék).

Pursuant to Art. 33 GDPR, the Controller will notify NAIH of any personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, where the breach is likely to result in a risk to the rights and freedoms of data subjects. In the event of high risk, data subjects will also be notified directly (Art. 34).

The Controller holds an ISO/IEC 27001:2022 Information Security Management System certification within the scope defined in the certificate. Certificate number: 988960032 Issuer: MARTON Szakértő Iroda Kft. Validity: 27 April 2026 – 26 April 2029 Information about the scope of the certificate is available on request. Technical and organisational security measures are determined and regularly reviewed by the Controller in accordance with Art. 32 GDPR, using a risk-based approach, in particular: data minimisation, encryption in transit and at rest, access control and identity-and-access management, logging and incident detection, and regular security review and testing.

The Controller reserves the right to modify this Policy unilaterally. Modifications take effect upon publication at https://www.afm.hu/en/adatvedelem. Material changes may be the subject of a separate notice. The currently effective text of this Policy is always available at the URL above. Earlier versions are archived by the Controller and made available upon request. Version history: • Version 1.0 — Effective: 28 April 2026. First publication (launch of https://www.afm.hu). Earlier versions: none.