Legal document
Privacy Policy
Last updated: 26 May 2026 · Kortave · Hungary
1. Who we are
Kortave ("Kortave", "we", "us", "our") is a compliance automation service operated by a sole trader (egyéni vállalkozó) registered in Hungary. We operate the website at kortave.eu (and kortave.com) and provide automated EU regulatory compliance services to business customers across the European Union.
For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), Kortave is the data controller for personal data collected through this website and its associated services.
Data controller contact: Kortave, Hungary. Email:
As a sole trader operating exclusively within the EU and not engaged in large-scale or high-risk processing, Kortave is not required to appoint a Data Protection Officer (DPO) under GDPR Article 37. All data protection enquiries are handled directly by the controller at the address above.
2. Data we collect and why
We collect the following categories of personal data when you interact with our website or services:
2.1 Data you provide directly
- Name and email address — when you submit a contact form, request information, or sign up for early access.
- Company name and job title — provided voluntarily during enquiry or onboarding forms.
- Payment information — processed entirely by Paddle.com as Merchant of Record. We never receive, store, or process your card or payment details directly. Paddle acts as an independent data controller for all payment transactions.
- Communications — emails and messages you send to our contact addresses.
2.2 Data collected automatically
- IP address and approximate geolocation (country level) — recorded by Cloudflare as part of standard request handling and security protection.
- Browser type, operating system, and device type — collected via standard HTTP headers.
- Pages visited and referring URL — basic access logs retained for security purposes.
- Language preference — stored locally in your browser to remember your selected display language.
2.3 Data we do NOT collect
- We do not use third-party advertising or behavioural tracking technologies (no Meta Pixel, Google Ads tags, or similar).
- We do not sell personal data to any third party.
- We do not use fingerprinting for tracking purposes.
- We do not collect sensitive categories of personal data within the meaning of GDPR Article 9.
3. Legal bases for processing
We rely on the following lawful bases under GDPR Article 6:
- Contract (Art. 6(1)(b)): Processing necessary to provide you with our services under a customer agreement — including account management, service delivery, and billing.
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and protection of our systems and users — balanced against minimal data impact (IP-level logging only). We also rely on legitimate interests for direct marketing to business contacts, as described in detail in Section 5 below.
- Consent (Art. 6(1)(a)): Where you have explicitly opted in to receiving marketing communications. You may withdraw consent at any time by emailing or using the unsubscribe link in any email. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Legal obligation (Art. 6(1)(c)): Where processing is required by applicable Hungarian or EU law, including tax, accounting, and anti-money-laundering obligations.
4. How we use your data
- To provide, operate, and maintain our compliance automation services.
- To communicate with you about your enquiry, account, billing, and service updates.
- To send marketing communications where you have given explicit consent.
- To protect our systems from fraud, abuse, and security incidents via Cloudflare.
- To facilitate payment processing through Paddle.com, who act as Merchant of Record and independent data controller for all transactions.
- To comply with applicable Hungarian and EU legal obligations.
5. Direct business outreach (B2B prospecting)
Kortave contacts representatives of companies that we believe may benefit from our compliance services. This section explains how that processing works and constitutes the information notice required by GDPR Article 14 where personal data has not been obtained directly from you.
5.1 What data we process
- Name, job title, and professional role.
- Company name, industry, company size, and business location.
- Business contact details (professional email address) and public professional profile URL.
5.2 Where the data comes from
We obtain this data exclusively from publicly available professional sources: public professional networking profiles (such as LinkedIn), company websites, public business registers and directories, and general search engines. We do not purchase data from brokers, and we do not process data from non-public sources.
5.3 Legal basis
This processing is based on our legitimate interest in direct marketing to business contacts (GDPR Art. 6(1)(f)). Recital 47 GDPR expressly recognises direct marketing as a legitimate interest. Our balancing assessment rests on the facts that we process only business-context data in minimal categories, obtained from sources where the individual has made it publicly available in a professional capacity, with no sensitive data and a simple, immediate way to object.
5.4 Your right to object
You may object to this processing at any time, and for direct marketing the right to object is absolute (GDPR Art. 21(2)–(3)). Reply "opt out" to any email from us, or write to . We will stop processing immediately, delete your prospect record, and add your email address to a suppression list whose sole purpose is to ensure you are never contacted again.
5.5 Retention
Prospect records that do not lead to a business relationship are deleted or irreversibly anonymised no later than 12 months after our last contact. Suppression-list entries are retained indefinitely, as retaining them is necessary to honour your objection.
6. Data retention
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by applicable law. The following table sets out our principal retention periods and their legal bases:
| Category | Retention period | Legal basis / authority |
|---|---|---|
| Customer & contact records | Duration of relationship + 5 years | General limitation period — Act V of 2013 (Polgári Törvénykönyv, "Ptk."), § 6:22 |
| Invoices & payment records | 8 years from the end of the financial year | Hungarian Accounting Act (Act C of 2000), § 169(2) |
| Server access logs (Cloudflare) | Up to 30 days, then auto-purged | GDPR Art. 6(1)(f) — legitimate interest in security |
| Email & support correspondence | 3 years from last interaction | Ptk. § 6:22 general limitation; GDPR Art. 6(1)(f) |
| Marketing consent records | Until consent withdrawn + 90 days to process deletion | GDPR Art. 7(1) — demonstrability of consent |
| AI-generated compliance outputs containing personal data | Same as underlying customer record (above) | GDPR Art. 5(1)(e) — storage limitation principle |
When retention periods expire, data is permanently deleted or rendered irreversibly anonymous in accordance with GDPR Article 5(1)(e). We do not archive personal data beyond these periods.
7. Sub-processors and international data transfers
We use a limited number of third-party service providers to operate our services. Each sub-processor is bound by a data processing agreement meeting the requirements of GDPR Article 28(3). The following table lists our current sub-processors, their role, location, and applicable transfer mechanism where data is processed outside the EEA:
| Sub-processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Primary application hosting and server infrastructure | Nuremberg, Germany (EEA) | No third-country transfer — all processing within the EEA; GDPR Art. 28 data processing agreement in place |
| Supabase, Inc. | Managed database for operational and prospect data | EU region (EEA-hosted project) | EEA data residency; SCCs cover any limited third-country support access; GDPR Art. 28 DPA in place |
| Cloudflare, Inc. | CDN, DDoS protection, DNS, WAF | USA (primary EU traffic via Nuremberg, DE) | EU–US Data Privacy Framework (DPF) adequacy decision + Standard Contractual Clauses (SCCs) — belt-and-suspenders approach |
| Paddle.com Market Ltd. | Merchant of Record / payment processing (independent controller) | UK (England & Wales) | UK adequacy decision (EU Commission Decision 2021/1772); Paddle acts as independent controller — not a sub-processor for payment data |
| Anthropic PBC | AI-assisted compliance document generation and correspondence drafting (Claude) | USA (SCCs + transfer impact assessment) | SCCs (Module 2 — controller to processor) + GDPR Art. 28 DPA; no personal data used to train third-party models |
| Email delivery provider | Transactional and marketing email delivery | EEA or subject to SCCs | SCCs where applicable; data processing agreement in place |
Our primary application servers are located in Nuremberg, Germany, ensuring that the principal processing of personal data takes place within the European Economic Area (EEA). For transfers to the United States (principally Cloudflare), we rely on both the adequacy decision for the EU–US Data Privacy Framework and Standard Contractual Clauses as a belt-and-suspenders safeguard, ensuring continuity of protection regardless of any future adequacy decision review.
An up-to-date list of sub-processors, including any additions or replacements, is available on request at . We will notify active customers of any material sub-processor changes in accordance with GDPR Article 28(2).
8. Your rights as a data subject
Under GDPR Chapter III (Articles 15–22), you have the following rights regarding your personal data. These rights are enforceable without charge and we will respond within one calendar month of a verified request (extendable by a further two months where requests are complex or numerous, with prior notice — GDPR Art. 12(3)):
- Right of access (Art. 15): Receive a copy of all personal data we hold about you, along with information about how and why it is used.
- Right to rectification (Art. 16): Have inaccurate or incomplete data corrected without undue delay.
- Right to erasure (Art. 17): Request deletion of your personal data, subject to any overriding legal retention obligations (e.g. accounting law).
- Right to restriction (Art. 18): Require us to pause processing in certain circumstances (e.g. while accuracy is disputed or an objection is being assessed).
- Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (applies to automated processing on the basis of consent or contract).
- Right to object (Art. 21): Object at any time to processing based on legitimate interests, or to direct marketing. Direct marketing objections are absolute and require no balancing assessment.
- Right not to be subject to solely automated decisions (Art. 22): We do not make decisions that produce legal or similarly significant effects on individuals using automated processing alone, without human involvement.
To exercise any of these rights, contact us at with a description of your request. We may ask you to verify your identity before acting, in accordance with GDPR Article 12(6).
Right to lodge a complaint (Art. 77): If you are unsatisfied with how we handle your request or with our data processing practices generally, you have the right to lodge a complaint with a supervisory authority in your Member State of habitual residence, place of work, or place of the alleged infringement. As a Hungarian-registered controller, our lead supervisory authority under the one-stop-shop mechanism (GDPR Article 56) is:
1055 Budapest, Falk Miksa utca 9–11., Hungary
Website: naih.hu
Lead supervisory authority under GDPR Art. 56 (one-stop-shop). You may also contact the supervisory authority in your own EU Member State of residence under GDPR Art. 77.
9. Cookies and local storage
We use a minimal set of browser storage technologies:
- Strictly necessary — language preference: Your language preference is stored in browser localStorage to avoid repeated prompting. No personal data is transmitted to our servers for this purpose. This falls outside the scope of the ePrivacy Directive as it does not access or store data on your terminal device in a way that requires consent.
- Infrastructure cookies (Cloudflare): Cloudflare sets strictly necessary cookies (__cf_bm, cf_clearance) for bot detection and DDoS mitigation. These do not track you across websites and are not used for advertising or profiling purposes.
- No analytics cookies: We do not deploy Google Analytics, Hotjar, Plausible, or any other behavioural analytics tool that would require consent under ePrivacy or GDPR.
- No advertising cookies: We do not use any advertising, retargeting, or remarketing cookies.
Because we do not deploy non-essential cookies requiring consent, no cookie consent banner is currently required under Article 5(3) of Directive 2002/58/EC (ePrivacy Directive) as transposed into Hungarian law. If our cookie practices change, we will implement a fully compliant consent mechanism before any non-essential cookies are set.
10. Security
We implement appropriate technical and organisational measures (TOMs) to protect personal data against unauthorised access, disclosure, alteration, or destruction, in accordance with GDPR Article 32 and the principle of data protection by design and by default (GDPR Article 25):
- All data in transit is encrypted using TLS 1.2 or higher.
- Network-layer protection is provided by Cloudflare, including DDoS mitigation and Web Application Firewall (WAF).
- Access to personal data is restricted to the data controller on a strict need-to-know basis.
- Paddle.com handles all payment data within their PCI DSS Level 1 certified environment as Merchant of Record.
- Where AI tools process personal data, outputs are subject to human review before transmission to customers or third parties.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the NAIH within 72 hours of becoming aware of it (GDPR Article 33) and, where the breach is likely to result in a high risk, will communicate directly with affected individuals without undue delay (GDPR Article 34).
11. Children
Our services are directed exclusively at business users and professionals. They are not intended for, nor do we knowingly collect personal data from, individuals under the age of 18. If we become aware that personal data has been inadvertently collected from a child, we will delete it promptly and without undue delay.
12. Use of artificial intelligence
Kortave uses artificial intelligence tools to assist with the delivery of its compliance automation services. Specifically, AI-assisted processing may be involved in:
- Drafting and reviewing compliance document templates and bespoke regulatory outputs on behalf of customers.
- Classifying and categorising incoming data subject requests by type and urgency.
- Generating regulatory summaries and analysis that inform our service outputs.
- Automated correspondence drafting subject to human review.
Kortave's compliance documentation platform is not a high-risk AI system. It does not fall within any category listed in Annex III of the EU AI Act (Regulation (EU) 2024/1689). Kortave provides a B2B technical tooling service that assists organisations with preparing regulatory documentation — it does not make decisions about natural persons in areas such as employment, credit, education, law enforcement, or essential services. Accordingly, the high-risk obligations under Articles 9–15 of the EU AI Act do not apply to Kortave's own system.
When AI processes personal data as part of delivering our services, such processing is always subject to human review before any output is transmitted to or acted upon by a customer or third party. We do not engage in solely automated decision-making that produces legal or similarly significant effects within the meaning of GDPR Article 22(1). We do not use your personal data to train third-party AI models or to improve the underlying AI model without your separate, explicit consent.
The AI tools we use either operate within the European Economic Area or are subject to appropriate international transfer mechanisms as described in Section 7 above. AI-generated outputs that contain personal data are subject to the same retention, security, and data subject rights standards as all other personal data under this policy.
In the spirit of the transparency obligations under EU AI Act Article 50 and GDPR recital 60, we are committed to answering questions about how AI contributed to any output or decision affecting you. Contact us at .
13. Changes to this policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or services. For material changes, we will provide at least 14 days' prior notice via the email address associated with your account (for existing customers) and by updating the "last updated" date at the top of this page. We will maintain a changelog of substantive amendments on request. Your continued use of our services after a change takes effect constitutes acceptance of the revised policy, to the extent permitted by applicable law.
Questions about this policy or your personal data? Contact us at . Kortave · Hungary · kortave.eu