Privacy policy

Data Processing Principles:

  • Personal data is only collected and processed in accordance with applicable laws and EU regulations.

  • Direct marketing letters (newsletters) are only sent out if a special consent is provided. However, system messages can be sent without a consent.

  • Data is stored as safely as possible.

  • Personal data is transferred to third parties only in accordance with a prior consent.

  • Information on the data stored on persons can be requested by the Data subjects in writing by e-mail: [email protected]

  • The erasure of personal data can be requested any time at [email protected]
    For more detailed information, please read the Data Processing Guide carefully.

Privacy Policy and Information on the Processing of Personal Data

Apptum Hungary Ltd. (seat: H- 1052 Budapest, Deák Ferenc tér 3. II. em.; company registration number: 01-09-338308; tax number: 25309722-2-41; “Apptum”) as Data controller recognizes the content of this Privacy Policy as binding and covenants to comply with all undertakings of this document and the prevailing laws in the course of its data processing activities related to the site it operates in particular the requirements laid down in Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as "GDPR"), Act CXII of 2011 CXII on Informational Self-Determination and Freedom of Information (hereinafter referred to as "Privacy Act"), Act CVIII of 2001 on certain issues of electronic commerce services and information society services (hereinafter referred to as “e-Commerce Act”) and Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial (“Commercial Act”).
Apptum specifies its data processing principles and presents its expectations for itself as a Data controller here below.

1. The Purpose of Data Processing

Apptum maintains and operates web portals (hereinafter referred to as: “Websites”) under the trade name of Heurio: https://www.heurio.co; https://heurio.app, a Google Chrome Extension under the trade name of Heurio - UX Check & Visual Feedback Tool (hereinafter referred to as: “Chrome Extension”) and processes personal data in order to:

  • provide a service to its users through the Websites and the Chrome Extension (hereinafter referred to together as: “Platforms”) to ensure that registered users (hereinafter referred to as “Users”) can do website reviews and manage web projects with ease, provide their relevant data and register themselves in a database (hereinafter referred to as “User database”) for the purpose of using the services offered by the Platforms and if they have any questions related to the Platforms, they can contact the Data controller (hereinafter referred to as “Customer Service”) directly, and

  • send newsletters with information on the benefits of the services and promotions offered on the Platforms, as well as the new functions and other relevant information on the Platforms, to visitors who have registered for the newsletter on the Websites (hereinafter referred to as “Subscribers”) if such visitors, pursuant to Section 6, paragraph (1) of Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising Activity, provided their separate consent during the registration process or registered into the designated database (hereinafter referred to as “Newsletter database”) of Apptum including advertising in electronic or other form (hereinafter referred to as “Direct marketing”).

Subscribers, Users or any other Visitors (Unregistered Users) to the Platforms are collectively referred to as “Data subjects” while related databases are referred to as “Databases on data subjects” in this Privacy Policy.

Pursuant to Article 8, paragraph (1) of the GDPR, the consent and approval of the legal representative or guardian is required for the registration and subscription of a User who has not reached the age of 16 or has a limited capacity to act, or, in the absence thereof, the registration of the minor or limited capacity User cannot be accepted by the Data controller and will be deleted. The Data controller shall make reasonable efforts to verify if such cases that consent is given or authorized by the holder of parental responsibility over the child, taking into consideration available technology.

Data recorded in the Databases of Data subjects is processed by Apptum solely in accordance with this Privacy Policy and is not transferred or disclosed to any third party, except in cases where such access or transfer is required by law, authority or court, or referred to in this Privacy Policy.

Data subjects explicitly accept the terms of this Privacy Policy by using or registering on the Websites and by using the Chrome Extension, furthermore, voluntarily consent to the processing of their personal data in accordance with this Privacy Policy.

2. The Legal Grounds of Data Processing

The legal ground for processing the data provided by Data subjects to the Databases accessible on the Platforms, unless otherwise mentioned in the present Privacy Policy, is the Data subject's voluntary consent.

Where personal data have been recorded with the consent of the data subject, the Data controller shall, in the absence of a provision to the contrary in law, process the data provided for the purpose of fulfilling his/her legal obligation or the legitimate interests of the data controller, or a third party, if the enforcement of that interest is proportionate to the restriction of the right to the protection of personal data without further consent, and may also process the personal data after the withdrawal of the consent by the data subject.

3. Personal Data Processed by Apptum, Data Transfer and Duration of Data Processing

Apptum declares that pursuant to Article 9 of the GDPR, its processing of personal data does not include special categories of personal data, such personal data is not being processed.

3.1. User Database

The User Database is only accessible through the Platforms after registration. Apptum processes the following data of the User after a successful registration.

[Registration] Mandatory information to be provided by the User:

  • name,

  • e-mail address,

  • user type (Project or product manager / Designer / Researcher / Engineer or Developer / QA tester / Marketing & Sales / Entrepreneur / Other)

  • source (Friend, link to blog post, etc.).

Optional data provided by the User at its sole discretion:

  • image.

[Use] Other automatically processed data related to the use of the Platforms:

  • date of registration,

  • location of Users,

  • the full content and date of the projects,

  • the full content and date of comments,

  • the full content and date of suggestions,

  • the full content and date of notes,

  • the name and URL of the project website.

[Share] During the operation of the Platforms the Users can share comments, ideas, notes of projects (through share link or invitation) with anyone; automatically processed data related to the share option is the following:

  • date of the invitation,

  • password of the share link (if any),

  • date of the share link.

The processing of this data is based on the voluntary consent of the Users under Article 6, paragraph (1) of the GDPR, compulsory data required for the performance of a contract concluded between Apptum and the User, the legal grounds of the data processing in this respect are the provisions of Article 6, paragraph (1), item b) of the GDPR. The provision of data by the User is essential for registering on the Websites, so the provision of data is a prerequisite for the conclusion of a contract. Sharing comments, ideas or notes of a project is optional for the Users, so the processing of the related data is neither a prerequisite for the use of the Platforms, nor for the conclusion of the contract.

3.2. Transmission of user data

In the course of processing data of the User's Database, Apptum shall have the right to transfer or disclose data of the Users recorded during the miscellaneous use of the Platforms, specified under this item to the other Users of the Platforms or the public.

The Users and all Unregistered Users shall be obliged to keep the personal data transferred to them confidential, they shall not be entitled to transfer it to third parties, nor shall they be entitled to process them for their own purposes.

All the data accessible on the Platforms, including the shared data, is called disclosed data in case the sharing was through sending an invitation, therefore such data is accessible for other Users and also Unregistered Users with the relevant hyperlink, whereas the data made accessible to someone through “share link” (i.e. only the User receiving the share link can access such data) is called transferred data.

[Transfer of Data]

Owners and Editors of Projects may invite other Users as Editors or Viewers of the Project.

A/ Viewers

Upon accepting the invitation as Viewer by the User, the following data will be transferred to the Viewer:

  • the full content and date of the projects,

  • the full content and date of comments,

  • the full content and date of suggestions,

  • the full content and date of notes,

  • the name and URL of the project website,

  • the name and profile picture of any other Users of the Project.

B/ Editors

Upon accepting the invitation as Editor by the User, the following data will be transferred to the User:

  • the full content and date of the projects,

  • the full content and date of comments,

  • the full content and date of suggestions,

  • the full content and date of notes,

  • the name and URL of the project website,

  • the name, e-mail address and profile picture of any other Users of the Project.

Following personal data of the Editor will be transferred to other Users of the Project:

  • the name and profile picture of the Editor,

  • the full content and date of any comments, suggestions and notes provided by the Editor.

The transfer of the aforementioned data of the User shall remain in effect as long as he/she is a member of the project group. The User may leave the Project any time, in which case his/her personal data will no longer be accessible to the members of the project group. However, any comments, suggestions, notes of the User leaving the Project will remain accessible without showing the name, profile picture and e-mail address of the formal member of the Project as long as the Project is not deleted by the Owner.

[Data disclosed]

Users may decide to ensure the accessibility of the Project for Unregistered Users via share links.

In case the Project is accessible via share link, any Unregistered User receiving the share link may access the Project, therefore following personal data of the Users of the Project will be disclosed to them:

  • the full content and date of the projects,

  • the full content and date of comments,

  • the full content and date of suggestions,

  • the full content and date of notes,

  • the name and URL of the project website,

  • the name, e-mail address and profile picture of any other Users of the Project.

Unregistered Users are not allowed to provide any personal data to the Project, therefore no personal data of Unregistered Users will be disclosed.

3.3. Newsletter database

Data subjects can subscribe to the Newsletter Database on the Websites by providing a separate consent during user registration, and any other forms intended for newsletter sign-up (no User registration is required for subscribing to the Newsletter Database), Apptum processes the following data of the User after the successful subscription.

Mandatory information to be provided by the Subscriber:

  • name,

  • e-mail address

Other automatically processed data related to the Newsletter subscription:

  • the date and time of the subscription.

The processing of this data is based on the voluntary consent of the Subscriber pursuant to Section 6, paragraph (1) of Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising Activity and Article 6, paragraph (1), item a) of the GDPR. The provision of data by the Subscriber is not essential for registering on the Websites or using the Platforms, so the provision of data is not a prerequisite for the conclusion of a contract.

3.4. The legal grounds of data processing

Apptum processes the data uploaded by the Data subject during or after the registration on the Platforms for the period of the purpose of the data processing, by automatically deleting the data subject's registration as well as any related data and documents uploaded upon the receipt of a relevant request from the Data subject in accordance with this item on the rights of the Data subject related to the data processing and optional remedies contained herein.

Data recorded in connection with unconfirmed or interrupted registration user requests will be deleted automatically.

If the User does not access the Platforms for one (1) year, upon decision of Apptum he/she could be sent a warning message and after thirty (30) days of the message his/her personal data will be automatically deleted if the User fails to login during this period.

In respect of data that is automatically recorded and processed in connection with the use of the Platforms, Apptum processes the data as long as the User's legal relationship exists, but upon termination of the user relationship, such data will also be erased.

3.5. Unregistered User Information and Application of "cookies"

During the visit of the Websites, the Websites places and retrieves small data packets, so-called “cookies” on the IT tool of the Data subject.

Google Analytics

The following types of Google Analytics cookies will be applied on the Websites: "utma", "utmb", "utmc", "utmt” and "utmz" (for detailed information on cookies used by Google Analytics on this web site, please visit: this page).

The listed cookies are used for the purpose of identifying and collecting the following statistical data on the visitors the Websites:

  • search engine, keyword, or link used to land on the Websites ("utmz cookie"),

  • how many times the Data subject visited the Websites ("utmb" cookie),

  • how long the Data subject stayed on the Websites ("utma cookie"),

  • when the Data subject first visited the Websites ("utmc" cookie).

In addition to the foregoing, some cookies protect the Websites from overload ("utmt" cookie), and some cookies used by Google Analytics capture the IP address of the IT tool used by the data subject for analytical, statistical and security purposes. Data is stored on the IT tool of the Data subject.

Therefore, independent measurement and auditing of Websites traffic and other web analytics data is provided by Google Analytics servers as external providers using the cookies listed above. For more information on the measurement of data, go to www.google-analytics.com for detailed information. Google's privacy policy can be found at: here.  Data transmitted from the web portal to Google Analytics servers are not suitable for the direct identification of the User concerned, only the IP address of the IT device can be identified.

Google Analytics

The Websites uses Google Adwords and Facebook remarketing codes. Remarketing codes use cookies to tag site visitors.

The installed cookie will allow Apptum to display product and service-related advertisements to the Data subjects, and later on other websites in the Google Display network or on Facebook.

These cookies may be disabled at any time and the advertisements can be customized on the Google Ad Settings interface.

The Data subject provides his/her consent to the use of cookies by clicking on the “Accept” button on the pop-up window or by proceeding within the Websites (by clicking on any link or menu item).

Other cookies

The Websites may use other cookies as well. More detailed information about other cookies and cookie consent is accessible through the pop-up window appearing at the homepage of the Webites.

4. Data of Apptum as a Data Controller, Scope of Persons Entitled to Data Processing

Name: Apptum Hungary Ltd.

Represented by: Bartha Zoltán, Managing Director

Address: H- 1052 Budapest, Deák Ferenc tér 3. II. em.

E-mail: [email protected]

Company registration number: 01-09-338308

tax number: 25309722-2-41

In respect of the data provided by the Data subjects on the Platforms, the representatives and employees of Apptum are entitled to process such data, whose duties are related to the fulfillment of any purposes of data processing.

5. Method of Storage of Personal Data, Data Processors

Websites server:  Microsoft Magyarország Kft. (Data Processing Guide: Open).

Please note that your data is processed electronically in online databases. The technical background of the databases is provided by Apptum in cooperation with the following providers as data processors:

  • Twilio Inc. (Data Processing Guide: Open) as the provider of the newsletter sending system;

  • Microsoft Magyarország Kft. (Data Processing Guide: Open) as the provider of Microsoft Azure cloud computing platform;

  • Mixpanel Inc. (Privacy Policy: Open) as the provider of the product analysis system;

  • Hotjar Limited (Privacy Policy: Open) as the provider of the product analysis system;

  • Intercom Inc. (Privacy Policy: Open) as the provider of the messaging platform (chat box);

  • Google Inc. (Privacy Policy: Open) as the provider of the Google Analytics system; as well as

  • Facebook Inc. (Privacy Policy: Open) as the provider of Facebook Custom Audiences advertising platform,

  • Pipedrive OU (Data Processing Guide: Open) as the provider of the Sales Customer-Relationship-Manager (CRM) system.

  • Software Developer Contractors of Apptum.

  • Sales and Marketing Service Provider Contractors of Apptum

The Data controller warrants that data processing will be carried out in full compliance with applicable data protection laws and that the data controller shall take all necessary measures to ensure data security and data protection, the data processing activities it performs meets all the legal requirements for data security.

6. The Safety of Data Processing

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

The Data controller and Data processor shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

7. Data Protection Officer

The controller shall designate a data protection officer in any case where the core activities of the controller consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and Article 10.

Apptum informs all Data subjects that it does not process data under Articles 9 and 10 of the GDPR, and that the core activity of the Data controller is to operate the User and Newsletter databases. These activities do not require regular and large-scale monitoring of the Data subjects.

Therefore, Apptum as Data controller does not appoint a Data Protection Officer, but its decision is reviewed every calendar year according to the current state of data processing.

8. Announcement of a Personal Data Breach and Notification of the Data Subject

Apptum shall notify the competent supervisory authority of all personal data breach cases without undue delay, and, if possible, at the latest 72 hours after receipt of information thereof, unless the personal data breach is unlikely to pose a risk to the rights and freedoms of natural persons.

If a personal data breach is likely to pose a high risk to the rights and freedoms of natural persons, Apptum shall inform the Data Subject of the personal data breach without undue delay.

In the notification provided to the Data Subject, Apptum will explain the nature of the personal data breach in a clear and comprehensible manner and shall provide at least the information and measures provided for in Article 34, paragraph (2) of the GDPR.

The Data subject does not need to be notified by Apptum of the personal data breach if any of the following conditions are satisfied:

  • the Data Controller has implemented appropriate technical and organizational protection measures and those measures were applied to the data concerned by the personal data breach, in particular measures, which make data impossible to interpret for persons with unauthorized access to personal data;

  • the Data Controller has taken measures after the personal data breach that ensure that the high risk posed to the rights and freedoms of the Data subject is no longer likely to be realized;

  • the notification would require a disproportionate effort. In such cases, the Data subjects shall be informed by means of publicly disclosed information, or similar measures shall be taken to ensure the notification of Data subjects with equal efficiency.

9. Rights of Data Subject Relating to Data Processing and Possible Legal Remedies

The Data Subject shall have the right to access as set forth in Articles 12 to 22 of the GDPR and the right to notification, under which Apptum is obliged to inform the Data subject of its rights under GDPR, of personal data breach cases and of the information contained in Articles 13 and 15 of the GDPR.; and

  • the right to data portability, the right to rectification and erasure, and the right to object.

  • Accordingly, the Data controller

  • informs the Data subject about the processing of its personal data, including the data processed by the data subject or the data processor he or she has authorized, their source, the purpose, legal grounds, the duration of the data processing, the name and address of the data processor and its activities related to data processing, the circumstances, effects and measures taken to prevent the personal data breach (if any) and, in the case of transfer of the personal data of the Data subject, the legal grounds and the recipient of the transfer; and

  • rectifies, erases or locks the personal data provided by the Data subject (the Data subject may also perform the erasure of its data as indicated during the registration, and may also request the erasure through the Customer Service of the Data controller).

Notification on rights

The controller shall take appropriate measures to provide any information related to the completion of the tasks referred to above in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. Oral information may be provided upon the request of the Data subject, provided that his or her identity has been verified.

The Data controller shall facilitate the exercise of data subject rights. The Data controller shall provide information on action taken on a request under Articles 15 to 22 to the Data subject without undue delay and in any event within one month of receipt of the request.

That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Data controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

If the Data controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The controller shall provide the aforementioned information, notification and measures specified in Article 13 of the GDPR free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Information and access to personal data

The controller shall make the information referred to in Article 13, paragraph (1) to (2) of the GDPR available to the Data subject upon receipt of the personal data.

The Data subject shall have the right to obtain from the Data controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information set forth in Article 15, paragraphs (1) to (2) of the GDPR (right of access by the data subject).

The Data controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the Data subject, the controller may charge a reasonable fee based on administrative costs. Where the Data subject makes the request by electronic means, and unless otherwise requested by the Data subject, the information shall be provided in a commonly used electronic form.

Right to data migration

Pursuant to Article 20 of the GDPR, the Data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller (right to data portability).

Right to rectification, erasure and object

The Data Subject has the right to withdraw his/her consent to data processing without any justification for the future. Pursuant to Articles 16 to 18 of the GDPR, the Data subject shall have the right to rectification, to be forgotten (erasure) and to restrict data processing.

The Data subject shall have the right to obtain from the Data controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the data subject withdraws consent on which the processing is based according to Article 6, paragraph (1), item a) of the GDPR, and where there is no other legal ground for the processing; the data subject objects to the processing and there are no overriding legitimate grounds for the processing; the personal data have been unlawfully processed; the personal data have to be erased for compliance with a legal obligation in Union or Hungarian law to which the controller is subject.

Pursuant to Article 21 of the GDPR, the Data subject shall have the right to object to processing of personal data concerning him or her.  The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her.

The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing.

Right to remedy

The Data subject shall send its requests and notifications via e-mail to Apptum to [email protected] or via mail to H- 1052 Budapest, Deák Ferenc tér 3. II. em.

In case of exercising his/her rights related to the processing of his/her personal data, in case of refusal of the request or notification sent to the data controller or the Data controller’s failure to act upon them, the Data subject may turn to the National Authority for Data Protection and Freedom of Information (NAIH) or to court pursuant to the provisions of the GDPR and the Privacy Act.

In addition, the Data subject

  • shall have the right to turn to court in order to enforce its rights in the case of violation of the processing of his/her personal data,

  • shall receive compensation for the for damage caused by unlawful processing of his/her personal data or the breach of data security requirements, and

  • may claim a grievance fee due to the infringement of his/her privacy rights by the unlawful processing of his/her data or violation of data security requirements

Pursuant to Articles 77 to 82 of the GDPR.

The Data subject is entitled to all rights, remedies and other claims provided by law, set forth in the GDPR and the Privacy Act.

Apptum Hungary Kft.

Last edited on 31 Oct 2023.

By clicking “Accept all”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.