Privacy Policy

Margyn Analytics Platform

Effective Date: November 1, 2025
Last Updated: February 17, 2026

---

1. Data Controller Information

Company Name: Interactic Media Korlátolt Felelősségű Társaság (Limited Liability Company)
Short Name: Interactic Media Kft.
Headquarters: 1143 Budapest, Eleonóra u. 8. 4/3, Hungary
Company Registration Number: 01-09-388500
Tax Number: 10580242-2-42
EU Tax Number: HU10580242
Contact: support@margyn.io
Website: https://margyn.io

Data Protection Contact: Máté Schubert
Email: support@margyn.io

Note: Interactic Media Kft. is not required to appoint a Data Protection Officer (DPO) under GDPR Article 37, as it is not a public authority and does not carry out large-scale systematic monitoring. We provide assistance with data protection questions through the above contact details.

---

2. Legal Framework

This Privacy Policy is based on the following legislation:

• Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, GDPR)
• Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Hungary)
• Act CVIII of 2001 on Electronic Commerce Services and Information Society Services (Hungary)
• Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (Hungary)

Supervisory Authority:
National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9-11., Hungary
Phone: +36 (1) 391-1400
Email: ugyfelszolgalat@naih.hu
Website: https://naih.hu

---

3. Data Controller Status

IMPORTANT: Interactic Media Kft. acts as a data processor through the Margyn Analytics platform.

This means:

• You (the Customer company) are the data controller for end-users' (customers, employees) personal data
• We (Interactic Media Kft.) only process this data according to your instructions
• You remain the owner and responsible controller of the data

Data Processing Agreement: By using our Service, you agree to enter into a Data Processing Agreement with us in accordance with GDPR Article 28. The Data Processing Agreement (DPA) is automatically accepted upon acceptance of the Terms of Service. The full DPA text is available at: docs/legal/dpa-en.md

---

4. Platform User Data (B2B Users)

4.1. Data Categories Collected

Data collected during registration and account management:

• Name (first name, last name)
• Email address
• Company name
• User password (irreversibly encrypted)
• Account creation date
• Last login timestamp
• Chosen language and timezone preferences

Additional profile data (optional):

• Phone number
• Job title
• Profile picture
• Last seen timestamp
• Account status information

Consent data:

• GDPR consent given status and timestamp
• Marketing communications consent
• Data processing consent

Data automatically logged during use:

• IP address
• Browser type and version
• Operating system
• Pages and features visited
• Clicks and interactions
• Session ID
• Access timestamps

4.1.1. Session Tracking

Data stored during session tracking:

• Session identifier - Maintaining login
• IP address - Security, fraud prevention
• Device information - Technical compatibility assurance
• Browser type - Proper display
• Operating system type - System requirements verification
• Country - Regional analysis (not precise location)
• Session timestamps - Activity tracking, security verification
• Organization identifier - Access management

Legal basis: Legitimate interest (GDPR Article 6(1)(f)) - Security, fraud prevention, technical compatibility
Data retention: 12 months - for security and troubleshooting purposes

4.1.2. Waitlist Registration

Data collected during waitlist registration:

• Email address - Contact, sending notifications
• IP address - Abuse prevention, stored briefly
• Technical data - Browser and device compatibility
• Marketing parameters - Campaign effectiveness measurement (source)
• Language preference - Communication personalization
• Registration source - Channel identification
• Additional context - Registration circumstances

Abuse prevention: Rate limiting applied to prevent automated registrations and abuse

Legal basis: Consent (GDPR Article 6(1)(a))
Data retention: Until service launch or unsubscribe
IP retention: 15 days (abuse prevention)

4.1.3. Invitations and Access Management

User invitation system:

• Invitee email addresses (pre-registration)
• Invitation tokens - Secure access
• Inviter user ID (invited_by) - Audit trail
• Invitation messages - Optional context
• Expiration dates - Security measure

Beta access codes:

• Beta access codes - Early access control
• Usage tracking - Access management
• Validity periods - Time-limited access

Legal basis: Legitimate interest (GDPR Article 6(1)(f)) - Access control, security
Data retention: 90 days after expiration

4.2. Legal Basis for Data Processing

Data Type	Legal Basis (GDPR)	Justification
Registration data	Article 6(1)(b) - Contract performance	Essential for service delivery
Usage statistics	Article 6(1)(f) - Legitimate interest	Service improvement and security
Marketing communications	Article 6(1)(a) - Consent	Only with explicit consent
Billing data	Article 6(1)(c) - Legal obligation	Hungarian Accounting Act (8-year retention)

4.3. Data Retention Periods

Data Type	Retention Period	Justification
Registration data	5 days after account deletion	Recovery option
Billing data	8 years	Accounting Act requirement
IP addresses (logging)	15 days	Security incident investigation, fraud prevention
Usage logs	12 months	Security incident investigation
Marketing consent	Until consent withdrawal	GDPR Article 7(3)
Session data	12 months	Security and troubleshooting purposes
Invitation data	90 days after expiration	Security purposes, access control
Waitlist data	Until service launch or unsubscribe	Marketing, onboarding purposes
AI operation logs (Gemini, Claude)	Indefinite	Organizational analytics, cost tracking - deleted upon request or organization termination
Billing events (Stripe webhook)	Indefinite	Audit purposes, legal obligation (8 years for accounting data)
Sentry error data	90 days	Sentry default data retention policy
PostHog analytics data	12 months	Usage analysis, service improvement
Upstash cache data	15 minutes - 24 hours	TTL depending on key type (transient storage)

---

5. Customer End-User Data (E-commerce Shoppers, Employees)

5.1. Data Processor Role

The following end-user data may be processed through our platform:

For e-commerce platforms:

• Customer names
• Email addresses
• Order data (amount, products, date)
• Customer identifier (anonymous hash)

For HR/personnel costs:

• Employee names (optional)
• Salary/cost data
• Job title (optional)

IMPORTANT: We process this data only according to Customer instructions:

• Data owner: Customer company
• Data controller: Customer company
• Data processor: Interactic Media Kft.

5.2. Data Processing Purposes

• Generate analytical reports for the Customer
• Calculate business metrics (revenue, profit, efficiency)
• Trend analysis and forecasts
• Display dashboards and charts

5.3. Data Processing Location

Server location: European Union (Frankfurt, Germany)
Provider: Supabase Inc. (EU infrastructure)

International data transfer: NONE - all data remains within the EU.

5.4. E-commerce Platform Integrations

The Service automatically retrieves and processes the following data from e-commerce platforms connected by the Customer (e.g., Shopify, UNAS):

Shopify integration:

• Order data (order number, amount, date, status)
• Product information (name, price, cost price, inventory)
• Customer data (name, email - only per Customer instruction)
• Shipping information (methods, fees)

UNAS integration:

• Order data (order number, amount, date, status)
• Product information (name, price, inventory)
• Customer data (name - only per Customer instruction)

API access:
The Service reads data through platform-specific APIs (OAuth 2.0 authorization). The Provider does not store API keys or passwords, only secure OAuth tokens.

Data responsibility:
For end-user data from e-commerce platforms, the Customer is the data controller, the Provider is the data processor. Obtaining end-user consent is the Customer's responsibility.

---

6. Detailed Data Processing Flows

6.1. Subscription and Payment

Subscription process:

1. Customer selects a subscription plan
2. Provides billing information (company name, address, tax number)
3. Provides payment information directly to Stripe (secure plugin)

Payment data processing:
The Provider does not store or see bank card data. Payment information is provided by the Customer directly to Stripe through an embedded, Stripe-operated payment form.

Stripe details:

• Company: Stripe Payments Europe, Limited
• Address: 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland
• Registration Number: 533780
• Website: https://stripe.com
• Stripe Privacy Policy: https://stripe.com/privacy

Information received from Stripe:

• Payment successful/failed status
• Transaction identifier
• Payment amount and currency
• Last 4 digits of card (for verification)

More about Stripe's operations and data processing: https://stripe.com/privacy

Billing data:

• Retention period: 8 years (Hungarian Accounting Act requirement)
• Company name, address, tax number
• Subscription type, fee, period
• Invoice number, issue date

6.2. Customer Support and Assistance

Contact channels:

• Email: support@margyn.io

Data processed during customer support inquiries:

• Name (from User profile)
• Email address (for contact)
• Subject and content of inquiry
• Attached files (screenshots, logs)
• IP address and timestamp (for security)

Purpose of processing: Contract performance (GDPR Article 6(1)(b))

Data retention:

• During active case handling
• Closed cases: 12 months (for claims, enforcement)
• Automatic deletion thereafter

Third-party involvement:
We do not currently use external providers for customer support. All inquiries are handled by our internal team.

6.3. System Messages and Email Communications

The Service sends the following automatic system messages during use:

Transactional emails (mandatory, cannot unsubscribe):

• Registration confirmation
• Password reset link
• Subscription activation/renewal
• Invoice delivery
• Account deletion confirmation

Notification emails (optional, can be disabled):

• New feature announcements
• Important Service updates
• Security notifications

Email sending provider:

• Company: Resend Labs, Inc.
• Address: 440 N Barranca Ave #7938, Covina, CA 91789, USA
• Website: https://resend.com
• Data center: USA (AWS)
• Data protection: GDPR-compliant, Standard Contractual Clauses (SCC)

Data transmitted to Resend:

• Recipient email address
• Recipient name (if provided)
• Email subject and content
• Attachments (if any)

Data retention at Resend:
Resend retains email delivery logs for 30 days, then automatically deletes them. Email content is not stored long-term.

6.4. AI Image Generation and Business Analysis

The Service uses artificial intelligence for image generation and business metrics analysis:

Google Gemini AI service:

• Provider: Google Ireland Limited (Google Gemini AI)
• Website: https://ai.google.dev
• Privacy Policy: https://policies.google.com/privacy

AI functions used:

• Image generation and analysis: Product image analysis and description, marketing text generation, image variation creation, creative suggestion recommendations
• Business metrics analysis: Profit metrics explanation, trend interpretation, business insights generation

Data transmitted to AI:

• Uploaded product images (for image generation feature)
• User-written prompt texts
• Selected style settings
• Aggregated business metrics (statistics only, no personal data)

Anthropic Claude AI service:

• Provider: Anthropic PBC
• Website: https://www.anthropic.com
• Privacy Policy: https://www.anthropic.com/privacy

AI functions used:

• In-depth business metrics analysis
• Outlook generation
• Detailed explanations and recommendations

Data transmitted to AI:

• Aggregated business metrics (revenue, profit, margins)
• Cost components and campaign performance indicators
• DOES NOT include customer personal data - only aggregated statistics

AI Operations Logging:
We log all AI requests and responses in detail with the following information:

• Organization identifier
• Operation type (business analysis, report generation, image generation)
• AI provider used
• Resources consumed (token count, cost)
• Operation duration
• Operation metadata - request and response content
• Status and error messages
• Timestamps

Data Retention (AI logs): Indefinite - for organizational analytics and cost tracking purposes. Deleted upon organization termination or upon request.

Important guarantees:

• AI services are only used if the Customer explicitly activates the respective AI feature
• Google and Anthropic do not store data sent via API to train models
• Copyright for AI-generated content belongs to the Customer

Data flow:
Data sent to AI features is temporarily processed on US servers (Google and Anthropic), then the response returns to our EU servers. AI providers delete the data after processing.

Automated Decision-Making:
AI analyses provide recommendations and insights, but final business decisions are always made by you. We do not employ automated decision-making per GDPR Article 22.

Consent withdrawal:
The Customer can disable AI features at any time in Settings, preventing any future data transmission to AI providers.

---

7. Data Transfers and Data Processors (Subprocessors)

7.1. Data Processors We Use

The Provider uses the following external data processors to deliver the Service:

Database and application hosting:

• Company: Supabase Inc.
• Address: 970 Toa Payoh North #07-04, Singapore 318992
• Data center: EU (Frankfurt, Germany)
• Email: support@supabase.io
• Website: https://supabase.com

Web application hosting:

• Company: Vercel Inc.
• Address: 340 S Lemon Ave #4133, Walnut, CA 91789, USA
• Data center: EU (Frankfurt, Germany)
• Email: privacy@vercel.com
• Website: https://vercel.com

Payment service:

• Company: Stripe Payments Europe, Limited
• Address: 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland
• Registration Number: 533780
• Data center: EU infrastructure
• Email: privacy@stripe.com
• Website: https://stripe.com

Invoicing service:

• Company: Szamlazz.hu Kft.
• Address: 6000 Kecskemét, Kurucz köz 1/A, Hungary
• Registration Number: 03-09-122584
• Data center: Hungary
• Email: info@szamlazz.hu
• Website: https://www.szamlazz.hu
• Privacy: https://www.szamlazz.hu/adatvedelem

Email service:

• Company: Resend Labs, Inc.
• Address: 440 N Barranca Ave #7938, Covina, CA 91723, USA
• Data center: USA (AWS infrastructure)
• Email: support@resend.com
• Website: https://resend.com
• Data protection: Resend's data processing is GDPR-compliant, based on Standard Contractual Clauses (SCC)

AI image generation and analysis:

• Company: Google Ireland Limited
• Address: Gordon House, Barrow Street, Dublin 4, Ireland
• Service: Google Gemini AI
• Data center: EU and USA
• Email: support-ireland@google.com
• Website: https://ai.google.dev
• Data protection: Google's data processing is GDPR-compliant, based on Standard Contractual Clauses (SCC)

Sentry (Error Tracking and Performance Monitoring):

• Company: Functional Software, Inc. (Sentry)
• Headquarters: San Francisco, USA
• Server Location: Frankfurt, Germany (eu.sentry.io)
• Email: support@sentry.io
• Website: https://sentry.io
• Data protection: GDPR-compliant, Standard Contractual Clauses (SCC)
• Purpose: Application error tracking, performance monitoring, debugging
• Data Transferred: Error messages, technical information, user context (email address, user ID, IP address), session replay (limited sampling, increased on errors), performance metrics, user interaction tracking, device and browser information
• Session Replay: Records user interactions (clicks, scrolling, form fields) to reproduce steps leading to errors. High-risk data processing
• Data Retention: 90 days (Sentry default policy)

Anthropic Claude AI (Artificial Intelligence Analysis):

• Company: Anthropic PBC
• Headquarters: San Francisco, USA
• Server Location: USA
• Email: privacy@anthropic.com
• Website: https://www.anthropic.com
• Data protection: GDPR-compliant, Standard Contractual Clauses (SCC)
• Purpose: AI-powered business metrics analysis, report generation, explanations
• Data Transferred: Aggregated business metrics (revenue, profit, margins), cost components, campaign performance indicators, product margin data - DOES NOT include customer personal data
• AI Service Used: Anthropic Claude (current model version)
• AI Operations Logging: Organization identifier, operation type, resources consumed, cost, operation duration, status - Stored indefinitely for organizational analytics and cost tracking
• Anthropic Privacy: Anthropic does not use data sent via API to train models
• Automated Decision-Making: AI analyses provide recommendations only; final decisions are always made by you (not automated decision-making per GDPR Article 22)

Slack (Team Collaboration and Report Delivery):

• Company: Slack Technologies, LLC (owned by Salesforce)
• Headquarters: San Francisco, USA
• Server Location: USA
• Email: feedback@slack.com
• Website: https://slack.com
• Data protection: GDPR-compliant, Standard Contractual Clauses (SCC)
• Purpose: Automated report delivery, system alerts, team notifications
• Data Transferred: OAuth workspace tokens, webhook URLs, business metrics and report content, organization identifiers, system monitoring alerts

Upstash Redis (Caching and Rate Limiting):

• Company: Upstash, Inc.
• Headquarters: USA
• Server Location: EU (Frankfurt)
• Email: support@upstash.com
• Website: https://upstash.com
• Purpose: API rate limiting, caching, request deduplication
• Data Transferred: IP addresses (rate limit counters), request counters, temporary cache data, session tokens (transient storage)
• Data Retention: 15 minutes - 24 hours TTL (depending on key type)
• Data Residency: EU (Frankfurt server)

Tinybird (Analytics Data Warehouse):

• Company: Tinybird
• Headquarters: Spain
• Server Location: EU
• Email: support@tinybird.co
• Website: https://www.tinybird.co
• Purpose: Dashboard metrics processing, accelerating analytical queries
• Data Transferred: Aggregated business metrics, dashboard statistics, time-series data - DOES NOT include customer personally identifiable information
• Data Retention: Duration of organizational subscription

Railway (Application Hosting and Background Jobs):

• Company: Railway Corp.
• Headquarters: USA
• Server Location: Configurable (EU regions in use)
• Email: team@railway.app
• Website: https://railway.app
• Purpose: Application deployment, background job execution (sync services)
• Function: Alternative hosting platform to Vercel, primarily for enterprise sync services

SzámlaBridge (Invoice Intermediary Service):

• Provider: SzámlaBridge
• Headquarters: Hungary (Hungarian service)
• Purpose: Generate Hungarian invoices and forward to Számlázz.hu
• Data Flow: Margyn → SzámlaBridge → Számlázz.hu
• Data Transferred: Invoice data (customer name, address, amount, line items)
• Data Retention: 8 years (Hungarian accounting law)
• Legal Basis: Legal obligation (GDPR Article 6(1)(c))

A Data Processing Agreement (DPA) is in effect between the Provider and all data processors.

Engaging new data processors: In case of engaging a new data processor, we inform Customers in advance via email.

7.2. Data Transfer to Third Countries

For certain services, personal data may be transferred outside the European Union to the United States of America:

United States:

1. Sentry - Functional Software, Inc.

   • Server Location: EU (Frankfurt), but US company
   • Data Processing: Primarily within EU, but company registered in USA
   • Safeguard: Standard Contractual Clauses (SCC)
   • Note: PII data transfer (email, IP address, user ID)

2. Anthropic Claude - Anthropic PBC

   • Data Processing: USA
   • Safeguard: Standard Contractual Clauses (SCC)
   • Note: Anthropic does not use API data for model training
   • Data Transferred: Only aggregated business metrics, no personal data

3. Google Gemini AI - Google Ireland Limited

   • Data Processing: EU and USA
   • Safeguard: Standard Contractual Clauses (SCC)
   • Google provides GDPR-compliant data processing
   • Data Transferred: Product images, business metrics (aggregated)

4. Resend - Resend Labs, Inc.

   • Email service servers operated by AWS USA infrastructure
   • Safeguard: Standard Contractual Clauses (SCC)
   • Data enjoys protection provided by GDPR provisions
   • Data Transferred: Email addresses, names, message payload

5. Slack - Slack Technologies, LLC

   • Data Processing: USA
   • Safeguard: Standard Contractual Clauses (SCC)
   • Data Transferred: Business reports, organizational metrics

6. Upstash - Upstash, Inc.

   • Company: USA, but servers in EU region
   • Data Residency: EU (Frankfurt)
   • Note: Data physically remains within EU

7. Railway - Railway Corp.

   • Company: USA
   • Server Location: Configurable (EU regions in use)
   • Note: Data residency configured in EU

European Union:

• Tinybird - Spain (EU member state, no additional safeguards required)
• Supabase - Servers in EU (Frankfurt), no third country transfer
• Stripe Payments Europe - Ireland (EU member state)
• Számlázz.hu - Hungary (EU member state)

For future data transfers:

• Prior notification to Customers
• Application of Standard Contractual Clauses (SCC)
• Compliance with EU Commission adequacy decisions

---

8. Processing Third-Party Data

IMPORTANT: It is the Customer's responsibility to only provide or upload personal data to the Service for which they have the appropriate legal basis and consent.

Third-party data:
If the Customer provides or uploads personal data of third parties (e.g., customers, employees, suppliers) to the Service, the Customer must:

• Obtain necessary consents from third parties
• Inform third parties that their data will be processed
• Ensure third parties are aware of this Privacy Policy

Provider's limitation of liability:
The Provider is not responsible for unlawful processing of third-party data if:

• The Customer did not obtain appropriate consents
• The Customer did not properly inform third parties
• The Customer uploaded data they were not authorized to use

If a third party legitimately objects to the processing of their data and credibly proves this, the Provider will immediately delete the data and inform the Customer.

---

8.1. Google Ads Data

When you connect Google Ads to Margyn, we access and store the following data:

Data We Collect:

• Campaign performance metrics (impressions, clicks, spend, conversions)
• Ad account information (account ID, name, currency, timezone)
• Campaign names and structure
• Demographic performance data (age, gender, device breakdowns)

How We Use This Data:

• Calculate advertising ROI and return on ad spend (ROAS)
• Display advertising performance in your dashboard
• Determine net profit margins after accounting for advertising costs
• Identify which campaigns drive profitable vs unprofitable sales
• Enable trend analysis and historical reporting

Actions We May Perform (Only When You Request):

• Pause or resume campaigns when you click the action button
• Adjust campaign budgets when you enter a new budget amount

We Do NOT:

• Create new campaigns or ads without your explicit request
• Modify ad creative, targeting, or bidding strategies automatically
• Share your Google Ads data with third parties
• Access Google Ads accounts you haven't explicitly connected
• Make any automated changes without your direct action

Data Security:

• OAuth tokens are encrypted at rest using industry-standard encryption
• Data is only accessible to the account owner who connected the integration
• Access is isolated per user account with strict permission controls
• We comply with Google's API Services User Data Policy
• Full technical details available in Section 11 (Data Security)

Revoking Access:
You can revoke our access to your Google Ads data at any time by:

1. Disconnecting the integration in Margyn Settings → Integrations
2. Revoking access directly at https://myaccount.google.com/permissions

Data Retention:

• Historical advertising data is retained for trend analysis and reporting
• When you disconnect, we stop syncing but retain historical data for your records
• You can request full data deletion per Section 10 (Data Subject Rights)
• Deleted data is permanently removed within 30 days

Legal Basis:

• Contract Performance (GDPR Art. 6(1)(b)): Processing necessary to provide advertising analytics services
• Legitimate Interest (GDPR Art. 6(1)(f)): Historical data retention for business continuity and your own records

---

8.2. Facebook/Meta Ads Data

When you connect Facebook/Meta Ads to Margyn, we access and store the following data:

Data We Collect:

• Ad campaign performance metrics (impressions, clicks, spend, conversions)
• Ad account information (account ID, name, currency, timezone)
• Campaign and ad set structure
• Demographic performance breakdowns (age, gender, location)
• Page engagement metrics (when Facebook Pages are connected)

How We Use This Data:

• Calculate advertising ROI and return on ad spend (ROAS)
• Display advertising performance in your dashboard
• Determine net profit margins after accounting for advertising costs
• Identify which campaigns and demographics drive profitable sales
• Show correlation between organic and paid social media reach
• Enable trend analysis and historical reporting

Actions We May Perform (Only When You Request):

• Pause or resume campaigns and ad sets when you click the action button
• Adjust campaign budgets when you enter a new budget amount

We Do NOT:

• Create new campaigns or ads without your explicit request
• Modify ad creative or targeting automatically
• Share your Meta Ads data with third parties
• Access ad accounts you haven't explicitly connected
• Make any automated changes without your direct action

Data Security:

• OAuth tokens are encrypted at rest using industry-standard encryption
• Data is only accessible to the account owner who connected the integration
• Access is isolated per user account with strict permission controls
• We comply with Meta's Platform Policy and Platform Terms
• Full technical details available in Section 11 (Data Security)

Revoking Access:
You can revoke our access to your Meta Ads data at any time by:

1. Disconnecting the integration in Margyn Settings → Integrations
2. Revoking access directly at https://www.facebook.com/settings?tab=business_tools

Data Retention:

• Historical advertising data is retained for trend analysis and reporting
• When you disconnect, we stop syncing but retain historical data for your records
• You can request full data deletion per Section 10 (Data Subject Rights)
• Deleted data is permanently removed within 30 days

Legal Basis:

• Contract Performance (GDPR Art. 6(1)(b)): Processing necessary to provide advertising analytics services
• Legitimate Interest (GDPR Art. 6(1)(f)): Historical data retention for business continuity and your own records

Facebook Lead Ads (Optional Feature):
If you use our optional Lead Ads feature, we additionally access:

• Lead form submissions (name, email, phone, custom fields)
• Form names and structure
• Submission timestamps

This data is used solely to:

• Import leads into Margyn for CRM purposes
• Calculate cost per lead (CPL) metrics
• Track lead → customer conversion rates
• Display leads in your admin interface at /admin/facebook-leads

---

9. Consent Withdrawal

How to withdraw your consent:

The Customer may withdraw consent given for using the Service at any time, without justification, through the following methods:

1. Account settings:

• After login: Settings → Privacy
• Toggles for enabling/disabling individual consents

2. Email unsubscribe:

• Every marketing email contains an "Unsubscribe" button
• Automatic unsubscription upon click

3. Via email:

• Send a message to support@margyn.io
• Specify which consent you wish to withdraw
• Effective within 48 hours

4. Cookie settings:

• Cookie banner → Manage settings
• Any optional cookie can be disabled

Important notes:

• Consent withdrawal does not affect the lawfulness of processing prior to withdrawal
• Withdrawing certain consents (e.g., user account data) may limit or prevent Service usage
• Mandatory processing (contract performance, legal obligation) cannot be withdrawn

---

10. Data Subject Rights

10.1. Rights Granted Under GDPR

Right of access (GDPR Article 15):
You may request information about which personal data we process about you.

Right to rectification (GDPR Article 16):
You may request correction or completion of inaccurate or incomplete data.

Right to erasure / "Right to be forgotten" (GDPR Article 17):
You may request deletion of your data if:

• The data is no longer needed for the original purpose
• You withdraw your consent
• We processed your data unlawfully
• Legal obligation requires it

Exception: Billing data cannot be deleted for 8 years (Hungarian Accounting Act).

Right to data portability (GDPR Article 20):
You may request your data in machine-readable format (JSON, CSV).

Right to object (GDPR Article 21):
You may object to processing based on legitimate interest (e.g., marketing).

Rights related to automated decision-making (GDPR Article 22):
Our platform does NOT use automated decision-making with profiling.

10.2. Exercising Your Rights

How to exercise your rights:

1. Email: support@margyn.io
2. After login: Account settings → Privacy
3. In writing: 1143 Budapest, Eleonóra u. 8. 4/3, Hungary

Response deadline: 30 days (GDPR Article 12)
Cost: Free (we may charge for manifestly unfounded or excessive requests)

10.3. Right to Lodge a Complaint

If you believe we have violated your data protection rights, you may lodge a complaint with:

NAIH (National Authority for Data Protection and Freedom of Information):

• Address: 1055 Budapest, Falk Miksa utca 9-11., Hungary
• Phone: +36 (1) 391-1400
• Email: ugyfelszolgalat@naih.hu
• Online reporting: https://naih.hu/panaszuegyintezes

Through court:
You may initiate civil proceedings in the court of your place of residence (GDPR Article 79).

---

11. Data Security

11.1. Technical Measures

Encryption:

• In transit: TLS 1.3 (HTTPS)
• At rest: AES-256 encryption (Supabase)
• Passwords: Irreversibly encrypted

Access control:

• Role-based permission management (owner, admin, analyst, viewer)
• Two-factor authentication (2FA) support
• Row Level Security (RLS) in Supabase

Backups:

• Automatic daily backups (Supabase)
• 30-day backup history
• Geo-redundancy within the EU

11.2. Organizational Measures

• Internal data protection policies
• Employee confidentiality agreements
• Regular security audits
• Incident response plan

11.4. Platform Administrator Features

Admin Impersonation

Platform administrators may temporarily access user sessions for technical support and troubleshooting purposes:

Purpose: Technical support, troubleshooting, user training, customer service assistance

Logging: All admin access is logged:

• Who (admin user ID)
• When (timestamp)
• Which user session (affected user)
• What actions were performed (audit log)

Legal Basis: Legitimate interest (GDPR Article 6(1)(f)) - ensuring service quality and security

Restrictions:

• Only when necessary
• For minimal duration
• Only authorized administrators
• Strict access rules

Notification: Users will be informed of admin access upon request (audit log viewing)

Data Security: Admin access occurs through encrypted channels, all actions are logged

11.3. Data Breach Management

In case of a data breach (data leak, unauthorized access):

NAIH notification:

• Deadline: Within 72 hours (GDPR Article 33)
• Content: nature of breach, number of affected persons, expected consequences, measures taken

Data subject notification:

• If the breach poses a high risk to data subject rights
• In clear and plain language
• Recommended measures (e.g., password change)

Documentation:

• We record every incident
• Annual report prepared for management

11.5. Data Protection Impact Assessment (DPIA)

We have conducted data protection impact assessments for the following high-risk processing activities on the platform:

Assessed Activities:

• Session recording and replay (Sentry Session Replay, PostHog Session Recording)
• Systematic user behavior tracking (PostHog automatic tracking, Sentry interaction trails)
• AI-powered business data analysis (Claude, Gemini metrics analysis)
• Transfer of personal identifiers to third countries (USA - Sentry, Anthropic, Slack)

Risk Mitigation Measures:

• Session replay with limited sampling (lower rate for normal usage, higher on errors)
• IP address anonymization where possible
• Data minimization - only necessary data transferred
• Encrypted data transfer (TLS 1.3)
• Standard Contractual Clauses with all US-based providers
• Regular data protection audits
• User consent requested for high-risk processing

DPIA Documentation: Full DPIA documentation is available upon request at support@margyn.io.

---

12. Cookie Usage

12.1. Cookie Categories

Strictly necessary cookies:

• Session ID (maintaining login)
• CSRF token (security)
• Language and timezone preferences

Analytics cookies (with consent):

• Google Analytics: page visit analysis
• Vercel Analytics: performance measurement

Marketing cookies (with consent):

• Meta Pixel: retargeting campaigns
• Google Ads: conversion tracking

12.2. Cookie Management

Requesting consent:

• Cookie banner appears on visit
• Optional cookies only activate with consent
• Can be modified at any time in settings

Deleting cookies:

• Browser settings → Delete cookies
• Account settings → Cookie settings → Revoke all

Cookie lifetime:

• Session cookies: Deleted on browser close
• Persistent cookies: Maximum 12 months

Detailed information:
For detailed cookie handling, see the Cookie Policy document: Cookie Policy

---

13. Data Processing Register (GDPR Article 30)

Interactic Media Kft. maintains detailed records of all data processing activities:

• Categories of data processed
• Purposes of processing
• Categories of data subjects
• Recipients of data transfers
• Deadlines
• Technical and organizational measures

Access: Available to NAIH upon request.

---

14. Protection of Children's Data

Our Service is not available to persons under 18 (B2B platform).

If we learn that a person under 18 has registered, we immediately delete their data.

---

15. Privacy Policy Updates

Updates:

• Major changes: Email notification 30 days in advance
• Minor changes: Website update + dashboard notification

Version control:

• All versions remain available in archive
• With version number and date marking

Last update: January 28, 2026

---

16. Contact

Data protection inquiries:

Email: support@margyn.io
Phone: [Optional]
Postal address: 1143 Budapest, Eleonóra u. 8. 4/3, Hungary

Official inquiries, complaints:
Please send in writing to:
Interactic Media Kft.
1143 Budapest, Eleonóra u. 8. 4/3, Hungary
Marked "Data Protection Request"

---

Appendices

Appendix 1: Data Processing Agreement template (DPA)
Appendix 2: Subprocessor list
Appendix 3: Data retention table
Appendix 4: NAIH complaint filing guide

---

Interactic Media Kft.
Budapest, November 1, 2025

---

Declaration

This Privacy Policy was prepared based on the following official sources:

• Full GDPR text: https://eur-lex.europa.eu/eli/reg/2016/679/oj
• NAIH guidelines: https://naih.hu/adatvedelem
• Hungarian Information Act: https://net.jogtar.hu/jogszabaly?docid=a1100112.tv
• NAIH data processor guide: https://naih.hu/adatfeldolgozas-gdpr

Disclaimer: This document does not constitute legal advice. For specific legal questions, consult a data protection expert or attorney.