1 Contracting Parties and Terms

The present cloud computer contract (hereinafter Contract) and general terms and conditions (hereinafter GTC) regulates the access of Bitluck cloud computing selling platform (Platform), Party2 Website (hereinafter Website) and other Party2 services (hereinafter Services). The user (hereafter Party1) can access and use the Platform, Website, Services only in case that Party1 fully agrees and abide by all terms of present Contract and GTC.

Party1 is user of the Platform of the Party2.

Company Name: Bluck Company Limited Liability Company Business Registration Number: 01-10-046111 Tax number: HU26638478 Headquarter: Hungary, Budapest, 2310 Szigetszentmiklós,

ÁTI-Sziget Ipari Park 12 as a Party2 (hereinafter the Party2, collectively, the Parties).

2 Subject of the contract

Party2 allows Party1 to perform cloud computing on the Party2 equipment. To access the Platform Party1 should register an account on the Party2 Website. Party1 independently selects the cloud computing plan of necessary calculations on the Party2's Website from the list of the plans published (price list). Parties agreed to measure cloud computing power in terrahesh.

3 Duration of the contract

Contract Duration: Party1 independently selects the validity period from the plans publishedon the Party2 Website.

4 Fees

The tariff plans list is available on the Website. Party1 choose the tariff on the Website of Party2 according to the price list.

Regular fee payable according to payment schedule: The above amounts do not include VAT. The All interaction according to the payment schedule, price is conducted in the personal account of Party1 on the Party2 Website.

5 Additional Terms

The general terms and conditions of the services, the rights and obligations of the Party1 and the Party2 are contained in the GTC on the Party2's Website. By signing this contract, the Party1 certifies that he / she has read and understood the provisions contained therein and accepted them. The current version can be viewed at www.bitluck.com

as a Party1 hereby certifies that:

a) Party1 is has full civil capacity;

b) Party1 accepts and use the Services provided by Party2 in accordance with applicable laws and regulations and policies in Party1's country of residence/country and does not violate Party1 obligations to any other third Party.

c) Party1 finds that when Party1 is unable to commit to the provisions of paragraphs a, b of this section due to changes in facts or laws and regulations, Party1 will immediately stop using the services provided by Party2 and inform Party2 to stop the service through customer service channel. After terminating the service, Party1 uses the Party2 service Right to terminate Party1 consent immediately: In this case, Party2 is under no obligation to transmit any unprocessed or unfinished services to Party1 or any third Party.

For the registration data provided by the Party1, the Party1 agrees:

a) Provide legal, truthful, accurate and complete information;

b) If there is any change in the Party1's details, update the Party1's information in time. If the registration information provided by the Party1 is illegal, untrue, inaccurate or incomplete, the Party1 shall bear all the corresponding responsibilities and consequences.

c) Party2 reserves the right to impose restrictions on the account based on the information provided, to suspend or terminate the use of Party2 cloudcomputing power services;

d) The number of accounts per beneficiary is limited to 1;

e) That is, Party1 order is a request to Party2 for the cloud computing service. It does not mean that Party2 has accepted Party1 order. Party2 reserves the right to refuse to accept the Party1's order. If we accept Party1's order, a binding contract ("Cloud Computing Contract") is generated on behalf of Party2 and Party1 for the cloud computing service agreed upon in the order, the plan is associated with Party1's account. Prior to this, the order was considered pending, and Party2 reserves the right to refuse to accept the order and refuse to accept the Party1's payment;

f) For compliance purposes such as KYC (know your customer) and/or anti-money laundering, Party2 reserves the right to request the Party1 to provide PII (Personally Identifiable Information) and/or financial information from the account owner;

g) Agrees to the processing of personal data and accepts the privacy policy;

h) Party1 will need to enter Party1's username and password when using certain features in the services provided by Party2. If Party1 are unable to access Party1's account for reasons such as forgotten Party1's password, Party2 reserves the right to request specific information, including personally identifiable information, including but not limited to: proof of identity; proof of residence; telephone number /Email proof of ownership and any identifiable activity on the Website, such as transaction ID, order number, withdrawal amount, etc.; however, Party1 promise that Party1 will not share Party1\s username and / or password with others or allow any other third Party the use Party1'sParty2 is not responsible for the improper use of Party1's account or password by Party1 or any other third Party and for the consequences and losses. If Party1 believe that Party1's username and/or password are known to others or that Party1r account has been used by someone else, Party1 should notify Party2 immediately.

By signing this contract and any attachment, the Party1 declares that he / she has read the terms and conditions of the Contract, read the GTC and Privacy Policy and acknowledges the terms and conditions of the contract and Privacy Policy .

General terms and Conditions


1. These GTC both to Contract regulate access and conditions of Bitluck cloud computing.

2. Customer service of the Party2

Customer Service is available through the Party2's official working hours.
Telephone: +36 1 5566789
Web: www.bitluck.com
E-mail: info@bitluck.com

3. Subject of the service

The Bluck KFT., company registration # 13-09-197711 (hereinafter: Party2) provides the service specified in the cloud computing Contract (hereinafter: Contract) to the Party1 in accordance with the terms and conditions of the Contract, the tariff plan list and this GTC.

4. Acceptance of GTC

By signing the Contract between the Party2 and the Party1, the Party1 agrees and accepts it regards the provisions of this GTC as binding. In the absence of this, the Party1 accepts the invoice and considers the provisions of this GTC as binding. In this case, the Contract concluded between the parties shall be deemed to be an electronically concluded Contract, for which the electronic commerce services and the CVIII of 2001 on certain aspects of information society services are subject to the Contract. Articles 5 and 6 of the Act. The Contract is made between remote customers
Government Decree 1999 / II.5.

5. Rights and Obligations of the Party2

5.1. The Party2 is obliged to provide the cloud computing specified in the Contract with an annual availability of 99.5%. The availability calculation does not include pre-announced maintenance, outages due to system development, and breakdowns caused by extraordinary events (as per article 11 of the GTC) outside the Party2's control.

5.2. The Party2 is obliged to provide the ordered services within 8 working days of the payment of the order fee. Exceptions are the services provided by an additional third-party partner that are relayed by The Party2 to the Party1.

5.3. The Party2 shall provide free technical support for the use of the ordered service. The Party2 provides support only in case of problems with the professional operation of the Party2 environment. The programming and professional issues on the Party1 side are not the competence of the Party2.

5.4. The Party2 shall be entitled to invoice the Party1 the fees specified as per selected by Party1 service plan. Billing is done at the beginning of the current period. The first invoice is issued by the Party2 upon order, which the Party1 is obliged to fulfill within 72 hours upon signing of the Contract.

5.5. Party2 has the right to change any conditions under the Contract except for the cost of prepaid and the volume of services provided, which will became effective from the end of the current period.

5.6. The Party2 shall have the right to amend the General Terms and Conditions without delay, but shall provide the Party1s with prior written information by e-mail address specified by Pparty1 in its profile.

5.7. The Party2 shall protect the data provided by the Party1 on the Party2's servers with due care, but shall not be liable for the data or for any consequential damages resulting from the loss of data.

5.8. The Party2 shall have the right, subject to prior notice, to verify the origin of the personal data stored on its servers.

5.9 If the Party1 is unable to verify that the personal data stored on the Party2's servers is managed in accordance with applicable laws, in this case, the Party2 shall be entitled to delete personal data and shall be entitled to terminate the service with immediate effect.

5.10. The Party2 shall be entitled to include the Party1's data in the register, but may not transfer it to a third party without the written consent of the Party1. An exception is the statutory obligation to provide data and the provision of data to the debt collection company in the case of an account holding.

5.11. The Party2 reserves the right to make changes to the server environment without prior notice, if required by the security vulnerability of the programs that make up the server environment or the security incident affecting the system.

5.12. The Party2 shall assume financial liability up to the amount of the fee paid to him.

5.13. Party2 is exempt from liability for partial or complete failure to fulfill obligations under this Contract, caused by the circumstances of force majeure arising after its conclusion, including natural disasters; natural and industrial disasters; Act of terrorism; hostilities; civil unrest; adoption of acts containing prohibitions or restrictions on activities by state authorities or local authorities. The Party2 shall not be liable for any loss of profit, service interruption, loss of information, termination of Computer Performance for reasons beyond the Party2's interests, political or governmental damages.

6. Rights and Obligations of the Party1

6.1. The Party1 is entitled to use the services he has ordered 24 hours a day, 365 days a year as per tariff plan selected.

6.2. The Party1 to use the service must have aт operational PC and a stable Internet connection.

6.3. The Party1 shall use the ordered services in a proper manner, otherwise the Party2 shall have the right to suspend the service or to terminate the Contract with immediate effect. The Party1 shall be liable for damages resulting from incorrect or incorrect use.

6.4. The Party1 shall keep the identifiers necessary for the use of the service secret, and the Party1 shall be liable for any damage arising from unauthorized use, especially the user passwords.

7. Settlement method

7.1. The Party1 shall pay the fee specified in the Party1's exclusive Contract or, in the absence thereof, in the tariff plan used. The Party2 shall send the original of the completed invoice to the Party1 electronically (by e-mail). As the current invoicing rules do not require the traditional invoice to be produced to be signed or stamped. A copy of the invoice is also stored by the Party2. The invoice will not be sent automatically by post, but the Party2 will also send the Party1 to the specified postal address on request, and will request postal fee compensation. The invoice issued is not an e-invoice, there is no electronic signature or time stamp. The Party1 undertakes to transfer the service fee to the Party2 or to settle it in cash until the due date of the invoice.

7.2. In case of late payment, access to the service is suspended. Renewal of the service takes place after the debt is paid off on the next day after receipt of payment by the Party2. In case of non-payment within 30 days - the Contract will be terminated.

7.3. The Party2 shall not be obliged to store the data files owned by the Party1 on its servers after the termination of the Party1 Contract or in the case of an account over 60 days.

7.4. The Party1 acknowledges that the Party2 shall not be liable for any direct or indirect damages resulting from the suspension of service due to the account keeping.

8. Scope of the Contract

8.1. The Party2 shall provide the Party1 with the services specified in this GTC for the period specified in the Contract. The services are ordered personally, online via the Party2's Website forms.

8.2. If the Party1 terminates the fixed-term Contract, the Party1 shall be obliged to pay to the Party2 the fee due up to the termination of the Contract in a single amount. Termination can only be done in writing by post or e-mail. The Contract cannot be terminated retroactively.

8.3. Both parties are entitled to terminate the Contract with immediate effect if the other party breaches the Contract.

8.4. Normal termination of the Contract does not relieve you of any obligations (eg payment obligation) incurred up to the date of termination.

9. Contract performance

The performance of the Contract is fulfilled by making the service available, regardless of whether the Party1 actually used the service.

10. Fault reporting, defective performance

10.1. The Party1 shall immediately notify by e-mail if a fault is detected (fault report) or there is an objection to the Party2's performance. Any unusual phenomenon due to which the Party1 is unable to use the service, access to the software, or malfunction of the supervised device is a fault.

10.2. The Party2 shall acknowledge receipt of the Error Report by e-mail to the Party1.

10.3. The Party1 is required to provide a detailed description of the error, to accurately record the displayed error messages and to provide the information necessary for reproduction. The Party2 is required to begin remedying the defect within a maximum of 24 hours from the date of submission of the notice, and is obliged to complete the repair within a reasonable time and the reasonable time expected by the Party2.

10.4. The period of time that elapsed due to changes in circumstances with which any party could not count or due to force majeure events shall not count towards the deadline for repairs.

10.5 The Party1 shall cooperate with the Party2 in the course of troubleshooting and shall provide the Party2 with any support and declaration required by the Party2 to remedy the defect. Party1's error report may be made during the Party2's official working hours, primarily by e-mail at info@bitluck.com e-mail address. In urgent, exceptional cases, or in the absence of an Internet connection, the application may be made by tel # published on Party2 Website. Error reporting outside of Party2's business hours shall be considered as a notification received in the first hour of the next business day. In the general case, the commencement of the fault repair begins within a maximum of 24 hours from the announcement. In case of a high-priority problem (eg failure of servers) the Party1 may demand the immediate commencement of work (within a few hours in practice) as much as possible.

11. Force major

11.1. For the purposes of this Contract, the Parties shall regard as events of force majeure events occurring after the conclusion of the Contract, which are extraordinary, unforeseeable and not forfeited by the Parties. If any party is prevented due to a force majeure event, it shall notify the other Party in writing within 3 working days of the occurrence of the event, specifying the detailed circumstances of the force majeure event and its undoubted evidence that it was unavoidable for delaying or obstructing the Contract. obligations under this Regulation. Liability for damage arising from failure to notify this notice shall lie with the defaulting Party. The same notice shall contain the estimated duration of the force majeure event, the force majeure event shall not render the performance of the Contract impossible, but delay it, the performance deadline shall be extended by at least the duration of the delay caused by the force majeure event. The form of the force majeure event that makes the performance of the Contract impossible is governed by the rules of impossibility.

12. Confidentiality

12.1. The Parties acknowledge that the confidentiality of all data, procedures, methods, documents or other information relating to the other Party is of fundamental interest to the Party. In view of this, the Parties are obliged to treat this information as confidential and to do their best to ensure that third parties - in particular competitors of each other - do not have access to the information obtained in the performance of their duties.

12.2. The Parties undertake to treat the facts and data that have come to their knowledge in the course of their duties as business secrets, confidentiality, they have become aware of this Contract and its fulfillment - or during its duration - the owners of the other Party, the other Party and its activities, any information, information, procedure, method, detail, or essence concerning the content of this Contract, as business secrets, and, even after the termination of this legal relationship, is preserved as a business secret, which may not be used for its own benefit or for the benefit of a third party.

12.3. The Party may not disclose to any third party or authority, or disclose any information that leads to or may lead to the disclosure of such information, without the prior and prior written permission of the other Party, or to the information obtained. Parties acknowledge that violation of these obligations may result in a crime of business secrecy. The Parties undertake to treat the content of this Contract as confidential, not to disclose it and to provide information to a third party if the Parties have given their prior written consent. The Parties shall ensure and verify the correctness and reliability of the information which they wish to disclose and disclose in a manner consistent with the provisions of this Contract. They shall seek the opinion of the other Party beforehand.

13. Data Protection

13.1. The Party2 shall treat personal data provided in the framework of voluntary disclosure of information confidential and it shall only use those to the extent necessary for the identification of the Party1 and for the successful provision of the Services.

13.2. By concluding the Agreement the Party1 expressly gives its consent to the use of its personal data.

13.3. The Party2 shall immediately delete the personal data of the Party1 upon request. The duration of the data storage is 8 years following the termination of the Agreement.

13.4. The confidential data control is a first-rate requirement for the Party2.

The Party2 only makes available these data to authorities and courts in line with the applicable laws. The Party1 acknowledges that the data provided by him/her can only be treated as personal data based on legal provisions.

13.5. The detailed provisions relating to data protection and information safety can be found in the Data Protection and Information Safety Policy.

14. Termination or amendment of the Contract

14.1. The Contract may only be amended by the Parties in writing (including email) which shall be an integral part of the Contract. Any part of the Contract may be amended at the will of both Parties.

14.2. In case of early termination of the Contract on the initiative of the Party1, the prepayment is not refunded

14.3. The Parties agree that any dispute arising under or in connection with the Contract shall be settled amicably by direct negotiation. If the Party1 and the Party2 are unable to resolve their dispute in relation to the Contract in a peaceful manner within 30 days of the commencement of direct negotiations, the exclusive jurisdiction of the Central District Court of Buda for final settlement of the case.

15. Other Provisions

15.1. All notifications between the parties must be made in writing, in particular via e-mail, but this does not exclude notifications by post.

15.2. The Parties accept the correspondence sent by email in writing. E-mail addresses assigned to contact: e-mail addresses provided by the Party2 on it's Website.
The e-mail address of the person specified as the contact person of Party1 in the profile of Party1 on the Website. The Parties also accept communication from other e-mail addresses in writing, but any dispute or request for payment shall be sent to the designated addresses.

15.3. The amounts in the Contracts and GTC are indicated in US Dollar, unless otherwise indicated, net prices, do not include the current VAT.

15.4. The Party2's official working hours are Monday to Thursday from 09:00 to 18:00
Friday 09: 00-16: 00 (CET)Saturday, Sunday and public holidays: closed

15.5 Party2 identify the Contracting party related to the rules of the law and know your customer rules as well as preventing money laundering and terrorism financing law.

15.5. Under no circumstances will the Party2 be liable for any incidental, consequential or consequential damages, defaults, loss of business or profits. The Party2 is responsible for any damage he / she has deliberately caused. The Party2 shall not be liable for the lack of performance, defective quality or performance of the Products made by the Party1 based on the incorrect operation of the Assets provided by the Party1, and for the quality defect of the Products made by the Party1. The Party2 shall not be held liable for any deficiencies arising from the fact that the Party1 is operating an inappropriately trained staff on a system within or under the scope of the Contract, or fails to comply with the required technologies, laws, regulations, instructions, and does not properly use the available tools. The Party2 shall not be liable for any delay or omission in the performance of his/her duties if it occurs for a reason beyond reasonable control.

15.7. In matters not covered by this GTC and the Treaties, the laws of Hungary and the European Union, in particular the Civil Code and the Act LXXVI of 1999 on Copyright, are not applicable and the Hungarian Internet standards in force.

Budapest 16. 08. 2019

PRIVACY AND CONFIDENTIALITY POLICY

Effective from: 3 July 2019



I GENERAL PROVISIONS

1 Purpose and scope of the policy

This policy (" Policy") lays down rules related to the protection of natural persons with regard to processing personal data and rules related to the free movement of personal data. This Policy shall apply for specific data processing activities as well as for issuing directives and notices regulating data processing. In order to comply with the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter: Info Act) as well as the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council, Bluck Kft. ("Controller") has drawn up this Policy and regards it as authoritative and obligatory to apply at all times in the course of its activities.

This purpose of this Policy is to harmonize the provisions of the Controller's other internal regulations on data processing in order to protect the fundamental rights and freedoms of natural persons and to guarantee the proper processing of personal data. Another important purpose of this Policy is to ensure that the Controller's employees should be able to lawfully process the personal data of natural persons by getting acquainted with and observing this Policy.

The subjective scope of this Policy covers:

• All of the Controller's employees, workers, sub-contractors as well as persons maintaining a contractual or other relationship with the Controller and dealing with data processing and having access to the data processed by the Controller under a specific legal title;

• Data flow towards the employed data processors and – unless otherwise agreed – the activities of such data processors;

• Data flow towards the recipients of transferred data;

• Data transferred by the Controller to, or exchanged with other controllers or third parties affecting personal data, as well as the activities of controller partners.

The objective scope of this Policy covers all data processing, data transfer and information transfer regarding all personal data processed, controlled or influenced by the Controller as well as all other activities related to the protection of data processing constituting the subject matter of such data processing and information transfer as well as all data processing operations regardless of the place of emergence and processing as well as the form of appearance.

The objective scope of the Policy covers all personal data that are processed, stored or transferred by the Controller electronically or in another manner – e.g. on paper – or accessed by the Controller in some manner.

2 Applicable regulations and internal regulatory documents

Data processing is governed by the following, effective laws, which may be modified from time to time. Should any of the laws change, the change required by the effective law shall be considered in the given part of the Policy and the Controller shall take the required actions to modify the policy within the shortest time possible.

Key legislation:

• Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ( General Data Protection Regulation),

• Act V of 2013 on the Civil Code (hereinafter: "Civil Code"),

• Act I of 2012 on the Labour Code (hereinafter: "LC"),

• Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter: „Info Act"),

• Act C of 2000 on Accounting

3 Definitions

Should there be any deviation between the following terms and the legal definitions, the definition specified by law shall apply.

• data processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

• data processor: means a natural or legal person who processes personal data on behalf of the Controller;

• personal data: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

• consent by the data subject: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which s/he, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her.

• restriction of processing: the marking of stored personal data with the aim of restricting their processing in the future;

• registration system: means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

• data protectionincident: a violation of security that results in incidental or unlawful annihilation, loss, change, authorized publication of, and unauthorized access to transferred, stored data or data processed in another manner.

4 Eventual differences between certain rules and directives

The Company acts as a Controller with regard to certain services specified below and as a data processor with regard to some other services. The data processing activities shall be governed by the contracts – and their annexes – concluded with the Controller. In the event of any difference, the provisions of the laws shall be authoritative, except for cases where deviation is permitted by law. In such cases this Privacy and Confidentiality Policy and the contract signed with the Controller shall be decisive.

5 The basic principles of data processing

Personal data may only be processed for a specific purpose, in order for rights to be exercised and obligations to be fulfilled. Data processing shall at all stages comply with the purpose of data processing, the data shall be collected and processed in a fair and lawful manner. Only those personal data may be processed that are indispensable, and are suitable for fulfilling the objective of data processing. Personal data shall be processed only to the extent and for the period required for achieving the purpose, in compliance with this Policy.

Before starting data processing, the data subject shall be given unambiguous and detailed information on all the facts related to processing his/her data, in particular on the purpose and the legal basis of data processing, on the person authorised to carry out the data processing, on the duration of data processing, whether the Company as Controller processes the personal data of the data subject by virtue of article 6 (5) of the Info Act as well as on who is authorised to have access to the data. Information shall also be given on the rights and legal remedies of the data subjects in connection with data processing.

Accountability: The Controller shall be responsible for, and be able to demonstrate compliance with the following basic principles. Should the Company act as a data processor, it shall fully promote the fulfilment of the basic principles and their accountability.

(1) Legitimacy, fairness and transparency

The Company shall process personal data lawfully, fairly and in a manner transparent for the data subject.

2) Purpose limitation

Data may only be collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89 (1), not be considered to be incompatible with the initial purposes.

(3) Data minimization

The data processing shall be adequate, relevant and limited to what is necessary in relation to the purposes for which the data are processed.

(4) Accuracy

The data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate with regard to the purposes for which they are processed are erased or rectified without delay.

(5) Storage limitation

Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject.

(6) Integrity and confidentiality

Data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.



6 Lawfulness of processing

From 25 May 2018, personal data processing shall be lawful only if and to the extent that at least one of the following applies:

1 a) the data subject has given appropriate, informed and voluntary consent to the processing of his or her personal data for one or more specific purposes;

2 b) data processing is needed for contractual fulfilment where the data subject is one of the parties, or it is needed for taking actions upon request by the data subject prior to signing the contract;

3 c) data processing is necessary for compliance with a legal obligation to which the Controller is subject

4 d) data processing is necessary in order to protect the vital interests of the data subject or of another natural person;

5 e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;

6 f) data processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.


Data processing in specific cases is explained in details in paragraph II.7.




7 Data processing

The Company, as a Controller, employs data processors: employees, workers, sub-contractors who accepted this Policy and are obliged to confidentiality.

We inform our Clients that the following personal data stored in the user account of Bluck Kft, (2310 Szigetszentmiklós, ÁTI-Sziget Ipari Park 12.) in the user database of www.bitluck.com website and will be handed over to OTP Mobil Ltd. (H-1093 Budapest, Közraktár u. -32.) and is trusted as data processor. The data transferred by the data controller are the following: client's name, client's ID number, client's bankcard number, the time of payment.

The nature and purpose of the data processing activity performed by the data processor in the SimplePay Privacy Policy can be found at the following link: http://simplepay.hu/vasarlo-aff

8 Data transfers

The Company transfers the client's data to its partners. Special notification may be requested about the transfers. The company reserves the right to transfer data in a third country (for example: Russia, Japan etc.)

9 Right to legal remedy

The managers of the Company shall continuously check the compliance with the privacy laws and the internal regulations.

The Company's managers may review the internal regulations, minutes and records related to document management and data processing to check that the statutory data processing order is duly observed.



Supervisory authority:

Nemzeti Adatvédelmi és Információszabadság Hatóság

(Hungarian National Authority for Data Protection and Freedom of Information)

1125 Budapest, Szilágyi Erzsébet fasor 22/C

In the case where legal remedy is needed at court: regional courts have power and competence with the proviso that the regional court with territorial competence at the residence of the data subject shall also be entitled to proceed.

II DETAILED RULES

1 Transferring personal data

With regard to contracts to be concluded with persons or organizations dealing with data processing for and on behalf of the Company, the Company shall ensure that the privacy requirements and guarantees are integrated in the text of the contract.

The Company's Client may store the applicants' materials until the purpose is achieved, in compliance with the relevant and effective laws, thus specifically with the provisions of Act CXII of 2011 on Informational Self-Determination and Freedom of Information („Info Act") and Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general data protection regulation - GDPR), such materials shall be processed confidentially and lawfully and exclusively for the purpose of filling the job position in question, in connection with the specific vacancy already available upon the use, such materials shall not be disclosed or made accessible to third parties once the job has been filled.

The Company and the Company's Client are obliged, and they warrant to fully cooperate in order to fulfil the applicants' requests, to respond to requests as well as with regard to eventual authority and/or court proceedings.

2 Reporting complaints / claims

Reporting claims to the Company:

The Company may provide the opportunity to report service-related claims in several manners: in writing, via e-mail. If the Company provides the opportunity to submit claims via e-mail, claims sent from the e-mail address – and exclusively from that e-mail address – provided to the Company earlier in connection with the given Service shall be regarded as a claim received from the data subject.

If data processing by the Company is not based on the data subject's consent but it was initiated by a third party through abuse, the data subject may request erasure of the personal data relevant to him/her that was disclosed by another person and s/he may request information about the data processing whilst properly verifying his/her personal identity and his/her relationship with the personal data.

In the event of death of the data subject, any close relative of the data subject or the person who gained benefits by way of a last will and testament may request erasure of data on the applicant or the Client or the potential Client whilst verifying his/her relationship with the data subject and may request data transfer by presenting the death certificate or sending a copy of it to the customer service address of the Service.

The Controller has 30 days for complaint management, but the Controller does its best to respond to each complaint or claim within the shortest time possible.

3 The data subject's rights and their enforcement

RIGHT OF THE DATA SUBJECT TO RECEIVE NOTIFICATION

The Controller primarily receives personal data from the data subjects, the Controller shall – upon request - provide the data subjects with the following information:

• Person and contacts of the Controller and its representative;

• Contacts of the data protection officer of the Controller:

• The purpose of the planned data processing and the legal basis for data processing;

• The categories of personal data concerned;

• Recipients of the personal data and recipient categories; information, if any, specified in the GDPR about transferring personal data to third countries;

• The period for which the personal data will be stored, or if it is not possible, the criteria used to determine that period;

• The Controller's legitimate interest if interest weighing is the legal basis of data processing;

• The fact that the data subject may request from the Controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object processing as well as the right to data portability;

• In the case of data processing based on consent, the right to withdraw the consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

• The right to lodge a complaint with NAIH as the supervisory authority;

• Source of the personal data and, in a given case, whether the data come from a publicly available source;

• The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

• Exercising the right to provide information may only be refused in cases set forth in article 14 (5) of the GDPR.

RIGHT OF ACCESS BY THE DATA SUBJECT

In response to the request by the data subject the Controller shall notify the data subject whether his/her personal data are being processed. If such data processing is in progress, the following information can be given upon request:

• the purposes of data processing:

• the categories of personal data concerned;

• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

• the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

• the right to lodge a complaint with a supervisory authority;

• where the personal data are not collected from the data subject, any available information as to their source;

• the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

If requested separately, the Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.

RIGHT TO RECTIFICATION AND ERASURE

Upon request by the data subject, the Controller shall rectify the relevant incorrect personal data without unreasonable delay and - taking into account the purposes of the processing – supplements the deficient personal data upon request by the data subject, e.g. by means of providing a supplementary statement.

Upon request by the data subject, the Controller shall delete the relevant personal data without unreasonable delay if

• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

• the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;

• the data subject objects to data processing and there is no lawful, prioritized reason for data processing or the data subject objects to using his/her data for direct marketing;

• processing the data subject's personal data is unlawful;

• the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;

• the personal data have been collected in relation to the offer of information society services to children.

The Controller shall communicate any rectification or erasure of personal data to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate efforts. The Controller shall inform the data subject about those recipients if requested by the data subject.

RIGHT TO LIMIT DATA PROCESSING

Upon request by the data subject, data processing by the Controller shall be limited if

• the accuracy of the personal data is contested by the data subject, in this case the limitation covers a period enabling the Controller to verify the accuracy of the personal data;

• the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

• the Controller no longer needs the personal data for data processing but the data subject needs them to submit, enforce or protect legal claims;

• the data subject has objected to data processing for legitimate interest or for public purpose; in this case the limitation shall refer to the period until it is established whether the legitimate grounds of the Controller override those of the data subject.

The Controller shall communicate any limitation of data processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate efforts. The Controller shall inform the data subject about those recipients if requested by the data subject.



RIGHT TO DATA PORTABILITY

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another Controller if

• data processing is based on the consent or contract under the GDPR as a legal basis, or

• processing is carried out by automated means,

• excluding and limiting the right to data portability shall be governed by the provisions of the GDPR.

RIGHT TO PROTEST

The data subject is entitled to protest at any time against processing his/her personal data for a public purpose or a legitimate interest, for reasons related to his/her own situation, also including profiling. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

At the latest at the time of the first communication with the data subject, this right shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.



4 Incident management as a Controller

The data processing incident shall be reported by the Controller to the Nemzeti Adatvédelmi és Információszabadság Hatóság (Hungarian National Authority for Data Protection and Freedom of Information) without unreasonable delay, if possible, within 72 hours at the latest. The report shall be made in the form and manner as may be specified by the authority (e.g. on the platform indicated by the authority or on a hot line). If the data protection authority provides no platform, the report shall be made with its obligatory elements.

• If the data processing incident probably involves no risk for the rights and freedoms of natural persons, the report does not have to be made. This decision shall be made by the managing director, in consideration of all circumstances of the case.

• The Controller registers the data protection incidents, indicating the facts related to the data processing incident, their impacts and the actions taken for remedy. If the supervisory authority prescribes obligatory content elements for registering incidents, the incident registration table shall be drawn up with that content.

• The Controller shall notify the data subject about the data processing incident without unreasonable delay if the data processing incident probably involves a high risk for the rights and freedoms of natural persons. This decision shall be made by the managing director in consideration of all circumstances of the case, and s/he shall prepare a memorandum thereof.

• The data subject does not have to be notified if

◦ The Controller took appropriate technical and organizational actions and these actions were applied for the data affected by the data processing incident, especially actions – e.g. applying encryption – that make the data uninterpretable by persons not authorized to access the personal data; or

◦ After the data processing incident the Controller took further actions to guarantee that the high risk affecting the data subject's rights and freedoms will presumably not take place in the future; or

◦ The notification would require disproportionate efforts, and in such a case the data subjects shall be notified through publicly disclosed information, or similar actions shall be taken to ensure that the data subjects are informed in a similarly effective manner.

5 Data security rules

All data must be protected through appropriate measures, with special regard to unauthorized access, modifications, transfer, disclosure, deletion or destruction as well as accidental destruction and damage, furthermore against becoming inaccessible due to a change in the applied technology.

When specifying and taking actions aimed at serving data security, the Company shall take into consideration the current technical development level. From among the several possible data processing solutions, the Company has to select the one that provides a higher protection level of personal data, unless it would represent a disproportionate difficulty for the Company.

With a view to enforce the data security rules, the required actions shall be taken for the security of personal data both processed manually as well as stored and processed on a computer.

The following basic principles must be taken into account when working out the specific security actions:

• Awareness: All users shall get acquainted with the security methods and procedures at least at a basic level in order to raise confidence in the IT systems.

• Responsibility: The responsibility of the IT system owners, the supporting staff and the data subject with regard to security shall be clear and unambiguous.

• Proportionality: The security levels and actions shall be appropriate for, and proportionate with the value of the protected systems and reliability requirements, with the costs of enhancing security as well as with the weight and the probability of potential damage arising from violating the security.

• Risk-proportionate security actions

• Timeliness: Security must be frequently reconsidered and updated according to the changes in the potential risks and consequences arising from violating the security. (Risk analysis – risk management)

• Integration: Coherent and integrated security approach is required with regard to all elements of an information system.

• Reaction ability: All participants shall cooperate in order to prevent the violation and the injury of security and to provide fast response to violation.

6 Managing physical danger sources

The physical protection system must be prepared for avoiding unauthorized access and the operators of the "infocommunication" infrastructure must be prepared for detecting and averting them as well as for preventing the unauthorized use of the devices.

The current anti-virus client is installed at each work station, and the periodical updates are downloaded and installed (with special regard to virus definitions).



7 Specific data processing actions

Website visitors

With regard to article 155 (4) of Act C of 2003, which says that "data may only be stored on subscribers' or users' electronic communications terminal devices, and data stored on such only accessed on the basis of the concerned user or subscriber's consent following clear and full scope - also extending to the purpose of data processing - information provision to them", the Controller provides the following information about the analytic devices used by it, i.e. cookies.

The Controller uses the following cookies for the following purposes:

Indispensable cookies

Such cookies are indispensable for proper website operation. Without accepting these cookies the Controller cannot guarantee the proper operation of the website and that the users will access all information searched by them. These cookies do not collect personal data from the data subjects or data that can be used for marketing purposes.

Indispensable cookies are e.g. the performance cookies that collect information as to whether the website is operating properly and whether there are errors in its operation. By indicating eventual errors they help the Controller to improve the website and they also indicate the most popular parts of the website.

Functionality cookies

These cookies provide for website appearance consistent with the data subject's needs and they remember the settings selected by the data subject (e.g.: colour, font size, layout).

The cookie also helps to improve the ergonomic design of the website, to make the website user-friendly and to enhance the visitors' online experience.

Management of Client data

Managing Client data means data processing carried out in order to provide the services of the Controller. The purpose of data processing is that the services of the Controller are provided effectively and contractually, by keeping proper contacts. In this case, the Controller will mainly store the data (name, address, phone number, e-mail address) of the contact person laid down in the contract or the order between the Controller and the Client in question. The legal basis of data processing is the fulfilment of the contract between the Controller and the Client.

The processed data are the personal data laid down in the contract between the Controller and the data subject, mainly the name, phone number, e-mail address, address at work of the contact person.

The Client data are accessed exclusively by the Controller's managing director as well as the Controller's associates and sub-contractors.

The Client data shall be processed confidentially, and the Client's personal data may not be accessed by persons other than those mentioned above.

The data may be processed until the date of contractual fulfilment or for 8 years based on Article 169 (2) of Act C of 2000 on Accounting.

Processing sub-contractor data

The purpose of data processing is to process data indispensable for keeping contacts with contracted sub-contractors. Data processing is based on the contract concluded by the Controller and the sub-contractor.

Scope of the processed data: personal data laid down in the contract between the Controller and the sub-contractor involved, mainly the name, phone number, e-mail address, address of the contact person.

The personal data of the sub-contractors may be accessed by the Company's management, its associates and the accountant in charge.

The data may be processed until the date of contractual fulfilment or for 8 years based on Article 169 (2) of Act C of 2000 on Accounting.

Processing employee data

When establishing employment, the employee provides the Controller with his/her personal data required for establishing employment, for exercising the employment-related rights and fulfilling the employment-related obligations. Apart from these data, the Controller shall not collect and not process employee data. The legal basis of personal data processing is the employee's consent and the Labour Code.

The processed personal data are as follows:

• Personal data specified in the act on the order of taxation,

• Personal data specified in the act on social insurance provisions and on their coverage,

• Personal data specified in the act on obligatory health insurance provisions.

The data may be accessed by the Controller's managing director and the accountant in charge.

If deemed necessary, the Controller may send its employees for an obligatory medical check-up every year. The medical aptitude document issued based on the check-up shall be delivered to the Controller but – apart from the employee's personal data – it may only feature information as to whether the employee is suitable or unsuitable for taking the job. Accordingly, the Controller shall not process any sensitive data on the employees either for the medical aptitude test or for other purposes.

The data are stored until the last day of the 6th calendar year following the year of termination of the employment, except where the legal regulations specify a longer period.





8 Closing provisions

This Policy shall enter into effect on the day following its approval by the Controller's managing director, the former privacy policy shall simultaneously become ineffective and its forms and sample declarations may not be used any further.

Budapest, 3 June 2019

Solovev Kirill Sergeevich, managing director

Bluck Kft.