Privacy Policy – IPMFlow.com

Effective Date: 2025.05.10.

1. Introduction

Trapshop Kft. (hereinafter: “Provider”, “Data Controller”) is committed to protecting the personal data of users (hereinafter: “User”, “Data Subject”) of the IPMFlow.com website (hereinafter: “Website” or “Service”). The purpose of this Privacy Policy (hereinafter: “Policy”) is to transparently and understandably inform Users about what personal data the Provider processes, for what purpose, on what legal basis, how long it stores them, who can access them, and what rights Users have in relation to data processing.

During data processing, the Provider acts in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR), and Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Info Act).

2. Data Controller’s details and contact information

Name: Trapshop Kft.
Registered Office: H-8797 Batyk, Fő utca 34.
Company Registration/Registration Number: 2009078346
Tax Number: 32050547-2-20
Representative: Havasi Balázs Archibald
E-mail: info@ipmflow.com

3. Definitions

Personal data: any information relating to an identified or identifiable natural person (‘data subject’).
Data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means (e.g., collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, restriction, erasure, destruction).
Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (in this case, Trapshop Kft.).
Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

4. Scope of personal data processed, purpose, legal basis and duration of data processing

The Provider processes personal data for the following purposes, on the following legal bases and under the following conditions:

4.1. Website Visit, Cookies

Purpose of data processing: Ensuring the functionality of the Website, improving user experience, analysing Website traffic, security measures.
Scope of data processed: IP address (anonymised in the case of Analytics), browser type, operating system, date and time of visit, pages viewed, cookie identifiers.
Legal basis for data processing:

• For essential (technically indispensable) cookies: Article 6(1)(f) of the GDPR (the Data Controller’s legitimate interest in ensuring the proper functioning of the website).
• For analytical, statistical cookies (e.g., Google Analytics): Article 6(1)(a) of the GDPR (the Data Subject’s consent, given via the cookie banner).
  Duration of data processing: Depending on the type of cookie, until the browser is closed (session cookies) or for a longer period (persistent cookies), but at most for the period specified in the cookie notice, or until consent is withdrawn.

Use of Google Analytics:

• This website uses Google Analytics, a web analytics service provided by Google Ireland Limited (“Google”). Google Analytics uses “cookies” to help analyse how the website is used.
• The information generated by the cookies about the User’s use of the website (including the anonymised IP address) may be transmitted to and stored by Google on servers, occasionally outside the European Economic Area (EEA) (e.g., USA). The Data Controller has activated IP anonymisation, so Google will truncate the User’s IP address within the EEA.
• The full IP address will only be transmitted to and truncated there in exceptional cases. Google will use this information on behalf of the Data Controller to evaluate the use of the Website, to compile reports on website activity, and to provide other services relating to website and internet usage.
• The IP address transmitted by Google Analytics will not be associated with any other data held by Google.
• The User can disable the storage of cookies through their browser settings. The User can prevent the collection and processing of data by Google by downloading and installing the Google Analytics opt-out browser add-on: https://tools.google.com/dlpage/gaoptout?hl=en
• More information about Google’s data processing practices can be found here: https://policies.google.com/privacy?hl=en

4.2. Registration and User Account Management

Purpose of data processing: User identification, creation and management of user accounts, enabling the provision of the Service, contacting the User regarding their account.
Scope of data processed: Name, email address, password (encrypted), registration date, last login date, IP address.
Legal basis for data processing: Article 6(1)(b) of the GDPR (creation and performance of a contract for the provision of the Service).
Duration of data processing: As long as the user account exists, or until the User requests the deletion of their account. After account deletion, data necessary for fulfilling legal obligations (e.g., accounting documents) will be retained for the period prescribed by law.

4.3. Provision of the Service (Use of IPMFlow Tools)

Purpose of data processing: Ensuring the operation of IPMFlow intelligent pest management tools (e.g., Risk Assessment module), processing data entered by the User, generating analyses and reports, including the provision of AI (Google Gemini) based functions.
Scope of data processed: Data provided by the User within the scope of the Service, particularly (but not limited to):

• Site data: Facility name, description, environmental risk factors (water, green areas, neighbours, waste), seasonal factors, general comments and measures.
• Location data: Location name, description, risk category, service intervals, list of potential pests, description of indicator system, quantity of traps, structural/hygiene/entry point risks, location-specific comments and measures.
• Assessment data: Assessment date, identified pest, type and description of hazard, probability and severity values, calculated risk level, proposed/implemented measures, assessment comments.
  Legal basis for data processing: Article 6(1)(b) of the GDPR (performance of a contract for the provision of the Service). By registering and using the service, the User accepts that the entered data will be processed by the Provider for the purpose of operating the service.

AI (Google Gemini) based data processing:

• Some functions of the Service (e.g., report generation) operate with the help of artificial intelligence (Google Gemini, via the OpenRouter API).
• Data entered by the User into the relevant modules (see “Scope of data processed” above) are transmitted to the Google Gemini service for processing (e.g., generating report text).
• The Data Controller ensures the secure storage and handling of API keys and other authentication data through appropriate technical measures.
• AI-generated results (e.g., reports) are stored in the Service’s system in association with the User’s account.
• The Data Controller declares that it does not use the data entered by the User to train its own AI models without the User’s explicit, prior consent. The data is transmitted to the Google Gemini API solely for the purpose of performing the requested operation (e.g., report generation). The processing of data received by Google via the API, including its possible use for the development of Google’s own services or the training of its models, is subject to Google’s current privacy policies and terms of service, about which the User can find information on Google’s platforms.
• Important: It is the User’s responsibility to ensure that the data entered into the Service does not contain unnecessary or unlawfully processed personal data (e.g., names of third-party employees if there is no appropriate legal basis for their processing).
• The legal basis for AI processing is also Article 6(1)(b) of the GDPR (performance of a contract), as AI functions are part of the ordered Service.
  Duration of data processing: For data entered by the User, as long as the user account is active, or until the User deletes the specific data (e.g., site, assessment) from the system. If the account is deleted, this data will also be deleted, unless a legal obligation (e.g., proof in case of a dispute) requires longer retention.

4.4. Subscription Management and Billing

Purpose of data processing: Managing subscription packages, collecting fees (in the future), billing, contacting regarding financial matters. (Currently, this purpose is of limited relevance during the trial period, but necessary for the future.)
Scope of data processed: Name, email address, subscription package details, transaction data (in the future), billing name and address, tax number (if necessary).
Legal basis for data processing: Article 6(1)(b) of the GDPR (performance of a contract) and (c) (fulfilment of a legal obligation, e.g., accounting law).
Duration of data processing: As long as the subscription exists, or for the retention period prescribed by accounting law (currently 8 years).

4.5. Newsletter, Direct Marketing (DM) Activities

Purpose of data processing: Sending electronic messages (e-mail) containing advertisements, promotions, information about new functions, products to subscribers.
Scope of data processed: Name, email address, subscription date, IP address at the time of subscription.
Legal basis for data processing: Article 6(1)(a) of the GDPR (the Data Subject’s voluntary, explicit consent), and Section 6(5) of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities.
Duration of data processing: Until consent is withdrawn (unsubscription), or until the newsletter service ceases.
Unsubscription: The User can unsubscribe from the newsletter at any time, free of charge and without restriction, by clicking the unsubscribe link in the newsletters or through the Data Controller’s contact details. After unsubscribing, the Data Controller will delete the User’s data from the newsletter database.

4.6. Contact, Customer Service

Purpose of data processing: Responding to inquiries from Users (e.g., email, phone, contact form), providing assistance, complaint handling.
Scope of data processed: Name, email address, phone number, subject and content of the inquiry, date, IP address (in case of a form).
Legal basis for data processing: Article 6(1)(a) of the GDPR (consent – by contacting), (b) (in case of an inquiry related to contract performance) or (f) (legitimate interest – responding to general interest).
Duration of data processing: Until the matter is resolved, or depending on the nature of the inquiry (e.g., in case of a complaint, for the retention period prescribed by law).

5. Use of Data Processors

The Data Controller uses data processors to provide the service and to fulfil its legal obligations. Data processors do not make independent decisions and are only entitled to act according to the contract concluded with the Data Controller and the instructions received.

Name	Activity	Privacy Policy
Rackhost Zrt.	Hosting the Website and related databases.
Billingo Technologies Zrt.	Online invoicing.	https://www.billingo.hu/adatkezelesi-tajekoztato
Stripe Payments Europe, Ltd.	Secure processing of online payments.	https://stripe.com/privacy
Bithuszárok Bt. (Listamester)	Sending newsletters to subscribers.	https://listamester.hu/felhasznalasi-feltetelek.php
Kutyavilág Kft.	Fulfilling the Data Controller’s accounting and tax obligations.
Google Ireland Limited (Google Analytics)	Creating website traffic statistics.	https://policies.google.com/privacy?hl=en
Google (Google Gemini service via OpenRouter)	Generating text content (e.g., reports) based on User-inputted data.	Google: https://policies.google.com/privacy?hl=en, OpenRouter: https://openrouter.ai/privacy

6. Data transfer to a third country

Personal data may be transferred to a so-called “third country” outside the European Economic Area (EEA) in the following cases:

• Google Analytics: During data processing by Google, data (anonymised IP address and browsing data) may be transferred to the USA. Google ensures the lawfulness of data transfers by applying Standard Contractual Clauses (SCCs).
• Google Gemini (OpenRouter API): When using AI functions, data entered by the User may be transferred to Google’s servers, which may also be located outside the EEA (e.g., USA). The Data Controller relies on the data protection guarantees and mechanisms provided by Google and OpenRouter (e.g., SCCs) to ensure the lawfulness of the data transfer.
  The Data Controller takes all reasonable steps to ensure that an adequate level of protection for personal data is provided during data transfers in accordance with GDPR requirements.

7. Data Security

The Data Controller implements appropriate technical and organisational measures to ensure a level of data security appropriate to the risk. Such measures include, among others:

• Regular updating and maintenance of the website and servers.
• Use of SSL encryption on the Website.
• Encrypted storage of passwords (hash).
• Restriction and management of access rights.
• Secure storage of API keys.
• Regular security backups.
• Incident management plan.

8. Rights of Data Subjects

The User (Data Subject) has the following rights in relation to data processing:

• Right of access: You can request information on whether the processing of your personal data is ongoing, and if so, you can access the processed data and details of the processing.
• Right to rectification: You can request the correction of inaccurate personal data or the completion of incomplete data.
• Right to erasure (“right to be forgotten”): You can request the erasure of your personal data if it is no longer needed for the purpose for which it was collected, if you withdraw your consent (and there is no other legal basis), if you object to the processing (and there are no overriding legitimate grounds), if the data has been unlawfully processed, or if it must be erased due to a legal obligation.
• Right to restriction of processing: You can request the restriction of processing if you contest the accuracy of the data, if the processing is unlawful but you oppose erasure, if the Data Controller no longer needs the data but the Data Subject requires it for legal claims, or if you have objected to processing (pending verification).
• Right to data portability: You are entitled to receive the personal data concerning you, which you have provided to the Data Controller, in a structured, commonly used and machine-readable format, and to transmit this data to another data controller (if the processing is based on consent or contract and is carried out by automated means).
• Right to object: You can object to the processing of your personal data if the processing is based on legitimate interest (Article 6(1)(f) of the GDPR) or public authority, including profiling. You can also object to data processing for direct marketing purposes.
• Right to withdraw consent: If data processing is based on consent (e.g., newsletter, analytical cookies), you can withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
• Right to lodge a complaint: If you believe that the processing of your personal data infringes GDPR requirements, you can lodge a complaint with a supervisory authority.

Hungarian supervisory authority:
National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1363 Budapest, Pf. 9.
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu

9. Exercising rights

The Data Subject can submit requests related to their rights listed in section 8 via the following contact details:

• By e-mail: info@ipmflow.com
• By post: Trapshop Kft., H-8797 Batyk, Fő utca 34.
  The Data Controller will inform the Data Subject of the measures taken within one month of receiving the request at the latest. If necessary, this deadline may be extended by a further two months, taking into account the complexity of the request and the number of requests. The Data Controller will inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

10. Protection of children’s personal data

The Service is not directed at persons under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a person under 16 without verification of parental consent, we will take the necessary steps to delete the data.

11. Amendment of the Policy

The Data Controller reserves the right to unilaterally amend this Privacy Policy. Users will be notified of amendments via the updated Policy published on the Website and, if necessary, by e-mail. We recommend that you regularly check the current version of the Policy.