Privacy Notice

PDS Hungary Kft. (Tarifize) - Version 1.0

Effective Date: June 1, 2026
Last Updated: June 1, 2026

This Privacy Notice explains how PDS Hungary Kft. (“Tarifize”, “we”, “us”, or “our”) as the provider of the “Tarifize” software and website (“Service” or “Service Platform”) collects, uses, shares, and protects personal data when you interact with our website, platform, and services as a business customer, prospective customer, or site visitor.
We provide this information to ensure full transparency and compliance with Regulation (EU) 2016/679 (“GDPR”) and Act CXII of 2011 on the Right to Informational Self-Determination and on Freedom of Information (“Infotv.”).
We believe it is essential that you clearly understand what happens to your data and what choices and rights you have before using our services. Please read this notice carefully, and feel free to contact us with any questions.

1. Who We Are and How to Contact Us

PDS Hungary Kft. is the data controller for the personal data described in this Privacy Notice.
• Registered name: PDS Hungary Kft.
• Registered seat: 1052 Budapest, Deák Ferenc tér 3 MEYER LEVINSON emelet, Hungary
• Company registration number: 01-09-441819
• Privacy contact email: jozsef.dulai@tarifize.com
• Website: https://www.tarifize.com
If you have questions about this Privacy Notice or wish to exercise your data subject rights, please contact us at jozsef.dulai@tarifize.com.

2. When We Act as Controller vs. Processor

As Controller: We act as data controller when we process personal data for our own business purposes, such as managing your account, billing, marketing, website analytics, sales/CRM activities, security logging, and customer support. This Privacy Notice covers these controller activities.
As Processor: When you use the Service Platform to process customs documents and related data, we act as a data processor on your behalf. In that role, we process personal data only according to your documented instructions. The terms of that processing relationship are governed by our Data Processing Addendum (DPA), which forms part of the Terms & Conditions and/or Software License Agreement. This Privacy Notice does not cover processing we perform as a processor. Please refer to the DPA for those details.

3. Categories of Personal Data We Collect

As controller, we may collect and process the following categories of personal data:
• Account and identity data: name, job title, company name, business email address, phone number, login credentials (hashed passwords).
• Billing and payment data: billing address, VAT number, payment card details (processed via third-party payment provider; we do not store full card numbers), invoice history.
• Communications data: emails, support tickets, chat logs, call records relating to customer support or sales inquiries.
• Usage and technical data: IP address, browser type and version, device identifiers, operating system, login timestamps, pages visited, features used, session duration.
• Cookie and analytics data: data collected through cookies and similar technologies (see Section 13).
• Sales and CRM data: interaction history, meeting notes, proposal records, pipeline status.
• Security and compliance data: access logs, authentication records, security event data, fraud prevention indicators.
• Marketing data: marketing preferences, newsletter subscription status, event attendance records, content download history.

4. Purposes and Legal Bases for Processing

We process personal data only where we have a valid legal basis. The table in Appendix A provides a detailed matrix. In summary:
4.1. Performance of a Contract (Article 6(1)(b) GDPR)
• Creating and managing your Service account and subscription.
• Providing, maintaining, and improving the Service.
• Processing billing and payments.
• Providing customer support.
• Communicating service-related notices (e.g., maintenance, security alerts).
4.2. Compliance with Legal Obligations (Article 6(1)(c) GDPR)
• Maintaining accounting and tax records.
• Responding to lawful requests from regulatory or judicial authorities.
• Fulfilling anti-money laundering (AML) or sanctions-screening obligations where applicable.
4.3. Legitimate Interests (Article 6(1)(f) GDPR)
We rely on legitimate interests where we have conducted a balancing test and determined that our interests do not override your fundamental rights and freedoms. Our legitimate interests include:
• Security monitoring and fraud prevention (interest: protecting our platform and all users; balance: limited to necessary security data, access restricted, regular review).
• Product analytics and service improvement using aggregated/pseudonymised data (interest: improving service quality; balance: data minimised and pseudonymised where feasible).
• Sales outreach and relationship management with existing or prospective B2B contacts (interest: growing and maintaining customer relationships; balance: limited to business contact data, opt-out always available).
• Enforcing our Terms and protecting our intellectual property.
You may object to processing based on legitimate interests at any time (see Section 10).
4.4. Consent (Article 6(1)(a) GDPR)
• Sending marketing communications (newsletters, product updates, event invitations) where consent is required.
• Setting non-essential cookies and similar tracking technologies.
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

5. AI-Specific Transparency

Tarifize uses artificial intelligence and machine-learning technologies to provide customs tariff classification and related services.
EU AI Act Compliance & Transparency: We design and operate the system in alignment with the EU AI Act requirements, including transparency obligations. Users are hereby explicitly informed that they are interacting with an AI-driven system when utilizing our classification and extraction tools.
Human-in-the-Loop Framework (GDPR Article 22 Alignment): The Service Platform functions strictly as an AI-assisted decision support tool. The software generates automated classification recommendations, but all final tariff codes and customs data must be explicitly reviewed, verified, and approved by a human user (e.g., the customer's customs broker). The platform does not perform fully automated decision-making that produces legal or similarly significant effects under Article 22 of the GDPR without human intervention.
No training on personal data as Controller: In our capacity as data controller, we do not use your personal data (or the personal data of any Data Subject) to train, fine-tune, or improve our AI/ML models. Model training, where performed, uses only properly licensed, anonymised, or synthetic datasets.
Non-personal telemetry and benchmarking: We may use non-personal, aggregated, or anonymised telemetry data derived from platform usage for benchmarking, statistical analysis, and product improvement. Since this data is completely anonymised and cannot identify you or any individual, the Processor retains an unrestricted, perpetual right to use it for product development, and no opt-out is available, as authorized under the Main Agreement and the DPA.
Processor role and AI: When we process personal data on your behalf as a data processor (inside the Service), the Data Processing Addendum (DPA) governs all AI-related processing operations. In particular, we do not use Controller-controlled personal data to train our models without the Controller’s explicit, documented instructions.

6. Sources of Personal Data

We obtain personal data from the following sources:
• Directly from you: when you register, subscribe, contact support, attend events, or interact with our website.
• From your organization: your employer or organisation may provide your business contact details when setting up an account.
• Automatically: through cookies, server logs, and analytics tools when you use our website or Service.
• Third-party sources: business contact databases, publicly available company registries, referral partners, and marketing platforms (always limited to business contact data).

7. Recipients and Categories of Recipients

We may share personal data with the following categories of recipients, strictly on a need-to-know basis:
• Group companies: affiliates of the Controller for internal administration and shared services.
• Cloud infrastructure providers: hosting, compute, and storage (EU-based data centres).
• Payment processors: for billing and subscription management.
• CRM and sales tools: for managing customer relationships and communications.
• Email and communication providers: for transactional and marketing emails.
• Analytics providers: for website analytics (anonymised/pseudonymised where possible).
• Professional advisors: legal, accounting, and audit firms, under professional confidentiality obligations.
• Regulatory authorities: where required by law.
All third-party recipients are bound by data processing agreements and/or equivalent contractual safeguards. A list of current Sub-processors is available at the Service Platform and may be requested from jozsef.dulai@tarifize.com.

8. International Transfers of Personal Data

We primarily store and process personal data within the European Economic Area (EEA). Where a transfer of personal data to a country outside the EEA is necessary, we ensure that appropriate safeguards are in place:
• Adequacy decisions: transfers to countries for which the European Commission has issued an adequacy decision require no further safeguards.
• Standard Contractual Clauses (SCCs): where no adequacy decision applies, we use EU SCCs (Module 2: Controller to Processor, or Module 1: Controller to Controller, as applicable) approved by Implementing Decision (EU) 2021/914.
• Transfer Impact Assessments (TIA): prior to relying on SCCs, we conduct and document a TIA to evaluate the legal framework of the recipient country and implement supplementary measures where necessary.
You may request a copy of any relevant TIA or SCC documentation by contacting jozsef.dulai@tarifize.com. Copies may be redacted to protect commercially sensitive or third-party confidential information that does not affect the data protection assessment.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The following are our standard retention periods:

Data Category

Retention Period

Rationale

Account data

Duration of subscription + 90 days post-termination

Contract performance; deletion per DPA Section 14

Billing/invoicing records

8 years from transaction date

Hungarian tax and accounting law (Act C of 2000)

Support communications

3 years from resolution

Legitimate interest (quality/disputes)

Security/access logs

12 months (rolling)

Security monitoring; regulatory compliance

Marketing data (consented)

Until consent withdrawal + 30 days processing

Consent-based; suppression list retained indefinitely

Cookie/analytics data

As specified in Cookie Notice (max 13 months)

Consent / legitimate interest

CRM/sales data

Duration of relationship + 3 years

Legitimate interest (follow-up)

AI processing logs (controller)

12 months

Auditability and compliance; fully anonymized or deleted upon expiry.

Upon termination of the Main Agreement, personal data processed in the Service (processor role) will be deleted or returned in accordance with the DPA: active systems within 90 calendar days, and backups will be overwritten in accordance with our standard backup retention and rotation cycles. A deletion certificate is available on request.

10. Your Rights and How to Exercise Them

Under the GDPR, you have the following rights in relation to your personal data:
• Right of access (Article 15): obtain confirmation of whether we process your data and request a copy.
• Right to rectification (Article 16): have inaccurate data corrected.
• Right to erasure (Article 17): request deletion where processing is no longer necessary.
• Right to restriction (Article 18): restrict processing in certain circumstances.
• Right to data portability (Article 20): receive your data in a structured, commonly used, machine-readable format.
• Right to object (Article 21): object to processing based on legitimate interests or direct marketing.
• Right to withdraw consent (Article 7(3)): withdraw consent at any time without affecting prior lawful processing.
• Right not to be subject to automated decision-making (Article 22): not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
How to exercise your rights: Submit your request to jozsef.dulai@tarifize.com. We will respond within one (1) month of receipt. This period may be extended by two further months where necessary, considering the complexity and number of requests. We will inform you of any such extension within the first month.
Identity verification: We may ask you to verify your identity before processing your request, to protect against unauthorised access.
Fees: Exercising your rights is free of charge. However, we may charge a reasonable fee or refuse to act where requests are manifestly unfounded or excessive (particularly if repetitive).

11. Right to Lodge a Complaint

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent authority for Hungary is:
Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
• Address: 1055 Budapest, Falk Miksa utca 9-11., Hungary
• Phone: +36 (1) 391-1400
• Email: ugyfelszolgalat@naih.hu
• Website: https://www.naih.hu
Judicial Remedy: You are also entitled to bring legal proceedings against the Controller before a court. In Hungary, such lawsuits fall under the jurisdiction of the Regional Courts (Törvényszék). You may choose to initiate this legal action either before the Budapest Regional Court (Fővárosi Törvényszék), which has jurisdiction over the registered seat of PDS Hungary Kft., or before the Regional Court competent for your own place of residence or temporary stay. You can find the list and jurisdiction areas of the Hungarian Regional Courts on the official website: https://birosag.hu/birosag-kereso.
We encourage you to contact us first at jozsef.dulai@tarifize.com so that we can attempt to resolve your concern before you escalate to a supervisory authority.

12. Security of Personal Data

We implement appropriate technical and organisational measures in accordance with Article 32 GDPR to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Key measures include:
• Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
• Role-based access control with multi-factor authentication for privileged access.
• Centralised logging and real-time security monitoring.
• Regular vulnerability scanning and annual penetration testing.
• Data segregation between tenants at application and database layers.
• Regular backups with tested disaster recovery procedures.
• Personnel confidentiality agreements and annual security awareness training.
• Secure software development lifecycle (SDLC) with code review and security testing.
For a complete description of our Technical and Organisational Measures, please refer to Annex II of the Data Processing Addendum.

13. Cookies and Similar Technologies

Our website uses cookies and similar tracking technologies. We categorise cookies as follows:
• Strictly necessary cookies: required for the website to function (e.g., session management, security). No consent required.
• Analytics cookies: help us understand how visitors use our website. Set only with your consent.
• Marketing/advertising cookies: used to deliver relevant advertising and track campaign effectiveness. Set only with your consent.
• Functional cookies: enable enhanced functionality and personalisation. Set only with your consent.
You can manage your cookie preferences at any time through our Cookie Consent tool available on the website. For full details, please refer to our separate Cookie Notice, accessible via the website footer.

14. Marketing Communications

Where you have given consent (or where we are permitted under applicable law to contact existing customers about similar products), we may send you marketing communications about Tarifize products, features, events, and industry insights.
Unsubscribe: Every marketing email contains an unsubscribe link. You may also email jozsef.dulai@tarifize.com at any time to opt out.
Right to object: You have the right to object to direct marketing at any time (Article 21(2) GDPR). Upon objection, we will cease processing your data for direct marketing purposes without undue delay.
Opting out of marketing does not affect service-related communications (e.g., security alerts, billing notices, contractual updates).

15. Children

Our Service is a B2B platform designed for use by business professionals. We do not knowingly collect personal data from individuals under the age of 16. If we become aware that we have inadvertently collected data from a child, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact jozsef.dulai@tarifize.com.

16. Changes to This Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. When we make material changes, we will:
• update the version number and effective date at the top of this document;
• notify you via email or prominent notice on our website at least fourteen (14) days before the changes take effect (for material changes); and
• maintain a change log (see below) for transparency.
Your continued use of the Service after the effective date of an updated Privacy Notice indicates that you have read and understood the updated Privacy Notice.

Change Log

  • Version: v1.0
  • Date: June 1, 2026
  • Summary of Changes: Initial version.

17. Contact Details

For any questions, concerns, or requests relating to this Privacy Notice or your personal data, please contact us:
• Email: jozsef.dulai@tarifize.com
• Postal address: PDS Hungary Kft., 1052 Budapest, Deák Ferenc tér 3., Hungary
• Subject line (recommended): “Privacy Inquiry” or “Data Subject Request”