
Key Points (Summary)
Who We Are: Adhoc Support CIC (Company No. 16306685) is a UK Community Interest Company based in Preston, UK, providing support services via our websites (adhocsupport.org and hu.adhocsupport.org). We are the Data Controller for all personal data we collect. Our Data Protection Officer (DPO) is Mr Geza Koczian – you can reach him at dataprotection@adhocsupport.org for any privacy queries or requests.
Legal Compliance: We abide by UK GDPR (UK Data Protection Act 2018) and EU GDPR (Regulation (EU) 2016/679), as well as Hungary’s Info Act CXII of 2011 on informational self-determination. This means we follow strict data protection principles and individuals’ rights as required by law in the UK and EU. The UK Information Commissioner’s Office (ICO), the European Data Protection Board (EDPB), and the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) are the regulators overseeing our compliance.
Data We Collect: We do not collect any special category (sensitive) data like race, health, or religion. We only collect what is necessary, including information you provide on our forms (such as name, contact details, e-signature, etc.) and technical data like your IP address and approximate geolocation (derived from IP). We use a self-hosted e-signature platform (WP E-Signature by ApproveMe) – all data related to electronic signatures stays on our own servers and is not sent to any third party. We do not use your data for profiling or automated decision-making – no algorithms are analyzing your personal aspects, and no decisions are made about you without human involvement.
How and Why We Use Data: We only use your personal data for specified, explicit purposes, such as responding to your inquiries, providing the support or services you requested, processing electronic signatures on documents you sign, ensuring the security of our website, and meeting our legal obligations. We never sell or share your data for marketing. The legal bases for our processing are:
- Your consent – e.g. when you tick a box agreeing to our terms on a form (consent is always freely given, informed, specific and unambiguous, and you can withdraw it any time).
- Contractual necessity – to perform a contract or service you request (e.g. using your details to provide support or honor an agreement you sign, per Article 6(1)(b) GDPR and the 6 key principles of the GDPR).
- Legal obligation – to comply with laws (e.g. retaining records for accounting or audit as required by company and tax laws).
- Legitimate interests – for our internal needs like website security, fraud prevention, and technical audits (we only rely on this when it does not override your rights, per Article 6(1)(f) GDPR). For example, logging IP addresses to prevent abuse is recognized as a legitimate interest.
Data Storage & Security: All personal data is stored on secure servers in Germany (Hetzner data center in Falkenstein). We do not use any external cloud services or processors for personal data – no third party has your data, and even our e-signature tool is hosted by us. Our server provider is ISO 27001 certified for information security, and we implement strong security measures (encryption, firewalls, access controls, etc.) in line with GDPR Article 32 to prevent unauthorized access, loss or breach. Only a minimal number of authorized Adhoc Support staff can access personal data, and all access is logged and restricted.
No International Data Transfers: Your data stays within the European Economic Area (EEA) and the UK. Our servers are in the EEA (Germany), and we operate from the UK and Hungary – we do not transfer personal data outside the UK/EEA. There are currently no transfers to any countries lacking adequate data protection. If that ever changes, we will ensure compliance with GDPR transfer mechanisms and inform you.
Data Retention: We keep personal data only for as long as necessary for the purposes we collected it, and as required by law. We have a detailed retention schedule (see below) and routinely delete or anonymise data that is no longer needed. For example, support inquiry data is kept only for a limited time after resolving your request, and web server logs are retained briefly for security analysis. Some records must be kept longer by law – for instance, we retain financial and accounting records for 8 years to meet statutory requirements (UK companies must keep records at least 6 years, and Hungarian law requires 8 years for accounting documents). After the retention period, data is securely erased or permanently anonymized.
Your Rights: You have extensive rights under GDPR and the Info Act. These include the right to be informed about how we use your data (that’s the purpose of this Policy), right of access (to get a copy of your data), right to rectification (to correct inaccuracies), right to erasure (to delete data, “the right to be forgotten”), right to restrict processing, right to object (especially to any processing based on legitimate interests), and right to data portability (to receive your data in a common format). You also have the right to withdraw consent at any time where we rely on consent, and the right not to be subject to automated decisions or profiling – which, as noted, we do not carry out. We explain how to exercise these rights later in this policy. These rights apply to all users – UK, EU, and Hungarian users alike.
Contact & Complaints: If you have any questions or wish to exercise your rights, please contact our DPO, Mr Geza Koczian, at dataprotection@adhocsupport.org. We will respond promptly. If you believe we have not addressed your concerns, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO), and in Hungary it is the NAIH (Nemzeti Adatvédelmi és Információszabadság Hatóság). We encourage you to contact us first, but you can go directly to these regulators for assistance.
Below is our Privacy Policy and Data Retention Policy in full, with detailed explanations and legal references for transparency.
1. Introduction and Scope
This document sets out the Privacy Policy and Data Retention Policy for Adhoc Support CIC, referred to as “we” or “us”. Adhoc Support CIC is a UK Community Interest Company (company number 16306685), registered at Unit A30 Longridge Road, Ribbleton, Preston, England, PR2 5NA. We operate the websites adhocsupport.org (English) and hu.adhocsupport.org (Hungarian). This policy applies to all personal data processed by Adhoc Support CIC in connection with our services, whether you interact with us via our UK or Hungarian website.
Data Controller: For the purposes of data protection law, Adhoc Support CIC is the “data controller” of your personal data. This means we determine how and why personal data is processed. We have appointed a Data Protection Officer, Mr Geza Koczian, to oversee our privacy compliance. If you have any questions about this policy or your personal data, you can contact him at dataprotection@adhocsupport.org.
EU Representative (in accordance with Article 27 of the EU GDPR): As we are a UK-based company providing services to individuals within the European Union, we have appointed an official representative in the EU to act as our point of contact for data protection matters. If you are within the EU, you may contact our EU Representative with any questions or to exercise your data protection rights. Our appointed EU Representative is Mr. Zoltan Petrasovits. You can contact him via our Data Protection Officer at dataprotection@adhocsupport.org (please state that your query is for the attention of the EU Representative).
Regulatory Registration and Accountability: Adhoc Support CIC is registered as a data controller with the UK Information Commissioner’s Office (ICO) under registration number ZB910118. Our primary technology provider, WebshopCompany Ltd., is also a registered data controller with the ICO under number ZB303099. This public registration underscores our commitment to accountability and compliance with UK data protection law.
Regulatory Compliance: We are committed to protecting your privacy in line with all applicable laws:
- In the UK, we comply with the UK General Data Protection Regulation (UK GDPR) as incorporated in the Data Protection Act 2018.
- In the European Union (for our EU-based users and operations), we comply with the EU GDPR (Regulation (EU) 2016/679).
- In Hungary, we additionally adhere to the provisions of Act CXII of 2011 (the “Info Act”) on the Right of Informational Self-Determination and Freedom of Information, which is Hungary’s implementation of GDPR.
This policy is designed to meet the requirements of all the above laws. Terms like “personal data”, “processing”, “controller”, etc., have the same meanings as defined in the GDPR and the Info Act. We will reference specific legal provisions (Articles and Sections) throughout this policy to show our compliance obligations (for example, you will see references such as Article 5(1)(e) UK GDPR or Section 2 of the Info Act). We also take into account guidance from regulatory bodies such as the UK Information Commissioner’s Office (ICO), the European Data Protection Board (EDPB), and the Hungarian NAIH in interpreting these laws.
By using our websites or services, or by providing your personal data to us, you acknowledge that you have been informed of this Privacy Policy. We may provide additional privacy notices on specific forms or services (for example, a short notice on a contact form or e-signature form) – those are intended to summarize key points of this full policy and obtain any necessary consent.
2. What Data We Collect
We practice data minimisation: we only collect personal data that we truly need for the purposes stated. Below we describe the categories of data we collect, with examples of specific data fields, and explain the purpose and legal basis for each.
2.1 Data You Provide Directly
These are details you knowingly provide to us, typically via forms on our sites or through correspondence:
- Contact and Identity Information: When you fill out a support request form, contact us via email, or register for an account/service (if applicable), we may collect your name, email address, phone number, postal address, or other contact details. We use this information to communicate with you and to provide the support or service you requested. Legal basis: Usually performance of a contract or pre-contractual steps (Article 6(1)(b) GDPR) – for example, if you ask us to assist you or sign up for a service, we need to use your contact details to respond or deliver that service. In cases where no formal contract applies (e.g. general inquiries), we rely on our legitimate interest in responding to you (Article 6(1)(f)), as you would reasonably expect us to use your information to reply. In some instances, we may ask for your consent (Article 6(1)(a)) for optional activities, such as subscribing to a newsletter (we will always make such consent optional and you can withdraw it anytime).
- Form Submission Details: If you submit information through our online forms to initiate a complaint or request support, we collect the data you enter into the form. We use this to evaluate and action your specific request. Legal basis: The processing of this data is necessary for the performance of a contract (Article 6(1)(b) GDPR), as you are requesting us to provide you with our complaint resolution service. Where a form includes an option for a non-essential activity (e.g., to receive future updates), we will rely on your explicit consent for that specific purpose, ensuring it is freely given, specific, informed and unambiguous.
- Electronic Signature Data: We provide electronic document signing through our website (using the WP E-Signature by ApproveMe plugin) in compliance with the UK Electronic Identification and Trust Services Regulation (2019 Exit Regulations) and the EU eIDAS Regulation (EU) No 910/2014. When you electronically sign a document with us, we collect and securely store your signature (image or cryptographic data), your name and email as signer, the date/time of signing, your IP address at the time of signing, and other technical metadata (such as browser/device info and unique entry/document ID). We generate a full audit trail for every signature to establish authenticity and integrity, providing legal evidence that you signed it. Before signing, you must provide verifiable identity information (e.g. name and email), and your explicit consent to the process is always required. Where necessary, we may use additional security steps (such as unique links or authentication codes) to confirm your identity. All e-signature data is encrypted and stored securely for as long as needed to prove validity and resolve any disputes. Access is strictly limited to authorised staff, all access is logged and audited, and our e-signature processes are reviewed at least annually and after any legal or system changes to ensure continued compliance with UK and EU law. The DPO oversees these processes and reports any significant findings to management. Your signature data is never used for any purpose other than legal validation, compliance, and record-keeping. Legal basis: Signing a document is typically part of fulfilling a contract (Article 6(1)(b)), or it may be done with your explicit consent for that process (Article 6(1)(a)). The collection of audit trail information (like IP) for e-signatures is in our legitimate interest and often a legal necessity for compliance (e.g., to ensure the signature is legally binding and to prevent fraud). 
Rest assured, this data is only used for verification and record-keeping related to your signature; we do not use it for any other purposes.
2.2 Data Collected Automatically (Technical Information)
When you use our websites or services, certain data is collected automatically by our systems for security, technical, and analytical purposes. This includes:
IP Address: Whenever you interact with our site (e.g., submit a form or sign a document), our server logs your device’s IP address. An IP address can identify the approximate location of a device and is considered personal data under GDPR. We use IP addresses strictly for security and fraud prevention, such as detecting multiple submissions, preventing abuse of our services, or investigating suspicious activities. Legal basis: Legitimate interests (Article 6(1)(f) GDPR). We have a legitimate interest in protecting our services from malicious or fraudulent activity, and processing IP addresses is necessary to that end. GDPR Recital 49 explicitly recognizes that processing personal data for network and information security constitutes a legitimate interest of the data controller. Importantly, we do not use IP addresses to profile you or determine your identity – the use is purely defensive and technical.
Geolocation (Derived from IP): We may derive an approximate geographic location from your IP address (known as “entry_geolocation” in our system). This is typically limited to city or country level. We do this to understand where our services are being accessed from (for example, to display the website in the correct language or to comply with region-specific legal requirements). Legal basis: Legitimate interests (Article 6(1)(f)), as this information helps us provide an appropriate service (e.g., our Hungarian site to Hungarian users) and guard against fraud (unusual locations can indicate unauthorized access). This geolocation data is not precise and not used to profile you – we do not track your movements or exact address, it’s only used at session time for the above purposes.
Form and System Metadata: Our web forms and e-signature system generate certain metadata for each entry:
- A form ID or entry ID (form_id) to uniquely identify the submission or document in our database.
- Timestamps (date and time) of when you submitted a form or signed a document.
- User agent information (user_meta), which can include technical details like your browser type, operating system, and device, as well as possibly a session identifier. This is standard information that web browsers send to servers.
We collect this metadata to maintain an audit trail and troubleshoot any technical issues. For example, knowing the browser version can help us replicate and fix a bug you encountered; the timestamp is crucial for record-keeping; the unique ID helps us retrieve your submission if you have questions. Legal basis: Legitimate interests (Article 6(1)(f)), as these background data points are necessary for the reliable operation of our service and security auditing. Collecting such metadata has a very limited privacy impact and is an expected part of using any online service (most users reasonably expect that a service will log basic technical info). We ensure this data is only used internally and only for technical purposes – never for marketing or profiling.
Cookies and Similar Technologies: Our websites use only essential cookies. We do not use any advertising or tracking cookies. The essential cookies (if any) might include session cookies to keep you logged in or remember your preferences as you navigate the site. Any such cookies are strictly necessary for the function of the site, and our legal basis for using them is legitimate interest. For more information, see our Cookie Policy.
2.3 Data We Do Not Collect
Children’s Data
Our services are strictly intended for adults aged 18 and over. We do not knowingly collect, process, or retain personal data from children, in line with GDPR Article 8 (p.37) and the EDPB Guidelines (Section 7.1, pp.25–30). To ensure this:
- Age Verification: All forms and interactions require users to actively confirm that they are over 18 before proceeding. Registration, account creation, or access to our services by anyone under 18 is strictly prohibited. Any attempted registration by a person stating an age under 18 will be rejected and not processed.
- Parental Consent: As we do not permit children to use our services or register, we do not process children’s data and do not seek parental consent. If, despite these controls, we inadvertently receive data from a child, we will delete it immediately and, where possible, notify the parent or guardian.
- Data Minimisation: We do not design, market, or structure our services to attract or retain children’s data. Any accidental collection of children’s data is minimised by default and such data is not retained or processed for any purpose.
- Transparency: We provide a clear, prominent notice in all relevant forms and privacy information that our services are for adults only and that no children’s data is knowingly collected. Our privacy policy and consent language are written in clear, plain language, and we make it easy for parents/guardians to contact us to request deletion.
- Ongoing Monitoring: We regularly review registration and usage data to ensure compliance with this policy and applicable laws. Our DPO reviews these controls at least annually and after any changes in law, technology, or our services. Any incidents involving accidental receipt of children’s data are logged and reviewed for continual improvement.
If you are a parent or guardian and believe your child has provided personal data to us, please contact us at dataprotection@adhocsupport.org and we will promptly remove all such data.
We also do not collect special category personal data (also known as sensitive data) unless you voluntarily provide it and it is necessary for a specific service (which is very unlikely in our context). Special category data includes details like your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health information, biometric or genetic data, and sexual orientation. We have no need for such data in our normal operations, and we actively avoid collecting it. Please refrain from providing any sensitive personal information in any support requests or documents you submit to us. In the rare case that you do provide us such information (e.g., you mention health or other sensitive details in a support request), we will treat it with extra care and security. Unless we have a clear legal basis to retain it (such as your explicit consent or a legal requirement), we will delete sensitive information from our records.
Finally, as stated in the summary, we do not engage in any automated decision-making or profiling with your personal data. Profiling means analyzing or predicting aspects of your behavior, preferences, or personality (GDPR Article 4(4)), and automated decision-making means making a decision solely by automated means without human involvement (Article 22). We confirm that all decisions involving your data (if any) – such as approving support, evaluating requests, etc. – involve human review. You will not be subject to decisions with legal or significant effects based solely on algorithms.
3. How We Use Your Data (Purposes and Legal Bases)
Under data protection laws, we must have a valid lawful basis for each use of your personal data and we must use the data for specific, explicit and legitimate purposes (GDPR Articles 5(1)(a)-(b) and 6). We have already alluded to the purposes and bases in Section 2, but here we consolidate them to be clear:
3.1 Legitimate Interest Assessment (LIA)
As required by Article 6(1)(f) of the GDPR, Adhoc Support CIC sometimes processes your personal data where it is necessary for the purposes of legitimate interests pursued by us or a third party, provided that such interests are not overridden by your rights and freedoms. This sub-section sets out our approach to identifying, documenting, and regularly reviewing these legitimate interests in accordance with the UK ICO’s Legitimate Interests Guidance and relevant EDPB Guidelines (2/2019 and 05/2020).
Identification of Legitimate Interests
We pursue legitimate interests such as:
- Service operation and communications
- Security and fraud prevention
- Audit trails for e-signatures and transactions
- Improvement of services
- Enforcement and legal rights (See details in subsequent sections.)
Our LIA Process:
For each use of data based on legitimate interests, we document a three-part assessment:
- Purpose Test: Is there a genuine, lawful, and clearly articulated legitimate interest?
- Necessity Test: Is the processing necessary for this purpose, and is there no less intrusive way?
- Balancing Test: Do your rights, freedoms, and reasonable expectations override our interest? This includes special safeguards and a stricter test for children and vulnerable individuals (EDPB Guidelines, Section 7.1, pp.25–30).
A summary of each balancing test and its outcome is recorded and available on request. High-level outcomes are provided in this policy.
Review and Oversight:
- LIA assessments are reviewed at least annually, or sooner if the nature or purpose of the processing changes.
- The DPO (Geza Koczian) oversees the LIA process, advises on necessity and proportionality, and ensures compliance with the ICO Accountability Framework.
Transparency and Your Rights:
- We inform you here and at the point of data collection about processing based on legitimate interests.
- You may object to any processing based on legitimate interests at any time (GDPR Article 21).
- We will stop processing for that purpose unless we demonstrate compelling legitimate grounds or the processing is for legal claims.
Roles and Responsibilities:
- DPO (Geza Koczian): Oversees LIA, maintains records, reviews outcomes.
- Senior management: Ensures LIAs are performed before new processing under legitimate interests.
- Staff: Must consult the DPO if processing may require an LIA.
The following explains the specific ways in which we use your personal data and the corresponding legal bases for each processing activity. Where we rely on legitimate interests as the lawful basis, this is always subject to the Legitimate Interest Assessment (LIA) framework described above.
Providing Services and Support: The main reason we collect data is to provide the services or assistance you have requested from us. This includes responding to inquiries, providing ad-hoc support or consulting, facilitating transactions or agreements, and delivering any other services described on our sites. Legal bases: Contract (Article 6(1)(b)) – if you are our client or user requesting a service, using your data is necessary to perform our contract with you or to take pre-contract steps at your request. Where no contract exists (for example, you ask a question via the contact form without any payment or formal agreement), we rely on legitimate interest (Article 6(1)(f)) to use your data in order to reply, since it’s beneficial to both you and us to communicate in this context, and you would expect this use. In some cases, we may also rely on consent (Article 6(1)(a)), especially if you filled in a general form explicitly consenting to our use of your details to contact you.
Electronic Contracting (E-Signatures): If you participate in an electronic signing of a document through our platform, we use your personal data to facilitate and record that signing. This is part of delivering a contractual service (e.g., signing an agreement or form that is necessary for the service). Legal bases: Contract (6(1)(b)) – carrying out the signing process you’ve agreed to. In addition, maintaining the audit trail and verification data (name, IP, timestamp, etc.) is in our legitimate interest (6(1)(f)) and often a legal obligation to ensure the signed document is valid in case of any disputes. For instance, to comply with electronic signature laws and standards, we must retain evidence of the signing process.
Communication and Notifications: We may use your contact information to send you administrative communications – for example, to confirm we received your request, to update you on the status of a support ticket, or to inform you of changes to our terms or policies. These communications are not marketing; they are necessary for customer service and legal compliance (e.g., informing you about privacy policy updates). Legal bases: Legitimate interest for customer service communications (as it’s important we keep you informed about your requests), and legal obligation for certain notices (for instance, GDPR requires us to inform you of significant changes to how we process your data).
Security and Fraud Prevention: We use technical data (IP addresses, logs, etc.) to protect our websites, systems, and users. This includes detecting and blocking cyber-attacks (e.g., DDoS or hacking attempts), preventing spam or misuse of our forms, and ensuring the integrity of our services. As noted earlier, GDPR explicitly acknowledges that processing personal data for network and information security is a legitimate interest of organizations. We only process what is strictly necessary for these purposes in accordance with Recital 49 of the GDPR, which might include measures to prevent unauthorized access and attacks. Legal basis: Legitimate interests (6(1)(f)). We’ve balanced this use against your privacy rights and determined it does not disproportionately impact you (it actually benefits you by keeping your data safe). We do not use this data for any purpose beyond security monitoring and incident response.
Legal Compliance and Enforcement: We will use and retain personal data where necessary to comply with legal obligations (Article 6(1)(c)). For example:
- Record-Keeping: Company and tax laws require us to retain certain transactional data (like invoices, payment records, and related personal details of customers or donors) for a set period. In the UK, companies must keep accounting records for at least six years after the end of the financial year. Hungarian law similarly mandates retention (generally eight years for accounting documents). To ensure compliance across jurisdictions, we keep such records for 8 years (details in the Data Retention section). During that time, we may process those records (which could include your name or address on an invoice) if needed for audits or financial reporting.
- Compliance with Court Orders or Regulatory Requirements: If we are subject to a legal requirement to disclose data (e.g., a court subpoena or a request from a regulatory authority), we will process and share data to the extent we are compelled by law.
- Enforcing Our Terms or Defending Legal Claims: If needed, we may use personal data to investigate and address breaches of our agreements or to defend ourselves in legal disputes. For instance, if there is a dispute about a contract you signed, we may review the communications and documents involved (which contain personal data) to resolve it. This falls under either legal obligation or our legitimate interest in establishing or exercising our legal rights.
Internal Analytics and Service Improvement: We may use de-identified or aggregated information about how users interact with our site (e.g., number of form submissions per month, common support request topics) to improve our services. When doing so, we either anonymize the data or use it in a way that doesn’t identify any individual. General website analytics, if performed, would be done using self-hosted tools to avoid sharing data with third parties. Legal basis: Legitimate interests – to improve our offerings. However, we do not use invasive analytics or any that track individuals’ behavior across other sites.
We will never use your personal data for new purposes that are incompatible with the original purposes described above without first updating this policy and, if necessary, obtaining your consent. We do not engage in any kind of direct marketing as of the date of this policy. If that ever changes, we will ensure we have appropriate consent or other lawful basis.
4. Data Retention Policy – How Long We Keep Data
We retain personal data for no longer than is necessary for the purposes for which it was collected, in accordance with the storage limitation principle of GDPR (Article 5(1)(e)). This means that once data is no longer needed, we will either delete it or anonymize it (so it can no longer be linked to you). Our approach is to define specific retention periods for various categories of data, taking into account legal requirements and business needs, and to regularly review the data we hold and erase or anonymize data that is outdated.
Below is an overview of our retention periods for different types of data:
- Support Inquiries and General Communication: If you contact us for support or with questions (and you are not yet a customer or have no further formal engagement with us), we retain the communication (and any personal data within it) for up to 1 year after resolving your inquiry. We find one year sufficient in case you follow up or have related questions, but not longer than necessary. After that, we delete the inquiry records. Legal basis for retention: It is in our legitimate interest to keep a record of recent communications (to refer back for context, improve our service, or defend against any potential disputes), but we limit it to a year to respect your privacy (Article 5(1)(e) GDPR requires that personal data not be kept longer than necessary).
- Account or Service Data: (This applies if users have accounts or ongoing services with us.) For any personal data associated with a user account or ongoing service subscription, we retain it for as long as the account is active or the service is provided. If you deactivate your account or terminate the service, we will remove or anonymize personal data associated with your account within 3 months of closure, except for data we must retain for legal reasons (see the next bullet points). Example: If you had an online account profile with contact info, we would delete that info within 3 months after you cancel the account. Legal basis: Contract performance (we keep it during the contract) and legitimate interest (a short period after termination to ensure a smooth wind-down and handle any post-termination issues).
- Electronic Signature Records: When you sign a document electronically through our system, we generate an audit log (including your name, signature, IP address, timestamp and document ID). These records may be attached to the signed document itself. We will retain the signed documents and their audit logs for up to 6 years (from the date of signing or the end of the contract, whichever is later), unless a longer period is required by law. This 6-year period aligns with the usual limitation period for contract claims in England and Wales (a claim under a simple contract must be brought within 6 years under the Limitation Act 1980; a deed, i.e. a contract under seal, carries a longer 12-year period, which is one reason we allow for a longer retention where the law requires it). If a document you signed relates to a transaction or agreement, we keep it as evidence in case of any future dispute. Legal basis: Legitimate interest in being able to enforce or verify contracts, and in some cases legal obligation if the contract falls under statutory record-keeping requirements. We do not keep these indefinitely; after 6 years, such records will be securely deleted or archived in an anonymized form (unless there is an ongoing legal issue that necessitates retaining specific records longer).
- Financial and Transactional Records: As mentioned, we are legally required to keep financial records (e.g., invoices, payment details, donation records) for 8 years from the end of the financial year they relate to. This is to comply with UK and Hungarian company law and tax regulations. This data is kept securely and access is restricted. Legal basis: Legal obligation (Article 6(1)(c)).
- Website Server Logs: Our web server automatically logs technical information (like IP addresses, pages visited, browser type, timestamps) for security and troubleshooting. These logs are retained for a short period, typically between 7 and 30 days, after which they are automatically deleted. We only use these logs for security analysis (e.g., investigating suspicious activity) or to diagnose technical problems. Legal basis: Legitimate interest (network and information security).
- Consent Records: Where we rely on your consent to process data (e.g., for a specific form submission or service), we will keep a record of your consent (what you consented to, when, and how) for as long as we are processing the data based on that consent, and for a short period thereafter (e.g., up to 1 year) to demonstrate compliance if needed. If you withdraw consent, we will stop processing for that purpose and delete the data (unless another legal basis applies, like a legal obligation to retain it). Legal basis: Legal obligation (to demonstrate compliance with GDPR’s consent requirements).
Data Deletion and Anonymisation: Once the retention period expires, personal data is either securely deleted from our systems (e.g., using methods that prevent recovery) or it is fully anonymized. Anonymized data is no longer personal data because it cannot be used to identify you, and we may use such anonymized data for statistical analysis or service improvement without further notice. We have procedures in place to ensure that data is reviewed and disposed of in line with these retention periods. Our DPO oversees this process.
If you have any questions about our data retention practices, or if you wish to request deletion of your data (subject to legal limitations), please contact our DPO.
5. Data Security – How We Protect Your Data
We take the security of your personal data very seriously. In line with GDPR Article 32 (“Security of Processing”), we have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This means we protect data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Our measures include:
- Secure Hosting: All our data, including website files, databases, and e-signature records, is hosted on secure servers located in an ISO 27001 certified data centre in Falkenstein, Germany (operated by Hetzner Online GmbH). ISO 27001 is an internationally recognized standard for information security management systems. The data centre has robust physical security, redundant power and cooling, and fire protection systems.
- Encryption: We use encryption to protect data both in transit and at rest where appropriate.
- In Transit: All connections to our websites (adhocsupport.org and hu.adhocsupport.org) are secured using HTTPS with TLS encryption (Transport Layer Security). This means any data you send to us (e.g., via a form) or receive from us is encrypted between your browser and our server, preventing eavesdropping.
- At Rest: Sensitive data stored in our databases (such as e-signature details or personal information from forms) is protected by database-level security and access controls, and by encryption where we consider it appropriate (see above). While we do not publicly detail our specific encryption methods for security reasons, we ensure that stored data is appropriately secured against unauthorized access.
- Access Controls: Access to personal data within Adhoc Support CIC is strictly limited to authorised personnel who need access to perform their job duties (e.g., support staff responding to your inquiry, or our DPO for compliance oversight). We use role-based access controls and strong passwords. All access to sensitive systems is logged and monitored.
- Firewalls and Intrusion Prevention: Our servers are protected by firewalls and other security measures to prevent unauthorized network access and to detect or block malicious traffic.
- Regular Security Reviews and Updates: We regularly review our security practices and update our systems and software (including security patches) to protect against known vulnerabilities. Our DPO is involved in overseeing these reviews.
- Data Minimisation: As stated earlier, we only collect the data we need, which reduces the amount of data at risk.
- Staff Training: Our staff are trained on data protection principles and security best practices.
- Incident Response Plan: We have a plan in place to deal with any suspected personal data breach. In the event of a breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (e.g., the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach; if the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, as required by GDPR Articles 33 and 34.
While we strive to use commercially acceptable means to protect your personal data, remember that no method of transmission over the Internet, or method of electronic storage, is 100% secure. We cannot guarantee its absolute security, but we are committed to implementing and maintaining high standards of data security to protect your information.
6. Data Sharing and Third Parties
We are committed to keeping your personal data confidential. We do not sell, rent, or trade your personal data with any third parties for marketing purposes. We will only share your personal data in the limited circumstances described below, and always with appropriate safeguards.
- For the Purpose of Complaint Resolution: To fulfill our service to you, it may be necessary to share relevant details of your complaint with the organization you are complaining about. This is essential for us to mediate and seek a resolution on your behalf. We will only share the minimum information necessary to achieve this purpose. The lawful basis for this sharing is the performance of our contract with you. We will inform you before any such sharing occurs.
- Service Providers (Data Processors): As a matter of principle, Adhoc Support CIC aims to be self-sufficient in its data processing to maintain maximum control and security.
- Hosting Provider: Our website and all associated data are hosted by Hetzner Online GmbH in Germany. Hetzner acts as a “data processor” on our behalf, and we have a Data Processing Agreement (DPA) with them that complies with GDPR Article 28.
- E-Signature Platform: We use a self-hosted solution. This means all e-signature data remains on our own servers and is not sent to the software provider (ApproveMe) or any other third party.
- Other Third-Party Processors: We currently do NOT use any other third-party data processors for personal data collected through our primary services. All core operations are handled on our own secure infrastructure.
- Legal Requirements: We may be required to disclose your personal data if compelled by law, such as in response to a court order or a binding request from a law enforcement agency or regulatory body. We will only do so to the extent legally required.
- To Protect Our Rights or Others: We may disclose personal data if we believe it’s necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, or potential threats to the safety of any person.
- Business Transfers (Hypothetical): In the unlikely event of a business transfer or acquisition, user information may be transferred to a third party, who would be bound to respect this Privacy Policy.
- With Your Explicit Consent: Other than the above, we will not share your personal data with any third party for any other purpose without your explicit, prior consent.
We ensure that any third party we share data with is contractually bound to protect your data in accordance with GDPR standards. We conduct due diligence on our processors to ensure they have adequate security measures in place.
7. International Data Transfers
Your personal data is primarily processed and stored within the European Economic Area (EEA) and the United Kingdom (UK).
- Our main servers, operated by Hetzner Online GmbH, are located in Falkenstein, Germany (EEA).
- Adhoc Support CIC operates from the UK and Hungary (EEA).
We do not transfer your personal data outside of the UK/EEA to any country that does not ensure an adequate level of data protection as recognized by the UK government and the European Commission, unless appropriate safeguards are in place (such as Standard Contractual Clauses or an adequacy decision).
As of the date of this policy:
- No routine transfers outside UK/EEA: We do not routinely transfer personal data collected from our users to countries outside the UK or EEA. All our core processing (hosting, e-signatures, support) occurs within this region.
- Adequacy Decisions: The European Commission has adopted adequacy decisions for the UK under the EU GDPR, and the UK in turn recognises the EEA countries as providing adequate protection under the UK GDPR. This means data can flow between the UK and the EEA without needing additional transfer safeguards, as both regions are deemed to provide an essentially equivalent level of data protection.
If, in the future, we were to use a service provider based outside the UK/EEA (which is not currently planned for core personal data), we would ensure that such transfers are lawful under GDPR. This would typically involve:
- Confirming if the recipient country has an “adequacy decision” from the UK government or European Commission.
- If not, implementing appropriate safeguards, such as approved Standard Contractual Clauses (SCCs) along with a Transfer Impact Assessment (TIA) to ensure the protection is practically effective in the recipient country.
- In very limited circumstances, relying on a specific derogation under GDPR Article 49 (e.g., your explicit consent for a specific transfer, or if the transfer is necessary for a contract with you), but this would not be for routine transfers.
We will always be transparent about where your data is processed. If our practices change regarding international transfers, we will update this policy and inform you.
8. Your Data Protection Rights
Under data protection law (UK GDPR, EU GDPR, and the Hungarian Info Act), you have several important rights regarding your personal data. We are committed to upholding these rights. They include:
- The right to be informed: You have the right to be provided with clear, transparent, and easily understandable information about how we use your personal data and your rights. This is why we are providing you with the information in this Privacy Policy. (GDPR Articles 13 and 14)
- The right of access: You have the right to obtain access to your personal data (if we are processing it) and certain other information (similar to that provided in this Privacy Policy). This is often known as a “Data Subject Access Request” or DSAR. (GDPR Article 15)
- The right to rectification: You are entitled to have your personal data corrected if it is inaccurate or incomplete. (GDPR Article 16)
- The right to erasure: This is also known as “the right to be forgotten” and, in simple terms, enables you to request the deletion or removal of your personal data where there is no compelling reason for us to keep using it. This is not an absolute right and only applies in certain circumstances (e.g., if the data is no longer necessary for the purpose it was collected, or if you withdraw consent and there’s no other legal ground for processing). (GDPR Article 17)
- The right to restrict processing: You have rights to “block” or suppress further use of your personal data in certain circumstances. When processing is restricted, we can still store your personal data, but may not use it further. (GDPR Article 18)
- The right to data portability: You have the right to obtain and reuse your personal data for your own purposes across different services. This allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. This right only applies to data you provided to us, where processing is based on your consent or for the performance of a contract, and when processing is carried out by automated means. (GDPR Article 20)
- The right to object to processing: You have the right to object to certain types of processing, including processing based on our legitimate interests. If you object, we must stop processing unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defense of legal claims. (GDPR Article 21)
- The right to withdraw consent: If we are relying on your consent as the legal basis for processing your personal data, you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing based on consent before its withdrawal. (GDPR Article 7(3))
- Rights related to automated decision-making and profiling: As stated earlier, we do not engage in automated decision-making or profiling that would have legal or similarly significant effects on you. However, you have the right not to be subject to such decisions if they were to occur. (GDPR Article 22)
How to Exercise Your Rights:
To exercise any of these rights, please use the appropriate contact details below. The primary contact for all data protection matters is our Data Protection Officer (DPO).
- Data Protection Officer: Mr Geza Koczian
- Email: dataprotection@adhocsupport.org
- Postal Address: Adhoc Support CIC, Attn: DPO, Unit A30 Longridge Road, Ribbleton, Preston, England, PR2 5NA.
If you are based in the European Union, you also have the right to contact our EU Representative directly:
- EU Representative: Mr. Zoltan Petrasovits
- Contact Method: Please direct your correspondence via our DPO’s office at dataprotection@adhocsupport.org, stating that it is for the attention of the EU Representative to ensure it is handled correctly.
When you contact us to exercise your rights, we may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. There is usually no fee to exercise your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
9. Complaints
We take your privacy concerns seriously. If you have any questions or complaints about how we handle your personal data, we encourage you to contact our Data Protection Officer (DPO), Mr Geza Koczian, in the first instance at dataprotection@adhocsupport.org. We will do our best to resolve your concerns.
However, if you are not satisfied with our response, or if you believe our processing of your personal data infringes data protection laws, you have the right to lodge a complaint with a supervisory authority.
- In the United Kingdom (UK): The supervisory authority is the Information Commissioner’s Office (ICO).
- Website: ico.org.uk/make-a-complaint/
- Helpline: 0303 123 1113
- Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
- In Hungary: The supervisory authority is the Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH – National Authority for Data Protection and Freedom of Information).
- Website: naih.hu (Online case initiation is available)
- Email: ugyfelszolgalat@naih.hu
- Address: 1055 Budapest, Falk Miksa utca 9-11.
- Postal address: 1363 Budapest, Pf. 9.
- Phone: +36 (1) 391-1400
- For other EU countries: If you are based in another EU country, you can lodge a complaint with your local data protection supervisory authority. You can find a list of EU national data protection authorities on the European Data Protection Board (EDPB) website.
We would appreciate the chance to deal with your concerns before you approach a supervisory authority, so please contact us first.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make changes, we will revise the “Last Updated” date at the bottom of this policy. If we make any material changes (i.e., changes that significantly affect how we process your personal data or your rights), we will provide a more prominent notice. This might include posting a notice on our website homepage or, if we have your contact details and the change is significant, sending you a direct notification (e.g., by email) before the change becomes effective. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our services after any changes or revisions to this Privacy Policy shall indicate your agreement with the terms of such revised Privacy Policy (where consent is not the basis for processing).
11. Contact Us
If you have any questions, comments, or concerns about this Privacy Policy, our data protection practices, or if you wish to exercise your rights, please contact our Data Protection Officer:
Mr Geza Koczian
Data Protection Officer (DPO)
Adhoc Support CIC
Unit A30 Longridge Road, Ribbleton, Preston, England, PR2 5NA
This Privacy Policy was last updated on 13 June 2025.