Privacy policy
Effective: 21 June 2026
This English text is a courtesy translation. The legally binding version is the Hungarian one; in case of any discrepancy, the Hungarian text prevails.
1. Data controller
Mészáros János egyéni vállalkozó (sole trader, Hungary), operator of operex.eu and the OPEREX application (the “Controller”).
Contact: marketing@operex.eu
The Controller acts as a controller for its own Subscriber data (the businesses that order OPEREX and their users), and as a processor for the operational data the Subscriber enters into the system — including the personal data of the Subscriber’s employees appearing in the shift log, event log and tasks. The details of the processing relationship are set out in the Data Processing Agreement (DPA).
2. Personal data processed
Subscriber (account) data — Controller acting as controller
- Contact name, email address, phone number
- Business name, address, tax number (for invoicing)
- User account data: email, password hash, role, sign-in logs
Operational data — Controller acting as processor (the Subscriber is the controller)
- Identifiers of the Subscriber's employees: name, job title/role, account ID
- Shift-log and event-log entries and their authorship (who recorded what, and when)
- Acknowledgements of management orders, task statuses and justifications
- Append-only audit trail (immutable record of every entry and status change)
Special category data: an incident or near-miss entry may exceptionally contain health-related data (e.g. a description of an injury). The Subscriber, as controller, decides on the purpose and legal basis for these; OPEREX stores them solely on the Subscriber’s instruction, as a technical service provider.
Technical data
- IP address and session data (security, troubleshooting)
- Data voluntarily provided via the contact form (name, email, message)
Payment data: the Controller stores no card data. The payment and billing provider has not yet been selected. OPEREX is in a pilot / early-access phase — there is no live paid subscription yet. The payment provider, together with the related billing and data-processing terms, will be added to this document before paid billing goes live.
3. Legal basis for processing
- Performance of a contract (GDPR Art. 6(1)(b)) — providing the service to the Subscriber
- Legitimate interest (GDPR Art. 6(1)(f)) — system security, abuse prevention, service improvement
- Legal obligation (GDPR Art. 6(1)(c)) — accounting and tax obligations
- Consent (GDPR Art. 6(1)(a)) — enquiries made via the contact form
- The legal basis for operational (processed) data is the responsibility of the Subscriber as controller (e.g. employment, legal obligation, legitimate interest)
4. Processors (sub-processors)
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server, hosting; runs the self-hosted database, authentication and file storage | EU (Germany) |
| Resend Inc. | Sending transactional and notification emails | US (EU-U.S. Data Privacy Framework) |
| Payment processor | Provider selection in progress — see section 2 | — |
The database, authentication and file storage run as self-hosted Supabase, operated by the Controller, on the Hetzner server above — so no separate cloud provider has access to them. For dedicated (Business) or on-premise (Enterprise) deployments the set of processors may differ; this is governed by the relevant individual contract.
5. Data retention
- User account data: for 30 days after the account / subscription ends (for export and reactivation), then deleted
- Operational data (shift log, events, audit trail): per the Subscriber’s instruction, taking into account the retention obligations applicable to them (occupational safety, industrial, ISO 45001)
- Billing data: 8 years under the Hungarian Accounting Act
- Contact messages: for as long as needed to handle the enquiry
6. Your rights
- Right of access — a copy of the data we process about you
- Right to rectification — correction of inaccurate data
- Right to erasure (“right to be forgotten”)
- Right to data portability — in a machine-readable format
- Right to restriction and to object (against legitimate-interest processing)
To exercise your rights, write to marketing@operex.eu; we respond without undue delay and within 30 days at the latest.
If your data is part of the operational data entered into the system by a Subscriber (your employer or the business engaging you), please direct related requests primarily to that Subscriber (as controller); OPEREX will forward the request and act on the Subscriber’s instruction.
7. Data security
- Encrypted transport (TLS), HSTS
- Tenant isolation via Row-Level Security (RLS), reinforced in the data-access layer
- Append-only (immutable) audit trail
- Role-based access control (RBAC)
- Data within the EU (Germany); regular backups and updates
8. International data transfer
Personal data is stored primarily within the European Economic Area (EEA, Germany). Transfers outside the EEA take place only with the safeguards under Chapter V of the GDPR: Resend Inc. (US) provides adequate protection under the EU-U.S. Data Privacy Framework.
9. Lodging a complaint
If you believe that the processing of your data infringes the GDPR, you may lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH).
NAIH · 1055 Budapest, Falk Miksa utca 9-11., Hungary · naih.hu · ugyfelszolgalat@naih.hu