Privacy Policy
This Privacy Policy describes how personal data is processed in connection with the connectors.hu service (the "Service"), in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (the "GDPR") and the Hungarian Act CXII of 2011 on the right to informational self-determination and on freedom of information (the "Privacy Act").
1. Data Controller
Name: Szota Szabolcs, sole proprietor (Hungarian: egyeni vallalkozo)
Registered seat: 3152 Nemti, Kossuth ut 67., Hungary
Tax number: 66269458-1-32
Contact email: szabolcs@aiamindennapokban.hu
Website: https://connectors.hu
(hereinafter: the "Controller")
The Controller has not appointed a data protection officer, as the conditions set out in Article 37(1) of the GDPR are not met. Data-protection enquiries can be addressed to the email address above.
2. Categories of Data Processed
2.1. Registration and Account Management
| Data | Source | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Email address | Provided by User | Account identification, communication | Performance of the contract (GDPR Art. 6(1)(b)) | Until account deletion + 30 days |
| Password (hashed) | Provided by User | Authentication | Performance of the contract | Until account deletion |
| OAuth account identifier | OAuth provider | Simplified sign-in | Performance of the contract | Until account deletion |
2.2. Connector Credentials
The Service offers unified access to Hungarian and international business systems (e.g. NAV Online Invoice, Billingo, MiniCRM, UNAS, fal.ai, Wise). External credentials provided by the User (API keys, technical-user passwords, OAuth tokens) are processed as follows:
- stored using industry-standard AES-256-GCM encryption, with client-side envelope encryption,
- encryption keys are kept within the Service's runtime environment, isolated from the source code,
- decrypted in memory only for the duration of the corresponding MCP call.
Legal basis: performance of the contract (GDPR Art. 6(1)(b))
Retention: until account deletion or revocation by the User.
2.3. Usage Logs
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| MCP call timestamp, tool name, response time | Debugging, rate-limit enforcement, capacity planning | Legitimate interest of the Controller (GDPR Art. 6(1)(f)) | 30 days |
| Hashed IP address | Abuse prevention | Legitimate interest | 30 days |
| Error log (stack trace, request id) | Bug fixing | Legitimate interest | 90 days |
The Controller has conducted a legitimate-interest assessment and concluded that the processing of the above data does not disproportionately affect the User's rights and interests, and is necessary for secure operation of the Service.
2.4. Billing Data (if applicable)
During the public beta, the Service is free of charge; the Controller does not process billing data. If the Service moves to paid plans, this Policy will be supplemented with a section on billing data processing (in particular regarding Stripe or another payment service provider).
2.5. Cookies and Local Storage
The Service uses the following types of cookies and local-storage entries:
- Necessary: session cookie, language preference, dark-mode setting. Processed without consent (Privacy Act section 6(1)(b)) because they are essential to the operation of the Service.
- Analytics: anonymous usage statistics. Loaded only with the User's explicit consent.
- Marketing: third-party content and tracking. Loaded only with the User's explicit consent.
Consent can be withdrawn at any time via the "Cookie settings" link in the footer.
3. Processors
The Controller uses the following processors to operate the Service. The list is current; before any new processor is engaged, this Policy will be updated.
| Processor | Activity | Location | Reference |
|---|---|---|---|
| Supabase, Inc. (Singapore + EU region) | Database, authentication, Edge Function execution, file storage | EU region (eu-central-1) | https://supabase.com/privacy |
| Resend Operations, Inc. (USA) | Transactional email (confirmation, password reset, magic link, security notifications) | EU + USA | https://resend.com/legal/privacy-policy |
| Netlify, Inc. (USA) | Static website hosting and CDN | EU + USA | https://www.netlify.com/privacy/ |
| GitHub, Inc. (USA, Microsoft subsidiary) | Source-code storage (no personal data) | USA | GitHub Privacy |
Transfers to non-EU processors are covered by GDPR Article 46 Standard Contractual Clauses and the processors' Data Processing Agreements.
4. Data Transfers
The Controller transfers the User's personal data to third parties only:
- to the processors listed in section 3, for the purpose of their activity,
- where required by law, in response to requests from authorities (e.g. NAV, courts),
- with the User's explicit consent.
External credentials provided by the User (NAV, Billingo, etc.) are used exclusively to fulfil MCP calls initiated by the User's own AI agent. The recipient of the data is in every case the relevant external provider (e.g. the NAV API), and processing there is governed by that provider's privacy policy.
5. Rights of the Data Subject
Under Articles 15-22 of the GDPR, the User (data subject) has the following rights:
- Access: information about which personal data the Controller processes about them.
- Rectification: correction of inaccurate data.
- Erasure ("right to be forgotten"): deletion of data, except where processing is based on a legal obligation.
- Restriction of processing: in certain cases (e.g. disputed accuracy), suspension of processing.
- Data portability: receipt of the data in a structured, machine-readable format.
- Objection: objection to processing based on legitimate interest.
- Withdrawal of consent: at any time, with no effect on the lawfulness of past processing.
Requests are accepted by the Controller at szabolcs@aiamindennapokban.hu and are fulfilled within 30 days of receipt. The Controller may extend this deadline by up to 60 days where necessary, with prior notice to the User.
6. Security Measures
- Encryption at rest: external credentials are AES-256-GCM encrypted with client-side envelope encryption.
- Encryption in transit: TLS 1.2 or above on all Service endpoints.
- Access control: row-level access policies; the User can only access their own data.
- Audit log: critical operations of the Service are logged.
- Key rotation: encryption keys can be rotated as needed, with re-encryption of stored records.
- Incident response: in the event of a personal-data breach the Controller notifies the Hungarian Data Protection Authority (NAIH) within 72 hours and, if the incident carries a high risk, also notifies the affected data subjects.
7. Data Retention
The Controller retains personal data only for as long as necessary for the relevant purpose, as set out in section 2. Following deletion of the account:
- registration and credential data are deleted within 30 days,
- usage logs are deleted on a rolling 30-day basis,
- error logs are deleted on a rolling 90-day basis.
Data that the Controller is required by law (e.g. accounting obligations) to retain is kept for the period prescribed by the relevant legislation.
8. Right to Complaint
In the event of a violation of data-protection rights, the User may lodge a complaint:
- with the Controller: szabolcs@aiamindennapokban.hu
- with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH):
- Address: 1055 Budapest, Falk Miksa utca 9-11.
- Postal address: 1363 Budapest, Pf. 9.
- Email: ugyfelszolgalat@naih.hu
- Phone: +36 1 391-1400
- Web: https://naih.hu
- with the competent Hungarian court, at the data subject's election, at the court of their place of residence or stay.
9. Amendments to this Policy
The Controller reserves the right to amend this Policy unilaterally. Changes are communicated within the Service; for material changes, registered Users receive prior email notice. Previous versions are available on request at szabolcs@aiamindennapokban.hu.
Version history:
v1.0, 17 May 2026, Initial publication.