Privacy Notice – Quarma360 Performance Evaluation Platform
Effective date: 12 November 2025 | Last updated: 25 June 2026 | Version: 2.1
1. General Provisions
1.1. Scope of this Notice
This Privacy Notice (hereinafter: the Notice) describes the data processing activities performed in connection with the use of the Quarma360 performance evaluation platform (hereinafter: the Platform) operated by NW Business Korlátolt Felelősségű Társaság (registered seat: 6500 Baja, Szabadság út 79. 2. emelet 9. ajtó, company registration number: 03-09-138461, tax number: 32576340-2-03; hereinafter: the Controller or Company).
1.2. Characteristics of the Platform
The Platform is a B2B (business-to-business) SaaS (Software as a Service) solution that enables organisations to carry out 360-degree, competency-based performance evaluations of their employees. The purpose of the Platform is to measure, monitor and document employee performance in an objective way, providing a basis for decisions on remuneration, promotion, development and other HR-related matters.
The Platform is available both as a web application (accessible through a browser) and as a native mobile application for iOS and Android devices, distributed via the Apple App Store and Google Play. The mobile application provides the same evaluation functionality as the web version and additionally processes a limited set of device-specific data (push notification tokens, on-device biometric authentication and login-approval data) described in Sections 4.2.6, 5.2, 7.1 and 11.6 of this Notice. The data-handling practices disclosed in the app stores' privacy labels (Apple "Privacy Nutrition Labels" and the Google Play "Data Safety" section) are consistent with this Notice.
1.3. Legal compliance
The Controller undertakes to ensure that all processing of personal data fully complies with the General Data Protection Regulation of the European Union (GDPR – Regulation (EU) 2016/679), Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Infotv.), and all other applicable data protection legislation.
1.4. Categories of data subjects
This Notice applies to the following categories of data subjects:
- B2B client representatives and contact persons of organisations using the Platform,
- employees taking part in performance evaluations,
- visitors of the Platform’s public website.
2. Identification and Contact Details of the Controller
2.1. Details of the Controller
| Data | Details |
|---|---|
| Name | NW Business Korlátolt Felelősségű Társaság |
| Registered seat | 6500 Baja, Szabadság út 79. 2. emelet 9. ajtó |
| Postal address | 6500 Baja, Szabadság út 79. 2. emelet 9. ajtó |
| Company registration number | 03-09-138461 |
| Tax number | 32576340-2-03 |
| EU VAT number | HU32576340 |
| Registering court | Company Court of the Kecskemét Tribunal |
2.2. Contact details of the person responsible for data protection
| Data | Details |
|---|---|
| Name | Bálint Zeller (Managing Director) |
| E-mail address | [email protected] |
| Phone number | +36 70 265 2651 |
2.3. General contact options
| Data | Details |
|---|---|
| E-mail address | [email protected] |
| Available languages | Hungarian, English |
| Response deadline | 30 days (may be extended by an additional 60 days in justified cases) |
2.4. Data Protection Officer
The Controller is not obliged to appoint a separate Data Protection Officer (DPO) as the conditions set out in Article 37(1) of the GDPR are not met. Data protection responsibilities are performed by the Managing Director.
3. Clarification of Data Protection Roles
3.1. Definition of controller and processor
Controller (Article 4(7) GDPR): a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor (Article 4(8) GDPR): a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
3.2. Roles in the use of the Platform
In relation to employee performance evaluation:
- Controller: the organisation (employer) using the Platform, which determines the purposes, data scope and methods of performance evaluation of its employees.
- Processor: NW Business Kft. (Quarma360), which processes the employees’ personal data solely on behalf of and in accordance with the documented instructions of the employer, within the technical operation of the Platform.
In relation to the provision of the B2B service:
- Controller: NW Business Kft., which independently determines the purposes and means of managing customer relationships.
3.3. Allocation of responsibilities
Based on the above roles, the employer is responsible for ensuring that the processing of employees’ personal data is based on an appropriate legal basis and complies with the applicable legislation. NW Business Kft., as processor, acts in accordance with the employer’s written instructions and does not independently determine the purposes of processing.
4. Categories of Personal Data Processed
4.1. Personal data of organisational contact persons
For the conclusion and performance of contracts relating to the use of the Platform, the Controller processes the following personal data of the contact persons of organisations:
| Category | Data processed | Mandatory |
|---|---|---|
| Personal identification data | full name, e-mail address, phone number | Yes |
| Organisation data | company name, registered seat, tax number, EU VAT number, company registration number | Yes |
| Billing information | billing address, bank account number | Yes |
| Technical system data | IP address, browser type and version, device identifiers | Automatic |
4.2. Personal data of employees
For the purpose of carrying out the performance evaluation process, the Controller, as processor, processes the following personal data of employees:
4.2.1. Basic personal and organisational identification data
| Data type | Content |
|---|---|
| Personal identification data | full name, e-mail address (corporate or private) |
| Organisational data | position/title, organisational level, organisational unit/department, name of line manager, names of subordinates, net salary (optional) |
4.2.2. Performance evaluation data (data generated on the Platform)
- competency scores (on a 0–100 scale),
- self-assessment results,
- peer evaluations (in anonymised form),
- manager evaluations (in anonymised form),
- subordinate evaluations (in anonymised form),
- manager rankings (in anonymised form),
- historical performance data per evaluation period,
- performance category (Bonus/Malus classification) (M04–M01, A00, B01–B10 scale).
4.2.3. Bonus/Malus calculation data
- performance category,
- multipliers applied,
- net monthly income (only if the employer uses the Platform’s automatic bonus calculation functionality).
4.2.4. Behavioural telemetry and trust data
If the employer has not disabled the Platform’s AI telemetry function, the following data may be collected:
- time taken to complete evaluations,
- number and frequency of answer changes,
- length of breaks during completion,
- trust score (0–20 scale),
- trust index (0–100% scale),
- flags indicating suspicious behaviour,
- type of device used (desktop, mobile device).
4.2.5. Technical system data
- IP addresses,
- session identifiers,
- cookie identifiers,
- browser fingerprint data,
- system log entries.
4.2.6. Mobile application data (native iOS/Android app only)
When an employee uses the native mobile application, the following additional data may be processed:
| Data type | Content / purpose |
|---|---|
| Push notification token | A device-specific push token (Firebase Cloud Messaging token) together with the device platform (iOS/Android), used solely to deliver in-app and push notifications (e.g. evaluation reminders, login-approval requests, account-related alerts). The token contains no message content and does not identify the device owner outside the Platform. |
| Biometric login flag | A flag indicating whether the user has enabled biometric unlock for the app on a given device. The biometric data itself (fingerprint, Face ID) is processed exclusively on the device by the operating system and is never transmitted to or stored by the Controller — see Section 11.6. |
| Login-approval data | For two-factor login confirmation initiated from the app, a short-lived approval record containing a one-time code, the IP address and the browser/device identifier (user agent) of the login attempt, so that the user can verify and approve or reject the sign-in. These records expire automatically after a short period. |
| Sign in with Apple identifier | Where the employee logs in using "Sign in with Apple", a pseudonymous Apple subject identifier and, where Apple's private e-mail relay ("Hide My Email") is used, a relay e-mail address, used solely to identify and authenticate the user account. |
4.3. Strict anonymisation mode and disabling AI telemetry
4.3.1. Operation of strict anonymisation mode
The Platform allows the employer to enable a strict anonymisation mode at organisational level. Once enabled, the system does not store the identifier of the employee completing the evaluation in the database, not even for analytical purposes.
4.3.2. Automatic disabling of AI telemetry
Strict anonymisation mode automatically disables AI telemetry functionalities, as these require the storage and analysis of behavioural data.
4.3.3. Data not collected in strict anonymisation mode
When strict anonymisation mode is active, the processing of behavioural telemetry described in Section 4.2.4 does not take place; consequently, the system does not perform fraud detection activities.
4.3.4. Independent deactivation of AI telemetry
The AI telemetry function can also be deactivated independently of the strict anonymisation mode. In this case the user identifier is stored, but the behavioural data set out in Section 4.2.4 is not collected.
4.3.5. Responsibility for configuration
The above settings can be changed only by the employer’s administrator and are the employer’s responsibility. The Controller, acting as processor, only operates the Platform in accordance with the configuration set by the employer.
4.4. Data of website visitors
For visitors of the Platform’s website, the Controller collects the following data:
- IP address,
- browser type and version,
- operating system type,
- time stamps of visits,
- URLs of pages viewed,
- language preferences.
Marketing analytics data collection (e.g. Microsoft Clarity): takes place only with the explicit consent of the visitor and may include the recording of heatmaps, session replays and click patterns.
5. Purpose and Legal Basis of Processing
5.1. General principles
The Controller processes personal data only for specified, explicit and legitimate purposes. The legal basis for processing is one of the legal bases listed in Article 6(1) of the GDPR.
5.2. Processing purposes, legal bases and retention periods
| Purpose of processing | Legal basis (Article 6 GDPR) | Retention period |
|---|---|---|
| Carrying out 360-degree performance evaluations | (f) – legitimate interest of the employer | duration of the employment relationship + 3 years, then anonymisation |
| Measuring and monitoring competencies | (f) – legitimate interest of the employer | duration of the employment relationship + 3 years, then anonymisation |
| Bonus and malus calculation | (b) – performance of a contract, or (f) – legitimate interest | duration of the employment relationship + 3 years, then anonymisation |
| Detection of abuse (fraud detection) | (f) – integrity of the evaluation system | end of evaluation period + 1 year |
| Provision of SaaS services to organisations | (b) – performance of a contract | for the duration of the contract + 30 days |
| Invoicing and payment handling | (b) – performance of a contract; (c) – legal obligation | 8 years (accounting obligations) |
| Customer support and technical assistance | (b) – performance of a contract | for the duration of resolving the issue + 1 year |
| System security and prevention of abuse | (f) – legitimate interest; (c) – legal obligation | 1 year |
| Marketing analytics | (a) – consent | until withdrawal of consent, but no longer than 2 years |
| Sending push and in-app notifications (mobile app) | (b) – performance of a contract; (f) – legitimate interest in operating the service | until logout, app uninstallation or token invalidation |
| Biometric and app-based login, two-factor login approval (mobile app) | (b) – performance of a contract; (f) – legitimate interest in account security | biometric flag/device registration: until the device is removed or logout; login-approval records: short-lived (until expiry) |
5.3. Legitimate interest assessment
Where the legal basis for processing is legitimate interest (Article 6(1)(f) GDPR), the Controller has carried out a Legitimate Interest Assessment (LIA). The results can be summarised as follows:
- Legitimate interest of the employer: measuring and improving employee performance, creating an objective and transparent remuneration system, and ensuring the efficient functioning of the organisation.
- Reasonable expectations: employees can reasonably expect to be subject to performance evaluations in the context of their employment, provided that they receive adequate prior information about such evaluations.
- Proportionality: data collection is necessary and proportionate to the purpose, limited to work-related performance, and appropriate technical and organisational measures protect the data, while data subjects can exercise their rights.
- Legitimate interest in fraud detection: protecting the reliability and integrity of the evaluation system is in the common interest of both the employer and employees.
5.4. Employer’s responsibility for providing a legal basis
5.4.1. Legal bases to be ensured by the employer
With regard to employee performance evaluation, it is the employer’s responsibility to ensure that an appropriate legal basis exists. This may, in particular, be:
- Article 6(1)(b) – performance of the employment contract, where performance evaluation forms an integral part of the contract or is necessary for determining remuneration,
- Article 6(1)(f) – legitimate interest of the employer, supported by a legitimate interest assessment,
- Article 6(1)(c) – compliance with a legal obligation, where performance evaluation is required by law or a collective agreement.
5.4.2. Prohibited legal basis – consent
The Controller draws attention to the fact that, as a general rule, consent under Article 6(1)(a) GDPR is not an appropriate legal basis for data processing in the context of employment, in view of the imbalance of power between employer and employee.
6. Automated Decision-Making and Use of Artificial Intelligence
6.1. General provisions
6.1.1. Use of AI-based systems
The Platform uses artificial intelligence (AI)-based analysis to support the performance evaluation process. The AI features are built on specially configured language models operating within the Microsoft Azure OpenAI Service (EU region).
6.1.2. Application of Article 22 GDPR
The AI-based processing falls within the scope of Article 22 of the GDPR, which regulates automated decision-making, including profiling.
6.2. Content of AI-based automated decision-making
6.2.1. Calculation of trust score
The AI-based system automatically assigns a trust score (0–20 scale; trust index: 0–100%) to certain evaluations based on the analysis of completion behaviour. The calculation takes into account, among other things:
- completion times and timing patterns,
- number and frequency of answer changes,
- consistency of answers,
- statistical outliers.
6.2.2. Automatic determination of performance thresholds
The system uses an AI-based algorithm to suggest thresholds for performance categories (bonus/malus levels) based on the statistical distribution of scores. In doing so, the system considers:
- the distribution of scores of the employees evaluated,
- the organisation’s historical evaluation data,
- configuration parameters defined by the employer.
6.2.3. Characteristics of automated decision-making
- the decision-making is based on deterministic algorithms,
- decisions are made according to strict, predefined rules and mathematical formulas,
- the algorithms are documented and auditable,
- the logic of decision-making can be explained to the employer.
6.3. Limitation of automated decision-making and human review
6.3.1. No “solely automated” decision-making
The AI-based automated decision-making does not qualify as “solely automated decision-making” within the meaning of Article 22(1) GDPR, because:
- the employer’s administrator or manager can review, modify or disregard the AI-generated results at any time,
- no employee may suffer adverse employment consequences solely on the basis of an AI-generated trust score,
- the final decision is always taken by a human (administrator or manager).
6.3.2. Data subject rights related to automated decision-making
The employee, as data subject, has the right to:
- request human intervention in respect of automated decision-making,
- express their point of view regarding the automated decision,
- contest the automated decision,
- request an explanation of the logic and main criteria underlying the automated decision-making.
6.4. Pseudonymisation and data protection during AI processing
6.4.1. Data minimisation towards Azure OpenAI Service
Data transmitted to the Microsoft Azure OpenAI Service is pseudonymised. The AI model does not receive access to the following data:
- name of the data subject,
- e-mail address,
- specific job title or position,
- net income,
- any other data that directly identifies the individual.
6.4.2. Types of data transmitted to Azure OpenAI Service
In general, the following data is transmitted to the Azure OpenAI Service:
- pseudonymised user identifiers (e.g. “user_123”),
- numeric competency scores,
- timing data (in seconds),
- behavioural metrics in numeric form,
- aggregated statistical data.
6.4.3. Data retention within Azure OpenAI Service
Azure OpenAI Service does not use the data for model training purposes. Request log data is retained only for a limited period (generally no longer than 30 days) for operational, security and abuse prevention purposes.
6.5. Options for disabling AI functionalities
6.5.1. Employer’s rights
The employer’s administrator may at any time:
- disable the AI-based trust score calculation,
- disable telemetry data collection,
- enable strict anonymisation mode, which automatically disables all AI telemetry functions.
6.5.2. Functionality without AI
Disabling AI functions does not render the core evaluation features of the Platform unusable. The performance evaluation process can be fully carried out without AI.
6.6. Data Protection Impact Assessment (DPIA)
6.6.1. Conducting a DPIA
The Controller has carried out a Data Protection Impact Assessment (DPIA) under Article 35 GDPR for the AI-based functionalities of the Platform.
6.6.2. DPIA result
The DPIA concluded that, with the implementation of appropriate technical and organisational measures (pseudonymisation, option for human review, opt-out options, limited retention periods), the residual risk can be reduced to an acceptable level.
7. Processors and International Data Transfers
7.1. List of processors
In accordance with Article 28 GDPR, the Controller enters into Data Processing Agreements (DPAs) with the following processors:
| Processor | Registered seat | Activity | DPA status |
|---|---|---|---|
| Microsoft Ireland Operations Ltd. (Azure OpenAI Service) | Dublin, Ireland | AI-based analysis, support for trust score calculation | Available |
| Barion Payment Zrt. | Budapest, Hungary | online payment transaction processing | Available |
| Billingo Technologies Zrt. | Budapest, Hungary | automatic invoicing | Available |
| Amazon Web Services EMEA SARL | EU region (Frankfurt) | encrypted backups (AWS S3) | Available |
| Websupport Magyarország Kft. | Budapest, Hungary | VPS hosting, server infrastructure | Contract in place |
| Cloudflare, Inc. | USA (with EU servers) | DNS, CDN, DDoS protection | Available |
| Google Ireland Ltd. | Dublin, Ireland | OAuth login, related Google services | Available |
| Microsoft Ireland Operations Ltd. | Dublin, Ireland | OAuth login, Microsoft Clarity | Available |
| Google Ireland Ltd. / Google LLC (Firebase Cloud Messaging) | Dublin, Ireland / USA | delivery of push notifications to mobile devices | Available |
| Apple Inc. | USA | "Sign in with Apple" authentication; distribution of the iOS application via the App Store | Available |
| SÁMÁN & SÁMÁN Bt. | 6500 Baja, Hungary | accounting services | Contract in place |
| Raiffeisen Bank Zrt. | Budapest, Hungary | banking services, payment transactions | Contract in place |
7.2. International data transfers (third countries)
7.2.1. General provision
In some cases, personal data may be transferred to countries outside the European Economic Area (EEA), in particular to the United States of America. Such international data transfers take place only in compliance with Articles 44–49 GDPR and subject to appropriate safeguards.
7.2.2. Microsoft Azure OpenAI Service
For Azure OpenAI Service, data processing generally takes place within the EU region (e.g. Frankfurt). The service is used in such a way that AI processing remains, as far as possible, within the EEA. Where a transfer to a third country is nevertheless required (for example, in the context of Microsoft support), the legal basis relies on Standard Contractual Clauses (SCCs) and additional safeguards provided by Microsoft.
7.2.3. Google, Microsoft (Clarity), Cloudflare, Apple and other providers
For Google Ireland Ltd. / Google LLC (including Firebase Cloud Messaging), Microsoft Ireland Operations Ltd., Cloudflare Inc. and Apple Inc., personal data may also be transferred outside the EEA, in particular to the United States. This applies, for the mobile application, to the transmission of push notification tokens to Firebase Cloud Messaging and to "Sign in with Apple" authentication data. In these cases:
- Standard Contractual Clauses (SCCs) are used as the primary safeguard,
- providers may hold an EU–US Data Privacy Framework (DPF) certification where applicable,
- the principle of data minimisation applies: only the minimum data necessary for the service is transferred (for push notifications, only a device token and the notification content; no evaluation data is sent to the notification provider).
7.2.4. DPAs and SCCs
Upon request, the Controller will provide data subjects with a summary of the main content of the data processing agreements and the Standard Contractual Clauses used.
8. Retention Periods and Anonymisation
8.1. General retention principles
The Controller retains personal data only for as long as necessary to achieve the purposes of processing, taking into account legal requirements, limitation periods and the legitimate interests of data subjects and the Controller.
8.2. Detailed retention periods
| Category | Retention period | Legal basis |
|---|---|---|
| Data relating to active organisational contracts | for the duration of the contract | Article 6(1)(b) GDPR |
| Data relating to closed organisational contracts (excluding invoices) | 30 days from termination of the contract | Article 5(1)(e) GDPR |
| Employee data from closed evaluation periods | duration of the employment + 3 years, then anonymisation | Article 6(1)(f) GDPR |
| Anonymised performance data | indefinitely (no longer personal data) | Recital 26 GDPR |
| Invoices and accounting documents | 8 years | Section 169 of Act C of 2000 on Accounting |
| Payment transaction data | 5 years | Section 6:22 of the Hungarian Civil Code |
| Audit logs and security logs | 1 year | Article 6(1)(f) GDPR |
| Customer support communication | duration of resolving the issue + 1 year | Article 6(1)(b) GDPR |
| Marketing cookie data | until consent is withdrawn, but no longer than 2 years | Article 6(1)(a) GDPR |
| Mobile device push tokens and device registrations | until logout, app uninstallation or token invalidation | Article 6(1)(b) and (f) GDPR |
| Login-approval records (mobile two-factor confirmation) | short-lived; deleted/expired shortly after the login attempt | Article 6(1)(f) GDPR |
| Backups (AWS S3) | 15 days rolling retention | Article 6(1)(f) GDPR |
8.3. Anonymisation process
8.3.1. Triggering anonymisation
Three years after the end of an employment relationship, the Controller carries out irreversible anonymisation of the former employee’s performance evaluation data.
8.3.2. Personal data to be deleted
- full name,
- e-mail address,
- phone number,
- position/title,
- net income,
- name of organisational unit/department.
8.3.3. Data remaining in anonymised form
- pseudonymised user identifier (e.g. “user_789”),
- numeric competency scores,
- dates of evaluation periods,
- general category of organisational level (manager/middle manager/employee) without name,
- aggregated statistical data.
8.3.4. Legal status after anonymisation
After anonymisation, data no longer falls within the scope of the GDPR, as the data subject cannot be identified from it and cannot be made identifiable by reasonable means.
8.4. Backups and deletion of data
8.4.1. Operation of the backup system
The Controller creates full database backups twice a day, stored in a 15-day rolling cycle.
8.4.2. No deletion flags in backups
The backup system does not use separate deletion flags. If personal data is deleted from the live database, it may remain in older backups for up to 15 days, after which the oldest backup is overwritten and the data is permanently removed.
8.4.3. Execution of erasure requests
Upon a request for erasure, the data subject’s personal data is deleted from the live system without undue delay. Copies remaining in backups are retained for no longer than 15 days solely for disaster recovery purposes.
8.4.4. Compliance with Article 17 GDPR
This mechanism does not prevent the exercise of the right to erasure under Article 17 GDPR, as backup data is not subject to active processing and is used only for IT security purposes.
9. Rights of Data Subjects
9.1. General provisions
Data subjects have extensive rights regarding the processing of their personal data under Articles 15–22 GDPR. The Controller takes all necessary measures to ensure that these rights can be exercised easily, transparently and within a reasonable time.
9.1.1. Free of charge
Exercising data subject rights is generally free of charge. The Controller may charge a reasonable fee or refuse to act on the request only in the case of manifestly unfounded or excessive requests, in particular due to their repetitive character.
9.1.2. Response deadline
The Controller responds to data subject requests without undue delay and in any event within one month. In justified cases this period may be extended by a further two months, in which case the data subject will be informed of the reasons for the delay.
9.2. Right of access (Article 15 GDPR)
The data subject has the right to obtain confirmation as to whether personal data concerning them is being processed and, if so, access to the personal data and certain supplementary information (purposes, categories, recipients, retention periods, rights, source of data, existence of automated decision-making, guarantees for third-country transfers).
Upon request, the Controller provides a copy of the personal data being processed in PDF, JSON or Excel format. The first copy is provided free of charge; for additional copies, a reasonable fee based on administrative costs may be charged.
9.3. Right to rectification (Article 16 GDPR)
The data subject has the right to obtain the rectification of inaccurate personal data and the completion of incomplete personal data. The Controller will act on such requests without undue delay.
9.4. Right to erasure – “right to be forgotten” (Article 17 GDPR)
The data subject has the right to obtain the erasure of personal data concerning them where, among other things, the data is no longer necessary for the purposes for which it was collected, consent is withdrawn and there is no other legal basis, the data subject objects to processing and there are no overriding legitimate grounds, the processing is unlawful, or erasure is required by law. The right to erasure is not absolute; in particular, the Controller may retain certain data to comply with legal obligations, accounting rules or for the establishment, exercise or defence of legal claims.
During the employment relationship, performance evaluation data is generally not subject to erasure at the request of the employee, as processing is based on the employer’s legitimate interest. However, three years after the termination of employment, the data is automatically anonymised.
9.5. Right to restriction of processing (Article 18 GDPR)
The data subject has the right to obtain restriction of processing where they contest the accuracy of the data, the processing is unlawful and the data subject opposes erasure, the Controller no longer needs the data but the data subject requires it for legal claims, or the data subject has objected to processing and the verification of legitimate grounds is pending. During restriction, personal data may, apart from storage, be processed only with the data subject’s consent or for legal claims or for the protection of the rights of another person or important public interest.
9.6. Right to data portability (Article 20 GDPR)
The data subject has the right to receive the personal data concerning them, which they have provided to the Controller, in a structured, commonly used and machine-readable format, and to transmit those data to another controller where processing is based on consent or contract and carried out by automated means. The Controller currently provides data portability in CSV and JSON formats; the automated export function is under development. Until then, the requested data is provided manually within 30 days.
9.7. Right to object (Article 21 GDPR)
The data subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data based on legitimate interests. In such a case, the Controller will no longer process the data unless it demonstrates compelling legitimate grounds which override the interests, rights and freedoms of the data subject, or for legal claims.
The data subject may object at any time to processing of personal data for direct marketing purposes, including profiling related to such direct marketing.
9.8. Rights related to automated decision-making (Article 22 GDPR)
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. In relation to the Platform’s AI functionalities, decisions are not solely automated: the final decisions are always made by humans, and the data subject can request human review.
9.9. Right to lodge a complaint (Article 77 GDPR)
The data subject has the right to lodge a complaint with a supervisory authority if they consider that the processing of personal data relating to them infringes the GDPR.
Supervisory authority in Hungary:
| Data | Details |
|---|---|
| Name | National Authority for Data Protection and Freedom of Information (NAIH) |
| Postal address | 1530 Budapest, Pf.: 5. |
| Address | 1055 Budapest, Falk Miksa utca 9–11. |
| Phone | +36 (1) 391-1400, +36 30 683 5969 |
| [email protected] | |
| Website | https://naih.hu |
The Controller encourages data subjects to contact the Controller first (at [email protected]) before lodging a complaint so that issues can be resolved amicably where possible.
9.10. Right to an effective judicial remedy (Article 79 GDPR)
The data subject has the right to an effective judicial remedy where they consider that their rights under the GDPR have been infringed as a result of the processing of their personal data. Proceedings may be brought before the courts of the Member State where the Controller or processor has an establishment or where the data subject has their habitual residence.
10. Employer’s Responsibilities and Obligations
10.1. Employer as controller
With regard to the performance evaluation of employees, the organisation using the Platform (employer) is the controller within the meaning of Article 4(7) GDPR. The employer is responsible for the legal basis of processing, for the provision of adequate information and for ensuring data subject rights.
10.2. Obligations before starting to use the Platform
10.2.1. Prior information (Articles 13–14 GDPR)
Before using the Platform, the employer must inform employees in writing about, among other things, the purpose and legal basis of performance evaluations, the categories of data processed, retention periods, the identity and role of NW Business Kft. as processor, the rights of data subjects, the possibilities for lodging complaints, and the use, configuration and opt-out options of AI analysis and telemetry.
10.2.2. Internal policy
The employer should adopt a performance evaluation policy or amend existing internal policies to describe the purpose, frequency and process of evaluations, the competencies assessed, how results are used (bonuses, promotions, development plans), and the possibilities for employee feedback and appeal.
10.2.3. Determining the legal basis
The employer must decide on which legal basis performance evaluations are carried out (performance of employment contract, legitimate interest or legal obligation). If legitimate interest is used, a legitimate interest assessment must be performed.
10.2.4. Prohibited legal basis – consent
The employer may not rely, as a general rule, on employee consent as the legal basis for performance evaluation, since the imbalance of power between employer and employee means consent is typically not considered freely given.
10.2.5. Prohibition of processing certain categories of data and age limits
- the employer must ensure that persons under 16 years of age are not entered into the system (Article 8 GDPR),
- processing of special categories of personal data under Article 9 GDPR (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, sexual orientation) for performance evaluation purposes is prohibited,
- net income data is required only if the employer activates the Platform’s automatic bonus calculation function.
10.2.6. Procedures for handling data subject rights
The employer must establish internal procedures for handling employees’ requests to exercise their rights (access, rectification, erasure, restriction, objection) and for cooperation with the Controller in responding to such requests.
10.3. Technical and data protection configuration decisions
The employer’s administrator decides, during configuration of the Platform, on the following:
- whether AI telemetry is enabled or disabled,
- whether strict anonymisation mode is enabled,
- whether the bonus/malus system is used and how net salary data is processed,
- whether the multi-level organisational structure (departments, units) is used.
The employer is responsible for informing employees in advance about these decisions.
10.4. Continuous data protection obligations
The employer must ensure that data provided by the Platform is used only in a lawful and proportionate manner, is not shared with unauthorised third parties, and that data retention and anonymisation rules are respected. AI-generated results must not be used as the sole basis for adverse employment decisions, and employees must be enabled to exercise their data protection rights.
11. Data Security Measures
11.1. General principles
In accordance with Article 32 GDPR, the Controller implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs, the nature, scope, context and purposes of processing, and the risks to the rights and freedoms of data subjects.
11.2. Technical security measures
11.2.1. Network and transmission security
- all data transmission is protected by SSL/TLS encryption (HTTPS, TLS 1.2 or higher),
- Cloudflare DDoS protection,
- rate limiting for API and web requests,
- IP whitelisting for certain administrative functions,
- Fail2Ban or similar IP blocking mechanism after repeated failed login attempts.
11.2.2. Data storage and encryption
- passwords stored using strong hashing algorithms (e.g. bcrypt),
- backups encrypted with AES-256 on AWS S3 storage,
- outgoing e-mail traffic protected by TLS (mail.quarma360.com SMTP).
11.2.3. Access protection
- two-factor authentication (2FA) via e-mail codes and, in the mobile app, via push-based login approval with one-time code matching,
- OAuth 2.0 integration with Google and Microsoft identity providers, and "Sign in with Apple" in the mobile app,
- optional biometric unlock (fingerprint / Face ID) in the mobile app, performed entirely on the device by the operating system,
- automatic session timeouts,
- CSRF protection on all forms,
- strong password requirements (minimum 8 characters, upper and lower case letters, numbers).
11.2.4. Application-level security
- validation and sanitisation of all user inputs,
- protection against XSS attacks,
- protection against SQL injection (prepared statements, use of ORM),
- role-based access control (RBAC).
11.3. Organisational security measures
11.3.1. Restricted access rights
| User level | Access |
|---|---|
| NW Business Kft. | full system-level access for technical maintenance and support; access to internal client organisation data only upon explicit client request for troubleshooting purposes |
| Admin (organisation) | access limited to the organisation’s own data |
| Manager (department head) | access limited to data of their own department (if multi-level department management is enabled) |
| CEO | access to aggregated results; access to detailed individual evaluations depends on the organisation’s internal rules |
| Employee | access limited to their own aggregated results (as configured by the employer) |
11.3.2. Monitoring and auditing
- audit trail: logging of key operations (logins, data changes, data exports) with user identifier and time stamp,
- system logs retained for 1 year,
- telemetry-based monitoring for suspicious behaviour (if telemetry is enabled).
11.3.3. Handling data breaches
- person responsible for incident management: Bálint Zeller (Managing Director, responsible for data protection),
- 72-hour notification to the NAIH where a breach is likely to result in a risk to the rights and freedoms of natural persons,
- direct communication to data subjects in the event of high risk,
- incident log, post-incident analysis and implementation of corrective measures.
11.3.4. Staff training
The Controller’s staff receive continuous training in data protection and information security and are bound by confidentiality obligations. Access rights are reviewed regularly.
11.4. Backups
The Controller uses the Laravel Spatie Backup package to perform automatic backups.
| Parameter | Details |
|---|---|
| Frequency | twice daily |
| Retention period | 15 days rolling backup |
| Storage location | Amazon Web Services (AWS) S3, EU region (Frankfurt, eu-central-1) |
| Encryption | AES-256 at rest |
| Restore testing | at least quarterly |
11.5. Cookies
11.5.1. Strictly necessary cookies (no consent required)
| Cookie name | Purpose | Expiry |
|---|---|---|
| laravel_session | maintaining the session, login state | after 2 hours of inactivity |
| XSRF-TOKEN | CSRF protection | 2 hours |
| remember_web_* | “Remember me” functionality | 1 year |
| locale | storing language preference | 1 year |
| org_id | storing organisational context | end of session |
11.5.2. Marketing cookies (consent required)
| Cookie name | Purpose | Expiry |
|---|---|---|
| _clck | Microsoft Clarity – user identification, session tracking | 1 year |
| _clsk | Microsoft Clarity – session data | 1 day |
| CLID | Microsoft Clarity – long-term user identification | 1 year |
Cookie settings can be managed via the “Cookie settings” menu in the website footer. Strictly necessary cookies do not require consent; marketing cookies are only used with the explicit consent of the visitor.
11.6. Mobile application (native iOS/Android app)
11.6.1. Device permissions used
The native mobile application requests only the device permissions strictly necessary for its functionality:
- Notifications – to deliver push notifications (evaluation reminders, login-approval requests, account-related alerts). Notifications can be disabled at any time in the device settings.
- Biometric authentication – where the user chooses to enable biometric unlock, the app uses the device's biometric API (Touch ID / Face ID / fingerprint).
The application does not access the device's camera, photos, microphone, contacts, location or files, and does not use any advertising identifier (IDFA / Android Advertising ID). The application does not perform third-party advertising or cross-app tracking.
11.6.2. On-device biometric processing
Biometric authentication is handled entirely by the device's operating system. The Controller never receives, sees or stores the user's biometric data (fingerprint or facial geometry); the app only receives a yes/no confirmation from the operating system and stores a flag indicating that biometric unlock is enabled for that device. Biometric unlock can be disabled at any time in the app or in the device settings.
11.6.3. Push notifications
Push notifications are delivered through Firebase Cloud Messaging (Google). Only a device-specific push token and the notification content (e.g. "You have a new evaluation to complete") are transmitted to the notification provider; no performance-evaluation data is sent to the provider. See Sections 4.2.6, 7.1 and 7.2.3.
11.6.4. App store distribution and privacy disclosures
The application is distributed via the Apple App Store and Google Play. The privacy disclosures provided in these stores (Apple "Privacy Nutrition Labels" and Google Play "Data Safety") are consistent with this Notice. Account deletion can be requested directly from within the application (profile / account settings) in accordance with the app stores' account-deletion requirements, in addition to the data subject rights described in Section 9.
12. Data Protection Impact Assessment (DPIA)
12.1. Obligation to perform a DPIA
The Controller has performed a Data Protection Impact Assessment under Article 35 GDPR, considering that the Platform involves large-scale processing of employee performance data, behavioural telemetry, AI-based profiling and elements of automated decision-making.
12.2. Identified risks and mitigating measures
| Risk | Likelihood | Impact | Mitigating measure |
|---|---|---|---|
| Data breach | Low | High | HTTPS, encryption, 2FA, DDoS protection, access control |
| Azure OpenAI data processing | Medium | Low–medium | pseudonymisation, EU region usage, SCCs, limited retention |
| Unfair automated decisions | Low | Medium | human review, option to disable AI functionalities |
| Infringement of employee privacy | Medium | Medium | focus on workplace performance only, access restrictions, anonymisation after 3 years |
| Unauthorised internal access | Low | High | RBAC, audit trail, regular review of access rights |
| Data loss | Very low | High | multiple daily backups, redundant storage, regular restore tests |
12.3. Residual risk
Following the implementation of mitigating measures, the residual risk is assessed by the Controller as low to medium and acceptable. Prior consultation with the supervisory authority under Article 36 GDPR has not been required.
12.4. Review of the DPIA
The Controller undertakes to review the DPIA on a regular basis, in particular following major system changes, data breaches, legislative changes or upon recommendation by the supervisory authority, but at least every two years.
13. Amendments, Contact, Governing Law
13.1. Amendments to this Notice
The Controller reserves the right to amend this Notice at any time in line with changes in services, technologies, legal obligations or business practices.
In the case of material changes (e.g. engagement of a new processor, new functionality significantly affecting processing), the Controller will notify registered users at least 30 days before the changes take effect (by e-mail and/or in-platform notifications).
13.2. Contact
For data protection enquiries, requests or complaints, you can contact the Controller at the following contact details:
| Data | Details |
|---|---|
| Data protection responsible person | Bálint Zeller (Managing Director) |
| [email protected] | |
| Phone | +36 70 265 2651 |
| General support | [email protected] |
| Postal address | NW Business Kft., Data Protection Responsible,6500 Baja, Szabadság út 79. 2. emelet 9. ajtó, Hungary |
13.3. Governing law and disputes
This Notice and the Controller’s data processing activities are governed by Hungarian law and directly applicable EU legislation, in particular the GDPR.
In the event of a dispute, the data subject should first attempt to settle the matter amicably with the Controller. If this is not successful, the data subject may lodge a complaint with the NAIH or bring an action before a court having jurisdiction according to their place of residence or habitual residence, or the Controller’s registered seat.
13.4. Final provisions
This Notice enters into force on 12 November 2025.
This Notice is drawn up in Hungarian and English. In the event of discrepancies between the language versions, the Hungarian version shall prevail.
14. Quick Reference Table
| Question | Answer |
|---|---|
| Controller | NW Business Kft., 6500 Baja, Szabadság út 79. 2. emelet 9. ajtó |
| Contact | [email protected], +36 70 265 2651 |
| Location of data storage | EU (Hungary, Slovakia, Frankfurt – AWS S3) |
| AI provider | Microsoft Azure OpenAI Service (EU region, with pseudonymised data) |
| Third countries | Google, Microsoft, Cloudflare – SCC + DPF, data minimisation |
| Retention (employee data) | employment + 3 years, then anonymisation |
| Invoice retention | 8 years (accounting law) |
| Net income storage | yes, only if bonus calculation is enabled; encrypted, for HR purposes |
| Exercising data subject rights | send request to [email protected] (30-day response period) |
| NAIH complaint | [email protected], https://naih.hu |
| Cookie management | “Cookie settings” menu in the website footer |
| Mobile apps | native iOS and Android apps (Apple App Store, Google Play); same functionality as the web version |
| Push notifications | via Firebase Cloud Messaging (Google); device token only, no evaluation data; can be disabled in device settings |
| Biometric login | optional; processed on-device by the operating system; biometric data never transmitted or stored |
| AI usage | automated analysis with deterministic algorithms, human review and opt-out options |
| Strict anonymisation mode | available; disables all AI telemetry |
| Backup retention | 15-day rolling backups; deleted data may remain in backups for up to 15 days |
| DPIA | completed, last review: 12 November 2025 |
Thank you for reading our Privacy Notice. If you have any questions, please contact us at [email protected].