DATA PROTECTION

DATA MANAGEMENT INFORMATION

This privacy notice ("Factsheet") is to enable the data controller to carry out the Brickery Homes project ("Project"), a website for the sale and advertising of residential, storage and carport-type properties (www.brickeryhomes.hu ), contact e-mail address (in particular, but not limited to hello@brickeryhomes.hu and the vevoszolgalat@brickeryhomes.hu) in relation to the processing of personal data ("Contact"), to inform them of the principles of data processing and of the possibilities to exercise their rights.

In compiling this Information Notice, the Data Controller has applied the General Data Protection Regulation 679/2016/EU ("GDPR"), Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information ("Infotv."), Act CVIII of 2001 on certain aspects of electronic commerce services and information society services ("Ekertv."), Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities ("Grt.") and the provisions of Act V of 2013 on the Civil Code ("Civil Code") and the provisions of these laws shall apply to the provisions not specifically set out therein.

1. Name and contact details of the controller

The personal data is collected by the property owner and project investor, Lynx Real Estate Kft ("Investor", 1133 Budapest, Váci út 110.), acting on behalf of and on behalf of the Hungarian Real Estate Investment Ltd.

Head office: 1133 Budapest, Váci út 110.

Phone: (+36-1) 688-1700

E-mail: info@mibportal.hu

Internet: www.mibportal.hu

2. Principles of data management

The Data Controller shall develop its data management practices and procedures in accordance with the following principles:

2.1 Lawfulness, fairness and transparency: the Data Controller shall process the data only lawfully, fairly and in a transparent and disclosable manner to the Data Subject.

2.2 Purpose limitation: the Data Controller collects the Data Subject's data only for the purposes set out in point 4 and does not process them in a way incompatible with those purposes.

2.3.Data economy: the Data Controller will only process data that are relevant for the purposes indicated above and will only process them to the extent necessary.

2.4 Accuracy: the Data Controller will take all reasonable steps to ensure that only accurate and up-to-date personal data about the Data Subject is processed and will correct inaccurate data without undue delay.

2.5. Limited storage: the Data Controller will store personal data only for the period strictly necessary and lawful for the purposes set out in this Notice.

2.6 Integrity and Confidentiality: the Data Controller shall ensure that appropriate technical or organisational measures are in place to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage.

3. Rights of the Data Subject

In relation to the personal data, the Data Subject has the following rights as set out in each article of the GDPR:

3.1 You may withdraw your consent to the processing based on your consent at any time, in the same way as you have given it, but such withdrawal shall not affect the lawfulness of the processing that took place before the withdrawal of consent (Article 7(2)).

3.2 You may request access to personal data concerning you (Article 15).

3.3 You have the right to request the correction of personal data concerning you by the Data Controller, who is obliged to correct them without undue delay. Taking into account the purposes of the processing, the Data Subject also has the right to request the completion of incomplete personal data, including by means of a supplementary declaration (Article 16).

3.4. the right to obtain from the Controller the erasure of personal data concerning him/her (Article 17).

3.5. the right to request the restriction of the processing of personal data concerning him/her (Article 18).

3.6 You have the right to request information from the Controller about the recipients who have been notified by the Controller in connection with the rectification, erasure or restriction of personal data (Article 19).

3.7 He/she has the right to the processing of personal data relating to him/her (Article 20).

3.8. the right to object to the processing of personal data concerning him/her by the Controller (Article 21).

3.9 The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (Article 22).

3.10. The right to prompt, clear and comprehensible information from the Data Controller in the event of a personal data breach (Article 34).

4. Purpose, legal basis, duration, scope of data processed

4.1. Contacting and maintaining contact

The Company sells real estate by potential buyers filling in the contact form on the website, by applying to the e-mail addresses and telephone numbers indicated on marketing interfaces, or from third party service providers (such as, but not limited to: ingatlan.com, otthonterkep.hu, ujotthon.hu, koltozzbe.hu)), to assess the needs of the data subjects, to prepare and send them personalised offers and, on this basis, to establish the contact prior to the conclusion of the sales contract, the following data are necessary in advance for the purposes of the contact, which the Data Controller processes for the following purposes, legal basis and duration.

PURPOSE OF PROCESSING	LEGAL BASIS FOR PROCESSING	THE SCOPE OF THE DATA PROCESSED	DURATION OF PROCESSING
To contact and maintain contact with a person interested in a specific property or in projects carried out by the Data Controller.	Voluntary consent of the data subject pursuant to Article 6(1)(a) GDPR.	full name, phone number, email address, interests, message concerned, access IP address.	10 working days from the withdrawal of consent.

4.2. Newsletters

If the Data Subject consents by ticking this option on the website, the Data Controller will send newsletters for direct marketing or information purposes to the email address provided during registration. The purpose of the processing is to regularly send to the Data Subjects who subscribe to the electronic newsletter electronic newsletters presenting and promoting the Data Controller and its services and other information on the real estate market, housing culture, financing and support options and other information of public interest, through which the Data Controller Company contacts natural persons via direct-to-consumer channels, sending advertising material and information related to its activities, with the aim of promoting its own brand, boosting its commercial activities and serving the needs of the data subject as fully as possible. The related data processing concerns the following data and is carried out for the following period.

PURPOSE OF PROCESSING	LEGAL BASIS FOR PROCESSING	THE SCOPE OF THE DATA PROCESSED	DURATION OF PROCESSING
Sending information on other real estate development projects of the Data Controller, market news.	Voluntary consent of the data subject pursuant to Article 6(1)(a) GDPR.	full name, email address.	10 working days from the date of withdrawal of consent or until the termination of the newsletter service.

4.3. "Cookies"

The website uses anonymous user identifiers, so-called "cookies", to provide a personalised service. A cookie is a series of signals, information files, which are placed on a user's computer by service providers to allow a website to record information about a user's browsing habits (e.g. to store user preferences and settings; to help with login; to display personalised ads and to analyse the functioning of the website). However, the sequence of signals stored in a cookie is only capable of recognising the user's computer and cannot identify the user individually.

The content of the cookies is securely protected against access by third parties by means of a high level of encryption, the cookies do not contain viruses and do not cause damage to the Data Subject's computer.

When you first visit the website, a notice will pop up at the bottom of the screen informing you that the site uses cookies, which you can accept by clicking on the "Accept" button, and therefore the legal basis for the processing of all types of cookies is the GDPR.6. For all types of cookies, the legal basis is Article 6(1)(a) of the GDPR, the data subject's voluntary consent and, in the case of cookies used for performance measurement, targeting or advertising, Article 6(1)(f) of the GDPR, the legitimate interests of the Data Controller to improve its IT system, to compile anonymised statistics and analyses, to boost its commercial activities and to promote its brand to a wider audience. In the absence of consent, or in the event of withdrawal of consent previously given, the website will not place cookies on the user's device.

We classify the cookies used on our sites into the following categories:

Strictly necessary cookies (session/session cookies)

These cookies are necessary for browsing the website, using its functions and to remember the actions you have taken on the site. They are always valid only during a given visit, they are automatically deleted from the computer at the end of the session or when the browser is closed, no personal data relating to the user is recorded, only the data and activity that occur during the session on the website.

Cookies for measuring performance

The website's traffic and web analytics data are analysed by the Data Controller using Google Analytics cookies in order to develop and improve the website according to the visitors' habits. These cookies cannot specifically identify visitors, collect anonymous information, record IP address, website path, time and duration of the visit and are stored for up to 2 years.

Functional cookies

They make the website easier and more enjoyable to use, aiming to ensure a higher quality of operation, provide personalised services, enhance the user experience so that the cookie information does not have to be repeatedly accepted. No personal data relating to the user will be recorded, only the data and activity occurring during the session spent on the website, which will be stored for a maximum of one month.

Cookies used for targeting or advertising

Their aim is to provide visitors with information that may be of interest or relevance to them through their search or website visit history. These cookies also do not specifically identify visitors, collect anonymous information, record IP address, website path, time and duration of the visit and are stored for up to 2 years.

Third shot of cookies

During the use of the website, cookies from 3rd parties (in particular, but not exclusively, from Facebook, Google, Hotjar servers) may be placed on the data subject's device to facilitate the sharing of content on social networking sites, the creation of visitor statistics and other marketing activities. These cookies cannot specifically identify the visitors, they record the IP address, the website path, the time and duration of the visit and are stored for up to 2 years. If the browser returns a previously saved cookie, the cookie management service provider has the possibility to link the user's current visit to previous visits to websites where the cookie of the external service provider is used. The Data Controller is not responsible for the content and operation of other external websites and does not control third party sites.

These cookies are only sent by the Data Controller when you visit certain subpages and are only used to store the fact and time of your visit to that subpage. The website also uses Google AdWords remarketing cookies to target visitors with relevant ads on pages in the Google Display network.

To ensure the proper and user-friendly operation of websites, most browsers automatically accept cookies, which can be deleted, restricted or disabled by the user in the browser settings. The processing based on the legitimate interest of the Data Controller concerns personal data, the recording of which is normal in the operation of information technology systems. The logging of the system is automatic and data is processed manually only in the event of an IT incident. Due to the significant number of unauthorised access attempts to the administration interface of the Website and attacks aimed at preventing the operation of the Website, the legitimate interest of the operating domain owner, in addition to the above, is to prevent access to the networks used for attacks, to filter and block unauthorised access attempts. The legitimate interest in the processing of the data outweighs the potential risks associated with the processing of the User's data, according to the interest balancing test of the Data Controller.

4.4. Recipients of personal data

As a general rule, the Data Subject's personal data may be disclosed to the Data Controller's staff (employees or other persons employed or engaged in other employment relationships and support staff) to the extent necessary for the performance of their tasks. The sharing of personal data with this category of recipients is indispensable for the purposes of the processing as set out above.

In exceptional and justified cases, the following categories of addressees, among others, may also be entitled to access personal data to the extent necessary in cases arising in the context of the operation of the Data Controller:

law firms or individual lawyers representing the Data Controller in the performance of their duties in the framework of their mandate, based on the need for professional resolution of disputes and preparation of transactions,
the persons providing the IT and telecommunications support to the Data Controller, employed in the course of their duties, whether in the context of a contract or other legal relationship, given that they are responsible, inter alia, for the operation of the records detailed above, and therefore access to the data is essential (in particular, but not exclusively, Meloditech Kft, 1133 Budapest, Váci út 110, company registration number: 01-09-385593, tax number: 29274873-2-41, and United Consult Zrt., 1117 Budapest, Dombóvári út 26, company registration number: 01-10-141235, tax number: 29139727-2-43),
the controller's respective accounting firm or the controller's respective auditor, in the course of their duties, inevitably have access to certain data to enable or verify compliance with the controller's accounting and company law obligations
companies in a legal relationship with the Data Controller for marketing, process control, organisational and other operational reasons, who ensure the operation of marketing activities and records, so that access to their data is essential (in particular, but not exclusively, In-Management Service Provider Ltd, Váci út 110, 1133 Budapest, company registration number: 01-10-142114, tax number: 32138616-2-41, and Ingressus Kft., company registration number: 13-09-133711, tax number: 14043411-2-13, 2366 Kakucs, Fő utca 155).

Furthermore, the Data Controller will only disclose the personal data of the Data Subject to public authorities, state bodies (prosecution, court, police, investigative authority, tax authority, law enforcement authority, etc.), only upon explicit request or in the case of reasonable suspicion of a criminal offence, in the context of the fulfilment of the legal obligations incumbent upon him/her (including under Act CL of 2016 on the General Administrative Procedure, Act CL of 2017 on the Taxation Procedure, Act XC of 2017 on Criminal Procedure and Act CXXX of 2016 on the Civil Procedure).

The persons listed in the preceding paragraphs are bound by confidentiality obligations and by the obligation to comply with the applicable data protection laws, and receive appropriate training from the Data Controller on the proper handling of the data. Processors shall not take any substantive decisions regarding the processing of personal data, shall process personal data of which they become aware only in accordance with the instructions of the Controller and shall not process personal data for their own purposes. In addition, the recipients or processors are subject to their own data protection rules, for which the Data Controller is not responsible.

In the event that the Data Subject wishes to enter into a contract in relation to the real estate advertised by the Data Controller, the Data Controller is entitled to transfer the Data Subject's personal data necessary for the conclusion of the contract to the companies cooperating in the framework of real estate developments coordinated by the Data Controller. The Data Controller shall separately inform the Data Subjects of the exact recipient of the personal data and the circumstances of the transfer. In all cases where the Data Controller intends to use the data provided for purposes other than those for which they were originally collected, the Data Subject shall be informed without delay and shall obtain his or her prior explicit consent or shall be given the opportunity to oppose such use. The Data Controller's IT system may collect data about the Data Subject's activity, which cannot be linked to data generated by users when using other websites or services.

5. Data security

The Data Controller is committed to processing personal data in the course of its operations only if it is necessary and justified for the performance of its activities and the purpose of the processing cannot be achieved in any other way. The Data Controller undertakes to process the personal data of the Data Subject in an accurate, lawful, fair and transparent manner. The Data Controller shall design and implement the processing operations in a way that ensures the protection of the Data Subject's privacy when applying the GDPR and other rules applicable to data processing.

The Data Controller shall ensure the security of the data, take the technical and organisational measures and establish the procedural rules necessary to enforce the GDPR and other data protection rules.

The personal data processed are stored on paper or electronically in the IT systems provided by the Data Controller or the person indicated in this Notice, at the headquarters of the company or the operator or on servers rented by them. The Data Controller shall ensure that the personal data of the Data Subject are adequately protected by appropriate information security measures against unauthorised access, alteration, disclosure, transmission, disclosure, erasure or destruction, or accidental destruction or damage, and against inaccessibility due to changes in the technology used. The IT systems and networks of the controller and its partners are protected against computer fraud, computer viruses, computer intrusions and attacks leading to denial of service, as are the archives where personal data are stored on paper, which are protected by a camera system and a guard service. The operator ensures security at server and application level, with daily data backups. To avoid data breaches, the Data Controller takes all possible measures, access to personal data stored in locked computer registers is restricted to authorised persons only, as access to the system is based on a username and password provided by the Data Controller, and paper storage is in a secure building in a locked room, protecting personal data from unauthorised access. This solution ensures that data cannot be accessed by anyone other than those authorised to access it.

The Data Controller shall select and operate the IT tools used for the processing of personal data in the course of providing the service in such a way that the processed data is: accessible to those authorised to access it (availability), authenticity and authentication are ensured (authenticity of data processing), its integrity is verifiable (data integrity), and it is protected against unauthorised access (data confidentiality).

The Data Controller does not verify the personal data provided by the Data Subject, and the Data Subject is solely responsible for their correctness. When providing his/her e-mail address, the Data Subject shall be responsible for ensuring that he/she is the only one using the services from the e-mail address provided. If the Data Subject provides personal data to the Data Controller by using the services of a third party service provider (e.g. through a social media platform, advertising engine, intermediary site), the processing of the data may be subject to the privacy policy and other terms of use of the service concerned. In this regard, the Data Controller shall not be liable.

The personal data submitted in the contact form and subsequently processed are stored and consent (subscriptions and unsubscriptions) are recorded electronically on the IT systems provided by the Data Controller or the person indicated in this Notice, in particular in the context of the Google Cloud service (operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, electronic contact: https://cloud.google.com/privacy/gdpr) and in the Salesforce system and, in the case of processing based on voluntary consent to subscribe to marketing and advertising newsletters, in MailChimp software (operated by The Rocket Science Group, LLC, headquarters: 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA, e-mail contact: https://mailchimp.com/contact), and in the case of contracts, in the JIRA system (operator: Ingressus Ltd.) and in the password-protected, closed IT system of the Data Controller stored in Microsoft-based records and software (Excel, Word, Outlook format).

6. Remedies

In the event of unlawful processing, the Data Subject may in the first instance contact the Data Controller's contact person by post to the Data Controller's headquarters (1133 Budapest, Váci út 110.) or by e-mail to the following address: info@mibportal.hu

In the event of failure of the consultation with the Data Controller, the Data Subject may bring a civil action against the Data Controller. The court having jurisdiction and competence to hear the lawsuit is determined by Act CXXX of 2016 on the Code of Civil Procedure. The lawsuit may also be brought before the court of the Data Subject's place of residence, at the Data Subject's option.

Without prejudice to the right to other legal remedies, each Data Subject also has the right, if he or she considers that the processing of personal data concerning him or her infringes the GDPR, to lodge a complaint with the supervisory authority of the Controller in the manner published by the Controller:

National Authority for Data Protection and Freedom of Information (NAIH)

address: 1055 Budapest, Falk Miksa utca 9-11

postal address: 1363 Budapest, Pf.: 9.

your e-mail address: ugyfelszolgalat@naih.hu

telephone number: +36 (1) 391-1400

fax number: +36 (1) 391-1410

website: www.naih.hu

The Data Controller publishes this Notice in electronic form on the website www.albion32.hu or sends it in electronic form to the e-mail address provided by the Data Subject at the start of any processing, thereby fulfilling its obligation to provide information under the GDPR.

The Data Controller reserves the right to amend this Policy unilaterally, with effect from the date of the amendment, by giving the Data Subject adequate prior notice. This may be necessary in particular, but not limited to, where required by changes in legislation, data protection authority practices, business or process organisation needs, new processing purposes, newly identified security risks or feedback from data subjects.

Dated: Budapest, 2025.04.17.

Version number: 1.0.