Privacy Policy

1. Identification of the Data Controller

Name of the Data Controller: DualWing Forestry Limited Liability Company (hereinafter: the “Data Controller”)
Registered office: 9730 Kőszeg, Bem József Street 4.
Company registration number: 18-09-116394
Tax number: 32830693-2-18 / HU32830693
Representative: Fekete Gellért
E-mail: info@dualwingforestry.hu
Website: https://www.dualwingforestry.hu

The Data Controller processes personal data in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.), and the guidelines issued by the Hungarian National Authority for Data Protection and Freedom of Information (NAIH).

2. Scope and Applicability of this Notice

This Privacy Notice provides detailed information about the personal data processing activities carried out by the Data Controller, including their purposes, legal bases, duration, the rights of data subjects, and available remedies. This Notice is valid for an indefinite period of time. The current version is always available on the website.

Scope of data subjects: clients, partners, customers, website visitors, employees, subcontractors, and any natural persons whose personal data are processed by the Data Controller in the course of its activities.

3. Categories of Personal Data Processed and Methods of Collection

The table below provides an overview of the categories of data, methods of collection, and examples.

3.1. Clients / Partners / Customers

• Data types: name, company name, job title, postal address, mailing address, e-mail address, phone number, tax number, bank account number, order-related data, contractual documents, geographic/location identifiers (parcel numbers, coordinates).

• Method of collection: at contract conclusion, when requesting a quotation, via e-mail/order forms, during personal consultations.

3.2. Drone and Sensor Data, Geospatial Information

• Data types: aerial imagery (RGB/NIR/RE images), point clouds (LAS/LAZ), orthophotos, DEM/DTM, NDVI and other indices, location coordinates. Recordings may incidentally include images of individuals or vehicles.

• Method of collection: on-site recording, data collection using drones/sensors based on client orders.
  
  

3.3. Employees and Subcontractors

• Data types: name, date of birth, mother’s name (if required), personal identification details, social security/tax identification number, bank account number, employment contract, performance data, qualification documents related to the work performed.

• Method of collection: employment contracts, internal HR processes.
  
  

3.4. Website Visitors (logged by the website)

• Data types: IP address (for logging purposes), server logs (date, time, queries), name, e-mail address, and phone number provided through forms.

• Note: The Data Controller does not currently use cookie-based tracking (cookies are not applied), except if later business needs require it — in such cases, a separate Cookie Notice will be issued.

The Controller uses Google Analytics on the website in order to analyse website traffic, usage and performance. In this context, cookies and similar technologies may be used to collect data, in particular information relating to the visitor’s device, browser, IP address, pages viewed, session duration, and interactions performed on the website. Except for strictly necessary cookies, cookies are only used on the basis of the data subject’s prior consent.

3.5. Special Categories of Personal Data (Sensitive Data)

• The Data Controller does not process special categories of personal data (e.g., health data, racial/ethnic origin, political opinions, religion, biometric data), unless required by law or explicitly and lawfully consented to by the data subject.

4. Purposes and Legal Bases of Data Processing

The purposes of data processing are assigned to specific legal bases as follows: 

4.1. Performance of a Contract (GDPR Article 6(1)(b))

• Purposes: fulfillment of orders, conducting on-site surveys, delivery of reports and final products, invoicing.

• Data processed: client contact details, contractual data, invoicing data, site/location data.
  
  

4.2. Legal/Statutory Obligations (GDPR Article 6(1)(c))

• Purposes: compliance with accounting obligations, tax returns, employment obligations.

• Data processed: invoicing data, employee data.
  
  

4.3. Consent-Based Marketing and References (GDPR Article 6(1)(a))

• Purposes: sending newsletters, targeted offers, inclusion of names/client projects in reference materials.

• Data processed: e-mail address, name, partial project details.

• Note: Consent is voluntary and can be withdrawn at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
  
  

4.4. Legitimate Interest (GDPR Article 6(1)(f))

• Purposes: improving service quality, research and development (in anonymized form), protection against fraud and abuse, internal administration, security measures.

• Data processed: usage data, service performance data, technical logs.

• Balancing test: The Data Controller ensures that legitimate interests do not override the fundamental rights of data subjects.
  
  

4.5. Research / Data Transfer Purposes (Special Rule)

• Any data transferred for research purposes is anonymized (excluding personal identification, in aggregated/parametric form — e.g., biomass values, NDVI averages by area), so that no conclusions can be drawn about a specific client, site, or individual.

• Legal basis: legitimate interest (GDPR Article 6(1)(f)) or explicit consent, depending on the nature of the data and whether it can be linked to an individual.

4.6. Cookies and web analytics

• Purpose: analysing the operation of the website, improving user experience, preparing visitor statistics, and developing the website.

• Legal basis: the data subject’s consent (Article 6(1)(a) GDPR) with regard to non-essential analytical cookies.

• Categories of data processed: shortened / masked IP address, device and browser data, approximate geographic location, pages visited, session data, events and interactions.

• Retention period: according to the retention period configured in Google Analytics and until the withdrawal of the data subject’s consent.

• The data subject may withdraw consent to the use of cookies at any time by changing the cookie settings.

5. Data Processors and Data Processing Agreements

The Data Controller engages external data processors. Written, GDPR-compliant Data Processing Agreements (DPAs) are concluded with all processors.

Main Data Processors:

• Logner Könyvvezető Kft. – bookkeeping, data processing related to invoicing. (Processing purpose: accounting and invoicing data.)

• Google Ireland Ltd. – Google Workspace, Google Drive services; e-mail and document storage. Data transfers outside the EU (if any) are carried out under agreements with Google and based on Standard Contractual Clauses (SCC).

• tárhely.eu – website and server hosting provider.

• Subcontractors – external drone pilots, field experts; access to data is limited to what is necessary for task completion and subject to confidentiality obligations.

Detailed information on data processors (registered seat, company registration number, responsible persons) is maintained by the Data Controller and made available to data subjects upon request.

6. Data Transfers to Third Countries

If any data processor transfers or stores data outside the EU (e.g., in the case of certain Google services), the Data Controller ensures compliance with the legal safeguards set out in Article 46 of the GDPR (e.g., Standard Contractual Clauses – SCC) and follows the guidance of the European Commission and the Hungarian National Authority for Data Protection and Freedom of Information (NAIH). The fact and legal basis of the data transfer, as well as the name of the foreign data processor, will be made available to the data subject upon request.

7. Data Retention Periods

The Data Controller retains personal data only for as long as necessary to achieve the processing purpose, or for the period required by law:

• Contractual documents, invoices, accounting materials: 8 years (as required by accounting regulations).

• Client contact data: for the duration of the contract; may be archived for 1 year after contract termination, unless a longer retention period is required by law.

• Drone recordings, raw data: by default retained for a maximum of 1 year after project completion, unless the Client provides written instructions otherwise or a longer period is required by law. Data transferred for research purposes in anonymized/aggregated form may be stored for longer, but always in a way that excludes personal identification.

• Marketing data (newsletter subscriptions): until consent is withdrawn, or immediately upon request for deletion.

• Employee data: according to retention periods required by labor law and other applicable legislation (e.g., payroll records, tax documentation).

• Web server logs / IP logs: for security purposes, stored for a maximum of 6–12 months, unless an investigation or legal procedure justifies longer retention.

8. Security and Technical-Organizational Measures

To protect personal data, the Data Controller applies the following measures:

Organizational measures:

• internal data protection policy and access control policy;

• data protection and security awareness training for staff;

• confidentiality obligations for employees and subcontractors;

• data protection incident response manual and designated responsible person.
  
  

Technical measures:

• role-based access control;

• VPN and firewall protection on internal networks;

• data encryption (REST/HTTPS, encryption of stored sensitive data);

• regular backups and disaster recovery plan;

• logging and audit capabilities (audit logs).

Processor compliance:

All data processors are bound by written Data Processing Agreements (DPAs), which include GDPR obligations (processing under instruction, technical and organizational safeguards, incident reporting, confidentiality).

9. Handling of Data Protection Incidents (Data Breach Protocol)

In the event of a data protection incident (e.g., unauthorized access, data loss, data leakage), the Data Controller will:

1. Immediately conduct an internal investigation to assess the cause and impact of the incident.

2. If the incident is likely to pose a risk to the rights and freedoms of data subjects, notify the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) within 72 hours. The notification will include the nature of the incident, its likely consequences, and the measures taken.

3. If the incident poses a high risk to data subjects, the Data Controller will also directly inform the affected individuals about the incident and mitigation steps (e.g., what actions they can take for their own protection).

4. Maintain an incident log, establish a follow-up action plan, and carry out a repeated risk assessment.

10. Rights of Data Subjects and Procedures for Exercising Them

Data subjects are entitled to exercise the rights granted to them under the GDPR. The detailed rules for exercising these rights are as follows:

10.1. Right of Access (GDPR Article 15)
Data subjects may request confirmation as to whether the Data Controller processes personal data about them. If so, they may request access to such data and related information (purpose, legal basis, categories, recipients, storage period).

10.2. Right to Rectification (Article 16)
Data subjects may request the correction of inaccurate personal data. The Data Controller will act without undue delay.

10.3. Right to Erasure / Right to be Forgotten (Article 17)
Data subjects may request the deletion of their personal data if the conditions are met (e.g., consent withdrawn, data no longer needed). The Data Controller will carry out deletion and, upon request, inform other controllers that deletion has taken place (where technically feasible and proportionate).

10.4. Right to Restriction of Processing (Article 18)
Data subjects may request restriction of processing in certain cases (e.g., contesting accuracy).

10.5. Right to Data Portability (Article 20)
Where processing is automated and based on contract or consent, data subjects may request to receive their data in a machine-readable format or transfer it to another controller.

10.6. Right to Object (Article 21)
Data subjects may object to processing where the legal basis is legitimate interest. In such cases, the Data Controller will review the objection and either stop processing or explain why processing must continue.

10.7. Right to Withdraw Consent
Consent can be withdrawn at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

10.8. Remedies and Complaints
If a data subject disagrees with the response received, they may file a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) or seek remedy through the courts.

Exercise of rights:

• Requests can be submitted via e-mail to info@dualwingforestry.hu or by post to the registered office.

• The Data Controller’s response deadline: 30 days. In complex cases or where multiple requests are involved, an additional extension of up to 2 months may apply, with prior notification to the data subject.

• The Data Controller may require documents necessary to verify identity to prevent unauthorized disclosure of data.

11. Data Protection Officer (DPO) / Contact Person

DualWing Forestry Kft. has not formally appointed a Data Protection Officer (DPO), as its activities do not fall under the mandatory cases defined by the NAIH.

Primary contact for data protection matters: info@dualwingforestry.hu

All data protection-related requests should be sent to this contact. If a DPO is appointed in the future, their details will be published on the website.

12. Cookie- és webanalitikai nyilatkozat

• Cookies are used on the DualWing Forestry website. Strictly necessary cookies serve the proper functioning of the website, while analytical cookies are used through Google Analytics to collect information about the use of the website. Such data is used in particular for preparing visitor statistics, analysing user behaviour, and improving the website.

• When using Google Analytics, the Controller endeavours to ensure that IP addresses are processed in anonymised or shortened form. Google, acting as a data processor, processes data collected through cookies in accordance with its own data processing terms.

• Analytical cookies are only used on the basis of the data subject’s prior consent. The data subject may withdraw or modify such consent at any time through the cookie settings.

13. Remedies and Legal Options (NAIH, Courts)

Data subjects are entitled to file a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH):

• Address: 1055 Budapest, Falk Miksa Street 9–11.

• E-mail: ugyfelszolgalat@naih.hu

• Websites: https://www.naih.hu

In addition, data subjects may also enforce their rights through court proceedings at the competent court of their residence or at the seat of the Service Provider.

14. Documentation and Agreements with Data Processors

The Data Controller maintains internal records of all data processing activities (Record of Processing Activities) in relation to each data processor and has concluded Data Processing Agreements (DPAs) in compliance with the GDPR. Upon request, the Data Controller will provide data subjects with details regarding the responsible persons and contractual information of the data processors involved.

15. Special Provisions for Drone Recordings

1. Recording: All on-site drone recordings are carried out based on the Client’s explicit order and consent. The contract specifies the purpose of the recording and the intended use of the data.

2. Anonymization: During the processing of raw materials (images, point clouds), the Data Controller anonymizes any identifiable information (faces, license plates, unique site identifiers — where feasible), unless the Client expressly authorizes identifiable use in writing.

3. Data transfer for research: Data packages transferred for research, scientific analysis, or industrial development are provided exclusively in anonymized, parametric form (e.g., area-averaged NDVI values, biomass data, aggregated statistics), ensuring that no Client or geographic location can be identified.

4. Storage and deletion: Raw recordings are stored by default for a maximum of 1 year. If the Client requests otherwise, this will be specified in the contract. Deletion of raw data is carried out in a documented manner.

16. Amendments and Entry into Force

The Data Controller reserves the right to amend this Privacy Notice. Any changes will be published on the website, with the date of entry into force clearly indicated. Amendments become applicable from the date of their publication.

Effective date: September 15, 2025

17. Contact and Administration – Summary

• For questions or requests: info@dualwingforestry.hu

• Postal address: 9730 Kőszeg, Bem József Street 4.

• Supervisory Authority (NAIH): ugyfelszolgalat@naih.hu, https://www.naih.hu

Date of issue: March 23, 2026