Privacy Policy

in connection with the use of the ORBIS mobile and tablet application

Effective: April 17, 2026 (v2.0)

1. DATA PROCESSING PRINCIPLES

Deep Layer Lab Ltd. (hereinafter referred to as the Data Controller) highly values the trust of its customers and partners, therefore it pays special attention to the protection of personal data. It is committed to handling the data of the data subjects responsibly, transparently and in accordance with applicable laws. It takes all necessary measures to protect personal data from unauthorized access, loss or misuse.

The purpose of this data management notice (hereinafter: Notice) is to ensure that all persons using the services provided by making the ORBIS mobile and tablet application (hereinafter: Application) accessible and usable, regardless of their nationality or place of residence, are guaranteed the right to informational self-determination and the right to the protection of personal data within the scope defined by law.

This Notice forms an inseparable annex to the General Terms and Conditions of Deep Layer Lab Kft. (v3.0 or later, hereinafter referred to as: GTC) and shall be interpreted in accordance with the data processing roles set out in Section 11 of the GTC, in particular Section 11.2.

1.1. Personal and material scope of the Notice

This Notice applies to all natural persons whose personal data is processed by the Data Controller in connection with the use of ORBIS. The material scope covers all data processing activities carried out in connection with the use of the Application.

1.2. Data of the Data Controller

Data controller: Deep Layer Lab Ltd.

Headquarters: 1137 Budapest, Pozsonyi Street 22. Floor 3. Door

Company registration number: 01-09-445714

Tax number: 32845446-2-41

Email: info@deepplayerlab.io

Represented by: Zoltán Péter Füredi, Managing Director

The Data Controller is not obliged to appoint a Data Protection Officer (DPO) – subject to Article 37(1) of the GDPR – and has not appointed a DPO at this time.

1.3. Governing laws

During data processing, the Data Controller applies the following laws:

a) Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR);

b) Act CXII of 2011 on the right to informational self-determination and freedom of information (Infotv.);

c) Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society;

d) Act V of 2013 on the Civil Code;

e) Act CL of 2017 on the Taxation System and the legislation issued for its implementation;

f) Act C of 2000 on Accounting and the legislation issued for its implementation;

g) Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activities;

h) Government Decree 373/2021. (VI. 30.) on the detailed rules for contracts between consumers and businesses for the sale of goods, the provision of digital content and the provision of digital services;

i) Regulation (EU) 2024/1689 of the European Parliament and of the Council on harmonised rules on artificial intelligence (AI Regulation).

2. DEFINITIONS

For terms not defined in this Notice, the definitions set out in Article 4 of the GDPR apply. The main terms are:

a) “data processing” (Article 4(2) GDPR): any operation performed on personal data (collection, recording, storage, use, disclosure to others, etc.);

b) “data controller” (Article 4(7) GDPR): the person who determines the purposes and means of the processing of personal data;

c) “data processor” (Article 4(8) GDPR): a person who processes personal data on behalf of the controller;

d) “consent of the data subject” (Article 4(11) GDPR): any freely given, specific and unambiguous indication of the data subject’s wishes, based on adequate information;

e) “personal data” (Article 4(1) GDPR): any information relating to an identified or identifiable natural person;

f) “sensitive data” (Article 9 (1) GDPR): data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric identification, health or sex life;

g) “User”: a natural person designated by the Customer to use the Application.

3. DATA PROCESSING ACTIVITIES, ROLES

3.1. Data management roles (Section 11.2 of the GTC)

In connection with the operation of the ORBIS Application, the Data Controller:

a) acts as an independent data controller with regard to the data of the Customer’s (business partner) representatives and contacts;

b) acts as an independent data controller with respect to the data of Users designated by the Customer – unless otherwise agreed – limited to its own Application operation and service purposes; however, the Customer itself is also considered an independent data controller with respect to its own data processing for employer or organizational purposes;

c) in the case of a unique, dedicated configuration (e.g. unique server placement, closed hosting) – based on the express agreement included in the case contract – the Service Provider acts as the data processor of the Customer; in this case, the Parties shall conclude a data processing agreement (DPA) whose content complies with Article 28 of the GDPR, using the template in Annex 2 to the GTC.

3.2. Purposes of data processing

The Data Controller processes personal data for the following purposes:

a) operating ORBIS user accounts and functions, providing the service;

b) training, developing and improving the accuracy of the AI model (only with the express consent of the data subject);

c) ensuring the security of the service, troubleshooting, and preventing abuse;

d) fulfillment of legal obligations (accounting, tax obligations, complaint handling);

e) maintaining contact with the Customer within the framework of the business relationship.

3.3. Legal basis for data processing

a) GDPR Article 6 (1) point b) – performance of the contractual relationship with the Customer or the User (operation of a user account);

b) GDPR Article 6(1)(a) – the data subject’s voluntary, explicit consent to the use of images for training the AI model;

c) GDPR Article 6 (1) (f) – the legitimate interest of the Data Controller in the security, operation, development and prevention of abuse of the service;

d) GDPR Article 6 (1) point (c) – fulfillment of a legal obligation (accounting, tax, complaint handling obligations).

3.4. Scope of personal data processed

a) User profile: email address, username, password (stored in encrypted form, using SHA-256 or a stronger hash algorithm).

b) User Content (Uploaded Images): photos and their metadata created or uploaded by the User in the Application. The images are solely related to the intended use of the Application (identification of 3D printed parts).

AI model training use. The Data Controller may use the images uploaded by the User – only with the express, prior, voluntary consent of the Customer and/or the User – to train, develop and improve the accuracy of the AI model. In the absence of consent, such use will not take place. Consent can be withdrawn at any time, without giving reasons, free of charge (info@deepplayerlab.io); withdrawal does not affect the lawfulness of data processing prior to withdrawal.

c) Financial and billing data: billing name, address, tax number, bank account details. The purpose is payment for the service, completion of payment transactions and fulfillment of accounting obligations.

d) Device and Internet usage data: device identifier, operating system type and version, IP address, language settings, access logs. The purpose is to ensure the security and performance of the Application and to prevent abuse.

3.5. Special data

The Data Controller does not process sensitive data pursuant to Article 9(1) of the GDPR in the course of its intended operation. If the image uploaded by the User accidentally contains sensitive data, the Data Controller will delete it upon request or ex officio.

4. COOKIES AND SIMILAR TECHNOLOGIES

The Data Controller may use cookies and similar techniques on its website and in the Application that allow the identification of the browser or device. A cookie is a small text file that is sent to the User’s computer or mobile device and automatically saved by the browser.

Types of cookies used:

a) session cookies: they are used only during a session and are automatically deleted after leaving the website;

b) persistent cookies: they store user settings and other information for a specific period of time (for example, two years).

The User can refuse cookies in their browser settings, save them only for one session, or delete them prematurely. If the User disables cookies, certain functions (e.g. language settings, automatic login) may not be available.

Note: the website is under development; the specific cookie list will be finalized at the same time as the live version of the website is released, and the Data Controller will then publish a detailed cookie statement.

5. AI MODEL TRAINING AND DEVELOPMENT CONTRIBUTORS

5.1. Development team

The ORBIS AI model is trained and further developed by the Data Controller’s development team. The legal status of the members of the development team (internal employee, agent, sub-processor) is published in the list of sub-processors specified in Section 6, in accordance with Section 18.4 of the GTC.

5.2. Source of training data

Only those images are used for training the AI model for which the Customer and/or the User has given their express consent in accordance with point 3.4. b). The Data Controller strives to pseudonymize the images used during model training, where this is possible due to the nature of the data.

5.3. AI Regulation Compliance

ORBIS qualifies as a limited risk AI system within the meaning of Regulation (EU) 2024/1689 (AI Regulation). The Controller complies with the transparency requirements of Article 50 of the AI Regulation: the User is informed that he/she is interacting with an AI system, about the decision-making nature of the Application, and that the results are probabilistic and require human review.

6. SUB-PROCESSORS, FURTHER CONTRIBUTORS

The Data Controller may use sub-processors during data processing – in order to ensure the technical conditions of the service. The sub-processors act solely on the instructions and for the purposes of the Data Controller, based on a written contract pursuant to Article 28 of the GDPR.

Categories of currently used sub-processors (specific service provider names and locations are listed on the up-to-date list published on the Service Provider’s website):

a) cloud hosting and storage provider (data category: user account data, images, system logs);

b) payment service provider (data category: billing and financial data – exclusively to the extent necessary to carry out the transaction);

c) email and notification service provider (data category: email address, subject of communication);

d) billing system provider (data category: billing data);

e) AI model training infrastructure provider, if used (data category: pseudonymized images).

The Data Controller undertakes to immediately update the list published on its website in the event of the involvement of any new sub-processors or the replacement of existing sub-processors and to inform the Customers thereof in accordance with Section 18.4 of the GTC.

7. DATA TRANSFER TO THIRD COUNTRIES

The Data Controller generally processes personal data within the European Economic Area (EEA), and the vast majority of sub-processors are also located within the EEA.

If, in the event of an individual customer request, the server is located in a third country outside the EEA – in particular at the express request of the Customer, in accordance with point B.4.2 of the GTC – or if a sub-processor provides services in a third country, the data transfer may only take place subject to the guarantees provided in Chapter V of the GDPR, in particular:

a) in the case of a country affected by an adequacy decision of the European Commission (Article 45 of the GDPR);

b) by using standard contractual clauses (SCC) approved by the European Commission (Article 46 (2) point (c) of the GDPR);

c) with other appropriate safeguards in accordance with Articles 46-47 of the GDPR.

In such a case, the Data Controller will – if necessary – prepare a separate Data Transfer Addendum or Transfer Impact Assessment (TIA), which regulates in detail the purpose of the transfer, its legal basis, guarantees and the safeguards available to the data subjects.

8. PERIOD OF PERSONAL DATA RETENTION

The Data Controller processes personal data for the period necessary to achieve the purposes and for the duration of legal retention obligations.

8.1. Details of retention periods

a) User account data: for the duration of the business relationship, at the latest until the account is deleted.

b) Uploaded images upon termination of the contract: in accordance with point B.5.3 of the GTC, they will be permanently deleted within a maximum of 30 days after the termination of the contract.

c) Uploaded images in case of independent deletion of the user account (during the term of the contract): after the account is deleted, the images are retained by the Data Controller for a maximum of 5 (five) years based on security, development and legitimate business interests (documentation, evidence in the event of a legal dispute) and then deleted or anonymized. The 5-year retention period does not apply upon termination of the contract, when the 30-day deletion rule under point b) applies.

d) Images actually used to train an AI model: during the lifetime of the AI model (if the images become part of the model and are therefore integrated into the model in a way that cannot be subsequently extracted, the Data Controller shall inform the data subject of this fact in advance).

e) Accounting documents: 8 years pursuant to Section 169 (2) of Act C of 2000.

f) Tax documents: for the period required under the Taxation Act (as a rule, 5 years).

g) System logs, operational data: maximum 12 months.

h) Complaints handling, customer communication: 5 years pursuant to Section 17/A. (7) of Act CLV of 1997 on Consumer Protection.

The Data Controller will delete or anonymize data that is no longer necessary for the above purposes, if possible.

9. RIGHTS OF THE DATA SUBJECT

In connection with data processing, the data subject is entitled to the rights set out in Chapter III of the GDPR. Requests to exercise these rights can be submitted to the email address info@deepplayerlab.io.

9.1. Identification

Before fulfilling the request, the Data Controller will always identify the data subject. If identification is not possible, the request cannot be fulfilled.

9.2. Processing time and fee

The Data Controller shall inform the data subject of the measures taken no later than 1 (one) month from the date of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further 2 (two) months; the Data Controller shall inform the data subject of the extension within the 1-month deadline. The requested information and measures are free of charge; an exception is made if the request is clearly unfounded or excessive (e.g. due to its repetitive nature), in which case the Data Controller may charge a fee or refuse to comply with the request.

9.3. Right to information (access) (Article 15 GDPR)

The data subject may request information on whether his or her personal data is being processed and, if so, what the purpose is, what data is being processed, to whom the Data Controller transfers them, for how long they are stored, what rights and remedies the data subject has, from whom the Data Controller received the data, whether automated decisions are made regarding the data subject and, if so, with what logic. In the event of data transfer to a third country, the data subject may request the presentation of the guarantees set out in point 7. The data subject may also request a copy of the personal data processed; for further copies, the Data Controller may charge a fee in line with administrative costs.

9.4. Right to rectification (Article 16 of the GDPR)

The data subject may request that the Data Controller correct or complete his or her inaccurate or incompletely recorded personal data.

9.5. Right to erasure (“to be forgotten”) (Article 17 GDPR)

The data subject may request the erasure of his or her personal data if: (i) the data are no longer necessary for the original purpose; (ii) in the case of processing based on consent, the data subject withdraws his or her consent; (iii) the processing is unlawful; (iv) it is required by EU or national law. Data may not be erased if they are necessary: for freedom of expression, for compliance with a legal obligation, for public interest, for archiving/research/statistical purposes in the public interest, or for the establishment, exercise or defence of legal claims.

9.6. Right to restriction (Article 18 GDPR)

The data subject may request the restriction of data processing if: (i) he/she disputes the accuracy of the data (for the period of verification); (ii) the data processing is unlawful but the data subject opposes the erasure; (iii) the Data Controller no longer needs the data but the data subject requires them for the purposes of the data subject’s legal claims; (iv) the data subject has objected to the data processing (for the period of examination of the legitimate grounds).

9.7. Right to data portability (Article 20 GDPR)

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided and which are processed by automated means, based on consent or contract, in a structured, machine-readable format or to have them transmitted to another controller (where technically feasible). This right shall not prejudice the rights and freedoms of others.

9.8. Right to object (Article 21 of the GDPR)

The data subject may object to the processing based on Article 6(1)(e) and (f) of the GDPR, as well as to the processing for direct marketing purposes (and related profiling). In the latter case, the data shall be erased by the Controller without delay. In the former case, the Controller may only continue the processing if it demonstrates compelling legitimate grounds which override the interests, rights and freedoms of the data subject.

9.9. Right to withdraw consent (GDPR Article 7 (3))

If the processing is based on the data subject’s consent (in particular the use of images for training an AI model), the data subject may withdraw his or her consent at any time, without giving reasons, and free of charge. The withdrawal does not affect the lawfulness of the processing carried out before the withdrawal – based on consent.

9.10. Automated decision-making, profiling (GDPR Article 22)

The Data Controller does not make automated individual decisions during the operation of the ORBIS Application that would have legal effects on the data subject or would similarly significantly affect him/her. The Application functions as a decision-making tool; the final decision is always based on the User’s discretion (Sections B.1.2 and B.1.3 of the GTC).

9.11. Deleting a user account

Within the ORBIS Application, the User may request the deletion of their user account. After that, the personal data required for user identification will be automatically deleted from the system; the retention of uploaded images is governed by points b) and c) of Section 8.1.

10. LEGAL REMEDIES

10.1. Complaint to the NAIH

The data subject may file a complaint with the National Authority for Data Protection and Freedom of Information (NAIH) if, in his or her opinion, the processing of personal data concerning him or her is contrary to the GDPR.

Mailing address: 1363 Budapest, P.O. Box: 9.

Address: 1055 Budapest, Falk Miksa Street 9–11.

Phone: +36 (1) 391-1400

Website: http://naih.hu

E-mail: ugyfelszolgalat@naih.hu

10.2. Going to court

In the event of a violation of the rights of the data subject, he or she may apply to court. The court shall have jurisdiction over the case. The case may also be initiated – at the choice of the data subject – before the court of the data subject’s place of residence or place of stay.

10.3. Compensation and damages

If the Data Controller causes damage or violates the personal rights of the data subject by unlawfully processing the data, the Data Controller may be required to pay compensation or damages. The Data Controller shall be exempt from liability if it proves that the damage or injury was caused by an unavoidable cause outside the scope of data processing.

11. DATA SECURITY

The Data Controller shall implement appropriate technical and organizational measures to ensure a level of data security appropriate to the degree of risk, taking into account the current state of science and technology, the costs of implementation, the nature of the data processing and the risks to the rights and freedoms of natural persons, in accordance with Article 32 of the GDPR. Personal data shall be treated confidentially, with limited access, encryption and with the greatest possible degree of resilience, ensuring restorability in the event of a problem. The Data Controller shall regularly test the systems. No system provides 100% security, therefore complete protection of data cannot be guaranteed.

12. OBLIGATION TO PROVIDE DATA AND DATA TRANSFER

In the context of a business relationship, the data subject is obliged to provide the personal data that are necessary for the conclusion and performance of the contract. In the absence of this data, the Data Controller is generally unable to conclude or perform the contract.

The Data Controller may transfer data – in accordance with the purposes of data processing – to: service providers (e.g. banks, insurance companies, IT service providers), sub-processors, domestic and foreign authorities or courts, and other relevant parties to legal proceedings. The provisions of point 7 apply to transfers to third countries.

13. AMENDMENT OF THE NOTICE

The Data Controller reserves the right to amend this Notice at any time. The current version will be published on the Service Provider’s website (https://deepplayerlab.io) and will be included as Annex 4 to the GTC. In the event of a material amendment, the Data Controller will notify the data subjects by e-mail or other appropriate means within the deadline set out in Section 3.4 of the GTC.

Budapest, April 17, 2026.

Deep Layer Lab Ltd.

Zoltán Péter Füredi, Managing Director