Felhasználási feltételek

# SCYLLA RECOMAI — TERMS OF SERVICE (MASTER SUBSCRIPTION AGREEMENT) **Effective Date:** [INSERT DATE] **Version:** 1.0 **Last Updated:** [INSERT DATE] | Version | Date | Summary of Changes | |---------|------|---------------------| | 1.0 | [INSERT DATE] | Initial publication | --- ## 1. PARTIES, ACCEPTANCE, AND ORDER OF PRECEDENCE ### 1.1 Parties These Terms of Service ("**Terms**" or "**Agreement**") are entered into between: **Savvy Traveller Trading Kft.** (registered in Hungary under company number [INSERT], registered address: 6000 Kecskemet, Kokeny utca 10., Hungary; VAT ID: HU24766089) (hereinafter "**Provider**," "**we**," or "**us**"); and the legal entity or natural person acting in a business capacity that accepts these Terms by creating an Account, executing an Order Form, or otherwise using the Service (hereinafter "**Customer**" or "**you**"). Provider and Customer are each a "**Party**" and together the "**Parties**." ### 1.2 Acceptance By creating an Account, clicking "I accept," executing an Order Form referencing these Terms, or accessing or using the Service, Customer agrees to be bound by these Terms. If Customer does not agree, Customer must not use the Service. ### 1.3 Authority The individual accepting these Terms on behalf of a legal entity represents and warrants that they have the authority to bind that entity. If they lack such authority, they accept these Terms in their personal capacity. ### 1.4 Order of Precedence In the event of a conflict between documents, the following order of precedence applies (highest first): 1. The Data Processing Addendum (Annex B); 2. The Order Form (if any); 3. The SLA (Annex D, if applicable to Customer's plan); 4. These Terms (including all Annexes); 5. The Acceptable Use Policy (Annex A); 6. Provider's published documentation at recomai.hu/dokumentacio. If there is a conflict between these Terms and an Order Form, the Order Form prevails only with respect to the specific subject matter addressed in that Order Form. --- ## 2. DEFINITIONS In these Terms, capitalised terms have the following meanings: "**Account**" means the Customer's registered account on the Platform, through which the Customer and its Authorised Users access the Service. "**Add-on**" means an optional feature or capability (such as Merchandising or Out-of-Stock Downranking) that Customer may activate in addition to its Plan for an additional fee. "**Affiliate**" means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party, where "control" means ownership of more than fifty percent (50%) of the voting interests. "**API**" means the application programming interface(s) through which Customer may programmatically access the Service, as documented in the Documentation. "**API Key**" means the credential(s) issued to Customer for authenticating API requests. "**Authorised User**" means an individual whom Customer authorises to access the Dashboard under Customer's Account, such as Customer's employees, contractors, or agents. "**Confidential Information**" has the meaning set out in Section 8. "**Configuration**" means the settings, parameters, policies, merchandising rules, experiment definitions, and widget configurations that Customer applies within the Service to customise Recommendation Outputs. "**Customer Data**" means all data that Customer or its End Users submit, upload, transmit, or make available to the Service, including product catalogues, order data, customer records, behavioural events, tracking data, and any other data ingested via the API, webhooks, or the Dashboard. Customer Data does not include Derived Data or Usage Data. "**Dashboard**" means the web-based administrative interface accessible at scylla.recomai.hu through which Customer manages its Account, Stores, Configuration, and analytics. "**Data Processing Addendum**" or "**DPA**" means the addendum attached as Annex B. "**Derived Data**" means data generated by the Service through processing Customer Data, including trained Model parameters, embeddings, aggregate statistical insights, and performance metrics. Derived Data is anonymised or aggregated such that it does not identify any individual data subject. "**Documentation**" means Provider's then-current technical documentation, API reference, integration guides, and help articles published at recomai.hu/dokumentacio. "**End User**" means an individual who visits or interacts with Customer's online store or digital property where the Service is deployed. "**Feedback**" has the meaning set out in Section 9.3. "**Fees**" means the charges payable by Customer for the Service as set out in the applicable Plan, Order Form, or pricing page. "**GDPR**" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation). "**Intellectual Property Rights**" means all patents, copyrights, moral rights, trademarks, trade secrets, database rights, design rights, know-how, and any other intellectual or industrial property rights, whether registered or unregistered, anywhere in the world. "**Model**" means the machine-learning model(s) used by the Service to generate Recommendation Outputs, including but not limited to product embedding models (Product2Vec), graph neural network models (LightGCN), text embedding models, image embedding models, ranking models, and bandit-based auto-tune models. "**Order Form**" means a written or electronic ordering document executed by the Parties that references these Terms and specifies the Plan, Fees, billing cycle, and any additional terms. "**Plan**" means the subscription tier selected by Customer (Kezdo, Normal, Premium, or Vallalati), each with defined usage limits, features, and Fees as published on the pricing page or set out in an Order Form. "**Platform**" means the software platform operated by Provider, comprising the API, Dashboard, tracking scripts, and all related infrastructure used to deliver the Service. "**Professional Services**" means consulting, integration, onboarding, model tuning, or other professional services provided by Provider under a Statement of Work. "**Recommendation Output**" means any product recommendation, ranking, score, list, or similar output generated by the Service in response to a recommendation request, including FBT (Frequently Bought Together) suggestions, contextual cross-sell recommendations, personalised feeds, search re-ranking results, and curated page outputs. "**Service**" means the Scylla RecomAI recommendation engine SaaS, including the API, Dashboard, tracking functionality, and all related features as described in the Documentation and made available under Customer's Plan. "**SLA**" means the service level agreement attached as Annex D, applicable only to Customers on the Vallalati plan or as otherwise agreed in an Order Form. "**Statement of Work**" or "**SOW**" means a document executed by the Parties describing the scope, deliverables, timeline, and fees for Professional Services. "**Store**" means a single online store or digital property that Customer connects to the Service, identified by its origin domain. "**Subscription Term**" means the period during which Customer is subscribed to the Service, as set out in Section 18. "**Usage Data**" means data about Customer's use of the Service that does not contain Customer Data or personal data, such as API call volumes, feature usage patterns, error rates, and system performance metrics. "**Widget**" means an embeddable front-end component provided by the Service for displaying Recommendation Outputs on Customer's Store. --- ## 3. SCOPE OF SERVICE; PROVISIONING; CUSTOMER RESPONSIBILITIES; ADMIN USERS ### 3.1 Service Description The Service is a recommendation engine delivered as a service. It processes Customer Data to generate Recommendation Outputs that Customer may display to End Users on Customer's Stores. The Service includes: (a) **REST API** for requesting Recommendation Outputs programmatically (including contextual recommendations, FBT, search re-ranking, and product classification); (b) **Dashboard** for managing Account settings, Stores, Configurations, A/B experiments, analytics, and billing; (c) **Tracking** functionality for collecting behavioural events (page views, add-to-cart, conversions) from End Users; (d) **Feedback ingestion** for recording which Recommendation Outputs were served and how End Users interacted with them; (e) **Analytics** for monitoring recommendation performance, click-through rates, and attributed revenue; and (f) any additional features made available under Customer's Plan or Add-ons. ### 3.2 Provisioning Upon Account creation, Provider will provision Customer's tenant environment. Provider aims to complete provisioning promptly but does not guarantee a specific provisioning timeline. ### 3.3 Plan Limits Each Plan specifies limits on the number of monthly recommendation requests, Products, Stores, and Widgets. Customer must not exceed these limits. If Customer consistently exceeds its Plan limits, Provider may (a) notify Customer and request an upgrade, (b) throttle or restrict Service access, or (c) apply overage charges as described in Section 10. ### 3.4 Customer Responsibilities Customer is responsible for: (a) providing accurate and complete registration information; (b) ensuring that Customer Data does not violate applicable law or third-party rights; (c) integrating the Service into Customer's Store in accordance with the Documentation; (d) maintaining the accuracy and quality of product catalogue data; (e) complying with the Acceptable Use Policy (Annex A); (f) providing any legally required notices and obtaining any legally required consents from End Users in connection with Customer's use of the Service, including cookie/tracking consent where required by ePrivacy legislation; (g) configuring and monitoring Recommendation Outputs for compliance with applicable law, including consumer protection rules and non-discrimination requirements; and (h) managing Authorised Users and their permissions. ### 3.5 Admin Users Customer may designate one or more Authorised Users as administrators. Customer is responsible for all actions taken through its Account by its Authorised Users. Customer must promptly revoke access for any Authorised User who no longer requires it. --- ## 4. ACCOUNT SECURITY; AUTHENTICATION; API KEYS; RATE LIMITS; USAGE MEASUREMENT ### 4.1 Account Security Customer must keep Account credentials and API Keys confidential. Customer must not share credentials across individuals. Customer must use strong, unique passwords and enable multi-factor authentication where available. Customer must notify Provider promptly at hello@recomai.hu if Customer becomes aware of any unauthorised access to its Account. ### 4.2 Authentication Access to the Dashboard requires authenticated login. Access to the API requires a valid API Key transmitted via the mechanism described in the Documentation. ### 4.3 API Keys Provider issues API Keys to Customer for programmatic access. Customer must treat API Keys as Confidential Information. Customer must not embed API Keys in client-side code that is accessible to End Users. Customer is responsible for all API calls made with its API Keys. Provider may revoke and re-issue API Keys if Provider reasonably believes they have been compromised. ### 4.4 Rate Limits The Service enforces rate limits to ensure fair usage and system stability. Current rate limits are published in the Documentation. Provider may adjust rate limits upon reasonable notice. Requests exceeding rate limits may be throttled or rejected. ### 4.5 Usage Measurement Provider measures usage (recommendation requests, product count, Store count, Widget count) using its internal systems. Provider's measurements are the definitive basis for determining compliance with Plan limits and calculating any overage charges. Customer may review its usage statistics in the Dashboard. --- ## 5. ACCEPTABLE USE POLICY Customer's use of the Service is subject to the Acceptable Use Policy set out in **Annex A**. The AUP is incorporated into these Terms by reference. Violation of the AUP constitutes a material breach of these Terms. --- ## 6. CUSTOMER DATA, INPUTS, AND OUTPUTS ### 6.1 Ownership of Customer Data As between the Parties, Customer retains all rights, title, and interest in and to Customer Data. Nothing in these Terms transfers ownership of Customer Data to Provider. ### 6.2 Licence to Process Customer Data Customer grants Provider a non-exclusive, worldwide, royalty-free licence to use, store, process, copy, and display Customer Data solely to the extent necessary to: (a) provide, operate, and maintain the Service for Customer; (b) generate Recommendation Outputs; (c) provide support and resolve technical issues; and (d) comply with applicable law. ### 6.3 Service Improvement and Model Training **(a) Tenant-Specific Models.** Provider processes Customer Data to train and refine Models that serve Customer's Account exclusively ("**Tenant Models**"). This processing is necessary to deliver the Service and does not require separate consent. **(b) Cross-Customer Improvement.** Provider may use Customer Data in anonymised and aggregated form to improve its Models, algorithms, and Service features for the benefit of all customers ("**General Improvement**"). **General Improvement is enabled by default. Customer may opt out of General Improvement at any time by notifying Provider in writing at hello@recomai.hu.** When Customer opts out, Provider will cease using Customer Data for General Improvement within thirty (30) days, but this does not require deletion of Model parameters already trained before the opt-out, provided such parameters do not contain or reveal Customer Data or personal data. [**Assumption:** General Improvement is opt-out by default. Confirm whether you prefer opt-in.] ### 6.4 Recommendation Output Terms **(a) Probabilistic Nature.** Recommendation Outputs are generated by machine-learning Models and are inherently probabilistic. Provider does not guarantee the accuracy, completeness, relevance, or commercial effectiveness of any Recommendation Output. **(b) No Guarantee of Results.** Provider makes no guarantee regarding revenue uplift, conversion rates, click-through rates, or any other business outcome resulting from the use of Recommendation Outputs. **(c) Customer Validation.** Customer is solely responsible for reviewing, validating, and testing Recommendation Outputs before displaying them to End Users. Customer must monitor Recommendation Outputs for inappropriate, inaccurate, or legally non-compliant content. **(d) High-Risk Decisions Prohibited.** Customer must not rely on Recommendation Outputs as the sole basis for decisions that produce legal effects concerning an individual or similarly significantly affect an individual, unless Customer independently ensures full compliance with all applicable laws (including GDPR Articles 22 and 13-14, the EU AI Act, and applicable consumer protection rules). Provider's Service is designed for product recommendations in an e-commerce context and is not intended for high-risk decision-making. **(e) Bias and Limitations.** Recommendation Outputs may reflect biases present in the underlying data. Customer acknowledges this and must implement appropriate safeguards, including human oversight, to prevent unlawful discrimination. ### 6.5 Data Retention Provider retains Customer Data for the duration of the Subscription Term and for a period of thirty (30) days thereafter (the "**Retention Period**"), after which Provider will delete Customer Data in accordance with Section 18.5. ### 6.6 Data Export Customer may export Customer Data through the Dashboard or API at any time during the Subscription Term and during the Retention Period. Provider will provide reasonable assistance for data export upon request. ### 6.7 Backups Provider maintains regular backups of Customer Data as part of its standard operations. Backups are maintained solely for disaster recovery purposes and are not a substitute for Customer's own data management practices. Provider does not guarantee that any individual backup can be restored on demand. --- ## 7. PRIVACY AND DATA PROTECTION ### 7.1 Privacy Policy Provider's processing of personal data collected from visitors to the recomai.hu website is governed by Provider's Privacy Policy, available at recomai.hu/adatvedelmi-iranyelvek. The Privacy Policy is not part of these Terms. ### 7.2 Data Processing Addendum Where Provider processes personal data on behalf of Customer as a data processor under the GDPR, the Data Processing Addendum attached as **Annex B** applies. The DPA forms an integral part of these Terms and contains the mandatory terms required by Article 28 GDPR. ### 7.3 Roles In the context of the Service: (a) Customer is the **data controller** (or, where Customer processes personal data on behalf of its own customers, a data processor) with respect to End User personal data contained in Customer Data. (b) Provider is the **data processor** processing personal data on behalf of Customer in accordance with Customer's instructions and the DPA. (c) For Usage Data and data about Customer's Authorised Users' use of the Dashboard, Provider acts as an independent data controller. ### 7.4 Security Measures Provider implements technical and organisational measures to protect Customer Data as described in **Annex C** (Security Measures). Provider will maintain security measures that are no less protective than those described in Annex C during the Subscription Term. --- ## 8. CONFIDENTIALITY ### 8.1 Definition "**Confidential Information**" means all non-public information disclosed by one Party (the "**Disclosing Party**") to the other Party (the "**Receiving Party**") in connection with these Terms, whether disclosed orally, in writing, electronically, or by inspection, that is designated as confidential or that a reasonable person would understand to be confidential given the nature of the information and circumstances of disclosure. Confidential Information includes, without limitation: (a) Customer Data; (b) API Keys and Account credentials; (c) Provider's technology, algorithms, Models, source code, architecture, and roadmap; (d) business plans, pricing, financial information, and customer lists; and (e) the terms of any Order Form. ### 8.2 Exclusions Confidential Information does not include information that: (a) is or becomes publicly available without breach of these Terms; (b) was known to the Receiving Party prior to disclosure, as demonstrated by written records; (c) is independently developed by the Receiving Party without use of the Disclosing Party's Confidential Information; or (d) is lawfully received from a third party without restriction on disclosure. ### 8.3 Obligations The Receiving Party will: (a) use the Disclosing Party's Confidential Information only for purposes of exercising its rights or performing its obligations under these Terms; (b) protect the Disclosing Party's Confidential Information with at least the same degree of care it uses to protect its own Confidential Information, but in no event less than reasonable care; (c) not disclose the Disclosing Party's Confidential Information to any third party except to its employees, contractors, advisors, and Affiliates who need to know and are bound by confidentiality obligations no less protective than those in this Section; and (d) promptly notify the Disclosing Party upon becoming aware of any unauthorised disclosure. ### 8.4 Compelled Disclosure If the Receiving Party is compelled by law, regulation, or legal process to disclose Confidential Information, it will (to the extent legally permitted) provide the Disclosing Party with prompt written notice and cooperate with the Disclosing Party's efforts to obtain protective treatment. ### 8.5 Duration Confidentiality obligations survive termination of these Terms for a period of three (3) years, except with respect to trade secrets, which remain protected for as long as they qualify as trade secrets under applicable law. --- ## 9. INTELLECTUAL PROPERTY ### 9.1 Provider IP Provider and its licensors retain all rights, title, and interest in and to the Service, Platform, API, Dashboard, Widgets, Models, Documentation, Derived Data, Usage Data, and all related technology, including all Intellectual Property Rights therein. These Terms do not grant Customer any rights in or to Provider's Intellectual Property Rights except as expressly stated herein. ### 9.2 Licence to Use the Service Subject to Customer's compliance with these Terms and payment of Fees, Provider grants Customer a non-exclusive, non-transferable, non-sublicensable, revocable licence during the Subscription Term to: (a) access and use the Service in accordance with the applicable Plan; (b) integrate the API into Customer's Stores using the mechanisms described in the Documentation; (c) deploy Widgets on Customer's Stores; and (d) use the Documentation for internal purposes in connection with the Service. ### 9.3 Restrictions Customer must not: (a) reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code, algorithms, or architecture of the Service or any Model; (b) attempt to extract, copy, replicate, or reconstruct any Model or Model parameters ("**model extraction**"); (c) use the Service to build a competing product or service; (d) publish benchmarks or performance comparisons of the Service without Provider's prior written consent; (e) sublicence, resell, or make the Service available to third parties other than End Users as contemplated by the Service's normal operation; (f) remove, alter, or obscure any proprietary notices in the Service; (g) use the Service in a manner that exceeds the scope of the licence granted herein; or (h) systematically scrape, crawl, or extract data from the Service or API beyond normal usage patterns. ### 9.4 Customer Feedback If Customer provides suggestions, ideas, enhancement requests, or other feedback regarding the Service ("**Feedback**"), Customer grants Provider a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, fully paid-up licence to use, modify, and incorporate Feedback into the Service and Provider's other products without restriction or obligation. Customer is not obligated to provide Feedback. ### 9.5 Open-Source and Third-Party Components The Service may incorporate open-source software components. A list of material open-source components and their licences is available upon request. Provider's use of open-source components does not affect Customer's rights under these Terms. Where an open-source licence requires it, Provider will make the relevant source code available. --- ## 10. FEES, BILLING, TAXES, USAGE OVERAGES, LATE PAYMENTS, DISPUTES ### 10.1 Fees Customer will pay the Fees applicable to its selected Plan and any Add-ons as published on Provider's pricing page or as set out in an Order Form. All Fees are stated in Hungarian Forints (HUF) unless otherwise agreed. Current Plans (net prices, excluding VAT): | Plan | Monthly | Yearly (per month) | Key Limits | |------|---------|---------------------|------------| | Kezdo | 14,900 Ft | 13,410 Ft | 30K recs/mo, 10K products, 1 Store, 1 Widget | | Normal | 34,900 Ft | 31,410 Ft | 100K recs/mo, 50K products, 1 Store, 3 Widgets | | Premium | 64,900 Ft | 58,410 Ft | 300K recs/mo, 200K products, 3 Stores, Unlimited Widgets | | Vallalati | Custom | Custom | Custom limits, SLA included | Add-ons (net prices, excluding VAT): | Add-on | Monthly | Yearly (per month) | |--------|---------|---------------------| | Merchandising | 14,990 Ft | 13,410 Ft | | Out-of-Stock Downranking | 14,990 Ft | 13,410 Ft | Provider may update pricing upon sixty (60) days' prior written notice. Updated pricing takes effect at the start of the next Subscription Term after the notice period. ### 10.2 Billing Cycle Fees are billed in advance on a monthly or annual basis, as selected by Customer (the "**Billing Cycle**"). Annual subscriptions receive a ten percent (10%) discount as reflected in the pricing table. ### 10.3 Payment Method Customer will provide a valid payment method (credit card or other method accepted by Provider's payment processor). Fees are charged automatically at the beginning of each Billing Cycle. Provider uses Stripe as its payment processor; Customer's use of Stripe is subject to Stripe's terms of service. ### 10.4 Taxes All Fees are exclusive of taxes. Customer is responsible for all applicable taxes, including VAT, sales tax, withholding tax, and any other governmental charges. Where Provider is required to collect VAT, it will be added to invoices at the applicable rate. If Customer is entitled to a VAT exemption or reverse charge, Customer must provide a valid VAT identification number and any required documentation. ### 10.5 Usage Overages If Customer exceeds its Plan limits in any billing month, Provider will notify Customer. Provider may, at its discretion: (a) request that Customer upgrade to a higher Plan; (b) charge overages at the per-unit rate published in the Documentation or agreed in an Order Form; or (c) throttle Service access until the next billing period. [**Assumption:** Overage pricing is determined case-by-case or per Documentation. Confirm whether you want fixed overage rates.] ### 10.6 Late Payments If Customer fails to pay any undisputed Fees when due, Provider may: (a) charge late interest at the rate of the Hungarian National Bank base rate plus eight (8) percentage points per annum (in accordance with Act IX of 2022 on Late Payments in Commercial Transactions), calculated from the due date until payment; (b) suspend Customer's access to the Service upon fifteen (15) days' written notice; and (c) engage a collection agency or take legal action to recover amounts owed plus reasonable collection costs. ### 10.7 Fee Disputes If Customer disputes any invoice in good faith, Customer must notify Provider in writing within fifteen (15) days of the invoice date, specifying the disputed amount and the reason for the dispute. Customer must pay all undisputed amounts when due. The Parties will negotiate in good faith to resolve the dispute within thirty (30) days. --- ## 11. TRIALS, BETAS, AND PRE-RELEASE FEATURES ### 11.1 Beta Features Provider may offer certain features designated as "beta," "preview," "experimental," or "early access" ("**Beta Features**"). Beta Features are provided for evaluation purposes and may be changed, suspended, or discontinued at any time without notice. ### 11.2 Beta Disclaimers Beta Features are provided "AS IS" and "AS AVAILABLE" without any warranty of any kind. Provider makes no commitments regarding the availability, reliability, performance, or continued existence of Beta Features. Customer uses Beta Features at its own risk. Data processed through Beta Features may be subject to additional limitations, including lack of backups, reduced security measures, or data loss. ### 11.3 Feedback on Beta Features Provider encourages Customer to provide Feedback on Beta Features. Any such Feedback is subject to Section 9.4. ### 11.4 No Free Trial The Service does not currently offer a free trial period. [**Assumption:** No free trial based on business context provided. Update if this changes.] --- ## 12. SERVICE LEVELS AND SUPPORT ### 12.1 Availability Target Provider aims to maintain reasonable availability of the Service. However, except as expressly stated in the SLA (Annex D) for Vallalati plan Customers, Provider does not guarantee any specific level of availability or uptime. ### 12.2 SLA for Vallalati Plan Customers on the Vallalati plan (or Customers who have an SLA specified in their Order Form) are entitled to the service level commitments set out in **Annex D**. The Vallalati SLA provides for a monthly availability target of 99%. ### 12.3 Support Provider offers technical support via email at hello@recomai.hu during CET business hours (Monday to Friday, 09:00-17:00 CET, excluding Hungarian public holidays). Provider aims to respond to support requests within the timeframes set out in Annex D. Support is provided in Hungarian and English. ### 12.4 Scheduled Maintenance Provider may perform scheduled maintenance during off-peak hours (typically between 22:00 and 06:00 CET). Provider will use reasonable efforts to notify Customer at least forty-eight (48) hours in advance of scheduled maintenance that may affect Service availability. Scheduled maintenance windows are excluded from availability calculations under the SLA. ### 12.5 Exclusions The following are excluded from availability calculations and do not constitute Service unavailability: (a) scheduled maintenance; (b) force majeure events (Section 21.4); (c) failures caused by Customer's equipment, network, or software; (d) failures caused by Customer's misuse of the Service or violation of the Documentation; (e) failures of third-party services or infrastructure outside Provider's reasonable control; and (f) suspension of Service in accordance with these Terms. --- ## 13. PROFESSIONAL SERVICES ### 13.1 Scope Provider may offer Professional Services such as integration consulting, onboarding assistance, model tuning, and custom development. Professional Services are not included in the standard Plans unless expressly stated. ### 13.2 Statements of Work Each engagement for Professional Services will be governed by a mutually agreed Statement of Work referencing these Terms. Each SOW will specify the scope, deliverables, timeline, acceptance criteria, and fees for the engagement. ### 13.3 Acceptance Unless the SOW specifies otherwise, deliverables will be deemed accepted ten (10) business days after delivery unless Customer provides written notice of material non-conformance with the SOW. Customer may reject deliverables only on grounds of material non-conformance with the SOW's acceptance criteria. ### 13.4 Professional Services Fees Professional Services are billed at the rates set out in the applicable SOW. Unless otherwise stated, Professional Services fees are billed monthly in arrears based on time and materials. Payment terms for Professional Services are thirty (30) days from invoice date. ### 13.5 Intellectual Property in Deliverables Unless the SOW expressly provides otherwise, all Intellectual Property Rights in deliverables created under a SOW vest in Provider. Provider grants Customer a non-exclusive, non-transferable licence to use such deliverables in connection with Customer's authorised use of the Service. --- ## 14. WARRANTIES ### 14.1 Mutual Warranties Each Party represents and warrants that: (a) it has the legal power and authority to enter into these Terms; (b) it will comply with all applicable laws in its performance under these Terms; and (c) the execution and performance of these Terms does not conflict with any other agreement to which it is a party. ### 14.2 Provider's Limited Warranty Provider warrants that during the Subscription Term, the Service will perform materially in accordance with the Documentation under normal use. Customer's sole and exclusive remedy for a breach of this warranty is, at Provider's option: (a) Provider will use commercially reasonable efforts to correct the non-conformance; or (b) if Provider is unable to correct the non-conformance within thirty (30) days of receiving written notice, Customer may terminate the affected subscription and receive a pro-rata refund of prepaid Fees for the unused portion of the Subscription Term. ### 14.3 Disclaimer of Warranties EXCEPT FOR THE EXPRESS WARRANTIES STATED IN THIS SECTION 14 AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE." PROVIDER DISCLAIMS ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. PROVIDER DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR FREE OF HARMFUL COMPONENTS, OR THAT ANY RECOMMENDATION OUTPUT WILL BE ACCURATE, COMPLETE, OR SUITABLE FOR ANY PARTICULAR PURPOSE. ### 14.4 EU Consumer Rights Reservation Nothing in this Section limits any warranty rights that cannot be excluded or limited under applicable mandatory law. These Terms are intended for business-to-business use. If, notwithstanding this intention, any provision is found to be subject to mandatory consumer protection rules, the relevant mandatory rule will apply to the minimum extent required. ### 14.5 Security Provider implements commercially reasonable security measures as described in Annex C. Provider does not warrant that the Service is impenetrable or immune to all security threats. Provider will promptly notify Customer of any security breach affecting Customer Data in accordance with the DPA. --- ## 15. COMPLIANCE AND CUSTOMER OBLIGATIONS ### 15.1 Lawful Basis Customer is responsible for establishing and maintaining a valid legal basis under the GDPR (or other applicable data protection law) for all personal data that Customer submits to or collects through the Service, including End User personal data. ### 15.2 End User Notices and Consent Customer must provide End Users with clear and transparent privacy notices that disclose the use of the Service, the categories of data collected, and the purposes of processing, in compliance with Articles 13 and 14 GDPR. Where Customer's use of the Service requires consent (for example, for non-essential cookies or tracking), Customer is responsible for obtaining such consent in compliance with ePrivacy rules. ### 15.3 Personalisation Disclosures Where Recommendation Outputs constitute "personalisation" or "profiling" of End Users, Customer must inform End Users accordingly and, where required by law, provide mechanisms for End Users to opt out of personalisation. ### 15.4 Non-Discrimination Customer must not use the Service in a manner that results in unlawful discrimination against any individual or group based on protected characteristics (including but not limited to race, ethnicity, gender, religion, sexual orientation, disability, or age). Customer must regularly review and test Recommendation Outputs for discriminatory patterns. ### 15.5 Automated Decision-Making Customer must not use Recommendation Outputs as the sole basis for decisions that produce legal effects concerning an individual or similarly significantly affect an individual (within the meaning of Article 22 GDPR), unless Customer independently ensures compliance with all applicable safeguards (including the right to human intervention, the right to express a point of view, and the right to contest the decision). ### 15.6 EU AI Act Customer acknowledges that the EU Artificial Intelligence Act (Regulation (EU) 2024/1689) may impose obligations on deployers of AI systems used for certain purposes, including recommender systems used by online platforms. If Customer qualifies as a "deployer" under the AI Act, Customer is solely responsible for fulfilling any applicable deployer obligations, including transparency, human oversight, record-keeping, and conformity assessment cooperation. Provider will provide reasonable cooperation and information to assist Customer's compliance efforts upon request. ### 15.7 Digital Services Act If Customer operates an "online platform" within the meaning of the Digital Services Act (Regulation (EU) 2022/2065), Customer is responsible for complying with DSA obligations regarding recommender systems, including providing End Users with information about the main parameters used for recommendations and offering at least one option not based on profiling (Article 38 DSA). Provider will provide reasonable information about how Recommendation Outputs are generated to assist Customer's DSA compliance. ### 15.8 Export Controls and Sanctions Customer represents and warrants that it is not located in, and will not use the Service from, any country or territory subject to comprehensive EU or Hungarian sanctions. Customer will not provide access to the Service to any individual or entity on an applicable sanctions list. ### 15.9 Recordkeeping Customer is responsible for maintaining all records required by applicable law in connection with Customer's use of the Service, including records of consent, data processing activities, and data protection impact assessments. --- ## 16. INDEMNITIES ### 16.1 Customer Indemnity Customer will defend, indemnify, and hold harmless Provider and its officers, directors, employees, and agents from and against any third-party claim, demand, loss, damage, cost, or expense (including reasonable legal fees) arising from or relating to: (a) Customer Data or any content that Customer submits to the Service; (b) Customer's breach of these Terms, including the AUP; (c) Customer's violation of applicable law; (d) Customer's End Users' claims arising from Customer's use or display of Recommendation Outputs; or (e) Customer's failure to provide required notices to or obtain required consents from End Users. ### 16.2 Provider IP Indemnity Provider will defend, indemnify, and hold harmless Customer from and against any third-party claim that the Service (as provided by Provider and used by Customer in accordance with these Terms) infringes a third party's Intellectual Property Rights in the European Union ("**IP Claim**"), and Provider will pay any damages finally awarded or settlement amounts agreed. ### 16.3 IP Indemnity Conditions and Carve-Outs Provider's indemnity obligation under Section 16.2 does not apply to the extent that the IP Claim arises from: (a) Customer's modification of the Service; (b) Customer's combination of the Service with products, services, or data not provided by Provider; (c) Customer Data; (d) Customer's use of the Service in violation of these Terms or the Documentation; or (e) Customer's continued use of an allegedly infringing version of the Service after Provider has provided a non-infringing alternative. ### 16.4 IP Indemnity Remedies If the Service becomes (or in Provider's opinion is likely to become) the subject of an IP Claim, Provider may, at its option and expense: (a) obtain the right for Customer to continue using the Service; (b) modify the Service to make it non-infringing; (c) replace the Service with a functionally equivalent non-infringing alternative; or (d) if none of the foregoing is commercially practicable, terminate the affected subscription and refund any prepaid Fees for the unused portion of the Subscription Term. ### 16.5 Data Protection Claims Each Party will bear its own liability for administrative fines imposed by supervisory authorities under data protection law, to the extent attributable to that Party's own acts or omissions. Neither Party may contractually require the other to bear fines that are imposed on it by a supervisory authority for that Party's own violations. ### 16.6 Indemnity Procedure The indemnified Party must: (a) promptly notify the indemnifying Party of the claim in writing; (b) grant the indemnifying Party sole control over the defence and settlement of the claim; and (c) provide reasonable cooperation at the indemnifying Party's expense. The indemnifying Party may not settle any claim in a manner that imposes obligations on the indemnified Party without the indemnified Party's prior written consent (not to be unreasonably withheld). --- ## 17. LIMITATION OF LIABILITY ### 17.1 Exclusion of Indirect Damages TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS, REVENUE, DATA, GOODWILL, OR BUSINESS OPPORTUNITY, ARISING OUT OF OR RELATING TO THESE TERMS, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT, STRICT LIABILITY, OR OTHERWISE) AND REGARDLESS OF WHETHER SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. ### 17.2 Liability Cap SUBJECT TO SECTION 17.3, EACH PARTY'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THESE TERMS WILL NOT EXCEED THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER TO PROVIDER DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE LIABILITY. ### 17.3 Carve-Outs The limitations in Sections 17.1 and 17.2 do not apply to: (a) a Party's indemnification obligations under Section 16; (b) a Party's breach of its confidentiality obligations under Section 8 (except that liability for such breach is capped at two (2) times the amount set out in Section 17.2); (c) Customer's obligation to pay Fees; (d) liability arising from a Party's wilful misconduct or gross negligence; (e) liability that cannot be excluded or limited under applicable mandatory law (including liability for death or personal injury caused by negligence); and (f) Provider's obligations under the DPA with respect to personal data breaches, to the extent such liability cannot be contractually limited under applicable data protection law. ### 17.4 Essential Basis Each Party acknowledges that the limitations of liability in this Section reflect a reasonable allocation of risk between the Parties and form an essential basis of the bargain. The Fees reflect this allocation. ### 17.5 Multiple Claims The existence of more than one claim does not enlarge the limits set out in this Section. The liability caps are aggregate caps, not per-incident caps. --- ## 18. TERM AND TERMINATION ### 18.1 Subscription Term The initial Subscription Term begins on the date Customer's Account is activated and continues for the duration of the selected Billing Cycle (monthly or annual). Unless terminated in accordance with this Section, the Subscription Term automatically renews for successive periods equal to the initial Billing Cycle. ### 18.2 Non-Renewal Either Party may prevent automatic renewal by providing written notice at least thirty (30) days before the end of the then-current Subscription Term for monthly subscriptions, or sixty (60) days before the end of the then-current Subscription Term for annual subscriptions. ### 18.3 Termination for Cause Either Party may terminate these Terms immediately upon written notice if: (a) the other Party commits a material breach of these Terms and fails to cure such breach within thirty (30) days of receiving written notice specifying the breach; or (b) the other Party becomes insolvent, makes an assignment for the benefit of creditors, or becomes subject to bankruptcy, liquidation, or similar proceedings. ### 18.4 Suspension Provider may suspend Customer's access to the Service, in whole or in part, immediately and without prior notice if: (a) Customer's use of the Service poses a security risk to the Service or any third party; (b) Customer's use could subject Provider or any third party to liability; (c) Customer is in material breach of the AUP; (d) Customer's Account has an unpaid balance that is more than fifteen (15) days past due; or (e) suspension is required to comply with applicable law or a court or regulatory order. Provider will use reasonable efforts to limit the scope and duration of any suspension and to provide notice as soon as reasonably practicable. ### 18.5 Effects of Termination Upon termination or expiration of these Terms: (a) Customer's right to access and use the Service terminates immediately; (b) Customer must cease all use of the Service, API, and any Provider materials; (c) each Party must return or destroy the other Party's Confidential Information, except as required by law or for legitimate record-keeping purposes; (d) Customer may request export of Customer Data during the Retention Period (thirty (30) days following termination); and (e) after the Retention Period, Provider will delete Customer Data from its active systems. Deletion from backup systems will occur in accordance with Provider's standard backup rotation schedule, typically within ninety (90) days. ### 18.6 Survival The following Sections survive termination: 2 (Definitions), 6.1 (Ownership), 8 (Confidentiality), 9.1 (Provider IP), 9.4 (Feedback), 10 (Fees, with respect to accrued obligations), 14.3 (Disclaimer), 16 (Indemnities), 17 (Limitation of Liability), 18.5-18.6 (Effects, Survival), 23 (Governing Law), and 24 (Miscellaneous). --- ## 19. CHANGES TO TERMS ### 19.1 Modifications Provider may modify these Terms from time to time. Provider will notify Customer of material changes at least thirty (30) days before they take effect by email to the address associated with Customer's Account and by posting the updated Terms on the website. ### 19.2 Continued Use If Customer continues to use the Service after the effective date of the updated Terms, Customer is deemed to have accepted the updated Terms. If Customer does not agree with the updated Terms, Customer must discontinue use of the Service and may terminate these Terms in accordance with Section 18.2 without penalty, provided Customer notifies Provider within the thirty (30) day notice period. ### 19.3 Order Form Protection Modifications to these Terms do not retroactively alter the express terms of a signed Order Form unless the Parties agree in writing. --- ## 20. PUBLICITY ### 20.1 Customer Reference Provider may identify Customer by name and logo as a user of the Service in Provider's marketing materials, website, and client lists, unless Customer opts out by notifying Provider in writing at hello@recomai.hu. ### 20.2 Case Studies Provider will not publish detailed case studies or testimonials featuring Customer without Customer's prior written approval. --- ## 21. ASSIGNMENT; SUBCONTRACTING; RELATIONSHIP; FORCE MAJEURE ### 21.1 Assignment Neither Party may assign these Terms without the prior written consent of the other Party, except that either Party may assign these Terms without consent to an Affiliate or in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided the assignee agrees in writing to be bound by these Terms. Any prohibited assignment is void. ### 21.2 Subcontracting Provider may use subcontractors to perform its obligations under these Terms, provided that Provider remains responsible for its subcontractors' performance and compliance. With respect to subprocessors, the DPA (Annex B) applies. ### 21.3 Relationship The Parties are independent contractors. Nothing in these Terms creates a partnership, joint venture, agency, or employment relationship. Neither Party has the authority to bind the other or incur obligations on the other's behalf. ### 21.4 Force Majeure Neither Party will be liable for any failure or delay in performing its obligations (other than payment obligations) to the extent caused by circumstances beyond its reasonable control, including natural disasters, pandemics, war, terrorism, riots, government actions, power failures, internet or telecommunications failures, or denial-of-service attacks ("**Force Majeure Event**"). The affected Party must promptly notify the other Party and use reasonable efforts to mitigate the impact. If a Force Majeure Event continues for more than sixty (60) days, either Party may terminate these Terms upon written notice. --- ## 22. NOTICES ### 22.1 Legal Notices All legal notices under these Terms must be in writing and delivered to: **Provider:** Savvy Traveller Trading Kft. 6000 Kecskemet, Kokeny utca 10., Hungary Email: hello@recomai.hu **Customer:** The address and email associated with Customer's Account, or as specified in the Order Form. ### 22.2 Delivery Notices are deemed received: (a) if delivered personally, upon delivery; (b) if sent by registered mail, five (5) business days after posting; (c) if sent by email, upon confirmed receipt (excluding automated responses). For termination notices and legal proceedings, email notice alone is sufficient only if also followed by registered mail within five (5) business days. ### 22.3 Operational Notices Routine operational notices (maintenance windows, feature updates, usage alerts) may be delivered via email, the Dashboard, or the Service's notification system. --- ## 23. GOVERNING LAW; DISPUTE RESOLUTION; VENUE; INJUNCTIVE RELIEF ### 23.1 Governing Law These Terms are governed by and construed in accordance with the laws of Hungary, without regard to its conflict of laws principles. ### 23.2 Dispute Resolution The Parties will attempt to resolve any dispute arising out of or relating to these Terms through good-faith negotiation. If the dispute is not resolved within thirty (30) days of a Party's written notice of the dispute, either Party may pursue resolution as set out below. ### 23.3 Jurisdiction and Venue [CHOOSE: **(a) Ordinary courts (Recommended for most B2B SaaS):** The courts of Hungary shall have exclusive jurisdiction. If the matter falls within the competence of a district court, the Kecskemet District Court (Kecskeméti Járásbíróság) shall have exclusive jurisdiction; if within the competence of a regional court, the Szeged Regional Court (Szegedi Törvényszék) shall have exclusive jurisdiction. — OR — **(b) Arbitration:** Disputes shall be finally resolved by arbitration administered by the Permanent Arbitration Court attached to the Hungarian Chamber of Commerce and Industry, in accordance with its rules, by a sole arbitrator, in Hungarian, seated in Budapest.] ### 23.4 Injunctive Relief Nothing in this Section prevents either Party from seeking injunctive or other equitable relief from any court of competent jurisdiction to prevent irreparable harm pending resolution of a dispute. --- ## 24. MISCELLANEOUS ### 24.1 Severability If any provision of these Terms is held to be invalid, illegal, or unenforceable, the remaining provisions will continue in full force and effect. The invalid provision will be modified to the minimum extent necessary to make it valid and enforceable while preserving the Parties' original intent. ### 24.2 Waiver No failure or delay by either Party in exercising any right under these Terms constitutes a waiver of that right. A waiver of any right is effective only if in writing and signed by the waiving Party. ### 24.3 Entire Agreement These Terms (including all Annexes, Order Forms, and SOWs) constitute the entire agreement between the Parties with respect to the subject matter hereof and supersede all prior and contemporaneous agreements, representations, and understandings, whether written or oral. ### 24.4 Interpretation Headings are for convenience only and do not affect interpretation. "Including" means "including without limitation." References to "days" mean calendar days unless otherwise specified. References to "written" or "in writing" include email. ### 24.5 Counterparts Order Forms and SOWs may be executed in counterparts, each of which is deemed an original. Electronic signatures have the same legal effect as handwritten signatures. ### 24.6 No Third-Party Beneficiaries These Terms do not confer any rights on any third party, except as expressly stated (such as indemnified persons under Section 16). --- --- # ANNEX A: ACCEPTABLE USE POLICY (AUP) **Effective Date:** [Same as Terms] This Acceptable Use Policy ("**AUP**") governs Customer's use of the Service and is incorporated into the Terms of Service by reference. ## A.1 General Customer must use the Service only for lawful purposes and in accordance with these Terms and the Documentation. Customer is responsible for ensuring that all Authorised Users and End Users comply with this AUP. ## A.2 Prohibited Content Customer must not submit, upload, or transmit to the Service any data or content that: (a) is unlawful, defamatory, obscene, or harmful; (b) infringes any third party's Intellectual Property Rights, privacy rights, or other rights; (c) contains malware, viruses, or other harmful code; (d) constitutes unsolicited commercial communications (spam); or (e) violates applicable export control, sanctions, or anti-money laundering laws. ## A.3 Prohibited Uses Customer must not: (a) **Unlawful Discrimination:** Use the Service to discriminate against individuals or groups based on protected characteristics (race, ethnicity, gender, religion, sexual orientation, disability, age, or any other protected characteristic under applicable law); (b) **Sensitive Inference:** Use the Service to infer sensitive personal data (as defined in Article 9 GDPR) about individuals, including health status, political opinions, religious beliefs, sexual orientation, or trade union membership; (c) **Harmful Profiling:** Use the Service to create profiles of individuals for purposes that are harmful, manipulative, or exploitative, including predatory pricing based on vulnerability assessments; (d) **Solely Automated Decisions:** Use Recommendation Outputs as the sole basis for decisions with legal or similarly significant effects on individuals without implementing the safeguards required by Article 22 GDPR; (e) **Security Abuse:** Attempt to gain unauthorised access to the Service, other Customers' data, Provider's infrastructure, or any connected systems; conduct vulnerability scanning, penetration testing, or security assessments of the Service without Provider's prior written consent; (f) **Service Disruption:** Intentionally overload, disrupt, or impair the Service or its infrastructure, including through denial-of-service attacks, excessive API calls designed to exhaust resources, or deliberate exploitation of rate limit mechanisms; (g) **Model Extraction:** Systematically query the Service to extract, reconstruct, or reverse-engineer the underlying Models, algorithms, or training data; (h) **Scraping:** Systematically scrape, crawl, or harvest data from the Service or API beyond normal usage patterns, or assist third parties in doing so; (i) **Competitive Use:** Use the Service to develop, train, or improve a competing product or service; (j) **Benchmarking:** Publish performance benchmarks or comparative analyses of the Service without Provider's prior written consent; (k) **Circumvention:** Attempt to circumvent usage limits, authentication mechanisms, rate limiting, or access controls; (l) **Fraudulent Use:** Use the Service for any fraudulent purpose, including manipulating recommendation results to deceive End Users; or (m) **Illegal Activities:** Use the Service in connection with any activity that violates applicable law. ## A.4 Enforcement Provider may investigate suspected violations of this AUP. If Provider determines that a violation has occurred, Provider may take action including: (a) issuing a warning; (b) temporarily or permanently suspending access to the Service; (c) removing violating content; (d) terminating the Agreement for cause; and/or (e) reporting the violation to law enforcement if required or appropriate. Provider will use reasonable efforts to notify Customer before taking enforcement action, except where immediate action is necessary to prevent harm or comply with legal obligations. --- --- # ANNEX B: DATA PROCESSING ADDENDUM (DPA) **Effective Date:** [Same as Terms] This Data Processing Addendum ("**DPA**") supplements the Terms of Service and forms an integral part thereof. Capitalised terms not defined in this DPA have the meanings given in the Terms. ## B.1 Scope and Roles ### B.1.1 This DPA applies to the extent that Provider processes personal data on behalf of Customer as a data processor in the course of providing the Service. ### B.1.2 Customer is the data controller (or, where applicable, data processor acting on behalf of its own controllers). Provider is the data processor. ## B.2 Subject Matter and Duration ### B.2.1 Subject Matter The processing of personal data by Provider in connection with the provision of the Service as described in the Terms. ### B.2.2 Duration The processing will continue for the duration of the Subscription Term plus the Retention Period, unless earlier terminated. ## B.3 Nature and Purpose of Processing Provider processes personal data for the following purposes: (a) providing the Service, including generating Recommendation Outputs; (b) ingesting and processing behavioural events (page views, add-to-cart events, purchases, conversions); (c) recording served recommendation logs and feedback events; (d) training and updating Tenant Models; (e) providing analytics and performance reporting; (f) providing technical support; (g) billing and usage measurement; and (h) as otherwise instructed by Customer through the Service's functionality or in writing. ## B.4 Categories of Data Subjects - End Users (visitors and customers of Customer's online Stores) - Customer's employees, contractors, and Authorised Users ## B.5 Categories of Personal Data - Pseudonymous identifiers (session UUIDs, user IDs, tracking identifiers) - Behavioural data (page views, product views, add-to-cart events, purchases) - Order data (order identifiers, product identifiers, quantities, revenue amounts) - Device and browser metadata (device type, user agent — where collected by tracking) - IP addresses (where collected by tracking, processed transiently) - Email addresses and names (of Authorised Users for Account management) - Any other personal data included by Customer in Customer Data ## B.6 Customer Instructions ### B.6.1 Provider will process personal data only on Customer's documented instructions, unless required by EU or Member State law to which Provider is subject (in which case Provider will inform Customer of that legal requirement before processing, unless legally prohibited from doing so). ### B.6.2 Customer's instructions are set out in: (a) these Terms and the DPA; (b) Customer's Configuration of the Service; and (c) any additional documented instructions provided by Customer in writing. Provider will promptly inform Customer if, in Provider's opinion, an instruction infringes applicable data protection law. ## B.7 Confidentiality Provider ensures that all personnel authorised to process personal data under this DPA are bound by appropriate confidentiality obligations (whether contractual or statutory). ## B.8 Security Measures Provider implements the technical and organisational measures described in **Annex C** to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Provider will not materially reduce the overall level of security during the Subscription Term. ## B.9 Subprocessors ### B.9.1 Current Subprocessors Customer hereby provides general written authorisation for Provider to engage subprocessors. As of the Effective Date, Provider uses the following subprocessors: | Subprocessor | Purpose | Location | |--------------|---------|----------| | Hetzner Online GmbH | Infrastructure hosting (servers, databases, storage) | Germany (EU) | | Stripe, Inc. | Payment processing and billing | EU/US (with EU data residency) | ### B.9.2 New Subprocessors Provider will notify Customer at least thirty (30) days before engaging a new subprocessor, by email or via the Dashboard. Customer may object to a new subprocessor on reasonable data protection grounds within fifteen (15) days of receiving notice. If Customer objects and the Parties cannot resolve the objection within thirty (30) days, Customer may terminate the affected Service without penalty. ### B.9.3 Subprocessor Obligations Provider will impose data protection obligations on each subprocessor that are no less protective than those set out in this DPA. Provider remains liable for the acts and omissions of its subprocessors. ## B.10 Cross-Border Transfers ### B.10.1 Provider stores and processes Customer Data within the European Economic Area (EEA). As of the Effective Date, Provider does not transfer personal data outside the EEA for the core Service. ### B.10.2 If a transfer of personal data outside the EEA becomes necessary (for example, through the engagement of a subprocessor located outside the EEA), Provider will ensure that an appropriate transfer mechanism is in place, such as: (a) an adequacy decision by the European Commission (Article 45 GDPR); (b) Standard Contractual Clauses (SCCs) adopted by the European Commission (Article 46(2)(c) GDPR), supplemented by a transfer impact assessment where required; or (c) another lawful transfer mechanism under Chapter V GDPR. ### B.10.3 SCCs Where SCCs are required, the Parties agree that the SCCs adopted by Commission Implementing Decision (EU) 2021/914 apply, with Module Two (Controller-to-Processor) as the default. [Applicable Module and Annexes to be completed based on the specific transfer scenario.] ## B.11 Assistance ### B.11.1 Data Subject Rights Provider will assist Customer, by appropriate technical and organisational measures, in fulfilling Customer's obligations to respond to data subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection). Provider will promptly forward to Customer any data subject request it receives directly. ### B.11.2 Other Obligations Provider will assist Customer in ensuring compliance with Articles 32-36 GDPR (security, breach notification, DPIAs, prior consultation), taking into account the nature of processing and the information available to Provider. ## B.12 Audits ### B.12.1 Provider will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or a qualified, independent auditor mandated by Customer. Customer must provide at least thirty (30) days' prior written notice of an audit. Audits will be conducted during business hours, with reasonable scope and duration, and will not unreasonably interfere with Provider's operations. ### B.12.2 If Customer requests an on-site audit, Customer will bear the reasonable costs of the audit. Provider may charge a reasonable fee for time spent assisting with audits beyond what is necessary to demonstrate compliance. ### B.12.3 Provider may satisfy audit requests by providing: (a) relevant certifications or audit reports (such as SOC 2, if available); (b) the results of penetration tests; or (c) written responses to Customer's audit questionnaire. ## B.13 Data Breach Notification ### B.13.1 Provider will notify Customer without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a personal data breach affecting Customer Data. ### B.13.2 The notification will include, to the extent available: (a) a description of the nature of the breach, including the categories and approximate number of data subjects and records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach, including mitigation measures; and (d) the name and contact details of Provider's contact point. ### B.13.3 Provider will cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. ## B.14 Deletion and Return of Data ### B.14.1 Upon termination or expiration of the Terms, Provider will, at Customer's election, delete or return all personal data processed under this DPA, and delete existing copies, unless EU or Member State law requires continued storage. ### B.14.2 Customer must make its election within the Retention Period (thirty (30) days after termination). If Customer does not make an election, Provider will delete the personal data after the Retention Period. ### B.14.3 Deletion from backup systems will occur in accordance with Provider's standard backup rotation schedule, not exceeding ninety (90) days from the end of the Retention Period. ## B.15 DPO and Contact Provider's data protection contact: Email: hello@recomai.hu [**Assumption:** Provider has not appointed a formal DPO. If a DPO is appointed, insert details here.] --- --- # ANNEX C: SECURITY MEASURES (TECHNICAL AND ORGANISATIONAL MEASURES — TOMs) **Effective Date:** [Same as Terms] Provider implements the following categories of technical and organisational measures to protect Customer Data and personal data: ## C.1 Access Control - **Authentication:** Dashboard access requires authenticated login with email and password. API access requires valid API Keys transmitted via secure headers. - **Authorisation:** Role-based access control (RBAC) for Authorised Users within the Dashboard. Principle of least privilege applied to Provider's internal systems. - **Multi-Tenant Isolation:** Each Customer's (Tenant's) data is logically isolated using PostgreSQL row-level security (tenant_id-based context). Tenant context is set per database session and cleared after each request. - **Internal API Security:** Internal service-to-service calls are authenticated using shared secrets (X-Scylla-Shared-Secret header). Internal endpoints are disabled if the shared secret is not configured. ## C.2 Data Protection in Transit - All data transmitted between Customer and the Service is encrypted using TLS 1.2 or higher. - API endpoints are accessible only via HTTPS. - Internal service-to-service communication uses encrypted channels. ## C.3 Data Protection at Rest - Customer Data stored in PostgreSQL databases is protected by disk-level encryption provided by the hosting provider (Hetzner). - Backups are encrypted. ## C.4 Infrastructure Security - **Hosting:** The Service is hosted on Hetzner infrastructure within the European Union (Germany). - **Network Security:** Firewalls, network segmentation, and intrusion prevention measures are in place. - **Patch Management:** Operating systems and software dependencies are kept up to date with security patches. ## C.5 Application Security - **Rate Limiting:** API and tracking endpoints enforce rate limits to prevent abuse (throttling per tenant/store). - **Input Validation:** All API inputs are validated using Pydantic schemas (Python) and Laravel form request validation (PHP). - **Origin Verification:** Public-facing storefront endpoints verify the request origin against registered Store domains. - **CORS:** Strict Cross-Origin Resource Sharing policies restrict which domains may access the API. - **Idempotent Ingestion:** Feedback and event ingestion uses deduplication hashes to prevent duplicate processing. ## C.6 Operational Security - **Logging and Monitoring:** The Service logs API requests, errors, and system events for security monitoring, debugging, and billing. Logs are retained for a reasonable period and access is restricted. - **Incident Response:** Provider maintains incident response procedures to detect, investigate, and remediate security incidents. - **Business Continuity:** Regular backups are maintained for disaster recovery. ## C.7 Personnel Security - Provider's personnel with access to Customer Data are bound by confidentiality obligations. - Access to production systems is restricted to authorised personnel on a need-to-know basis. ## C.8 Telemetry and Logging For transparency, the following data is logged by the Service: | Data Logged | Purpose | Retention | |-------------|---------|-----------| | API request metadata (endpoint, status, response time) | Performance monitoring, debugging, billing | [90 days — **Assumption**] | | Recommendation served logs (request ID, session UUID, placement, recommendations served, response metadata) | Analytics, model training, A/B testing | Duration of Subscription Term + Retention Period | | Feedback events (clicks, impressions, revenue attribution) | Model training, analytics | Duration of Subscription Term + Retention Period | | Storefront events (page views, add-to-cart, purchases) | Model training, analytics | Duration of Subscription Term + Retention Period | | Error logs | Debugging | [30 days — **Assumption**] | --- --- # ANNEX D: SERVICE LEVEL AGREEMENT (SLA) **Effective Date:** [Same as Terms] ## D.1 Applicability This SLA applies only to Customers on the **Vallalati** plan or Customers whose Order Form expressly incorporates this SLA. For all other plans, **no SLA applies**; Provider will use commercially reasonable efforts to maintain availability, but no specific availability target or service credit is provided. ## D.2 Availability Commitment Provider commits to a monthly Service availability of **99%** ("**Availability Target**"), measured as follows: **Monthly Availability (%) = ((Total Minutes in Month - Downtime Minutes) / Total Minutes in Month) x 100** "**Downtime**" means the period during which the API's primary recommendation endpoints return errors (HTTP 5xx) for more than fifty percent (50%) of valid requests over a rolling five-minute window, as measured by Provider's monitoring systems. Downtime does not include Excluded Events (Section D.4). ## D.3 Service Credits If Provider fails to meet the Availability Target in a given calendar month, Customer is entitled to a service credit calculated as follows: | Monthly Availability | Service Credit (% of monthly Fee) | |---------------------|-------------------------------------| | 98.0% - 98.99% | 5% | | 95.0% - 97.99% | 10% | | 90.0% - 94.99% | 20% | | Below 90.0% | 30% | ### D.3.1 Service credits are Customer's sole and exclusive remedy for Provider's failure to meet the Availability Target. ### D.3.2 To request a service credit, Customer must submit a written request to hello@recomai.hu within thirty (30) days of the end of the month in which the downtime occurred. ### D.3.3 Service credits are applied against future Fees and are not payable in cash. Service credits may not exceed thirty percent (30%) of the monthly Fee for the affected month. Service credits expire if Customer terminates or does not renew its subscription. ## D.4 Exclusions The following events are excluded from Downtime calculations: (a) Scheduled maintenance (as defined in Section 12.4 of the Terms); (b) Force majeure events; (c) Failures caused by Customer's equipment, network, software, or actions; (d) Failures caused by Customer's breach of the Terms, AUP, or Documentation; (e) Third-party service outages outside Provider's reasonable control; (f) Suspension of Service in accordance with the Terms; and (g) DNS propagation delays. ## D.5 Support Response Targets The following are target (not guaranteed) response times for support requests: | Severity | Description | Target Initial Response | |----------|-------------|------------------------| | Critical | Service completely unavailable; no workaround | 4 business hours | | High | Major feature impaired; workaround available | 8 business hours | | Medium | Non-critical issue affecting operations | 2 business days | | Low | General question, minor issue, feature request | 5 business days | Support is available via email at hello@recomai.hu during CET business hours (Monday-Friday, 09:00-17:00 CET, excluding Hungarian public holidays). ## D.6 Support for Non-SLA Plans Customers on the Kezdo, Normal, and Premium plans receive best-effort support with the following target response times (not guaranteed and not subject to service credits): | Severity | Target Initial Response | |----------|------------------------| | Critical | 1 business day | | High | 2 business days | | Medium | 5 business days | | Low | 10 business days | --- --- **END OF ENGLISH TERMS OF SERVICE** *This document continues with the Hungarian translation, which is the legally prevailing version. See: terms-of-service-hu.md*