InnOpen Group Kft.
Privacy Policy
Effective Date: 24 March 2026 Last Updated: 24 March 2026
Section 1
Who We Are
InnOpen Group Kft. (hereinafter "InnOpen", "we", "us", or "our") is an IT services and ERP consultancy company registered in Hungary, operating as Data Controller under the EU General Data Protection Regulation (GDPR).
- Company name
- InnOpen Group Kft.
- Website
- www.innopen.eu
- Country
- Hungary (EU)
- Role
- Data Controller under GDPR
Section 2
Scope of This Policy
This Privacy Policy applies to:
- Visitors and users of www.innopen.eu
- Users accessing our services through Google Sign-In (OAuth 2.0)
- Clients and contacts using our Odoo-based portals and applications
- Any person whose personal data we process in connection with our business activities
This policy complies with the EU General Data Protection Regulation (GDPR), the Hungarian Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information, and Google's API Services User Data Policy.
Section 3
Data We Collect
We may collect the following categories of personal data:
Identity & Contact Data
- Full name, email address, phone number, company name
- Profile picture (when provided via Google Sign-In)
Authentication Data (via Google Sign-In)
- Google account ID (
sub), email address, name, and profile picture as returned by the Google OAuth 2.0 API - OAuth 2.0 access tokens and refresh tokens (stored securely; never shared with third parties)
- We request only the minimum OAuth scopes necessary:
openid,email,profile
Technical & Usage Data
- IP address, browser type and version, operating system
- Pages visited, timestamps, session duration, referrer URLs
- Error logs and diagnostic information
Business & Transactional Data
- Data entered into our Odoo ERP system: orders, invoices, support tickets, CRM records
- Communications sent through our platform
Section 4
Google API Services & Google Sign-In
Google API Services User Data Policy
InnOpen Group Kft.'s use and transfer to any other app of information received from Google APIs will adhere to the
Google API Services User Data Policy,
including the Limited Use requirements.
What We Use Google APIs For
- Authentication: We use Google Sign-In (OAuth 2.0) to allow users to log in to our Odoo-based web portals securely without a separate password.
- Identity verification: We retrieve your Google account's name, email address, and profile picture to pre-fill your user profile.
Limited Use Disclosure
Data obtained via Google APIs is used strictly to provide or improve the user-facing features of our service. We do not:
- Use Google user data to serve advertising or for retargeting
- Sell, rent, or transfer Google user data to third parties
- Use Google user data for purposes unrelated to the authenticated service
- Use Google user data to train machine learning or AI models
- Allow humans to read Google user data unless (a) we have your explicit consent, (b) it is necessary for security or compliance, or (c) it is aggregated and anonymised
Revoking Google Access
You may revoke InnOpen Group Kft.'s access to your Google account at any time by visiting Google Account Permissions. Revoking access will sign you out of our services. Data previously collected will be handled according to Section 8.
Section 5
Legal Basis for Processing
Under GDPR Article 6, we process your personal data on the following legal bases:
Consent (Art. 6(1)(a))
When you choose to log in with Google Sign-In; when subscribing to communications.
Contract (Art. 6(1)(b))
Processing necessary to deliver the services you have requested or contracted.
Legal Obligation (Art. 6(1)(c))
Where required by Hungarian or EU law (e.g. invoicing, tax records).
Legitimate Interests (Art. 6(1)(f))
Security monitoring, fraud prevention, service improvement.
Section 6
How We Use Your Data
- Account & Authentication
- To create, manage, and authenticate your user account via Google Sign-In or Odoo portal login.
- Service Delivery
- To provide ERP, consultancy, and web services requested by you or your organisation.
- Communication
- To respond to enquiries, send service notifications, and provide support.
- Security
- To detect, investigate, and prevent fraudulent transactions, abuse, and security incidents.
- Legal Compliance
- To meet our obligations under Hungarian and EU law, including tax, accounting, and audit requirements.
- Improvement
- To analyse usage patterns (in aggregated, anonymised form) to improve our platform and services.
Section 7
Sharing & Disclosure of Data
We do not sell, rent, or trade your personal data. We may share data only in the following circumstances:
- Service Providers
- Trusted third-party processors who assist in operating our platform (e.g. hosting providers, email delivery services), bound by GDPR Article 28-compliant data processing agreements.
- Google LLC
- As the OAuth 2.0 identity provider. Please refer to Google's Privacy Policy.
- Legal Authorities
- Where required by applicable law, court order, or regulatory obligation.
- Business Transfers
- In the event of a merger, acquisition, or asset sale, personal data may be transferred; affected users will be notified.
We do not transfer personal data outside the European Economic Area (EEA) without appropriate safeguards (Standard Contractual Clauses or adequacy decisions).
Section 8
Data Retention
Account & authentication data
Duration of active account + 30 days after deletion request
Google OAuth tokens
Until revoked by user or session expiry
Financial / invoicing records
8 years (Hungarian Accounting Act)
Support & communication logs
3 years from last interaction
Technical / server logs
90 days
After the applicable retention period, data is securely deleted or anonymised. Requests for early deletion may be submitted as described in Section 9.
Section 9
Your Rights Under GDPR
As a data subject under GDPR, you have the following rights. To exercise any of them, contact us as described in Section 14. We will respond within 30 days.
Right of Access (Art. 15)
Request a copy of the personal data we hold about you.
Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete data.
Right to Erasure (Art. 17)
Request deletion of your personal data where no overriding legal basis exists.
Right to Restrict Processing (Art. 18)
Request that we limit how we use your data in certain circumstances.
Right to Data Portability (Art. 20)
Receive your data in a structured, machine-readable format.
Right to Object (Art. 21)
Object to processing based on legitimate interests or for direct marketing.
Right to Withdraw Consent
Withdraw consent at any time where processing is consent-based, without affecting prior lawful processing.
Right to Lodge a Complaint
Complain to the Hungarian data protection authority: NAIH – naih.hu
Section 10
Security
We implement appropriate technical and organisational measures to protect your personal data. These include:
- HTTPS/TLS encryption for all data in transit
- Encrypted storage for OAuth tokens and sensitive credentials
- Role-based access controls within our Odoo environment
- Regular security reviews and dependency updates
- Audit logging for sensitive data access events
In the event of a personal data breach posing a risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, in accordance with GDPR Articles 33–34.
Section 11
Cookies & Tracking
Our website and Odoo portal use cookies and similar technologies:
Strictly Necessary
Session management, CSRF protection, login state.
Basis: Legitimate interest / Contract
Functional
Language preferences, UI settings.
Basis: Consent
Analytics
Aggregated usage statistics to improve the platform.
Basis: Consent
Google OAuth
Authentication state cookies set by Google's login flow.
Basis: Consent (at login)
You can control cookie preferences through your browser settings. Blocking strictly necessary cookies may impair service functionality.
Section 12
Children's Privacy
Our services are intended for business users and are not directed at children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that a child has provided personal data without parental consent, we will delete it promptly. Please contact us as described in Section 14 if you believe a child has shared data with us.
Section 13
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
- Posting the updated policy at www.innopen.eu/privacy with a revised effective date
- Displaying a prominent notice within the Odoo portal or application
- Sending an email notification if the change materially affects how we process your data
Continued use of our services after the effective date constitutes acceptance of the updated policy.
Contact
Have a question? Get in touch.
For data protection enquiries, rights requests, or any questions about this policy.
Contact UsCompany
InnOpen Group Kft.
Budapest, Hungary
Website
This document was last reviewed on 24 March 2026.