Privacy Policy
Gammatica
PRIVACY POLICY
Gammatica AI-Powered Management Platform
Version 2.0 | Effective: 15 March 2026
This document provides information about the processing of personal data related to the Gammatica software (“Gammatica” or “Software”) owned and operated by Gammatica Korlátolt Felelősségű Társaság as the data controller (“Gammatica Kft.” or “Controller”).
The personal data of customers using the Software (“Data Subject” or “User”) is processed by the Controller in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Hungarian data protection legislation (Act CXII of 2011).
The Controller reserves the right to unilaterally amend this document at any time. The amended Privacy Policy shall be effective as of the date of its publication.
1. Data Controller
Company name: Gammatica Kft.
Registered office: 1123 Budapest, Nagyenyed utca 5., basement level, Hungary
Postal address: 1123 Budapest, Nagyenyed utca 5., basement level, Hungary
Company reg. number: 01-09-434270
Court of registration: Budapest-Capital Regional Court
Tax number: 32628186-2-43
EU VAT number: HU32628186
Represented by: Viktor Dániel Várhegyi, Managing Director
Email: support@gammatica.co
2. Data Processing During the Use of the Software
2.1. Contact by Email
Purpose: To communicate with the User and reply to information sent by email.
Legal basis: The User’s prior, informed and voluntary consent (Article 6(1)(a) GDPR).
Data processed: Email address, other personal data provided by the User (typically name).
Retention period: 3 months from the date of the last communication.
Authorised access: Employees or agents responsible for contact and enquiries.
2.2. Registration and User Account Management
By clicking “Registration”, the User declares that they have read the Terms of Service and this Privacy Policy, understand their contents, and accept the terms of data processing.
Purpose: Registration, granting access, and sending reports.
Legal basis: Performance of a contract (Article 6(1)(b) GDPR).
Data for registration: First name, last name, email address.
Data for account management: First name, last name, password, email, language. Optionally: position, profile picture.
After registration, Users can log in via email/password or Google Account. Organisation heads can invite team members by email.
Retention period: 5 years after the termination of the contract.
Users may upload various content (client data, comments, ratings, calendar links). Gammatica provides the platform and data security but excludes responsibility for user-uploaded content.
2.3. Billing
Purpose: Billing for services used.
Legal basis: Legal obligation (Article 6(1)(c) GDPR; Act C of 2000 on Accounting; Act CL of 2017 on Taxation).
Data processed: Name/company name, billing address, tax number, bank account number (if applicable).
Retention period: 8 years after the relevant financial year.
2.4. Artificial Intelligence (AI) Features
Gammatica uses AI features to enhance the user experience:
- AI-powered chatbot (lead qualification, customer support)
- Automated text generation and content suggestions
- AI-assisted CRM features (lead scoring, notifications, workflow automation)
- Summary and report generation
- AI-powered email reply (analysing incoming emails and generating reply suggestions)
Purpose: Operating AI features to provide intelligent responses, suggestions, and automations based on User-provided data.
Legal basis: Performance of a contract (Article 6(1)(b) GDPR) — AI features are integral to the Software; and legitimate interest (Article 6(1)(f) GDPR) for service quality improvement.
Data processed: Text data entered into chat, CRM, and other fields; client data (name, email, phone, company); incoming and outgoing email content (when using AI email reply); behavioural data (interactions, clicks); uploaded document content insofar as processed by AI.
Retention period: OpenRouter does not store prompts or responses by default. AI-generated content stored in the CRM is retained until the User’s account is deleted.
Important notice: When using AI features, personal data may be transmitted via OpenRouter, Inc. to third-party language model providers (see Sections 3 and 4). When using AI email reply, email content (including sender name, address, and message body) may be transmitted to the AI provider. Please do not enter special categories of personal data (health, racial, political, sexual orientation, etc.) when using AI features.
2.5. Third-Party Integrations
Gammatica integrates with the following third-party services, activated only with the User’s explicit permission:
| Integration | Purpose | Data Processed |
|---|---|---|
| Gmail (Google) | Sending, receiving, and managing emails within Gammatica; AI-powered email reply generation | Email address, subject and body, sender/recipient data, attachment metadata |
| Google Calendar | Calendar event synchronisation, meeting management from CRM | Event name, date/time, attendee emails, location, description |
| Microsoft Outlook (email & calendar) | Email and calendar synchronisation with Gammatica; AI-powered email reply generation | Email address, subject and body, calendar event data, attendees |
| Make.com (Celonis) | Automation workflows: cross-system data synchronisation, trigger-based actions | All data involved in the workflow (CRM data, email data, calendar data — depending on the scenario configured) |
Legal basis: Performance of a contract (Article 6(1)(b) GDPR). Integrations only operate after the User’s activation and OAuth consent.
Retention period: Until the integration is deactivated or the User’s account is deleted. Third-party providers’ own retention policies also apply.
2.6. Automated Decision-Making and Profiling
In accordance with Article 22 of the GDPR, the Controller informs Users that Gammatica performs the following automated processing activities:
| Feature | Description and Impact |
|---|---|
| AI-based lead scoring | The system automatically scores clients based on interactions. Advisory only; the final decision is made by the User. |
| Chatbot-based qualification | The AI chatbot pre-screens enquiries. Serves as a suggestion, not a decision with legal effect. |
| Automatic workflow triggers | CRM events may trigger automatic actions (e.g., email sending, status change), including via Make.com. |
| AI email reply suggestion | AI analyses incoming emails and generates reply suggestions. Final sending requires the User’s approval. |
Data Subject’s right: The User may at any time request human intervention, express their view, and contest an automated decision by contacting support@gammatica.co.
3. Recipients, Data Transfers, Data Processors
Users’ personal data may be transferred or made available to:
| Name | Contact | Purpose / Task | Location |
|---|---|---|---|
| VAMOSOFT Kft. | 2310 Szigetszentmiklós, Kert u. 6. | info@vamosoft.hu | Software development, support | Hungary |
| Szigeti-Korán | 1132 Budapest, Visegrádi u. 48. | info@szigeti-koran.hu | Accountant | Hungary |
| DigitalOcean LLC | 101 6th Ave, New York | privacy@digitalocean.com | Hosting service | USA |
| Stripe Payments Europe Ltd. | Grand Canal St Lower, Dublin | privacy@stripe.com | Online payment system | Ireland |
| Billingo Technologies Zrt. | 1133 Budapest, Árbóc u. 6. | hello@billingo.hu | Online billing system | Hungary |
| Smartsupp.com, s.r.o. | Šumavská 31, 602 00 Brno | dpo@smartsupp.com | Online chat, customer support | Czech Republic |
| Make.com (Celonis SE) | Thomas-Dehler-Str. 14, Munich | privacy@celonis.com | Automation workflows | Germany |
| Google LLC (Gmail, Calendar, Workspace) | 1600 Amphitheatre Pkwy, Mountain View | privacy@google.com | Email & calendar integration, OAuth | USA |
| Microsoft Corp. (Outlook) | One Microsoft Way, Redmond | privacy@microsoft.com | Email & calendar integration | USA |
| PostHog Inc. (EU Cloud) | EU hosting: Frankfurt (AWS eu-central-1) | privacy@posthog.com | Product analytics, user behaviour analysis | EU (Germany) |
3.1. AI Service Data Processors
Gammatica’s AI features operate through OpenRouter, Inc., which routes requests to AI model providers.
| Provider | Location | Task | Data Retention |
|---|---|---|---|
| OpenRouter, Inc. | USA (New York) | Routing AI requests (proxy) | Does not store prompts/responses by default. Zero Data Retention (ZDR) enabled. |
| AI model providers (sub-processors) | USA / EU | Running language models, text generation, email reply generation | Only routes to providers that do not log prompts or use them for training. |
Sub-processors: Anthropic (Claude), OpenAI, Google (Gemini), Meta (Llama). Current list: openrouter.ai/docs/guides/privacy/logging
4. Data Transfers to Third Countries (Outside the EEA)
Personal data may be transferred outside the European Economic Area (EEA) with the following safeguards:
| Provider | Destination | Safeguards Applied |
|---|---|---|
| DigitalOcean LLC | USA | EU-U.S. Data Privacy Framework (DPF); Standard Contractual Clauses (SCC) |
| OpenRouter, Inc. | USA | Standard Contractual Clauses (SCC); Zero Data Retention (ZDR) |
| AI model providers | USA / varies | OpenRouter’s privacy settings ensure transfers only to providers with adequate safeguards |
| Stripe Payments Europe | Ireland / USA | EU-U.S. Data Privacy Framework; Stripe DPA |
| Google LLC | USA | EU-U.S. Data Privacy Framework; Google DPA; Standard Contractual Clauses |
| Microsoft Corp. | USA | EU-U.S. Data Privacy Framework; Microsoft DPA; Standard Contractual Clauses |
Note: Make.com (Celonis SE, Germany) and PostHog EU Cloud (Frankfurt, Germany) store data within the EEA and do not constitute third-country transfers.
Data Subject’s right: A copy of the safeguards can be requested at support@gammatica.co.
5. Cookies and Web Tracking
The gammatica.com website uses the following cookies and tracking technologies:
| Cookie / Tool | Purpose | Legal Basis | Lifetime |
|---|---|---|---|
| PostHog (EU Cloud) | Product analytics, session recording, feature usage analysis | Consent (Art. 6(1)(a) GDPR) | 24 months |
| Google Analytics | Website traffic analysis, visitor statistics | Consent (Art. 6(1)(a) GDPR) | 26 months |
| Google Tag Manager | Tag management for tracking codes | Consent (Art. 6(1)(a) GDPR) | Session |
| Meta Pixel | Ad campaign measurement, remarketing | Consent (Art. 6(1)(a) GDPR) | 90 days |
| Meta Conversions API | Server-side conversion tracking | Consent (Art. 6(1)(a) GDPR) | 90 days |
| Smartsupp | Online chat, customer support | Legitimate interest (Art. 6(1)(f)) | Until chat ends |
| Essential cookies | Basic website functionality | Legitimate interest (Art. 6(1)(f)) | Session |
PostHog EU Cloud: Analytics data is stored within the EU in Frankfurt (AWS eu-central-1). IP address capture is disabled by default.
Managing cookies: Users can accept or reject non-essential cookies via the cookie banner on first visit. Settings can be changed at any time.
5.1. Google Workspace API
The Controller explicitly affirms that Google Workspace APIs are not used to develop, improve, or train generalised AI and/or ML models.
The application may access the following Google user data:
- User profile: name, email address, profile picture
- Gmail content: reading and sending emails on behalf of the User (with explicit permission)
- Google Calendar: creating, reading, and modifying calendar events
- Google Workspace files: documents necessary for the Software’s functionality (with explicit permission)
Google user data is never sold. Data is only shared with third parties with User consent, for legal compliance, or with service providers bound by confidentiality agreements.
5.1.1. Data Protection Mechanisms for Google User Data
Gammatica implements the following technical and organizational measures to protect Google user data accessed through Google Workspace APIs. These measures are in addition to the general data security measures described elsewhere in this Privacy Policy:
Encryption: All data transmitted between Gammatica and Google services is encrypted using TLS 1.2 or higher (HTTPS). Google OAuth tokens and refresh tokens are encrypted at rest using AES-256 encryption and are stored separately from other application data.
Access Control: Access to Google user data within the Gammatica platform is governed by role-based access control (RBAC). Only authenticated and authorized users within a workspace can access data obtained through Google integrations. Internal staff access to production systems containing Google user data is restricted to essential personnel only and is logged.
Token Security: Google OAuth access tokens and refresh tokens are never:
- logged in application logs or error reports;
- displayed in user interfaces;
- transmitted to third parties;
- stored in client-side code or browser storage.
Tokens are stored server-side in encrypted form and are automatically revoked when the user disconnects the Google integration from their Gammatica account.
Data Isolation: Each workspace's Google integration data is logically isolated. Users in one workspace cannot access Google data belonging to another workspace.
Monitoring and Incident Response: Gammatica maintains system monitoring to detect unauthorized access attempts to Google user data. In the event of a data breach involving Google user data, Gammatica will notify affected users and Google within 72 hours in accordance with GDPR Article 33.
Data Minimization: Gammatica requests only the minimum OAuth scopes necessary for functionality. For Gmail integration, only the scopes required for sending and reading emails on behalf of the user are requested. Gammatica does not request or store full Gmail mailbox access beyond what is necessary for the features activated by the user.
Data Retention and Deletion: Google OAuth tokens are retained only while the user's Google integration is active. When a user disconnects their Google account or deletes their Gammatica workspace, all associated Google tokens and cached Google data are permanently and immediately deleted from Gammatica's systems.
Regular Security Reviews: Gammatica conducts periodic security reviews of its integration with Google APIs to ensure continued compliance with the Google API Services User Data Policy and applicable data protection regulations.
5.1.2. Google API Services Limited Use Disclosure
Gammatica's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- Gammatica will only use access to Google user data to provide and improve user-facing features that are prominent in the application's user interface.
- Gammatica will not transfer Google user data to third parties unless necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with prior user notice.
- Gammatica will not use Google user data for serving advertisements.
- Gammatica will not allow humans to read Google user data unless the user has provided affirmative consent, it is necessary for security purposes, to comply with applicable law, or the data is aggregated and anonymized for internal operations.
6. Data Subject’s Rights
6.1. Right of Access
Data Subjects may request information on whether their data is processed, what data, on what basis, for what purpose, for how long, and whether automated decision-making applies. The first copy is free.
6.2. Right to Rectification
The Data Subject may request rectification of inaccurate data. The Controller shall comply within one month.
6.3. Right to Restriction of Processing
The Data Subject may request restriction where: accuracy is contested; processing is unlawful; the Controller no longer needs the data; or the Data Subject has objected.
6.4. Right to Object
The Data Subject may object to processing if they consider the Controller is handling data inappropriately.
6.5. Right to Erasure (“Right to Be Forgotten”)
The Data Subject may request erasure where: consent is withdrawn; the purpose has ceased; processing is unlawful.
6.6. Right to Data Portability
The Data Subject may request their data in a structured, machine-readable format where processing is consent-based and automated.
6.7. Right to Legal Remedy
If you believe your rights have been infringed, contact us at support@gammatica.co.
If your complaint cannot be resolved, you may lodge a complaint with:
Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9–11, Hungary
Postal address: 1363 Budapest, Pf.: 9.
Phone: +36 (1) 391-1400
Email: ugyfelszolgalat@naih.hu
The Data Subject may also seek judicial remedy before the court of their habitual residence or domicile.
Budapest, 15 March 2026
Gammatica Kft.
Viktor Dániel Várhegyi, Managing Director