Privacy Policy for Clients

Please note: This English version is provided for informational purposes only. In the event of any discrepancy or legal interpretation, the Hungarian version of this Privacy Policy shall prevail.

The protection of personal data is extremely important to me. Therefore, in this Privacy Notice, I explain what personal data I process about you, for what purpose, and on what legal basis. The Privacy Notice also includes the rights to which you are entitled.

Data Controller Information

General legal basis for data processing

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR)
  • Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Infotv.)
  • Act V of 2013 on the Civil Code (Ptk.)
  • Act CXVII of 1995 on Personal Income Tax (Szja Act)
  • Act CL of 2017 on the Rules of Taxation (Art.)
  • Act CXIX of 1995 on the Management of Name and Address Data for Research and Direct Marketing Purposes (DM Act)
  • Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (Eker Act)
  • Act XLVIII of 2008 on the Basic Conditions and Certain Limitations of Economic Advertising Activities (Grt.)

Definitions

  • Personal data: Any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Typical personal data include: name, address, place and date of birth, mother’s name.
  • Data processing: Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • Data controller: The natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. If the purposes and means of processing are determined by Union or Member State law, the controller or specific criteria for its designation may also be provided by Union or Member State law.
  • Data processor: The natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the controller.
  • Recipient: The natural or legal person, public authority, agency, or any other body to whom the personal data are disclosed, whether a third party or not.

Principles
When processing personal data, the Data Controller shall ensure that personal data are:

  • Processed lawfully, fairly, and transparently (lawfulness, fairness, transparency)
  • Collected for specified, explicit, and legitimate purposes, and not further processed in a manner incompatible with those purposes; further processing for archiving in the public interest, scientific or historical research, or statistical purposes is not considered incompatible (purpose limitation)
  • Adequate, relevant, and limited to what is necessary (data minimization)
  • Accurate and, where necessary, kept up to date (accuracy)
  • Stored in a form which permits identification of data subjects for no longer than is necessary for the purposes of processing; longer storage is permitted only for public interest archiving, scientific or historical research, or statistical purposes, with appropriate technical and organizational measures (storage limitation)
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage (integrity and confidentiality)
  • The Data Controller is responsible for compliance and must be able to demonstrate it (accountability)

Data Processing Activities

  1. Contact via website
    • Purpose: To initiate and maintain contact
    • Legal basis: GDPR Art. 6(1)(b) – necessary for the performance of a contract or pre-contractual measures at the Data Subject’s request
    • Data Subjects: Interested parties
    • Data categories: Name, phone number, email address, message content
    • Retention period: 1 year from contact
    • Data transfer: None
    • Recipients: Listed in section 9 of this Privacy Notice
    • Data source: The Data Subject
    • Voluntariness: Required for contact; without it, the Data Controller cannot communicate
  2. Contact and communication
    • Purpose: Maintaining contact via email or phone
    • Legal basis: GDPR Art. 6(1)(b)
    • Data Subjects: Interested parties, clients
    • Data categories: Name, phone number, email, message content
    • Retention period: 1 year from contact
    • Data transfer: None
    • Recipients: Section 9
    • Data source: Interested party, client
    • Voluntariness: Required for communication
  3. Appointment booking
    • Purpose: Booking appointments via phone or email
    • Legal basis: GDPR Art. 6(1)(b)
    • Data Subjects: Interested parties, clients
    • Data categories: Name, phone, email
    • Retention period: 1 year
    • Data transfer: None
    • Recipients: Section 9
    • Data source: Interested party, client
    • Voluntariness: Required for booking
  4. Appointment reminders
    • Purpose: Sending reminder emails to clients about booked appointments
    • Legal basis: GDPR Art. 6(1)(b)
    • Data Subjects: Clients
    • Data categories: Name, phone, email
    • Retention period: 1 year
    • Data transfer: None
    • Recipients: Section 9
    • Data source: Client
    • Voluntariness: Required for reminders
  5. Newsletter sending
    • Purpose: Sending newsletters
    • Legal basis: GDPR Art. 6(1)(a) – consent
    • Data Subjects: Newsletter subscribers
    • Data categories: Name, email
    • Retention period: Until consent withdrawal
    • Data transfer: None
    • Recipients: Section 9
    • Data source: Subscriber
    • Voluntariness: Voluntary
  6. Displaying client feedback
    • Purpose: Showing client feedback on the website
    • Legal basis: GDPR Art. 6(1)(a) – consent
    • Data Subjects: Clients
    • Data categories: Age, feedback content
    • Retention period: Until consent withdrawal
    • Data transfer: None
    • Recipients: Section 9
    • Data source: Client
    • Voluntariness: Voluntary
  7. Contract conclusion
    • Purpose: Entering into a therapy contract with the client
    • Legal basis: GDPR Art. 6(1)(b)
    • Data Subjects: Client, legal representative of minor client
    • Data categories: Client’s name and signature; legal representative’s name and signature
    • Retention period: 5 years from contract performance or termination
    • Data transfer: None
    • Recipients: Section 9
    • Data source: Client, legal representative
    • Voluntariness: Required
  8. Data collection questionnaire
    • Purpose: Completing data collection form
    • Legal basis: GDPR Art. 6(1)(a) – consent
    • Data Subjects: Clients
    • Data categories: Extensive personal, contact, demographic, health, therapy-related, and parental information
    • Retention period: 1 year from contact
    • Data transfer: None
    • Recipients: Section 9
    • Data source: Client
    • Voluntariness: Voluntary
  9. Health data related to service
    • Purpose: Processing health data arising during the service
    • Legal basis: GDPR Art. 6(1)(a) – consent
    • Data Subjects: Clients
    • Data categories: Health, lifestyle, psychological, therapy, and medication-related information
    • Retention period: Until consent withdrawal
    • Data transfer: None
    • Data source: Client
    • Voluntariness: Voluntary
  10. Session notes
    • Purpose: Taking notes about the client in therapy
    • Legal basis: GDPR Art. 6(1)(a) – consent
    • Data Subjects: Clients
    • Data categories: Name, age, psychological information, life milestones, medication data
    • Retention period: Until consent withdrawal
    • Data transfer: None
    • Data source: Client
    • Voluntariness: Voluntary
  11. Online consultation
    • Purpose: Conducting online consultation
    • Legal basis: GDPR Art. 6(1)(b)
    • Data Subjects: Interested parties, clients
    • Data categories: Name, email, live image and audio (not recorded)
    • Retention period: 1 year from contact
    • Data transfer: None
    • Data source: Interested party, client
    • Voluntariness: Required
  12. Parental consent form
    • Purpose: Completing parental consent for minor clients
    • Legal basis: GDPR Art. 6(1)(a) – consent
    • Data Subjects: Client, legal representative
    • Data categories: Names, signatures
    • Retention period: Until consent withdrawal or 30 days after withdrawal
    • Data transfer: None
    • Data source: Client, legal representative
    • Voluntariness: Voluntary
  13. Invoicing
    • Purpose: Issuing invoices
    • Legal basis: GDPR Art. 6(1)(c) – legal obligation (VAT Act §159(1))
    • Data Subjects: Clients
    • Data categories: Name, address, email
    • Retention period: 5 years (Art. §78(3))
    • Data transfer: None
    • Data source: Client
    • Voluntariness: Required
  14. Service payment
    • Purpose: Payment via bank transfer or cash
    • Legal basis: GDPR Art. 6(1)(b)
    • Data Subjects: Clients
    • Data categories: Name, service ID, bank account, transfer amount and date
    • Retention period: 5 years (Art. §78(3))
    • Data transfer: None
    • Data source: Client
    • Voluntariness: Required
  15. Contractual communication with partners
    • Purpose: Communication to implement contract objectives
    • Legal basis: GDPR Art. 6(1)(f) – legitimate interest
    • Data Subjects: Partner representatives
    • Data categories: Name, position, phone, email
    • Retention period: 5 years from contract performance/termination
    • Data transfer: None
    • Data source: Partner contact
    • Voluntariness: Required
  16. Communication via social media
    • Purpose: Communication on social media
    • Legal basis: GDPR Art. 6(1)(a) – consent
    • Data Subjects: Social media users
    • Data categories: Name, public profile name, profile picture
    • Retention period: According to social media platform
    • Data transfer: None
    • Data source: User
    • Voluntariness: Voluntary

Website cookies

  • Cookies store user preferences for site functionality and analysis. Necessary cookies do not require consent. Other types require user consent. Browsers allow modification of cookie settings. Disabling cookies may limit website functionality.

Social media presence

  • Platform: Facebook
    • Name of the Data Controller: Meta Platforms Ireland Ltd. (registered office: Merrion Road, Dublin, Ireland)
    • Availability of the Privacy Policy: https://www.facebook.com/privacy/explanation
  • Platform: Instagram
    • Name of the Data Controller: Meta Platforms Ireland Ltd. (registered office: Merrion Road, Dublin, Ireland)
    • Availability of the Privacy Policy: https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect
  • Platform: LinkedIn
    • Name of the Data Controller: LinkedIn Ireland Unlimited Company (registered office: Wilton Plaza Wilton Place, Dublin 2, Ireland)
    • Availability of the Privacy Policy: https://www.linkedin.com/legal/privacy-policy
  • Platform: X
    • Name of the Data Controller: Twitter International Unlimited Company (registered office: One Cumberland Place, Fenian Street, Dublin 2, Ireland)
    • Availability of the Privacy Policy: https://x.com/hu/privacy

Additional Data Controllers, Joint Data Processing
The Data Controller may involve additional independent Data Controllers in the course of data processing.

Recipients
Data Processors
The Data Controller engages Data Processors in the course of data processing.

The Data Processor does not make independent decisions and acts solely according to the contract with the Data Controller and the instructions received. The Data Controller only engages a Data Processor that provides appropriate guarantees—particularly regarding expertise, reliability, and resources—to implement technical and organizational measures ensuring compliance with the GDPR, including data security. The specific tasks and responsibilities of the Data Processor are regulated by the contract between the Data Controller and the Data Processor. After performing data processing on behalf of the Data Controller, the Data Processor shall return or delete the personal data according to the Data Controller’s choice, except where EU or national law applicable to the Data Processor requires storage.

Data Processor(s):

  • Hosting service provider: Rackhost Zrt. (registered office: 6722 Szeged, Tisza Lajos körút 41., company registration number: 06-10-000489)

  • Email system providers:

    • Rackhost Zrt. (registered office: 6722 Szeged, Tisza Lajos körút 41., company registration number: 06-10-000489)

    • Google Ireland (registered office: Gordon House, Barrow Street, Dublin 4, Ireland)

  • Form-filling software: Google Ireland (registered office: Gordon House, Barrow Street, Dublin 4, Ireland)

  • Online meeting platform (Google Meet): Google Ireland Ltd. (registered office: Gordon House, Barrow Street, Dublin 4, Ireland)

  • Invoicing software: KBOSS.hu Kft. (registered office: 1031 Budapest, Záhony utca 7., company registration number: 01-09-303201)

  • Accountant: Ködmön Könyvelőiroda Kft. (registered office: 2030 Érd, Géza utca 32., company registration number: 13-09-096927)

  • Document management: Google Ireland Ltd. (registered office: Gordon House, Barrow Street, Dublin 4, Ireland)

  • Website developer and administrative staff: Tinka Tünde, sole proprietor (5561 Békésszentandrás, Béke tér 3., registration number: 55151436)

Independent Data Controllers
The Data Controller only provides personal data to authorities, courts, or other public bodies in the manner and for the purpose prescribed by law.

Personal data is provided to the following authorities under statutory obligation:

  • National Tax and Customs Administration: according to Annex 10, point 1 of Act CXXVII of 2007 on Value Added Tax (VAT Act)

Personal data is provided to the following legal entities as independent Data Controllers:

Access to Data
Authorized staff of the Data Controller may access personal data to the extent necessary to perform their duties.

Data Security Measures
The Data Controller ensures, through appropriate IT, technical, and personnel measures, the protection of personal data against unauthorized access or unlawful modification.


Rights of Data Subjects and Their Scope

Right to Information
/GDPR Articles 13-14/
You are entitled to be informed at the time your personal data is collected about the fact and purposes of processing. The Data Controller shall provide any additional information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context. You shall also be informed about profiling and its consequences.

Right of Access
/GDPR Article 15/
You have the right to request information on whether your personal data is being processed and, if so, to access the following details:

  • Which personal data is processed

  • On what legal basis

  • For what purpose

  • How long it will be processed

  • To whom, when, and under which law access was granted or to whom it was transmitted

  • The source of the personal data (if not provided by you)

  • Whether automated decision-making, including profiling, is applied, and its logic

Right to Rectification
/GDPR Article 16/
You have the right to request correction of inaccurate personal data or completion of incomplete data. You may, for example, request updating your email or other contact information.

Right to Erasure (“Right to be Forgotten”)
/GDPR Article 17/
You may request deletion of your personal data if:

  • The data is no longer necessary for the purposes for which it was collected or otherwise processed

  • You withdraw consent under Articles 6(1)(a) or 9(2)(a) and there is no other legal basis for processing

  • You object to processing under Article 21(1) and no overriding legitimate grounds exist, or under Article 21(2)

  • Data has been unlawfully processed

  • Data must be deleted to comply with EU or national law

  • Data was collected in connection with information society services offered to a child under Article 8(1)

Right to Restriction of Processing
/GDPR Article 18/
You may request restriction of processing if:

  • You contest the accuracy of the data

  • Processing is unlawful and you oppose erasure, requesting restriction instead

  • The Data Controller no longer needs the data but you require it for legal claims or defense

  • You have objected under Article 21(1) while the Controller verifies if its legitimate grounds override your interests

Right to Data Portability
/GDPR Article 20/
You may receive personal data you provided to a Data Controller in a structured, commonly used, machine-readable format, and transmit it to another Data Controller if:

  • Processing is based on consent or a contract

  • Processing is automated

You may request direct transmission between Controllers if technically feasible.

Right to Object
/GDPR Article 21/
You may object at any time to processing based on Articles 6(1)(e) or (f), including profiling. The Controller may only continue processing if it demonstrates compelling legitimate grounds or for legal claims.

For direct marketing, you may object at any time, including profiling related to marketing.

Right to Withdraw Consent
/GDPR Article 7(3)/
You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. Withdrawal must be as easy as giving consent.


Remedies Related to Data Processing

Right to Lodge a Complaint with a Supervisory Authority
/GDPR Article 77/
You may lodge a complaint with the National Authority for Data Protection and Freedom of Information:

Right to Effective Judicial Remedy
/GDPR Article 79/
You may bring legal proceedings against the Data Controller or Data Processor if you believe your data is processed unlawfully. Courts act promptly. You may choose to file at the court competent according to your residence or place of stay. Courts’ contact: www.birosag.hu/torvenyszekek.hu


Updates to the Privacy Policy
The Data Controller reserves the right to unilaterally modify this Privacy Policy, particularly due to legal changes, supervisory authority practices, business needs, or other circumstances. Upon request, the Controller will provide the current version to the Data Subject in an agreed format.

Gárdony, 20 October 2025