GDPR Privacy Policy – Pura Flow Massage Budapest
Effective: November 27, 2025
Last updated: December 8, 2025
1. Data Controller's Details
- Name: Tibor Dénes Baracskai, individual enterpreneur
- Registered office: 1115, Budapest, Etele út 40/b 6/40
- Service Location: 1085 Budapest, Üllői út 14. (Fashion Day & Spa)
- Tax number: 91587790-1-43
- Registration number: 61482331
- E-mail: [email protected]
- Phone: +36 30 823 9013
- Website: www.puraflow.hu
2. Purpose and Legal Basis of Data Processing
| Purpose of Data Processing | Legal Basis | Note |
|---|---|---|
| Providing massage services, managing bookings | Performance of a contract (GDPR Art. 6(1)(b)) | Essential for providing the service. |
| Analyzing website traffic (Google Analytics) | Voluntary consent (GDPR Art. 6(1)(a)) | Occurs upon cookie acceptance. |
| Advertising, remarketing, and conversion tracking (Google Ads) | Voluntary consent (GDPR Art. 6(1)(a)) | Occurs upon cookie acceptance to improve ad relevance. |
| Displaying an interactive map (Google Maps) | Voluntary consent (GDPR Art. 6(1)(a)) | Occurs upon cookie acceptance to help find the salon. |
| Managing billing information | Legal obligation (GDPR Art. 6(1)(c)) | Based on accounting laws. |
| Sending newsletters, marketing | Voluntary consent (GDPR Art. 6(1)(a)) | By providing an e-mail address. |
| Contact (E-mail, Phone, WhatsApp) | Legitimate interest (GDPR Art. 6(1)(f)) | For answering incoming questions and providing offers. |
| Ensuring website security (Log files) | Legitimate interest (GDPR Art. 6(1)(f)) | To protect the website from attacks. |
3. Scope of Personal Data Processed
- Identification data: Name, e-mail address, phone number, WhatsApp identifier.
- Billing data: Billing name, address, details, transaction data.
- Payment data: In case of credit card payment, card details are processed by the secure system of Stripe Inc.; the Data Controller does not have access to them.
- Booking data: Booking data is recorded and stored by the minup.io system; the Data Controller manages it through this system (service type, time, personal data).
- Health data: Exclusively for the safe provision of the service (e.g., contraindications).
- Browsing and behavioral data: Data recorded during website use (based on consent), such as IP address, browser type, and pages viewed. This includes data collected by Google Analytics (web analytics), Google Ads (remarketing and conversion tracking), and Google Maps (map usage). Additionally, the Minup booking system may place cookies necessary for proper operation (e.g., maintaining the session), which are essential for providing the service.
4. Data Processors
The Data Controller uses the following partners for providing services, billing, and communication, who process the data as data processors:
| Role | Company / Platform | Headquarters and Data Processing Location |
|---|---|---|
| Website Hosting | DigitalOcean, LLC | 105 Edgeview Drive, Suite 425 Broomfield, Colorado 80021, U.S.A. (Server location: Frankfurt, Germany, EU) |
| E-mail Forwarding (Alias) | SimpleLogin SAS | Paris, France (EU) |
| E-mail Hosting | Google Ireland Limited (Gmail) | Dublin, Ireland (EU) |
| Online Booking System | Minup Kft. | 2071 Páty, Völgy sétány 8. 2. ajtó (Hungary) |
| Online Payment | Stripe Payments Europe, Ltd. | Dublin, Ireland (EU) |
| Invoicing and Newsletter | Billingo Technologies Zrt. | 1133 Budapest, Árbóc utca 6. (Hungary) |
| Web Analytics | Google Ireland Limited (Google Analytics) | Dublin, Ireland (EU) |
| Advertising and Conversion Tracking | Google Ireland Limited (Google Ads) | Dublin, Ireland (EU) |
| Map Service | Google Ireland Limited (Google Maps) | Dublin, Ireland (EU) |
| Communication (WhatsApp) | Meta Platforms Ireland Limited | Dublin, Ireland (EU) |
5. Data Retention Period
- Billing data: For 8 years, according to the Accounting Act (Act C of 2000, § 169 (2)).
- Booking data: For a maximum of 5 years from the completion of the service (Legitimate interest – for the purpose of enforcing legal claims).
- Newsletter database: Until the data subject unsubscribes (until consent is withdrawn).
- Google Analytics data: According to Google's policy (for the duration set by the Data Controller, e.g., 26 months).
- Google Ads and Google Maps data: According to Google's current privacy policies, until the user withdraws their cookie consent, or until the cookies expire (typically 30-90 days).
- Social media/WhatsApp communication: For 5 years after the communication has ended (Legitimate interest – for the purpose of enforcing legal claims).
6. The Data Subject's Consent to the Processing of Personal Data
The Data Controller informs the data subjects in detail about the purpose, legal basis, and scope of data processing during the booking process. Consent to the processing of data provided during the appointment booking is essential for the provision of the service.
7. Rights of the Data Subject
According to GDPR rules, the data subject has the right to access their data, to rectification, to restriction of processing, to erasure (e.g., when unsubscribing from a newsletter), to object to data processing, and to lodge a complaint with the supervisory authority (NAIH).
7.1. Detailed Conditions for Exercising Rights
The Data Controller will respond to data subject requests without undue delay, but no later than one month from the receipt of the request.
- Right of access: Upon your request, we will inform you about the purposes, legal basis, duration of data processing, and your rights.
- Right to rectification: You can request the rectification of inaccurate personal data without undue delay.
- Right to erasure (right to be forgotten): You can request erasure if the data is no longer necessary for the purpose for which it was collected, or if you withdraw your consent.
- Right to restriction of processing: You can request that we restrict processing if you contest the accuracy of the data or if the processing is unlawful.
- Right to data portability: You can request to receive the data you have provided in a structured, machine-readable format and to transmit it to another data controller.
- Right to object: In the case of data processing based on legitimate interest (e.g., Contact, Log files), you can object to the processing of your data.
8. Legal Remedies
The data subject can turn to the National Authority for Data Protection and Freedom of Information (NAIH) with a complaint regarding data processing:
- Address: 1055 Budapest, Falk Miksa utca 9-11.
- Phone: +36 (1) 391-1400
- E-mail: [email protected]
- Website: www.naih.hu
In case of violation of their rights, the data subject may take legal action against the Data Controller.
9. Data Security Measures
The Data Controller undertakes to ensure the security of the data and to take the technical and organizational measures necessary to protect the data against unauthorized access, alteration, deletion, or destruction.
- Data is transmitted using SSL/TLS encryption (Website, E-mail).
- Reliable data processors (hosting, cloud-based services) are used for data storage.
10. Contact
For questions related to data processing, you can contact the Data Controller at the following contact details:
- E-mail: [email protected] (via an alias provided by SimpleLogin.)
- Phone: +36 30 823 9013
- WhatsApp: +36 30 823 9013 (By sending a message, the data subject accepts the relevant terms of Meta Platforms.)