Privacy Policy
A plain-English summary of how BookFlow handles your personal data under GDPR. The legally binding version is the Hungarian original at /adatkezeles/.
1. Who we are
Webshopbirodalom Ltd. ("we", "us", "Provider") is the data controller of the personal data you provide when using BookFlow (bookflow.hu). We are based in Budapest, Hungary, and operate under EU/Hungarian data protection law (GDPR + Hungarian Act CXII of 2011).
2. What data we collect
2.1 From service providers (our customers)
- Name, email address, phone number, business name
- Billing data (tax number, address, payment method)
- Service configuration data (services offered, working hours, pricing)
- Login data (encrypted password, session tokens)
2.2 From end clients (people booking appointments)
- Name, email address (required for booking confirmation)
- Phone number (optional, for the service provider's records)
- Booking details (selected service, date, time)
2.3 Technical data
- IP address, browser type, referrer URL (server logs)
- Session cookies (for login state, not for tracking)
3. Why we process this data (lawful basis)
- Contract performance (GDPR Art. 6(1)(b)) — to provide the booking service to our customers and end clients
- Legal obligation (GDPR Art. 6(1)(c)) — to comply with Hungarian tax and accounting law (invoice retention)
- Legitimate interest (GDPR Art. 6(1)(f)) — to maintain system security, detect abuse, and improve the service
4. How long we keep your data
- Account data: while your account is active, plus 30 days after termination (for reactivation)
- Booking history: while the booking is active, plus the legal retention period (5 years for tax purposes if invoice-related)
- Server logs: 90 days
- Invoices and accounting data: 8 years (Hungarian Accounting Act)
5. Who has access to your data (processors)
We use the following data processors:
- Hetzner Online GmbH (Germany) — hosting (EU servers)
- MailHub (our own infrastructure) — sending booking confirmation and reminder emails
- Billingo (Hungary) — invoicing
- Stripe (Ireland/USA, when integrated) — payment processing
We do not sell your data to third parties.
6. International transfers
All data is processed within the EU (Hungary, Germany). If Stripe is enabled, payment processing may involve transfers to the USA under Stripe's GDPR-compliant standard contractual clauses.
7. Your GDPR rights
Under GDPR, you have the right to:
- Access your personal data (Article 15)
- Rectification of inaccurate data (Article 16)
- Erasure ("right to be forgotten", Article 17)
- Restriction of processing (Article 18)
- Data portability (Article 20)
- Object to processing based on legitimate interest (Article 21)
- Withdraw consent at any time (where applicable)
- Lodge a complaint with the Hungarian Data Protection Authority (NAIH) or your local DPA
To exercise these rights, contact us at tothdaniel.ev@gmail.com. We respond within 30 days.
8. Security
- HTTPS encryption for all traffic (Let's Encrypt SSL)
- Passwords stored with bcrypt one-way hashing
- Daily encrypted backups
- EU-based hosting (Hetzner Germany), GDPR-compliant infrastructure
- Access logs retained for security auditing
9. Cookies
We use only essential cookies (login session, language preference). No advertising or third-party tracking cookies are set by default.
10. Children
The Service is intended for businesses and adults. We do not knowingly collect data from children under 16. If you believe we have such data, please contact us for immediate deletion.
11. Supervisory authority
The relevant supervisory authority is the Hungarian National Authority for Data Protection and Freedom of Information (NAIH):
- Website: naih.hu
- Address: 1055 Budapest, Falk Miksa utca 9-11.
- Email: ugyfelszolgalat@naih.hu
EU residents may also contact their local data protection authority.
12. Changes to this policy
We may update this Privacy Policy. Material changes will be communicated by email to existing customers at least 15 days in advance.