Privacy Policy
Last updated: 2026.04.08.
1. Data Controller
The data controller is Magenta Team Korlátolt Felelősségű Társaság (registered office: Petőfi Sándor utca 12/1., 2085 Pilisvörösvár, Hungary; company registration number: 13-09-226488; tax number: 26142366-2-13; represented by: Adrian Olajos, Managing Director; email: legal@bellora.net). The Data Controller does not employ a Data Protection Officer (DPO), as its activities do not fall within the mandatory designation cases under GDPR Article 37. For data protection inquiries, the Data Controller can be reached at legal@bellora.net.
2. Scope of Processed Data
We process the following data during the use of the Service:
- Personal data: name, email address, phone number, profile picture
- Salon data: salon name, address, opening hours, photos, description
- Booking data: appointments, services, staff members, cancellation data
- Payment data: Stripe transaction identifiers, payment amounts, currency (we do not store credit card data)
- Communication data: email and SMS notifications, push notifications, notification preferences
- Technical data: IP address, browser type, device information, cookie identifiers
- Intake form data: responses to salon-configured questionnaires (which may include health-related data)
3. Purpose and Legal Basis of Data Processing
The following legal bases apply to each processing purpose:
- Account management and authentication: contract performance (GDPR Art. 6(1)(b)) — name, email, password hash, profile picture
- Appointment booking management: contract performance (GDPR Art. 6(1)(b)) — booking data, service, time, staff
- Payment processing (Stripe): contract performance (GDPR Art. 6(1)(b)) — transaction ID, amount, currency
- Sending notifications (email, SMS, push): legitimate interest (GDPR Art. 6(1)(f)) for transactional notifications; consent (GDPR Art. 6(1)(a)) for marketing notifications
- Invoicing and accounting: legal obligation (GDPR Art. 6(1)(c)) — billing data, transactions
- Error tracking and system security (Sentry): legitimate interest (GDPR Art. 6(1)(f)) — technical data, IP address, error reports
- Cookies (analytics): consent (GDPR Art. 6(1)(a)) — cookie identifiers, usage statistics
- Intake form data: consent (GDPR Art. 6(1)(a)); for health data, explicit consent (GDPR Art. 9(2)(a))
4. Data Retention Periods
The following retention periods apply to each data type:
- Account data (profile, settings): retained until account deletion, then permanently deleted within 30 days of the deletion request
- Booking data: 2 years from the booking date (for tax and accounting purposes), then anonymized
- Payment transactions: 8 years (in compliance with the Hungarian Accounting Act (Act C of 2000))
- SMS transaction logs: 1 year
- Audit logs: 90 days
- Sentry error data: 90 days
- Cookie consent: 1 year
- Notification preference changes (consent audit log): 3 years
5. Sub-Processors
We use the following sub-processors for the operation of the Service:
- Stripe (Stripe, Inc., San Francisco, USA) — payment processing, transaction data management
- Twilio (Twilio Inc., San Francisco, USA) — SMS notification delivery, phone number processing
- Resend (Resend, Inc., San Francisco, USA) — email notification delivery, email address processing
- Hetzner (Hetzner Online GmbH, Gunzenhausen, Germany) — server infrastructure, storage of all platform data (Helsinki, EU)
- Cloudflare (Cloudflare, Inc., San Francisco, USA) — DNS management, CDN, IP address processing
- Sentry (Functional Software, Inc., San Francisco, USA) — error tracking, technical data processing
- Szamlazz.hu (KBOSS.hu Kft., Budapest, Hungary) — invoicing, billing data processing
6. International Data Transfers
Some of our sub-processors (Stripe, Twilio, Resend, Sentry, Cloudflare) process data in the United States. These providers are certified under the EU-US Data Privacy Framework (DPF), which ensures adequate protection of personal data based on the European Commission's adequacy decision. Where the EU-US DPF is not applicable, Standard Contractual Clauses (SCCs) serve as the legal basis for the transfer. Hetzner and Szamlazz.hu process data exclusively within the European Union.
7. Rights of Data Subjects
Under the GDPR, you have the following rights: right of access (you may request a copy of your data); right to rectification (correction of inaccurate data); right to erasure (you may request deletion of your data); right to restriction of processing; right to data portability (you may request your data in a machine-readable format); right to object (against processing based on legitimate interest). For processing based on consent, consent may be withdrawn at any time without affecting the lawfulness of processing prior to withdrawal. To exercise your rights, contact us at legal@bellora.net. The Service does not employ automated decision-making or profiling.
8. Data Security
We ensure data security through technical and organizational measures. Data is transmitted through encrypted channels and stored on secure servers. Payment processing is handled by Stripe, a PCI DSS Level 1 certified payment service provider — the highest security standard in the payment industry. Bellora does not store, process, or transmit credit card data. Card details are handled directly by Stripe's encrypted systems.
9. Supervisory Authority
If you believe that the processing of your personal data violates the provisions of the GDPR, you have the right to lodge a complaint with the supervisory authority. In Hungary, the competent supervisory authority is: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH), address: 1055 Budapest, Falk Miksa utca 9-11., email: ugyfelszolgalat@naih.hu, phone: +36 1 391 1400, website: www.naih.hu.