1. Purpose of our Data Management Policy
2. URL of our Website
3. Who We Are
4. Purpose of our Website
5. GDPR Key Concepts
6. What data does our website collect and for what purpose?
6/a. Anonymous technical data collection using cookies
6/b. Web analytics tools
6/c. Online marketing
6/d. Embedded content from other websites
7. Collection and processing of personal data
8. Forms on our website
9. Use of the data
10. With whom do we share personal data submitted via forms?
11. How long do we retain personal data submitted via forms?
12. How do we protect the security of personal data submitted via forms?
13. Do we carry out automated data processing or profiling?
14. Do we transfer the personal data we process to third parties?
12-13. Rights and enforcement options regarding data processing
1. Purpose of our Data Management Policy
We aim to inform visitors of our website that during the operation and management of our website, we comply with the strict provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, GDPR, April 27, 2016), as well as the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (the Hungarian Information Act), which regulate the processing and protection of personal data of natural persons.
From this policy, you can learn who the owner, operator, and data controller of the website is, how we collect, store, and process personal data received via the website, and how we guarantee the data subjects’ rights to self-determination regarding their personal data.
2. URL of our website
https://www.suryaayurveda.hu
(hereinafter: the website)
3. Who We Are
The owner and data controller of the website:
Company name: Surya Ayurveda Limited Liability Company
Company registration number: 13-09-230842
Tax number: 32425945-1-13
Registered office: 2000 Szentendre, Deli Antal Street 20 20.
Responsible organization for data processing: Surya Ayurveda Ltd.
Head of the organization responsible for data processing and website operator: Zsófia Singh, Managing Director
Phone: +36 70 6166510
E-mail: szentendre@suryaayurveda.hu
Hosting Provider:
NetMasters Ltd.
Address: 1105 Budapest, Cserkesz Street 32, Hungary 5.
Company Registration Number: 09-09-025522
Tax Number: 24812087-2-09
Phone: 0630 9234646
E-mail: szia@netmasters.hu
4. Purpose of our website
The purpose of the website:
• Presentation and promotion of our business and services
• Operation of a webshop
• Contact opportunities for interested, prospective, and existing clients
• Operation of an online appointment booking system
• Use of data provided by Users for marketing and direct business purposes, sending newsletters with the Users’ consent
• Providing Users with informative guidance
• Our website is linked to our Facebook and Instagram pages, so the website content can also be tracked there
5. GDPR Key Concepts
In this policy, we use the legal categories and concepts of the GDPR and the Information Act. By way of introduction, we briefly and clearly summarize the most important basic concepts:
User: a natural person who views the website (Visitor), or provides personal data through the website (User)
Data Subject: a natural person whose personal data is requested by the website and recorded, stored, processed, and used by the Data Controller
Personal Data: any data or information by which the data subject can be directly or indirectly identified
Data Processing: all operations performed on personal data, including collection, recording, storage, use, transfer, and deletion
Data Controller: a natural or legal person, or organization without legal personality, who alone or jointly with others makes decisions regarding the purposes and means of data processing, executes them, or has them executed by a data processor
Data Processor: a natural or legal person, or organization without legal personality, who processes personal data transferred by the Data Controller in the manner specified and for the purpose determined by the Data Controller
Data Management Incident: a serious breach of data security, resulting in the accidental or unlawful destruction, rendering unusable, or unauthorized access, use, or disclosure of personal data collected, stored, and processed by the Data Controller
6. What data does our website collect and for what purpose?
6/a. Anonymous technical data collection using cookies
The public content of our website can be viewed freely by anyone. We do not request personal data for this purpose.
However, like all websites, ours also uses small data files (cookies) that are placed on the visitor’s computer or mobile device for a shorter or longer period. Cookies are automatically logged on the servers of Surya Ayurveda Ltd. On our website, we use the following types of cookies: session cookies and functional cookies.
Cookies perform important technical tasks. Their operation does not provide information that can identify the Visitor personally.
Nevertheless, our website requests explicit consent or rejection from every Visitor regarding the use of cookies when they first open any page of our website.
Every Visitor has the right to accept or reject all cookies, or customize their consent individually. Everyone can modify their consent at any time afterward.
Consent stored by cookies is respected by our website on later visits, provided the Visitor has not deleted them from their browser in the meantime.
The settings of marketing (advertising and market research) cookies are transmitted by the CookieYes consent management application to Google’s Consent Mode V2 database so that Google takes it into account when displaying ads. For example, if a visitor rejects the advertising cookie, remarketing ads will not be shown to them.
6/b. Web Analytics Tools
Our website collects statistical data and technical information about the operation of the website using Google Analytics tools for the purpose of measuring visitor traffic. These data do not contain any personal information and only provide statistics on the number of visitors, their geographical distribution, interests (searched keywords, viewed pages, ratio of returning visitors, time spent on the website, etc.). This information is important for publishing content and images tailored to visitor interests.
6/d. Embedded Content from Other Websites
Our website may contain embedded content from other websites (e.g., YouTube videos, Facebook posts, embedded articles, images, etc.).
Such embedded content behaves in the same way as if the visitor had visited the website where the content originates.
These external websites—independently from us—are likely to collect statistical data regarding the content viewed, using cookies or third-party tracking codes (Google, Facebook, YouTube) to analyze visitor engagement.
We are not responsible for the data collection performed by these external sources, nor for the compliance of their data processing with applicable laws; the operator of the original source website is solely responsible.
7. Collection and Processing of Personal Data
Commercial and service websites usually request personal data when someone orders a product or service, submits information via a contact form, requests a quote, posts a comment on a blog, submits a registration form, subscribes to a newsletter, etc. In these cases, the user must provide certain personal data, at a minimum their name and email address or other contact details.
Forms on Our Website
Our website contains a contact form.
The form collects the following data:
• Name of the data subject
• Email address
• Phone number
• Information required for online appointment booking
• Information necessary for online orders and payments from our webshop
Personal data submitted via the form will be processed and used for the purposes indicated. For appointments, our system automatically sends reminder emails/SMS 24 hours before the treatment.
Data subjects, as defined under GDPR and the Hungarian Info Act, have the legal right to know the purposes, methods, storage, protection, and duration of the processing of their personal data.
During the website visit, certain parameters of visitors and users may be recorded on our servers, including:
• Entry time, duration of visit, activities performed, exit time
• Browser type, resolution, language, operating system, device type
• Visitor IP address, name, email address
Legal Basis for Data Processing:
• The data subject’s consent provided through the contact form to be contacted via the provided contact information.
Purpose of data processing: identification of the data subject, data collection, data verification, online appointment booking, provision of health services, preparation and storage of patient records, communication, and information provision. Sending reminders via SMS or email regarding appointments. Collecting necessary information for fulfilling webshop orders.
Duration of Data Processing:
As the data controller, we retain the personal data of data subjects for 5 years. Upon written request of the data subject, their personal data will be deleted within 3 business days.
Use of Data:
Personal data submitted via the contact form is not stored on the web server/hosting, but the message module of the website forwards it directly to the data controller’s email address.
The data controller ensures the processing of received messages, providing responses, and the storage and protection of personal data.
Collected personal data is only used for the purposes intended by the data subject (e.g., telephone call back, answering questions via email or phone, recording health-related data relevant to treatments, sending reminders about appointments, collecting information necessary for webshop order fulfillment).
Names and contact details provided via the form are only used for communication with the person who initiated contact and are not added to any mailing list, shared with third parties except Ganesha-Imports Ltd. and Ajay Singh as individual entrepreneur, nor used for advertising purposes or unsolicited newsletters.
7.1. Data Sharing
Personal data submitted via the form is shared exclusively with Ganesha-Import Ltd. and Ajay Singh as individual entrepreneur, who cooperate in the activities of our company.
8. Data Retention Period
Personal data submitted via the form is stored for 5 years. Upon the request of the data subject, it will be deleted within 3 business days.
9. Data Security
The data connection between data subjects using the form and our website is secured with SSL encryption, indicated by the https:// prefix in the browser’s URL bar. By clicking the information icon before the URL, data subjects can verify that their connection is secure and that submitted data is protected from unauthorized access.
The hosting provider applies modern technical solutions and security software to prevent unauthorized access to information transmitted from the website to the data controller’s central email account.
Personal data submitted via the contact form is protected along the route between the web server and the company’s central Gmail account by automatic spam filters, including advanced filters provided by Google.
Google checks all incoming emails to ensure they come from verified, safe domains. This verification does not apply to content but filters spam, viruses, and unauthorized interventions.
For secure email delivery, our domain is protected with DKIM, SPF, and DMARC authentication and security measures as recommended by Google.
The company, as data controller, considers it its legal duty to immediately notify data subjects of any unauthorized access or misuse of personal data (data breach), and to fulfill mandatory reporting obligations under GDPR and the Info Act, and promptly take measures to restore appropriate data protection.
10. Do we carry out automated data processing, profiling, or automated decision-making?
Our website does not perform any automated processing or profiling based on the personal data received.
Information collected about website visitors through Google analytics tools (Analytics, Search Console) and advertising tools using cookies (Google Ads)—which cannot identify individual visitors—is collected, stored, and secured on Google servers in accordance with the strict security principles and policies published online by Google: https://policies.google.com/privacy?hl=hu
11. Do we transfer personal data to third parties?
Personal data provided by data subjects is neither disclosed publicly nor sold.
12. What rights does the data subject have regarding their personal data?
The data subject may contact the Data Controller using the contact details provided in this privacy notice to:
• Request information about the storage and processing of their personal data
• Request access to the personal data processed by the Data Controller
• Request correction of their personal data
• Request deletion of their personal data
• Object to the processing of their data
• Request restriction of data processing
• Withdraw their consent
Data subjects can exercise these rights at any time by directly contacting the Data Controller. Upon request, we provide all data previously submitted by the data subject via any form on our website, stored by the Data Controller. Data subjects may also request that any previously provided personal data be modified or deleted from our records. Deletion does not apply to data that must be retained for technical, administrative, legal, or security reasons for a specified period.
13. Detailed rights regarding data processing, enforcement, and remedies
If a data subject believes the Data Controller has violated their personal data protection rights, they may request investigation and cessation of the contested practice or submit an enforcement request to the Data Controller using the contact details below:
Data Controller
Organization responsible for data processing: Surya Ayurveda Ltd.
Head of the organization responsible for data processing: Zsófia Singh, CEO
Phone: +36 70 6166510
Email: szentendre@suryaayurveda.hu
13.1. Data subject rights
The data subject may request from the Data Controller:
• Information about the processing of their personal data (before and during processing)
• Access to their personal data (a copy of the personal data held by the Data Controller)
• Correction or completion of personal data
• Deletion or restriction (lock) of personal data, except for legally mandatory processing
• Data portability
• Objection to data processing
Requests can be submitted in writing according to section 13.2. The Data Controller shall fulfill a lawful request within one month and notify the data subject at the provided contact information.
13.1.1. Right to information (Articles 13–14 GDPR)
The data subject may request written information from the Data Controller on:
• Which personal data is processed
• The legal basis for processing
• The purpose of processing
• The source of personal data
• The duration of processing
• Whether a data processor is used, and if so, its name, address, and activities
• To whom, when, and on what legal basis personal data was made accessible or transmitted
• Circumstances, effects, and measures taken regarding any data breach
13.1.2. Right of access (Article 15 GDPR)
The data subject is entitled to know whether their personal data is being processed. If so, they have the right to access the processed personal data, which they may request in writing according to section 13.2. The Data Controller shall provide a copy of the personal data, unless prohibited by other laws. If the request is submitted electronically, information must be provided in a commonly used electronic format, unless otherwise requested.
13.1.3. Right to rectification (Article 16 GDPR)
The data subject may request the Data Controller to correct any personal data (e.g., email or postal address) and complete any incomplete data, taking into account the purpose of processing.
13.1.4. Right to erasure (Article 17 GDPR)
The data subject may request the deletion of personal data if processing is based on their consent (e.g., for contact purposes). If personal data is provided for contract fulfillment or legal obligations, deletion cannot be granted, and the data must be processed for the retention period defined in this privacy notice.
13.1.5. Right to restriction of processing (Article 18 GDPR)
The data subject may request that their personal data be locked, with the restriction clearly marked and the data kept separate from other data. The lock remains in place for as long as the reason specified by the data subject necessitates storage. This may be requested, for example, if the data subject believes the Data Controller has processed data unlawfully but requires the data for ongoing official or judicial proceedings. Data will then be stored until the authority or court request is resolved, after which the data will be deleted.
13.1.6. Right to Data Portability (Article 20 GDPR)
The data subject may, in writing according to section 13.2, request that personal data provided to the Data Controller be received in a structured, commonly used, machine-readable format. The data subject is also entitled to transmit this data to another data controller without hindrance from the Data Controller if:
• The data processing is based on consent under Article 6(1)(a) or Article 9(2)(a) GDPR, or
• The data processing is based on a contract under Article 6(1)(b) GDPR, and
• The data processing is carried out in an automated manner.
13.1.7. Right to Object (Article 21 GDPR)
The data subject may, in writing according to section 13.2, object to the processing of their personal data based on the legitimate interests of the Data Controller or a third party under Article 6(1)(f) GDPR, including profiling based on such interests. In such cases, the Data Controller shall no longer process the personal data, except where the Data Controller demonstrates compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
If personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of their personal data for such purposes, including profiling, and the personal data shall no longer be processed for this purpose.
13.2. Enforcement of Data Subject Rights and Remedies
13.2.1. Contacting the Data Controller
Before initiating court or authority proceedings, it is recommended that the data subject send their request, complaint, or any claim under section 13.1 to the Data Controller for investigation and resolution. The Data Controller shall promptly investigate and respond to the request, objection, or complaint without undue delay, within the time frame required by applicable law.
If the request is submitted electronically, the response will be provided electronically where possible, unless the data subject requests otherwise. If the Data Controller fails to act on the request within the legal timeframe, the data subject shall be informed of the reasons for the inaction and that they may initiate judicial or authority proceedings. Requests regarding personal data may be submitted in writing, by traditional mail or email, to the contact details specified in section 1.
13.2.2. Initiating Authority Proceedings
The data subject may contact the National Authority for Data Protection and Freedom of Information (NAIH) to request an investigation or authority proceedings if they believe a violation or imminent risk of violation of their personal data rights has occurred. This includes situations where:
• The Data Controller restricts or rejects the exercise of data subject rights under section 13.1, or
• The Data Controller or a data processor acting on its behalf violates legal requirements for personal data processing established in law or EU legislation.
13.2.3. Judicial Remedies
Judicial remedies are governed by Act CXII of 2011 on informational self-determination and freedom of information. The data subject may file a lawsuit against the Data Controller if they believe the personal data processing regulations have been violated. The lawsuit may be filed at the competent court of the data subject’s residence or habitual residence. The data protection authority may intervene in the proceedings to support the data subject. Any person who suffers material or non-material damage due to a GDPR violation may claim compensation from the Data Controller or data processor. The Data Controller or data processor is exempt from liability if they prove they are not responsible for the event causing the damage.
This Privacy Notice is effective from November 1, 2024, until amended or revoked.
Surya Ayurveda Ltd.