Privacy Policy

Brahmayurveda Center Korlátolt Felelősségű Társaság

Effective as of: 2nd of February 2024

The following information contains the criteria for the activities of the Brahmayurveda Center Korlátolt Felelősségű Társaság (hereinafter: ‘Brahmayurveda’) in relation to the processing of personal data concerning you.

1. Definitions

Personal data: any information relating to an identified or identifiable natural person (hereinafter: ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Special category of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the genetic data, biometric data for the purpose of uniquely identifying a natural person, health data or data concerning a natural person’s sex life or sexual orientation.

Health data: all data relating to the physical and mental condition of a natural person, as well as all data relating to their state of health in connection with the health care they have received.

Data Subject: an identified or identifiable natural person.

Processing: any operation or totality of operations on data, regardless of the procedure used, in particular the collection, recording, registration, organisation, storage, alteration, processing, querying, utilisation (including transfer and disclosure), coordination or linking of personal data, as well as the blocking, erasure and destruction of personal data. Processing includes the production of photographs, voice or image recordings and the recording of physical characteristics suitable for personal identification (e.g.: finger or palm print, DNA sample and iris images);

Controller: any person who performs the processing, determines the purpose of the processing, makes and implements decisions on the processing (including the tools used), or implements them through the processor.

Processing: performance of the technical tasks related to processing operations, regardless of the method and means used to perform the operations and the place of application.

Data transfer: where the data is made available to specific third parties; Disclosure: where data is made available to everyone.

Processor: the natural or legal person or organisation without legal personality performing the processing of personal data on behalf of the Controller;

1

Data erasure: rendering the data unrecognisable in a manner that their recovery is no longer possible.

Automated data file: a series of data to be processed automatically.

Automatic processing: includes the following operations when performed through partially or fully automated means: storage of data, logical or arithmetic operations on data, alteration, erasure, retrieval and distribution of data.

Customer: a natural person, who requests an appointment at Brahmayurveda (www.brahmayurveda.com) by e-mail, telephone or in person, personally subscribes to a newsletter, uses a private health care service, or purchases a product.

Where this Notice uses the term Data Subject, it shall also apply to the Customer.

2. The Controller

Brahmayurveda Center Kft. undertakes to ensure that the processing related to its services meets the requirements set out in this Notice and in all applicable legislation.

This Privacy Notice is available at https://brahmayurveda.com/

Company name: Brahmayurveda Center Korlátolt Felelősségű Társaság
Registered office: 1101 Budapest, Expo tér 5-7
Business site: 1065 Budapest, Podmaniczky utca 18, Ground Floor 2 (Brahmayurveda Center) Branch: 2730 Albertirsa, Kossuth Lajos utca 2 (Brahmayurveda Guesthouse)
Company reg. no.: 01-09-355132
Tax number: 27344994-2-42
Represented by: Szidónia Világi, Managing Director independently
Phone number: + 36-70 396-9-668,
Website: www.brahmayurveda.com
Data Protection Officer: IDBC Creative Solutions Kft.
E-mail: adatkezeles@brahmayurveda.hu
(hereinafter: ‘Brahmayurveda’)

3. During which activities does Brahmayurveda process personal data?
3.1. Administration relating to a contract for health and physical well-

being improving services.

Purpose
processing:
Grounds for processing:

Concluding, amending and terminating a contract for health and physical well-being improving services
Performance of a contract for the provision of health care and physical well-being improving services (Article 6 (1) b) of the GDPR)

The processing of special categories of personal data, in so far as this is necessary for the performance of the contract, is

of the

2

Data subject categories:

Categories of personal data processed:

governed by Article 9 (2) h) of the GDPR in addition to the above legal grounds.
Natural persons using health and physical well-being improving services, in the case of a minor, who is a user, their legal representative.

Personal identification data (name, name at birth, date of birth, mother’s name, gender)
Contact data (address, postal address, telephone number, e- mail address)

Health data generated in connection with health care, physical well-being services, health status before and after treatments, recommended treatments and dietary supplements, name, date and time of requested service

Social security number
Existence of health fund membership/health insurance
If the service is used by a minor, the scope of the processed data is expanded with the data of the legal representative indicated in the contract.
Details of the guest category and loyalty card
Notification settings set in the customer management system Medical records: 30 years from the recording of the data (Section 30 of the Act on the Processing of Health Data)

Contact and other contractual data processed separately from the medical records: During the term of the contract concluded with the data subject/customer +5 years limitation period/deadline for claim enforcement.

In case of health fund membership/health insurance: Brahmayurveda transfers the personal identification and contact data to the health insurance company in order to provide the health service.

Term of processing:

Recipients:

3.2. Provision of health and physical well-being services

Purpose
processing:
Grounds for processing:

Provision of health and physical well-being services

Performance of a contract for the provision of health care and physical well-being improving services (Article 6 (1) b) of the GDPR)
The processing of special categories of personal data, in so far as this is necessary for the performance of the contract, is governed by Article 9 (2) h) of the GDPR in addition to the above legal grounds.

The provision of data to the Electronic Health Service Space (hereinafter: ‘EESZT’) maintained by the National Healthcare Service Center (hereinafter: ‘ÁEEK’) is necessary to fulfil the legal obligation of the Controller (Article 6 (1) c) of the GDPR), according to Act XLVII of 1997 and the Decree of the Minister of Human Capacities 39/2016 (21 December) EMMI.

of the

3

Data subject categories:

Categories of personal data processed:

Natural persons using health and physical well-being improving services, in the case of a minor, who is a user, their legal representative.
Personal identification data (name, name at birth, date of birth, mother’s name, gender)

Contact data (address, postal address, telephone number, e- mail address)
Health data generated in connection with health care, physical well-being services, health status before and after treatments, recommended treatments and dietary supplements, name, date and time of requested service

Social security number
Existence of health fund membership/health insurance
If the service is used by a minor, the scope of the processed data is expanded with the data of the legal representative indicated in the contract.
Medical records: 30 years from the recording of the data (Section 30 of the Act on the Processing of Health Data) Contact and other contractual data processed separately from the medical records: During the term of the contract concluded with the data subject/customer + 5 years limitation period/deadline for claim enforcement.
Mandatory data supply to the EESZT maintained by the ÁEEK.

Term of processing:

Recipients:
3.3. Enforcement of claims relating to a contract

of the Grounds for processing:

Data subject categories:

Categories of personal data processed:

Enforcement of claims related to a contract for health and physical well-being improving services, and a contract for the adult education service
Brahmayurveda’s legitimate interest in enforcing claims (Article 6 (1) f) of the GDPR)

Fulfilment of a legal obligation (Article 6 (1) c) of the GDPR) The processing of special categories of personal data, in so far as this is necessary for the performance of the contract, is governed by Article 9 (2) f) of the GDPR in addition to the above legal grounds.

Natural persons using health and physical well-being improving services and adult education service, in the case of a minor, who is a user, their legal representative.
a) For health and physical well-being improving services:

Personal identification data (name, name at birth, date of birth, mother’s name, gender)
Contact data (address, postal address, telephone number, e-mail address)

Health data generated in connection with health care, physical well-being services, health status before and after treatments, recommended treatments and dietary supplements, name, date and time of requested service Social security number

Purpose processing:

4

Term of processing:

Recipients:

Existence of health fund membership/health insurance If the service is used by a minor, the scope of the processed data is expanded with the data of the legal representative indicated in the contract.

Details of guest category and loyalty card
b) For the adult education service, personal data processed in connection with the processing of data relating to the adult education service, i.e. data relating to the person participating in the training and to the training – including the name, date and time of the training.
Medical records: 30 years from the recording of the data (Section 30 of the Act on the Processing of Health Data) Contact and other contractual data processed separately from the medical records: During the term of the contract concluded with the data subject/customer + 5 years limitation period/deadline for claim enforcement.
In case of health fund membership/health insurance: Brahmayurveda transfers the personal identification and contact data to the health insurance company in order to provide the health service.

3.4. Accommodation

Purpose of the processing:
Grounds for processing:

Data subject categories:

Categories of personal data processed:

Term of processing: Recipients:

Provision of accommodation services

The processing is necessary for the performance of a contract, in which the Data Subject is a party, or to take steps at the request of the Data Subject prior to the conclusion of the contract (Article 6 (1) b) of the GDPR).

Natural persons using the hotel services, in the case of a minor, who is a user, their legal representative.
Personal identification data (e.g.: name, name at birth, date of birth)

Contact data (address, telephone number, e-mail address) Special diet
Date of commencement, expected and actual date of end of the use of the accommodation

The duration of the processing is 5 years after the receipt of the request (limitation period)
The provision of data for the National Tourist Data Service Center (NTAK) is set out in section 3.14 as an independent data processing activity.

3.5. Providing care during the use of the accommodation and/or the adult education service

Purpose of the Providing care during the use of the accommodation processing:

5

Grounds for processing:

Data subject categories:

Categories of personal data processed:

Term of processing: Recipients:

The processing is necessary for the performance of a contract, in which the Data Subject is a party, or to take steps at the request of the Data Subject prior to the conclusion of the contract (Article 6 (1) b) of the GDPR).

The processing of special categories of personal data, in so far as this is necessary for the performance of the contract, is governed by Article 9 (2) h) of the GDPR in addition to the above legal grounds.

Natural persons using the hotel services, in the case of a minor, who is a user, their legal representative.
Personal identification data (e.g.: name, name at birth, date of birth, gender)

Contact data (address, telephone number, e-mail address) Special diet
The duration of the processing is 5 years after the receipt of the request (limitation period)
Brahmayurveda does not transfer the personal data affected by this processing.

3.6.Providing adult education services

Purpose of the processing:

Grounds for processing:

Data subject categories: Categories of personal data processed:

Providing services aimed at the provision of Ayurveda Lifestyle Training and/or Ayurvedic Masseur Training organised on the basis of an adult education contract
The processing is necessary for the performance of a contract, in which the Data Subject is a party, or to take steps at the request of the Data Subject prior to the conclusion of the contract (Article 6 (1) b) of the GDPR).

The content elements of the adult education legal relationship are provided for in Section 12/A-13/B of Act LXXVII of 2013 on Adult Education (hereinafter: ‘Adult Education Act’), while the content elements of the adult education contract are regulated in Section 21 of Government Decree 11/2020 (7 February) on the Implementation of the Adult Education Act. Natural persons participating in adult education

The natural personal identification data of the person participating in the training and, in connection with the issuance of the educational identification code, the educational identification code, e-mail address and data on the highest level of education. (Section 21 (1) a) of the Adult Education Act)

The training-related data relating to the person’s highest level of education, professional qualifications, skills and knowledge of a foreign language, entry into and completion of the training, or exit from the training, assessment and qualification during the training, payment obligations relating to the training and the training loan used. (Section 21 (1) b) of the Adult Education Act)

6

Term of processing: Recipients:

The above data may be used for statistical purposes and transferred in a manner unsuitable for personal identification for statistical purposes, and may be transferred in a manner suitable for individual identification for statistical purposes to the Central Statistical Office free of charge to, and used.

Until the last day of the eighth year from the conclusion of the adult education contract (Section 21 (5) of the Adult Education Act)
The adult education data supply system (Section 20/A of the Adult Education Act), based on the above legal provision, the vocational education and adult education module of the Public Education Registration and Scholastic System (NEPTUN KRÉTA) must be used; the KRÉTA system is owned by SDA Informatika Zrt.

3.7.

Purpose
processing:
Grounds for processing:

Data subject categories:

Categories of personal data processed:

Term of processing:

Recipients:

3.8. Contact

Purpose of processing:
Grounds for processing:

Complaint processing

of the

Complaint processing

Fulfilment of the legal obligation to process complaints (Article 6 (1) c) GDPR) pursuant to the Civil Code, the Consumer Protection Act and the Healthcare Act.
The natural persons using the service provided by the company and submitting a complaint based thereon, in the case of a minor, who is a user, their legal representative submitting the complaint.

The personal identification data of the complainant provided in the complaint (typically: name, e-mail address, home address), as well as personal and, if applicable, health data included in the complaint, if the complaint is lodged orally via phone or by other means of electronic telecommunications, the unique identification number of the complaint.

In the case of consumer protection complaints, the retention period of complaint report shall be 3 years. (Article 17/A(7) of the Consumer Protection Act)
In the case of complaints related to the healthcare service, the retention period of the documents related to the complaint and its investigation shall be 5 years. (Article 29(4) of the Healthcare Act)

The authorities and courts specified in legislation, at their official request or invitation, in accordance with the law.

Contact

The processing is necessary to take steps at the request of the Data Subject prior to the conclusion of the contract for the

the

7

Data subject categories:

Categories of personal data processed:

Term of processing:

Joint Controller: Recipients:

provision of health and physical well-being improving services and accommodation services (Article 6 (1) b) of the GDPR). The natural persons using or intending to use the services provided by the company, in the case of a minor, who is a user, their legal representative.

Name
Telephone number
E-mail address
Personal data set out in the message
Messenger ID based on the decision of the Data Subject During the term of the contract concluded with the Data Subject/Customer + 5 years limitation period/deadline for claim enforcement.
If no contract is concluded, 5 years from the receipt of the request.
In the case of communication via Messenger, Facebook is considered the Joint Controller, see the relevant section of the list of Controllers.
Brahmayurveda does not transfer the personal data affected by this processing.

3.9. Newsletter service

Purpose processing:

of the

Newsletter service: marketing and business development, direct business acquisition, promotion of Brahmayurveda’s services, facilitation of the use of its services, notification about current promotions, products, information and recommended diet, PR events.

Consent of the Data Subject/Customer. Article 6 (1) a) of the GDPR and Section 6 (5) of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities.

Data Subjects of adult age or the adult representatives of Data Subjects of minor age, who have subscribed to the Company’s newsletter.
Name

E-mail address
How the data subject heard about the Controller
Until unsubscription/withdrawal of consent
Brahmayurveda does not transfer the personal data affected by this processing.

Grounds for processing:

Data subject categories:

Categories of personal data processed:

Term of processing: Recipients:

3.10. Operation of a surveillance system

Purpose of the Operation of an electronic surveillance system
processing:
Grounds for processing: The legitimate interest of Brahmayurveda in the protection of

human life, physical integrity, personal liberty and property, 8

Data subject categories:

Categories of personal data processed:

Term of processing: Recipients:

Camera processing at the Controller’s registered office:

3.11. Invoicing

Purpose of the processing:
Grounds for processing:

Data subject categories:

Categories of personal data processed:

Term of processing: Recipients:

the protection of hazardous materials, the protection of business, payment, banking and securities secrets and customer data (including personal data and health data), the protection of the property of the Controller and the property of those in the territory supervised by the Controller, as well as the continuous, safe operation of the Controller and the control of the work (Article 6 (1) f) of the GDPR).

The natural persons entering the Brahmayurveda Center and the Brahmayurveda Guesthouse.
Image recording taken of the Data Subject, the behaviour of the Data Subject as seen in the image recording, and the time the image recording was taken

In the absence of official or court use, 30 calendar days from its recording.
The camera recordings will be forwarded only to the authorities and courts specified by law, at their official request or order, in accordance with the law or for the purpose of initiating official proceedings.

It is not Brahmayurveda, but DoclerPro Kft., that operates a surveillance system on the premises of the Docler Office Building and the related outdoor properties located at the Controller’s registered office. The Privacy Policy is available at the reception of the Docler Office Building.

The fulfilment of Brahmayurveda’s legal obligations regarding the issuance of invoices and receipts.
With regard to the data processed in connection with invoicing, the grounds for the processing is Article 6 (1) c) of the GDPR, with reference to Section 169 of Act C of 2000 on Accounting and Section 228 of Act CL of 2017 on Taxation, as well as Section 169 of Act CXXVII of 2007 on Value Added Tax. The natural persons purchasing Brahmayurveda’s products and using its services, and in the case of a minor, who is a user, their legal representative.

The name and address (billing address) of the Customer/Data Subject, if necessary, the health insurance or health fund, where the Data Subject is a policyholder or member, the membership certificate number, and the purchased product or service used. At least 8 years, in accordance with Section 169 of the Accounting Act.

The processed data is transferred by Brahmayurveda to the authorities and courts specified in legislation, upon their official request and order, in accordance with the law.

9

3.12. Processing related to social media sites

Purpose of the processing:

Grounds for processing:

Data subject categories:

Categories of personal data processed:

Term of processing: Recipients:

Operation and moderation of Brahmayurveda’s social media profiles (facebook and instagram), description of Brahmayurveda’s services, continuous development of Brahmayurveda’s services through the analysis of traffic data. The Data Subject’s consent pursuant to Article 6 (1) a) of the GDPR, given by their activities on the social media profile of Brahmayurveda (writing an opinion or comment, reaction, sharing, etc.).

Brahmayurveda’s legitimate interest in the proper operation and moderation of its social media profiles pursuant to Article 6 (1) f) of the GDPR (e.g.: in the deleting of offensive posts).
The natural persons who view Brahmayurveda’s social media sites, post a rating about it, post a reaction (like, etc.) to the posts shared on the social media sites, or share those posts. The name and any personal data that the Data Subject shares or publishes in a comment about themselves on the social media site and in relation to the social media profile of Brahmayurveda.

Until consent is withdrawn or the entry/group is deleted Brahmayurveda does not transfer the personal data affected by this processing.

3.13. Processing related to the Controller’s website, cookie policy

3.13.1. Web server

During the visit to the website maintained by the Controller, available at www.brahmayurveda.hu and www.brahmayurveda.com (hereinafter: ‘Website’), the web server does not log the user’s activities, such processing does not take place.

3.13.2. Request for quotation

In case of concluding a contract, the personal data provided on the quotation request page of the Website or provided to us by e-mail or telephone is processed for the purposes specified in Sections 3.1-3.8 and 3.11 above. If the visit is cancelled, i.e. no contract is concluded between the parties based on the quotation request, the personal data are erased within 5 business days from the notification of the cancellation.

3.13.3. Cookie policy
The information regarding the cookies used on the websites www.brahmayurveda.hu and

www.brahmayurveda.com shall be set out in the Cookie Policy of the Controller. 10

3.14. Data forwarding to the National Tourist Data Service Center

Purpose of the processing:

Grounds for processing:

Data subject categories:

Categories of personal data processed:

Term of processing:

Recipients:

Protection of the rights, safety and assets of the Data Subject and others, ensuring compliance with the provisions regarding stay and residence of third country nationals and persons with freedom of movement and of residence.

Article 6 (1) c) of the GDPR – legal obligation to which Brahmayurveda is subject, in particular, Article 9/H of Act CLVI of 2016, Articles 7, 14 and 14/C of Government Decree No. 235/2019. (X. 15.).

Natural persons using the accommodation service provided by Brahmayurveda.
a) family name and given name, birth family and given name, sex, nationality of the person using the accommodation service, mother’s birth family and given name, identifiers of the identification or travel document of the person using the accommodation service, in the case of third party nationals, number of the visa or residence permit, date and place of entry, b) address of the accommodation service, date of commencement, expected and actual date of end of the use of the accommodation

Brahmayurveda shall process the above categories of personal data until the last day of the year following the year of recording, then the categories of personal data set out in subsection a) shall be erased and thereby the categories of personal data set out in subsection b) shall become anonymized.

The processed data is transferred by Brahmayurveda to the authorities and courts specified in legislation, upon their official request and order, in accordance with the law.

Brahmayurveda shall, on the basis of statutory obligation, record the above categories of personal data concerning the data subject with the accommodation management software in the course of the check-in. The data subject shall, in the course of the check-in, produce their identification or travel documents to Brahmayurveda to allow the recording of personal data. In case no identification or travel document is produced, Brahmayurveda shall refuse the provision of the accommodation service. The data not included in the identification or travel document produced shall not be recorded. The police may perform queries in the database of the National Touristic Data Service Center, and may request the forwarding of data processed by Brahmayurveda, for the purposes of law enforcement, crime prevention, the protection of public order, public security, the order of the state border, the rights, security and assets of the data subject and others, and to issue arrest warrants.

11

3.15. Quality assurance, investigation of customer complaints, inspection of employees

Purpose of the processing:

Grounds for processing:

Data subject categories:

Categories of personal data processed:

Term of processing: Recipients:

Ensuring the quality of Ayurvedic treatments covering the whole body, investigating customer complaints, inspection of employees.
The legitimate interest pursued by Brahmayurveda to ensure the quality of its Ayurvedic treatments covering the whole body, investigating customer complaints and inspection of employees. (Article 6(1)f of GDPR)

In case the data subjects communicate health data during the treatments in oral form, the processing of special category of personal data is based on Article 9(2)h of GDPR.
Natural persons using services that improve health and physical well-being.

Audio recording made in the course of the treatment covering the whole body, date, time and location of the recording, name of the therapist and the client.
3 months

Brahmayurveda does not transfer the personal data affected by this processing.

Brahmayurveda creates audio recordings in the course of the Ayurvedic treatments in order to ensure the quality of the treatments, investigate customer complaints and inspect employees. The audio recordings will only be played back in the event of a customer complaint. Only the professional leader shall be entitled to access the audio recordings. The data subjects shall be entitled to request information on the processing of the personal data concerning them, listen to the audio recording(s) and to object to the processing.

3.16. Processing for the Brahma Loyalty Program

Purpose of processing:

Grounds for processing:

Categories of data subjects:
Categories of personal data:

To reward the loyalty of data subjects to the services provided by the Controller and to ensure participation in the Brahma Loyalty Program (hereinafter: Program) operated by the Controller. The purpose of the Program is to enable the Controller to offer a discount to data subjects in proportion to the number of visits and the value of the services used, in accordance with the rules detailed in the Controller’s General Terms and Conditions.

The Controller’s legitimate interest in offering discounts to returning customers based on the value of certain services previously used, thereby increasing customer satisfaction and turnover (Article 6 (1)(f) of GDPR)

Natural persons using health and physical well-being services, and in the case of minors, their legal representative.
Name;
Name and date of the service received;

The value of the service received; 12

Duration of processing: Recipients:

4. Processors

Rate of discount
1 year
The Controller uses a Processor for the operation of the reservation system it uses and for the proper functioning and management of the Programme. Details of the Processor: Altegio Europe Korlátolt Felelősségű Társaság (company registration number: 01-09-302414; tax number: 26110123-2- 41; registered office: 1054 Budapest, Széchenyi István tér 7.)

The Processors shall not use another data processor in the performance of their activities without the prior written ad hoc or general authorisation of Brahmayurveda. The Processors shall not make a substantive decision regarding processing, they shall process the personal data made known to them only in accordance with the provisions of Brahmayurveda, shall not process the data for their own purposes, and shall store and preserve the personal data in accordance with the provisions of Brahmayurveda. The Data Subjects may contact Brahmayurveda, as the Controller, in relation to the processing or may enforce their rights against it.

a. Contributing physician

In order to use the private healthcare services and the services improving physical well-being, the health data of the Data Subjects are processed by a physician employed by Brahmayurveda.

The provision of data to the Electronic Health Service Space (hereinafter: ‘EESZT’) maintained by the National Healthcare Service Center (hereinafter: ‘ÁEEK’) takes place according to Act XLVII of 1997 and the Decree of the Minister of Human Capacities 39/2016 (21 December) EMMI, with this activity performed accordance with the law by the contributing physician, as an independent Controller.

b. Appointment booking system

For the performance of appointment booking and customer management tasks related to our services we use the YClients customer management system provided by YCLIENTS HUNGARY Kft. (registered office: 1211 Budapest, II. Rákóczi Ferenc út 107-115. D. lház. 3. em. 9., company registration number: 01-09-302414, mailing address: 1211 Budapest, II. Rákóczi Ferenc út 107-115. D. lház. 3. em. 9., e-mail: info@yclients.hu, customer support hotline: +36 1 700 8108), which is accessible to our staff, including the contributing physician. The present privacy policy of Brahmayurveda Center Kft. is also accessible from Brahmayurveda’s YClients website. The data processor is involved in the following activities: performance of technical tasks related to the signing up, appointment booking service, user account, newsletter service, and other services available on the website of YClients. The

13

technical tasks related to the operation of the system provided by the data processor are carried out by the following subprocessor: PELETINO LIMITED (registered office: 1066 Nicosia, Cyprus, 5 Themistocles Dervis Elenion Building, registration number: 370539, Cyprus).

c. Invoicing

The electronic invoices to be issued by Brahmayurveda are issued by Kulcs-Soft Nyrt. which provides the Kulcs-Soft service. Its Privacy Notice can be found at: https://www.kulcs- soft.hu/adatvedelem.

Company name: Kulcs-Soft Nyilvánosan Működő Részvénytársaság Registered office: 1016 Budapest, Mészáros utca 13.
Company reg. no.: 01-10-045531
Tax number: 13812203-2-41

E-mail: adatvedelem@kulcs-soft.hu d. Bookkeeping

Docler Services Korlátolt Felelősségű Társaság (registered office: 1101 Budapest, Expo tér 5- 7, company reg. no.: 01-09-186181, tax number: 24856984-2-42), as a Processor, participates in the bookkeeping of accounting documents based on a written contract concluded with the Controller. In doing so, the Processor processes the name and address of the Data Subject to the extent necessary for the accounting records, for a period corresponding to Section 169 (2) of the Accounting Act (at least 8 years), after which it erases them without any delay. The Privacy Notice of the Processor is available at https://www.doclerholding.hu/hu/imprint/#GDPR.

e. IT service provider

Our company uses a Processor to maintain and manage its website, which provides IT services (storage space and domain name services) and, within the framework of our contract with it, processes the personal data provided on the website. The operations performed by it include the recording, collection and storage of personal data on the server and their destruction.

The storage space service provider protects the data against damage, destruction, loss, alteration, access or disclosure by unauthorised persons, and against any other unauthorised processing methods.

These Processors are the following:

i. Storage space and domain name service provider

Company name: Webonic Kft.
Registered office: 8000 Székesfehérvár, Budai út 9-11 Company reg. no.: 07-09-025725

14

Tax number: 25138205-2-07
Bank account: OTP 11742001-29904501-00000000
The Privacy Notice of the storage space service provider, as Processor, is available at: https://www.webonic.hu/aszf, under Section 17.

ii. Web and software developer

Name: Docler Services S.à r.l.
Registered office: 44, Avenue John F. Kennedy L-1855 Luxembourg Company registration number: B 207.465
VAT number: LU28676305
Website: www.doclerholding.com

f. Security cameras

The operation of the security camera system is performed by DoclerPro Kft. (registered office: 1101 Budapest, Expo tér 5-7, company reg. no.: 01-09-889799, tax number: 14119699-2-42), as Processor.

A sign and/or pictogram informs the Data Subjects at the entrances of the Brahmayurveda Center and the Brahmayurveda Guesthouse of camera processing. The Privacy Notice on camera processing is available at the reception of the Brahmayurveda Center and the Brahmayurveda Guesthouse.

The Customer/Data Subject may request that Brahmayurveda not erase the recordings until a court or authority has requested it, but for a maximum of 30 days if this is necessary to enforce the Data Subject’s right or legitimate interest (e.g.: to uncover the circumstances of a possible crime).

g. Facebook Messenger

If the Data Subject maintains contact with Brahmayurveda via Facebook Messenger, Meta Platforms, Inc. and Meta Platforms Ireland Limited (European registered office: Grand Canal Harbour, Grand Canal Square 4, Dublin 2, Ireland), as the provider of Messenger, is considered a Joint Controller. The erasure of the message exchange via Messenger can be done by the Data Subject in relation to their own account, with regard to the Brahmayurveda account, the message exchange via Messenger can be erased by Brahmayurveda at the request of the Data Subject. Apart from erasure, Brahmayurveda has no direct impact on the other features of the processing, it cooperates with Facebook upon request. The Privacy Notice of Facebook is available at: https://www.facebook.com/full_data_use_policy

h. Facebook and Instagram social media sites

If the data subject interacts with Brahmayurveda’s Facebook and/or Instagram social media profile (post a rating of the page, likes the page, likes a post, comments, shares, etc.), Meta Platforms, Inc. and Meta Platforms Ireland Limited (European registered office: Grand Canal Harbour, Grand Canal Square 4, Dublin 2, Ireland) , as the service provider for the Facebook

15

and Instagram social media sites, is considered a Joint Controller. The rating, reaction, sharing, post, subscription, etc. can be erased or modified by the Data Subject themselves on the interface of the social media site. With respect to the other data processed, Brahmayurveda either proceeds itself or cooperates with Facebook, depending on what action it is authorised to perform in relation to the given personal data. The Privacy Notice of the Facebook social media site is available at: https://www.facebook.com/full_data_use_policy. The Privacy Notice of the Instagram social media site is available at: https://help.instagram.com/519522125107875/?helpref=hc_fnav&bc[0]=Instagram%20Help& bc[1]=Privacy%20and%20Safety%20Center.

i. Contracting, completing declarations in electronic form

The Controller uses the TabLog software service to make the following legal declarations electronically: concluding a contract between the Data Subject and the Controller, the Data Subject’s consent to the processing, consent to processing for marketing purposes. The TabLog service provider is Floor99 Proptech Fejlesztő Kft. (registered office: 9023 Győr, Körkemence u. 8, tax number: 26568526-2-08, company reg. no.: 08-09-030459), the Privacy Notice of which is available at: https://www.tablog.hu/hu/adatkezelesi-tajekoztato.

j. Statutory registration of accommodation-related data

National Tourist Data Service Center (Nemzeti Turisztikai Adatszolgálató Központ, NTAK) shall act as the processor of Brahmayurveda on statutory grounds. NTAK is operated by Magyar Turisztikai Ügynökség Zrt. (registered office: 1027 Budapest, Kacsa u. 15-23; company registration no.: 01-10-041364; tax number: 10356113-2-43), the privacy notice is available at https://info.ntak.hu/adatkezelesi-tajekoztato (in Hungarian). The terms and conditions of the controller-to-processor relationship between Brahmayurveda and NTAK shall be set out in Article 14 of the Government Decree No. 235/2019. (X. 15.) en lieu of a data processing agreement.

k. Booking and CRM system

The booking and CRM system used by the Controller is provided by Altegio Europe Korlátolt Felelősségű Társaság (company registration number: 01-09-302414; tax number: 26110123-2- 41; registered office: 1054 Budapest, Széchenyi István tér 7.).

5. Data security measures

In order to make the processing of the personal data as secure as possible, Brahmayurveda or its contracted physician partner, as Processor, only collects health data from the Data Subject in person, in a paper-based form. Therefore, we ask our Customers not to send us health data or documents containing health data by e-mail or by post.

16

The recordings recorded by the security camera system are stored exclusively by Brahmayurveda Center Kft. on servers located in a locked room, with enhanced data security measures. Unauthorised persons may not access the recordings, only the authorised employees and contributors of Docler Services Kft. and Brahmayurveda, to the extent necessary for the performance of their duties.

6. Rights of the Data Subject during processing

During the period of processing, you have the following rights:

a. Right to information

The Data Subject may request information from the Controller on the processing of their personal data within the period of processing. The Controller shall inform the Data Subject in writing, in a comprehensible form, as soon as possible after the submission of the request, but not later than within 25 days, of the processed data, the purpose, legal ground and duration of the processing and, if the data were transferred, of the recipients of the data and the purpose for their transfer, and whether the Controller provided access thereto to a third party.

The information shall be provided by Brahmayurveda free of charge, but Brahmayurveda may charge a reasonable fee (proportionate to the administrative costs) or choose not to comply with a request for information, which is clearly unfounded or repetitive in nature. Brahmayurveda draws the attention of the Data Subjects to the fact that their right to information can be exercised either in writing (by e-mail) or in person.

b. Access to data and the right to data portability

The Data Subject has the right to receive notification from the Controller regarding whether or not their personal data are being processed, and if they are, the Data Subject has the right to access their personal data and the following information:

1. a)  the purposes of the processing;

2. b)  the categories of the personal data concerned;

3. c)  the recipients or categories of recipients to whom the personal data have been or will be

   communicated;

4. d)  the planned preservation period of the personal data;

5. e)  the right of the data subject to request the Controller to rectify, erase or restrict the

   processing of the personal data concerning them and to object to the processing of such

   personal data;

6. f)  the right to lodge a complaint with a supervisory authority;

7. g)  if the data were not collected from the Data Subject, all available information on their

   source;

8. h)  the fact of automated decision-making, including profiling.

The Data Subject may request the issuance of a copy of their personal data, in return for which Brahmayurveda may charge a reasonable fee (proportionate to the administrative costs).

17

The Data Subject may request to receive the personal data concerning them, and provided to the Controller, in a structured, commonly used and machine-readable format, and shall have the right to transfer those data to another controller without hindrance from the Controller to which the personal data were provided if:

1. a)  the processing is based on consent pursuant to Article 6 (1) a) or Article 9 (2) a) or a contract pursuant to Article 6 (1) b); and

2. b)  the processing is automated.

Brahmayurveda fulfils its obligations regarding these rights of the Data Subject by respecting the rights of others and its own rights (especially the right to the protection of trade secrets and intellectual property) and accordingly does not pass on data containing trade secrets (e.g.: details of processing) to the Data Subject.

c. Right to the rectification of data

If the Data Subject becomes aware that any of their personal data (in particular, e.g.: contact details, e-mail address, telephone number) processed by Brahmayurveda and stored in its registration systems is incorrect (e.g.: due to misspelling) or incomplete, then, according to their request sent to the contact details specified in Section 3, Brahmayurveda shall supplement their incomplete personal data and rectify their incorrect data in its registration systems.

The Controller shall comply with their request for rectification without undue delay and at the latest within 3 business days.

d. The right to block data and restrict processing

At the contact details provided in Section 3, the Data Subject may request a restriction on the processing of their personal data, in which case Brahmayurveda may only store their personal data without using it or performing any further processing operation (e.g.: transfer, erasure); the latter may take place during the restriction only if the Data Subject consents to them or they are necessary for the submission, enforcement and defence of a legal claim or the protection of the rights of a third party, the European Union or an important public interest of an EU Member State.

They can request a restriction on processing if

• they believe that their data are inaccurate and they do not want them to be used by Brahmayurveda until they are corrected, or if they consider the processing to be unlawful, or

• the purpose of the processing by Brahmayurveda has ceased, but they do not want their data to be erased, as they require it, for example, for the submission, defence or enforcement of their legal claim.

  The Data Subject may request that the Controller block the personal data if the final erasure of the data would harm the Data Subject’s legitimate interests. The personal data blocked in this

18

way may only be processed for as long as the purpose, which precluded the erasure of the personal data, exists.

e. Right to the erasure of data

The Data Subject has the option to request the erasure of their personal data, which the Controller shall comply with without undue delay, but no later than within 3 business days. The right to erasure does not extend to cases where the Controller is obliged by law to continue storing the data (e.g.: in connection with invoicing).

The Data Subject has the right to withdraw their consent to the processing at any time, which, however, does not affect the lawfulness of the processing performed prior to the withdrawal.

If the Data Subject withdraws their consent to the processing and

• there is no other legal ground for the processing, or

• if the purpose of the processing has ceased, or

• the processing is unlawful, or

• the data must be erased by law,

then, according to their request sent to the contact details specified in Section 3, Brahmayurveda shall permanently erase their personal data and copies thereof from its registration systems and destroy them.

f. Right to object to processing

The Data Subject shall have the right to object to the processing of their personal data, including profiling, at any time for reasons related to their situation, if the processing is necessary for the performance of a task in the public interest or to perform a task in the exercise of official authority vested in the Controller, or the processing is necessary to protect the legitimate interests of the Controller or of a third party. In such a case the Controller shall no longer process the personal data unless the they demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the Data Subject or which relate to the submission, enforcement or defence of legal claims.

The Controller shall review the objection within the shortest possible time or within no more than 3 business days following the submission of the request, shall make a decision on its merits and shall notify the Data Subject in writing of its decision. If the Data Controller does not comply with the Data Subject’s request for rectification, blocking or erasure, it shall notify the factual and legal reasons for rejecting the request for rectification, blocking or erasure in writing, or with the consent of the Data Subject, electronically, within 25 days of the receipt of the request.

19

7. How can the rights relating to processing be enforced?

The Data Subject may submit their application or request for the exercising of their rights relating to the processing detailed above at the contact details specified in Section 3.

Please provide at least two pieces of personal data in your request that will allow Brahmayurveda to identify you (e.g.: name and phone number, name and e-mail address). You can make your request or remark verbally, in person, however, Brahmayurveda will always provide a written reply (primarily in the form of your choice, failing which Brahmayurveda will respond electronically by e-mail or in a paper-based form, by post). Please indicate in your written request (by e-mail or on paper) the form in which you would like to receive a reply (e.g.: electronically by e-mail or in a paper-based form, in person), otherwise the reply will be sent to the Data Subject by Brahmayurveda in the form corresponding to the form of your request. Brahmayurveda will provide a substantive response to your application or request regarding the processing within 30 days of receipt, or in exceptional cased (e.g.: due to the complexity of the request) within 60 days. In the latter case, it shall, within 1 month of the receipt of the request, inform you separately of the extension of the time limit for the reply and the reasons therefor.

8. Processing in the case of minors

In the case of the services provided by Brahmayurveda, the performance of the service contract provides a legal ground for the processing, therefore the processing does not require separate parental consent. Other related processing (invoicing, claim enforcement, security camera processing, etc.) is also not based on the Data Subject’s consent. Only our newsletter service is based on the consent of the Data Subject. In the case of a Data Subject, who is minor, the adult representative of the minor Data Subject is entitled to subscribe to our newsletter service.

Brahmayurveda does not provide information society services directly to children, nor does it perform automated decision-making and profiling. The terms and conditions of Facebook registration and use govern communication via Messenger and the processing of data related to the social media sites, as a user account with the service provider is required to use these services.

The general data subject rights (right to information, access, rectification, restriction, data portability, objection or legal remedy) apply to the child individually and jointly with the parent. Where appropriate, Brahmayurveda may also request a declaration from the parent entitled to make a declaration of rights (e.g.: when exercising the right to erasure). These requests must be considered on a case-by-case basis, taking into account all the circumstances of the case.

9. Amendment of the Privacy Notice

Brahmayurveda Kft. reserves the right to amend this Privacy Notice at any time, especially in case of introduction of new processing or changes in the processing already in progress. Following the amendment of the Privacy Notice, all Customers/Data Subjects must be informed

20

in an appropriate manner (newsletter, pop-up window upon login, displayed at their registered office). By continuing to use the service, the Customers/Data Subjects acknowledge the changed processing rules, with no further consent required. If you have any questions or comments regarding the processing or the contents of this Notice, please send them to the dpo@idbc.hu e-mail address.

10.Enforcement

For all questions relating to the processing and the exercising of the rights detailed above, as well as in response to Brahmayurveda’s processing questions and inquiries, the Data Subject may contact Brahmayurveda Kft. at the following contact details:

Data Protection Officer: IDBC Creative Solutions Kft. E-mail address: adatkezeles@brahmayurveda.hu Mailing address: 1101 Budapest, Expo tér 5-7

The Data Subject may lodge a complaint with the National Authority for Data Protection and Freedom of Information (NADPFI) (registered office: 1055 Budapest Falk Miksa utca 9-11, http://naih.hu, e-mail: ugyfelszolgalat@naih.hu, postal address: 1363 Budapest, P.O. Box: 9, phone number: +36 (1) 391-1400, fax: +36 (1) 391-1410) regarding the processing performed by Brahmayurveda.

In addition to the above, the Data Subject may enforce their rights before a court pursuant to the GDPR, the Infotv. and the effective Civil Code. The Data Subject may bring proceedings before the general court competent according to their habitual place of residence.

This Privacy Notice enters into effect on the date of signature. Dated in Budapest on the 2nd day of February 2024.

Szidónia Világi Managing Director