Privacy Policy
POTZAK.ORG Zrt.
for the Bellyy.io website
I. Contents of the privacy policy
Bellyy.io (hereinafter referred to as Website) is operated by POTZAK.ORG Zrt. (Hereinafter referred to as the Data Controller). Data Controller informs the visitors and the Users (hereinafter referred to as Data Subject) about the data processing of the Website and the services provided by the Data Controller performed via the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as: General Data Protection Regulation or GDPR). The Data Controller considers great importance to the right to privacy of the Data Subjects.
From the Website the Data Subject may obtain information about the contents published by the Data Controller, as well as perform a health check, and they can also purchase the Bellyy digital exercise program (hereinafter together: the Service).
Data processing not listed in this policy will be notified separately at the time of data collection.
II. Definitions
Key concepts and their interpretation in the Privacy Policy:
Data Subject: Any natural person whose data is collected, held or processed.
Personal data: Any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Data Controller: Means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processing: Means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Transfer of personal data: Making the data available to a specific third party.
Disclosure: Making the data available to anyone.
Erasure of
the personal data: Making the data unrecognizable in such a way that it is no longer possible to recover it.
Destruction: Complete physical destruction of the data carrier.
Sets of personal data: The totality of the data processed in one register.
Third party: Means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, processor and persons who, under the direct authority of the Controller or processor, are authorised to process personal data.
Restriction of processing: Means the marking of stored personal data with the aim of limiting their processing in the future.
Processor: Means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
Consent of the
Data Subject: Means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal data breach: Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Definitions used in this Privacy Policy are consistent with:
- The Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; the “GDPR”),
- Act CXII of 2011 on the right to informational self-determination and on the freedom of information (Info tv.),
- Act V of 2013 on the Civil Code (Ptk.),
- the concepts of the Hungarian Data Protection Authority’s recommendations on prior data protection requirements.
III. contact details of the data Controller and the place of the data processing:
Bellyy.io is operated by POTZAK.ORG Zrt. as a Data Controller.
Registered seat: 97 Hegedűs Gy. str B. bld. 2nd fl., 1133 Budapest
Registration number: 01-10-141091
E-mail: info@bellyy.io
Place of the data processing: Hungary
Representative: Viktor Lajos Nagy director
IV. Circumstances of data processing, legal basics, purpose, case of data processing
Data processing performed by the Data Controller
The data processing performed by the Data Controller is carried out according to the following criteria specified below.
4.1 Registration
To use the Service, visitors may register to create the User account.
Data Subjects | Types of processed personal data | Purpose of the processing | Legal basis of processing | Duration of the processing |
Any person registering on the Website. | · name,
· e-mail, · age (optional), · password. |
Use of the Service provided by the Website. | GDPR Article 6 (1) a): consent of the Data Subject. | Until the User account is deleted, or the withdrawal of the consent.
In case of an inactive account, the data will be deleted by the Data Controller after 5 years from the last login. |
The Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
4.2 Editing User account
After registration, the User can change his or her data at any time in the menu item entitled “Profile data”.
Data Subjects | Types of processed personal data | Purpose of the processing | Legal basis of processing | Duration of the processing |
Any person registered on the Website. | · name,
· e-mail, · age, · picture, · password. |
To process the accurate data of Data Subjects. | GDPR Article 6 (1) a): consent of the Data Subject. | Until the User account is deleted, or the withdrawal of the consent.
In case of an inactive account, the data will be deleted by the Data Controller after5 years from the last login. |
The Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
4.3 Health check
The Data Controller provides the opportunity for Users to complete a self-assessment health check. If the analysis indicates the split of the abdominal muscles, the Data Subject may contact the Data Controller to provide him or her a proper rehabilitation by the Bellyy exercise program.
Data Subjects | Types of processed personal data | Purpose of the processing | Legal basis of processing | Duration of the processing |
Any person registered on the Website who have completed the Bellyy health check. | · omphalocele,
· sensation of the abdominal muscles by head lifting. · data on the detection of a split abdominal muscle. |
Providing analysis about the split abdominal muscles to the Data Subjects.
|
GDPR Article 6(1) a) and 9 (2) a): consent of the Data Subject. | Until the User account is deleted, or the withdrawal of the consent.
In case of an inactive account, the data will be deleted by the Data Controller after5 years from the last login. |
The Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Withdrawal of consent shall not affect that Data Controller store the anonym results for statistical purposes.
4.4 Place the order through the Website
You can order the Bellyy digital exercise program through the Website. No registration is required to make a purchase on the Website.
Data Subjects | Types of processed personal data | Purpose of the processing | Legal basis of processing | Duration of the processing |
Any person placing an order through the Website. | · name,
· zip code, · city, · address, · telephone number, · e-mail. |
Order administration, order confirmation. | The processing is based on GDPR Article 6 (1) b): performance of a contract. | Data Controller shall process personal data for a 5-year term [in accordance with Section 6:22 (1) of Act V of 2013 on the Civil Code (“Ptk.”)]. |
Once the payment has been made, the order considered successful.
Payment can be made by direct bank transfer or by PayPal. The service provider (bank, PayPal) used during the payment process is an independent Data Controller. For more information about the data processing of the service provider, please visit the website of your bank.
PayPal’s privacy policy is available at the following link: https://www.paypal.com/hu/webapps/mpp/ua/privacy-full
4.5 Invoicing
After placing a successful order through the Website, the Data Controller will send an invoice to the Data Subject.
Data Subjects | Types of processed personal data | Purpose of the processing | Legal basis of processing | Duration of the processing |
Any person who places a successful order through the Website. | · name,
· zip code, · city, · address, · e-mail, · order number. |
To issue an invoice. | GDPR Article 6 (1) c): legal obligation according to Section 169 (2) of the Act C of 2000 on Accounting. | The accounting documents underlying the accounting records directly or indirectly shall be retained for eight years. |
To carry out the invoicing, the Data Controller forwards the data to Ten Control Kft. as a Data Processor indicated below.
4.6 Withdrawal and termination
Before paying the Service Provider’s fee, the Data Subject may exercise the right of withdrawal by sending a statement to the e-mail address of the Data Controller info@diastasisrectiexercise.com. Data Subject may exercise this right for 14 days from the conclusion of the contract based on the Terms of Use point 8.1.
Data Subjects | Types of processed personal data | Purpose of the processing | Legal basis of processing | Duration of the processing |
Any person who places a successful order through the Website. | · name,
· zip code, · city, · address, · order number. |
Claim of customer demand, refund of service fee. | GDPR Article 6 (1) c): legal obligation according to Section 23 (1) Government Decree No. 45/2014. (II. 26.). | Data Controller shall process personal data for a 5-year term [in accordance with Section 6:22 (1) of Act V of 2013 on the Civil Code (“Ptk.”)]. |
4.7 Newsletter
Data Controller provides an opportunity for interested Data Subject to receive news, advice, and articles via their e-mail address.
Data Subjects | Types of processed personal data | Purpose of the processing | Legal basis of processing | Duration of the processing |
Users who subscribe to the newsletter explicitly. | · name,
· e-mail. |
Sending news, advice, articles and offers related to split abdominal muscles to the Data Subject. | GDPR Article 6 (1) a): consent of the Data Subject. | Until the user account is deleted, or the withdrawal of the consent. In case of an inactive account, the data will be deleted by the Data Controller after 5 years from the last login. |
The Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
The Data Controller shall not be liable if the provided data is incorrect or inadequate.
4.8 Contact service
If the Data Subject has any remarks, questions, problems, or complaints regarding the Service, she or he may contact the Data Controller via the interface created on the Website, or via e-mail or telephone.
Data Subjects | Types of processed personal data | Purpose of the processing | Legal basis of processing | Duration of the processing |
People who report a question or problem through the Website. | · name,
· e-mail, · topic, · any freely given personal data |
Answering the questions, solving the problems, traceability. Improving the User experience. | GDPR Article 6 (1) a): consent of the Data Subject. |
Data Controller shall process personal data for 1 year after the communication or the withdrawal of the consent. |
People who report a question or problem through an e-mail. | · name,
· email, · any freely given personal data. |
Answering the questions, solving the problems, traceability. Improving the User experience. | GDPR Article 6 (1) a): consent of the Data Subject. |
Data Controller shall process personal data for 1 year after the communication or the withdrawal of the consent. |
People who report a question or problem by phone. | · name,
· telephone number, · any freely given personal data |
Answering the questions, solving the problems, traceability. Improving the User experience. | GDPR Article 6 (1) a): consent of the Data Subject. |
Data Controller shall process personal data for 1 year after the communication or the withdrawal of the consent. |
The Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
4.9 Personal data generated during visiting the Website (cookies):
Data Subjects | Types of processed personal data | Purpose of the processing | Legal basis of processing | Duration of the processing |
All Data Subjects visiting the App. | · date,
· time, · IP address of the Data Subject’s tool, · name of the visited site, · information about the Data Subject’s operating system and browser. |
While visiting the Website, the Data Controller records the visitor data to check the operation of the service and prevent misuse.
Identify Users and track visitors |
GDPR Article 6 (1) a): consent of the Data Subject unless the purpose of the use of cookies is the transmission of communications via an electronic communications network or is strictly required by the Data Controller for the provision of an information society service specifically requested by the subscriber or user. | In the case of session cookies, the duration of data processing lasts until the end of the visit to the websites, while in other cases it lasts for a maximum of 365 days. |
The Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
The Data Subject has the option to delete cookies under the settings of the Privacy menu item in the Tools / Settings menu of her / his browser.
V. Use of data processors
To manage and store data, the Data Controller cooperates with the following Data Processors.
- Name: Ten Control Kft.
Address: H-2016, 156. Móricz Zs. road, Leányfalu
E-mail: tencontrolkft@gmail.com
- Name: Servergarden Kft.
Address: H-1023, 28-32. Lajos street, Budapest
VI. Transfers of personal data
The Data Controller shall transfer data to the Data Processors listed in Chapter V. No data will be transferred to a third country during the processing.
VII. Personal data rights of the Data Subject
Data Subjects may exercise all rights related to the legal basis belonging to the data processing case. The Data Subject may exercise his or her rights in writing:
- by mail: H-1133 97. B. 6/2 Hegedűs Gy. Street Budapest, or
- by e-mail: info@bellyy.io
Data Controller shall provide information on action taken on a request to the Data Subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.
Data Controller shall inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the Data Subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the Data Subject.
7.1 Right to information and access
The Data Subject shall have the right to get information about the personal data stored by the Data Controller and information related to their processing, to request them at any time, to check what personal data the Data Controller keeps records of and the right to access the personal data.
7.2 Right to rectification
The Data Subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her.
7.3 Right to erasure
The Data Subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay and the Data Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the Data Subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
- the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
- the personal data have been collected in relation to the offer of information society services directly to children.
7.4 Right to restriction of processing
The Data Subject shall have the right to obtain from the Data Controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the Controller override those of the data subject.
Where processing has been restricted – with the exception of storage – personal data shall only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. A Data Subject who has obtained restriction shall be informed by the Controller before the restriction of processing is lifted.
7.5 Right to data portability
The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, where the processing is based on consent and the processing is carried out by automated means.
7.6 Automated individual decision-making, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
The Data Subject cannot enforce the rights listed in this Chapter if the Data Controller demonstrates that it is not in a position to identify the Data Subject. Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested or refuse to act on the request. The Controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request. Where the Controller has reasonable doubts concerning the identity of the natural person making the request, the Controller may request the provision of additional information necessary to confirm the identity of the data subject.
VIII. Remedy
The Data Subject may exercise his or her rights via e-mail or post in accordance with the contacts provided in Chapter III.
If the Data Controller does not take action on the request of the Data Subject, the Data Controller shall inform the Data Subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority to
- the Hungarian Data Protection Authority (registered seat: H-1055 9-11 Falk Miksa Street Budapest; mail: Pf.: 9. 1363 Budapest; e-mail: ugyfelszolgalat@naih.hu; web: https://www.naih.hu/)
and seeking a judicial remedy to
- the court in accordance with the GDPR, Info tv. and the Ptk.
- Notification of a personal data breach
To verify the measures related to the personal data breach, to notify the supervisory authority and the Data Subject, the Data Controller maintains a record which contains the scope of personal data, the scope and number of Data Subjects, the date, circumstances, and effects of the personal data breach.
If the Data Controller considers that the personal data breach is likely to result in a risk to the rights and freedoms of the Data Subject, Data Controller shall without undue delay and where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.
If the Data Controller considers that the data breach is likely to result in a high risk to the rights and freedoms of the Data Subject, the Data Controller shall communicate the personal data breach to the Data Subject without undue delay.
X. Data security
The Data Controller undertakes to ensure the security of the data and takes technical measures to ensure that the recorded, stored, and processed data are protected. Data Controller does everything possible measure to prevent the destruction, unauthorized use, and unauthorized alteration of the data. The Data Controller also commits itself to call any third party whom the data may be transferred to fulfil this obligation.
XI. Miscellaneous
The Data Controller reserves the right to unilaterally amend this Privacy Policy with prior notice to the Data Subject via the Website. After the entry into force of the amendment, the Data Subject accepts the provisions of the amended Privacy Policy with suggestive behaviour. In all cases, please read the amendments to the privacy notice carefully, as they contain important information about the processing of the personal data.
This Privacy Notice is effective as of December 16, 2020.