Privacy Policy

PRIVACY POLICY

RoseHill Pilates

1. INTRODUCTION

The purpose of this Privacy Policy is to provide transparent and comprehensible information to Clients utilising the services of RoseHill Pilates studio and to cooperating instructors regarding the processing of their personal data.

The Data Controller is committed to protecting personal data and takes all necessary technical and organisational measures to ensure the secure processing of data.

This Policy has been prepared pursuant to the following legislation:

•       Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)

•       Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Info Act)

•       Act V of 2013 on the Civil Code

•       Act C of 2000 on Accounting

•       Act CVIII of 2001 on Certain Aspects of Electronic Commerce Services and Information Society Services

2. DATA CONTROLLER INFORMATION

Name: dr. Lívia Tácsik, sole proprietor

Registered Office: 1023 Budapest, Margit utca 15. ground floor

Registration Number: 61526527

Tax Number: 91609759-1-41

Studio Name: RoseHill Pilates

Studio Address: 1023 Budapest, Margit utca 15.

Website: https://rosehillpilates.com

Email: rosehillpilates@gmail.com

(hereinafter: "Data Controller")

Data Protection Officer: The Data Controller is not required to appoint a Data Protection Officer pursuant to Article 37 of the GDPR. For data protection enquiries, the Data Controller may be contacted directly at the above addresses.

3. DEFINITIONS

"Personal data" means any information relating to an identified or identifiable natural person.

"Data subject" means any identified or identifiable natural person on the basis of personal data (Client, Instructor).

"Processing" means any operation performed on personal data (collection, recording, storage, alteration, consultation, use, disclosure, erasure, destruction).

"Controller" means a natural or legal person which determines the purposes and means of the processing of personal data.

"Processor" means a natural or legal person which processes personal data on behalf of the Controller.

"Independent controller" means a third party which processes personal data for its own purposes and pursuant to its own legal basis, independently of the Controller (e.g., payment service providers).

"Special categories of data" means personal data referred to in Article 9 of the GDPR, in particular health data, the processing of which requires enhanced protection.

"CCTV system" means one (1) camera installed above the fireplace in the Studio premises, which continuously records images for the purposes of property and personal protection.

4. PROCESSING ACTIVITIES

4.1 Operation of the Booking System

Purpose: Booking appointments for pilates classes, provision of services, communication

Legal basis: Article 6(1)(b) GDPR – performance of a contract

Data processed: Name, email address, telephone number, booking date, type of service

Retention period: 5 years from the provision of the service (general limitation period under the Civil Code)

Nature of data provision: Necessary for the conclusion of the contract. Booking is not possible without providing the data.

4.2 Health Questionnaire (First Session)

Prior to the first pilates class, the Data Controller may request the Client to complete a health questionnaire to assess whether the Client has any health conditions or contraindications that would preclude or restrict the performance of pilates exercises. Health data constitutes special categories of data under Article 9 of the GDPR.

Purpose: Assessment of Client's health status for safe training, screening for contraindications

Legal basis: Article 9(2)(a) GDPR – explicit consent of the data subject

Data processed: Health status information (e.g., injuries, illnesses, pregnancy, surgeries)

Retention period: Until withdrawal of consent, but no longer than 1 year from the last class attended

Nature of data provision: Voluntary, but if refused, the Instructor may decline to hold the class if safe training cannot be guaranteed.

Consent may be withdrawn at any time without giving reasons at rosehillpilates@gmail.com. Withdrawal shall not affect the lawfulness of processing carried out prior to withdrawal. A consequence of withdrawal may be that the Instructor cannot guarantee the Client's safe training.

4.3 Online Payment (Barion)

Purpose: Processing online payments during booking via the website

Legal basis: Article 6(1)(b) GDPR – performance of a contract

Data processed: Payment transaction data (bank card data is processed exclusively by Barion)

Payment service provider: Barion Payment Zrt. (independent controller)

Retention period: In accordance with Barion Payment Zrt.'s data processing policy

Barion Payment Zrt. (registered office: 1117 Budapest, Irinyi József utca 4-20. 2nd floor, company registration number: 01-10-048552) is a payment service provider authorised and supervised by the National Bank of Hungary (MNB licence number: H-EN-I-1064/2013). Barion acts as an independent controller with respect to personal data connected to payment transactions. Detailed information on Barion's data processing practices is available at https://www.barion.com/hu/adatvedelmi-tajekoztato/

4.4 On-Site Payment for Group Classes (SumUp)

Purpose: Processing bank card payments at the Studio for group classes

Legal basis: Article 6(1)(b) GDPR – performance of a contract

Data processed: Payment transaction data (bank card data is processed exclusively by SumUp)

Payment service provider: SumUp EU Payments UAB (independent controller)

Retention period: In accordance with SumUp EU Payments UAB's data processing policy

SumUp EU Payments UAB (registered office: Ukmergės g. 126, 08100 Vilnius, Lithuania, company registration number: 305074395) is an electronic money institution authorised by the Bank of Lithuania (licence number: 56, issue date: 27 August 2019). SumUp acts as an independent controller with respect to personal data connected to payment transactions. Detailed information on SumUp's data processing practices is available at https://www.sumup.com/hu-hu/adatvedelem/

4.5 Private Class Payments (Cooperating Instructors)

In the case of private classes, the Client pays the Cooperating Instructor's fee directly to the Instructor on-site via SumUp card reader. In such cases, the Cooperating Instructor, as a sole proprietor, is deemed an independent controller with respect to payment transactions under Article 4(7) of the GDPR.

Under their cooperation agreement with the Studio, Cooperating Instructors are required to:

•       have their own privacy policy, or accept this Policy as applicable;

•       inform Clients about payment data processing and SumUp data transfers;

•       comply with GDPR requirements, particularly the principles of data minimisation, transparency, and data security.

4.6 Invoicing

Purpose: Issuance and retention of accounting documents

Legal basis: Article 6(1)(c) GDPR – legal obligation (Section 169 of the Accounting Act)

Data processed: Name, billing address, tax number (if applicable)

Retention period: 8 years (Section 169(2) of the Accounting Act)

4.7 CCTV System

Purpose: Property protection, personal safety, equipment protection, prevention and evidencing of unlawful acts

Legal basis: Article 6(1)(f) GDPR – legitimate interest

Data processed: Image, time of recording, behaviour on the recording

Retention period: 72 hours (3 business days) with automatic overwriting, except where the recording serves as evidence in judicial or official proceedings

One (1) camera operates in the Studio, positioned above the fireplace, recording the entire pilates room. The camera does not record audio. A warning sign (pictogram) at the entrance to the Studio informs data subjects of the camera's operation.

Legitimate interest assessment:

The Data Controller has carried out a legitimate interest assessment prior to operating the CCTV system, pursuant to Article 6(1)(f) of the GDPR. The result of the assessment: the Data Controller's legitimate interest (protection of valuable pilates equipment, personal safety of Clients and Instructors) takes precedence over the data subjects' interests in privacy, taking into account that (i) surveillance is limited to the public exercise area, (ii) the retention period is minimal (72 hours), (iii) only the Data Controller has access to the recordings, and (iv) data subjects receive prior notice. The legitimate interest assessment documentation is available for inspection at the Data Controller.

Access to the recordings is limited to the Data Controller and, in cases prescribed by law, the competent authorities. The data subject may object to CCTV surveillance pursuant to Article 21 of the GDPR; in the event of an objection, the Data Controller will assess whether the legitimate interest takes precedence.

4.8 Cooperating Instructors' Data

Purpose: Performance of cooperation agreement, verification of qualifications, communication, settlement

Legal basis: Article 6(1)(b) and (c) GDPR – performance of a contract, legal obligation

Data processed: Name, birth data, mother's maiden name, address, sole proprietor registration number, tax number, email, telephone, qualifications, bank account number

Retention period: 5 years from termination of the contract; 8 years for invoices

5. PROCESSORS AND INDEPENDENT CONTROLLERS

The Data Controller uses the following service providers, which act as independent controllers:

Service Provider | Activity | Privacy Policy

Barion Payment Zrt. (1117 Budapest, Infopark sétány 1.; MNB licence: H-EN-I-1064/2013) | Online payment (website) | barion.com/hu/adatvedelmi-tajekoztato/

SumUp EU Payments UAB (Ukmergės g. 126, 08100 Vilnius, Lithuania; Bank of Lithuania licence: 56) | On-site card payment (SumUp terminal) | sumup.com/hu-hu/adatvedelem/

Important notice: Barion Payment Zrt. and SumUp EU Payments UAB act as independent controllers with respect to payment transactions. This means that they process payment data for their own purposes and pursuant to their own legal basis. The Data Controller is not a processor with respect to these service providers. For data protection issues relating to payment service providers, please contact the relevant service provider directly.

Transfers to third countries: SumUp EU Payments UAB is a company with its registered office in Lithuania, which operates within the EU, so the GDPR applies directly to data transfers within the EEA. The Data Controller only transfers personal data to countries outside the European Economic Area (EEA) where the guarantees set out in Chapter V of the GDPR are in place.

6. AUTOMATED DECISION-MAKING AND PROFILING

The Data Controller does not use automated decision-making and does not carry out profiling within the meaning of Article 22 of the GDPR. All decisions in the course of processing personal data are made by natural persons.

7. DATA SUBJECT RIGHTS

Data subjects have the following rights under the GDPR:

•       Right of access (Article 15): to request information about the personal data processed

•       Right to rectification (Article 16): to request correction of inaccurate data

•       Right to erasure (Article 17): to request deletion of personal data ("right to be forgotten")

•       Right to restriction (Article 18): to request restriction of processing

•       Right to data portability (Article 20): to receive data in a machine-readable format

•       Right to object (Article 21): to object to processing based on legitimate interest (particularly in respect of the CCTV system)

•       Withdrawal of consent: consent may be withdrawn at any time without giving reasons by email (rosehillpilates@gmail.com). Withdrawal shall not affect the lawfulness of processing carried out prior to withdrawal.

Requests to exercise data subject rights will be fulfilled by the Data Controller within 30 days. Requests may be submitted to rosehillpilates@gmail.com.

Exercising rights with payment service providers: To exercise data subject rights in relation to data processed by Barion and SumUp, please contact the relevant service provider directly at the contact details they provide.

8. REMEDIES

Data subjects have the following remedies:

1. Complaint to the Data Controller: rosehillpilates@gmail.com

2. Complaint to the supervisory authority:

National Authority for Data Protection and Freedom of Information (NAIH)

Address: 1055 Budapest, Falk Miksa utca 9-11.

Postal address: 1363 Budapest, Pf. 9.

Telephone: +36 (1) 391-1400

Email: ugyfelszolgalat@naih.hu

Website: www.naih.hu

3. Judicial remedy: The data subject may also bring proceedings before the court of their place of residence or habitual residence.

9. DATA SECURITY

The Data Controller applies appropriate technical and organisational measures to protect personal data:

•       password protection and access restrictions

•       SSL/TLS encryption on the website

•       secure, closed storage of CCTV recordings

•       regular security backups

In the event of a data breach, the Data Controller shall act in accordance with Articles 33-34 of the GDPR: notify NAIH within 72 hours and, if the breach is likely to result in a high risk to the rights of data subjects, notify the data subjects.

10. AMENDMENTS TO THIS POLICY

The Data Controller reserves the right to amend this Policy unilaterally. The amended Policy will be published on the Studio's website (rosehillpilates.com) and displayed at the Studio. In the event of material changes, the Data Controller will notify data subjects by email.

11. CONTACT

Email: rosehillpilates@gmail.com

Postal address: 1023 Budapest, Margit utca 15.

This Privacy Policy shall become effective on 06 January 2026.

RoseHill Pilates

This English translation is provided for informational purposes only. In the event of any discrepancy between the Hungarian and English versions, the Hungarian version shall prevail.