Data processing information
The Data Controller pays special attention to the fact that, during the processing of personal data in its system, it processes, stores and uses it in accordance with the provisions of Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (the "Regulation") on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC (General Data Protection Regulation).
In connection with the processing of data, the Data Controller hereby informs the visitors of the website (hereinafter referred to as the "User") about the personal data it processes, the principles and practices followed in the processing of personal data, and the method and possibilities for exercising the User's rights.
The User has the right to partially or completely withdraw his/her consent to data processing by means of a written notification to the Data Controller, or to request the deletion of his/her data in the manner specified in the information.
1. NAME OF DATA CONTROLLER
The data is processed by Mindwell Psychological Center Zrt.
Head office: Budapest, 1122 Goldmark Károly utca 3. fszt. 1.
Company registration number: 01-10-142311
Tax number: 32255625-2-43
E-mail address: webshop@mindwill.ro
2. LEGAL BASIS FOR DATA PROCESSING
The legal basis for data processing is the voluntary consent of the User or the fulfillment of a legal obligation pursuant to Article 6(1)(a) of Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL ("Regulation") on the protection of natural persons with regard to the processing of personal data when using the services available on the Website and on the free movement of such data, and repealing Regulation 95/46/EC (General Data Protection Regulation).
The User may withdraw his/her consent to data processing at any time - or in the case of data processing based on the law, after the expiry of the limitation period specified by the law - in which case the Data Controller will delete all of the User's personal data from the system.
In the absence of withdrawal, the duration of data processing in each case involving data processing is the deadline specified in this information.
3. SCOPE, TIME, PURPOSE, LEGAL BASIS OF PROCESSED DATA
Registration: normal registration.
Name, Email address
The processing of personal data required during registration begins with registration and continues until its deletion upon request. If the User does not request the deletion of their registration, it will be deleted from the system no later than 30 days after the termination of the Website.
Providing the opportunity to purchase in the web store as a registered user; User identification; order delivery; enabling invoicing after registration using the billing information provided during the order; Crediting loyalty points, which can be used during subsequent purchases.
Voluntary consent of the User
Contacting the Data Controller by e-mail, telephone, or post.
Name; Email address (mandatory when filling out an email or contact form); Phone number (mandatory when making a telephone inquiry).
Postal and e-mail inquiries: The processing of personal data provided during contact begins with the voluntary provision of the data and continues until its deletion upon request. If the User does not request the deletion of his/her personal data provided during contact, the Data Controller - except in the case of a complaint letter - deletes it from its system no later than 30 days after the termination of the Website. An exception is complaint letters, the retention period of which is 5 years.
contact, maintaining contact; complaint handling.
Voluntary consent of the user
E-mail address
Voluntary consent of the user
3.1. Other data processing
3.1.1. Newsletter, DM activity
Scope of data processed: Name, email address, phone number
Purpose of data processing: By subscribing, the User agrees that the Data Controller will send him/her a newsletter with direct marketing content using the direct inquiry method. In the event of subscription, the Data Controller – in the absence of a different statement, objection or protest – will use the name, email address and phone number provided by the User during the request as personal data for the purpose of the Data Controller sending informational material, promotions, offers and information about its services.
Duration of data processing: The Data Controller will process this data until the User unsubscribes from it. For newsletters, by clicking on the unsubscribe link in the newsletter, and for DM messages, by e-mail or by post. In the event of unsubscribing, the Data Controller will not contact the User with further newsletters, DMs or offers. The User may unsubscribe from the newsletter at any time, without limitation or justification, free of charge.
Legal basis for data processing: Voluntary consent of the User.
3.1.2. Profiling
Purpose of data processing: During profiling, the Data Controller prepares an analysis of the purchasing habits of a given person (or group of individuals) in order to use them to display targeted advertising, send a personalized newsletter or use them to send informational and reminder messages based on the recording of their behavior (e.g. you have been here a long time...; you left your cart and we saved the content in it, etc.). The Data Controller bases profiling on the User's browsing history and purchase data.
Profiling and the display and sending of targeted advertising related to their business activities in this context - in the absence of a different statement or objection - will only take place if the User expressly consents to this during registration.
If the User does not consent to the use of his/her personal data for this purpose, the Data Controller will not perform profiling of the User, however, the personal data provided for registration, ordering, newsletter subscription, etc. will continue to be managed, stored and processed in order to provide the available and provided services (e.g. sending system messages, sending coupons, recording orders, sending newsletters, etc.).
Scope of data managed and transferred: Name, browsing history, purchase data
Data processor: Mailchimp c/o The Rocket Science Group, LLC
Data processing period: The Data Controller will perform profiling as long as the User does not object to profiling. The User has the right to object to the processing of this data at any time, without giving reasons or adverse legal consequences, by means of a written statement addressed to the Data Controller. In the event of an objection, the Data Controller will no longer use the User's data for profiling purposes and the User will continue to be entitled to use the Website.
Legal basis for data processing: Voluntary consent of the user.
3.1.3. Writing a product review
Purpose of data processing: authentic information for other consumers, enhancing the user experience. The User can write a product review about the products he or she has purchased, which will help other buyers make a decision regarding the purchase of the given product.
Scope of data processed: first name
Duration of data processing: The Data Controller processes this data as long as the User does not request the deletion of the displayed data.
Legal basis for data processing: User's voluntary consent.
3.1.4. Data collected in connection with the use of the Website (data processing for other purposes)
3.1.4.1. Technical data, Website visit data
Purpose of data processing: The Data Controller's system automatically records the IP address of the User's computer, the start time of the visit, and in some cases - depending on the computer's settings - the type of browser and operating system. The data recorded in this way will only be linked to other personal data if the User registers on the Website. The data is processed solely for statistical purposes. The purpose of data processing is to monitor the operation of the service, provide personalized service and prevent abuse.
The Data Controller does not connect the data obtained during the analysis of log files with other information, and does not seek to identify the User.
The IP address is a series of numbers that can be used to clearly identify the User's computer accessing the Internet. IP addresses can even be used to geographically locate the visitor using a given computer. The address of the visited pages and the date and time data are not suitable for identifying the User by themselves, but when combined with other data (e.g. provided during registration), they are suitable for drawing conclusions about the User.
Scope of processed data: date, time, the IP address of the User's computer, the type of browser, the address of the viewed and previously visited website.
Duration of data processing: 30 days from the date of viewing the Website.
Legal basis for data processing: Voluntary consent of the user.
3.1.4.2. Cookie management
In order to provide customized service, the Data Controller places a small data package, so-called cookie, on the User's computer and reads it back during the subsequent visit. If the browser sends back a previously saved cookie, the cookie management service provider has the opportunity to connect the User's current visit with previous ones, but only with regard to its own content.
Session cookie:
Purpose of data management: These cookies serve to make the Website work more efficiently and securely, so they are essential for certain functions of the Website or certain applications to work properly.
Scope of data managed: does not record personal data
Duration of data management: lives for the duration of the visit to the website, after which it is automatically deleted.
Persistent cookie:
Purpose of data management: the Data Controller also uses a persistent cookie for a better user experience (e.g. to provide optimized navigation). These cookies are stored for a longer period in the browser's cookie file. The duration of this depends on the settings used by the User in their internet browser.
Scope of data processed: no personal data is recorded
Data processing time: These cookies are stored for a longer period in the browser's cookie file. The duration of this depends on the settings used by the User in their internet browser, typically 30-60-90-120-180-365 days
Scope of data subjects in the case of data collected by cookies: All users browsing the site
Legal basis for data processing: User's voluntary consent.
Deleting cookies
The User has the right to delete cookies from their own computer or to disable the use of cookies in their browser. Cookies can usually be managed in the Tools/Settings menu of browsers under the Privacy/History/Personal Settings menu, under the cookie, cookie or tracking name.
3.1.4.3. Data management by external service providers
The html code of the portal contains links coming from and pointing to external servers independent of the Data Controller. The server of the external service provider is directly connected to the User's computer. We draw the attention of our visitors to the fact that the service providers of these links are able to collect user data due to the direct connection from their server and direct communication with the User's browser.
Any content that may be personalized for the User is served by the server of the external service provider.
The data controllers listed below can provide detailed information on the processing of data by the server of external service providers. The Website may contain information, in particular advertisements, that originate from third parties, advertising providers who are not connected to the Data Controller. It may happen that these third parties also place cookies, web beacons on the User's computer, or use similar technologies to collect data in order to send the User an advertising message addressed to them in connection with their own services. In such cases, the data processing is governed by the data protection regulations set by these third parties, and the Data Controller assumes no liability for such data processing.
In order to provide customized service, external service providers place and read back a small data package, so-called cookie, on the User's computer. If the browser sends back a previously saved cookie, the service providers managing it have the opportunity to connect the User's current visit with previous ones, but only with regard to their own content.
The Data Controller's advertisements may be displayed on Internet websites by external service providers (Google). These external service providers (Google) use cookies to store that the User has previously visited the Data Controller's Website, and based on this, display the advertisements to the User in a personalized manner (i.e., they carry out remarketing activities).
Cookies placed by Google Analytics
Purpose of data processing: The Google Analytics server, as an external service provider, facilitates the independent measurement and auditing of the Website's traffic and other web analytics data. Google can provide detailed information about the management of measurement data at www.google-analytics.com.
Cookies placed by Google Analytics
Purpose of data processing: The Google Analytics server, as an external service provider, helps to independently measure and audit the Website's traffic and other web analytics data. Google can provide detailed information about the management of measurement data at www.google-analytics.com.
Google Analytics is an analytics service of Google Inc. ("Google"). Google Analytics analyzes user interactions on the Website using cookies stored on the User's computer. Analytics cookies are anonymized and aggregated data, based on which it is difficult to identify the User, but it cannot be ruled out.
The analytical information collected by Google Analytics cookies is transferred to and stored on Google's servers. This information is processed by Google on behalf of the Data Controller to evaluate the Users' browsing habits, compile reports on the frequency of use of the Website, and provide further services related to the use to the Data Controller.
Scope of data processed: IP address, Analytical cookies (cookies) are anonymized and aggregated data, based on which the computer or the User cannot be identified.
Duration of data processing: 14 months
Legal basis for data processing: User's voluntary consent.
Further information about the cookies used by Google can be viewed at the following link: http://www.google.com/policies/technologies/ads/
Google's privacy statement can be viewed at the following link: http://www.google.com/intl/hu/policies/privacy/.
Google Adwords
Purpose of data processing: The Website uses Google Adwords remarketing tracking codes. This is based on the fact that the Data Controller will later target visitors to the site with remarketing ads on websites belonging to the Google Display Network. The remarketing code uses cookies to tag visitors. Users of the Website can disable these cookies by visiting the Google ad settings manager and following the instructions there. After that, they will not receive personalized offers from the Data Controller.
Scope of data processed: IP address, Analytical cookies (cookies) are anonymized and aggregated data, based on which it is not possible to identify the computer or the User.
Duration of data management: 14 months
Legal basis for data management: Voluntary consent of the user.
Meta remarketing
Purpose of data management: Using Meta (Facebook and Instagram) remarketing codes, the Data Controller displays various campaigns and promotions for the User who has previously visited the Website.
Scope of data managed: IP address, cookies for analytical purposes, anonymized and aggregated data, based on which the identification of the computer or the User is not possible
Duration of data management: 14 months
Legal basis for data management: Voluntary consent of the user.
TikTok remarketing
Purpose of data management: Using TikTok (ByteDance) remarketing codes, the Data Controller displays various campaigns and promotions for the User who has previously visited the Website.
Scope of processed data: IP address, cookies for analytical purposes, anonymized and aggregated data, based on which the computer or the User cannot be identified
Duration of data processing: 14 months
Legal basis for data processing: User's voluntary consent.
Shopify Inc.
Adatkezelés célja: Bankkártyás fizetés megvalósítása. A Mindwell Pszichológiai Központ Zrt., mint adatkezelő által a felhasználói adatbázisában tárolt alábbi személyes adatok átadásra kerülnek az Shopify Inc., mint adatfeldolgozó részére. Az adatfeldolgozó által végzett adatfeldolgozási tevékenység jellege és célja a Shopify Adatkezelési tájékoztatóban, az alábbi linken tekinthető meg: https://www.shopify.com/legal/dpa
Scope of data transferred: Name, email address, telephone number, billing address, shipping address
Legal basis for data processing: User's voluntary consent.
4.1 Data processors:
Mindwell Psychological Center Ltd.
Registered address: Budapest, 1122 Goldmark Károly utca 3. fszt. 1.
Company registration number: 01-10-142311
Registering court: Budapest Court of Registration
Tax number: 32255625-1-43
E-mail address: webshop@mindwill.ro
Activity: Operates the website.
Trading and Service Provider:
Shopify Inc.
Cím: 150 Elgin Street, 8th Floor, Ottawa, ON K2P 1L4, Kanada
Cégjegyzékszám 426160-7
E-mail címe: support@shopify.com
Telefon: +1-613-241-2828
Activity: Operates the website on behalf of the Data Controller. hosting provider, server operator.
Cloudflare Inc.
Address: c/o Registered Agent Solutions, Inc., 838 Walker Road, Suite 21-2, Dover, DE 19904, USA.
Business registration number: 12401448.
Tax ID: 20-0762369.
Activity: Infrastructure operation.
Mailchimp c/o The Rocket Science Group, LLC
Head office: 675 Ponce De Leon Ave NE; Suite 5000; Atlanta, GA 30308 USA
Activity: sending out newsletters, displaying targeted advertising using personal data collected during website use, Google and Facebook remarketing activities on behalf of the Data Controller.
Selkie-System Kft.
Head office: 1062 Budapest, Székely Bertalan utca 10. fszt. 10.
Company registration number 01-09-982917
Tax number: 23888409-2-42
Activity: accounting
PBS EUROCONTA SRL
Head office: Romania, Cluj-Napoca, str. Alverna, no. 71-73, Corp A, Et.1, ap. 18, Cluj County.
Company registration number: J12/300/2017.
Tax identification number: RO36989524
Activity: accounting
KBOSS.hu Kft. (Számlázz.hu)
Head office: 1031 Budapest, Záhony utca 7/D.
Email: info@szamlazz.hu
Company registration number 01-09-303201
Tax number: 13421739-2-41
Activity: invoicing
Meta Platforms, Inc. (USA)
Head office: Menlo Park, California, USA
Activity: Profiling, advertising, analytical and measurement services, display of behavioral advertising on Meta platforms (Facebook, Instagram, etc.)
Google LLC (USA).
Head office: 1600 Amphitheatre Pkwy. Montain View, California 94043
Activity: Profiling, advertising, analytics and measurement services, displaying behavioral advertising on Google platforms
Google Ireland Limited
Head office: Gordon House, Barrow Street, Dublin 4, Ireland
Activity: Providing Google Workplace and Google Drive cloud-based services.
FAN COURIER EXPRESS SRL
Registered at: 020331 Soseaua Fabrica De Glucoza Nr. 11C, Bucharest, Romania.
Company registration number: J40/4014/2001
Tax number: RO13838336
Activity: Courier service
In case of delivery by courier service, in addition to home delivery, parcels can be collected as follows:
To FANbox Parcel machines
To Collect Point collection points
The exact list of Fan Courier parcel machines and collection points can be viewed at the following link: https://www.fancourier.ro/locatii-fan/.
6. USER RIGHTS
6.1. Information and access to personal data
The User has the right to be informed about his/her personal data stored by the Data Controller and the information related to their management; check what data the Data Controller keeps about him/her, and is also entitled to access personal data. The User is obliged to submit his/her request for access to the data in writing (by e-mail or post) to the Data Controller. The Data Controller shall provide the User with the information in a widely used electronic format, unless the User requests it not in writing, on paper. The Data Controller shall not provide verbal information by telephone in the event of exercising access.
In the event of exercising the right of access, the information shall cover the following:
definition of the scope of the data processed, purpose, time and legal basis of the data processed,
data transfer: to whom the data have been transferred or will be transferred in the future,
identification of the data source.
The Data Controller shall provide the User with a copy of the personal data (in person at the customer service) free of charge for the first time. For further copies requested by the User, the Data Controller may charge a reasonable fee based on administrative costs. If the User requests the copy electronically, the information shall be made available to the User by email in a widely used electronic format.
After the information, if the User does not agree with the data processing and the accuracy of the processed data, he may request the correction, completion, deletion or restriction of the processing of his personal data as specified in point 6, he may object to the processing of such personal data, or he may initiate the procedure specified in point 7.
6.2. Right to rectify or supplement processed personal data
Upon the written request of the User, the Data Controller shall rectify without undue delay inaccurate personal data indicated by the User, in writing or in person at one of the Data Controller’s stores, or supplement incomplete data with content indicated by the User. The Data Controller shall inform all recipients to whom the personal data has been disclosed of the rectification or supplementation, unless this proves impossible or requires a disproportionate effort. The User shall be informed of the data of these recipients if he so requests in writing.
6.3. Right to restriction of data processing
The User may request the Data Controller to restrict the processing of his/her data by means of a written request if
The User disputes the accuracy of the personal data, in which case the restriction shall apply for a period enabling the Data Controller to verify the accuracy of the personal data,
the data processing is unlawful and the User opposes the erasure of the data and instead requests the restriction of their use,
The Data Controller no longer needs the personal data for the purposes of data processing, but the User requires them for the establishment, exercise or defence of legal claims,
The User objects to the data processing: in this case the restriction shall apply for a period until it is determined whether the legitimate grounds of the Data Controller override those of the User.
Personal data subject to restrictions may be processed during this period, except for storage, only with the consent of the User, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important public interests of the Union or a Member State. The Data Controller shall inform the User at whose request the data processing has been restricted in advance of the lifting of the data processing restriction.
6.4. Right to erasure (to be forgotten)
At the request of the User, the Data Controller shall erase the personal data concerning the User concerned without undue delay if one of the specified reasons applies:
i) the personal data is no longer necessary for the purpose for which they were collected or otherwise processed by the Data Controller;
ii) the User withdraws his consent which forms the basis of the data processing and there is no other legal basis for the data processing;
iii) the User objects to the data processing on grounds relating to his or her own situation and there is no legitimate reason for the data processing,
iv) the User objects to the processing of personal data concerning him or her for direct marketing purposes, including profiling, if it is related to direct marketing,
v) the Data Controller processes the personal data unlawfully;
vi) the personal data were collected in connection with the offering of information society services directly to children.
The user may not exercise the right to erasure or to be forgotten if the processing is necessary
i) for the exercise of the right to freedom of expression and information;
ii) on grounds of public interest in the field of public health;
iii) for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes, where the exercise of the right to erasure would render such processing impossible or would seriously jeopardise such processing; or
iv) for the establishment, exercise or defence of legal claims.
6.5. Right to data portability
Data portability allows the User to obtain and further use his/her "own" data provided by the User in the Data Controller's system, for his/her own purposes and through various service providers specified by him/her. In all cases, the right is limited to the data provided by the User, there is no possibility of portability of other data. (e.g. statistics, etc.)
The User receives the personal data relating to him/her, which is found in the Data Controller's system (e.g. when subscribing to a newsletter):
in a structured, widely used, machine-readable format,
has the right to transmit it to another data controller,
may request the direct transmission of the data to another data controller - if this is technically feasible in the Data Controller's system.
The Data Controller shall fulfill the request for data portability solely on the basis of a request sent by email or post. In order to fulfill the request, the Data Controller shall be satisfied that the authorized User actually wishes to exercise this right. For this, it is necessary for the User to appear in person at the Data Controller’s headquarters after the notification, in order for the Data Controller to be able to identify the requesting User using the data in its system. Within the framework of this right, the User may request the portability of the data that he/she has provided to the Data Controller (it does not apply to statistical data, purchase data, data generated in the Data Controller’s system in other ways, etc.). Exercising the right does not automatically result in the deletion of the data from the Data Controller’s systems, therefore the User may continue to use the Data Controller’s services after exercising this right.
6.6. Objection to the processing of personal data
The User may object at any time to the processing of his/her personal data, including profiling, for reasons related to his/her own situation, and the User is entitled to object at any time to the processing of personal data concerning him/her for direct marketing purposes, including profiling. If the User objects to the processing of personal data, the Data Controller will delete the User’s personal data from its system.
The user can object in writing (by email or post) or in the case of a newsletter by clicking on the unsubscribe link in the newsletter.
6.7. Deadline for fulfilling the request
The data controller shall inform the data subject of the measures taken in response to the above requests without undue delay, but in any case no later than one month from the receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months.
6.8.
If the data subject has submitted the request electronically, the information will be provided electronically, unless the data subject requests otherwise.
6.9.
If the controller fails to act on the data subject's request for any reason, it shall inform the data subject thereof without delay and at the latest within one month of receipt of the request and shall inform the data subject of that reason and of the right to lodge a complaint with a supervisory authority and to seek a judicial remedy.
6.10.
The controller shall provide the requested information free of charge. If the data subject's request is manifestly unfounded or excessive, in particular because of its repetitive nature, the controller may charge a reasonable fee, taking into account the administrative costs of providing the requested information or taking the requested action, or may refuse to act on the request.
6.11.
The controller shall inform any recipient to whom or with whom the personal data have been disclosed of any rectification, erasure or restriction of processing made by it, unless this proves impossible or involves a disproportionate effort. Upon request by the data subject, the controller shall inform the data subject of these recipients.
6.12.
The controller shall provide the data subject with a copy of the personal data subject to processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on the administrative costs. If the data subject has submitted the request electronically, the information shall be provided in electronic format, unless the data subject requests otherwise.
7. REMEDIES
7.1.
In the event of any concerns regarding our data processing procedures or activities, please contact us directly or our Data Protection Officer in the first instance so that we can answer your questions and handle your complaint.
7.2.
If you are not satisfied with our actions, you may lodge a complaint with the data protection supervisory authority as a legal remedy or, after our rejection of your complaint, you may also apply to court to enforce your rights.
7.3.
In Romania, the data protection supervisory authority is:
Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal
Registered at: B-dul G-ral. Gheorghe Magheru 28-30
Sector 1, cod postal 010336
Bucuresti, Romania
Phone: +40.318.059.211, +40.318.059.212
Fax: +40.318.059.602
Email: anspdcp@dataprotection.ro
Website: https://www.dataprotection.ro/
7.4.
You may also assert your legal claim in court. The adjudication of data protection lawsuits falls within the jurisdiction of a court. The lawsuit may be initiated – at the choice of the data subject – before the court of the place of residence or residence of the data subject within 30 days of the notification of the decision on data processing.
8. HANDLING DATA PROTECTION INCIDENTS
A data protection incident is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored, or otherwise processed. The Data Controller shall keep a record of the personal data affected by the incident, the number and scope of the data subjects, the date, circumstances, effects, and measures taken to address the incident, for the purpose of monitoring the measures taken in connection with the data protection incident, informing the supervisory authority, and the User. The record shall include the scope of the personal data affected by the incident, the scope and number of the data subjects, the date, circumstances, effects, and measures taken to address the incident. In the event of an incident, the Data Controller shall, unless it is unlikely to result in a risk to the rights and freedoms of natural persons, inform the User and the supervisory authority of the data protection incident without undue delay, but if possible, within 72 hours. If the notification is not made within 72 hours, the reasons for the delay must be attached.
9. OTHER PROVISIONS
The Data Controller reserves the right to unilaterally modify this Data Management Notice, with prior notification to the Users using the website via the website. The modifications shall enter into force for the User on the date specified in the notification, unless the User objects to the modifications. By using the website, the User accepts the contents of the modified Data Management Notice.
If the User has provided third party data to use the service, or has caused damage in any way while using the Website, the Data Controller is entitled to claim compensation from the User.
The Data Controller does not check the personal data provided to it. The person providing it is solely responsible for the adequacy of the data provided. When providing an e-mail address, any User also assumes responsibility for the fact that only he or she uses the service from the provided e-mail address.
This Privacy Policy is effective from 01.04.2026.