“SPANDORA ONLINE”
Privacy Policy

You are currently reading the Privacy Policy for the Spandora.hu website, webshop, and related social media campaigns operated by Spandora Aesthetic Clinic.

(1) Contact details of the Data Controller

The “Data Controller” is the natural or legal person (or an organization without legal personality) who, within the framework defined by law, independently or jointly with others determines the purposes of data processing, makes and implements decisions relating to data processing (including the tools used), or has them implemented by a data processor. In this case, I&S Limited Kft. is your Data Controller. Our company’s contact details: Name: I\&S Limited Liability Company Registered office: 1036 Budapest, Bécsi út 38–44, 1st floor “Spandora” Email: [info@spandora.hu](mailto:info@spandora.hu) Phone: +36/1-550-0333 Contact details of the company’s Data Protection Officer: [dpo@spandora.hu](mailto:dpo@spandora.hu) The Data Controller considers it of paramount importance to respect the informational self-determination rights of its clients and business partners, in line with the principles and practices set out in this notice.

(2) Key terms to understand this notice

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. “Health data” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(3) Purpose of processing, scope of the data we process, legal basis, and retention—tabular overview

For easier review, we have summarized our processing activities below. If you have any questions regarding the table, please contact us using the details provided in section (1)!

No.	Purpose of processing	Scope of data processed	Legal basis	Retention period
1.	Processing for social media (Facebook–Instagram, TikTok) LEAD and other direct marketing campaigns	name, email address, phone number, postal code	Explicit consent given on social media marketing platforms – GDPR Article 6(1)(a)	Until consent is withdrawn, or until the Spandora Call Center initiates a direct marketing call
2.	Recording a product order in the webshop	surname, first name, company name (optional), postal code, city, street and house number, county, phone number, email address, product type, delivery address (if different), note, order time	GDPR Article 6(1)(b) – contract preparation and performance; see details in the Spandora.hu T&C	We process the data for 5 years following termination (performance) of the contract.
3.	Compliance with statutory invoicing obligations related to webshop purchases	name (surname and first name), address, data included on accounting documents to be retained	Compliance with a legal obligation (GDPR Article 6(1)(c) in view of Section 169 of Act C of 2000 on Accounting)	We retain the data for 8 years in accordance with the Accounting Act.
4.	On the website – Cosmetics – Registration for a preliminary consultation prior to booking a Facial Diagnostic Examination (Octoline and EunSung ComfortLine, Hydron, MesoLux devices)	name, email, phone number, source (Facebook, Google Ads, Instagram, TikTok)	Explicit consent on the website under GDPR Article 6(1)(a)	Until consent is withdrawn, or – in case of contract conclusion: for 5 years after termination of the contract – in case of inactivity (“no purchase”): 1 month from the 3rd and last contact attempt, but maximum 1 year. (see details in the separate Spandora Client Privacy Policy)
5.	On the website – Cosmetics – Body Treatment – appointment request for the ComfortLine device	name, email, phone number, source (Facebook, Google Ads, Instagram, TikTok)	Explicit consent on the website under GDPR Article 6(1)(a)	Until consent is withdrawn, or – in case of contract conclusion: for 5 years after termination of the contract – in case of inactivity (“no purchase”): 1 month from the 3rd and last contact attempt, but maximum 1 year. (see details in the Spandora Client Privacy Policy)
6.	On the website – Aesthetic medicine – Registration for a preliminary medical consultation prior to booking	name, email, phone number, source (Facebook, Google Ads, Instagram, TikTok)	Consent given on social media marketing platforms – GDPR Article 6(1)(a)	Until consent is withdrawn, or – in case of contract conclusion: for 5 years after termination of the contract – in case of inactivity (“no purchase”): 1 month from the 3rd and last contact attempt, but maximum 1 year. (see details in the Spandora Client Privacy Policy)
7.	Sending newsletters (via social media campaigns or on the website)	name (surname and first name), email address, postal code	Explicit consent under GDPR Article 6(1)(a)	We process the data until consent is withdrawn. You can unsubscribe via the link provided in the newsletter.
8.	Complaint handling, feedback, suggestions related to social media campaign(s) and website operation	name (surname and first name), email address, phone number, date of receipt of the complaint	Legitimate interest of the Data Controller under GDPR Article 6(1)(f)	5 years after closure of the complaint case (civil law limitation period)
9.	Customer satisfaction survey	name, email address, comment, date of completion	Legitimate interest of the Data Controller under GDPR Article 6(1)(f)	14 months after completion of the survey

In addition to the above, our website uses cookies, for which a separate notice is available.

(4) Data and IT security

In providing services, the Data Controller selects and operates the IT tools used for the processing of personal data so that the processed data are protected—by measures proportionate to the risks—against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction. The technical (e.g., IT) and organizational measures applied include so-called logical measures such as encryption and pseudonymization, and administrative measures such as contracts, non-disclosure agreements, and the implementation of IT/information security measures in line with MSZ/IEC/ISO 27001 requirements.

(5) About Data Processors

To fulfil its obligations related to personal data processing, the Data Controller uses Data Processor(s) for specific purposes during processing (e.g., printing house). For transparency, the table below summarizes the purposes for which our company cooperates with which data processors.

Service

Name and contact details of Data Processors Iratkozzon fel hírlevelünkre Vezetéknév Keresztnév E-mail cím Online adatvédelem Elolvastam és elfogadom az Online Adatvédelmi Tájékoztatóban foglaltakat Ügyfél adatvédelem Elolvastam és elfogadom az Ügyfél Adatvédelmi Tájékoztatóban foglaltakat Feliratkozom