Privacy Policy
Effective Date: 2026. május 1. | Version 1.0
1. Introduction
This Privacy Policy explains how HoliVed ('we', 'us', 'our'), operated by Kőrösi Ádám as a sole trader registered in Hungary, collects, uses, and protects your personal data when you use our platform at holived.com.
We are committed to processing your data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, 'GDPR') and applicable Hungarian data protection law.
By creating an account and using HoliVed, you acknowledge that you have read and understood this Privacy Policy.
2. What Data We Collect and Why
2.1 Account and Identity Data
| Data Type | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Email address | Account creation, login, communication | Contract performance (Art. 6(1)(b)) | Until account deletion + 3 years |
| Password (hashed) | Authentication | Contract performance (Art. 6(1)(b)) | Until account deletion |
| Name (optional) | Personalisation | Legitimate interest (Art. 6(1)(f)) | Until account deletion |
| Preferred language | Multilingual AI responses | Legitimate interest (Art. 6(1)(f)) | Until account deletion or change |
2.2 Birth Data (Special Sensitivity)
Our platform requires birth data to calculate personalised Vedic astrological and wellness recommendations. We treat this data with particular care.
| Data Type | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Date of birth | Vedic chart calculation (Jyotish) | Contract performance (Art. 6(1)(b)) | Until account deletion |
| Time of birth (hh:mm + timezone) | Precise astrological calculation | Contract performance (Art. 6(1)(b)) | Until account deletion |
| Place of birth (coordinates) | Geocentric chart calculation | Contract performance (Art. 6(1)(b)) | Until account deletion |
2.3 Subscription and Payment Data
We never store full card numbers. Payment processing is handled entirely by Stripe, Inc. — a PCI DSS Level 1 certified processor.
| Data Type | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Subscription plan, status, billing cycle | Service delivery | Contract performance (Art. 6(1)(b)) | 7 years (accounting law) |
| Payment method token (Stripe) | Recurring billing | Contract performance (Art. 6(1)(b)) | Until subscription cancellation |
| Invoice data (name, address, tax number) | Legal invoicing (Billingo/NAV) | Legal obligation (Art. 6(1)(c)) | 8 years (Hungarian accounting law) |
| Transaction history | Dispute resolution, accounting | Legal obligation (Art. 6(1)(c)) | 8 years |
2.4 Usage and Technical Data
| Data Type | Purpose | Legal Basis | Retention |
|---|---|---|---|
| IP address | Security, fraud prevention | Legitimate interest (Art. 6(1)(f)) | 90 days |
| Browser/device type | Technical compatibility | Legitimate interest (Art. 6(1)(f)) | 90 days |
| Feature usage logs | Product improvement, debugging | Legitimate interest (Art. 6(1)(f)) | 12 months |
| Error logs | Technical stability | Legitimate interest (Art. 6(1)(f)) | 30 days |
2.5 AI-Generated Content (Claude API)
We use Anthropic's Claude API to generate personalised Vedic interpretations and recommendations. When you request AI-generated content:
- Your birth data and event preferences are included in the API request to generate a contextual response.
- Anthropic processes this data as a data processor on our behalf. Anthropic's API does not use submitted prompts to train models (subject to their DPA terms).
- AI-generated responses are displayed to you in-app and may be logged for quality and debugging purposes for up to 30 days.
3. Data Processors (Third-Party Services)
We use the following sub-processors to deliver our service. The data processing terms applicable to each are shown in the table below:
| Processor | Role | Location | Data Shared | DPA |
|---|---|---|---|---|
| Supabase, Inc. | Database & authentication | EU (Frankfurt) / US | All user data, birth data | Supabase DPA (aláírva: 2026.04.26.) |
| Stripe, Inc. | Payment processing | US / EU | Email, payment tokens, subscription data | Stripe DPA (accepted via ToS) |
| Vercel, Inc. | Web hosting & CDN | US / EU | IP addresses, usage logs | Vercel DPA (accepted via ToS) |
| Anthropic, PBC | AI content generation (Claude API) — Auspicious Moment + fallback | US | Birth data, event preferences | Automatikusan érvényes: anthropic.com/legal/data-processing-addendum |
| Billingo (Octonull Kft.) | Invoice generation & NAV reporting | Hungary (EU) | Name, address, invoice data | Billingo DPA (accepted via ToS) |
| Prokerala.com | Vedic/Jyotish calculations | India | Birth date, time, location (pseudonymised) | API Terms of Service (pseudonymisation applied) |
| Google LLC (Gemini API) | AI content generation (Gemini API) — Health, Astro, Space, SIGNAL | US | Birth data, uploaded health images (face/tongue/nails/eyes), room/floor-plan images, event preferences | Paid-tier Gemini API — no training; Google "Data Processing Addendum for Products Where Google is a Data Processor" (ai.google.dev/gemini-api/terms) |
| fal - Features & Labels, Inc. (fal.ai) | AI image transformation (Vastu Room Scan & Floor Plan) | US | User-uploaded room and floor-plan photos | DPA requested — pending |
| Resend | Transactional & notification email | US | Email address, name | Resend DPA + SCCs (resend.com/legal/dpa) |
| Functional Software, Inc. (Sentry) | Error tracking & application monitoring | EU (Frankfurt) data residency; vendor US | Diagnostic/error events (may include IP address, user ID, request metadata) | Sentry DPA + SCCs (sentry.io/legal/dpa); EU data residency |
| Better Stack | Uptime monitoring & alerting | EU (default data storage) | Endpoint health checks; alert recipient email | Better Stack DPA (betterstack.com/dpa); EU data storage |
For transfers to the US (Supabase, Stripe, Vercel, Anthropic), we rely on Standard Contractual Clauses (SCCs) as adopted by the European Commission under GDPR Article 46(2)(c), supplemented where applicable by additional technical and organizational measures.
4. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights. To exercise any of these rights, contact us at privacy@holived.com. We will respond within 30 days.
| Right | What It Means | How to Exercise |
|---|---|---|
| Access (Art. 15) | Receive a copy of all personal data we hold about you | Email request to privacy@holived.com |
| Rectification (Art. 16) | Correct inaccurate or incomplete data | In-app settings or email request |
| Erasure (Art. 17) | Request deletion of your data ('right to be forgotten') | Account deletion in-app or email request |
| Restriction (Art. 18) | Limit how we process your data in certain circumstances | Email request with specific grounds |
| Portability (Art. 20) | Receive your data in machine-readable format (JSON/CSV) | Email request to privacy@holived.com |
| Objection (Art. 21) | Object to processing based on legitimate interest | Email request with specific grounds |
| Withdraw Consent | Withdraw marketing/cookie consent at any time | Cookie settings or email request |
5. Data Security
- All data transmitted is encrypted using TLS 1.2 or higher.
- Passwords are hashed using bcrypt — we never store plaintext passwords.
- Database access is restricted (Supabase Row Level Security).
- API keys and secrets are stored in environment variables, never in source code.
- In the event of a data breach, we will notify the NAIH within 72 hours (GDPR Art. 33–34).
6. Data Retention
- Account and birth data: duration of account + 3 years after deletion.
- Financial and invoice records: 8 years (Hungarian accounting law).
- Technical logs: 30–90 days.
- Backups: purged within 30 days of account deletion.
7. Children's Privacy
Our services are not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. Contact privacy@holived.com if you believe a child has provided data.
8. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email and/or via an in-app notice at least 14 days before the change takes effect. The current version is always available at holived.com/privacy.
9. Contact Us
Address: 7700 Mohács, Jókai utca 1. 3/18., Hungary
Email: privacy@holived.com
Website: holived.com
Response time: Within 5 business days, no later than 30 days (GDPR).