Effective date: 27 June 2026 Last updated: 27 June 2026
This Privacy Policy explains how personal data is handled in connection with Profiling.app (the "Service"). Please read it alongside our Terms of Service, Cookie and Tracking Policy and Sub-processor List.
The Service is operated by Tamás Szigeti, an individual entrepreneur (egyéni vállalkozó) registered in Hungary ("we", "us", "our", the "Operator").
| Registered name | Tamás Szigeti |
| Registered seat | 2484 Gárdony, Mikszáth Kálmán utca 29., Hungary |
| Tax number (adószám) | HU22141239 |
| Registration number (nyilvántartási szám) | 41944082 |
| Contact for privacy matters | privacy@profiling.app |
| Postal address | 2484 Gárdony, Mikszáth Kálmán utca 29., Hungary |
We have not appointed a Data Protection Officer. We are not required to: our processing does not consist of large-scale systematic monitoring of individuals as a core activity, nor of large-scale processing of special categories of data, which are the conditions that compel appointment under Article 37 of the UK/EU General Data Protection Regulation ("GDPR"). You may raise any data-protection question using the contact details above, and we will handle it directly.
The Service has an unusual but deliberate structure, and your rights depend on understanding it.
We act as a Controller of your identity. Your account — your email address, your authentication details, the workspaces you belong to — is held and managed by us across every workspace you touch. For this identity record, we decide the purposes and means of processing, so we are the Controller.
We act as a Processor of profiling data. When an organisation (a "Workspace", called a "Tenant" in our technical documentation) commissions a profile of someone, that organisation decides who is profiled and why. For the questionnaire answers, the derived matrix and the evaluation, the commissioning Workspace is the Controller and we merely process that data on its instructions. Our obligations to that Workspace are set out in the Data Processing Agreement.
The exception — self-profiling. When you profile yourself, you commission the profile, you are the subject of it, and you control it. In that case there is no separate organisational Controller: you are the individual the data concerns, and we process your profiling data to deliver the result you asked for.
The sections below tell you, for each kind of data, which role applies.
| Data | Purpose | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Email address | Account identity, authentication, sign-in links, service emails | Performance of a contract (6(1)(b)); legitimate interests in securing accounts (6(1)(f)) |
| Password hash (if you set one) | Authentication | Performance of a contract (6(1)(b)) |
| Google account identifier and basic profile (if you use Google sign-in) | Authentication via Google OAuth | Performance of a contract (6(1)(b)) |
| Name / display name | Identifying you within a workspace, deriving your personal workspace | Performance of a contract (6(1)(b)) |
| Magic-link tokens, verification state | Passwordless sign-in and email verification | Performance of a contract (6(1)(b)) |
| Workspace memberships and roles | Operating the workspace model | Performance of a contract (6(1)(b)) |
We use Google solely for sign-in. We do not read your Google Workspace data, your contacts, or anything beyond the basic profile needed to authenticate you. We do not use Google Analytics or any Google advertising product.
| Data | Purpose | Lawful basis |
|---|---|---|
| Billing name and address | Issuing legally required invoices | Legal obligation (6(1)(c)) — Hungarian invoicing law |
| Card details | Taking payment | Performance of a contract (6(1)(b)) — handled directly by Stripe; we never see or store full card numbers |
| Purchase and invoice records | Accounting, tax, audit | Legal obligation (6(1)(c)) |
Invoices are issued through Billingo (a Hungarian provider) as required by Hungarian law. Card payment is handled by Stripe; your full card number is entered directly into Stripe's systems and is never transmitted through or stored by us.
| Data | Purpose | Controller |
|---|---|---|
| Your questionnaire answers | Producing your profile | The commissioning Workspace, or you (self-profiling) |
| The derived 10×10 matrix | Representing your profile | The commissioning Workspace, or you |
| The written evaluation | Interpreting your profile | The commissioning Workspace, or you |
Your individual answers stay internal. We store them, but we do not display them to the commissioning Workspace. We may inspect them ourselves only for debugging and to operate the Service correctly. What the Workspace and you may see is the derived matrix and the evaluation — not the underlying answers.
Where a Workspace commissioned the profile, the lawful basis for processing your profiling data is the Workspace's to establish — it might be your consent, the Workspace's legitimate interests, or the performance of an employment relationship. Under our Terms of Service, the Workspace promises us that it has a lawful basis to profile you and has given you any privacy notice the law requires. If you were profiled by an organisation and want to understand why, contact that organisation; they are the Controller and they hold that answer. We will also help you reach them.
| Data | Purpose | Lawful basis |
|---|---|---|
| Server logs, error reports (technical) | Keeping the Service running and secure, diagnosing faults | Legitimate interests (6(1)(f)) |
| Product analytics (page-level, cookieless) | Understanding aggregate usage to improve the Service | Legitimate interests (6(1)(f)) |
Our analytics are self-hosted (Umami), set no cookies, and do not build a profile of you. Our error tracking (Sentry) is configured not to capture profiling answers, evaluation text, or IP addresses; it identifies a session only by an opaque user identifier (a UUID).
Some evaluations may be generated with the assistance of an AI model. When this happens:
An evaluation is decision-support, not a decision. We produce a written interpretation; what anyone does with it is their own decision, taken by a human. We do not make automated decisions that produce legal or similarly significant effects about you within the meaning of Article 22 GDPR. If a Workspace uses an evaluation to make a decision about you (for example in hiring), that decision is the Workspace's, taken by its people, and the Workspace is responsible for it. You should direct any question about such a decision to the Workspace that made it.
We use a small set of sub-processors to run the Service. Each is bound by a contract that restricts them to processing data only as needed to provide their service to us. The current list, with locations and purposes, is maintained at Sub-processor List and forms part of this Policy.
We do not sell your data. We do not share it for advertising. We disclose it only: to the sub-processors on that list; to the commissioning Workspace (for profiling data, where it is the Controller); to you; and where we are legally compelled to.
Our own personnel and contractors who help operate the Service (for example, in sales, onboarding, and customer support) may access personal data where needed to do their work. They do so under our authority and are bound to keep it confidential and to process it only on our instructions.
Support and administrative email is handled through a standard email provider located in the EEA. This is ordinary business correspondence rather than processing of your data within the Service, so it is not listed as a sub-processor; we mention it here for transparency.
Our infrastructure is hosted in the European Union (Amsterdam), and most of our sub-processors process data within the EU or EEA.
Some sub-processors are based in, or may process data in, countries outside the EEA — chiefly the United States:
Where any sub-processor processes data outside the EEA, we rely on an adequacy decision or the SCCs as the transfer mechanism. The Sub-processor List states the mechanism for each.
| Data | Retention |
|---|---|
| Identity / account data | For as long as your account exists; deleted on account deletion (see §8) |
| Profiling data commissioned by a Workspace | For the Workspace's chosen retention period (by default, 24 months), or until you or the Workspace ask us to delete it sooner |
| Billing and invoice records | For the period required by Hungarian tax and accounting law (currently 8 years) |
| Server logs / error reports | A short rolling window appropriate to fault diagnosis |
When you ask us to delete your account, your identity record and the assignments where you are the respondent are deleted, cascading as described in §8. Profiling data held on behalf of a Workspace is additionally subject to that Workspace's retention choice and deletion requests.
Under the GDPR you have the right to access, rectification, erasure, restriction, portability and objection, and the right not to be subject to solely-automated decisions with significant effects (which, as explained in §4, we do not make).
How to exercise them depends on which role applies:
We will respond within the statutory time limit (generally one month). You also have the right to lodge a complaint with the Hungarian supervisory authority, the National Authority for Data Protection and Freedom of Information (NAIH) — naih.hu — or with the supervisory authority where you live or work.
We hold profiling answers internally and do not expose them to commissioning Workspaces. Our error tracking is configured to exclude profiling content and IP addresses. Data sent to AI providers is stripped of direct identifiers. Access to data is limited to what is needed to operate the Service. We host within the EU with a reputable infrastructure provider, including managed backups.
No method of transmission or storage is perfectly secure, but we take reasonable and proportionate measures appropriate to the sensitivity of the data.
The Service is not directed at, and may not be used by, anyone under 18. We do not knowingly process the data of minors. If you believe a minor has been profiled, contact us and we will delete the data.
We may update this Policy. When we make a material change we will update the "Last updated" date and, where appropriate, notify you. Continued use after a change means you accept the updated Policy.
Questions, requests, or complaints about this Policy or your data:
Tamás Szigeti
privacy@profiling.app
2484 Gárdony, Mikszáth Kálmán utca 29., Hungary