hello@skillbot.hu

Privacy Policy

Privacy Policy

Effective from: 2025.05.21

PostInsight (hereinafter: Data Controller), as the operator of the online service available at https://postinsight.ai, powered by artificial intelligence to analyze social media posts and provide content suggestions (hereinafter: Service), hereby publishes information on its data processing activities related to the Service.

Visitors to the Website and registered users (hereinafter: User), by using the Service, accept the conditions set forth in this Privacy Policy (hereinafter: Policy); therefore, please read this document carefully before providing any data.

1. Data Controller Information

  • Be Social Kft.
  • Company registration number: 01 09 997245
  • Registration authority: Court of Registration of the Budapest-Capital Regional Court
  • Registered office: 1037 Budapest, Seregély utca 3-5.
  • Tax number: 242394 82 241
  • E-mail: hello@skillbot.hu

2. Information on Specific Data Processing Activities

a) Registration and Credit Purchase

Scope of processed data:

  • email address
  • Facebook account ID
  • number of credits (purchased and used)
  • Stripe data related to purchase transaction: transaction ID, amount
  • registration date

Purpose of data processing:

The data provided during registration and credit purchase is processed for the purposes of contract formation, performance, invoicing, customer relationship management, and traceability. The system uses Facebook login, during which the Data Controller does not store passwords.

Duration of data processing:

  • 5 years after the user account is deleted, based on the Civil Code § 6:22 (for legal enforcement),
  • 8 years for billing data, according to the Accounting Act § 169.

Legal basis of data processing:

  • GDPR Article 6(1)(b) – performance of a contract
  • In case of accounting obligation: GDPR Article 6(1)(c) – legal obligation

Important note:

The Data Controller does not have access to the credit card data provided during credit purchases. These are handled by Stripe Payments Europe, Ltd. according to its own privacy policy:https://stripe.com/en-hu/privacy

b) User Account Management

Scope of processed data:

  • data provided during registration
  • current credit balance
  • purchase history
  • transaction ID
  • previously generated AI content (post evaluations, suggestions)
  • contact email

Purpose of data processing:

Operating the user account, traceability of requests, transaction tracking, and system usage support.

Legal basis: GDPR Article 6(1)(b) – performance of a contract

c) Sending System Messages

Scope of processed data:

  • email address
  • type of registration
  • credit balance
  • system status information

Purpose: Sending operational information related to the Service (e.g., maintenance, feature changes), not for marketing purposes.

Legal basis: GDPR Article 6(1)(f) – legitimate interest of the Data Controller (based on a balancing of interests)

Right to object: The User may object to the data processing at any time and request the deletion of such data.

d) Newsletter Subscription

Processed data:

  • email address
  • registration date
  • optionally: name/nickname

Purpose:

Sending marketing information (new features, promotions, news).

Legal basis: GDPR Article 6(1)(a) – voluntary consent

Unsubscription:

Can be done at any time free of charge via the link in the newsletter or by email.

e) Complaint Management

Processed data:

  • name
  • email address
  • text of the complaint
  • date of response
  • registration ID

Purpose: Documenting and ensuring the traceability of complaint handling in accordance with legal requirements.

Legal basis: Fgytv. § 17/B – legal obligation

Retention period: 3 years

3. Scope of Access to Personal Data, Data Processing

Personal data may be accessed by the Data Controller operating the PostInsight service and by the data processors it commissions to carry out certain technical operations, in accordance with applicable laws, especially the provisions of the GDPR.

Organizations involved in data processing:

1. Hosting Provider

  • Name: Salesforce Inc. – Heroku platform
  • Registered office: Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA
  • Contact: https://www.heroku.com/policy/security
  • Purpose of data processing: Ensuring the secure and continuous technical operation of the Website and Software

2. Artificial Intelligence Provider

  • Name: OpenAI OpCo, LLC
  • Website: https://openai.com/policies/privacy-policy
  • Purpose of data processing: Generating evaluations, suggestions, and content requested by Users as part of the Service
  • Scope of transferred data: prompts entered by the User, previous interactions, and credit amount on which the request is based
  • Note: OpenAI does not identify the natural person, and the input and output content is used exclusively for machine processing

3. Payment Provider

  • Name: Stripe Payments Europe, Ltd.
  • Website: https://stripe.com/en-hu/privacy
  • Purpose of data processing: Conducting card payments, secure transaction management
  • Transferred data: transaction ID, email address, purchase amounts
  • Important: The Data Controller does not have access to card data or payment method details

4. Newsletter and Email Sending

  • Name: Mailchimp (The Rocket Science Group LLC)
  • Contact: https://mailchimp.com/contact/
  • Purpose of data processing: Sending marketing newsletters
  • Transferred data: email address, name or nickname, subscription date, subscription status
  • Name: Mailgun Technologies, Inc.
  • Contact: https://www.mailgun.com/contact/support/
  • Purpose of data processing: Sending transactional emails and system messages (e.g., password reminder, notifications)
  • Transferred data: email address, username (if any)

Additional Information

The Data Controller reserves the right to involve additional data processors in the future for the technical or administrative operation of the Service. Users will be notified of such changes via an update to this Policy.

The Data Controller transfers personal data only:

  • based on legal obligation, or
  • with the User's explicit prior consent to third parties.

4. User Rights

Users are entitled to the following rights in relation to the processing of their personal data, which they may exercise via the contact information provided in section 1.

Right of Access to Personal Data

The User has the right to request confirmation as to whether the Data Controller is processing their personal data and, if so, to access the following information:

  • purposes of processing;
  • categories of personal data concerned;
  • recipients or categories of recipients of the data;
  • planned duration of data storage;
  • User rights to rectification, deletion, restriction, and objection;
  • right to lodge a complaint with a Supervisory Authority;
  • data sources (if not provided by the User);
  • the existence of automated decision-making, including profiling, its logic, and anticipated consequences;
  • identity and roles of data processors.

The Data Controller shall provide the information within 1 month of receiving the request, extendable by 2 months if necessary. The first copy is free; further copies may incur a reasonable administrative fee.

Right to Rectification

The User may request the correction, update, or completion of inaccurate, outdated, or incomplete personal data. The Data Controller shall act without undue delay.

Right to Erasure (“Right to be Forgotten”)

The User may request the deletion of their personal data if:

  • the data is no longer necessary for the purpose for which it was collected;
  • the legal basis for processing was consent, which is now withdrawn;
  • the User objects to the processing and no overriding legitimate grounds exist;
  • the processing was unlawful;
  • deletion is required by law.

Deletion is not required if the processing:

  • is necessary for legal claims;
  • is mandated by public interest or legal obligation;
  • serves archiving, research, or statistical purposes;
  • involves the exercise of freedom of expression or information.

Right to Restriction of Processing

The User may request a restriction of processing if:

  • they dispute the accuracy of the data;
  • the processing is unlawful, but the User opposes deletion;
  • the Data Controller no longer needs the data, but the User requires it for legal claims;
  • the User has objected to processing and the assessment is pending.

Restricted data may only be processed with the User’s consent, or for legal claims or the protection of another person’s rights.

Right to Data Portability

The User may request that the Data Controller transfer their personal data, stored in a commonly used, machine-readable format, to themselves or another controller. The data will be delivered in CSV and/or PDF format upon request.

Right to Object

The User has the right to object at any time to the processing of their personal data based on:

  • legitimate interest;
  • performance of a task carried out in the public interest;
  • profiling.

In the event of an objection, the Data Controller shall no longer process the data unless it can demonstrate compelling legitimate grounds or it is necessary for legal claims.

Notification Obligation

The Data Controller shall inform all recipients of any rectification, erasure, or restriction of data processing, unless this proves impossible or involves disproportionate effort. Upon request, the User shall be informed about such recipients.

Response Time and Costs

The Data Controller shall respond without undue delay, and at the latest within 1 month. This period may be extended by another 2 months if necessary.

The first response is free of charge, but a reasonable administrative fee may be charged or the request may be rejected if it is unfounded, excessive, or repetitive.

5.) Data Security

The Data Controller is committed to ensuring the security of personal data and implements all reasonable technical, organizational, and administrative measures to protect the data. In particular, the Data Controller strives to:

  • prevent the destruction, unauthorized access, alteration, disclosure, transmission, or deletion of personal data;
  • ensure that only authorized individuals have access to personal data;
  • require appropriate security measures from third parties in case of data transfer.

Data processors used by the Data Controller may access personal data only to the extent necessary to perform their tasks.

The User acknowledges that data transmission over the internet cannot be completely secure, but the Data Controller takes all reasonable measures to ensure maximum protection.

The Data Controller does not collect sensitive data, particularly regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, health status, sexual orientation, or criminal record.

6.) Handling and Reporting Data Protection Incidents

Data protection incident: any event resulting in the unlawful processing, alteration, deletion, unauthorized access, or loss of personal data.

The Data Controller must:

  • report the incident without undue delay, and no later than within 72 hours, to the National Authority for Data Protection and Freedom of Information (NAIH), unless it is unlikely to pose a risk to the rights and freedoms of individuals.

The report must include:

  • the nature of the incident, number of data subjects affected, types of data involved;
  • the name and contact details of the Data Controller;
  • the potential consequences;
  • the measures taken or proposed.

Notification of data subjects: If the incident poses a high risk to personal data, the Data Controller must notify the affected individuals within 72 hours, unless:
  • appropriate technical and organizational measures were already in place;
  • these measures ensured the risk is no longer likely;
  • notification would involve disproportionate effort (in which case public communication is sufficient).

Incident log: The Data Controller shall record the incident and retain the log for 5 years. The log shall include:

  • types of personal data affected;
  • number of data subjects affected;
  • time, circumstances, and consequences of the incident;
  • measures taken.

7.) Enforcement Options

The User may contact the Data Controller directly using the contact details in section 1 for any questions or complaints regarding data processing.

If the User believes their rights have been violated, they have the following legal remedies:

Complaint to the Supervisory Authority:

National Authority for Data Protection and Freedom of Information (NAIH)

  • Address: 1055 Budapest, Falk Miksa Street 9-11
  • Website: www.naih.hu
  • Email: ugyfelszolgalat@naih.hu

    • 8.4. Cookies Used and Their Legal Basis

    Cookie categories and their legal basis are as follows:

    Cookie TypeLegal BasisPurpose
    Necessary cookiesGDPR Article 6(1)(f) – legitimate interestEnsuring the basic functions of the website (e.g., login, navigation, security).
    Statistical cookiesGDPR Article 6(1)(a) – consentCollecting anonymized statistics on user behavior for website development.
    Marketing cookiesGDPR Article 6(1)(a) – consentDisplaying personalized ads, remarketing.

    8.4.1. Necessary Cookies

    These cookies are essential for the operation of the website and cannot be disabled.

    NamePurposeExpiry
    cc_consentStoring cookie consent level365 days
    locale, jwt, tenant, role, uid, fname, nname, avatar, threadUser session and preference management365 days

    8.4.2. Statistical Cookies

    NameProviderPurposeExpiry
    _ga, _ga_*Google AnalyticsTracking visitor behavior2 years
    _gidGoogle AnalyticsSession-level statistics24 hours
    _gatGoogle AnalyticsThrottle request rate1 minute

    More information about Google Analytics data processing: Google Analytics privacy page.

    8.4.3. Marketing Cookies

    NameProviderPurposeExpiry
    NID, __gads, FPAU etc.Google AdsDisplaying personalized advertisements6–540 days
    fbc, _fbp, datr etc.FacebookStoring user identifiers for targeted adsSession – 2 years

    Advertising preferences can be changed on the Google and Facebook platforms:

    • Google Ads Settings
    • Network Advertising Initiative
    • Facebook Data Policy

    8.5. Third-party Cookies

    The website uses technologies from external advertising and analytics providers (e.g., Google, Facebook). These providers may place their own cookies on your device, which are subject to their own privacy policies. The Operator is not responsible for the data processing resulting from these.

    8.6. Managing Cookies in the Browser

    Users can individually configure the acceptance or blocking of cookies in most browsers. Useful links for various browsers:

    • Google Chrome
    • Mozilla Firefox
    • Microsoft Edge
    • Safari

    9. Other Provisions

    For matters not regulated in this Privacy Policy, the applicable Hungarian legislation shall prevail, in particular:

    • Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information,
    • and Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)

    shall apply.

    Effective date of the Policy: May 21, 2025.

    Location: Budapest