Draft — the operator's legal name and address (highlighted below) still need to be filled in before full public launch. This is a strong template; a light review by a Hungarian/EU lawyer is advisable.
Who we are
HypnoLore (“HypnoLore”, “we”, “us”, “our”) operates the website at https://hypnolore.com. We are the data controller responsible for your personal data.
- Controller: [OPERATOR LEGAL NAME]
- Address: [REGISTERED ADDRESS]
- Contact for privacy matters: privacy@hypnolore.com
If you have any questions about this policy or how we handle your data, contact us at the email above.
Who this site is for
HypnoLore is an adult (18+) website offering hypnosis audio content. It is not intended for anyone under 18, and we do not knowingly collect personal data from children. If you believe a minor has provided us with personal data, contact us and we will delete it.
What we collect, why, and the legal basis
We collect only the data we need to run the service. The table below lists each processing activity, the data involved, its purpose and our legal basis under Article 6 GDPR:
| What we process | Data | Purpose | Legal basis |
|---|---|---|---|
| Member account | Display name, email, password (stored only as a bcrypt hash — we never see your plain password), 18+ confirmation, email-verified flag, created/updated timestamps, last login | Create and operate your account, authenticate you, give access to member features | Contract — Art. 6(1)(b) |
| Email verification | Email + a verification token | Confirm you control the email and reduce spam/fraud sign-ups | Contract & legitimate interest — Art. 6(1)(b)/(f) |
| Age confirmation | A record that you confirmed 18+ (account flag and/or age cookie) | Restrict adult content to adults | Legal obligation / legitimate interest — Art. 6(1)(c)/(f) |
| Session & security | Session identifier, CSRF token | Keep you logged in securely; protect forms against forgery | Legitimate interest — Art. 6(1)(f) (strictly necessary) |
| Spam/abuse prevention | Captcha challenge/response | Tell humans from bots on forms | Legitimate interest — Art. 6(1)(f) |
| Commission requests (currently disabled) | Name, email, message, IP address (private log) | Receive and answer a commission enquiry; abuse/fraud record | Pre-contract/contract & legitimate interest — Art. 6(1)(b)/(f) |
| Server logs | IP address, time, requests, user-agent, error data | Keep the service available, diagnose issues, detect attacks | Legitimate interest — Art. 6(1)(f) |
| Email to us | Your email and message | Respond to you and provide support | Legitimate interest / contract — Art. 6(1)(f)/(b) |
We do not run advertising or analytics trackers, and we do not sell your personal data.
YouTube embeds
Some pages can embed videos from YouTube (operated by Google). We use a click-to-load approach: no YouTube content is loaded and no YouTube cookies are set until you actively choose to play a video. When you play an embedded video, YouTube/Google may set cookies and process data (including your IP address) under its own privacy policy, acting as a separate controller. We have no control over YouTube's cookies. See cookies and “International transfers” below.
Cookies
We use a small number of first-party cookies. The strictly necessary ones make the site work and keep it secure; the age cookie remembers your age confirmation for convenience. We do not use advertising, profiling, or analytics cookies.
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| hl_session | Keeps you logged in; carries the CSRF token protecting forms. HttpOnly, SameSite=Lax. | Session | Strictly necessary · first-party |
| hl_age_ok | Remembers that you confirmed you are 18+, so you aren't asked every visit. | ~1 year | Functional · first-party |
| YouTube cookies | Set by YouTube/Google only if you choose to load and play an embedded video. | Set/controlled by Google | Third-party · on play |
Strictly necessary and functional cookies do not require consent. Third-party cookies (YouTube) require your consent before being set — which is why we never load YouTube until you click to play. You can also control or delete cookies in your browser settings, though disabling strictly necessary cookies may break login.
Analytics
We run our own privacy-friendly, cookieless analytics to understand basic traffic — how many people visit, which pages they view, roughly where they come from (e.g. YouTube, search, direct), an approximate country, device/browser type, and which buttons are clicked. It is entirely first-party (no Google Analytics or third-party trackers) and uses no cookies. We do not store your raw IP address: it is used only momentarily to derive an approximate country (via an offline lookup, with no external call) and a daily-rotating anonymous hash that lets us count unique visitors for a day without identifying anyone or tracking you across days. Because this data is anonymous and not used to profile you, it does not require a consent banner. The legal basis is our legitimate interest (Art. 6(1)(f)) in understanding and improving the site.
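To make the daily-rotating hash concrete, here is an added illustration of how such cookieless unique-visitor counting can be built; it is not HypnoLore's own analytics code, and the class and method names (DailyVisitorCounter, record_hit, unique_visitors) are assumptions. The raw IP is used only in memory to derive the visitor id and never appears in the stored record; the offline country lookup is left as a caller-supplied value.

```python
"""Cookieless unique-visitor counting with a daily-rotating salt (illustrative)."""
import datetime as dt
import hashlib
import hmac
import secrets


class DailyVisitorCounter:
    """One random salt per day; earlier days' salts are discarded, so the same
    visitor produces unlinkable ids on different days. Hypothetical class."""

    def __init__(self) -> None:
        self._salts: dict[dt.date, bytes] = {}   # kept only in memory
        self.hits: list[dict] = []               # what would be persisted

    def _salt_for(self, day: dt.date) -> bytes:
        # Forget salts for earlier days: once gone, old ids cannot be recomputed.
        for old in [d for d in self._salts if d < day]:
            del self._salts[old]
        if day not in self._salts:
            self._salts[day] = secrets.token_bytes(32)
        return self._salts[day]

    def visitor_id(self, ip: str, user_agent: str, day: dt.date) -> str:
        # Keyed hash rather than plain SHA-256: the IPv4 space is small enough to
        # enumerate, so an unkeyed hash of the IP could be reversed by brute force.
        msg = f"{ip}|{user_agent}".encode()
        return hmac.new(self._salt_for(day), msg, hashlib.sha256).hexdigest()[:16]

    def record_hit(self, ip: str, user_agent: str, path: str,
                   day: dt.date, country: str = "??") -> dict:
        # 'country' would come from an offline IP-to-country lookup; the IP itself
        # is deliberately not part of the record.
        rec = {
            "day": day.isoformat(),
            "visitor": self.visitor_id(ip, user_agent, day),
            "path": path,
            "country": country,
        }
        self.hits.append(rec)
        return rec

    def unique_visitors(self, day: dt.date) -> int:
        return len({h["visitor"] for h in self.hits if h["day"] == day.isoformat()})
```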
Who we share data with
We keep your data within our own infrastructure as far as possible. Where we use service providers, they act as our data processors under contract and may only process data on our instructions.
- Hosting / infrastructure: our own Linux server located in the EU, media on local storage.
- Email delivery: we currently capture verification mail locally. When outbound email is enabled we will use an SMTP/email provider as a processor (named here once chosen).
- Bot/abuse protection: currently a built-in, first-party captcha with no third party. If we later enable Cloudflare Turnstile, Cloudflare acts as a processor and may process limited technical data (including IP) to verify you are human.
- YouTube / Google: a third party for embedded video playback, only after you choose to play.
We may also disclose data where required by law, to enforce our terms, or to protect the rights, safety or property of HypnoLore, our users, or others.
International transfers
Our own processing takes place within the EU. However, YouTube/Google playback (when you choose it) typically transfers data to the United States; Google relies on the EU–US Data Privacy Framework and/or Standard Contractual Clauses. If we later adopt Cloudflare Turnstile or a non-EU email provider, any transfer outside the EEA will be protected by an adequacy decision and/or Standard Contractual Clauses with supplementary measures as appropriate. For more on the safeguards in place, contact us at privacy@hypnolore.com.
How long we keep your data
| Data | Retention |
|---|---|
| Active account data | Until you delete your account or ask us to, then removed within 30 days (minus anything we must keep for a legal reason) |
| Unverified accounts | Automatically purged after 30 days if never confirmed |
| Inactive accounts | May be deleted after 24 months of no logins, after attempting to notify you |
| Login / security records | Recent records up to 12 months |
| Server logs (incl. IP) | 30–90 days, then deleted or anonymised |
| Commission requests | Duration of the request + up to 12 months (longer if a contract results) |
| Support correspondence | Up to 24 months after the matter is resolved |
| Legally required records (e.g. accounting once paid features go live) | The statutory period (commonly 8 years in Hungary) |
Where we no longer need data, we delete it or irreversibly anonymise it.
Your rights
Under the GDPR you have the right to: access a copy of your data; rectification of inaccurate data; erasure (“right to be forgotten”); restriction of processing; data portability; objection to processing based on our legitimate interests; and to withdraw consent where we rely on it (e.g. third-party cookies) at any time, without affecting prior processing.
Exercise any of these by emailing privacy@hypnolore.com. We may need to verify your identity. We respond without undue delay and within one month (extendable by up to two further months for complex requests, with notice). Exercising your rights is free unless requests are manifestly unfounded or excessive. You can also manage or delete much of your account data from your account settings.
Right to complain
If you believe we've mishandled your data, please contact us first so we can put it right. You also have the right to lodge a complaint with a supervisory authority — in the EU country where you live or work, or where the issue occurred. In Hungary, this is the Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH), naih.hu.
How we protect your data
We take appropriate technical and organisational measures, including: storing passwords only as bcrypt hashes (never plain text); HTTPS encryption in transit; HttpOnly, SameSite session cookies and CSRF protection; brute-force throttling; restricted administrative access; upload validation; and keeping our EU-based systems patched and monitored. No method is ever completely secure, but we work to protect your data and to respond promptly to any incident, including notifying you and the authorities where the law requires.
Changes to this policy
We may update this policy from time to time, for example if our processing or service providers change. We'll update the “Last updated” date above and, where appropriate, notify registered members. Please review this page periodically.