Privacy Policy
Last updated: 2026-03-31
This service is operated by Marton Lasetzky, acting as an individual under the commercial name
Compath App (“we”, “us”, “our”).
For the purposes of this Privacy Policy:
- Each client clinic or business using the service is the Data Controller (“Client” or “Clinic”).
- Compath App acts as a Data Processor, processing data strictly on behalf of and under the documented instructions of the Client.
This Privacy Policy explains how we process personal data within the scope of the Compath App platform.
In plain language: Compath App is a data analytics and communication platform for clinics. We
process personal data only on behalf of our clients and do not determine how or why personal data is used. Your
clinic (the Client) controls the data; we simply provide the tools.
If you are a patient or end user: This Privacy Policy describes how Compath App processes data
on behalf of clinics. If you have questions about your personal data, or wish to exercise your rights under GDPR
(access, rectification, erasure, etc.), please contact the clinic or business that collected your data directly.
If you are unsure who the relevant Data Controller is, you may contact us at
marton.lasetzky@compath.hu
and we will assist in identifying and connecting you with the appropriate clinic.
1. Roles and Responsibilities
1.1 Data Controller
The Client:
- determines the purposes of processing,
- determines the lawful basis under GDPR (including Article 6 and Article 9 where applicable),
- is responsible for informing data subjects and obtaining any required consent.
Legal basis for processing is determined solely by the Client as Data Controller.
1.2 Data Processor
Compath App:
- acts solely on behalf of the Client,
- processes data only to deliver the contracted services,
- does not use personal data for its own purposes,
- does not sell personal data.
We do not obtain consent directly from data subjects; where consent is required, it is the responsibility of the
Client as Data Controller.
1.3 Processor Obligations (Article 28 GDPR)
In compliance with Article 28 of the GDPR, Compath App:
- Processes personal data only on documented instructions from the Client (as defined in the Data Processing Agreement, Terms of Service, and through the Client's use and configuration of the Service)
- Ensures that persons authorised to process personal data are committed to confidentiality
- Implements appropriate technical and organisational measures to ensure security (Article 32)
- Assists the Client in responding to data subject rights requests
- Assists the Client in ensuring compliance with security obligations, breach notifications, and Data Protection Impact Assessments (DPIAs)
- Deletes or returns all personal data to the Client after termination of services, unless retention is required by law
- Makes available to the Client all information necessary to demonstrate compliance and allows for audits or provides audit evidence upon reasonable request
2. Categories of Data We Process
We process only data that the Client provides or authorises us to access through the following methods:
- File uploads: CSV and XML files uploaded by the Client
- API integrations: Google Calendar, Google Ads (when connected and authorised)
- Web tracking: Google Tag Manager events from clinic websites
- Webhooks: Phone call tracking events from telephony providers
2.1 Patient & Client Data
Collected through CSV/XML file uploads, calendar integrations, and web tracking:
- Name
- Email address
- Phone number
- Internal patient or client identifiers
2.2 Treatment & Medical Service Data
- Treatment or service types (e.g. dental procedures)
- Treatment dates and durations
- Associated pricing
- Treatment schedules and plans
Important: Some data processed may qualify as special category personal data (health
data) under Article 9 GDPR, depending on the Client's use of the platform. The Client is
responsible for establishing a valid Article 9 legal basis where applicable.
2.3 Appointment & Booking Data
- Appointment dates and times
- Booking status (scheduled, completed, cancelled)
- Booking identifiers
- Linked patient identifiers
2.4 Payment & Financial Data
- Payment amounts and dates
- Revenue data linked to treatments or appointments
- Aggregated financial inflow and outflow data from Client bank accounts
Note: Financial data is used exclusively for analytics and reporting purposes and is accessible
only to authorised Client roles as configured by the Client.
2.5 Marketing & Web Analytics Data
Collected via Google Tag Manager events from clinic websites:
- UTM parameters (utm_source, utm_medium, utm_campaign, utm_content, utm_term)
- Click IDs (gclid for Google Ads, fbclid for Facebook Ads)
- Landing pages and referrer URLs
- Timestamps and session identifiers
- Event data (page views, booking interactions, conversion events)
- User behavior on booking widgets (e.g., Salonic booking system embedded on website)
2.6 Advertising Platform Data
- Campaigns, ad groups, ads
- Spend, impressions, clicks, CTR
- Conversion metrics
2.7 Calendar Data
- Appointment-related events retrieved from Google Calendar
- Event timing and availability data used for operational analysis
- Staff calendar names and appointment schedules
2.8 Call Tracking Data
- Phone call events (inbound/outbound calls)
- Call duration and timestamps
- Caller phone numbers
- Call tracking provider identifiers
3. Purpose of Processing
We process data strictly under Client instructions for the following purposes:
3.1 Analytics, Reporting & Attribution
- Marketing performance and ROI analysis
- Cross-channel attribution
- Booking and revenue attribution
- Aggregated offline conversion uploads to Google Ads and Meta Ads (weekly, non-individual, tied to click IDs)
3.2 Operational & Financial Insights
- Appointment utilisation and capacity analysis
- Treatment and pricing performance
- Revenue and trend analysis
- Staff and scheduling efficiency insights
3.3 Patient & Client Engagement Insights
- Retention and churn indicators
- Recall and visit frequency analysis
- Segmentation insights
3.4 Best Actions (Automated Recommendations)
- Automated recommendations and communication workflows generated from patient data
- Best Action templates and rules configurable by the Client
- Recommendations may relate to patient engagement, treatment follow-ups, recalls, appointment reminders, or marketing activities
- Execution tracking and performance analytics for automated communications
Automated Decision-Making: These recommendations do not constitute fully automated
decision-making producing legal or similarly significant effects on individuals under Article 22 GDPR. All final
decisions regarding patient communication and engagement are made by the Client.
3.5 Communication Services
- Sending transactional and marketing emails on behalf of the Client
- Making or tracking phone calls and SMS messages on behalf of the Client
- Examples include appointment reminders, recalls, follow-ups, satisfaction surveys, and re-engagement campaigns
All communication templates:
- are configured by the Client,
- include mandatory unsubscribe functionality (for emails and SMS),
- comply with applicable email, SMS, and marketing regulations,
- are triggered by automated rules defined by the Client.
4. Reporting & Access
- Analytics and reports are delivered via Metabase, embedded in our secure web application.
- Access is governed by role-based access control (RBAC) defined by the Client.
5. Data Storage and Security
All primary data is hosted in AWS (eu-central-1, Frankfurt).
5.1 Security Measures
- AES-256 encryption at rest
- TLS 1.2+ encryption in transit
- AWS VPC network isolation with private subnets (staging/production)
- Secrets stored in AWS Secrets Manager
- JWT-based authentication with refresh tokens
- Two-factor authentication (2FA) support using TOTP
- Role-based access control (RBAC)
- Principle of least privilege (IAM)
- IP allowlist authentication for webhooks
- Continuous monitoring and alerts
- Audit logs stored in AWS CloudWatch
6. Cookies and Tracking Technologies
6.1 Cookies on Compath App Platform
The Compath App web application (app.compath.hu) uses essential cookies only for authentication
and security purposes. These cookies are strictly necessary for the Service to function and do not require
consent under GDPR and the ePrivacy Directive.
Essential Cookies We Use:
- Authentication cookies (httpOnly) – secure refresh tokens for maintaining user sessions
- JWT tokens – short-lived access tokens for API authentication
- Session identifiers – for maintaining secure login state
We do NOT use:
- Analytics or tracking cookies on the Compath App platform
- Advertising or marketing cookies
- Third-party cookies for profiling or behavioral tracking
These essential cookies:
- Are sent only over encrypted (HTTPS) connections and carry the httpOnly, Secure and SameSite attributes
- Expire after a defined session period
- Cannot be disabled without preventing access to the Service
- Do not track user behavior across other websites
6.2 Tracking on Client Websites (GTM Events)
Important distinction: The Compath App platform does not track end-users (patients) on
clinic websites. Instead, our Clients implement Google Tag Manager (GTM) on their
own websites to track patient interactions (bookings, page views, conversions).
Client responsibilities:
- Clients (clinics) are the Data Controllers for tracking on their own websites
- Clients must implement cookie consent banners on their websites in compliance with GDPR and the ePrivacy Directive
- Clients must obtain user consent before loading GTM and analytics cookies
- Clients must provide their own cookie policy and privacy notice to website visitors
- GTM tracking scripts are managed and controlled by the Client, not by Compath App
Our role: Compath App receives GTM event data via webhooks or API endpoints after events have
been triggered on client websites. We act as a Data Processor and do not control the tracking
mechanism or consent flow on client websites.
6.3 Browser Storage
The Compath App platform may use browser local storage or session storage for:
- Caching user preferences and UI state
- Storing non-sensitive application settings
- Temporary storage of authentication state
No personal data or sensitive information is stored in browser storage.
6.4 Managing Cookies
Users can manage cookies through their browser settings. However, disabling essential authentication cookies will
prevent access to the Compath App platform.
For tracking on client clinic websites, patients should refer to the clinic's own cookie policy
and manage consent through the clinic's cookie banner.
7. Data Sharing
Data is shared only as instructed by the Client and only for service delivery.
7.1 Client Access
We provide dashboards, analytics, and recommendations via the Compath App platform.
7.2 Third-Party Integrations (Optional)
Activated only if configured by the Client:
- Google Ads API – offline conversion uploads (aggregated, tied to click IDs)
- Meta Conversions API – offline conversion uploads (aggregated)
- Google Calendar API – staff appointment and availability data
- Google OAuth – authentication and API access authorization
- Google Tag Manager – web analytics event collection from clinic websites
We do not share data with unauthorised third parties.
8. Sub-Processors
- Amazon Web Services (AWS) – cloud hosting, database storage, file storage, secrets management, security, audit logging
- Metabase – business intelligence analytics and reporting platform
- SendGrid (Twilio) – transactional and marketing email delivery
- DIDWW – phone call tracking and telephony services
- Google (Calendar API, Ads API) – calendar data retrieval and advertising services (if connected)
- Meta (Facebook/Instagram) – advertising services (if connected)
All sub-processors are subject to GDPR-compliant data processing agreements.
Sub-Processor Changes: An up-to-date list of sub-processors is available upon request. Clients
will be notified of any intended changes to sub-processors in accordance with the Data Processing Agreement
(minimum 30 days' advance notice), allowing them to object to such changes on reasonable grounds.
9. Data Retention
Data is retained:
- for the duration of the Client’s active contract, and
- for up to 24 months after termination,
unless:
- the Client instructs otherwise (including requesting earlier deletion), or
- retention is required by law.
Upon termination, personal data will be deleted or returned to the Client as instructed, in accordance with our
processor obligations.
10. Data Subject Rights
As a Data Processor, Compath App does not handle requests from data subjects directly.
10.1 For Patients and End Users
If you are a patient or website visitor whose data is processed through the Compath App platform, you have the
following rights under GDPR:
- Right of access (Article 15) – obtain confirmation and a copy of your personal data
- Right to rectification (Article 16) – correct inaccurate personal data
- Right to erasure (Article 17) – request deletion of your personal data
- Right to restriction (Article 18) – limit processing of your personal data
- Right to data portability (Article 20) – receive your data in machine-readable format
- Right to object (Article 21) – object to processing based on legitimate interests or for direct marketing
To exercise these rights: Please contact the clinic or business that collected your data (the
Data Controller). They are responsible for responding to your request within the legal timeframe (typically 30
days).
If you are unsure who to contact: Email us at marton.lasetzky@compath.hu with
details about how your data was collected (e.g., which clinic website you visited, when you made an
appointment), and we will help identify the relevant Data Controller and facilitate your request.
10.2 For Clients (Data Controllers)
We will assist Clients in fulfilling data subject rights requests upon instruction, including providing access to
relevant data, facilitating correction or deletion, and supporting portability requests.
11. Personal Data Breaches
In the event of a personal data breach, we will notify the affected Client without undue delay and no later than
72 hours after becoming aware of the breach, including:
- nature of the breach,
- likely consequences,
- mitigation measures taken.
12. International Data Transfers
Primary data processing and storage occurs within the European Union (AWS eu-central-1,
Frankfurt, Germany).
Some sub-processors (Google, Meta, SendGrid/Twilio, DIDWW) may process data outside the EU/EEA for specific
services. When data is transferred outside the EU/EEA, these sub-processors rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, and/or
- Adequacy decisions where applicable, and/or
- Additional safeguards such as encryption and access controls
All international data transfers comply with GDPR requirements.
13. Updates to This Policy
This Privacy Policy may be updated periodically. The latest version will always be available at:
https://privacy.compath.hu
14. Data Protection Officer (DPO)
We do not currently appoint a Data Protection Officer (DPO), as we are not legally required to do so under
Article 37 GDPR. For data protection inquiries, please contact us using the details below.
15. Contact
Name: Marton Lasetzky
Trading as: Compath App
Email: marton.lasetzky@compath.hu
Address: Budapest, Hungary