Effective date: 19 April 2026
This Privacy Policy describes the processing of personal data on the website https://vimora-care.eu and in connection with the Vimora Care service. The purpose of the service is to help caregivers, care workers, families and clients find each other through profiles, search functions, subscriptions, contact unlocks and notifications.
1. Data Controller
Data Controller: Vimora Grup Kft.
Registered office: 2440 Százhalombatta, Erkel Ferenc körút 80, 2nd floor, door 6, Hungary
E-mail: info@vimora-care.eu
Website: https://vimora-care.eu
Privacy requests: info@vimora-care.eu
2. Who Does This Privacy Policy Apply To?
This Privacy Policy applies to:
- visitors of the website;
- users registering as caregivers or care workers;
- users registering as families, clients or persons seeking care;
- cared-for or care-dependent persons whose data is provided in a family profile;
- buyers and subscribers;
- users initiating or affected by a contact unlock;
- users giving or receiving ratings;
- persons contacting customer support or the Data Controller in any other way.
Registration is only available to persons who are at least 18 years old.
3. Categories of Data Processed
3.1. Account and Registration Data
For registration and login, the following data is processed: name, e-mail address, phone number, password, user role, language setting, registration date, login data and account status data.
The password is not stored in readable form, but in the technically protected form used by WordPress.
3.2. Profile Data of Caregivers or Care Workers
Processed data may include in particular: profile picture, first name, last name, e-mail address, phone number, age, gender, native language, spoken languages, country of work, region, county or federal state and service area, professional or legal status, education, experience, availability, accepted forms of care, accepted and excluded tasks, pay expectation, profile visibility status and subscription status.
3.3. Profile Data of Families or Clients
Processed data may include in particular: profile picture, name, e-mail address, phone number, country, region, county or federal state, settlement or city, service area, form of care, available days and time slots, expected care duration, mobility, transfer or moving needs, assistive devices, basic information on housing circumstances, accommodation availability, expected qualification of the caregiver, family budget or pay-related data, profile visibility status and subscription status.
The family provides a settlement or city for the place of care. Vimora Care does not request an exact residential address, street name or house number in the family profile. For technical reasons, the city search may process settlement-level coordinates and, where applicable, a postal code; however, this is not an exact address.
3.4. Care-Related and Health-Related Data
The family profile may contain data relating to the care needs or health condition of the cared-for person, such as mobility status, dementia or cognitive condition, incontinence, assistive devices, being bedridden, transfer or lifting needs, and care tasks.
These data may qualify as special categories of personal data under the GDPR. Their processing requires explicit consent.
3.5. Purchase, Subscription and Payment Data
Processed data: WooCommerce order data, ordered product or service, subscription status, payment status, entitlement data, billing name and address, e-mail address, order identifiers, transaction identifiers and tokens returned by the payment service provider.
Vimora Care does not store full bank card numbers, CVC codes or full bank card details. Payment is processed through the WooCommerce PayPal Payments / PayPal payment infrastructure, including card payments through PayPal, Apple Pay and Google Pay.
3.6. Contact Unlock Data
When a contact is unlocked, the system processes the identifier of the requesting user and the target user, the time of the unlock, the unlock entitlement, the unlock log, the data required for sending e-mails and the links to the relevant profiles.
After a contact unlock, the following data may be shared with the other party: first name, e-mail address, phone number, profile link and the pay expectation or budget data connected to the relevant profile. After the contact unlock, the system may temporarily set the target profile to non-public.
3.7. Speed Email Notification Data
When using the Speed Email service, the system may send a notification about a matching user of the other user type based on the selected service area and profile data. The e-mail may include the first name, e-mail address, phone number and profile link of the relevant profile.
Speed Email is a system message, not a newsletter. No marketing newsletter is currently sent.
3.8. Rating Data
After a contact unlock, users may rate each other. The processed data are: rating user, rated user, rating value, date and time of creation and modification of the rating.
Only the average rating and the number of ratings are displayed publicly. The name of the rating user and the individual rating are not public.
3.9. Technical Data, Cookies and External Technologies
Processed data may include: IP address, browser and device data, time of visit, session identifiers, login and security logs, cookies required for WordPress and WooCommerce, Google reCAPTCHA v3 data, Microsoft Clarity analytics data in cookieless configuration, technical data related to Geoapify city search, and technical data related to OpenStreetMap map tile requests.
4. Purposes, Legal Bases and Retention Periods
| Purpose | Data Processed | Legal Basis | Retention Period |
| Registration and user account management | name, e-mail address, phone number, password, role, account status | Article 6(1)(b) GDPR, performance of a contract | until the account exists or until a deletion request |
| Creation and management of caregiver or family profiles | profile data, service area, languages, availability, pay or budget data | Article 6(1)(b) GDPR; for optional data Article 6(1)(a) GDPR, consent | until the profile exists or until a deletion request |
| Processing of care-related and health-related data | data relating to health condition, mobility, mental state or care needs | Article 6(1)(a) GDPR and Article 9(2)(a) GDPR, explicit consent | until consent is withdrawn, the profile is deleted or a deletion request is submitted |
| Public profile display, search and filtering | public profile data, area data, filterable data, aggregated rating | Article 6(1)(b) GDPR | while the profile is public |
| Management of subscriptions, paid services and entitlements | orders, subscription status, payment status, entitlement data | Article 6(1)(b) GDPR | until the end of the contractual relationship or the expiry of legal limitation periods |
| Payment processing | payment method, transaction identifier, payment status, tokens | Article 6(1)(b) GDPR | as long as necessary for payment processing and proof of payment |
| Invoicing and accounting | billing name, billing address, order and invoice data | Article 6(1)(c) GDPR, legal obligation | 8 years under applicable accounting rules |
| Contact unlock | identifiers of the requesting and target users, contact details, profile link, unlock log | Article 6(1)(b) GDPR; for logging Article 6(1)(f) GDPR, legitimate interest | until the account or profile exists or until a deletion request; in case of legal disputes, as long as necessary |
| Speed Email notification | service area, profile link, first name, e-mail address, phone number, notification log | Article 6(1)(b) GDPR | as long as necessary for using and verifying the service |
| Ratings | rating user, rated user, score, time | Article 6(1)(f) GDPR, legitimate interest: building trust and preventing abuse | until the account or profile exists or until a deletion request; upon deletion, anonymisation or deletion may be applied |
| Customer support and complaint handling | content of the request, name, e-mail address, related account or order data | Article 6(1)(b), Article 6(1)(f) or Article 6(1)(c) GDPR | until the case is closed or, in case of legal claims, until the limitation period expires |
| Security, abuse prevention and technical operation | IP address, logs, nonces, session data, reCAPTCHA data | Article 6(1)(f) GDPR, legitimate interest | as long as necessary for the security purpose |
| Analytics and cookies | cookie identifiers, visit and usage data, browser data | for necessary cookies Article 6(1)(f) GDPR; for non-essential analytics Article 6(1)(a) GDPR, consent | as specified in cookie settings and external providers’ privacy notices |
Where processing is based on consent, consent may be withdrawn at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
5. Required and Optional Data Provision
Providing the data required for registration, account use, profile display, contact unlock, payment, invoicing and security checks is a condition for using the relevant service.
If the required data is not provided, registration, profile creation, payment, contact unlock, use of Speed Email or making the profile searchable may not be possible.
Providing optional profile data is not mandatory. However, missing optional data may affect the completeness, searchability or usability of the profile.
6. Consents and Acceptances
During registration, profile update or payment, the user must accept this Privacy Policy where the relevant process requires it.
Separate explicit consent is required for the processing of care-related or health-related data. If a family user provides data not about themselves but about the cared-for person, the user must ensure that they are entitled to do so and that the cared-for person or their legal representative has been informed about the data processing.
7. Public, Hidden and Post-Unlock Shared Data
The following data may be displayed publicly: first name, profile picture, service country, region or county/federal state, settlement or city for family profiles, service area, languages, available days and time periods, form of care, competences, accepted tasks, pay expectation or budget, and aggregated rating.
Non-public data include: last name, e-mail address, phone number, password, order data, billing data, payment identifiers, administrative logs and security logs.
After a contact unlock, the following data may be shared with the other party: first name, e-mail address, phone number, profile link and the pay expectation or budget data connected to the relevant profile.
8. Providing Data of Other Persons
If a family or client profile contains data not of the registering user but of a cared-for or other person, the source of the data is the registering user.
The registering user must ensure that:
- the data is accurate and may be lawfully provided;
- the cared-for person or their legal representative has been informed about the data processing;
- in the case of health-related or care-related data, the required explicit consent or other appropriate authorisation exists;
- no data or images of another person are uploaded without authorisation.
In the case of unauthorised data provision, the Data Controller may restrict, modify or delete the profile.
9. Recipients and Processors
The Data Controller’s staff, administrators and maintenance providers may access personal data only to the extent necessary for their tasks.
Data may be transferred to the following recipients or processors:
| Recipient or Service Provider | Role | Data Concerned |
| Sybell Informatika Kft. | hosting provider and SMTP/e-mail infrastructure | website, database, data required for sending e-mails |
| PayPal / WooCommerce PayPal Payments | payment service provider | payment data, transaction identifiers, payment statuses |
| Apple Pay and Google Pay through PayPal payment infrastructure | payment options | data required for the payment transaction |
| Számlázz.hu | invoicing service provider | billing name, billing address, e-mail address, order and invoice data |
| Geoapify | city search and settlement autocomplete | search query, technical data, IP address |
| OpenStreetMap map tile service | map display | IP address and technical data related to map tile requests |
| Google reCAPTCHA v3 | form protection and abuse prevention | technical and browser data |
| Microsoft Clarity | analytics in cookieless configuration | usage and technical data |
| Developer and maintenance provider | technical operation, bug fixing, development | data necessary for the relevant task |
| Accountant, legal representative, authority | legal, accounting or authority-related obligations | data necessary for the relevant procedure |
| Other registered user | public profile view, contact unlock, Speed Email | public profile data and, in case of contact unlock or Speed Email, contact data |
WordPress, WooCommerce, Gravity Forms, WooCommerce Subscriptions, WPML and Kadence are software components used for operating the website. They become external recipients only if an external service, support or integration connected to the relevant software actually gains access to personal data.
10. Transfers Outside the EU/EEA
Some external service providers, in particular PayPal, Google, Microsoft or other international providers, may process data in countries outside the EU/EEA. In such cases, the transfer may be based on appropriate safeguards applied by the service provider, such as an adequacy decision, standard contractual clauses or another lawful transfer mechanism.
11. Automated Processes and Ranking
Vimora Care does not use any decision based solely on automated processing that would constitute an automated individual decision under Article 22 GDPR producing legal effects or similarly significantly affecting the data subject.
The system may automatically manage technical or contractual statuses, such as subscription status, profile visibility, temporary inactive status after contact unlock, search and filter results, and purchased profile boosts or ranking improvements.
12. Cookies and External Technologies
The website uses necessary cookies for login, session management, WooCommerce cart and purchase, security checks and the basic operation of the website.
Non-essential analytics or measurement technologies are used only if the user has given consent, or if the relevant configuration operates without processing personal data. The website may use Complianz to manage cookie consent.
Google reCAPTCHA v3 helps protect forms and prevent abuse. Microsoft Clarity may help analyse website usage in cookieless configuration. Geoapify may be used for settlement search, and OpenStreetMap for map display.
13. Rights of Data Subjects
Under the GDPR, data subjects have the right to:
- request access to their personal data;
- request rectification of inaccurate data;
- request deletion of data;
- request restriction of processing;
- object to processing based on legitimate interests;
- request data portability where the conditions are met;
- withdraw consent where processing is based on consent;
- lodge a complaint with a supervisory authority;
- seek judicial remedy.
Data subject requests are received by the Data Controller at info@vimora-care.eu.
The Data Controller responds to requests without undue delay and, as a general rule, within one month of receipt. If necessary, this period may be extended by a further two months. The Data Controller informs the data subject of the extension within one month of receipt of the request.
Before fulfilling a request, the Data Controller may request proof of identity where this is necessary to prevent unauthorised access to data.
14. Complaint and Legal Remedy
Data subjects may first contact the Data Controller with their complaint at info@vimora-care.eu.
If the data subject believes that the processing violates the GDPR, they may lodge a complaint with the Hungarian data protection supervisory authority.
Nemzeti Adatvédelmi és Információszabadság Hatóság
Address: 1055 Budapest, Falk Miksa utca 9-11, Hungary
Postal address: 1363 Budapest, Pf.: 9, Hungary
E-mail: ugyfelszolgalat@naih.hu
Phone: +36 (1) 391 1400
Website: https://naih.hu
Data subjects may also turn to a court. As a general rule, proceedings may also be initiated before the court competent according to the data subject’s place of residence or stay.
15. Data Security
The Data Controller applies appropriate technical and organisational measures to protect personal data. Such measures may include, in particular, access restrictions, management of administrator rights, SSL/TLS, security updates, logging, backups, and restricting development and maintenance access.
In the event of a personal data breach, the Data Controller acts in accordance with the GDPR.
16. Changes to This Privacy Policy
The Data Controller may amend this Privacy Policy if the service, the technology used, the group of processors or the legal environment changes.
In the event of significant changes, the Data Controller may provide information on the website or by e-mail.