Privacy Policy – Rakovnická 60 mobile app
Effective from: 19 April 2026 · Version 2.2
Czech version of this document: www.r60.cz/privacy
This policy describes how the Rakovnická 60 mobile app (the "app") processes personal data of its users. The app is an optional companion to the non-commercial long-distance hiking/running event Rakovnická 60.
1. Data controller
Rakovnická 60, z.s. (registered association)
Company ID (IČO): 23021390
Registered in the Czech Republic
E-mail: rakovnicka60@gmail.com
Web: www.r60.cz
2. What personal data we process
The app collects only the data necessary for its function. The categories of data processed depend on which features of the app you use.
2.1 Identification and contact data
- E-mail address – for account login and event-related communication
- First and last name – for participant identification (taken from event registration)
- Phone number (optional) – for emergency organizer-to-participant contact
- City of residence – from the registration form
- Team name (optional) – if the participant starts as part of a team
- Date of birth / year of birth – for selected routes (R100), to verify the age limit
- Gender – for category-based ranking of results
- IP address – recorded at registration to deter abuse
2.2 Data related to race participation
- Bib number, assigned by the organizer
- Selected route / discipline
- Checkpoint and finish times
- Entry fee payment status
- Registration preferences (t-shirt, accommodation, bus transport, etc.)
2.3 Data processed by the app's features
- Precise location (GPS) – only after you grant the operating system permission. During active in-app navigation, your GPS position is streamed to our server, which computes real-time navigation information for your map (distance to finish, distance to the next checkpoint, whether you are on the trail). Individual GPS coordinates are not retained on the server long-term – once processed, they are discarded. Only the official checkpoint times remain stored long-term (see §2.2).
- Push-notification device identifier (FCM token) – for delivering notifications from organizers and social notifications from the gallery
- Content uploaded to the gallery – photos, captions, categories, upload timestamp. Uploaded photos are stored on our server (see §5) and are publicly visible to all other logged-in participants in the gallery of the current year, together with your first and last name.
- Gallery interactions – your hearts (likes) and comments on other participants' photos, as well as hearts and comments you receive on yours. Comments and hearts are public – visible to all logged-in participants, including your name.
The SOS button in the app only initiates a phone call to the 112 emergency line or to the organizer's contact number – the call itself takes place outside the app, and the app does not process or store any location data or call content.
3. How we use your data
- To enable login and access to the app
- To display your position on the event-route map
- For real-time navigation computations (distance to finish, distance to the next checkpoint, on-trail check)
- To operate the shared photo gallery between participants
- To send push notifications related to the current edition of the event (start times, route changes, safety alerts, weather) and gallery social interactions (notification of a heart or comment on your photo)
- To maintain the results list and event history
- For technical support and responses to user requests
- To comply with legal obligations (in particular accounting records of paid entry fees)
4. Legal basis for processing
Processing takes place under the following legal bases:
- Performance of a contract – participation in the Rakovnická 60 event, including operation of related app features (Art. 6(1)(b) GDPR)
- Consent – for access to location (in-race navigation), push notifications, and voluntary upload of content to the gallery (Art. 6(1)(a) GDPR). Consent can be withdrawn at any time in your device settings or by deleting your account in the app.
- Compliance with a legal obligation – retention of accounting records of paid entry fees under Act No. 563/1991 Coll., on Accounting (Art. 6(1)(c) GDPR)
- Legitimate interest – archiving anonymised historical records of past editions for statistics and event-tradition purposes (Art. 6(1)(f) GDPR)
5. Who we share data with
We do not share your personal data with third parties for commercial or advertising purposes. We use the following services for technical processing only:
- Firebase Cloud Messaging (Google LLC) – used solely to deliver push notifications. Google acts as a data processor. More information: firebase.google.com/support/privacy
- Apple Push Notification service (Apple Inc.) – to deliver push notifications to iOS devices. Apple acts as a data processor. More: apple.com/legal/privacy
- Wedos Internet, a.s. – web-hosting provider (Czech Republic) for the server, database, and gallery photo storage
Your data is not sold, rented, or shared for advertising purposes.
5.1 International data transfers
Delivery of push notifications via Firebase Cloud Messaging and Apple Push Notification service may involve a transfer of technical data (FCM token, notification payload) to providers in the United States. Such transfer is safeguarded in line with GDPR:
- Google LLC is certified under the EU-U.S. Data Privacy Framework; for any remaining cases, it relies on the European Commission's Standard Contractual Clauses (SCCs).
- Apple Inc. likewise relies on Standard Contractual Clauses and is registered under the Data Privacy Framework for the relevant services.
All other data (registration details, gallery content) is stored exclusively on servers located in the Czech Republic.
6. How long we retain data
- Login and contact data (e-mail, phone, password): for as long as your account is active; deleted immediately if you use the "Delete account" function in the app (see §13), or within 14 days of an e-mail deletion request
- Registration and results data for a specific edition (bib number, route, times, payment status): for the duration of active participation + 3 years; after account deletion these records remain in anonymised form (see §13)
- Accounting records of paid entry fees: for the period required by Act No. 563/1991 Coll. on Accounting (typically 5 years)
- Gallery photos, comments, and hearts: for as long as your account exists; deleted immediately when you delete your account in the app
- GPS location: individual coordinates streamed to the server during navigation are not retained long-term – the server computes the real-time response for your app and discards the coordinate. Only official checkpoint times, which form part of the results list, are retained long-term (see §2.2).
- FCM token: until you uninstall the app, log out, disable notifications in the app settings, or delete your account
- IP address from registration: deleted when you delete your account
7. Your rights
Under the GDPR you have the right to:
- access your personal data
- rectify inaccurate data
- erase your data ("right to be forgotten")
- restrict processing
- object to processing
- data portability
- withdraw consent at any time (without affecting the lawfulness of prior processing)
- lodge a complaint with the Office for Personal Data Protection (Czech DPA)
8. How to exercise your rights
You have two ways to exercise any of the rights above:
- Self-service account deletion directly in the app – the "Delete account" function in Settings deletes your personal data immediately. Details in §13.
- E-mail request – write to rakovnicka60@gmail.com. We will reply within 30 days at the latest. For an account-deletion request, personal data will be removed from our database within 14 days of verifying the request.
For users who no longer have access to the app (lost device, forgotten credentials, etc.), the e-mail path is always available.
9. Security
All communication between the app and our server is encrypted (HTTPS/TLS). Passwords are stored in the database only in hashed (bcrypt) form – the controller has no access to them in clear text. Database access is limited to authorised members of the organising team.
10. Protection of children and minors
Under §7 of Act No. 110/2019 Coll. on the processing of personal data (the Czech adaptation of the GDPR), the age of digital consent for information-society services is 15 years.
The app is therefore not intended for persons under 15 without the consent of their legal guardian. Registration of a participant under 15 must be carried out by a legal guardian. If we learn that we have collected data from a child under 15 without such consent, we will delete the data without undue delay.
11. Changes to this policy
This policy may be updated from time to time. The current version is always available at www.r60.cz/privacy-en.html. The date of the most recent update is shown in the header of this document.
The data categories described in this document correspond to the information the controller declares in the App Store Connect Privacy Labels and the Google Play Console Data Safety form.
12. Contact
For questions regarding the protection of personal data, please contact:
E-mail: rakovnicka60@gmail.com
13. In-app account deletion
In line with App Store Guideline 5.1.1(v) and the Google Play Data-Deletion policy, the app lets you permanently delete your account directly from the mobile app — there is no need to send an e-mail or visit a website.
Where to find it
In the app, open the Settings tab → at the very bottom you will find the "Delete account" button underneath the "Log out" button.
How deletion works
The flow is two-step to avoid accidental deletion:
- Tapping "Delete account" shows a summary of what will be removed.
- If you wish to proceed, you enter your current password and type the word "SMAZAT" (Czech for "DELETE") to confirm.
Once confirmed, the deletion is executed immediately and is irreversible.
What is permanently removed when you delete your account
- login credentials (e-mail and hashed password)
- contact data (phone number, team name, IP address from registration)
- all photos you have uploaded to the gallery, including the files stored on the server
- all your hearts and comments on photos
- all hearts and comments left by others under your photos
- your device's push-notification registration (FCM tokens)
What remains in anonymised form and why
Records of your participation in past editions of the event (bib number, discipline/route, paid entry fee, checkpoint and finish times) remain in the organizer's database in an anonymised form – your first and last name are replaced with the value "Smazaný účet" ("Deleted account") and your e-mail with a sentinel of the form deleted-<ID>@r60.cz. These records no longer allow you to be identified.
The reason for retaining these anonymised records is:
- compliance with the legal obligation to retain accounting records of paid entry fees under Act No. 563/1991 Coll. on Accounting (Art. 6(1)(c) GDPR);
- the association's legitimate interest in archiving event history and annual statistics (Art. 6(1)(f) GDPR).
Immediate effects of deletion
After deletion, you are automatically logged out of the app. Your access token is invalidated and push notifications will no longer be delivered to your device.
Full erasure including historical participation records
If you do not want your participation records retained even in anonymised form and wish to request full erasure, send a request to rakovnicka60@gmail.com. The organizer will consider the request in light of the legal obligation to retain accounting records described above. We will inform you of the outcome within 30 days at the latest.
Alternative for users who cannot access the app (lost device, forgotten password, etc.): an account-deletion request can always be sent to rakovnicka60@gmail.com. Identity will be verified against the registration data (name, e-mail, possibly bib number) and the account will be deleted within 14 days of verification.
This document takes effect on 19 April 2026.