Privacy Policy

Last updated: 27 March 2026

This Privacy Policy applies to the mobile application HolyTrails, operated by APONI s.r.o. It describes what personal data we collect, how we use it, where it is stored, and what rights you have under the GDPR Regulation (EU) 2016/679.

1. Data Controller

APONI s.r.o.
Ružová 48, 040 11 Košice, Slovak Republic
Company ID: 53920741
E-mail: gdpr@aponi.sk

2. What Data We Collect and Why

Category Data Purpose Legal basis
Email registration Email address, display name, password (bcrypt hash) Account management, authentication Performance of contract (Art. 6(1)(b))
Google Sign-In Name, email, Google ID (via Firebase Authentication) Passwordless authentication Performance of contract (Art. 6(1)(b))
Apple Sign-In Name, email or anonymous relay email, Apple ID Passwordless authentication Performance of contract (Art. 6(1)(b))
Facebook Login Name, email, Facebook ID Passwordless authentication Performance of contract (Art. 6(1)(b))
Location GPS coordinates, BLE iBeacon signals POI proximity detection, navigation — processed locally on device only, not sent to server Legitimate interest (Art. 6(1)(f))
In-app activity Visited points of interest, completed missions, earned achievements, saved places Personalisation, progress tracking Performance of contract (Art. 6(1)(b))
Issue reports Report text, issue type, device info (model, OS version, app version) Improving content and app quality Legitimate interest (Art. 6(1)(f))
Transactional emails Email address Account verification, password reset Performance of contract (Art. 6(1)(b))

3. Where Data Is Stored

All data is stored on servers located in the Czech Republic, an EU member state. Data is not transferred outside the EU/EEA except when signing in via Google (Firebase Authentication — Google LLC, USA), Apple (Apple Inc., USA) and Facebook (Meta Platforms Inc., USA). These providers ensure GDPR-compliant transfers through Standard Contractual Clauses (SCCs).

4. Firebase Authentication

Google Sign-In uses Firebase Authentication (Google LLC). Firebase is used solely for authentication — not for analytics, advertising or behavioural tracking. Google Privacy Policy: policies.google.com/privacy.

5. Sharing Data with Third Parties

We do not sell your personal data. We share it only to the extent necessary:

6. Data Retention

7. Your Rights (GDPR)

Under GDPR you have the following rights:

To exercise your rights, contact us at: gdpr@aponi.sk. We will respond within 30 days.

8. Data Deletion — Facebook

If you signed in via Facebook and wish to delete data associated with your account, you may do so via Facebook Settings → Apps and Websites, or contact us at gdpr@aponi.sk and we will delete the data within 30 days.

9. Security

We have implemented appropriate technical and organisational measures to protect your data:

10. Children

The application is not intended for children under the age of 16. We do not knowingly collect personal data from children. If you discover that a child has provided us with personal data without parental consent, please contact us at gdpr@aponi.sk.

11. Changes to This Policy

We may update this policy. We will notify you of material changes by email or via an in-app notification. The date of the last update is shown at the top of this document.

12. Contact

APONI s.r.o.
Ružová 48, 040 11 Košice, Slovak Republic
General enquiries: info@aponi.sk
GDPR and privacy: gdpr@aponi.sk