Last updated: 27 March 2026
This Privacy Policy applies to the mobile application HolyTrails, operated by APONI s.r.o. It describes what personal data we collect, how we use it, where it is stored, and what rights you have under the GDPR Regulation (EU) 2016/679.
APONI s.r.o.
Ružová 48, 040 11 Košice, Slovak Republic
Company ID: 53920741
E-mail: gdpr@aponi.sk
| Category | Data | Purpose | Legal basis |
|---|---|---|---|
| Email registration | Email address, display name, password (bcrypt hash) | Account management, authentication | Performance of contract (Art. 6(1)(b)) |
| Google Sign-In | Name, email, Google ID (via Firebase Authentication) | Passwordless authentication | Performance of contract (Art. 6(1)(b)) |
| Apple Sign-In | Name, email or anonymous relay email, Apple ID | Passwordless authentication | Performance of contract (Art. 6(1)(b)) |
| Facebook Login | Name, email, Facebook ID | Passwordless authentication | Performance of contract (Art. 6(1)(b)) |
| Location | GPS coordinates, BLE iBeacon signals | POI proximity detection, navigation — processed locally on device only, not sent to server | Legitimate interest (Art. 6(1)(f)) |
| In-app activity | Visited points of interest, completed missions, earned achievements, saved places | Personalisation, progress tracking | Performance of contract (Art. 6(1)(b)) |
| Issue reports | Report text, issue type, device info (model, OS version, app version) | Improving content and app quality | Legitimate interest (Art. 6(1)(f)) |
| Transactional emails | Email address | Account verification, password reset | Performance of contract (Art. 6(1)(b)) |
All data is stored on servers located in the Czech Republic, an EU member state. Data is not transferred outside the EU/EEA except when signing in via Google (Firebase Authentication — Google LLC, USA), Apple (Apple Inc., USA) and Facebook (Meta Platforms Inc., USA). These providers ensure GDPR-compliant transfers through Standard Contractual Clauses (SCCs).
Google Sign-In uses Firebase Authentication (Google LLC). Firebase is used solely for authentication — not for analytics, advertising or behavioural tracking. Google Privacy Policy: policies.google.com/privacy.
We do not sell your personal data. We share it only to the extent necessary:
Under GDPR you have the following rights:
To exercise your rights, contact us at: gdpr@aponi.sk. We will respond within 30 days.
If you signed in via Facebook and wish to delete data associated with your account, you may do so via Facebook Settings → Apps and Websites, or contact us at gdpr@aponi.sk and we will delete the data within 30 days.
We have implemented appropriate technical and organisational measures to protect your data:
The application is not intended for children under the age of 16. We do not knowingly collect personal data from children. If you discover that a child has provided us with personal data without parental consent, please contact us at gdpr@aponi.sk.
We may update this policy. We will notify you of material changes by email or via an in-app notification. The date of the last update is shown at the top of this document.
APONI s.r.o.
Ružová 48, 040 11 Košice, Slovak Republic
General enquiries: info@aponi.sk
GDPR and privacy: gdpr@aponi.sk