Start Free Login to your account

Privacy Policy

Kwindoo Ltd.Last updated:

Kwindoo Magyarország Ltd. ("Kwindoo," "we," "us," or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard the information you provide when using our platform.

1. Who We Are

Kwindoo Magyarország Ltd. ("Kwindoo," "we," "us," or "our") is the data controller responsible for your personal data.

Kwindoo Magyarország Ltd.
Registered address: 2053 Herceghalom, Kozáromi út 13/2., Hungary
Managing Director: Botond Kristóf Pénzes
Email: [email protected]

We operate the Kwindoo platform (website and mobile applications), providing live GPS tracking, race management, and results services for sailing and other racing events.

2. Scope of This Policy

This Privacy Policy applies to all users of the Kwindoo platform, including Race Organizers (who create and manage events), Racers (who participate in tracked events), and visitors to our website. It covers data collected through our website (kwindoo.com), our iOS and Android mobile applications, and any related services we provide.

When a Race Organizer uses Kwindoo to manage an event, Kwindoo remains the data controller for all personal data processed through the platform. Race Organizers may access certain participant data (such as names, entries, and results) as part of the service functionality, but they may not use such data for purposes unrelated to the event.

3. Data We Collect

3.1 Account & Profile Data

When you create an account, we collect your name, email address, and authentication credentials. If you sign in via Google or Apple, we receive basic profile information (name and email) from those providers. You may also voluntarily provide additional profile information such as a photo, nationality, club affiliation, or boat details.

3.2 Payment & Billing Data (Race Organizers Only)

If you are a Race Organizer purchasing a subscription or one-time service, we collect billing name, billing address, and limited payment details. Full payment card information is processed and stored exclusively by our payment processor, Stripe. We do not have access to your full card number. Racers do not pay anything through the Kwindoo platform; any entry fees charged by Race Organizers are outside our scope.

3.3 Race & Location Data

When you participate in a tracked race, we collect real-time GPS location data from your device for the duration of the event. We also process race entries, results, performance metrics, finish times, and any boat or equipment information you provide. This data is integral to the core service and may be displayed publicly on the platform as part of race results and live tracking.

3.4 Technical & Device Data

We automatically collect IP address, device type, operating system version, browser type, app version, screen resolution, language preference, and general geographic region derived from your IP address. We also collect crash reports, error logs, and performance diagnostics to maintain and improve the platform.

3.5 Usage & Analytics Data

We collect information about how you interact with our platform, including pages viewed, features used, session duration, click patterns, and navigation paths. This helps us understand how the platform is used and where we can improve.

3.6 Communication Data

We retain emails, support requests, and other messages you send us. If you subscribe to our email communications, we also track email opens and clicks to measure engagement.

4. How We Use Your Data

We use the personal data we collect for the following purposes:

  • providing and operating the Kwindoo platform, including account management, live tracking, and results publication;
  • processing payments and managing subscriptions for Race Organizers;
  • communicating with you about your account, events, and service updates;
  • sending marketing communications where you have consented;
  • analyzing platform usage to improve our features, performance, and user experience;
  • detecting, preventing, and addressing technical issues, errors, and potential security threats;
  • complying with applicable legal obligations, including tax and accounting requirements;
  • enforcing our Terms of Service.

5. Legal Bases for Processing (GDPR Article 6)

  • Providing the platform (accounts, tracking, results) — Performance of contract, Art. 6(1)(b)
  • Processing payments — Performance of contract, Art. 6(1)(b)
  • Live GPS tracking during races — Performance of contract, Art. 6(1)(b)
  • Publishing race results and tracking data — Legitimate interest, Art. 6(1)(f)
  • Service-related communications — Performance of contract, Art. 6(1)(b)
  • Marketing emails and notifications — Consent, Art. 6(1)(a)
  • Analytics and platform improvement — Legitimate interest, Art. 6(1)(f)
  • Error monitoring and debugging — Legitimate interest, Art. 6(1)(f)
  • Security and fraud prevention — Legitimate interest, Art. 6(1)(f)
  • Tax, accounting, and legal compliance — Legal obligation, Art. 6(1)(c)

Where we rely on legitimate interest, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest at any time.

6. Data Sharing & Sub-Processors

We do not sell your personal data to third parties. We do not share, license, or disclose personal data for monetary or other valuable consideration. We share personal data only with the service providers ("sub-processors") necessary to operate the platform, and only to the extent required for their specific function.

  • Amazon Web Services (AWS) — Hosting, database, infrastructure — EU (Frankfurt)
  • Cloudflare — CDN, DNS, DDoS protection — Global (US HQ) — EU-US DPF; SCCs
  • Stripe — Payment processing — US / EU — EU-US DPF; SCCs
  • Google LLC (GA4) — Web and app analytics — US — EU-US DPF; SCCs
  • Google LLC (Firebase) — Push notifications, app services — US — EU-US DPF; SCCs
  • Google LLC (Sign-In) — Authentication — US — EU-US DPF; SCCs
  • Apple Inc. — Authentication (Sign in with Apple) — US — EU-US DPF; SCCs
  • Mixpanel — Product analytics — US — EU-US DPF; SCCs
  • Mailerlite — Email communications — EU (Lithuania)
  • Sentry — Error tracking, crash reports — US — SCCs

In addition, Race Organizers may view certain participant data (names, entries, race results, tracking data) for events they manage. Race results, tracking replays, and leaderboards are published on the platform and are publicly accessible.

We may also disclose data if required by law, regulation, or legal process, or to protect the rights, safety, or property of Kwindoo, our users, or others.

7. International Data Transfers

Our primary infrastructure is hosted within the European Economic Area (AWS Frankfurt, Germany). However, some of our sub-processors are based in the United States or operate globally.

For transfers of personal data outside the EEA, we rely on the following safeguards:

  • EU-US Data Privacy Framework (DPF): For US-based providers certified under the DPF adequacy decision adopted by the European Commission on July 10, 2023.
  • Standard Contractual Clauses (SCCs): The European Commission's standard contractual clauses for international transfers, as adopted under Commission Implementing Decision (EU) 2021/914.
  • Supplementary measures: Where required based on transfer impact assessments, including encryption, pseudonymization, and contractual commitments regarding government access requests.

You may request a copy of the relevant transfer safeguards by contacting us.

8. Data Retention

  • Account data — Duration of account + 30 days after deletion — Service provision; grace period for accidental deletion
  • Payment & billing records — 8 years after transaction — Hungarian Accounting Act (Szt. 169. §)
  • Race results & tracking data — Indefinitely (public record) — Core platform functionality; sporting record
  • Analytics data (GA4) — 14 months — Platform improvement
  • Analytics data (Mixpanel) — 12 months — Product analytics
  • Error logs (Sentry) — 90 days — Debugging and stability
  • Marketing consent & email data — Until consent withdrawn — Email communications

Upon account deletion, we anonymize or delete personal data within 30 days, except where retention is required by law or where data forms part of the public racing record (in which case you may separately request its removal).

9. Your Rights (EEA & UK)

Under the General Data Protection Regulation (EU GDPR) and the UK GDPR, you have the following rights regarding your personal data:

  • Right of access — Obtain confirmation of whether we process your data and request a copy.
  • Right to rectification — Request correction of inaccurate or incomplete data.
  • Right to erasure — Request deletion of your data where there is no compelling reason for continued processing.
  • Right to restriction — Request that we limit processing in certain circumstances.
  • Right to data portability — Receive your data in a structured, machine-readable format and transmit it to another controller.
  • Right to object — Object to processing based on legitimate interest or for direct marketing purposes.
  • Right to withdraw consent — Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint — File a complaint with a supervisory authority.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (extendable by 60 days for complex requests).

Lead Supervisory Authority (EEA):
Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
1055 Budapest, Falk Miksa utca 9-11., Hungary
www.naih.hu

UK Supervisory Authority:
Information Commissioner's Office (ICO)
www.ico.org.uk

10. Your Rights (United States)

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or another US state with comprehensive privacy legislation, you have additional rights as described below.

California (CCPA / CPRA)

Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, California residents have the right to: know what personal information we collect, use, disclose, and whether we sell or share it; request deletion of personal information; request correction of inaccurate personal information; opt out of the "sale" or "sharing" of personal information; and not be discriminated against for exercising these rights.

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes. We do not use or disclose sensitive personal information for purposes beyond those permitted under the CPRA.

Categories of personal information we have collected in the preceding 12 months:

  • Identifiers (name, email, IP address, account ID) — Source: You; automatic collection — Purpose: Service provision, communication
  • Commercial information (subscription records, transaction history) — Source: You; Stripe — Purpose: Payment processing
  • Internet/electronic activity (browsing history, app interactions, device info) — Source: Automatic collection — Purpose: Analytics, improvement
  • Geolocation data (precise GPS during races; approximate from IP) — Source: Your device — Purpose: Live tracking, results

Other US States

If you reside in Virginia, Colorado, Connecticut, Texas, Oregon, or another state with an applicable consumer privacy law, you generally have rights to access, correct, delete, and obtain a portable copy of your data, as well as the right to opt out of targeted advertising and profiling. We honor these rights equivalently to California rights described above.

To submit a verifiable consumer request, email [email protected] with the subject line "US Privacy Request." We will verify your identity and respond within 45 days.

11. Cookies & Tracking Technologies

We use cookies and similar technologies (pixels, local storage, SDKs in mobile apps) for the following purposes:

Strictly Necessary

These cookies are essential for the platform to function. They handle authentication sessions, security tokens, and load balancing. You cannot opt out of these without losing platform functionality.

Analytics

We use Google Analytics 4 and Mixpanel to understand how users interact with our platform. These tools use cookies and device identifiers to collect usage data. GA4 is configured with IP anonymization enabled. These cookies are only placed with your consent (for users in the EEA/UK).

Marketing (when active)

When we run advertising campaigns, we may use cookies from Google Ads and Meta (Facebook/Instagram) to measure ad effectiveness and build audiences. These cookies are only placed with your explicit consent and are not currently active.

Managing Your Preferences

For EEA and UK users, we present a cookie consent banner on your first visit. You can change your preferences at any time via the cookie settings link in the website footer. You may also control cookies through your browser settings, though this may impact functionality.

For mobile apps, analytics collection can be managed through the app settings or your device's privacy controls (such as App Tracking Transparency on iOS).

12. Children's Privacy

The Kwindoo platform is designed for general audiences and is primarily used by adults. We do not knowingly collect personal data from children under the age of 16 without verifiable parental or guardian consent. We do not require users to provide their age during registration.

We are aware that minors may participate in sailing events under the supervision of their parents, guardians, or coaches. Where a minor uses the platform in connection with organized training or racing, we expect that a parent or guardian has authorized such use and is responsible for supervising it.

If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that information as promptly as possible.

In the United States, we comply with the Children's Online Privacy Protection Act (COPPA) with respect to children under 13. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us at [email protected] and we will promptly delete the data.

13. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS 1.2+) and at rest (AES-256), role-based access controls with least-privilege principles, DDoS protection and web application firewall via Cloudflare, regular security assessments, automated infrastructure monitoring and alerting, and secure software development practices.

While no system is completely secure, we continuously review and update our security measures to reflect current best practices and threats.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (to the address associated with your account) or through a prominent notice on our platform at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

We encourage you to review this policy periodically. Your continued use of the platform after the effective date of an updated policy constitutes acceptance of the changes.

15. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how we handle your data, please contact us:

Kwindoo Magyarország Ltd.
Attn: Botond Kristóf Pénzes (Managing Director)
2053 Herceghalom, Kozáromi út 13/2., Hungary
Email: [email protected]

We aim to respond to all legitimate requests within 30 days. If your request is particularly complex, we will notify you and may take up to 90 days total.