HIKE AND FLY SCORING SYSTEM
PRIVACY POLICY AND DATA PROTECTION FRAMEWORK
Last Updated: May 28, 2025
INTRODUCTION
At Hike and Fly Scoring System, we highly value your privacy and are committed to protecting your personal data in accordance with applicable data protection laws, particularly the Swiss Federal Act on Data Protection and the EU General Data Protection Regulation (GDPR). This comprehensive Privacy Policy outlines the principles, practices, and procedures concerning the collection, use, and processing of your personal data in connection with our website available at www.hikeandfly.app and our official Android and iOS mobile applications, as well as our associated Hike and Fly Scoring System (collectively referred to as “HFSS”, “the Service”, “we”, “our”, or “us”), operated by Simone Severini based in Switzerland.
This Privacy Policy is a binding agreement between:
- Hike and Fly Scoring System (“HFSS”, “we”, “our”, “us”, “the Service”), operated by Simone Severini, and
- The User (“you”, “your”, “User”, “Pilot”, “Race Director”)
This Privacy Policy does not extend to any external links that may lead to offers from third parties. For such external services, the data protection regulations of the respective providers apply.
At Hike and Fly Scoring System (www.hikeandfly.app), we are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy provides detailed information on how we collect, process, share, and protect your data in compliance with the General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection, and other applicable data protection laws.
We understand the importance of safeguarding the personal information you entrust to us, particularly when it comes to sensitive data such as your location information during paragliding activities. This Privacy Policy is designed to be transparent, comprehensive, and easily understandable, providing you with all the information you need regarding our data processing activities.
Data Controller: Simone Severini
Email Address: [email protected]
Website: www.hikeandfly.app
Club Management System: clubs.hikeandfly.app
Postal Address: Caslano, Switzerland
For questions or requests related to data processing by us, you may contact us by mail at the address listed above or via email at [email protected]. We strive to respond to all legitimate inquiries within a reasonable timeframe, typically within 2-5 business days for general inquiries and within the legally prescribed timeframes for formal data subject requests.
1.1 Club Management System Data Controllers
For the Club Management System:
- Primary Data Controller: Each individual club using the system acts as a data controller for their members’ data
- Platform Provider: HFSS - Hike and Fly Scoring System (data processor for clubs)
- Contact: For club-specific data inquiries, contact your club directly
- Platform Support: [email protected]
2. LEGAL BASIS FOR PROCESSING
In accordance with applicable data protection laws, particularly the GDPR and the Swiss Federal Act on Data Protection, we process your personal data on the following legal bases:
2.1 Contractual Necessity (Art. 6(1)(b) GDPR)
We process certain personal data because it is necessary for the performance of our contract with you to provide the HFSS scoring and tracking services. Without this essential information, we would be unable to provide you with our services as requested. This includes processing necessary to:
- Create and manage your user account
- Calculate and display race scores and rankings
- Verify your participation in races
- Process and validate GPS tracks for race verification
- Provide technical support for service-related issues
2.2 Legitimate Interests (Art. 6(1)(f) GDPR)
We process some personal data based on our legitimate interests, which we have carefully balanced against your fundamental rights and freedoms. Our legitimate interests include:
- Ensuring pilot safety during races through real-time location tracking
- Verifying race participation and ensuring the accuracy of race scoring
- Improving our services and user experience through analysis of usage patterns
- Analyzing aggregated performance metrics for sports development and historical records
- Protecting our legal rights and complying with our legal obligations
- Ensuring the security and integrity of our platform
- Detecting and preventing fraudulent activities or misuse of our services
We conduct regular assessments to ensure that our legitimate interests do not override your rights and freedoms. You have the right to object to such processing at any time (see Section 9.6).
2.3 Consent (Art. 6(1)(a) GDPR)
For certain processing activities, we rely on your explicit consent, which you can withdraw at any time without affecting the lawfulness of processing based on consent before its withdrawal. These activities include:
- Integration with third-party services (such as Strava, Garmin, etc.)
- Sending marketing communications about our services and events
- Using your data in anonymized statistical analyses for research purposes
- Public display of race results and rankings with your name
- Publication of event photographs that may include your image
- Processing of certain special categories of personal data
2.4 Legal Obligations (Art. 6(1)(c) GDPR)
Some processing is necessary for compliance with our legal obligations under EU, Swiss, or other applicable laws, including:
- Tax and accounting requirements
- Responding to valid legal requests from authorities
- Maintaining records required by law
- Complying with sports federation regulations and requirements
- Implementing appropriate security measures
3. CATEGORIES OF PERSONAL DATA WE COLLECT
3.1 Account and Profile Data
- Full name
- Email address
- Username and password (encrypted)
- Profile picture
- Date of birth
- Contact details
- Account preferences
3.2 Pilot-Specific Data
- Pilot license information and certification level
- Emergency contact information
- Medical information relevant to race participation
- Insurance details and policy numbers
- Photographic identification
3.3 Club Member Data (Club Management System)
- Digital membership card information
- Member ID and membership status
- License expiry dates and validity
- Insurance policy numbers and coverage details
- Medical certificates and fitness status
- Safety records and incident reports
- Shuttle booking history
- Club-specific member preferences
3.4 Location and Activity Data
- GPS coordinates and tracking data (collected via our mobile applications with your explicit permission)
- Altitude information
- Speed metrics
- Route information
- Start/finish times
- Waypoint verification data
- Flight duration and distance metrics
3.5 Race Director Data
- Professional email address
- First and last name
- Contact telephone number
- Role designation and account status
- Account creation timestamp
- Activity logs related to race management
3.6 Technical Data
- IP address
- Device information
- Browser type and version
- Operating system
- Access time and date
- Pages visited
- App usage statistics
- Crash reports and performance data
3.7 Integration Data
When you connect to third-party services like Strava or Garmin, we may receive:
- Account identifiers from those services
- Activity data synced from those platforms
- Profile information as shared by those services
3.8 Club Administrator Data
- Administrative contact information
- Club registration details
- Payment information for club services
- Club operational data and settings
- Member management activity logs
4. HOW WE USE YOUR PERSONAL DATA
4.1 Service Provision and Improvement
- Creating and managing user accounts
- Processing and scoring race participation
- Verifying race routes and waypoints
- Authenticating your identity
- Providing customer support
- Improving and developing our platform
- Managing club memberships and digital membership cards
- Processing shuttle bookings and coordinating transportation
- Verifying insurance and license validity for club members
- Facilitating club communications and member management
4.2 Safety and Operations
- Monitoring pilot safety during races
- Facilitating emergency response
- Verifying pilot qualifications
- Ensuring compliance with competition rules
- Resolving disputes regarding race results
4.3 Analysis and Research
- Analyzing platform usage patterns
- Developing statistical insights
- Creating anonymized datasets
- Improving algorithm accuracy
- Enhancing future race planning
4.4 Communication
- Sending service-related notifications
- Providing race information and results
- Responding to your inquiries
- Sending marketing communications (with consent)
- Notifying about changes to our terms or privacy policy
5. GPS TRACKING DATA SPECIAL PROVISIONS
5.1 Collection Methods and Purposes
GPS tracking data is collected primarily via our official Android and iOS mobile applications, which require your explicit permission to access precise location data. This data is collected to:
- Verify race participation and completion
- Calculate accurate scores based on verified routes
- Monitor pilot safety and facilitate emergency response
- Provide real-time race progress information
- Create detailed post-race analysis
5.2 Technical Implementation
- GPS data is collected at intervals of [specific interval, e.g., every 10 seconds]
- Accuracy parameters: [details about accuracy measurements]
- Data transmission protocols include industry-standard encryption
- Storage occurs in real-time with backup redundancy
5.3 Retention and Access
- Real-time GPS data is processed immediately for safety monitoring
- Raw GPS data is retained for 90 days post-race for dispute resolution
- Processed route data is retained for 5 years for historical records
- Access to GPS data is strictly limited to:
  - Designated race officials
  - Safety personnel during race events
  - Technical staff for maintenance and troubleshooting
  - The pilot who generated the data
5.4 Privacy Controls for Location Data
- Pilots can access their own complete tracking history
- Pilots can delete historical tracking data older than 90 days
- Real-time tracking can be disabled outside of official race periods
- Location “fuzzing” options are available for public displays of non-race activities
- In our mobile applications, you can control location permissions at any time via your device settings. Disabling location access will prevent the app from collecting or transmitting your precise location.
6. THIRD-PARTY INTEGRATIONS AND DATA SHARING
6.1 Service Providers and Processors
In order to provide our Service effectively, we engage various service providers who may have access to or process personal data on our behalf. These processors are carefully selected and contractually obligated to provide appropriate security measures and to process personal data only according to our instructions.
We share personal data with the following categories of service providers:
- Cloud hosting providers (servers located in Lithuania, European Union)
- Database management services and data storage providers
- Customer support platforms and ticketing systems
- Analytics services for platform improvement
- Email and communication service providers (SendGrid)
- Payment processors (if applicable to future services)
- Authentication service providers
- Mapping and geographical information service providers
- Backup and disaster recovery service providers
- Cloud storage providers (MinIO)
For Club Management System specifically:
- Insurance providers (for member coverage verification)
- National flying federations (FIVL, etc.)
- Emergency services (when required)
- Email service providers for club communications
All service providers acting as data processors are bound by Data Processing Agreements that comply with GDPR requirements, including:
- Processing data only as instructed by us
- Implementing appropriate technical and organizational security measures
- Assisting with data subject rights requests
- Supporting data protection impact assessments when necessary
- Cooperating with supervisory authorities if required
- Returning or deleting data at the end of the engagement
- Submitting to audits and inspections
We regularly review our service providers’ data protection practices and compliance with our standards.
6.2 Third-Party Integrations
Our platform offers optional integrations with third-party services to enhance functionality and user experience. These integrations are entirely voluntary, and you maintain control over whether to connect these services to your HFSS account.
6.2.1 Strava Integration
When you choose to connect your HFSS account with Strava:
- We access your Strava account via OAuth authentication protocol (a secure authorization standard)
- The connection requires your explicit consent through Strava’s authorization screen
- We retrieve the following data from Strava:
  - Activity data including GPS tracks and associated timestamps
  - Distance, elevation, and speed information
  - Activity type classification
  - Activity titles and descriptions (but not private notes)
  - Public activity settings
- We process this data to:
  - Verify your participation in races
  - Import training activities for analysis
  - Provide seamless data synchronization between platforms
  - Calculate scoring based on verified activities
- Data flow limitations:
  - We do not modify your data on Strava
  - We do not post content to your Strava account without specific permission
  - We do not access your Strava contacts or social connections
  - We do not access data from activities explicitly marked as private on Strava unless specifically authorized
6.2.2 Garmin Integration
When you choose to connect your HFSS account with Garmin Connect:
- We access your Garmin Connect account via Garmin’s authorized API connections
- The connection requires your explicit permission through Garmin’s authorization flow
- We retrieve the following data from Garmin:
  - GPS tracks from activities you choose to share
  - Heart rate data (if your device records it and you consent to sharing)
  - Activity timestamps and duration
  - Elevation and barometric data
  - Device information of recording devices
  - Activity classifications and types
- We process this data to:
  - Verify race participation and route adherence
  - Import training activities for analysis and improvement
  - Calculate accurate scoring based on validated tracks
  - Provide performance insights based on your historical data
- Data flow limitations:
  - We do not modify your data on Garmin
  - We do not control your Garmin devices
  - We do not access data from activities not explicitly shared
  - We do not access medical information beyond what is necessary for race safety
6.2.3 Data Control for Integrations
We provide you with substantial control over these integrations:
- Integrations are entirely optional and activated at your discretion
- You can disconnect any integration at any time through your HFSS account settings
- Revoking access does not affect previously imported data, but prevents future data synchronization
- You can selectively choose which data types are synchronized from these services
- You control whether activities are automatically imported or manually selected
- For each integration, detailed consent is obtained for specific data types
- You can view a log of data access and synchronization events
6.4 Cross-Platform Integration (HFSS Main Platform and Club Management)
The Club Management System integrates with the main HFSS platform to provide seamless services:
- Members can link their club accounts with HFSS competition accounts
- Flight data may be shared between platforms with your consent
- Live tracking during club events follows HFSS policies
- Unified privacy settings across platforms
- Competition results integrate with club member profiles
- Insurance and license verification shared for race participation
6.4.2 Integrated Consent
When linking accounts between platforms:
- You explicitly consent to data sharing between the systems
- You can manage integration settings in your profile
- You can unlink accounts at any time
- Historical data remains subject to retention policies
As a platform focused on paragliding competitions and racing, certain information sharing is intrinsic to our Service:
- Participant names and overall race results are publicly displayed on race leaderboards
- Real-time race progress may be publicly visible during official races (with consent options)
- GPS tracks may be displayed publicly at a reduced resolution for race verification
- Race highlights and statistical data may be shared for promotional purposes
- Historical race results are maintained as a matter of sporting record
- Results may be shared with paragliding federations and sporting bodies
- Record attempts and achievements may be submitted to relevant sporting authorities
- Aggregate statistics may be shared with the paragliding community for sport development
- Event photographs and videos may be published for race documentation and promotion
- Private training flights remain private unless explicitly shared
- Options to race under a pseudonym in certain events
- Controls for the precision level of publicly displayed tracks
- Ability to opt out of photographs and promotional materials
- Separate consent for different types of information sharing
6.6 Legal Disclosures
We may disclose your personal data if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency). Specifically, we may disclose data:
- In response to lawful requests from law enforcement agencies
- To comply with court orders or legal processes
- To protect and defend our legal rights and property
- To prevent or investigate possible wrongdoing in connection with the Service
- To protect the personal safety of users of the Service or the public
- To protect against legal liability
Such disclosures are conducted with appropriate scrutiny of the requests and with respect for the proportionality principle.
6.7 Business Transfers
If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your data may be transferred as part of that transaction. In such events:
- We will notify you via email and/or a prominent notice on our website
- We will inform you about any changes in the ownership or uses of your personal data
- We will specify any choices you may have regarding your personal data
- The acquirer will be obligated to respect the commitments made in this Privacy Policy
We will not transfer your personal data to a successor entity unless that entity agrees to process your personal data in a manner compatible with this Privacy Policy.
6.8 Future Commercial Relationships
While we currently do not share data with commercial third parties for advertising purposes, we reserve the right to establish such relationships in the future. In such cases:
- We will update this Privacy Policy and provide notice of the changes
- We will obtain appropriate consent where required
- We will offer clear opt-out mechanisms
- We will ensure that any such sharing complies with applicable data protection laws
Any future data sharing will be implemented with a strong focus on user privacy and control.
7. INTERNATIONAL DATA TRANSFERS
In the course of providing our Service, personal data may be processed in different countries. We’re committed to ensuring that any international transfer of personal data complies with applicable data protection laws and that appropriate safeguards are in place to protect your information.
7.1 Locations of Processing
Your personal data is primarily processed in the following locations:
- Switzerland, where our main operations are based and where our company is headquartered
- Lithuania, European Union, where our primary servers and hosting infrastructure are located
- Other European Economic Area (EEA) countries where our service providers may process data
- Countries for which the European Commission has issued an adequacy decision, confirming an adequate level of data protection
- Countries where we’ve implemented appropriate safeguards to ensure adequate protection of your data
We have deliberately selected service providers with data centers in the EEA to ensure the highest level of data protection for our users’ personal information. Where possible, we prioritize keeping data processing activities within Switzerland and the European Economic Area.
7.2 Safeguards for International Transfers
For any transfers of personal data outside Switzerland or the EEA to countries that do not have an adequacy decision from the European Commission or the Swiss Federal Data Protection and Information Commissioner (FDPIC), we implement appropriate safeguards to ensure that your data receives an equivalent level of protection:
7.2.1 Standard Contractual Clauses
We primarily rely on Standard Contractual Clauses (SCCs) approved by the European Commission. These contractual clauses impose binding data protection obligations on the recipient of your data, ensuring they handle your data in compliance with EU data protection standards.
7.2.2 Additional Technical and Organizational Measures
In addition to SCCs, we implement supplementary measures as recommended by the European Data Protection Board, which may include:
- End-to-end encryption of data during transfer and storage
- Pseudonymization or anonymization where possible
- Data minimization to limit the scope of transferred data
- Regular audits of our data processors located outside the EEA
- Contractual commitments for additional security measures
- Technical restrictions on access to data from certain jurisdictions
- Enhanced monitoring of access to transferred data
7.2.3 Binding Corporate Rules
If applicable to specific transfers, we may rely on approved Binding Corporate Rules (BCRs) of our service providers, which establish enforceable data protection standards within a corporate group.
7.2.4 Derogations for Specific Situations
In limited circumstances, where the above safeguards cannot be implemented, we may rely on specific derogations allowed under Article 49 of the GDPR, such as:
- Your explicit consent to the transfer (after being informed of the possible risks)
- Necessity for the performance of a contract between you and us
- Importance for the establishment, exercise, or defense of legal claims
- Protection of your vital interests or those of others, if you are physically or legally incapable of giving consent
- Necessity for important reasons of public interest
7.3 Transparency and Control
We are committed to transparency regarding international data transfers:
- You can request information about the countries where your data is processed
- You can inquire about the safeguards we’ve implemented for specific transfers
- You can request a copy of the standard data protection clauses we use for transfers
- You have the right to withdraw consent for transfers based on consent
- We will inform you before transferring your data to a new jurisdiction that hasn’t been covered by this Privacy Policy
To exercise these rights or to request more information about our international data transfers, please contact us at [email protected].
7.4 Compliance with Swiss Requirements
As a Swiss-based company, we comply with the requirements of the Swiss Federal Act on Data Protection for international transfers of data. This includes:
- Ensuring an adequate level of protection for personal data transferred abroad
- Implementing appropriate safeguards when transferring to countries without adequate protection
- Informing the Federal Data Protection and Information Commissioner about safeguards when required
- Respecting specific Swiss requirements that may differ from the GDPR
7.5 Monitoring of International Transfer Framework
We actively monitor developments in international data transfer regulations, including:
- Changes to adequacy decisions by the European Commission or the Swiss FDPIC
- Updates to Standard Contractual Clauses
- Court decisions affecting the legality of transfer mechanisms
- New guidance from data protection authorities
We are committed to adapting our international transfer mechanisms as necessary to ensure continued compliance with evolving legal requirements.
8. DATA SECURITY MEASURES
The security of your personal data is of paramount importance to us. We implement a comprehensive framework of technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. Our approach to data security follows industry best practices and is regularly reviewed and updated.
8.1 Technical Measures
We employ state-of-the-art technical security measures to protect your personal data throughout its lifecycle in our systems:
8.1.1 Encryption and Secure Communication
- End-to-end encryption for transmission of sensitive data using TLS 1.3 protocols
- Strong encryption algorithms (AES-256) for personal data at rest in our databases
- Secure API endpoints with certificate pinning to prevent man-in-the-middle attacks
- Encrypted database backups with separate encryption keys
- Secure key management practices with regular rotation of cryptographic keys
- VPN and encrypted channels for administrative access
- Secure development practices for our mobile applications with certificate pinning
8.1.2 Access Controls and Authentication
- Robust authentication mechanisms with multi-factor authentication (MFA) for all administrative access
- Role-based access control (RBAC) with principle of least privilege
- Unique login credentials with strong password requirements
- Automatic session timeouts after periods of inactivity
- Secure password storage using modern hashing algorithms (bcrypt with appropriate work factors)
- Logging of all authentication attempts and access to sensitive data
- Regular review of access privileges and prompt revocation when no longer needed
8.1.3 Infrastructure Security
- Firewalls and intrusion detection/prevention systems
- Regular security patches and updates to all systems
- Network segmentation to isolate sensitive data stores
- DDoS protection and traffic monitoring
- Server hardening and secure configuration following industry benchmarks
- Vulnerability scanning and penetration testing by independent security professionals
- Trusted IP restrictions for administrative access
- Redundant systems to ensure availability of service and data
8.1.4 Data Protection Controls
- Regular and secure backup procedures with integrity verification
- Anonymization and pseudonymization techniques where appropriate
- Data loss prevention tools to prevent unauthorized exfiltration of data
- Secure data deletion procedures when data is no longer needed
- Separate environments for development, testing, and production
- Containment strategies to limit the impact of potential security incidents
- Input validation and output encoding to prevent injection attacks
8.2 Organizational Measures
Beyond technical controls, we implement comprehensive organizational measures to ensure the security of your data:
8.2.1 Security Governance
- Documented information security policies and procedures
- Regular security risk assessments and mitigation planning
- Designation of security responsibilities within our organization
- Security steering committee with executive oversight
- Compliance monitoring and internal audits
- Defined security metrics and performance indicators
- Regular review and updates to security controls
8.2.2 Staff Training and Awareness
- Comprehensive data protection and security training for all staff
- Regular security awareness programs and updates
- Specialized training for staff with access to sensitive data
- Clear protocols for handling security incidents
- Security requirements included in employee contracts
- Disciplinary procedures for security policy violations
- Security awareness communications and reminders
8.2.3 Third-Party Management
- Security and privacy assessments of service providers
- Contractual security obligations for all data processors
- Regular review of third-party security practices
- Monitoring of service provider compliance
- Incident notification requirements for third parties
- Security certification requirements for critical providers
- Right to audit provisions in service provider contracts
8.2.4 Physical Security
- Secure physical locations for server infrastructure
- Access controls for server rooms and office spaces
- Environmental protections (fire, flood, power)
- Monitoring and surveillance of physical premises
- Secure disposal of physical media
- Clean desk policy and secure document handling
8.3 Data Breach Procedures
Despite our best efforts to prevent security incidents, we maintain comprehensive procedures to deal with potential data breaches:
8.3.1 Detection and Investigation
- Automated monitoring and alerting systems to detect unusual activities
- Dedicated security incident response team
- Documented procedures for identifying and classifying potential breaches
- Forensic capabilities to investigate security incidents
- Root cause analysis protocols for all security events
- Timeline reconstruction capabilities for security investigations
- Predefined incident response playbooks for various scenarios
- Incident severity classification framework
- Containment procedures to limit the impact of breaches
- Business continuity and disaster recovery procedures
- Post-incident reviews and improvement processes
- Remediation tracking and verification
8.3.3 Notification Procedures
In the event of a data breach that affects your personal data:
- We will notify relevant supervisory authorities without undue delay and, where feasible, within 72 hours of becoming aware of the breach
- We will inform affected users without undue delay when the breach is likely to result in a high risk to your rights and freedoms
- Our notifications will include:
  - The nature of the personal data breach
  - The categories and approximate number of data subjects affected
  - The categories and approximate number of personal data records concerned
  - The likely consequences of the breach
  - The measures taken or proposed to address the breach
  - Contact details for further information
- We maintain a comprehensive data breach register in compliance with GDPR Article 33(5)
8.4 Continuous Improvement
Our commitment to data security includes continuous improvement processes:
- Regular security audits and assessments
- Keeping informed of emerging security threats and vulnerabilities
- Testing of security controls, including simulated attack scenarios
- Adaptation of security measures to address new risks
- Review of security incidents in the wider industry to learn from others’ experiences
- Participation in security information sharing communities
- Implementation of security certifications and standards where appropriate
8.5 User Responsibilities
While we implement robust security measures, the security of your account also depends on you:
- Keep your account credentials confidential
- Use strong, unique passwords for your HFSS account
- Enable multi-factor authentication if available
- Log out of your account when using shared devices
- Report any suspicious activities or potential security incidents promptly
- Keep your devices and software updated
- Be cautious about phishing attempts claiming to be from our Service
We regularly assess and update our security measures to ensure they remain effective and appropriate to the nature of the data we process and the evolving threat landscape.
9. YOUR PRIVACY RIGHTS
Under GDPR and other applicable data protection laws, you have the following rights:
9.1 Right to Access
You can request confirmation of whether we process your personal data and receive a copy of that data.
9.2 Right to Rectification
You can request correction of inaccurate personal data or completion of incomplete data.
9.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data under certain circumstances, including:
- The data is no longer necessary for the purposes collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
9.4 Right to Restriction of Processing
You can request restriction of processing where:
- You contest the accuracy of the data
- The processing is unlawful but you oppose erasure
- We no longer need the data but you require it for legal claims
- You have objected to processing pending verification of legitimate grounds
9.5 Right to Data Portability
You can request to receive your personal data in a structured, commonly used, machine-readable format, or have it transmitted to another controller where technically feasible.
9.6 Right to Object
You can object to processing based on legitimate interests, public interest, or profiling, and to direct marketing.
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
9.8 Right to Withdraw Consent
You can withdraw consent at any time where processing is based on consent.
9.9 How to Exercise Your Rights
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days. We may request specific information to confirm your identity.
10. DATA RETENTION
10.1 Retention Periods
We retain different types of data for specific periods:
- Account data: Duration of account plus 2 years after deletion
- Race results and scorecards: Indefinitely for historical records (with pseudonymization after 5 years)
- GPS tracking data: 90 days in raw form; 5 years for processed route data
- Medical information: Duration of race participation plus 3 years
- Technical logs: 1 year from creation
- Communication records: 3 years from last interaction
Club Management System specific retention:
- Membership records: Active duration plus 2 years after termination
- Flight/Competition data: Follows HFSS platform policy (90 days full, archived indefinitely)
- Financial records: 10 years (Swiss/EU legal requirement)
- Insurance documents: Policy duration plus 5 years
- Safety incidents: 5 years (aligned with HFSS)
- Email communications: 6 months
- Shuttle booking records: 2 years
10.2 Criteria for Determining Retention
Retention periods are determined based on:
- Legal requirements
- Limitation periods for potential claims
- Historical and statistical value
- Operational necessity
- Safety documentation requirements
10.3 Data Minimization and Deletion
- Data is regularly reviewed and deleted when no longer necessary
- Anonymization is implemented where possible for historical records
- Secure deletion protocols ensure data cannot be recovered
- You can request earlier deletion subject to legal retention requirements
11. COOKIES AND SIMILAR TECHNOLOGIES
Our Service uses cookies and similar technologies to enhance user experience, analyze usage patterns, and provide certain functionality. This section explains how we use these technologies and the controls available to you.
11.1 What Are Cookies and Similar Technologies?
11.1.1 Cookies
Cookies are small text files that are stored on your device (computer, tablet, smartphone) when you visit our website or use our applications. These files allow our Service to recognize your device and remember certain information about your visits, such as your preferences and actions on our platform.
11.1.2 Similar Technologies
In addition to cookies, we may use other technologies that store or access information on your device:
- Web beacons (pixels): Small transparent image files used to track your movements on websites
- Local storage: Browser storage mechanisms that provide greater storage capacity than cookies
- Session storage: Similar to local storage but cleared when the session ends
- IndexedDB: A client-side storage API for significant amounts of structured data
- Mobile device identifiers: Identifiers assigned to mobile devices for tracking and analytics
11.2 Types of Cookies We Use
11.2.1 Essential Cookies
These cookies are strictly necessary for the functioning of our website and Service. They enable core functionality such as security, account authentication, and remembering your privacy preferences. Because these cookies are essential for the operation of our Service, they cannot be disabled, but they do not collect any personal information beyond what is necessary for the Service to function.
Examples of essential cookies we use:
- Authentication cookies that remember your login state
- Security cookies that help protect your account
- Cookies that remember your cookie consent choices
- Cookies necessary for load balancing and website availability
11.2.2 Preference Cookies
These cookies allow our Service to remember choices you have made and provide enhanced, personalized features. They may be set by us or by third-party providers whose services we have added to our pages.
Examples of preference cookies we use:
- Cookies that remember your language preference
- Cookies that remember your display settings (such as map view preferences)
- Cookies that save your preferred default locations
- Cookies that remember whether you’ve seen certain notifications
11.2.3 Analytics Cookies
These cookies help us understand how visitors interact with our Service by collecting and reporting information anonymously. They allow us to count visits and traffic sources, see which parts of our Service are most popular, and understand how users navigate through the site.
Examples of analytics cookies we use:
- Google Analytics cookies (with IP anonymization enabled)
- Cookies that track which features you use most frequently
- Cookies that measure page load times and other performance metrics
- Cookies that help us identify usability issues
11.2.4 Marketing Cookies
These cookies track your browsing habits to enable us to show advertising which is more likely to be of interest to you. They are usually placed by advertising networks with our permission. They remember that you have visited a website and this information is shared with other organizations such as advertisers. These cookies are only used with your explicit consent.
Currently, we make limited use of marketing cookies as our focus is on providing the best possible service rather than advertising.
11.3 Cookie Control and Your Choices
11.3.1 Cookie Consent
When you first visit our Service, you will be presented with a cookie banner that allows you to:
- Accept all cookies
- Reject non-essential cookies
- Customize your cookie preferences by category
- Access more detailed information about each cookie
Your cookie preferences are saved and you will not be asked again unless:
- You clear your cookies or use a different browser/device
- Our cookie policy changes significantly
- 12 months have passed since your last consent (to ensure your choices remain current)
11.3.2 Browser Settings
Most web browsers allow control of cookies through the browser settings. You can usually:
- View and delete cookies stored on your device
- Block cookies by activating the setting that allows you to refuse all or some cookies
- Configure settings for specific websites
- Use private/incognito browsing modes to browse without storing cookies
Please note that restricting cookies may impact the functionality of our Service. The procedure to manage cookies differs for each browser, and you can find detailed instructions in your browser’s help section.
11.3.3 Withdrawing Consent
You can change your cookie preferences at any time by:
- Clicking on the “Cookie Settings” link in the footer of our website
- Contacting us at [email protected] to request changes
- Using your browser settings to delete existing cookies
11.3.4 Do Not Track Signals
Some browsers transmit “Do Not Track” signals. We honor Do Not Track signals by disabling all non-essential cookies for users who have enabled this feature in their browsers.
11.4 Our Specific Use of Cookies and Similar Technologies
11.4.1 First-Party Cookies
These are cookies set by our domain (hikeandfly.app):
- Authentication: To remember your login status
- Session management: To maintain your session as you navigate our site
- Security: To protect against fraud and authenticate requests
- Preferences: To remember your settings and preferences
- Analytics: To understand how our Service is used (anonymized)
11.4.2 Third-Party Cookies
These are cookies set by our service providers:
- Analytics: Google Analytics (with anonymization) to improve our Service
- Maps: Map providers to enable location-based features
- Content delivery networks: To efficiently deliver website assets
- User feedback tools: To collect your feedback about our Service
11.4.3 Local Storage
We use local storage to:
- Cache map data to improve performance
- Store offline GPS data when network connectivity is unavailable
- Remember display preferences
- Enable offline functionality of critical features
11.4.4 Mobile Device Technologies
In our official Android and iOS mobile applications, we may use:
- Mobile device identifiers (in compliance with platform policies)
- Local storage for offline functionality
- Push notification tokens (with your permission)
- Precise GPS and location services (with your explicit permission, required for race participation and safety features)
11.5 Cookie Lifetimes
Our cookies have different lifetimes depending on their purpose:
- Session cookies: Deleted when you close your browser
- Persistent cookies: Remain on your device for a specified period:
  - Authentication cookies: 14 days
  - Preference cookies: 6 months
  - Analytics cookies: 12 months
  - Marketing cookies (if applicable): 30 days
11.6 Updates to Our Cookie Policy
We may update our use of cookies from time to time to improve our Service or comply with regulatory changes. Significant changes will be communicated to you through an updated cookie banner and may require renewed consent.
For detailed information about the specific cookies we use, including their names, purposes, and lifetimes, please contact us at [email protected].
12. CHILDREN’S PRIVACY
12.1 Age Restrictions
Our Service, including our website and official Android and iOS mobile applications, is not directed to individuals under the age of 16. We do not knowingly collect personal data, including precise location data, from children under 16 without verifiable parental consent.
For Club Management System:
- Club membership may be available to minors with parental consent
- Shuttle pilots must be 18 years or older
- Flight tracking features require participants to be at least 16 years old
- Clubs are responsible for verifying age and obtaining parental consent where required
12.2 Special Protections
If we collect data from users aged 16-18:
- We implement age verification measures
- We collect only minimal necessary data
- We do not use data for profiling or marketing
- We provide age-appropriate privacy information
- We obtain parental consent where required by law
12.3 Discovery of Child Data
If we discover we have collected data from a child under 16 without proper consent:
- We will immediately cease processing the data
- We will delete the data unless retention is required by law
- We will review and improve our age verification procedures
13. CHANGES TO THIS PRIVACY POLICY
13.1 Update Procedures
We may update this Privacy Policy from time to time. When we do:
- We will post the new Policy on our website
- We will update the “Last Updated” date at the top
- We will notify you via email for significant changes
- We will seek renewed consent where required
13.2 Prior Versions
Previous versions of this Privacy Policy will be archived and available upon request.
14. DISPUTE RESOLUTION
If you have concerns about our data practices, please contact us first at [email protected].
14.2 Supervisory Authority
You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence, place of work, or place of an alleged infringement.
14.3 Governing Law
This Privacy Policy is governed by the laws of Switzerland, without regard to its conflict of law provisions.
15. ADDITIONAL PROVISIONS FOR SPECIFIC JURISDICTIONS
15.1 European Economic Area (EEA) and UK
- Our Data Protection Officer can be contacted at: [email protected]
- The lead supervisory authority for HFSS is [relevant DPA]
15.2 California Residents
- California residents have additional rights under the CCPA/CPRA
- We do not sell personal information as defined by the CCPA
- [Additional California-specific provisions if applicable]
15.3 Other Jurisdictions
- We comply with local data protection requirements in all jurisdictions where we operate
- Additional information for specific jurisdictions is available upon request
16. SPECIAL CATEGORY DATA PROCESSING
16.1 Health Data
We may process health data that is relevant to race participation, such as:
- Medical conditions relevant to paragliding
- Fitness information for safety assessment
- Emergency medical information
16.2 Legal Basis for Special Category Data
We process special category data based on:
- Your explicit consent
- Necessity to protect your vital interests or those of another person
- Necessity for preventive or occupational medicine purposes
- Substantial public interest (where applicable)
16.3 Enhanced Protections
Special category data receives enhanced protection:
- Stricter access controls
- Additional encryption
- Enhanced anonymization where possible
- Separate consent mechanisms
- Regular review of necessity
17. FUTURE COMMERCIAL CONSIDERATIONS
17.1 Current Model
The Hike and Fly Scoring System platform is currently provided free of charge to all users. This allows us to focus on building a robust community of paragliding enthusiasts and to refine our services based on user feedback without financial barriers to participation.
17.2 Potential Future Changes
As we continue to develop and expand our Service, we may introduce certain commercial elements to ensure the long-term sustainability and continued development of the platform. In the interest of complete transparency, we are providing information about potential future changes that might affect our data processing activities:
17.2.1 Possible Future Commercial Models
We may consider implementing one or more of the following commercial models:
- Premium subscription tiers with enhanced features and capabilities
- Paid race management tools for Race Directors and event organizers
- Sponsored events with commercial partners in the paragliding industry
- In-app purchases for advanced analytics and training insights
- Licensed use of our scoring system for major competitions
- API access for third-party developers to build complementary services
- Specialized organizational accounts for clubs and teams
17.2.2 Implementation Procedure
Should we decide to implement any commercial features, we commit to the following approach:
- You will receive clear notification at least 60 days before any implementation
- Detailed information will be provided about the nature and scope of the changes
- Transparent pricing information will be communicated in advance
- Existing free features will remain accessible where technically and financially feasible
- A granular approach will allow you to select only the services you wish to use
- Trial periods may be offered to allow you to evaluate premium features
- Any changes involving new data processing activities will be clearly explained
- Updated terms and conditions will be provided with sufficient time for review
17.2.3 Data Processing Implications
Any commercial features may involve additional data processing activities, such as:
- Payment processing information for subscriptions or purchases
- Enhanced usage analytics to improve premium features
- Integration with additional third-party services
- More detailed performance metrics and competitive analysis
- Account management information for subscription services
We commit to:
- Processing any additional data in accordance with this Privacy Policy
- Obtaining new consent where required by applicable law
- Conducting data protection impact assessments for new processing activities
- Implementing appropriate security measures for any new data processing
- Providing clear information about how your data will be used
- Maintaining data minimization principles even in commercial operations
17.3 User Control and Transition
Should we introduce commercial elements, we will ensure you maintain substantial control over your data and experience:
17.3.1 Export and Transition Options
- You will be able to export all your historical data before making decisions about new services
- Data portability will be prioritized to prevent vendor lock-in
- Transition periods will allow for a smooth adaptation to any new models
- Your historical data will not be held hostage behind paywalls
17.3.2 Tiered Approach
- Multiple service tiers may be offered to provide choice based on individual needs
- Essential safety features will remain accessible to all users regardless of subscription status
- Basic race participation and scoring may remain free while advanced features become premium
- Community features may remain accessible to maintain the inclusive nature of the platform
17.3.3 Advertising and Marketing
If we introduce advertising or marketing in the future:
- Clear distinctions will be made between content and advertisements
- Opt-out options will be provided for personalized advertising
- Targeting will be based only on information you have explicitly shared
- Privacy-friendly advertising approaches will be prioritized
- Transparent information about advertising partners will be provided
17.3.4 Data Retention Changes
Any changes to our commercial model may affect data retention periods:
- Subscription account data may be retained for as long as the subscription remains active
- Financial transaction records may be retained to comply with accounting and tax laws
- Specific retention periods will be defined for each new category of data
- You will be informed about any new retention periods that apply to your data
17.4 Notification Process
For any significant changes to our commercial model:
- Email notifications will be sent to all registered users
- Prominent notices will be displayed on our website and in our applications
- Detailed explanations will be provided about how changes affect different user types
- A dedicated point of contact will be available to address questions and concerns
- FAQs will be published to address common questions about the transitions
We remain committed to maintaining a balance between sustainable operation of our Service and respecting your privacy as we evolve. Any future commercial considerations will be implemented with a user-centric approach, prioritizing transparency, choice, and control.
We value open communication with our users regarding all aspects of our Service, including matters related to privacy and data protection. Our team is committed to addressing your questions, concerns, and requests in a timely and comprehensive manner.
For all privacy-related inquiries, you may reach us through the following channels:
Data Protection Contact:
Simone Severini
Email: [email protected]
Website: www.hikeandfly.app
Club Management System: clubs.hikeandfly.app
Postal Address: Caslano, Switzerland
Club Management System Specific Inquiries:
18.2 Types of Privacy Inquiries We Address
We welcome all privacy-related communications, including but not limited to:
- Questions about this Privacy Policy or our data processing activities
- Requests to exercise your data protection rights (access, rectification, erasure, etc.)
- Reports of potential data breaches or security concerns
- Feedback on our privacy practices
- Requests for clarification about specific data processing
- Concerns about third-party integrations
- Questions about international data transfers
- Requests for additional information on our security measures
- Withdrawal of previously given consent
- Complaints about our data handling practices
18.3 Response Times
We are committed to responding to your inquiries promptly and efficiently:
- General privacy inquiries: Within 2 business days
- Data subject rights requests: Within 30 calendar days (may be extended by up to two additional months in cases of complex or numerous requests, with notification)
- Urgent security matters: Within 24 hours
- Consent withdrawal confirmations: Within 1 business day
- Data breach notifications: In accordance with legal requirements (to authorities within 72 hours, to affected individuals without undue delay)
18.4 How We Handle Your Inquiries
When you contact us with a privacy-related matter:
- We will confirm receipt of your communication
- We will identify the appropriate team member to address your specific concern
- We may request additional information to verify your identity for security purposes, particularly for data subject rights requests
- We will provide a clear and comprehensive response
- We will maintain records of our communications in accordance with our data retention policies
- We will follow up as needed to ensure your concern has been satisfactorily addressed
18.5 Escalation Procedures
If you are not satisfied with our initial response:
- You may request that your concern be escalated to senior management
- You may request information about alternative dispute resolution options
- You may contact the relevant supervisory authority (see section 14.2)
- You may exercise your rights under applicable data protection laws
18.6 Additional Support Resources
In addition to direct contact, we offer:
- FAQs on common privacy questions on our website
- Help documentation related to privacy settings and controls
- User guides for managing your data within our platform
- Community forums where general questions may be discussed (without sharing personal data)
If our contact information changes, we will:
- Update this Privacy Policy
- Post notices on our website and in our applications
- Send email notifications to users where appropriate
- Ensure continuity in handling ongoing inquiries
We appreciate your trust in our Service and value your feedback as we continuously work to improve our data protection practices and transparency.
By using the Hike and Fly Scoring System, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. This document represents the entire agreement between you and us regarding the processing of your personal data in connection with our Service.
_Last Updated: May 14, 2025_