DBDouble Blind
DOUBLE BLIND – MANTRAILING PLATFORM

Privacy Policy

Privacy Policy

Effective from: 19 March 2026 until revoked Read in Hungarian

1. Data Controller and Purpose of the Policy

This Privacy Policy describes the data processing activities carried out during the use of the DOUBLE BLIND mobile application operated by the Kutyás Oktatási és Sport Alapítvány (registered office: 1121 Budapest, Szanatórium utca 7.; tax number: 19411996-1-43; represented by: Andrea Bondor and Darinka Györki) (hereinafter: the “Data Controller”).

The purpose of this Policy is to present to users, in a transparent manner, what data we process, for what purpose, on what legal basis, for how long, and what rights users are entitled to.

Definitions

Personal data: any information relating to an identified or identifiable natural person (Article 4(1) GDPR). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data or online identifier.

Data subject: any identified or identifiable natural person whose personal data are processed by the Data Controller (Article 4(1) GDPR). For the purposes of this Policy, a data subject includes, in particular, a registered or non-registered natural person user using the DOUBLE BLIND application.

Processing: any operation performed on personal data, such as collection, recording, storage, alteration, retrieval, use, transmission or deletion (Article 4(2) GDPR).

Data Controller: the natural or legal person which determines the purposes and means of the processing of personal data (Article 4(7) GDPR). For the purposes of this Policy, the Data Controller is the Kutyás Oktatási és Sport Alapítvány.

Data Processor: the natural or legal person which processes personal data on behalf of the Data Controller (Article 4(8) GDPR).

Consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them (Article 4(11) GDPR).

2. Nature of the Application and Context of Data Processing

DOUBLE BLIND is a dog sport and training support application that assists, in particular, the practice, documentation and analysis of mantrailing activities.

During the operation of the application, data created and recorded by users - including, in particular, tracks, location data and training notes - form part of the core functionality of the application.

The Data Controller does not sell users’ personal data to third parties.

3. Scope and Nature of Data Processed

During the use of the application, the Data Controller may process various types of data, including data related to the user account (for example, email address and user identifier), basic identification data received from external login providers (Google, Facebook, X), as well as content provided or generated by the user.

In the case of third-party login, the basic profile data provided by the relevant service provider - such as name, email address or unique identifier - may be transferred to the application solely for the purpose of user identification and account creation.

User content may include, in particular, dog photographs, GPX files, tracks, notes and other training-related information.

The application may also process technical data, such as device type, operating system and application version.

The data processed by the application, their purposes and legal bases are as follows:

Data Purpose Legal basis
Email address Account creation, login, sending notifications Performance of a contract (Article 6(1)(b) GDPR)
Username / user identifier Account identification, display within the application Performance of a contract (Article 6(1)(b) GDPR)
Profile data received from third parties (name, email address, unique identifier provided by Google, Facebook or X) Simplified login, account creation User consent (Article 6(1)(a) GDPR)
GPS location data Track recording, training documentation, map display User consent (Article 6(1)(a) GDPR)
GPX files Track import, training planning and replay User consent (Article 6(1)(a) GDPR)
Dog photograph Profile, training documentation User consent (Article 6(1)(a) GDPR)
Training notes, track descriptions Training documentation, searchability/retrieval, educational analysis User consent (Article 6(1)(a) GDPR)
Technical data (device type, operating system, application version) Troubleshooting, ensuring compatibility, security Legitimate interest (Article 6(1)(f) GDPR)
Log data (login timestamps, application usage events) Prevention of abuse, account security, identification of technical errors Legitimate interest (Article 6(1)(f) GDPR)
Subscription and purchase data (package type, subscription status) Access management, billing Performance of a contract (Article 6(1)(b) GDPR)

4. Processing of Location Data

For the operation of certain functions of the application, GPS-based location data may be recorded, particularly during the creation and display of training tracks.

The user acknowledges that location data may, due to their technical nature, be inaccurate, incomplete or delayed, and that they serve solely the functional operation of the application.

The use of location data is based on the user’s consent and may be restricted or disabled at any time in the device settings, which may affect the availability of certain functions.

5. User Content and Its Risks

Content uploaded or created by the user - including, in particular, tracks, GPX files, notes and images - remains exclusively under the user’s control.

The Data Controller does not verify the accuracy, completeness or safety of such content and assumes no responsibility for consequences arising from its use.

The user acknowledges that activities carried out on the basis of incorrect or inaccurate data may involve risks.

The primary purpose of data processing is the provision of the service, in particular operating the user account, recording and displaying training data, and ensuring the technical operation of the application.

The legal basis for processing may be the performance of a contract (Article 6(1)(b) GDPR), the user’s consent (particularly in the case of location data), and the Data Controller’s legitimate interest in the secure operation of the application.

7. Data Processors and Technical Infrastructure

For the operation of the application, the Data Controller may use external service providers, particularly for server hosting, database management, authentication and technical operation purposes.

The services of Heroku (Salesforce, Inc.) are used to provide the application’s infrastructure. Heroku processes the data as a data processor, based on the instructions of the Data Controller.

The application may also use the platform services of the Apple App Store and Google Play for the purposes of application distribution, subscription management and payment processing.

8. International Data Transfers

Due to the international nature of the service, it may occur that certain data processors operate outside the European Economic Area.

In all cases, data transfers shall take place with safeguards that comply with the applicable data protection legislation. Transfers outside the EEA shall take place on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission or on the basis of an adequacy decision relating to the country concerned.

9. Data Retention

The Data Controller shall retain personal data for as long as the purpose of processing exists or as required by applicable legislation.

Retention periods are, in particular, as follows:

Account data: for 30 days following deletion of the user account

GPS location data and tracks: for 6 months from the completion of the training session or from deletion of the data by the user

Log data and technical logs: for a maximum of 90 days

Subscription and billing data: for 8 years, based on the applicable accounting and tax obligations

The user is entitled to request the deletion of their personal data, which the Data Controller shall carry out without undue delay, unless retention of the data is required by law.

10. User Rights

The user has the right of access, rectification, erasure, restriction of processing, data portability and objection.

The user is entitled to lodge a complaint with the competent data protection authority. Requests for the exercise of rights may be submitted to privacy@doubleblindtrail.app. The Data Controller shall respond within 30 days.

Complaints may be submitted to the National Authority for Data Protection and Freedom of Information (NAIH, naih.hu, 1055 Budapest, Falk Miksa u. 9-11.).

The user may withdraw their consent at any time in the application settings or by sending a request to privacy@doubleblindtrail.app. Withdrawal shall not affect the lawfulness of processing carried out prior to the withdrawal.

11. Data Security

The Data Controller applies appropriate technical and organizational measures in order to protect personal data, including, in particular, protection against unauthorized access, modification, disclosure or deletion.

The security measures of the application may include, in particular:

JWT Bearer Token-based authentication with global access protection

the application of authorization control mechanisms

the use of CORS restrictions

secure bcrypt-based password hashing

the use of encrypted data communication (HTTPS/TLS)

restricted access to administrative and technical systems

12. Processing of Children’s Data

The application is not specifically intended for children, and the Data Controller does not knowingly process data relating to children. The Data Controller processes the personal data of persons under the age of 16 only on the basis of verified parental or legal guardian consent. If the Data Controller becomes aware that data relating to a person under the age of 16 have been recorded without consent, such data shall be deleted without delay.

13. Amendment of the Policy

The Data Controller reserves the right to amend this Privacy Policy. The amended version shall enter into force upon publication. In the event of a material amendment, the Data Controller shall notify the data subjects at least 30 days before the entry into force through the application or by email.

END OF PRIVACY POLICY