Privacy Policy

Effective from: January 26, 2026 | Last updated: January 26, 2026

1. Data Controller

The data controller of your personal data is the operator of the CZEnduro platform:

Auto Trutnov s.r.o.

Registered office: Krkonošská 566, 541 01 Trutnov

Company ID: 25931270

Tax ID: CZ25931270

E-mail: info@czenduro.cz

Web: www.czenduro.cz

2. Scope and Purpose of Personal Data Processing

2.1 Basic User Data

Processed data:

  • Email address
  • Password (stored in securely encrypted form)
  • User role (rider, organizer, admin)

Purpose of processing:

  • Creating and managing user accounts
  • Authentication and access authorization
  • Communication with users regarding platform services
  • Account security (protection against brute-force attacks, password reset)

Legal basis: Performance of contract (Art. 6(1)(b) GDPR) and legitimate interest of the controller (Art. 6(1)(f) GDPR) in securing the service.

2.2 Rider Profile Data

Processed data:

  • First and last name
  • Date of birth
  • Gender
  • Nationality
  • Phone number
  • Emergency contact (name, phone)
  • License number (if required)
  • Team name (optional)
  • Health information relevant to the race (optional)

Purpose of processing:

  • Race registration
  • Identification of race participants
  • Emergency contact
  • Providing medical assistance in case of injury
  • Creating race results

Legal basis: Performance of contract (Art. 6(1)(b) GDPR). For health data, the legal basis is explicit consent (Art. 9(2)(a) GDPR).

2.3 Motorcycle/Bike Data

Processed data:

  • Vehicle brand, model, and year of manufacture
  • VIN (vehicle identification number)
  • License plate number (optional)
  • Engine volume and type (for motorcycles)
  • Bike type (for bike races)
  • Vehicle category

Purpose of processing:

  • Classification into the correct race category
  • Verification of vehicle technical parameters
  • Maintaining records of racing vehicles

Legal basis: Performance of contract (Art. 6(1)(b) GDPR).

2.4 Registration and Payment Data

Processed data:

  • Race registration information (race, category, price, start number)
  • Payment data processed through Stripe (card number, payment method)
  • Payment status and transaction information
  • Registration history

Purpose of processing:

  • Processing registration payments
  • Issuing invoices and tax documents
  • Managing race participation
  • Fulfilling legal accounting and tax obligations

Legal basis: Performance of contract (Art. 6(1)(b) GDPR) and compliance with legal obligations (Art. 6(1)(c) GDPR).

2.5 Uploaded Documents

Processed data:

  • Racing licenses
  • Medical certificates
  • Other documents required by the race organizer

Purpose of processing:

  • Verification of eligibility to participate in the race
  • Meeting conditions set by the organizer or legislation

Legal basis: Performance of contract (Art. 6(1)(b) GDPR) and compliance with legal obligations (Art. 6(1)(c) GDPR).

2.6 Race Organizer Data

Processed data:

  • Business name / First and last name
  • Company ID, Tax ID (for legal entities and self-employed)
  • Registered office / residence address
  • Contact email and phone
  • Bank account details (IBAN)
  • Date of birth (for individuals)
  • Stripe Connected Account ID

Purpose of processing:

  • Managing organizer accounts
  • Processing payments and fund transfers
  • Fulfilling accounting and tax obligations
  • Communication with organizers

Legal basis: Performance of contract (Art. 6(1)(b) GDPR) and compliance with legal obligations (Art. 6(1)(c) GDPR).

2.7 Technical and Security Data

Processed data:

  • IP address
  • Login information (successful/unsuccessful logins)
  • System activity history (audit log)
  • Technical data about device and browser

Purpose of processing:

  • Securing the platform against abuse
  • Detection and prevention of fraudulent behavior
  • Technical support and incident resolution
  • Service analysis and improvement

Legal basis: Legitimate interest of the controller (Art. 6(1)(f) GDPR) in securing the service and preventing abuse.

3. Personal Data Retention Period

Accounting and tax documents:

10 years from the end of the tax period (according to the Accounting Act)

Registrations and payments:

10 years from the race completion (for accounting and tax purposes)

User account and profile:

Until account deletion by the user or after 5 years of inactivity

Health data:

1 year after race completion, then automatically deleted

Audit logs and security records:

2 years from record creation

Email logs:

1 year from sending

After the retention period expires, personal data is securely deleted or anonymized in a way that prevents re-identification.

4. Sharing Personal Data with Third Parties

We may share your personal data with the following categories of recipients:

Stripe, Inc.

Purpose: Online credit card payment processing

Headquarters: 510 Townsend Street, San Francisco, CA 94103, USA

Legal basis: Standard contractual clauses approved by the European Commission

Stripe is a PCI DSS Level 1 certified payment service provider. More information at: https://stripe.com/privacy

Amazon Web Services (AWS)

Purpose: Platform hosting, document storage (S3), email sending (SES)

Region: EU (Frankfurt, eu-central-1)

All data is stored exclusively within the European Union. More information at: https://aws.amazon.com/privacy/

Race Organizers

Purpose: Organizing and conducting races

We only share data necessary for race organization with organizers (name, contact, vehicle data, start number, registration data). Each organizer is an independent data controller for their races.

We do not transfer data to third countries outside the EU/EEA except for Stripe and AWS, which have appropriate personal data protection guarantees.

5. Your Rights as a Data Subject

According to GDPR, you have the following rights:

Right of access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether we process your personal data and, if so, to obtain access to such data including a copy.

Right to rectification (Art. 16 GDPR)

You have the right to rectify inaccurate personal data and to complete incomplete data. Most data can be corrected directly in your user profile.

Right to erasure - "right to be forgotten" (Art. 17 GDPR)

You have the right to request the erasure of your personal data if they are no longer necessary for the purposes for which they were collected, or if you withdraw consent. This right is limited in cases where we have a legal obligation to retain data (e.g., accounting documents for 10 years).

Right to restriction of processing (Art. 18 GDPR)

You may request restriction of processing of your personal data if you contest their accuracy, the processing is unlawful, or you object to the processing.

Right to data portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used and machine-readable format (JSON) and the right to transmit that data to another controller.

Right to object (Art. 21 GDPR)

You have the right to object to the processing of your personal data that is based on the legitimate interest of the controller.

Right to withdraw consent (Art. 7(3) GDPR)

If processing is based on consent (e.g., health data), you may withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

You have the right to lodge a complaint with the supervisory authority for personal data protection:

Office for Personal Data Protection

Pplk. Sochora 27, 170 00 Praha 7

Tel.: +420 234 665 111

Email: posta@uoou.cz

Web: www.uoou.cz

How to exercise your rights?

To exercise your rights, contact us at info@czenduro.cz. We will respond without undue delay, at the latest within 30 days of receiving the request. If necessary, we may extend this period by an additional 2 months due to the complexity of the request; we will inform you of any such extension.

6. Personal Data Security

We take the security of your personal data very seriously. We have implemented the following technical and organizational measures:

Technical measures

  • Secure password storage using modern hashing algorithms
  • HTTPS/TLS encryption of all communication
  • Protection against brute-force attacks (automatic account locking)
  • Two-factor JWT token authentication
  • Encryption of sensitive data in the database
  • Regular security audits
  • Automatic security updates

Organizational measures

  • Access to personal data only for authorized persons
  • Data processing agreements with subcontractors
  • Regular employee training on GDPR
  • Data backup with geographic redundancy
  • Security incident response plan
  • Audit log of all access to personal data

Reporting security incidents

If we detect a personal data breach that could pose a risk to your rights and freedoms, we will inform you without undue delay (within 72 hours of detecting the incident) at your registered email address.

7. Cookies and Tracking Technologies

The CZEnduro platform uses the following types of cookies:

Essential cookies

These cookies are necessary for the basic functioning of the website and cannot be disabled.

  • JWT authentication token (valid for 7 days)
  • Session management
  • Security cookies (CSRF protection)

Functional cookies

Allow advanced features and personalization (e.g., language preferences).

Legal basis: Your consent (you can refuse them)

We do not use: Third-party analytics cookies, advertising cookies, or other tracking technologies for marketing purposes.

You can manage your preferences in your browser settings. Blocking cookies may limit platform functionality.

8. Automated Decision-Making and Profiling

The CZEnduro platform does not use automated decision-making or profiling within the meaning of Art. 22 GDPR. All decisions regarding registrations and race participation are made by human operators (race organizers or administrators).

9. Minors

The platform services are intended for persons over 16 years of age. Processing personal data of children under 16 requires consent from a parent or legal guardian.

If we discover that we have unintentionally collected personal data from a child under 16 without the consent of a legal guardian, we will immediately delete such data.

For parents/legal guardians: If you wish to exercise any data subject rights on behalf of your child, contact us at info@czenduro.cz. We will require identity verification and proof of legal guardianship.

10. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons.

We will inform you of material changes by email or through a visible notice on the platform at least 30 days before the changes take effect.

The date of the last update can be found at the top of this document. We recommend checking this policy regularly.

11. Contact Information

If you have any questions about the processing of your personal data or wish to exercise your rights, contact us:

Auto Trutnov s.r.o.

Registered office: Krkonošská 566, 541 01 Trutnov

Company ID: 25931270, Tax ID: CZ25931270

Person responsible for GDPR:

info@czenduro.cz

Final Statement

CZEnduro commits to complying with all applicable legal regulations in the field of personal data protection, especially Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and Act No. 110/2019 Coll., on personal data processing. We value your privacy and dedicate maximum effort to protecting your personal data.
