How we collect, use, and protect your personal data
The data controller responsible for personal data processed through the Make A Camp platform (“Platform”, “Service”, or “Application”) is:
| Name | Make A Camp |
| info@makeacamp.com | |
| Website | makeacamp.com |
If you have any question relating to the processing of your personal data, or you wish to exercise any of your rights described in this Policy, please contact us at the address above. (GDPR Art. 13(1)(a); Infotv. § 20(1)(a))
The following key terms are used throughout this Policy:
This Policy applies to all personal data processed in connection with the Make A Camp platform, including:
This Policy covers both:
The categories of personal data processed via the Platform are described below. (GDPR Art. 13(1)(d); Infotv. § 20(1)(c))
When you create an account or log in using Google Sign-In (OAuth 2.0 / Firebase Authentication), we receive from Google the following data:
To personalise your experience, we store the following non-sensitive preference data linked to your account:
When an account holder creates a camp, the following data is collected and stored:
When camp operators invite collaborators:
Camp operators design custom registration forms. The exact data collected depends on the form configuration. Typical categories include, but are not limited to:
| Category | Typical Fields |
|---|---|
| Identity data | Full name, date of birth, gender |
| Contact data | E-mail address, telephone number, home address |
| Health and special-needs data | Allergies, dietary requirements, medical conditions, medication, physical or mental disabilities |
| Guardian / parental data | Parent or guardian name, contact information (typically when the participant is a minor) |
| Emergency contact data | Name, relationship, phone number |
| Camp logistics data | Room assignment, group/team selection, staff area selection, attendance declarations |
| Financial data | Camp fees, payment status, currency, cost breakdown per participant |
| Tournament / activity data | Competition results, points, scores, group rankings |
| Free-text responses | Any answer to open-ended form questions as configured by the camp operator |
Every data-modifying action performed by account holders is automatically logged. Each audit log record contains:
We process personal data only when we have a valid legal basis to do so. (GDPR Art. 6; Infotv. § 5)
| Processing Purpose | Legal Basis (GDPR Art. 6) | Details |
|---|---|---|
| Account creation and authentication | Art. 6(1)(b) – Contract performance | Necessary to provide you with access to the Platform and its features. |
| Operating and delivering Platform features (camps, forms, timetables, rooms, tournaments, etc.) | Art. 6(1)(b) – Contract performance | Core service delivery; without this processing the Service cannot function. |
| Processing participant registration form data on behalf of camp operators | Art. 6(1)(b) – Contract performance and / or Art. 6(1)(a) – Consent (as determined by the camp operator as independent data controller) | Make A Camp acts as a data processor. The camp operator is the data controller of participant data and must ensure a valid legal basis applies. |
| Storing user interface preferences | Art. 6(1)(f) – Legitimate interests | Providing a consistent, personalised user experience. No adverse effect on data subjects. |
| Maintaining audit logs | Art. 6(1)(f) – Legitimate interests | Accountability, security, traceability of data changes, fraud prevention, and compliance with legal obligations. Access is strictly restricted to camp administrators. |
| Member invitation management | Art. 6(1)(b) – Contract performance | Necessary to enable collaboration features of the Platform. |
| Attendance tracking (check-in / check-out) | Art. 6(1)(b) – Contract performance and / or Art. 6(1)(f) – Legitimate interests | Safety and organisational management during camp operations. |
| Generating and exporting data reports (PDF, XLSX, CSV) | Art. 6(1)(b) – Contract performance | Providing operators with tools to manage their camp data. Export files are generated locally on the user’s device and not transmitted to external servers. |
| Complying with legal obligations | Art. 6(1)(c) – Legal obligation | Where we are required by applicable law to retain or disclose data. |
| Defending or establishing legal claims | Art. 6(1)(f) – Legitimate interests | Preserving evidence in case of legal disputes. Processing is strictly limited to what is necessary. |
Regulation (EU) 2016/679 Article 9 and Act CXII of 2011 § 5(2) provide heightened protection for “special category” data, including data revealing health conditions, disabilities, dietary requirements linked to religion, and other sensitive attributes.
The Platform’s customisable registration forms may be configured by camp operators to collect special-category data (e.g., allergies, medical conditions, dietary requirements). Where this occurs:
Camps frequently involve minors (persons under the age of 18 and, for certain online services, under 16). (GDPR Art. 8; Infotv. § 5(1))
We engage the following data processors who process personal data on our behalf. All processors are bound by data processing agreements (DPAs) in accordance with GDPR Art. 28. (GDPR Art. 13(1)(e); Infotv. § 20(1)(e))
| Processor | Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA |
| Services used | Firebase Authentication, Cloud Firestore database, Firebase Storage (configured), Firebase Cloud Messaging (configured, not currently active) |
| Data processed | All data stored in the Platform (user accounts, camp data, participant form data, audit logs, etc.) |
| Purpose | Authentication services; primary cloud database storage; file storage infrastructure |
| DPA reference | Google Cloud Data Processing and Security Terms (cloud.google.com/terms/data-processing-addendum) |
| Transfer safeguard | EU Standard Contractual Clauses (SCCs) – see Section 9 |
User interface preferences (dark mode, language, layout settings) are stored locally on the user’s own device using the device operating system’s shared preferences mechanism (SharedPreferences on Android / iOS; local storage on web). This data does not leave the user’s device to any third party other than Google Firebase (see 8.1 above).
PDF, Excel (XLSX), and CSV exports are generated entirely on the user’s device using
on-device libraries (pdf, excel, printing). The resulting files
are saved directly to the user’s device and are not transmitted to any external server
or third party by Make A Camp.
The following services are configured in the application infrastructure but are not currently active and do not process any personal data:
All personal data processed by the Platform is stored in Google Cloud Firestore. Google LLC is a US-based entity. (GDPR Chapter V; Infotv. § 8)
Transfers to the United States are safeguarded by:
You can review Google’s data protection practices at policies.google.com/privacy. To request a copy of the applicable SCCs, contact us at info@makeacamp.com.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. (GDPR Art. 5(1)(e); Infotv. § 4(2))
| Data Category | Retention Period | Basis for Retention |
|---|---|---|
| Account data (name, email, UID) | Duration of the account; deleted upon account deletion | Contract performance |
| User preferences | Duration of the account; deleted upon account deletion | Contract performance / legitimate interests |
| Camp data and all sub-data (timetables, schedule entries, rooms) | Until the camp is deleted by the operator; maximum 5 years after camp end date unless extended by operator | Contract performance |
| Participant registration form responses | Until the form or camp is deleted by the operator; deleted on operator’s instruction | Contract performance (operator as data controller) |
| Attendance records | Same as participant form responses | Contract performance |
| Audit logs | 5 years from the date of the logged action, unless a shorter or longer period is required by applicable law | Legitimate interests (security, accountability, legal defence) |
| Member invitation records | Duration of camp membership; deleted with camp or upon member removal | Contract performance |
| Financial data (per-camp aggregates and per-participant costs) | 8 years following the end of the financial year in which the camp took place (Act C of 2000 on Accounting – Számviteli törvény, § 169) | Legal obligation |
| Dismissed tips | Duration of the account | Legitimate interests |
Upon expiry of the applicable retention period, personal data is deleted or anonymised in a manner that prevents re-identification.
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. (GDPR Art. 32; Infotv. § 7)
Despite our best efforts, no method of electronic transmission or storage is 100% secure. In the event of a personal data breach, we will follow the procedures described in Section 15.
The Make A Camp web application uses local storage and session storage mechanisms in the user’s browser (the functional equivalent of cookies). (Directive 2002/58/EC as amended by Directive 2009/136/EC; Infotv. § 13/A)
| Storage Item | Type | Purpose | Duration |
|---|---|---|---|
| Firebase authentication token | Local storage (managed by Firebase SDK) | Maintains logged-in session; avoids repeated authentication on page reload | Until sign-out or token expiry |
| User interface preferences (dark mode, language, layout, etc.) | Local storage (SharedPreferences / browser local storage) | Saves user preferences between sessions | Until cleared by user or account deletion |
We do not use advertising cookies, cross-site tracking cookies, analytics cookies, or any third-party cookies of our own accord. Google Firebase may set its own cookies or use local storage for authentication state management; refer to Google’s Cookie Policy for details.
Under the GDPR and Infotv., you have the following rights regarding your personal data. (GDPR Arts. 15–22; Infotv. §§ 14–21)
You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data together with information about the processing.
You have the right to request the correction of inaccurate personal data or the completion of incomplete data without undue delay.
You may request the deletion of your personal data where:
The right to erasure does not apply where retention is required by law (e.g., accounting records).
You may request that we restrict processing of your data (i.e., retain it but not use it) in certain circumstances, for example while we verify a dispute about accuracy or where processing is unlawful but you oppose erasure.
Where processing is based on your consent or a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV), and to transmit it to another controller.
Where processing is based on legitimate interests (Art. 6(1)(f)), you have the right to object at any time on grounds relating to your particular situation. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests or the processing is necessary for the establishment, exercise, or defence of legal claims.
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal or similarly significant effects. See also Section 14.
Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
To exercise any of the above rights, contact us at:
info@makeacamp.com
Please include your full name, e-mail address associated with your account, and a clear description
of your request. We will respond within 30 days; in complex cases we may extend
this period by a further 60 days, and will notify you accordingly.
(GDPR Art. 12(3); Infotv. § 16(3))
Exercising your rights is free of charge. If requests are manifestly unfounded or excessive (in particular due to their repetitive character), we may charge a reasonable administrative fee or refuse to act on the request. (GDPR Art. 12(5))
If you are a camp participant whose data was submitted via a registration form, the camp operator is the data controller of that data. While Make A Camp can assist in responding to your request as a data processor, you should first direct your request to the camp operator who collected your data. If you do not know who the operator is, contact us at info@makeacamp.com and we will endeavour to help.
Make A Camp does not use automated decision-making or profiling that produces legal or similarly significant effects on any individual. (GDPR Art. 22; Infotv. § 20(1)(i))
Automated features within the Platform (e.g., auto-assignment of groups, automatic totalling of tournament scores, financial aggregations) are operational tools provided to camp operators and do not produce legal effects on participants.
In the event of a personal data breach, we will: (GDPR Arts. 33–34; Infotv. § 25/L)
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. (GDPR Art. 13; Infotv. § 20)
Previous versions of this Policy are available on request by contacting info@makeacamp.com.
For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data:
| info@makeacamp.com | |
| Subject line | “Privacy Request – [Your Name]” |
| Website | makeacamp.com |
You have the right to lodge a complaint with the competent data-protection supervisory authority at any time, in particular in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement. (GDPR Art. 77; Infotv. § 52)
The competent authority in Hungary is:
| Authority | Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) National Authority for Data Protection and Freedom of Information |
| Address | 1055 Budapest, Falk Miksa utca 9–11., Hungary |
| Telephone | +36 1 391 1400 |
| ugyfelszolgalat@naih.hu | |
| Website | www.naih.hu |
We encourage you to contact us first before filing a complaint with the NAIH, so that we can endeavour to resolve any concern directly and promptly.
© 2026 Make A Camp. All rights reserved.
This Privacy Policy was last reviewed by the data controller on 18 April 2026.
Governing law: Regulation (EU) 2016/679 (GDPR); Act CXII of 2011 (Infotv.); applicable Hungarian
law.