Privacy Policy
Last Updated: November 8, 2025
1. Introduction
TimeRacer ("we", "our", "us") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our GPS route racing application.
TimeRacer is operated from the United States and complies with the General Data Protection Regulation (GDPR) for users in the European Union and European Economic Area.
2. Data We Collect
2.1 Account Information
- Email address: Used for authentication and account recovery
- Username: Your public display name visible to other users
- Account creation date: Timestamp of when you registered
- Password: Stored securely using industry-standard encryption (we never see your actual password)
2.2 Route Data
- GPS coordinates: Latitude and longitude of checkpoints you create
- Route names and descriptions: Text you provide when creating routes
- Route metadata: Distance, difficulty level, category, and visibility settings
- Checkpoint details: Names, detection radius, and order of waypoints
2.3 Performance Data
- Time trial results: Your completion times for routes
- Checkpoint split times: Timestamps when you reach each checkpoint
- Leaderboard rankings: Your position relative to other users
2.4 Social Interaction Data
- Route likes: Routes you've marked as favorites
- Route ratings: Star ratings and reviews you submit
- View counts: Number of times your public routes are viewed
2.5 Analytics Data (Optional - Requires Your Consent)
- Page views: Which screens and features you use
- Navigation patterns: How you move through the app
- Feature usage: Which buttons and functions you interact with
- Device information: Browser type, operating system, screen size
- Anonymized IP address: General location (city/region level only)
- Session duration: How long you use the app
Important: Analytics tracking only occurs if you explicitly consent via the cookie banner. You can withdraw consent at any time in Settings.
3. Legal Basis for Processing
We process your personal data under the following legal bases as defined by GDPR:
- Contractual Necessity (GDPR Art. 6(1)(b)): Account information, route data, and performance data are necessary to provide the TimeRacer service you've signed up for
- Legitimate Interest (GDPR Art. 6(1)(f)): We have a legitimate interest in improving our service, preventing fraud, and ensuring security
- Consent (GDPR Art. 6(1)(a)): Analytics tracking via PostHog only occurs with your explicit, freely-given consent
4. Third-Party Services
We use the following third-party services to operate TimeRacer:
4.1 Supabase (Database & Authentication)
- Location: United States (AWS infrastructure)
- Purpose: Secure data storage, user authentication, and real-time features
- Data shared: All account, route, and performance data
- Privacy Policy: https://supabase.com/privacy
4.2 PostHog (Analytics - Optional)
- Location: United States
- Purpose: Product analytics and user behavior tracking (only with your consent)
- Data shared: Usage patterns, device info, anonymized location
- Privacy Policy: https://posthog.com/privacy
- Data retention: 12 months
4.3 Stripe (Payment Processing - Pro Users Only)
- Location: United States
- Purpose: Secure payment processing for Pro subscriptions
- Data shared: Email, payment information (we never see your card details)
- Privacy Policy: https://stripe.com/privacy
4.4 OpenStreetMap (Mapping)
5. Your Rights Under GDPR
As a data subject, you have the following rights:
5.1 Right to Access (Art. 15)
You can view your profile data in the app and download all your data using the "Download My Data" button in Settings.
5.2 Right to Rectification (Art. 16)
You can update your username and other profile information in Settings at any time.
5.3 Right to Erasure / "Right to be Forgotten" (Art. 17)
You can permanently delete your account and all associated data using the "Delete Account" button in Settings. This action is irreversible.
5.4 Right to Data Portability (Art. 20)
You can export all your data in JSON format using the "Download My Data" feature. This includes your profile, routes, checkpoints, time trial results, and social interactions.
5.5 Right to Object (Art. 21)
You can object to analytics tracking by declining the cookie consent banner or disabling analytics in Settings.
5.6 Right to Withdraw Consent (Art. 7(3))
You can withdraw your analytics consent at any time in Settings. This will stop all tracking immediately.
5.7 Right to Lodge a Complaint
If you believe we've mishandled your data, you have the right to lodge a complaint with your local data protection authority.
6. Data Retention
- Active accounts: Your data is retained indefinitely while your account exists
- Deleted accounts: All data is permanently removed from our production database within 30 days
- Backup data: Deleted data is removed from backups within 30 days
- Analytics data: PostHog retains analytics data for 12 months, then automatically deletes it
- Public routes: If you delete your account, your public routes are also deleted (they are not transferred to other users)
7. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in transit: All data is transmitted over HTTPS/TLS
- Encryption at rest: Database is encrypted using AES-256
- Password security: Passwords are hashed using bcrypt with salt
- Row Level Security: Database policies ensure users can only access their own data
- Regular backups: Daily automated backups with 30-day retention
- Access controls: Strict authentication and authorization on all API endpoints
8. Cookies and Local Storage
8.1 Essential Cookies (No Consent Required)
- Authentication tokens: Keep you logged in
- Session data: Maintain app state during your visit
- User preferences: Remember your settings (units, sound, etc.)
8.2 Analytics Cookies (Requires Consent)
- PostHog tracking: Only loaded if you accept the cookie banner
- User identification: Links your actions to your account (only if logged in and consented)
9. Children's Privacy
TimeRacer is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.
10. International Data Transfers
Your data is stored on servers located in the United States. If you are accessing TimeRacer from the EU/EEA, your data will be transferred internationally. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) with our service providers
- GDPR-compliant data processing agreements
- Regular security audits and compliance reviews
11. Changes to This Policy
We may update this privacy policy from time to time. When we make significant changes, we will notify you via email or through a prominent notice in the app. The "Last Updated" date at the top of this policy indicates when it was last revised.
12. Contact Us
If you have questions about this privacy policy or want to exercise your data rights, please contact us:
- Email: [email protected]
- Response time: We will respond to all requests within 30 days as required by GDPR
For data subject access requests, please include:
- Your full name and email address associated with your account
- A description of your request (access, deletion, correction, etc.)
- Any additional information that will help us verify your identity
13. Summary of Your Privacy Choices
πͺ
Analytics Tracking: Accept or decline in the cookie banner, or toggle in Settings
π₯
Download Your Data: Use "Download My Data" in Settings
ποΈ
Delete Your Account: Use "Delete Account" in Settings (irreversible)