Privacy Policy
Last updated: April 26, 2026
1. Information We Collect
Account Information
When you create an account, we collect your display name, email address, and (if you set one) a password stored as a salted bcrypt hash. If you sign in via a third-party provider (Discord, Google, Facebook, iRacing), we receive your profile name, email, avatar, and a provider-specific account ID. We store the OAuth access and refresh tokens these providers issue so we can keep you signed in; these tokens are encrypted at rest with AES-256-GCM when RACEY_TOKEN_ENCRYPTION_KEY is configured.
Profile Information
You may add a bio, helmet image, banner, preferred car number, timezone, locale, and notification preferences. If you link a sim-racing platform, we store your external platform ID. When a platform makes profile details available, we may also store ratings, safety rating, license categories, and content ownership flags so we can display your profile and gate appropriately-licensed races.
League & Racing Data
League configurations, season schedules, registrations, race results, lap times, standings, point breakdowns, penalties, protests, appeals, steward votes, announcements, polls, race-control session logs, incidents, flags, messages, and audit-trail entries you create or have created on your behalf.
Technical & Operational Data
We log IP addresses (for rate limiting and abuse prevention), authentication audit-trail rows (action, entity, timestamp, IP), web push notification subscription endpoints (if you opt in), device timezone, and Stripe customer ID (if you upgrade to a paid plan).
2. How We Use Your Information
- To provide, maintain, and improve the Platform
- To authenticate your identity and secure your account
- To send transactional emails (account verification, password resets, league announcements you opt into, billing notices)
- To display public league information (standings, results, driver profiles)
- To detect and prevent abuse, fraud, and security incidents
- To diagnose errors and monitor service health (via our error-reporting sub-processor; see Section 4)
3. Lawful Basis for Processing (GDPR)
For users in the European Union, the United Kingdom, and other jurisdictions with comparable laws, we rely on the following lawful bases:
- Performance of a contract: account creation, league participation, payment processing
- Legitimate interests: fraud prevention, service security, error monitoring, transactional emails
- Consent: non-essential email opt-ins, web push notifications, optional sub-processor data sharing
- Legal obligation: retention of payment records, response to lawful authority requests
4. Sub-processors
We share necessary information with the following third-party processors. Each one is named, scoped, and limited to the data category required to perform its function. We do not sell your personal information.
| Provider | Region | Data Category | Purpose |
|---|---|---|---|
| Sentry | United States | Error stack traces, request URLs (with secret query params redacted), HTTP status codes, anonymized request context. Cookies and Authorization headers are stripped before transmission. | Error tracking and performance monitoring |
| Resend | United States | Recipient email address, subject, body content of transactional emails | Transactional email delivery (account verification, password reset, league announcements) |
| Stripe | United States, European Union | Email address, name, payment instrument identifiers (card last-4), billing address, transaction amounts, subscription status | Payment processing, subscription management, billing portal |
| Cloudflare | Global | IP address, browser fingerprint, captcha challenge response (Turnstile) | Bot protection on signup and signin forms |
| Discord | United States | Discord user ID, username, avatar, email (when you sign in via Discord OAuth) | OAuth sign-in, optional Discord channel notifications for leagues you administer |
| Google | United States, European Union | Google account email, name, profile picture (when you sign in via Google OAuth) | OAuth sign-in |
| Facebook | United States, Ireland | Facebook user ID, name, email (when you sign in via Facebook OAuth) | OAuth sign-in |
| iRacing | United States | iRacing customer ID; ratings, licenses, and content ownership when available | Sim-racing profile display and license-gated season eligibility |
| Anthropic | United States | Anonymized protest descriptions, race summary text (when AI features are enabled) | AI-assisted protest summaries, race reports (opt-in feature) |
We do not use advertising networks or marketing tracking cookies. Sentry (listed above) may set functional cookies for error monitoring and session replay when a crash occurs. The list above is exhaustive of the third parties to which your data flows.
5. International Transfers
Several of our sub-processors are located in the United States. When we transfer personal data of EU/UK users to a processor outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) or an equivalent transfer mechanism executed with each provider.
6. Data Retention
We retain your account data for as long as your account is active. If you delete your account, we anonymize personal identifiers within 30 days while retaining league-internal records (race results, standings, audit-trail rows, payment history) attributed to a "Deleted user" placeholder. This anonymization preserves the integrity of league championships and protest history without continuing to identify you. Stripe payment records are retained per our payment processor's legal requirements (typically 7 years for tax and audit purposes).
Activity Trail (administrative audit log)
Changes to leagues, organizations, teams, scoring rules, broadcast presets, memberships, and roles are recorded in an administrative Activity Trail. Free and Pro leagues retain Activity Trail rows on a rolling 365-day window; Enterprise retention is unlimited. Sensitive values (passwords, API keys, session tokens, authorization headers) are redacted before the row is written. When a user deletes their account, we anonymize the User row that the actor id points at and scrub the per-row IP address and free-text details from each Activity Trail entry they authored. The actor id itself is preserved so admins of the league or organization can verify the action's origin in their Activity Trail; the row remains accountable for the action.
Full details, including the redaction blocklist and upgrade/downgrade behavior, live in the Data Retention Policy.
7. Cookies
We use strictly-necessary and functional cookies only:
- Authentication: Session cookies (httpOnly, Secure, SameSite=Lax) to keep you signed in
- CSRF protection: Auth.js CSRF tokens
- Preferences: Theme selection, dismissed banners, onboarding progress
- Error monitoring: Sentry (see Section 4) may set functional cookies for error monitoring
We do not use advertising or marketing tracking cookies.
8. Your Rights
You have the right to:
- Access the personal data we hold about you (Settings → Account → Export)
- Correct inaccurate information (Settings → Profile)
- Delete your account, which anonymizes your personal data within 30 days (Settings → Account → Delete)
- Export your data in a portable JSON format (Settings → Account → Export)
- Opt out of non-essential communications (Settings → Notifications)
- Lodge a complaint with your supervisory authority (e.g., your national Data Protection Authority in the EU/UK)
For GDPR/CCPA requests beyond the self-service options, contact us at the address in Section 12.
9. Data Security
Your data is stored in encrypted databases. Passwords are hashed using bcrypt. OAuth access and refresh tokens are encrypted at rest with AES-256-GCM. Sessions use signed, httpOnly, Secure, SameSite=Lax cookies. All connections to the Platform use TLS 1.2 or higher. We log all administrative actions and review the audit log periodically. Despite these measures, no online service is 100% secure.
10. Breach Notification
If we become aware of a personal data breach that is likely to result in a risk to your rights or freedoms, we will notify affected users within 72 hours of becoming aware of it, in accordance with GDPR Article 33 and equivalent obligations.
11. Children
Racey is not intended for users under 13 years of age. We do not knowingly collect information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us and we will delete the information.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of material changes via email or a notice on the Platform.
13. Contact
Questions about this Privacy Policy? Contact us at privacy@racey.gg.