Privacy Policy
Effective date: 3 July 2026 · Last updated: 3 July 2026
1. Data controller and contact
Privacy contact: [email protected]
Postal address available on request.
We are not required by the GDPR to appoint a Data Protection Officer, but our privacy inbox is monitored and responses are provided within 30 days.
2. What data we collect and why
| Category | Examples | Purpose | Legal basis |
|---|---|---|---|
| Account | Email, first/last name, password hash, sign-in provider (Google / Facebook / Strava) | Create your account, sign you in | Contract (Art. 6(1)(b)) |
| Race preferences | Races you save (❤️), reminder timing, sport categories | Show your saved-races list, schedule registration-open reminders | Contract (Art. 6(1)(b)) |
| Push tokens | Web Push endpoint (VAPID), APNs/FCM device tokens | Deliver push notifications | Consent (Art. 6(1)(a)) |
| Location | Approximate GPS at app open, only if you allow it | Detect if you are near a race you've saved, suggest nearby lodging | Consent (Art. 6(1)(a)) |
| Usage analytics | Pages viewed, API endpoints hit, timestamps, coarse user-agent (~200 chars) | Fix bugs, improve the product, measure feature adoption | Legitimate interests (Art. 6(1)(f)) |
| Affiliate attribution | Click ID (`clickref` / `sub_id`) linked to your account when you tap an outbound affiliate link | Credit any cashback earned when the third-party network confirms the conversion | Contract (Art. 6(1)(b)) |
| Billing | Stripe customer ID, invoice history, plan tier | Manage paid subscriptions, issue receipts | Contract (Art. 6(1)(b)); Legal obligation for tax records (Art. 6(1)(c)) |
| Communications | Support emails, replies to notifications | Answer your questions, resolve issues | Legitimate interests (Art. 6(1)(f)) |
We do not collect or store payment card numbers — Stripe handles all card data on its own PCI-compliant infrastructure. We do not process any special-category data (health, biometric, racial or ethnic) as defined in Article 9 of the GDPR.
3. Cookies and similar technologies
race.travel uses a single first-party session cookie (race_travel_athlete)
to keep you signed in. It is HTTP-only, SameSite=Lax, and lasts 30 days.
We do not deploy third-party advertising cookies. Affiliate networks (e.g. Awin, Travelpayouts) place their own cookies only after you click an outbound affiliate link — that click sends you to their domain where their cookie policy applies. We use IAB TCF-2 compatible consent when required by your region.
4. Who we share data with
We share limited data only with the following processors and only for the purposes listed:
- Stripe, Inc. — payment processing (billing data only)
- Mailgun (Sinch Email) — transactional email delivery (email + first name)
- Apple Push Notification service and Firebase Cloud Messaging (Google) — push delivery (device tokens only)
- Cloudflare — content delivery, DDoS protection, edge cron (technical request data only)
- Awin, Booking.com, Travelpayouts, GetYourGuide, RunSignup and similar affiliate networks — we forward an anonymous click identifier when you tap an outbound affiliate link so any cashback you earn can be attributed back to your race.travel account. We do not send them your email, name or account contents.
We never sell your personal data. We do not share your data for behavioural advertising. We do not perform automated decision-making with legal effects as defined in Article 22 of the GDPR.
5. International transfers
Our infrastructure is hosted in the European Union (Estonia and Germany). Some processors (Stripe, Mailgun, Google/Firebase, Apple, Cloudflare) are based in the United States or process data globally. Transfers to these processors are covered by (a) the EU-US Data Privacy Framework where the processor is certified, and/or (b) the European Commission's Standard Contractual Clauses (SCCs, 2021/914).
6. How long we keep data
- Account data — for as long as your account exists, plus 90 days after deletion for backup rotation.
- Race preferences and favorites — same as account data.
- Push tokens — deleted immediately when a device unsubscribes or the token expires.
- Usage analytics — 24 months maximum, then aggregated and anonymised.
- Affiliate conversion records — 7 years for accounting purposes (mandatory retention under Estonian bookkeeping law).
- Support emails — 24 months.
7. Your rights (GDPR, Articles 15–22)
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Erase your data ("right to be forgotten")
- Restrict or object to certain processing
- Export your data in a machine-readable format (data portability)
- Withdraw your consent at any time (without affecting the lawfulness of processing prior to withdrawal)
- Lodge a complaint with a supervisory authority — in Estonia, the Data Protection Inspectorate (Andmekaitse Inspektsioon), or the supervisory authority in your EU country of residence
To exercise any of these rights, email [email protected]. We respond within 30 days, extendable once by 60 days for complex requests. Deleting your account from the settings screen triggers immediate erasure of your race preferences, push tokens, saved trips and personally identifying fields; anonymised analytics may remain.
8. Security
- Passwords stored as salted hashes (never in plain text)
- All traffic served over HTTPS with modern TLS ciphers
- Session cookies are HTTP-only and SameSite-restricted
- Push notification credentials are stored server-side only
- Database access is restricted, encrypted at rest, and audit-logged
9. Children
race.travel is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, email [email protected] and we will delete it promptly.
10. Changes to this Policy
We may update this Policy to reflect new features, processors or legal requirements. Material changes will be announced in-app or by email at least 14 days before they take effect. The "Last updated" date at the top always reflects the current version.