Privacy Policy

Effective date: 3 July 2026 · Last updated: 3 July 2026

This Policy explains how Cyber System OÜ (Estonia, EU — the "Controller") processes personal data through the race.travel service. It is designed to comply with the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).

1. Data controller and contact

Cyber System OÜ · Tallinn, Estonia (EU) · Established 2004
Privacy contact: [email protected]
Postal address available on request.

We are not required by the GDPR to appoint a Data Protection Officer, but our privacy inbox is monitored and responses are provided within 30 days.

2. What data we collect and why

CategoryExamplesPurposeLegal basis
Account Email, first/last name, password hash, sign-in provider (Google / Facebook / Strava) Create your account, sign you in Contract (Art. 6(1)(b))
Race preferences Races you save (❤️), reminder timing, sport categories Show your saved-races list, schedule registration-open reminders Contract (Art. 6(1)(b))
Push tokens Web Push endpoint (VAPID), APNs/FCM device tokens Deliver push notifications Consent (Art. 6(1)(a))
Location Approximate GPS at app open, only if you allow it Detect if you are near a race you've saved, suggest nearby lodging Consent (Art. 6(1)(a))
Usage analytics Pages viewed, API endpoints hit, timestamps, coarse user-agent (~200 chars) Fix bugs, improve the product, measure feature adoption Legitimate interests (Art. 6(1)(f))
Affiliate attribution Click ID (`clickref` / `sub_id`) linked to your account when you tap an outbound affiliate link Credit any cashback earned when the third-party network confirms the conversion Contract (Art. 6(1)(b))
Billing Stripe customer ID, invoice history, plan tier Manage paid subscriptions, issue receipts Contract (Art. 6(1)(b)); Legal obligation for tax records (Art. 6(1)(c))
Communications Support emails, replies to notifications Answer your questions, resolve issues Legitimate interests (Art. 6(1)(f))

We do not collect or store payment card numbers — Stripe handles all card data on its own PCI-compliant infrastructure. We do not process any special-category data (health, biometric, racial or ethnic) as defined in Article 9 of the GDPR.

3. Cookies and similar technologies

race.travel uses a single first-party session cookie (race_travel_athlete) to keep you signed in. It is HTTP-only, SameSite=Lax, and lasts 30 days.

We do not deploy third-party advertising cookies. Affiliate networks (e.g. Awin, Travelpayouts) place their own cookies only after you click an outbound affiliate link — that click sends you to their domain where their cookie policy applies. We use IAB TCF-2 compatible consent when required by your region.

4. Who we share data with

We share limited data only with the following processors and only for the purposes listed:

We never sell your personal data. We do not share your data for behavioural advertising. We do not perform automated decision-making with legal effects as defined in Article 22 of the GDPR.

5. International transfers

Our infrastructure is hosted in the European Union (Estonia and Germany). Some processors (Stripe, Mailgun, Google/Firebase, Apple, Cloudflare) are based in the United States or process data globally. Transfers to these processors are covered by (a) the EU-US Data Privacy Framework where the processor is certified, and/or (b) the European Commission's Standard Contractual Clauses (SCCs, 2021/914).

6. How long we keep data

7. Your rights (GDPR, Articles 15–22)

You have the right to:

To exercise any of these rights, email [email protected]. We respond within 30 days, extendable once by 60 days for complex requests. Deleting your account from the settings screen triggers immediate erasure of your race preferences, push tokens, saved trips and personally identifying fields; anonymised analytics may remain.

8. Security

9. Children

race.travel is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, email [email protected] and we will delete it promptly.

10. Changes to this Policy

We may update this Policy to reflect new features, processors or legal requirements. Material changes will be announced in-app or by email at least 14 days before they take effect. The "Last updated" date at the top always reflects the current version.