
Privacy policy

Last updated 2026-05-14.

Plain summary

RaceRecords stores the profile you create and the races you log, uses that data to compute age-graded percentages and personal records, and shows whatever you choose to make public at /u/your-handle. We run privacy-friendly, opt-in page-view analytics (Vercel Web Analytics), do not embed advertising trackers, and never sell or share your data.

What we collect

Profile: name, date of birth, gender, country, the handle you choose for your public URL, an optional bio, your visibility preference, your pace-unit preference (km or mi), and the four per-field visibility toggles that control what visitors see on your public profile.

Races: for each race you log, the date, race name, city, country, category (track or road), distance, chip time, whether the course was officially measured, and any of the optional fields you fill in (start time, age-group place, age-group finishers, official result link, Strava link, shoe brand, shoe model, comments).

Account: the email address you signed in with (managed by Supabase Auth) and standard server logs from our hosting platforms.

Strava connection (optional): when you connect your Strava account, we store the OAuth access and refresh tokens plus your Strava athlete ID so we can fetch the activities you have tagged as a Race. Tokens are server-only, never read by your browser. Imported races land as drafts that are private to you until you confirm the chip time. Disconnecting from Settings → Integrations revokes the token with Strava and deletes any drafts that have not been confirmed. If you revoke RaceRecords from inside Strava, the same cleanup runs automatically via Strava’s deauthorization webhook.

City lookup from finish coordinates: Strava frequently omits the city/country fields on imported activities. When that happens (and only when that happens), we send the finish coordinate of that activity to BigDataCloud’s free reverse-geocoding endpoint to translate it into a city name. No tokens, profile data, or other Strava activity fields are forwarded. The feature is on by default; you can turn it off any time from Settings → Integrations (“Look up city & country from finish coordinates”). With it off, imports land with whatever Strava itself provided and nothing is sent to BigDataCloud.

Why we store it

Date of birth and gender are needed for age-graded calculations (WMA 2023 for track, Alan Jones 2025 for road). Profile fields and race details power your dashboard and, when you opt in, your public profile. Email is used to sign you in.

Legal basis under GDPR: legitimate interest for operating the service you signed up for, plus your explicit consent when you choose to publish your profile.

Cookies

We use cookies that are strictly necessary to keep you signed in (set by Supabase Auth). There are no advertising trackers and no third-party scripts that profile you across sites. Your consent banner choice (accept or reject analytics) is recorded as a single value in your browser’s localStorage and nothing more.

Analytics

With your consent, we collect aggregated, privacy-friendly page views via Vercel Web Analytics and Core Web Vitals performance metrics via Vercel Speed Insights. Neither implementation sets tracking cookies, stores IP addresses, or fingerprints visitors across sites: Web Analytics derives a daily-rotating, hashed identifier to deduplicate visits, and Speed Insights reports anonymous browser-measured vitals (LCP, CLS, INP, …). We use the resulting counts and metrics to understand which pages people read and where performance regresses. No requests are sent until you click Accept on the consent banner; choosing Reject disables both for this browser.

Where the data lives

Database and authentication are managed by Supabase as our data processor. The web app is hosted on Vercel. Both providers are subject to their own privacy commitments; their documentation lists the regions they operate in.

Who can see your data

You always can, via the dashboard. The profile-level visibility you choose controls everyone else:

  • Private: only you. Your handle URL returns 404 for everyone else.
  • Unlisted: anyone with the link to /u/your-handle can read your profile, but search engines are asked not to index it.
  • Public: your handle URL is open and listed in the site sitemap so search engines can index it.

On top of that, per-field toggles control whether your race locations, age-group place + finishers, shoes, race notes, and exact age appear on the public view.

We never sell your data, never share it with advertisers, and never use it to train models.

Retention

Your data stays until you delete your account. There are no automatic deletions. Deleting your account removes your profile row, every logged race, and your authentication record from our database within the same request. There is no soft-delete or trash bin.

Security & incident response

Vulnerability reports go to support@racerecords.run with the subject prefix [security]. Acknowledgement target is 72 hours. Full policy, scope, and incident runbooks live at /legal/security.

If a confirmed breach involves your Strava connection (OAuth tokens or Strava activity data fetched via those tokens), we notify Strava within 24 hours of confirmation and you within 72 hours, as required.

Your rights

Under GDPR you have the right to:

  • Access: every field we store about you is visible in your dashboard and settings.
  • Portability: download a JSON file of everything from Settings → Your data → Download your data.
  • Correction: edit any field in settings or on a race directly.
  • Erasure: Settings → Delete account removes everything.
  • Object / restrict: flip your profile to private at any time. Public → private propagates immediately; the sitemap drops your handle within an hour.

Contact

Questions, corrections, or a request you can’t complete from within the app: email support@racerecords.run.

Changes to this policy

If we change what we store or how it’s used, we update this page and bump the “Last updated” date at the top. Material changes are flagged on the dashboard before they take effect.
