Privacy Policy

1. Who We Are

RaceLyx is a race timing and management platform. Our service is provided at racelyx.com. When we refer to "we", "us", or "our", we mean the RaceLyx service and its operators.

2. What Data We Collect

• Account information: Email address, display name, and password (stored as a salted PBKDF2 hash - never plaintext).
• Hardware ID: A fingerprint of the computer running the RaceLyx desktop application, used to enforce license terms and prevent trial abuse.
• Race session results: Lap times, positions, and session metadata uploaded by track operators running RaceLyx timing software. This data is publicly visible.
• Driver profile: Optional information you provide such as car number, race class, team name, and biography.
• Push notification subscriptions: If you opt in to race-start notifications, we store your browser's push endpoint and encryption keys (provided by your browser vendor).
• Registration data: Driver name, car number, class, and transponder ID submitted through online pre-registration forms.

3. How We Use Your Data

• To authenticate you and manage your subscription license.
• To display your race history and driver profile to other users.
• To send you account-related emails (email verification, account notices).
• To deliver push notifications when you have opted in.
• To provide track operators with pre-registration information.
• We do not sell your data to third parties.
• We do not use your data for advertising.

4. Data Retention

• Race session data: Retained for 90 days from the date of the session.
• Account and profile data: Retained until you delete your account or request erasure.
• Pre-registration data: Retained for 7 days after submission.
• Email verification codes: Expire automatically after 24 hours.

5. Third-Party Services

• Cloudflare: We host our website and API on Cloudflare Pages and use Cloudflare Workers KV for data storage. Cloudflare may process network-level data subject to their privacy policy at cloudflare.com/privacypolicy.
• ZeptoMail: We use ZeptoMail (by Zoho) to deliver transactional emails. Your email address is passed to ZeptoMail solely for delivery of messages you have triggered (e.g., email verification).
• Browser push services: Push notifications are delivered through your browser vendor's infrastructure (e.g., Google FCM, Mozilla, Apple APNs). Your push endpoint is shared with these services when we deliver a notification.

6. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or a jurisdiction with similar data protection laws, you have the following rights:

• Right to access: Request a copy of all data we hold about you (see "Export My Data" below).
• Right to erasure: Request deletion of all your personal data (see "Delete My Account" below).
• Right to rectification: Update your profile information at any time via your Profile page.
• Right to restrict processing: Contact us to limit how we use your data.
• Right to data portability: Export your data in machine-readable JSON format (see below).

To exercise rights not covered by the tools below, email us at privacy@racelyx.com.

7. Cookies & Local Storage

We use browser localStorage to store your authentication token and preferences. We do not use tracking cookies or third-party analytics cookies. Our service worker may cache static assets for offline functionality.

8. Security

Passwords are hashed using PBKDF2 with SHA-256 and a unique salt before storage. All data is transmitted over HTTPS. We use HMAC-SHA256 signed JWT tokens for authentication. We do not store payment information - licensing is handled separately.

9. Children's Privacy

Our service is not directed at children under 13. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such data, please contact us for immediate deletion.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via the email address associated with your account or via a notice on this page.