Privacy Policy
Version: v1.0 (overseas / English) Effective date: 2026-06-02 Last updated: 2026-06-02 Scope: This Policy applies to the "Race Log" service (web at carting.hao456.pro, Android app on Google Play, iOS app on the App Store).
This Policy is written for an international audience and addresses EU GDPR, UK GDPR, California CCPA/CPRA, Canadian PIPEDA, Japanese APPI, South Korean PIPA, Brazilian LGPD, Google Play Data Safety, and Apple App Store Privacy requirements. Chinese users should refer to the simplified Chinese version (carting.hao456.pro/privacy) which addresses China PIPL requirements.
Introduction
Race Log (the "Service", "we", "us", "our") is a GPS-data analysis and AI-coaching tool for amateur karting and motorsport drivers. We take your privacy seriously.
Our core commitments:
- Data minimization — we only collect what's necessary to provide the Service.
- Explicit consent for anything beyond strict necessity.
- Right to be forgotten — you can delete your data at any time (see §13).
- Children's protection — we do not target users under 13 (US/most regions) or under 16 (EU).
Please read this Policy carefully before using the Service.
1. Information We Collect
1.1 Information you provide
| Data | When | Necessity |
|---|---|---|
| Email address | Sign-up | Required (login + password recovery) |
| Password (hashed, never plain) | Sign-up | Required |
| Display name | Profile | Optional |
| Real name | Profile | Optional |
| Avatar | Profile | Optional |
| City | Profile | Optional (for community filtering) |
| Karting experience / vehicle preference | Profile | Optional (personalizes report tone) |
1.2 Content you upload
| Content | Personal info included | Purpose |
|---|---|---|
| .vbo file | GPS track (lat/lon/speed/accel + timestamp) | Core analysis input |
| Data extracted from GoPro/DJI video | Same as above; video itself stays on your device | Same |
| Session notes / feedback | Free text you provide | Personal memory + service improvement |
| Custom track names | Text you provide | Convenience labeling |
Important: Video files are processed entirely on your device. We only receive the extracted GPS data (~MB-scale text), never the video bytes.
1.3 Automatically collected information
Device + runtime info (for diagnostics only)
- Device model, OS version, app version (via User-Agent)
- App crash / page-load-failure technical stack traces (does not include account contents or upload data)
We currently do not integrate any third-party advertising SDK or analytics tracking SDK. We do not collect click trails, page dwell time, or cross-app behavior.
Location information
- Karting GPS coordinates: included in the .vbo data you actively upload (i.e., the GPS trace of your driving session). Used to generate lap-time, line, and braking analyses. This is "user content" you provide; we do not acquire your real-time location via system location permission (the app currently does not request location permission).
- Track identification: the starting/ending GPS coordinates in your upload are sent to a mapping API to auto-match the track name.
We do not:
- Request or covertly access your system real-time location
- Sell your location data to third parties
2. How We Use Your Information & Legal Basis (GDPR Art. 6)
| Purpose | Data | Legal basis |
|---|---|---|
| Provide data analysis reports | Uploaded .vbo / GPS data | Contract (GDPR Art. 6(1)(b)) |
| Account login + security | Email, password | Contract |
| Cross-session progress tracking | Historical sessions | Consent (Art. 6(1)(a)) |
| Compare with other drivers on the same track (when session is public) | Public session GPS data | Explicit consent |
| Product improvement (crash logs, usage statistics) | Device info, usage data | Legitimate interest (Art. 6(1)(f)) |
| Push notifications (coach ready, new PB) | Email / device token | Consent |
| Customer support / user feedback | Feedback content you submit | Contract |
| AI coach feedback generation | Your session's analysis results | Contract |
| Data sanity audit | Your session's analysis results | Legitimate interest |
| Algorithm improvement (anonymized aggregated data) | Anonymized GPS / operation data | Consent (opt-out available in settings) |
3. What We Do Not Do
We commit to never:
- Sell your personal information to third parties.
- Use your data for advertising unrelated to the Service.
- Share your data with commercial partners without notifying you.
- Upload your videos to our servers (video processing is fully local).
- Access your phone's contacts or photos library without your explicit file picker selection.
4. Special Protection for Children
4.1 Age thresholds
- Under 13 (US / most regions, COPPA): We do not knowingly collect data from children under 13. Registration is prohibited unless a parent provides verifiable consent.
- Under 16 (EU, GDPR Art. 8): A parent or legal guardian must provide explicit consent. Some EU member states set the threshold at 13-16; we apply the most protective rule per the user's residence.
- 13-18: Where applicable, data is treated under "sensitive personal information" standards.
4.2 Collection principle
- Minimum necessary: optional fields default to disabled.
- No commercial profiling: we do not build user profiles or run ad targeting on minors.
- No third-party sharing beyond strictly necessary processors (cloud hosting).
4.3 Parental rights
- View all the minor's personal information at any time.
- Request correction or deletion.
- Withdraw consent / delete the minor's account.
Email 207319@qq.com if you discover a minor has registered without your consent — we will verify and act within 5 business days.
4.4 Safety reminder
This Service includes performance driving data analysis. Minors should:
- Use it under guardian/coach supervision.
- Not engage in unsafe driving based on lap-time data beyond their skill level.
- Operate only within track-marshal-permitted boundaries.
5. Data Storage
5.1 Storage location
- Account info, uploaded .vbo data, generated reports: stored on Supabase Cloud (database and object storage, servers located in the United States — AWS us-east-1 region).
- This means your personal data is processed and stored outside your country. See §10 for cross-border transfer details.
5.2 Retention periods
- Account info: for the lifetime of your account; on deletion, enters a 7-day soft-delete window then permanent deletion (see §13).
- Uploaded session data / reports: deleted alongside the account.
- AI coach feedback / audit invocation records: result is generated and persisted with the report; we do not retain separate long-term conversation logs.
- Crash / error logs: 90 days.
- Anonymized non-identifiable statistical data: may be retained long-term.
6. Data Sharing, Sub-processors, and Disclosure
6.1 Sub-processors
We use the following third-party data processors. Each processor is contractually bound by data-protection terms (DPA / SCC where applicable):
| Processor | Entity | Data shared | Purpose | Location |
|---|---|---|---|---|
| Supabase | Supabase, Inc. | Account info, uploaded .vbo data, report files | Cloud database + object storage | US (AWS us-east-1) |
| Vercel | Vercel, Inc. | Web access requests, edge cache | Web hosting + CDN | US (multi-region) |
| Railway | Railway Corp. | Pending analysis tasks | Backend compute | US |
| Anthropic | Anthropic PBC | Your session's analysis summary | AI coach narrative (Claude) | US |
| OpenAI | OpenAI L.L.C. | Your session's analysis summary (fallback) | LLM backup | US |
| ElevenLabs | ElevenLabs Inc. | Coach narration text | Voice synthesis for narration audio | US / UK |
| Google LLC | Push notification device token | FCM Push Notifications | US | |
| Sentry | Functional Software, Inc. | Anonymized crash logs | Error tracking | US |
| Apple | Apple Inc. | APNs device token (iOS only) | Push Notifications | US |
We do not share your personal information with third parties beyond the list above for any commercial purpose.
6.2 Transfer (corporate events)
We do not transfer personal data in the normal course of business. In the event of a merger, acquisition, or asset transfer, we will notify users prominently and ensure the new entity continues to honor this Policy.
6.3 Public disclosure
Only when required by law or with your explicit consent.
7. Your Rights (DSAR — Data Subject Access Request)
Under GDPR, UK-GDPR, CCPA, PIPEDA, APPI, and similar laws, you have these rights:
| Right | How to exercise |
|---|---|
| Right to know / access | Read this Policy; view "Me → Profile" in the app for your data; email 207319@qq.com to request an export |
| Right to rectification | Edit your profile fields directly; for content you cannot edit, email us |
| Right to erasure ("right to be forgotten") | Delete individual sessions in the session detail page; for full account deletion see §13 |
| Right to data portability | Email 207319@qq.com — we provide your account data + uploaded .vbo originals + analysis JSON within 15 business days, in machine-readable format |
| Right to object | Withdraw consent for optional processing (public session sharing, AI coach analysis); email us |
| Right to restrict processing | While we verify a complaint, you can request we pause processing |
| Right to withdraw consent | At any time, without affecting the lawfulness of prior processing |
| Right not to be subject to automated decisions | We do not make legally significant decisions about you using only automated processing |
| Right to complain | File with your national supervisory authority (see §15) |
SLA: We respond within 30 calendar days of receiving your request. For complex requests, we may extend by up to 60 days and will inform you of the extension.
8. Cookies and Similar Technologies
8.1 What we use
- Web: cookies for login session, language preference, no-tracking analytics (page visits only, no fingerprinting).
- App: local storage (SharedPreferences / UserDefaults) for login session and preferences.
8.2 Your choice
You may block cookies in your browser settings, but some features (login, language persistence) will not work.
8.3 What we do not use
- Third-party advertising / tracking cookies
- Cross-site behavioral analytics
- Fingerprinting beyond standard User-Agent
9. Security
We use reasonable technical and organizational measures:
9.1 Technical
- Transport: HTTPS / TLS 1.3
- Storage: passwords hashed with bcrypt; sensitive fields encrypted at rest
- Access control: Supabase Row Level Security (RLS) — users can only access their own data
- Vulnerability response: report to 207319@qq.com — first response within 24 hours
9.2 Organizational
- Least privilege: only essential personnel have backend access
- Audit logs: admin actions are logged and retained
- Periodic security training for personnel
9.3 Breach response
- In the event of a data breach affecting your rights, we will notify you within 72 hours via in-app notice + email.
- Concurrent notification to applicable regulators per GDPR Art. 33.
9.4 Your responsibility
- Keep your password secure
- Do not share your account
- Log out of public devices
10. International Data Transfers
The Service's primary cloud infrastructure (Supabase, Vercel, Railway, Anthropic, OpenAI, ElevenLabs, Sentry) is located in the United States. If you access the Service from outside the US:
10.1 Legal basis for transfer
- EEA / UK users: We rely on the European Commission's Standard Contractual Clauses (SCCs) and applicable supplementary measures. Sub-processors above are SCC-bound or otherwise covered by adequacy decisions where available.
- Other regions: Equivalent contractual protections.
10.2 What this means
- Your data crosses the border to the US for processing
- US data-protection laws may differ from your home country
- Government access requests to US providers are governed by US law
- You can object to processing or request data localization (we will explain options)
10.3 No data transfer to China
For users registered with non-Chinese phone number / non-Chinese email, your data does not transfer to China. AI coach narratives (Anthropic, OpenAI) and voice synthesis (ElevenLabs) are processed in the US / UK, not China.
11. California Residents (CCPA / CPRA Notice)
If you are a California resident:
11.1 Categories of personal information we collect
See §1. Categories under CCPA: Identifiers (email, name), Personal records (profile), Internet activity (limited), Geolocation (precise, from your uploads), Audio (if you generate narration), Inferences (driving style profile).
11.2 Sources
Directly from you (sign-up, uploads, profile editing).
11.3 Business purposes
See §2 (legal basis table).
11.4 Sharing for cross-context behavioral advertising
We do not share personal information for cross-context behavioral advertising. We do not "sell" personal information under CCPA's definition.
11.5 Your CCPA rights
- Right to know what we collect, source, and purpose
- Right to delete (see §13)
- Right to correct
- Right to opt out of sale / sharing (not applicable — we do not sell)
- Right to limit use of sensitive info (we do not use sensitive info for inference)
- Right to non-discrimination for exercising rights
To exercise: email 207319@qq.com with "CCPA Request" in the subject line. We respond within 45 days, with one 45-day extension if necessary.
12. Apple App Store Privacy Nutrition Label
| Data category | Collected | Linked to user | Used for tracking | Purpose |
|---|---|---|---|---|
| Contact info — Email / Phone | ✅ | Yes | ❌ | Account management |
| Contact info — Name | ✅ (optional) | Yes | ❌ | Account management |
| User content — Uploaded GPS telemetry | ✅ | Yes | ❌ | App functionality |
| Location — Precise (within your upload, not system location permission) | ✅ | Yes | ❌ | App functionality |
| Identifiers — Device ID (for crash reports) | ✅ | Yes | ❌ | App functionality |
| Diagnostics — Crash + performance data | ✅ | No | ❌ | App functionality |
We do not collect: browsing history, search history, health/fitness, financial info, contacts, behavioral analytics (no third-party tracking SDK).
We do not track across apps or websites (no ATT prompt triggered).
13. Account Deletion
You can delete your account through any of these channels — Google Play and Apple App Store compliance requires multiple access paths:
- In-app: Open the app → Me → Account → "Delete Account". Submit confirmation.
- Public web URL (no login required, works after uninstall): visit carting.hao456.pro/account/delete and submit the form with your registered email.
- Email: send a deletion request to 207319@qq.com with your registered email address.
13.1 Deletion process
- Submission: We receive your deletion request.
- Verification: We send a confirmation email to your registered address (to prevent unauthorized deletion).
- Soft-delete (7-day window): After confirmation, your account is marked deleted — you can no longer log in, and the account is invisible in the product. During these 7 days, contact us to recover if you change your mind.
- Permanent deletion: After 7 days, your account, uploaded data, reports, and personal information are permanently deleted from active databases and object storage. This is irreversible.
13.2 Deletion scope (matches Google Play Data Safety declaration)
The following are permanently deleted:
- Account info (email, phone, name, avatar, profile, preferences)
- All session uploads (.vbo files, GPS tracks)
- All generated reports (analysis JSON, coach narratives, narration audio)
- Custom track names, session notes, feedback records
- Login history, device info
The following may be retained:
- Anonymized statistics (lap-time leaderboard samples with all personal identifiers stripped — these contribute to community benchmarks but cannot be linked back to you).
- Financial / billing records (if you had a subscription, per tax law minimum 7-year retention; no personal identifiers beyond what tax law requires).
- Content legally required to retain (per statutory periods).
13.3 SLA
- Acknowledgment: within 3 business days
- Confirmation email sent: within 7 business days
- Permanent deletion: 7 days after your confirmation
14. Changes to This Policy
14.1 We may update this Policy from time to time.
14.2 Material changes (expansion of data collection, new sub-processors, new sharing scope) will be notified prominently within the app or by email, and require renewed explicit consent.
14.3 Continued use of the Service after non-material updates is deemed acceptance.
15. Contact Us
| Channel | Contact |
|---|---|
| Data Protection Contact | 207319@qq.com |
| Mailing address | Shenyang City, Liaoning Province, China |
| In-app feedback | Me → About → Contact Us |
| DPO (not legally required for individual operator, but provided as best practice) | 207319@qq.com |
Response SLA: We respond to data-protection requests within 15 business days of receipt. Complex requests may take up to 30 days, with notification of any extension.
16. Regulatory Authorities (file a complaint)
If you believe we have violated your rights, you may file a complaint with the supervisory authority in your jurisdiction:
- EU: Your national Data Protection Authority. List: edpb.europa.eu/about-edpb/about-edpb/members_en
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- California: California Privacy Protection Agency (CPPA) — cppa.ca.gov
- Canada: Office of the Privacy Commissioner — priv.gc.ca
- Japan: Personal Information Protection Commission (PPC) — ppc.go.jp
- South Korea: Personal Information Protection Commission — pipc.go.kr/eng
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
Operator Information
| Item | Value |
|---|---|
| Operating entity | Wang Yufeng (individual) |
| Country of registration | China |
| Service primary infrastructure region | United States |
| Service availability | Worldwide (excluding sanctioned jurisdictions) |
| Data Protection Contact | 207319@qq.com |