RACETO.DAY

Privacy Policy

RACETO.DAY is committed to protecting your privacy. This policy explains how we collect, use, and protect your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR).

Effective date: May 8, 2026

Data Controller

The data controller is WKLEIN, EURL registered under SIREN 814 178 752. For any questions regarding your personal data, you can reach us via Messenger (messenger.com/t/61579261292968) or Discord (discord.com/invite/eMpe88JbN6).

Data We Collect

We collect different types of data depending on how you use our platform:

Account Data (when you log in via Discord or Google)

When you sign in using Discord or Google OAuth, we receive and store:

  • Your provider account ID (Discord user ID or Google account ID)
  • Your username or display name (as provided by your authentication provider)
  • Your email address (as provided by your authentication provider)
  • Your avatar or profile picture URL

Profile Data (optional, provided by you)

You may choose to enrich your profile with the following information:

  • Display name
  • Bio (up to 500 characters)
  • Country
  • Experience level (beginner, intermediate, advanced)
  • Vehicle types (auto, moto, drift)
  • Profile visibility setting (public, registered users only, or private)

Location Data (optional, stored on our servers)

If you choose to add your location to your profile, we store:

  • Approximate geographic coordinates, automatically rounded to ~11 km precision for your privacy
  • A city/region label (e.g. "Paris, FR")

Location is only stored if you explicitly add it via your profile settings. You can toggle visibility on the community map at any time using the "Show location" switch, or remove your location entirely. Your precise address is never stored.

Usage Data

When you interact with the platform, we store:

  • Favorited events and circuits
  • Event attendance (RSVPs)
  • Saved search filters and notification preferences
  • Group memberships, proposals, votes, posts, comments, and likes
  • Vehicle build profiles, specifications, images, and timeline entries
  • Posts and timeline entries (personal, build journal, and group posts), including text, images, and linked YouTube videos
  • Build photo galleries and image attachments uploaded with comments
  • Push notification subscription endpoints (browser-provided opaque identifier) when you opt in to push notifications

Data Stored Locally on Your Device

Some data is stored in your browser's localStorage and never sent to our servers unless you log in:

  • Favorites (synced to your account upon login)

Cookies

We use the following cookies. The first three are strictly necessary for the platform to function. Analytics cookies are only set if you accept them via the cookie banner:

CookieDescription
authjs.session-tokenAuthentication session cookie. Encrypted JWT containing your user ID and roles. Expires when the session ends.
NEXT_LOCALEStores your preferred language. Persists across sessions.
cookie-consentRecords whether you have accepted or dismissed the cookie notice.
_gaGoogle Analytics cookie used to distinguish users. Set only if you accept analytics cookies. Expires after 2 years.
_ga_*Google Analytics cookie used to maintain session state. Set only if you accept analytics cookies. Expires after 2 years.

How We Use Your Data

We process your personal data for the following purposes:

  • Authentication and account management
  • Providing platform features (favorites, attendance, saved searches, groups, builds)
  • Sending push notifications for saved search matches and group activity (only if you opt in)
  • Displaying your public profile and approximate location on the community map (only if you set your profile visibility to public and enable location sharing)
  • Displaying your vehicle build profiles publicly in the community

Legal Basis for Processing

We process your data under the following legal bases as defined by GDPR Article 6:

  • Consent (Art. 6(1)(a))For push notifications, public profile visibility, location sharing on the community map, and optional profile information.
  • Performance of contract (Art. 6(1)(b))For providing the core service when you create an account.
  • Legitimate interest (Art. 6(1)(f))For platform security, abuse prevention, and service improvement.

Third-Party Services

We use the following third-party services. No personal data is shared with them except as described:

  • Amazon Web Services (AWS)Our application and database are hosted on AWS infrastructure in the eu-west-1 (Ireland) region. AWS acts as a data processor under GDPR. All data remains within the European Union. AWS's Data Processing Addendum (DPA) applies.
  • Cloudflare R2Cloudflare R2 (S3-compatible object storage) hosts user-uploaded images: build covers, build photo galleries, timeline entry images, comment image attachments, group avatars/covers, organizer logos and gallery photos. Images are processed (resized, re-encoded to WebP) before storage. Cloudflare acts as a data processor under GDPR.
  • Browser push servicesBrowser push services (Mozilla autopush, Apple Push Notification service, Google FCM) deliver push notifications. We send the notification content directly to the endpoint URL your browser provided; we do not share your data with these services beyond what is required by the Web Push protocol.
  • Google AnalyticsUsed for anonymous usage analytics (page views, session duration). Only activated if you accept analytics cookies via the cookie banner. Google may transfer data to the United States under the EU-US Data Privacy Framework. Google's privacy policy applies.
  • Google OAuthUsed as an authentication provider. We receive your public profile information (name, email, profile picture) during the OAuth flow. If you sign in with Google, your account may be linked to an existing account with the same email address. Google's privacy policy applies.
  • DiscordUsed as an authentication provider. We receive your public profile information (name, email, avatar) during the OAuth flow. Discord's privacy policy applies to your Discord account.
  • OpenStreetMapMap tiles and geocoding provided by OpenStreetMap. Your IP address is visible to tile servers when viewing the map (community map, event maps). No personal data is transmitted by us.
  • Open-MeteoWeather forecasts fetched from the Open-Meteo API using circuit coordinates. No personal data is transmitted.

Data Retention

Your account data is retained as long as your account is active. You can request deletion of your account and all associated data at any time by contacting us. Posts, comments, build photos and discussions, group activity, and image attachments are deleted along with your account. Browser-stored data (localStorage, cookies) is retained until you clear it manually or it expires. Push notification subscriptions are automatically cleaned up when they expire or you disable them in your settings.

Data Security

We implement appropriate technical and organizational measures to protect your data, including encrypted session tokens (JWT), HTTPS-only connections, parameterized database queries to prevent injection attacks, and access controls on all API endpoints. Location coordinates are automatically rounded to ~11 km precision before storage. Our application and database are hosted on Amazon Web Services (AWS) in the eu-west-1 (Ireland) region, within the European Union.

Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

  • Right of accessYou can request a copy of all personal data we hold about you.
  • Right to rectificationYou can correct inaccurate data via your profile page or by contacting us.
  • Right to erasureYou can request complete deletion of your account and all associated data.
  • Right to data portabilityYou can request your data in a structured, machine-readable format.
  • Right to restrictionYou can request that we limit how we process your data.
  • Right to objectYou can object to processing based on legitimate interest.
  • Right to withdraw consentYou can withdraw consent at any time (e.g. disable location sharing, set profile to private) without affecting the lawfulness of prior processing.

If you believe your rights have not been respected, you have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés), the French data protection authority, at www.cnil.fr.

Children's Privacy

RACETO.DAY is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

Changes to This Policy

We may update this privacy policy from time to time. Significant changes will be communicated via the platform. The effective date at the top of this page indicates the last revision. Continued use of the platform after changes constitutes acceptance of the updated policy.

Contact Us

For any questions, contact us via Messenger or Discord:

MessengerDiscord