PRIVACY POLICY
Last updated: 26 April 2026
Age-banded versions: a simplified version for drivers aged 13 to 15 and an illustrated version for drivers under 13 are linked from the relevant signup screens.
1. Who we are
- MyRacingPath Ltd is a UK company registered at Companies House under number [COMPANY NUMBER], with registered office at [REGISTERED ADDRESS].
- We are the data controller for personal data we collect about you through MyRacingPath.
- We are registered with the UK Information Commissioner's Office (ICO) under registration number [ICO REG NUMBER].
- For users in the European Union, our appointed representative under Article 27 UK GDPR is [EU REPRESENTATIVE NAME AND ADDRESS]. You can contact them directly at [EU REP EMAIL].
- For any data protection questions, contact us at support@myracingpath.com.
2. What data we collect
Account information
Name, email, date of birth, country of residence, password (hashed), profile photo (optional).
Racing information
Racing history, championships entered, equipment owned, coaching relationships, goals, team preferences, budget information (optional).
Performance data
Skill Score assessments, reaction time results, Race Engineer conversation history, career path recommendations.
Health data (special category)
Medical certificates, fitness information, allergies, medical conditions relevant to racing. Optional, processed only with your explicit consent under Article 9(2)(a) UK GDPR.
Payment information
Processed by Stripe. We receive confirmation of payment and subscription status but do not store full card details.
Technical data
IP address, device type, browser, operating system, pages viewed, features used, timestamps.
Communication data
Emails you send us, support tickets, feedback, community messages.
Parent data (where applicable)
Email address, verification of parental relationship, consents given.
3. How we collect data
- Directly from you when you create an account, complete surveys, use our features, or communicate with us.
- Automatically through cookies and similar technologies (see our Cookie Policy).
- From third parties only where specifically stated: Stripe (payment confirmation), authentication providers (if you use Google sign-in), verified parental consent providers.
4. Why we collect data (purposes and legal basis)
- To provide the MyRacingPath service and personalised AI career recommendations: Article 6(1)(b) UK GDPR (contract performance).
- To process payments: Article 6(1)(b).
- To send service-related communications such as confirmation emails, renewal reminders, and security notifications: Article 6(1)(b).
- To send marketing communications: Article 6(1)(a) consent. You can withdraw at any time.
- To process health data where voluntarily provided: Article 9(2)(a) explicit consent.
- To prevent fraud and protect the security of our service: Article 6(1)(f) legitimate interests, balanced against user rights.
- To comply with legal obligations including tax, accounting, safeguarding, and regulatory requirements: Article 6(1)(c).
- To protect vital interests in case of safeguarding concerns: Article 6(1)(d) and Schedule 1 Part 2 paragraph 18 of the Data Protection Act 2018.
5. Automated decisions and profiling
- We use automated processing to generate your Skill Score, Racing Path, and Race Engineer responses.
- These do not produce legal effects or similarly significant effects on you. They are informational support tools only and all significant decisions about your career remain yours.
- For users under 18, automated decisions with significant effects are not made, in line with Recital 71 UK GDPR.
- You can request human review of any automated output at any time.
6. Who we share data with (sub-processors)
We share limited personal data with the following sub-processors, each bound by data processing agreements and appropriate safeguards:
| Provider | Purpose | Transfer mechanism |
|---|---|---|
| Stripe | Payment processing | DPF certified plus SCCs and UK IDTA |
| Vercel | Application hosting | DPF certified plus SCCs and UK IDTA |
| Supabase | Database, auth, file storage (EU region) | SCCs plus UK Addendum |
| Google (Gemini) | AI features (paid tier, no training) | DPF certified plus SCCs and UK IDTA |
| Anthropic (Claude) | AI features via API (no training, 7-day retention) | SCCs plus UK IDTA |
| Resend | Transactional email | DPF certified plus SCCs and UK IDTA |
- We do not sell or rent your personal data to third parties.
- We may share data with law enforcement where legally required (for example under a court order or valid law enforcement request).
- We may share aggregated, anonymised data that does not identify you with partners for business purposes.
- If we are acquired or merge with another business, data may transfer to the successor entity, subject to the same protections as in this Policy.
7. International transfers
- Some of our sub-processors are in the United States. We rely on the following safeguards: EU-US Data Privacy Framework certification (Stripe, Vercel, Google, Resend); Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum for all vendors; Transfer Impact Assessments completed for non-DPF vendors.
- You can request a copy of our transfer mechanisms by contacting us.
8. How long we keep data
- Account data: for the duration of your subscription, plus 90 days after a deletion request (soft-delete window).
- Payment records: 6 years (Companies Act 2006 s.388 and HMRC VAT Notice 700/21).
- Marketing consent logs: 2 years after withdrawal.
- Race Engineer conversation logs: 30 days on our servers (or 7 days on Anthropic). Full conversations remain in your account until you delete them.
- Session files and associated timing data: retained for the lifetime of your account, or 3 years from the date of upload if your account is deleted, whichever comes first.
- Breach records: 5 years.
- Community messages from users under 18: auto-deleted after 12 months of account inactivity.
- After retention periods expire, data is deleted or anonymised irreversibly.
9. Your rights
Under UK and EU GDPR, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Erase your data (the “right to be forgotten”).
- Restrict processing.
- Object to processing based on legitimate interests or for direct marketing.
- Receive your data in a machine-readable format (data portability).
- Withdraw consent where processing is based on consent.
- Not be subject to solely automated decisions with legal or similarly significant effects.
- Lodge a complaint with the ICO (ico.org.uk) or your local EU data protection authority.
To exercise any of these rights, contact us at support@myracingpath.com. We will respond within one month, extendable by two months for complex requests, with notice.
For users under 13, rights can be exercised by the parent or legal guardian via the Parent Portal. There is no charge in most cases. Excessive or unfounded requests may incur a reasonable fee or be refused.
10. Children's privacy (ages 13 to 17)
- We provide simplified, age-banded privacy information in line with Standard 4 of the ICO Age Appropriate Design Code: a short, plain-language summary for ages 13 to 15, and a near-full version with illustrated key points for ages 16 to 17.
- For users under 18 we apply additional protections by default: high privacy settings, geolocation off, profiling for marketing disabled, public profile off (you can opt in), no nudge techniques, Parent Portal oversight, enhanced content moderation.
- For users under 13, see our Parental Consent Policy.
11. Security
- We use industry-standard security measures including encryption in transit and at rest, role-based access controls, and regular security reviews.
- No system is 100% secure. We will notify affected users and the ICO of any personal data breach that poses a risk to your rights within 72 hours where required under Article 33.
- You are responsible for keeping your password secure.
12. Cookies and tracking
We use cookies and similar technologies. See our Cookie Policy for full details. Behavioural advertising cookies are not used on accounts for users under 18.
13. Changes to this policy
- We review and update this Privacy Policy regularly. The “Last updated” date reflects the most recent version.
- For material changes, we will notify you by email at least 30 days before the change takes effect.
14. How to complain
Contact us first at support@myracingpath.com. We aim to resolve concerns promptly. You can also complain to the UK Information Commissioner's Office at ico.org.uk or 0303 123 1113, or to your local EU data protection authority if you are an EU resident.