Privacy Policy

Your privacy is important to us. This policy explains how we collect, use, and protect your information.

Last updated: October 26, 2025

Data Protection: We use industry-standard security measures.

Transparency: Clear about what data we collect.

Your Control: You control your personal data.

Contact Us: Questions? We're here to help.

1. Information We Collect

Personal Information

When you create an account, we collect your email address and username. You may optionally provide additional profile information such as your name, bio, avatar, racing achievements, team affiliations, and career highlights. Authentication is handled securely through Supabase Auth with support for Google OAuth, email OTP (one-time password), and magic links.

Website Content & Media

We store all content you create for your websites, including text, structured data (race results, achievements, stats), and media files. Images and videos are uploaded to Supabase Storage with automatic optimization and CDN delivery. Gallery limits apply based on your subscription plan (Free: 20 images, Pro: 50 images, Max: 100 images, with optional +50 image add-on available).

Usage Data & Analytics

With your consent (GDPR/CCPA compliant), we collect analytics data through Google Analytics 4 and Vercel Speed Insights. This includes page views, device type, browser information, geographic location (city-level), session duration, and feature usage patterns. Analytics are used solely to improve platform performance and user experience. You can opt out at any time through cookie preferences.

Technical & Security Information

For security and abuse prevention, we use your IP address for rate limiting (e.g., limiting login attempts, preventing spam signups). IP addresses are processed in-memory and not permanently stored. Browser user agent information is collected only when errors occur to help diagnose issues. Google reCAPTCHA is used on signup forms to prevent bot abuse. All authentication sessions use secure HTTP-only cookies with PKCE flow. Database access is protected by Row-Level Security (RLS) policies that ensure users can only access their own data.

Payment & Subscription Data

For paid subscriptions (Pro £9/mo, Max £19/mo), we use Stripe for payment processing. RaceXa does not store credit card numbers. We retain subscription metadata (plan type, status, billing dates) in our Supabase database to manage access to features. All payment information is handled exclusively by Stripe in compliance with PCI DSS standards.

AI-Generated Content

When using Alice AI content assistant (Paid plan feature), your field labels, existing content context, and generation prompts are sent to Google Gemini API to generate suggestions. Alice is accessible via sparkle buttons in the editor, batch AI fill, floating chat widget, and full-page chat interface (/alice). We do not train AI models on your data. AI requests are processed in real-time and not stored beyond standard server logs.

Content Moderation & Safety

To protect users and maintain platform integrity, we automatically scan uploaded content using third-party moderation services:

  • OpenAI Moderation API - Scans text and images for sexual content, violence, hate speech, harassment, and self-harm before save/publish operations
  • Google Web Risk API - Checks URLs for malware, phishing, unwanted software, and social engineering threats

Flagged content is analyzed in real-time and may be blocked from publication. Moderation scans are necessary for platform safety and are not used to train AI models or for purposes beyond content policy enforcement.

2. How We Use Your Information

Service Provision & Hosting

We use your information to provide, maintain, and improve our website builder. Your account data is stored in Supabase (PostgreSQL database) with automated backups. Websites are hosted on Vercel's global CDN for optimal performance. Media files are served through Supabase Storage with automatic image optimization. All infrastructure uses enterprise-grade SSL/TLS encryption and Row-Level Security (RLS) policies enforce data isolation between users.

Communication & Support

We send transactional emails through Resend for essential account activities (email verification, password resets, subscription confirmations). We may also send product updates, feature announcements, and promotional content about new website templates or platform improvements. Marketing emails include an unsubscribe link. You cannot opt out of transactional emails, as they are necessary for account security.

Platform Improvement & Analytics

With consent, we analyze usage patterns through Google Analytics 4 and Vercel Speed Insights to identify performance bottlenecks, popular features, and areas for improvement. Analytics are anonymized where possible and aggregated for reporting. We use this data to prioritize new templates, optimize page load times, and improve editor UX for the motorsport community.

Security & Fraud Prevention

We process technical information to detect and prevent abuse, spam, unauthorized access, and fraudulent accounts. Google reCAPTCHA analyzes signup behavior to block bots. Rate limiting prevents API abuse. Session tokens expire after 7 days and use secure HTTP-only cookies with SameSite protection.

3. Information Sharing

Public Content

Content you publish on your motorsport websites is publicly accessible via your chosen username (racexa.com/[username]/[template]). Published sites are indexed by search engines (Google, Bing). Gallery images are served through Supabase CDN with public URLs once published. Unpublished sites remain private and are only accessible to you when logged in.

Service Providers & Infrastructure

We share data with trusted third-party service providers who operate our infrastructure:

  • Supabase Inc. - Database hosting, authentication, file storage (PostgreSQL, Auth, Storage)
  • Vercel Inc. - Website hosting, CDN, serverless functions, analytics
  • Stripe Inc. - Payment processing, subscription management (PCI DSS compliant)
  • Google LLC - AI content generation (Gemini API), analytics (GA4), spam prevention (reCAPTCHA), URL safety (Web Risk API)
  • OpenAI - Content moderation for text and images (Moderation API)
  • Resend - Transactional email delivery (account verification, password resets)

All providers are bound by data processing agreements (DPAs) and operate under GDPR-compliant Standard Contractual Clauses (SCCs). They are prohibited from using your data for purposes beyond providing services to RaceXa.

Analytics & Performance Monitoring

With your consent, anonymized usage data is shared with Google Analytics 4 and Vercel Analytics to measure platform performance and user engagement. IP addresses are anonymized, and personal identifiers are removed before transmission. You can opt out via cookie preferences or browser extensions.

No Data Sales

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We do not participate in data broker activities or advertising networks beyond standard analytics (Google Analytics, Vercel Analytics).

4. Data Security

We implement enterprise-grade security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. However, no method of internet transmission or electronic storage is 100% secure.

Infrastructure Security

  • Encryption in Transit: All connections use TLS 1.3 encryption (HTTPS)
  • Encryption at Rest: Database and file storage encrypted with AES-256
  • Secure Authentication: PKCE OAuth flow, HTTP-only session cookies, 7-day token expiration
  • Database Security: PostgreSQL Row-Level Security (RLS) policies enforce user data isolation
  • API Protection: Rate limiting, request validation, CORS policies

Application Security

  • Input Validation: All user inputs sanitized and validated with Zod schema validation
  • Content Moderation: Automated scanning for malicious URLs, prohibited content, and policy violations
  • Spam Prevention: Google reCAPTCHA v3 on signup, rate limiting on API endpoints
  • Session Management: HTTP-only cookies with SameSite protection, 7-day expiration

Infrastructure Providers

  • Hosting: Vercel (SOC 2 Type II certified, ISO 27001 compliant)
  • Database: Supabase on AWS (SOC 2 Type II, GDPR compliant)
  • Payment: Stripe (PCI DSS Level 1 certified)

Monitoring & Response

We maintain error tracking and automated dependency updates to protect against emerging threats. In the event of a data breach affecting your account, we will notify you within 72 hours as required by GDPR Article 33.

Your Responsibility: Use a strong, unique password. Enable two-factor authentication when available. Do not share your account credentials. Log out from shared devices. Report suspicious activity to security@racexa.com.

5. Your Rights and Choices

Account Access & Management

You can access, review, and update your personal information through your account dashboard. This includes profile details, username, email, bio, avatar, and website content. For data not accessible through the dashboard, contact privacy@racexa.com with your request.

Data Portability (GDPR Article 20)

You have the right to export your data in machine-readable format (JSON). Contact privacy@racexa.com to request a complete data export, which includes: account information, website content, media file URLs, subscription history, and consent records. We will provide the export within 30 days.

Marketing Communications & Consent

You can opt out of promotional emails by clicking the unsubscribe link in any marketing email or by updating your email preferences in account settings. Opting out does not affect transactional emails (account verification, password resets, subscription confirmations) which are necessary for account security and service operation.

Cookie & Analytics Control

You can manage cookie preferences at any time by clicking "Cookie Settings" in the footer. You can accept or reject functional and analytics cookies. Strictly necessary cookies (authentication, security) cannot be disabled as they are essential for the platform to function. You can also use browser settings or install the Google Analytics Opt-out Browser Add-on.

Account Deletion (Right to Erasure)

You can delete your account at any time through Settings → Account → Delete Account. Upon deletion, we will permanently remove:

  • Your personal profile information (email, username, bio, avatar)
  • All website content and media files from Supabase Storage
  • Published websites (they will become inaccessible)
  • Subscription data (after current billing period)

Retention exceptions: We may retain anonymized analytics data, aggregated usage statistics, financial records for tax compliance (7 years), and data required by law or pending legal proceedings.

GDPR Rights (EU/UK Users)

Under GDPR, you have the right to: access your data (Article 15), rectify inaccurate data (Article 16), erasure/deletion (Article 17), restrict processing (Article 18), data portability (Article 20), object to processing (Article 21), and withdraw consent (Article 7). To exercise these rights, email privacy@racexa.com with your request and proof of identity.

CCPA Rights (California Users)

California residents have the right to: know what personal information is collected (this policy), request deletion of personal information, opt out of data sales (we don't sell data), and non-discrimination for exercising privacy rights. Submit CCPA requests to privacy@racexa.com.

Response Time: We respond to verified data rights requests within 30 days (GDPR) or 45 days (CCPA). Complex requests may require an additional 30-day extension with notice.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience, analyze platform usage, and provide personalized content. This section explains what cookies we use, why we use them, and how you can control them.

What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us remember your preferences, understand how you use our platform, and improve your experience. We also use similar technologies like localStorage and sessionStorage.

Cookie Categories

Strictly Necessary Cookies (Always Active)

These cookies are essential for the website to function and cannot be disabled. They enable core features like authentication and security.

  • sb-*-auth-token - Session authentication (Supabase, 7 days)
  • _GRECAPTCHA - Anti-bot protection (Google, 6 months)

Functional Cookies (Optional)

These cookies enable enhanced features and remember your preferences.

  • racexa-theme - Dark/light mode preference (localStorage)

Analytics & Performance Cookies (Requires Consent)

These cookies help us understand how visitors use our website anonymously.

  • _ga, _gid, _gat - Google Analytics (2 years / 24 hours / 1 minute)
  • Vercel Analytics - Performance monitoring (session only)

Data Collected: Page views, device type, browser, geographic location (city-level), referrer, session duration. No personally identifiable information unless you are logged in.

Third-Party Services

We use the following third-party services that may set their own cookies:

How to Control Cookies

RaceXa Cookie Preferences

You can manage your cookie preferences at any time by clicking "Cookie Settings" in the footer of any page. You can:

  • Accept or reject different categories of cookies
  • View detailed information about each cookie
  • Change your preferences at any time

Browser Controls

You can also control cookies through your browser settings:

  • Chrome: Settings → Privacy and security → Cookies
  • Firefox: Settings → Privacy & Security → Cookies
  • Safari: Preferences → Privacy → Manage Website Data
  • Edge: Settings → Cookies and site permissions

Note: Blocking all cookies will prevent you from using certain features, including logging in.

Third-Party Opt-Out Tools

Your Rights Regarding Cookies

Under GDPR and CCPA, you have the right to:

  • Be informed about what cookies we use (this policy)
  • Consent to or refuse non-essential cookies
  • Withdraw your consent at any time
  • Request deletion of data collected through cookies
  • Opt out of analytics and tracking

Cross-Border Data Transfers

Some of our third-party services (Google, Vercel) are based in the United States. When you consent to analytics cookies, your data may be transferred internationally. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

For complete cookie information, including detailed purposes, durations, and provider privacy policies, please see our dedicated Cookie Policy.

7. International Data Transfers

RaceXa operates globally to serve the international motorsport community. Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our infrastructure providers operate.

Data Locations

  • Database & Storage: Supabase on AWS (multiple regions, primary: EU)
  • Website Hosting: Vercel global CDN (nearest edge location to user)
  • Email: Resend (US-based)
  • Analytics: Google Analytics (US), Vercel Analytics (US)
  • Payments: Stripe (US and EU data centers)
  • AI Processing: Google Gemini API (US), OpenAI Moderation API (US)
  • Security: Google Web Risk API (US)

8. Children's Privacy

Our service is not directed to children under 13 years of age (or 16 in the EEA/UK). We do not knowingly collect personal information from children without verifiable parental consent. Users aged 13-17 must obtain parental or guardian consent before creating an account.

If we become aware that we have collected personal information from a child under 13 without parental consent, we will take immediate steps to delete that information from our servers. If you believe a child has provided us with personal information, please contact us at privacy@racexa.com.

Parents & Guardians: You have the right to review, modify, or delete your child's personal information. Contact privacy@racexa.com with verification of guardianship.

9. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or service features. The "Last updated" date at the top of this page indicates when the policy was last modified.

Notification of Changes

  • Material Changes: We will notify you by email and/or prominent notice on the platform at least 30 days before changes take effect
  • Minor Updates: Non-material changes (clarifications, formatting) will be posted without notice
  • Consent: Continued use of the service after changes take effect constitutes acceptance of the updated policy

10. Contact Us

If you have questions, concerns, or requests regarding this privacy policy or our data practices, please contact us:

General Privacy Inquiries

Email: privacy@racexa.com

Security Issues

Email: security@racexa.com

For reporting security vulnerabilities

Postal Address

RaceXa Data Protection
[Company Address - To Be Updated]
United Kingdom