Privacy Policy

Effective Date: July 25, 2025 · Last Updated: March 25, 2026

1. Introduction / About Us

RaceControl.ai is a California-based software development firm specializing in AI-augmented integration workflows, mobile applications, branding solutions, and social media automation for motorsport teams.

This Privacy Policy explains how we collect, use, disclose, and safeguard information when you:

• Visit our website https://www.racecontrol.ai
• Use our mobile applications
• Interact with us or use our Services as a client

This policy also addresses our role concerning the data processed through the solutions we build for our clients.

Please read this Privacy Policy carefully. If you do not agree with the terms of this privacy policy, please do not access our website, mobile applications, or use our Services.

2. Scope of This Policy

This Privacy Policy applies to:

• Information we collect through our website (https://www.racecontrol.ai)
• Information we collect through our mobile applications available on Google Play Store and Apple App Store
• Information we collect during sales, marketing, and client engagement processes
• Information related to our direct business contacts (client representatives, vendor contacts)

This Privacy Policy does not govern the data processing practices within the applications, workflows, or systems we build for our clients. Our clients act as the "Business" (under CCPA/CPRA) or "Data Controller" for the data processed within those solutions. We typically act as a "Service Provider" or "Data Processor" for that data, processing it only according to our contractual agreements with our clients.

3. Information We Collect

Information You Provide Directly:

• Contact Information: Name, email address, phone number, company name, job title when you fill out contact forms, request consultations, subscribe to newsletters, or communicate with us
• Account Information: Username, password, and profile information when you create an account in our mobile applications
• Project Information: Details about your business needs and project requirements when discussing potential Services
• Communication Records: Records and copies of your correspondence if you contact us
• Payment Information: Credit card details, billing address, and transaction history for subscription services (processed securely through third-party payment processors)
• User-Generated Content: Any content, feedback, or data you provide through our applications
• Telemetry and Racing Data: Vehicle performance data from CSV files and data logger exports, including speed, throttle position, brake pressure, steering angle, RPM, gear position, and lap times, uploaded or imported for coaching analysis
• Setup Sheet Data: Vehicle configuration details (suspension settings, alignment, tire pressures, gearing, etc.) and associated notes used as context for coaching analysis
• Imported File Metadata: When connecting external data sources (such as Google Drive), we collect file names, sizes, file types, folder structure, and modification dates of files within connected folders

Information Collected Automatically:

Website Data:

• Log and Usage Data: IP address, browser type and version, pages visited, time and date of visit, time spent on pages, and other diagnostic data
• Cookies and Tracking Technologies: We use cookies, web beacons, and pixels to track website activity

Mobile Application Data:

• Device Information: Device type, operating system version, device identifiers (UDID, advertising ID, Android ID), mobile carrier information
• App Usage Data: Features used, time spent in app, crash reports, performance data
• Location Data: Approximate location based on IP address (precise location only with explicit permission)
• Mobile Analytics: App installation, updates, and usage patterns through Firebase Analytics and similar services

Device Permissions (Mobile Apps):

Our mobile applications may request the following permissions:

• Camera: To allow photo capture for profile pictures or content creation (optional)
• Storage: To save files and cache data locally (required for app functionality)
• Network Access: To connect to our services and sync data (required)
• Push Notifications: To send important updates and messages (optional)

Third-Party Services Integration:

We integrate with the following third-party services that may collect additional data:

• Google Analytics/Firebase: For app usage analytics and crash reporting
• Google Vertex AI (Gemini): AI-powered coaching features including Session Intelligence (multi-session progression analysis with optional video) and Driver Coach (single-session telemetry analysis). All AI processing occurs server-side; no on-device models are used. Google does not use data submitted through Vertex AI to train its foundation models (see Vertex AI Data Governance).
• Google Drive API: Read-only access for importing coaching data (telemetry, video, documents) from connected folders
• Stripe/PayPal: For payment processing (they maintain their own privacy policies)
• Cloud Infrastructure: Google Cloud Platform for data storage, processing, and coaching data storage
• Customer Support: Zendesk or similar platforms for customer service interactions

Information We Process on Behalf of Clients (as a Service Provider):

When providing Services, we may process data controlled by our clients, including:

• Business data required for integration workflows
• End-user data collected through mobile apps we develop (governed by the client's policy)
• Content provided by the client for AI model training, RAG systems, or analysis
• Social media account credentials and content for automated posting (with explicit client authorization)
• Other data types as defined in our specific client agreements

4. How We Use Your Information

To Provide and Manage Our Services:

• Respond to inquiries and fulfill requests for consultations or information
• Create and manage user accounts
• Process payments and manage subscriptions
• Negotiate, enter into, and manage client agreements
• Develop, deliver, and support custom software solutions
• Provide customer support and technical assistance

To Communicate With You:

• Send administrative information, service updates, and support messages
• Send marketing communications (with your consent where required - you can opt-out at any time)
• Send push notifications about app updates and important information (with your permission)

To Improve Our Services:

• Understand how users interact with our website and mobile applications
• Analyze usage patterns to improve user experience
• Conduct research and analytics for internal purposes
• Debug issues and improve app performance

For Security and Compliance:

• Maintain the security and integrity of our systems
• Prevent fraud and unauthorized access
• Comply with legal obligations and enforce our terms
• Monitor for and prevent prohibited activities

5. Legal Basis for Processing (GDPR)

For users in the European Economic Area, our legal bases for processing include:

• Contract Performance: To provide services you've requested
• Legitimate Interests: To improve our services, ensure security, and conduct business operations
• Consent: For marketing communications and optional features (you may withdraw consent at any time)
• Legal Obligation: To comply with applicable laws and regulations

6. How We Share Your Information

We do not sell your personal information, nor do we "share" it for cross-context behavioral advertising purposes (as defined under CCPA/CPRA).

We may disclose information in the following circumstances:

• With Service Providers: Third-party vendors who perform services on our behalf, including:
  • Cloud hosting providers (AWS, Google Cloud, Microsoft Azure)
  • Payment processors (Stripe, PayPal)
  • Analytics providers (Google Analytics, Firebase)
  • Customer support platforms (Zendesk)
  • Email delivery services (SendGrid, Mailchimp)
• As Directed by Clients: Client-controlled data only as explicitly instructed by the client within our service agreement scope
• For Legal Reasons: When required by law, subpoena, or legal process, or to protect rights, safety, and security
• Business Transfers: In connection with mergers, acquisitions, or asset sales, subject to confidentiality arrangements
• With Your Consent: Any other sharing will be done only with your explicit consent

7. Data Security

We implement comprehensive security measures including:

• Encryption of data in transit and at rest
• Regular security assessments and audits
• Access controls and authentication requirements
• Secure payment processing through PCI-compliant providers
• Employee training on data protection practices

However, no security measures are perfect, and we cannot guarantee absolute security of your data.

8. Connected Accounts and AI Data Processing

RaceControl allows team owners to connect third-party social media accounts (such as YouTube, Instagram, and Facebook) to enable publishing content on behalf of their team.

Data We Access

When you connect a YouTube account, we access the following through Google's OAuth 2.0 authorization:

• Channel information: Your YouTube channel name, channel ID, and channel thumbnail image (via the youtube.readonly scope)
• Video uploads: The ability to upload videos to your channel on your behalf (via the youtube.upload scope)
• Video management: The ability to manage video metadata such as titles, descriptions, and privacy settings (via the youtube.force-ssl scope)

We do not access your YouTube watch history, subscriptions, or private videos. We access only the data necessary to provide the publishing features you have authorized.

How Credentials Are Stored

OAuth tokens for connected accounts are encrypted at rest using AES-256-GCM with team-specific encryption keys derived via PBKDF2. Encrypted tokens are stored in Google Cloud Firestore. Tokens are never returned to the client application after the initial connection and are accessible only to server-side functions.

Access Controls

Only the team owner can connect or disconnect a social media account. Publishing actions using connected accounts are restricted to authorized team members (team admin role or above). The team owner may optionally require per-post approval before content is published.

Retention and Deletion

Connected account credentials are retained only while the account remains connected. When the team owner disconnects an account, we revoke the OAuth token with the platform provider and permanently delete the stored credentials from our systems. If a team is deleted, all associated connected account credentials are also deleted.

No Selling or Sharing

Data obtained from connected social media accounts is not sold, shared with third parties, or used for advertising. It is used solely to publish content on behalf of your team as you direct.

Google API Services Compliance

RaceControl's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

AI-Powered Coaching Features

RaceControl uses Google Vertex AI (Gemini) to analyze motorsport telemetry data and optional in-car video, providing structured driving improvement feedback. All AI processing occurs on Google Cloud infrastructure (us-central1 region) — no AI models run on your device.

Session Intelligence

Session Intelligence analyzes driving telemetry across multiple sessions to identify progression trends, technique patterns, and improvement opportunities. It optionally analyzes in-car video to correlate visual driving behavior with telemetry data.

Data Sent to Google Vertex AI: When you request a Session Intelligence analysis, the following data is assembled server-side and transmitted to Google's Vertex AI service (Gemini 2.5 Pro) for processing:

• Telemetry data from uploaded CSV files (lap times, speed, throttle position, brake pressure, steering angle, RPM, gear position, GPS coordinates)
• Optional in-car video (MP4) uploaded to Firebase Storage
• Setup sheet data associated with the relevant car and event (field values and notes)
• Event notes and descriptions entered by team members
• Car information (name, number, vehicle year/make/model, competition series and class)
• Prior session analyses for the same car/driver (to track progression across events)
• Platform-level series knowledge (general racing series regulations and technique references — not personal data)

What AI Generates: Session Intelligence produces coaching reports containing technique observations, lap-by-lap progression data, improvement recommendations, telemetry trace visualizations, and suggested video clip markers. All AI-generated content is presented in a dedicated Session Intelligence screen with clear AI attribution.

Driver Coach (Single Session)

Driver Coach provides instant AI analysis of a single uploaded telemetry session.

Data Sent to Google Vertex AI: When you request a coaching analysis, the following data is assembled server-side and transmitted to Google's Vertex AI service (Gemini 2.5 Flash) for processing:

• Telemetry data from a single uploaded CSV file (same channels as Session Intelligence)
• Setup sheet data associated with the relevant car and event
• Event context and series knowledge
• Prior session analysis (if the session is part of a sequence)

Data Handling for All AI Features

No personally identifying information (names, email addresses, profile data) is included in AI analysis requests. Data is transmitted over encrypted connections (HTTPS/TLS) and is processed by Google subject to their Cloud Data Processing Addendum.

Google does not use data submitted through Vertex AI to train its foundation models. See Vertex AI Data Governance for details.

How Analysis Results Are Stored: Coaching analysis results (structured JSON feedback) are stored in Google Cloud Firestore under your team's data scope. Results include the AI-generated analysis, a record of which context sources were used, and token usage metrics for internal cost tracking. Results are accessible to team members based on role permissions.

No Selling or Sharing: Telemetry data, video files, and coaching analysis results are not sold, shared with third parties, or used for advertising. They are used solely to provide the coaching features you have requested.

Connected Data Sources (Google Drive)

Team Admins can connect Google Drive folders to import racing data (telemetry, video, documents) into RaceControl for use with the Driver Coach and other coaching features.

Data We Access: When a folder is connected, we access file metadata (names, sizes, MIME types, modification dates) and file contents for supported file types via the Google Drive API with read-only access (drive.readonly scope). We do not access files outside the specified folder, your personal Drive contents, or any other Google account data.

How Files Are Stored: Imported files are copied to a team-scoped Google Cloud Storage bucket. Files are organized by team, event, and file type. Original files in Google Drive are never modified or deleted by RaceControl.

Sync Records: For each imported file, we store a sync record in Firestore containing the Drive file ID, file name, file size, file type classification, sync timestamp, and cloud storage path.

Access Controls: Only Team Admins or Team Owners can connect or disconnect data sources. Imported data is accessible to team members based on role permissions.

Retention and Deletion: Imported files and sync records are retained while the data source remains connected and the team is active. When a Team Admin disconnects a data source, no further files are imported; existing imported files remain until manually deleted or the team is deleted. When a team is deleted, all imported coaching data and sync records are permanently deleted.

No Selling or Sharing: Data imported from Google Drive is not sold, shared with third parties, or used for advertising.

Google API Services Compliance (Drive)

RaceControl's use of data received from the Google Drive API adheres to the Google API Services User Data Policy, including the Limited Use requirements.

9. Data Retention

• Account Data: Retained while your account is active and for a reasonable period after account closure
• Transaction Records: Retained as required by law (typically 7 years for tax purposes)
• Marketing Data: Until you opt-out or we no longer have a legitimate business need
• Client-Controlled Data: According to our agreement terms with each client
• Connected Account Credentials: Retained only while the social media account remains connected; permanently deleted upon disconnection (see Section 8)
• Coaching Analysis Results: Retained while the team account is active; permanently deleted when a team is deleted
• Imported Coaching Data (Cloud Storage): Retained while the data source is connected and the team is active; permanently deleted when the team is deleted
• Drive Sync Records: Retained while the team account is active; permanently deleted when a team is deleted
• Analytics Data: Typically retained for 26 months in anonymized form

10. Your Privacy Rights

California Residents (CCPA/CPRA Rights):

• Right to Know/Access: Request information about personal data we've collected
• Right to Delete: Request deletion of your personal information
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: We don't sell data, so no opt-out needed for sales
• Right to Limit Use of Sensitive Personal Information: Request limits on sensitive data use
• Right to Non-Discrimination: You won't be discriminated against for exercising rights

European Users (GDPR Rights):

• Right of Access: Obtain confirmation of data processing and access to your data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data under certain circumstances
• Right to Restrict Processing: Limit how we process your data
• Right to Data Portability: Receive your data in a portable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for consent-based processing

Exercising Your Rights:

Contact us at info@racecontrol.ai or 925-477-0497. We'll verify your identity before processing requests and respond within the required timeframes (30 days for CCPA, 30 days for GDPR).

11. Children's Privacy (COPPA Compliance)

RaceControl complies with the Children's Online Privacy Protection Act (COPPA).

Age Requirements:

• Users must be at least 13 years old to create an account
• Users under 13 are prohibited from using our Services
• We collect date of birth during account creation for age verification purposes

Parental Consent for Users Aged 13-17:

• Users aged 13-17 require verifiable parental consent before account activation
• We collect parent/guardian email addresses solely for the purpose of obtaining consent
• Parents receive a secure consent link via email to approve their child's account
• Consent links expire after 7 days and can only be used once
• Parents can review, modify, or delete their child's information at any time by contacting us

Data We Collect from Minors:

• Date of birth (for age verification only)
• Parent/guardian email (for consent purposes only, ages 13-17)
• Standard account information (name, email, profile data)
• Usage data as described in Section 3 of this policy

Parental Rights:

Parents of users aged 13-17 have the right to:

• Review all personal information collected from their child
• Request deletion of their child's account and all associated data
• Refuse to allow further collection or use of their child's information
• Revoke consent at any time

Verifiable Parental Consent Process:

• Parent email must be different from child's email address
• Consent links are cryptographically secured with 64-character tokens
• Parents must actively click to provide consent (no passive consent)
• All consent actions are logged with timestamps for compliance verification

Data Deletion for Minors:

If we discover we have collected information from a child under 13 without proper consent, we will:

• Delete the account immediately
• Purge all associated personal information
• Notify the parent/guardian if contact information is available

Client Responsibilities:

If we process children's data on behalf of clients, the client acts as the Data Controller and is responsible for ensuring COPPA compliance within their own services.

Contact for Parental Inquiries:

Parents with questions or requests regarding their child's data should contact us at:

Email: support@racecontrol.ai
Phone: 925-477-0497

12. Subscription and Payment Information

For subscription services:

• Payment information is processed by third-party payment processors (Stripe, PayPal)
• We store only transaction IDs and subscription status, not full payment details
• Billing information is retained for tax and legal compliance purposes
• You can cancel subscriptions through your account settings or by contacting support
• Refund policies are outlined in our Terms of Service

13. International Data Transfers

For US Users: Data is processed and stored in the United States.

For International Users: Your data may be transferred to and processed in the United States. We implement appropriate safeguards including:

• Standard Contractual Clauses for EU transfers
• Adequacy decisions where applicable
• Additional security measures as required by local law

14. Push Notifications

Our mobile apps may send push notifications for:

• Important account updates
• Security alerts
• New feature announcements
• Marketing messages (with separate consent)

You can control notification preferences in your device settings or app preferences.

15. Third-Party Links and Services

Our services may contain links to third-party websites and services. This Privacy Policy doesn't apply to those third parties. We encourage you to review their privacy policies.

16. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We'll notify you of material changes by:

• Posting the updated policy on our website and in our mobile apps
• Sending email notifications to registered users
• Displaying in-app notifications for significant changes

Continued use after changes constitutes acceptance of the updated policy.

17. Contact Us

Data Protection Officer: info@racecontrol.ai
Phone: 925-477-0497
Address: RaceControl, Contra Costa County, California

For EU Users: Our EU representative can be contacted at the same email address.

For privacy-related inquiries, data subject requests, or concerns about our privacy practices, please contact us using the information above.