Privacy Policy
RaceReports (“we”, “us”) is operated from Malaysia and complies with the Personal Data Protection Act 2010 (PDPA). This page explains what we collect, why we collect it, who we share it with, and how to exercise your rights over your own data.
1. What we collect
- Account info: email, password (hashed by Supabase Auth), and optionally a Google or Strava OAuth identifier you authorise.
- Profile info: the handle, name, location, and preferred distances you enter when you complete signup.
- Race reviews and uploads: the reviews, ratings, GPX tracks, and photos you publish. These are public by design — that's the whole point of the platform.
- Usage data: page views (with a per-session anonymous identifier — no IPs stored), referrer headers, and user-agent strings, used in aggregate by event organisers to gauge demand.
- Strava connection (if you opt in): we store the OAuth tokens needed to read your activity history. You can disconnect at any time on your account page; we delete the tokens immediately.
2. What we do with it
- Run the platform — show your reviews to other runners, populate organiser dashboards with aggregate demand counts, send transactional emails (verification approvals, replies to your reviews, registration-open alerts you opted in to).
- Improve the product — anonymous usage logs help us spot broken pages and slow queries.
- Comply with legal obligations — respond to lawful information requests where required.
We do not sell your data. We do not run third-party ad networks. We do not share individual-level data with race organisers — they only see aggregate counts on their dashboards.
3. Who we share it with
- Supabase — our database and authentication provider (data resident in their infrastructure).
- Vercel — our application host.
- Resend — sends transactional email on our behalf.
- Strava — only if you explicitly link your account.
- Sentry — receives anonymised error stack traces when something breaks in the app.
4. Your rights
Under the PDPA you can request access to your data, ask us to correct it, withdraw consent for its processing, or request deletion. Email hello@racereports.co and we will respond within 30 days. You can also delete your account directly from /account; this removes your auth row, your profile, and cascades to all your reviews, photos, and GPX uploads.
5. Children
RaceReports is intended for runners aged 16 and over. If you believe a child has registered, contact us and we will remove the account.
6. Changes to this policy
We'll post material changes here at least 14 days before they take effect, and email all signed-in users.
7. Contact
Data protection enquiries: hello@racereports.co.