Privacy policy
Last updated: March 2, 2026
Who we are
Raceday ("we", "us", "our") operates the sports coaching platform at raceday.dev. We help coaches manage athletes, analyse performance test data, and plan races. This privacy policy explains how we collect, use, and protect personal data in accordance with the General Data Protection Regulation (GDPR) and Belgian data protection law.
What data we collect
Account data
When you create a coach account, we collect your name, email address, and a hashed version of your password (using bcrypt). If you sign in with Google, we also receive your Google account identifier.
Athlete and health data
Coaches enter athlete data into the platform. This may include names, email addresses, dates of birth, gender, weight, height, and health-related performance metrics such as VO2max, heart rate, lactate thresholds, and training zone calculations. Under GDPR, health-related data is a special category of personal data that requires explicit consent.
Location and GPX data
Coaches may upload GPX files containing GPS coordinates for race courses. This data includes latitude, longitude, and elevation points. GPX files are parsed server-side and stored as part of race records.
Payment data
We use Stripe to process payments. We do not store credit card numbers or full payment details on our servers. Stripe handles payment data in accordance with PCI-DSS standards. We store only Stripe customer and subscription identifiers to manage your subscription.
Usage and log data
We collect activity logs that include your IP address, the action performed, and a timestamp. IP addresses are retained for 90 days for security purposes and then permanently deleted.
Legal bases for processing
We process personal data under the following legal bases:
| Data type | Legal basis | Details |
|---|---|---|
| Account data | Contract (Art. 6(1)(b)) | Necessary to provide the coaching platform service |
| Athlete health data | Explicit consent (Art. 9(2)(a)) | Coaches must obtain explicit consent from athletes before entering health-related data |
| Payment data | Contract (Art. 6(1)(b)) | Necessary to process subscription payments |
| Activity logs and IP addresses | Legitimate interest (Art. 6(1)(f)) | Security monitoring and abuse prevention |
| Analytics cookies | Consent (Art. 6(1)(a)) | Only placed after user consents via the cookie banner |
Third-party processors
We share personal data with the following third-party service providers, each of whom acts as a data processor under GDPR:
| Processor | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Stripe | Payment processing | Email, subscription details | stripe.com/privacy |
| Google | OAuth authentication | Email, name (during sign-in) | policies.google.com/privacy |
| Resend | Transactional emails | Email address | resend.com/legal/privacy-policy |
| Vercel | Hosting and analytics | IP address, usage data | vercel.com/legal/privacy-policy |
Cookies
We use a small number of cookies that are essential to the service or used for analytics with your consent. For full details, see our cookie policy.
Data retention
| Data | Retention period |
|---|---|
| Coach account data | Until you delete your account. After deletion, data is retained for a 30-day grace period, then permanently removed. |
| Athlete data | Until the coach deletes the athlete or deletes their account |
| IP addresses in activity logs | 90 days, then permanently deleted |
| GPX course data | Until the associated race is deleted |
| Payment records | Retained by Stripe in accordance with their retention policy and applicable financial regulations |
Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data (subject to the 30-day grace period)
- Right to data portability — receive your data in a structured, machine-readable format
- Right to restrict processing — request that we limit how we use your data
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — withdraw consent at any time where processing is based on consent
To exercise any of these rights, contact us at [email protected]. You also have the right to lodge a complaint with a supervisory authority. In Belgium, this is the Data Protection Authority (Gegevensbeschermingsautoriteit).
You can manage your data and privacy settings from your privacy dashboard.
Coach-athlete relationship
Raceday follows a coach-athlete model where coaches enter and manage data on behalf of their athletes. In GDPR terms:
- The coach is the data controller for athlete personal data. Coaches are responsible for obtaining proper consent from athletes before entering their data, especially health-related data.
- Raceday acts as a data processor, processing athlete data on behalf of the coach according to this privacy policy and our terms of service.
Athletes who wish to exercise their data rights should contact their coach directly. Coaches can export, update, or delete athlete data through the platform.
Data security
We implement appropriate technical measures to protect your data:
- Passwords are hashed using bcrypt before storage
- Sessions use signed JWT tokens stored in httpOnly, secure cookies
- All data is transmitted over TLS (HTTPS)
- GPX files are parsed and processed server-side
- Payment data is handled entirely by Stripe and never touches our servers
Changes to this policy
We may update this privacy policy from time to time. When we make material changes, we will notify you through the platform or by email. The "last updated" date at the top of this page indicates the most recent revision.
Contact
If you have questions about this privacy policy or our data practices, contact us at [email protected].