Privacy Policy

Race Strategist is an independently-operated paid web service based in Lithuania, EU. For privacy questions, write to info@racestrategist.com. Under the GDPR, Race Strategist is the data controller for the personal data described below.

We collect only what we need to run the service:

• Account data — when you sign up, our authentication provider Clerk receives your email address, name, and (for social sign-in) the identifier from Google or Apple. We see the same fields.
• Payment data — when you subscribe, our payment processor Stripe receives your card details directly from your browser. We never see or store your card number; we only see a Stripe customer ID and the last four digits / expiry shown in your billing page.
• F1 Fantasy team data — if you connect your F1 Fantasy account, you authorise us to log in on your behalf and read your team, league memberships, and predictions. We cache your F1 session cookie for up to 6 hours so we don’t re-authenticate on every refresh, and store your team picks + budget in our database. Your F1 Fantasy password is sent directly to F1 Fantasy’s login form via a server-side browser session; we do not store it after that single login attempt completes.
• Usage data — our server logs request paths, response codes, coarse browser type, and IP address (last octet truncated after 7 days), kept for 30 days for debugging and abuse prevention.
• Analytics — if you accept the cookie banner, Google Analytics 4 records anonymised page views, referrer, browser type, and approximate region. If you decline, GA4 is never loaded.
• Cookies — see “Cookies” section below.

• To deliver the service you signed up for (run predictions, store your team, render your account pages).
• To bill you and let you manage your subscription.
• To answer your support emails.
• To prevent abuse (rate limiting, fraud detection on Stripe’s side).
• To send essential service emails (receipts, password resets, important changes to terms or this policy). We do not send marketing emails unless you opt in.

Legal basis under GDPR Article 6: performance of a contract (your subscription), legitimate interest (security, abuse prevention), and consent (Google Analytics 4 — loaded only if you accept the cookie banner).

We use a small number of subprocessors. Each is bound by their own DPA and (for transfers outside the EEA) Standard Contractual Clauses:

• Clerk, Inc. — authentication. United States.
• Stripe, Inc. (Stripe Payments Europe Ltd for EU billing) — subscription billing and payment processing.
• F1 Fantasy (operated by Formula 1 / Genius Sports) — your F1 Fantasy team is held by them. We act as a client of their public service on your behalf.
• Contabo GmbH — server hosting in Germany.
• Anthropic PBC — provides the AI model (Claude) behind the Pro tier’s AI Coach. Conversations sent to the AI Coach are transmitted to Anthropic for processing; Anthropic does not train on this data per their API terms.
• Google LLC — Google Analytics 4 (web analytics, United States). Loaded only after you accept the cookie banner; we instruct GA4 to anonymise IP addresses. Google is certified under the EU-US Data Privacy Framework.

Some of the subprocessors above are based in the United States. Where we transfer your personal data outside the EEA, we rely on the EU-US Data Privacy Framework certification or Standard Contractual Clauses 2021/914/EU.

• Account data: until you delete your account.
• Subscription history (legal/accounting): 7 years per LT and EU tax law.
• Server logs: 30 days. Backups: 90 days, then permanently deleted.
• F1 session cache: up to 6 hours per refresh; tokens rotated after.
• AI Coach chat history: up to 90 days, then deleted.

Under the GDPR you have the right to:

• Access the personal data we hold about you.
• Have inaccurate data corrected.
• Have your data deleted (“right to be forgotten”).
• Receive your data in a portable format.
• Restrict or object to certain processing.
• Withdraw consent (where consent was the legal basis).
• Lodge a complaint with the State Data Protection Inspectorate of Lithuania (Valstybinė duomenų apsaugos inspekcija) or your local supervisory authority.

To exercise any of these, email info@racestrategist.com from the address tied to your account. We respond within 30 days.

We use two categories of cookies:

Strictly necessary

• __session, __clerk_db_jwt — Clerk authentication.
• __stripe_mid, __stripe_sid — Stripe checkout/portal.
• cookie_consent — remembers your choice on the cookie banner so we don’t show it again. Set when you click Accept or Decline; expires after one year.

Analytics (consent required)

• _ga, _ga_* — Google Analytics 4. Used to understand how visitors use the site. Loaded only after you click Accept on the cookie banner; not loaded if you click Decline or ignore the banner. IP addresses are anonymised.

Withdrawing consent. To revoke analytics consent, clear the cookie_consent cookie in your browser (the banner will reappear on your next visit so you can pick Decline) or use your browser’s “Do Not Track” / cookie-blocking settings.

The service is not intended for users under 16. If you believe a child has given us their data, contact us and we’ll delete it.

If we change this policy materially, we’ll email you and post a notice on the site at least 14 days before the new version takes effect.