September 2023
This Privacy Policy (“Policy”) explains how We collect and process the personal data of natural persons (individuals) who visit our Website (“Visitors”), use our services for organizing events (“Organizers”) or register for these events (“Participants”) (collectively: “you”). Personal data, or personal information, means any information relating to an identified or identifiable natural person. This includes information that you tell us, what we learn from you and the choices you make about the marketing you want us to send to you. This Policy explains how we do this, what your rights are and how the law protects you.
This Policy applies to any users of our Website at racecheck.com (the “Website”) and/or our services.
Your use of our Website and/or our services will be subject to the most current version of this Policy posted on our Website at the time of your use. We recommend that you check the Website from time to time to inform yourself of any changes in this Policy or any of our other terms. However, if we do make changes to this Policy, we will notify you by SMS, email or otherwise.
We are Racecheck Limited (“We”). We are a company registered in England and Wales under company number 09974171. Our registered office is at Scott House 3.20, London, SE1 7LY.
You can contact us by email at info “at” racecheck.com. If you need, you can write to us at Scott House 3.20, London, SE1 7LY.
For the purposes of data protection law, we are data controllers. A data controller is an organisation that determines the purposes and means of processing. Our representative for all queries in relation to this Policy and your data protection rights is Alexandros Tanti.
We may collect personal information about you in the following ways:
Data you give to us:
Data we collect when you use our Website and/or our services:
Data from third parties we work with:
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
Identity data – name, address, date of birth, city and country of residence and gender
Contact data – your physical address, your email address and/or social media account(s)
Financial data – bank account and/or payment card details which are directly dealt with by our payment partners. However, please note that we do not store your payment card details ourselves
Technical data – your login data, browser type and version, time zone setting and location, and other technology on the devices you use to access our Website
Profile data – your sports preference, upcoming race calendar, past race history and race finish times
Third-Party Accounts – Racecheck allows you to sign up and log in to our Website and/or our services using accounts you create with third-party products and services, such as Facebook, Twitter or Strava. If you access our Website and/or our services with Third-Party Accounts we will collect personal data that you have agreed to make available such as your name, email address, profile information and preferences with the applicable Third-Party Account. These personal data are collected by the Third-Party Account provider and are provided to Racecheck under their privacy policies. You can generally control the personal data that we receive from these sources using the privacy controls in your Third-Party Account
Usage data – information about how you use our Website and/or our Services
Marketing and communications data – your preferences in receiving marketing from us and our third parties and your communication preferences, by specifying whether you wish to opt in or out
Organisations data – name, size, location, contact details and event information for the organisation
We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific Website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Policy.
We do not collect any special categories of personal data about you. This includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. Nor do we collect any personal data about criminal convictions and offences.
We do not knowingly process any personal data relating to children. If you are under 16 years, you must not provide us your personal data without the consent of a parent or guardian.
Your personal data are protected by law.
We are only allowed to use your personal data if we have a legal basis to do so, and we are required to tell you what that legal basis is. We have set out in the table below: the personal data which we collect from you, how we use it, and the legal ground on which we rely when we use the personal data.
In some circumstances we can use your personal data if it is in our legitimate interest to do so, provided that we have told you what that legitimate interest is. A legitimate interest is when we have a technical, business or commercial reason to use your information which, when balanced against your rights, is justifiable. If we are relying on our legitimate interests, we have set that out in the table below.
| What we use your personal information for | What personal information we collect | Who is affected | Our legal grounds for processing | Our legitimate interests (if applicable) |
| --- | --- | --- | --- | --- |
| To register you as a new user (if you register on our Website and/or for our services) | | | | N/a. |
| To process event orders that you have placed | | | | N/a. |
| To manage payments or collect and recover money owed to us | | | | To keep our records up to date and ensure payments are being made |
| To manage our relationship with you, including notifying you about changes to our terms and/or this Policy | | | | To keep records up-to-date and ensure that the business is being run efficiently |
| To manage relationships with our business / events partners | | | | Developing our services, and what we charge for them. To assess the health of our relationships with business / event partners |
| To administer and protect our business and our website/app | | | | Running our business, provision of administration and IT services, network security |
| To administer our services | | | | To ensure the business is being run effectively and efficiently |
| To use data analytics to improve our Website, our services, including marketing, customer relationships and experiences | | | | To define types of users for our services, to keep our Website updated and relevant, to develop our business and to inform our marketing strategy |
| To make suggestions and recommendations to you about events that may be of interest to you | | | | To develop our services, our Website and grow our business |
| To allow for displaying the participants’ reviews of sporting events on our Website and that of Organisers | | | | N/a. |
Recipients
We may share your personal information with any of the following organisations, for the purposes of providing the services which you have requested from us:
A data processor is an organisation that processes personal data on behalf of the data controller. We currently use the following data processors:
You can find details of how these third parties use your personal data by looking at their privacy- or data protection policies, all of which should be available on the relevant websites, or on request.
We require all organisations who we share your personal data with to respect the security of your personal data and to treat it in accordance with the law. We do not allow any of our service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Publicly Available Information
Your personal data and content may be publicly accessible to, and searchable by, other Racecheck users. However, you will be able to make your account private so that only Racecheck can view and access your profile. We provide a variety of tools to control the sharing of your personal data.
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to submit the event entry request for the event you wish to take part in). In this case, we may have to cancel the service you have with us, but we will notify you if this is the case at the time.
Our Website may include links to third party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share your personal data. We do not control these third-party websites and are not responsible for their privacy- or data protection statements. When you leave our Website, we encourage you to read the relevant notices or policies of every website you visit.
Any reviews that you submit will be deemed to have been made public and therefore your name (first name and initial of your last name) and review will be accessible from anywhere in the world. In this context, these personal data may be shared with service providers in countries which do not provide a level of protection for personal data that is comparable to that offered in the EEA or the UK.
The EEA is the European Economic Area, which consists of the EU Members States, Iceland, Liechtenstein and Norway. If we transfer your personal data outside the EEA and/or the UK, and unless the country of destination is recognised as providing an adequate level of protection under applicable data protection rules, we will take necessary measures to ensure that the recipient provides sufficient safeguards for the protection of your personal data, including by entering into contracts approved by the responsible data protection authorities.
We currently transfer the following personal data outside the EEA/UK:
| What personal data we share | Who is affected | Recipients and destinations | Our legal safeguards for transferring personal data |
| --- | --- | --- | --- |
| Identification data (name, pseudonym), date of birth, personal comments and reviews of a specific sporting event, any other information voluntarily provided by you | | | Standard Contractual Clauses (Article 46(2)(c) UK GDPR) supplemented with the UK Addendum |
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator (including the Information Commissioner’s Office (ICO)) of a breach, whenever we are legally required to do so.
We will keep your personal data for as long as you are our customer.
After you stop being a customer and regularly using our Website and/or our Services, your personal data will only be held until you delete it from your profile or explicitly ask us to delete or remove the personal data we hold. Generally, the personal data is kept for 6 years after your account has been closed. This is to help us deal with any disputes and analyse historic data so that we can identify trends and improve the user experience.
We may use your personal data to tell you about sporting events organised by our event partners as well as other services offered by us.
We can only use your personal data to send you marketing messages if we have either your consent or a legitimate interest to do so.
You can ask us to stop sending you marketing messages at any time – you just need to contact us at info “at” racecheck.com or use the opt-out links on any marketing message sent to you. Alternatively, if you log into your account through our Website, you can control the notifications and email communications.
We do not share your personal data with any third-party company for marketing purposes.
Where you opt out of receiving marketing messages, this will not apply to personal data provided to us as a result of using our Website or any other transaction between you and us.
You have certain rights which are set out in the law relating to your personal data. The most important rights are set out below.
Getting a copy of the information we hold
You can ask us for a copy of the personal data which we hold about you, by writing to us at info “at” racecheck.com. This is known as a data subject access request.
You will not have to pay a fee to access your personal data, unless we believe that your request is clearly unfounded, repetitive or excessive. In such circumstances we can charge a reasonable fee or refuse to comply with your request.
We will try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month and in that case we will notify you and keep you updated.
Telling us if information we hold is incorrect
You have the right to question any personal data we hold about you that you think is wrong or incomplete. Please contact us at info “at” racecheck.com if you want to do this and we will take reasonable steps to check its accuracy and, if necessary, correct it. Alternatively, you can edit the personal data yourself via our Website.
Telling us if you want us to stop using your personal data
You have the right to:
To request any of the above please contact info “at” racecheck.com.
There may be legal reasons why we need to keep or use your data, which we will tell you about if you exercise one of the above rights.
Where we rely on our legitimate interest
In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.
Withdrawing consent
When we process your personal data based on your consent, you can withdraw your consent to us using your personal data at any time. Please contact us at info “at” racecheck.com if you want to withdraw your consent. If you withdraw your consent, we may not be able to provide you with certain services.
Request a transfer of personal data
You may ask us to transfer your personal data to a third party. This right only applies to automated processing for which you initially provided consent for us to use or where we used the personal data to perform a contract with you.
Please let us know if you are unhappy with how we have used your personal data by contacting us at info “at” racecheck.com.
You also have a right to complain to the ICO. You can find their contact details at www.ico.org.uk. We would be grateful for the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Security at Racecheck
Cloud infrastructure security
Racecheck operates as a cloud-based company, with no in-house data centers on-premises and a virtual corporate network infrastructure.
Amazon Web Services
Racecheck's infrastructure is hosted on Amazon Web Services (AWS) data centers, which operate using EU availability zones and are certified by SOC2 and PCI DSS Level 1, among other security certifications. AWS provides several security and privacy features that Racecheck utilises, including carefully configured security groups, isolated virtual private cloud (VPC) environments with well-defined network segmentation, role-based access control, and advanced web application firewall protection. Additionally, all of Racecheck's operating systems, databases, and applications are hardened to minimise vulnerabilities and enhance their overall security. The physical security of our cloud infrastructure is handled by AWS.
Google Cloud
Racecheck utilises Google Cloud Platform to meet certain business needs such as mail, calendars, and video calls.
Vulnerability management
Racecheck has an internal monitoring and reporting system in place to promptly detect any server or service vulnerabilities, bugs, or issues. Additionally, our website is scanned regularly for potential vulnerabilities, and any findings are addressed within specific timeframes based on their severity level.
Architectural design
Our platform follows the design principles of microservices architecture, which involves breaking down the application into a set of loosely coupled services that can be independently developed, deployed, and scaled. This design allows us to automatically scale our platform according to demand.
Data security
All data transmitted to and from our cloud infrastructure is encrypted during transit, and data stored on our cloud infrastructure is protected by firewalls and stored within multiple isolated VPCs. All of our websites are secured using Transport Layer Security (TLS), and we only support data sent via web submissions that utilize HTTPS. To safeguard the protection of personal data, we send emails using TLS. In the event that the recipient's email client does not support TLS, we use the next highest secure protocol that is supported by the client.
Application security
Security is embedded in our DevOps process and Racecheck adheres to the OWASP Top 10 guidelines.