Privacy Policy


September 2023

This Privacy Policy (“Policy”) explains how We collect and process the personal data of natural persons (individuals) who either visit our Website (“Visitors”), use our services for organizing events (“Organizers”) or register for these events (“Participants”) (collectively: “you”). Personal data, or personal information, means any information relating to an identified or identifiable natural person. This includes information that you tell us, what we learn from you and the choices you make about the marketing you want us to send to you. This Policy explains how we do this, what your rights are and how the law protects you.

This Policy applies to any users of our Website at racecheck.com (the “Website”) and/or our services.

  1. Changes to the Privacy Policy

    Your use of our Website and/or our services will be subject to the most current version of this Policy posted on our Website at the time of your use. We recommend that you check the Website from time to time to inform yourself of any changes in this Policy or any of our other terms. However, if we do make changes to this Policy, we will notify you by SMS, email or otherwise.

  1. Who we are and how you can contact us

    We are Racecheck Limited (“We”). We are a company registered in England and Wales under company number 09974171. Our registered office is at Scott House 3.20, London, SE1 7LY.

    You can contact us by email at info “at” racecheck.com. If you need, you can write to us at Scott House 3.20, London, SE1 7LY.

    For the purposes of data protection law, we are data controllers. A data controller is an organisation that determines the purposes and means of processing. Our representative for all queries in relation to this Policy and your data protection rights is Alexandros Tanti.

  1. Where we collect your personal information from

    We may collect personal information about you in the following ways:

    Data you give to us:

    • Data you give to us when you register to use our services and/or our Website
    • When you talk to us on the phone.
    • In emails or letters to us.
    • When you give us feedback on our services.

    Data we collect when you use our Website and/or our services:

    • Profile and usage data, including data we gather from the devices you use to connect to those services such as computers and mobile phones, using cookies

    Data from third parties we work with:

    • Social networks such as Facebook, Twitter or Strava
    • Public information sources, such as Companies House
    • Agents or contractors working on our behalf

  1. Data we collect about you

    We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

    Identity data – name, address, date of birth, city and country of residence and gender

    Contact data – your physical address, your email address and/or social media account(s)

    Financial data – bank account and/or payment card details which are directly dealt with by our payment partners. However, please note that we do not store your payment card details ourselves

    Technical data - your login data, browser type and version, time zone setting and location, and other technology on the devices you use to access our Website

    Profile data - your sports preference, upcoming race calendar, past race history and race finish times

    Third-Party Accounts – Racecheck allows you to sign up and log in to our Website and/or our services using accounts you create with third-party products and services, such as Facebook, Twitter or Strava. If you access our Website and/or our services with Third-Party Accounts we will collect personal data that you have agreed to make available such as your name, email address, profile information and preferences with the applicable Third-Party Account. These personal data are collected by the Third-Party Account provider and are provided to Racecheck under their privacy policies. You can generally control the personal data that we receive from these sources using the privacy controls in your Third-Party Account

    Usage data – information about how you use our Website and/or our Services

    Marketing and communications data – your preferences in receiving marketing from us and our third parties and your communication preferences, by specifying whether you wish to opt in or out

    Organisations data – name, size, location, contact details and event information for the organisation

    We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific Website’s feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Policy.

    We do not collect any special categories of personal data about you. This includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. Nor do we collect any personal data about criminal convictions and offences.

    We do not knowingly process any personal data relating to children. If you are under 16 years, you must not provide us your personal data without the consent of a parent or guardian.

  1. How we use your personal information

    Your personal data are protected by law.

    We are only allowed to use your personal data if we have a legal basis to do so, and we are required to tell you what that legal basis is. We have set out in the table below: the personal data which we collect from you, how we use it, and the legal ground on which we rely when we use the personal data.

    In some circumstances we can use your personal data if it is in our legitimate interest to do so, provided that we have told you what that legitimate interest is. A legitimate interest is when we have a technical, business or commercial reason to use your information which, when balanced against your rights, is justifiable. If we are relying on our legitimate interests, we have set that out in the table below.

    | What we use your personal information for | What personal information we collect | Who is affected | Our legal grounds for processing | Our legitimate interests (if applicable) |
    | --- | --- | --- | --- | --- |
    | To register you as a new user (if you register on our Website and/or for our services) | Identity data; Contact data; Profile data | Organizers; Participants | Performance of our contract with you | N/a. |
    | To process event orders that you have placed | Identity data; Contact data; Profile data; Financial data | Participants | Performance of our contract with you | N/a. |
    | To manage payments or collect and recover money owed to us | Financial data | Organizers; Participants | Performance of our contract with you | To keep our records up to date and ensure payments are being made |
    | To manage our relationship with you, including notifying you about changes to our terms and/or this Policy | Identity data; Contact data; Profile data | Organizers; Participants | Performance of our contract with you; Necessary to comply with a legal obligation; Legitimate interests | To keep records up-to-date and ensure that the business is being run efficiently |
    | To manage relationships with our business / events partners | Identity data; Contact data | Organizers; Participants | Legitimate interests | Developing our services, and what we charge for them. To assess the health of our relationships with business / event partners |
    | To administer and protect our business and our website/app | Technical data | Organizers; Participants | Legitimate interests | Running our business, provision of administration and IT services, network security |
    | To administer our services | Identity data; Contact data; Profile data | Organizers; Participants | Performance of our contract with you; Legitimate interests | To ensure the business is being run effectively and efficiently |
    | To use data analytics to improve our Website, our services, including marketing, customer relationships and experiences | Technical data; Usage data; Profile data | Visitors | Legitimate interests | To define types of users for our services, to keep our Website updated and relevant, to develop our business and to inform our marketing strategy |
    | To make suggestions and recommendations to you about events that may be of interest to you | Identity data; Contact data; Marketing and communications data; Profile data | Participants | Legitimate interests | To develop our services, our Website and grow our business |
    | To allow for displaying the participants’ reviews of sporting events on our Website and that of Organisers | Identity data; Events attended; Review contents | Participants | Consent | N/a. |

  1. Who we share your personal information with

    Recipients

    We may share your personal information with any of the following organisations, for the purposes of providing the services which you have requested from us:

    • Organisers
    • Agents and advisers that we use
    • Developers and other service providers of event organisers
    • Third parties who provide services to Racecheck, such as providing IT services to us, supporting and improving our services, promoting our services, processing payments, or fulfilling event booking requests. These service providers will only have access to the personal data necessary to perform these limited functions on our behalf and are required to protect and secure your personal data.

    A data processor is an organisation that processes personal data on behalf of the data controller. We currently use the following data processors:

    • Sengrid.com are our email service providers. Opted-in athlete users are automatically added to a GDPR opt-in emailing list which can be used for marketing purposes;
    • Intercom.com are our chat support system for Organisers only, used to improve user experience and provide live help when needed. Intercom collects basic data to identify users and facilitate customer support;
    • Mixpanel.com, Hubspot, Google Analytics and Hotjar are used for analytics and performance reporting purposes, collecting website visitor data via cookies. We use these analytics platforms to study user behaviour and improve user experience; and
    • Event organizers and their service providers.

    You can find details of how these third parties use your personal data by looking at their privacy- or data protection policies, all of which should be available on the relevant websites, or on request.

    We require all organisations who we share your personal data with to respect the security of your personal data and to treat it in accordance with the law. We do not allow any of our service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

    Publicly Available Information

    Your personal data and content may be publicly accessible to, and searchable by, other Racecheck users. However, you will be able to make your account private so that only Racecheck can view and access your profile. We provide a variety of tools to control the sharing of your personal data.

  1. What if you do not provide your data?

    Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to submit the event entry request for the event you wish to take part in). In this case, we may have to cancel the service you have with us, but we will notify you if this is the case at the time.

  1. Third party links

    Our Website may include links to third party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share your personal data. We do not control these third-party websites and are not responsible for their privacy- or data protection statements. When you leave our Website, we encourage you to read the relevant notices or policies of every website you visit.

  1. Transferring your personal information outside the EEA and/or UK

    Any reviews that you submit will be deemed to have been made public and therefore your name (first name and initial of your last name) and review will be accessible from anywhere in the world. In this context, these personal data may be shared with service providers in countries which do not provide a level of protection for personal data that is comparable to that offered in the EEA or the UK.

    The EEA is the European Economic Area, which consists of the EU Members States, Iceland, Liechtenstein and Norway. If we transfer your personal data outside the EEA and/or the UK, and unless the country of destination is recognised as providing an adequate level of protection under applicable data protection rules, we will take necessary measures to ensure that the recipient provides sufficient safeguards for the protection of your personal data, including by entering into contracts approved by the responsible data protection authorities.

    We currently transfer the following personal data outside the EEA/UK:

    | What personal data we share | Who is affected | Recipients and destinations | Our legal safeguards for transferring personal data |
    | --- | --- | --- | --- |
    | Identification data (name, pseudonym), date of birth, personal comments and reviews of a specific sporting event, any other information voluntarily provided by you | Participants; Contact persons of Organiser | Organizers (worldwide) | Standard Contractual Clauses (Article 46(2)(c) UK GDPR) supplemented with the UK Addendum |

  1. Data Security

    We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

    We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator (including the Information Commissioner’s Office (ICO)) of a breach, whenever we are legally required to do so.

  1. How long do we keep your personal information

    We will keep your personal data for as long as you are our customer.

    After you stop being a customer and regularly using our Website and/or our Services, your personal data will only be held until you delete it from your profile or explicitly ask us to delete or remove the personal data we hold. Generally, the personal data is kept for 6 years after your account has been closed. This is to help us deal with any disputes and analyse historic data so that we can identify trends and improve the user experience.

  1. Marketing

    We may use your personal data to tell you about sporting events organised by our event partners as well as other services offered by us.

    We can only use your personal data to send you marketing messages if we have either your consent or a legitimate interest to do so.

    You can ask us to stop sending you marketing messages at any time – you just need to contact us at info “at” racecheck.com or use the opt-out links on any marketing message sent to you. Alternatively, if you log into your account through our Website, you can control the notifications and email communications.

    We do not share your personal data with any third-party company for marketing purposes.

    Where you opt out of receiving marketing messages, this will not apply to personal data provided to us as a result of using our Website or any other transaction between you and us.

  1. Your rights

    You have certain rights which are set out in the law relating to your personal data. The most important rights are set out below.

    Getting a copy of the information we hold

    You can ask us for a copy of the personal data which we hold about you, by writing to us at info “at” racecheck.com. This is known as a data subject access request.

    You will not have to pay a fee to access your personal data, unless we believe that your request is clearly unfounded, repetitive or excessive. In such circumstances we can charge a reasonable fee or refuse to comply with your request.

    We will try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month and in that case we will notify you and keep you updated.

    Telling us if information we hold is incorrect

    You have the right to question any personal data we hold about you that you think is wrong or incomplete. Please contact us at info “at” racecheck.com if you want to do this and we will take reasonable steps to check its accuracy and, if necessary, correct it. Alternatively, you can edit the personal data yourself via our Website.

    Telling us if you want us to stop using your personal data

    You have the right to:

    • object to our use of your personal data (known as the right to object); or
    • ask us to delete the personal data (known as the right to erasure); or
    • request the restriction of processing; or
    • ask us to stop using it if there is no need for us to use it (known as the right to be forgotten).

    To request any of the above please contact info “at” racecheck.com.

    There may be legal reasons why we need to keep or use your data, which we will tell you if you exercise one of the above rights.

    Where we rely on our legitimate interest

    In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.

    Withdrawing consent

    When we process your personal data based on your consent, you can withdraw your consent to us using your personal data at any time. Please contact us at info “at” racecheck.com if you want to withdraw your consent. If you withdraw your consent, we may not be able to provide you with certain services.

    Request a transfer of personal data

    You may ask us to transfer your personal data to a third party. This right only applies to automated processing for which you initially provided consent for us to use or where we used the personal data to perform a contract with you.

  1. Making a complaint

    Please let us know if you are unhappy with how we have used your personal data by contacting us at info “at” racecheck.com.

    You also have a right to complain to the ICO. You can find their contact details at www.ico.org.uk. We would be grateful for the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

  1. Cookies

    We and/or third parties use cookies and other tracking technologies on our Website.

    View our Cookie Policy for further information on how we use cookies and to reset your preferences.

  1. Security at Racecheck

    • Cloud infrastructure security

      Racecheck operates as a cloud-based company, with no in-house data centers on-premises and a virtual corporate network infrastructure.

    • Amazon Web Services

      Racecheck's infrastructure is hosted on Amazon Web Services (AWS) data centers, which operate using EU availability zones and are certified by SOC2 and PCI DSS Level 1, among other security certifications. AWS provides several security and privacy features that Racecheck utilises, including carefully configured security groups, isolated virtual private cloud (VPC) environments with well-defined network segmentation, role-based access control, and advanced web application firewall protection. Additionally, all of Racecheck's operating systems, databases, and applications are hardened to minimise vulnerabilities and enhance their overall security. The physical security of our cloud infrastructure is handled by AWS.

    • Google Cloud

      Racecheck utilises Google Cloud Platform to meet certain business needs such as mail, calendars, and video calls.

    • Vulnerability management

      Racecheck has an internal monitoring and reporting system in place to promptly detect any server or service vulnerabilities, bugs, or issues. Additionally, our website is scanned regularly for potential vulnerabilities, and any findings are addressed within specific timeframes based on their severity level.

    • Architectural design

      Our platform follows the design principles of microservices architecture, which involves breaking down the application into a set of loosely coupled services that can be independently developed, deployed, and scaled. This design allows us to automatically scale our platform according to demand.

    • Data security

      All data transmitted to and from our cloud infrastructure is encrypted during transit, and data stored on our cloud infrastructure is protected by firewalls and stored within multiple isolated VPCs. All of our websites are secured using Transport Layer Security (TLS), and we only support data sent via web submissions that utilize HTTPS. To safeguard the protection of personal data, we send emails using TLS. In the event that the recipient's email client does not support TLS, we use the next highest secure protocol that is supported by the client.

    • Application security

      Security is embedded in our DevOps process and Racecheck adheres to the OWASP Top 10 guidelines.