This Policy governs the activities of the operator of the RaceMeet mobile application – **Track Lane Eight, P.S.A.** (hereinafter referred to as the “**Operator**,” “**Controller**,” or “**we**”) regarding the processing of personal data of:

• **Users** registered in the RaceMeet mobile application;
• **Athletes** participating in competitions who consent to data publication;
• Individuals featured as characters, experts, and presenters in the Operator's promotional and informational materials;
• Representatives of parties to contracts concluded with the Operator;
• Individuals who have submitted requests (applications, complaints, proposals) or are mentioned in such requests;
• Social media users (hereinafter collectively referred to as the “**Data Subject(s)**”).

This Policy is approved in accordance with **Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation - "GDPR" or "RODO")**.

1. Terms and Definitions

The following terms are used in this Policy with the meanings indicated below (unless otherwise defined in the GDPR):

1.1. Automated Processing – Processing of personal data using computing means.

1.2. Anonymization – Actions that make it impossible to identify a specific data subject from the remaining data.

1.3. Blocking – Temporary suspension of access to or processing of personal data.

1.4. Information Resources – The RaceMeet mobile application and/or the website www.RaceMeet.app.

1.5. Processing of Personal Data – Any operation or set of operations performed with personal data.

1.6. Personal Data – Any information relating to an identified or identifiable natural person (Data Subject).

1.7. User – An individual aged 16 or older who has completed the registration procedure in the RaceMeet application for personal use (viewing, tracking, receiving notifications), whose data is **not subject to public dissemination** in ratings or results.

1.8. Athlete – A User who has additionally applied to participate in a sporting event conducted through the Application and thereby consented to the **dissemination of their data** (name, surname, results) for public rating purposes.

1.9. Last Activity in the RaceMeet Application – Registration, authorization in the account, submission of an application for an event, or filling out profile fields.

1.10. Dissemination of Personal Data – Actions aimed at providing access to personal data to an indefinite circle of persons (applies only to the data of **Athletes**, e.g., publishing ratings).

1.11. Mixed Processing – Processing of personal data both on paper and using computing means.

1.12. Cross-Border Transfer – The transfer of personal data to the territory of a foreign country **outside the European Economic Area (EEA)**.

1.13. Deletion/Destruction – Actions that make it impossible to restore personal data.

2. Purposes, Scope, Legal Basis, and Data Storage Periods

The Operator processes personal data in the following cases:

2.1. Purpose 1 – Account Activity and Provision of Basic Services

2.1.1. Purpose: Creation and administration of a **User or Athlete** account, provision of basic Application services, technical support.

2.1.2. Data Subjects: Users and Athletes.

2.1.3. Data Processed: IP address, date and time of registration/authorization, activity data, device information, first and last name, email address, mobile phone number, vehicle data, **age**. **Please note: data processed for this purpose is not subject to public dissemination.**

2.1.4. Legal Basis: Art. 6(1)(b) GDPR (processing necessary for the performance of a contract - Terms of Service) and **Art. 6(1)(f) GDPR** (legitimate interest) for technical support.

2.1.5. Storage Period: As long as the User/Athlete has an account, and for 3 years after account deletion.

2.2. Purpose 2 – Promotional Mailings (Marketing)

2.2.1. Purpose: Sending promotional and informational materials via email.

2.2.2. Data Processed: Name, email address.

2.2.3. Legal Basis: Art. 6(1)(a) GDPR (Consent).

2.2.4. Storage Period: Until the User withdraws their consent.

2.3. Purpose 3 – Publication of Materials and Rating Formation

2.3.1. Purpose: Preparation and **public dissemination** of results, ratings, photos, and videos related to participation in sporting events (creation of Pilot/Athlete profile).

2.3.2. Data Subjects: **Only Athletes** who have applied to participate.

2.3.3. Data Processed: First name, last name, audio or video interviews, images (**Pilot's photo**, video with sound), **vehicle data (including characteristics and photo), race results, ranking position**.

2.3.4. Legal Basis: Art. 6(1)(b) GDPR (performance of the contract for participation in a public sporting event) and **Art. 6(1)(f) GDPR** (legitimate interest in documenting events).

2.3.5. Storage Period: Long-term for historical records or until a valid request for erasure is processed under the GDPR.

2.4. Purpose 4 – Contractual Relations and Legal Obligations

2.4.1. Purpose: Concluding and executing contracts, complying with legal obligations (tax law, accounting).

2.4.2. Data Processed: Full name, position, contact details, data necessary for accounting.

2.4.3. Legal Basis: Art. 6(1)(b) GDPR (performance of a contract) and **Art. 6(1)(c) GDPR** (compliance with legal obligations).

2.4.4. Storage Period: For the duration of the contract and 5 years after the end of the financial year (in accordance with Polish law).

3. Recipients of Personal Data (Processors and Third Parties)

3.1. Data Processors (on behalf of the Controller):

• **Cloud and Hosting Providers (e.g., Google LLC):** For corporate email, cloud storage, and application hosting. Transfer is based on **Standard Contractual Clauses (SCCs)** approved by the European Commission.
• **Email Service Providers (Marketing Platforms):** For sending marketing emails.
• **Event Organisers / Partners:** For assistance in organising and conducting sporting events (only within the EEA).

3.2. Independent Controllers and Third Parties:

• Banks and payment systems;
• Government authorities (as required by law);
• Social media platforms (when publishing content).

4. Cross-Border Transfer of Personal Data

4.1. We strive to store and process data within the European Economic Area (EEA).

4.2. If data is transferred outside the EEA to a country not deemed "adequate" by the European Commission (e.g., the USA), we apply appropriate safeguards, such as **Standard Contractual Clauses (SCCs)** approved by the European Commission.

4.3. **The Operator guarantees that it does not transfer personal data to the Republic of Belarus.**

5. Data Subject Rights and DPO

5.1. In accordance with the GDPR, Data Subjects have the following rights:

5.1.1. Right of access (Art. 15 GDPR).

5.1.2. Right to rectification (Art. 16 GDPR).

5.1.3. Right to erasure (“Right to be forgotten”) (Art. 17 GDPR).

5.1.4. Right to restriction of processing (Art. 18 GDPR).

5.1.5. Right to data portability (Art. 20 GDPR).

5.1.6. Right to object (Art. 21 GDPR), including an unconditional right to object to direct marketing.

5.1.7. Right to withdraw consent (Art. 7(3) GDPR).

5.1.8. Right to lodge a complaint with a supervisory authority (President of the Personal Data Protection Office - PUODO).

5.1.9. Implementation Procedure: To exercise your rights, please send a request to the Operator's general email or directly to the DPO. We will respond within one month.

5.10. Data Protection Officer (DPO)

The Operator has appointed a Data Protection Officer (DPO). You can contact the DPO regarding all matters related to the processing of your personal data and the exercise of your rights:

DPO Email: **dpo@racemeet.com**

6. Use of Cookies and Other Tracking Technologies

6.1. The Operator **does not use** cookies, web beacons, or similar tracking technologies to collect or store personal data on the RaceMeet.app website or in the mobile application.

7. Final Provisions and Children's Privacy

7.1. The Operator implements and continuously improves organizational and technical measures to protect personal data.

7.2. Issues not regulated in this Policy are governed by the **GDPR** and the **laws of the Republic of Poland**.

7.3. The Operator reserves the right to introduce amendments and/or supplements to this Policy with notification to the Data Subjects.

7.4. Children's Privacy

• The Application may be used for **viewing content without registration** by individuals under 16 years of age (recommended minimum age: 4+). In this case, no personal data is collected.
• For **any registration** (as a basic User or an Athlete), the individual must have reached the age of **16**, or parental/legal guardian permission must be obtained.
• **Procedure for Basic Registration (User < 16):** If a registering user confirms an age **under 16**, the Operator **must** obtain **explicit and verifiable consent** from the parent/guardian for the processing of the minimum set of the child's personal data necessary for authorization and content viewing. Without such confirmed consent, registration will not be completed.
• **Procedure for Creating a Pilot/Athlete Profile (< 16):** Creating a Pilot/Athlete Profile (Purpose 2.3), which involves the **public dissemination** of data, requires **separate, additional, and explicit consent** from the parent/guardian. If a child under 16 attempts to create such a profile, the Operator must request this second, extended consent.

Controller Details:

Track Lane Eight, P.S.A.

Legal Address: Legionowa Street 10, room 208, 15-099 Bialystok, Poland

NIP: 5423505336

General Contact Email: **contact@racemeet.com**

DPO Email: **dpo@racemeet.com**