30 July 2018
Here at Racefully we strive to be straightforward and open about our business practices and to act with integrity at all times. This is especially the case with respect to how we manage and use your personal data.
"Racefully" is the brand we trade under and a registered trade mark of Project X Ltd. The Racefully mobile app (our ‘app’), our website at raceful.ly, which can also be accessed via racefullyapp.com and racefully.com (our ‘website’), our blog at blog.raceful.ly (our ‘blog’) and our pages on Facebook, LinkedIn, Twitter and Instagram, as well as the pages we host at shared.raceful.ly (our ‘social media pages’) are all operated by us, Project X Ltd.
We collect information, including information from which you are personally identifiable (‘personal data’), when you choose to provide it to us and through your use of our services.
We collect personal data that you provide when you: register for our services, create a Racefully user profile, connect any of your social media accounts to our services, connect any third party health or fitness apps (such as Apple Healthkit and Strava), software, wearables or other devices (‘trackers’) to our services, contact us with inquiries, support requests, comments or feedback, make payment for any services that we provide on a paid-for basis, provide information through our services about yourself (for example, in relation to your fitness goals or achievements), post messages, photos or other information through our services, invite your contacts and friends to join Racefully, or participate in any surveys or competitions that we may run.
Please note that it is possible for you to register for a Racefully account and also to connect certain of the services to your Facebook and Google accounts (‘third party services’). If you have consented to allow any of your third party service providers to provide personal data or other information to us, then we may collect that data or information. This information may include your name, profile picture, gender, user ID, and email address. We may use that information to supplement the information we have about you and/or to provide and improve our services.
To enable you to enjoy the social aspects of Racefully as much as possible, you are welcome to invite your contacts, friends and family (‘friends’) to join our community. You can use the app's invite friends feature to send invitations to your friends to download Racefully so that they can connect with you in the app. You can use this feature in a number of ways. Specifically, you can permit the app to list your phone contacts (these remain on your device and we cannot access them in any way) so that you can select friends and send invitations to them, and you can also send invitations to other Racefully users and via social networking and messaging services such as Facebook, Twitter, WhatsApp, Skype, and Slack.
If you use the invite friends feature to send an invitation to a phone contact, we will use their first name, surname and email to send your invitations for you. We retain this data only for purposes of recognising any of your contacts who accept your invitations and register with us, and we delete it if your contact has not accepted your invitation after 90 days. When you use the invite friends feature to invite friends on social media, we create a unique link to Racefully for you to share. We do not see your social media friends' details unless they use the link to download Racefully and then register with us. We only use the friend information that we do collect when you use the invite friends feature for the purposes of sending your invitations on your behalf and for no other purpose. Please do not send invitations to anyone you don't know or who would not consent to you sharing their information in this way so that invitations can be sent to them.
We also collect personal data automatically through your use of the services. To enable us to do this, when you download and run our app, we will be provided with a unique ID that identifies your device to our services. This enables us to recognise and authenticate you when you use the app and allow you to access your data, so that you can use it for example to track and review your activities, set goals and challenges, complete your profile and set your personal settings and privacy preferences.
In order to provide the services, we track your activity and collect the following information: the date and time when you started / finished exercising, your elevation and location while exercising, how far you have gone, the number of steps you have taken (if you have enabled step-tracking), and how long you have been exercising. We collect your elevation and location data so that you can track your exercises and also create and - if you choose to do so - share your routes with other users. If you have connected trackers to our services, we will also automatically collect the data that they make available.
We currently request only very limited data directly through our app that may relate in any way to your health and fitness, and it is entirely optional whether you provide it. Specifically, we collect information about your gender, height and weight if you choose to provide this information in the app Personal Settings. We request this data so that we can calculate and provide you with information relating to your calorie consumption and effort when exercising, and enable you to set and track your progress against your weight goals, if you choose to do this.
We have a partnership with TrainAsONE, the AI run training company (‘TAO’). Together, we have developed an integrated service that allows TAO subscribers to connect their TAO account with their Racefully account, so that they can receive TAO's personalised AI training using Racefully's advanced voice coach narration and wearables integrations. If you are a TAO subscriber and have chosen to connect your TAO account with your Racefully account so that we can provide this service, we will send your GPS tracking data and other activity information to TAO (so that they can analyse your activities and tailor their plans based on your goals and performance) and we will receive from TAO your personalised plans, so that we can deliver them to you.
We do not directly collect any other physical or fitness-related data unless you decide to include it in the free-form text entry section provided when you set other goals on the app or in any other content that you choose to post through our services. We are however able to infer information about your fitness from our understanding of how often you exercise, the terrain and topology of where you exercise and the prevailing environmental conditions, how far you go, your pace, and, if you have provided this information, your gender, height and weight. In addition, if you have connected any other fitness tracker(s) to our services, we will collect the information provided to us by the tracker(s). As trackers become more sophisticated, it is likely that they will provide a more detailed and broader range of information, but currently many devices already monitor the number of steps you take, your cadence and your heart rate. If you have configured your tracker(s) to provide this information to us, we may use it to supplement our understanding of your fitness and to provide and improve the services for you.
While you can use our app purely personally, without using any of Racefully's social features, we firmly believe people get the most out of their fitness activities when they share their experience together. Our app therefore provides many opportunities for social, collaborative or competitive exercise, and participation in group activities through Racefully Tribes. Whether you choose to use any of the social and group features we provide is entirely up to you. If you do use them, we will need to collect and use the data you share to provide the features you have chosen to use. This data may include: sent invitations to join Racefully, time and recipient; accepted invitations and time of acceptance, membership of Racefully Tribes, and participation and performance in Racefully Tribe activities and challenges. Our app also provides social chat and messaging features and as a result, we and the users you chat and message with will have access to the content you share through those services. We do not use this information though except to specifically provide the service you are using.
When you use our services, we may receive or collect information about the devices and services you are using. This information may include the IP address of the device you are using to access the services, browser type, operating system, the referring/exit web page, pages visited, location, date/time stamp, numbers of clicks, your mobile carrier, device information (including mobile phone and/or fitness device and application IDs), search terms, and cookie or other tracking information (‘device and service data’). We may store this data ourselves or it may be included in databases owned and managed by our service providers. In addition, we use Google Analytics as a method of tracking site statistics and user behaviour using the services. We use device and service data and the information provided by Google Analytics, Localytics, Branch and Facebook to better understand our users, their preferences and how they use our services, and to provide and improve our services for our users.
We have designed our services to provide you with significant control over how your data is used. Specifically:
We hope it goes without saying that we will respect the choices you make through the settings you select in the app.
This section describes how your personal data may be shared on our services and with third parties.
Our services are intrinsically social, and therefore when you provide us with certain personal data it may be shared with other users of the services, as well as to other social networks where you have chosen to do this. For example, if you invite a friend to join Racefully on Facebook using the services, the content you choose to share with them on Facebook will be accessible on the Facebook platform.
When you download the app, you will be invited to create a user profile. You will need to provide your name (or nickname), which will be visible to other users as described below, and your email address (we need your email address to be able to identify you and communicate with you, but we do not share it with other users). You will also be able to upload a profile picture, and share your goals if you wish. If you sign in using a social network, we will automatically use your social network profile picture and name in your Racefully user profile.
By default, the following profile data will be viewable by other Racefully users: your name / nickname (ie we will share whichever you have chosen to be known by in the app), profile image if available (ie only if you create one or sign in using a social network), your tribe memberships, the number and type of activities you have tracked on Racefully, and your achievements.
As we've mentioned, Racefully aims to make virtual fitness social, so you can send and accept friend requests through the app. People you have made friends with in this way will be able by default to see: your profile picture, name / nickname (again, only whichever you have chosen to be known by in the app), broad location (city / state level only) as well as your goals, achievements and activities, and activity information, including distance, pace, height gained and lost, and any fitness-related data (such as heart rate) that you have chosen to share with us.
In addition, we host activities that people have shared to social at shared.raceful.ly. Each page on this site has its own unique link (for example, like https://shared.raceful.ly/activities/6608f66a53104786cdf251539f6e980b), so although they're hosted publicly, only people that you have chosen to share your activities with will be able to reach your page with the shared activity on it.
Although we want to help you make your Racefully experience as social as you want it to be, we also respect your privacy and have put you in control of what data you share. You can easily change your privacy settings in the app, so that your data is not shared with other app users, is shared only with friends you have made in the app, or is shared publicly. Please use the privacy settings in the app to make sure you have everything exactly as you want it.
If you use our blog to post images or other content, your user name and time of posting will be shared with anyone using this service. Please always ensure that if you post images of other people, or content relating to them, or from which they may be identified, you have their permission.
As mentioned above, we already offer integrations that allow you to connect your Racefully account with third party services such as Apple Healthkit and TrainAsONE. We continue to develop new integrations so that we can provide you with a rich experience and support as many of your chosen apps and wearables as we can. There is no requirement for you to use such integrations and the decision to do so - or not - is entirely yours. If you do enable an integration, we will share your data (including potentially detailed tracking information, with time and location details) with the relevant third party, and they will share similar data with us. This enables each of us to provide you with the health and fitness data from each of our services that you want to access. We also use such data to understand how you use other third party services and to improve our own services. We do not make the data we receive from these third parties publicly available (unless you choose to do this through Racefully's settings and sharing features) or use it for other purposes. You can also always switch off integrations at any time. If you do so, we will stop sharing data with the relevant third party service provider(s) and they will cease sharing data with us. However, it will not be possible for us to prevent those third parties from using the data you have already shared with them through our services. Please note as well that their use of your data - including data received while the Racefully integration was enabled - will be subject to their privacy policies, so you should check these carefully before using their services or sharing data with them through Racefully.
We use service providers to perform certain services for us. For example, we currently or may in the future use service providers to host our website and databases, manage user communications and provide user support, provide fraud protection and / or credit risk information, process payments, and provide website and data analytics services.
When we hire a service provider to provide services to us, we may need to share access or provide them with certain personal data. However, we only do this to the extent necessary to enable them to perform their services effectively for us and require them to keep all such data secure. More information on the service providers we use is set out in the International transfers section below.
In order to provide the services, we need to share certain information, including personal data, with service providers located outside the EU where data protection standards may be less rigorous. These service providers and the services they provide include: Facebook and Google (to enable user authentication on sign-on to the app), Localytics (to track usage of our app), Crashlytics (to help us diagnose technical issues), Instabug (for bug reporting), QuickBlox and Twilio (for in-app messaging and chat), Firebase (to enable live racing), Branch (to send friend requests and other personalised links back to the app), Mailchimp (to manage our user email database and send communications to you), and Google Analytics (to better understand how our blog and website are used). Each of these providers is contractually bound to keep your data secure and only to use it for the purposes of enabling us to provide the services and, in the case of Facebook and Google, in accordance with the privacy policies or notices they have shared with you in relation to your use of their services.
We may aggregate information about you with information collected from other users of our services or from third parties and analyse it to better understand our users' demographics, interests and behaviours. We may also anonymise and aggregate this information and share it with our affiliates, agents and business partners. Such anonymised and aggregated information will not identify you personally.
Under data protection law, you have important rights with respect to your personal data. These are explained below, and you can also find out more about them here.
You have the right to obtain: (i) confirmation whether your personal data is being processed by us and, if so, (ii) access to your personal data and further information relating to your personal data, including: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; and, where we hold personal data on you which we have not collected from you, any available information as to their source.
You have the right to obtain the rectification of inaccurate personal data concerning you from us and, taking into account the purposes of the processing, the right to have incomplete personal data completed. If we become aware that personal data relating to you is not correct, we will rectify these without undue delay and inform you of this rectification. Please note that you can update much of your information in your account settings.
Although it is not an absolute right, in many circumstances you will have the right to have us delete personal data that we store about you. If you wish to have us delete the personal data we hold on you, please contact us at firstname.lastname@example.org. We will need to verify your identity before considering your request, but will then delete your data except in circumstances where we are legally obliged or entitled not to do so. You should note, however, that we will not be able to delete data that you have chosen to share publicly outside the Racefully platform.
You also have the right to the restriction of processing of your personal data in certain circumstances. These exist where: the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data; the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; we no longer need the personal data for the purposes of the processing, but the data are required by you for the establishment, exercise or defence of legal claims; or you object to any processing we are carrying out based on our legitimate interests, pending the verification whether the legitimate grounds we are relying on override yours.
Where we rely on your consent as the lawful basis of our processing you may revoke your consent for future data processing at any time. However, this does not affect the lawfulness of our processing based on the consent before your revocation. In certain cases, we may continue to process your information after you have withdrawn consent, if we have another legal basis to do so or if your withdrawal of consent was limited to certain processing activities.
You have the right to object at any time to the processing of your personal data for which our legitimate interests are the legal basis, including profiling based on those provisions. You also have the right to object to processing of your personal data for direct marketing purposes.
You have the right to: (i) receive a copy of your personal data in a structured, commonly used and machine-readable format, and (ii) transmit your personal data to another controller without hindrance from us.
You have the right to file a complaint with your local supervisory authority, if you think that our processing of your personal data infringes applicable law.
If you wish to exercise any of your rights, please contact us at email@example.com. We reserve the right to verify who we are dealing with in all circumstances to ensure that any request is genuine and legitimate before we implement it. Once we have done this, we will act promptly to ensure all your rights are fully respected.
Data protection laws stipulate that we may only collect and process your personal data if we have a lawful basis for doing so.
We rely on the following lawful bases for processing your personal data:
We process some of your personal data because it is necessary for the performance of our contract with you. These data include your name, user ID and other basic registration information, any other data that we are required to process in order to provide you with any service that we are contractually obliged to provide to you, together with any payment details you provide, which we need to be able to identify you and know when you signed up for our services, to provide those services to you, and to process any subscription payments or other payments you make for any paid-for services that we provide from time to time.
We process certain personal data that you provide or that we obtain through your use of the services because you have consented to our processing of the data. The types of data we process with your consent include:
We also rely on consent when:
We process other personal data provided by or collected from you because it is necessary for the purposes of our or your legitimate interests and / or the legitimate interests of another party. We rely on the legitimate interests basis for processing your data:
We also rely on legitimate interests when:
In the future, we may transfer your personal data to a purchaser in the context of a business transfer (as described above). Any such transfer will also be made on the basis of legitimate interests.
In certain circumstances, we may also be required to process your personal data where we are subject to a legal obligation to do so, for example in connection with a criminal investigation by a competent law enforcement authority, or to respond to a regulatory investigation or comply with the requirements of a relevant regulatory authority.
We believe there is a material difference between personal data that we collect automatically through your use of the services or you provide to us in the reasonable expectation that it will be kept secure and confidential (for example, your user name and password and credit card information) and information that you provide with the intention that it should be publicly available on any of the services, or which you send to us on an unsolicited basis. We shall therefore be entitled to reproduce, use, share and distribute any content that you post on any of our services that are publicly available (for example, our social media pages), or send to us on an unsolicited basis (for example, new service or product ideas) without attribution or payment of compensation to you.
We cannot and will not be responsible for how any users or third parties use any personal data that you choose to make publicly available on the services. Please therefore always carefully consider what you post publicly and ensure it is appropriate before doing so.
We do not knowingly seek or collect personal data from people under the age of thirteen. If you are under thirteen, please do not use the services. If you are the parent or guardian of a child under the age of thirteen and have reason to believe they have provided personal data to us, please contact us at firstname.lastname@example.org. We may need to request certain information from you to verify your identity. Where we are satisfied that we have been provided personal data by a child under thirteen and you are entitled to ask us as their parent or guardian to delete such data, we will use all reasonable endeavours to do so.
We are legally obliged to take appropriate technical and organisational measures against unauthorised or unlawful processing of your personal data and against accidental loss or destruction of, or damage to, that data. The steps we take include ensuring that technical and organisational procedures and physical security measures are implemented, kept up to date and maintained to protect against unauthorised access to systems on which we store personal data and the unauthorised or accidental loss or disclosure of that data. Specifically, all our data is transmitted using TLS (Transport Layer Security) and stored securely on Amazon's AWS cloud. However, the internet, email and other communications services are not fully secure or error free. You should therefore take special care when deciding whether to share personal data with us or anyone else using these services.
To further protect access to your personal data, you need to set a username and password to be able to access your Racefully account. Please keep these details secure, and change your password regularly to reduce the risk of unauthorised access. You should also take care to limit access to your computer and other internet-connected devices and ensure you have logged out when you have finished using your account. Since you control use of your username and password and access to your devices, we cannot be responsible for any activities that take place using your account.
We store personal data collected as part of our services while you are a user of our services and then for a period of no more than six years from the time that either you delete Racefully from your device and contact us to confirm you have done so or it otherwise becomes apparent that your account has become inactive. This includes data collected and provided to the service during use and data provided to customer support. However, as noted below, if you have made data publicly available on Racefully or on other services through Racefully, this will remain publicly available.
Data used for analytics purposes is retained only in aggregate form after 12 months.
Data you delete from the service may be retained in backups for up to 35 days after deletion.
You can access your information and correct or update it through the services.
If you have any questions about how to do this or about the data we hold about you, please contact us at email@example.com. We may need to request certain information from you to verify your identity before we disclose any personal data to you. Please note that we are unable to share data of any other user with you except if they have chosen to share it through the services with you.
You may choose to cease using the services and delete your profile at any time. If you delete your profile, other people will not be able to see it. Please note, however, that any other data that you have provided or which we have collected through the services will be retained and if you made it publicly available, it will remain publicly accessible.
If you have any other comments or questions, please contact us at firstname.lastname@example.org and we will do our best to respond promptly and helpfully.