Privacy Policy
Last updated: December 19, 2025
Data Controller:
Kornel Miszczak
ul. Stefczyka 99, 34-116 Bachowice
NIP: 5512651565, REGON: 520239649
E-mail: hello@racethon.com
This Privacy Policy sets out the rules for processing personal data of customers and users of the website https://www.racethon.com ("Website") and the Racethon mobile application ("App"). This document also forms part of the Terms of Service, available at: https://www.racethon.com/terms.html. Consent to the processing of personal data is voluntary, but in some cases necessary to use the services.
1. Data processed on the Website and in the App
We obtain personal data directly from the user when placing an order, registering an account, subscribing to the newsletter, or using the App.
1.1. Data when placing an order
We process the following data to fulfill orders:
- first and last name,
- email address,
- phone number,
- delivery address (for Silver and Gold packages),
Art. 6(1)(b) GDPR - performance of a contract,
Art. 6(1)(c) GDPR - accounting and tax obligations.
1.2. Data in the mobile App
We process:
- account data (email, name),
- delivery address (for Silver and Gold packages),
- training data and statistics,
- challenge completion progress,
Art. 6(1)(b) GDPR - provision of services available in the App.
1.3. Payment data
Payment processing is handled by Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA.
- Card data (number, expiration date, BLIK, CVV) is not stored on our servers.
- CVV is never stored.
- Card number and expiration date may only be stored locally on the user's device, without access from our side.
Stripe processes data in accordance with PCI DSS and its own policy: https://stripe.com/privacy
Art. 6(1)(b) GDPR - payment processing,
Art. 6(1)(f) GDPR - ensuring transaction security.
1.4. Newsletter
We process the email address for the purpose of sending a newsletter containing information about new challenges, promotions, and updates.
Art. 6(1)(a) GDPR - consent,
Art. 10 of the Act on Providing Services by Electronic Means - consent to receive commercial information electronically.
1.5. Voluntary nature of providing data
- Providing data when placing an order is necessary to conclude and perform the contract. Failure to provide data prevents placing an order.
- Providing data for the newsletter is voluntary.
- Consent to analytical and marketing cookies is voluntary and does not affect the ability to use the Website.
2. Analytical, marketing tools, and notifications
2.1. Google Analytics 4
Service provided by Google LLC (USA). Processed data includes:
- how the Website and App are used,
- page views, clicks, session duration,
- device type and operating system.
Google Privacy Policy: https://policies.google.com/privacy
Art. 6(1)(a) GDPR - consent to analytical cookies.
2.2. Hotjar
Service provided by Hotjar Ltd (Malta) for analyzing user behavior and improving UX quality.
Art. 6(1)(a) GDPR - consent.
2.3. Firebase (Google)
The App uses Firebase services, including:
- Firebase Analytics,
- Firebase Crashlytics,
- Firebase Cloud Messaging (push notifications).
Processed data may include:
- device identifier,
- technical application data,
- error information,
- push notification token.
Firebase Privacy Policy: https://firebase.google.com/support/privacy
Firebase Analytics - Art. 6(1)(a) GDPR (consent),
Firebase Cloud Messaging (push notifications) - Art. 6(1)(a) GDPR (user consent to receive notifications),
Firebase Crashlytics (error diagnostics) - Art. 6(1)(f) GDPR (legitimate interest of the controller in ensuring App stability).
3. Data recipients
Data may be transferred to third parties to the extent necessary for the provision of services:
- Stripe, Inc. (USA) - payment processing,
- MailerLite Limited (Ireland) - newsletter,
- InPost sp. z o.o., InPost Paczkomaty sp. z o.o., Integer.pl S.A. (Poland) - shipping of rewards,
- Google LLC (USA) - Google Analytics 4 and Firebase,
- Hotjar Ltd (Malta) - website behavior analytics.
4. Transfer of data outside the EEA
Data may be transferred to third countries (including the USA) in connection with the use of Google services (GA4, Firebase) and Stripe.
Transfer is based on:
- European Commission decision of July 10, 2023, establishing an adequate level of data protection in the USA (EU-US Data Privacy Framework) - for certified entities,
- Standard Contractual Clauses (SCC) - as supplementary safeguards.
The user may obtain a copy of the safeguards used by writing to: hello@racethon.com
5. Cookies
Before loading analytical and marketing cookies, we display a banner allowing category selection. These cookies are not installed before consent is given.
The Website uses cookies for the following purposes:
Necessary (do not require consent):
- proper functioning of the Website,
- order processing,
Analytical (require consent):
- Google Analytics 4,
- Hotjar.
Marketing (require consent).
Social:
- integration with social media platforms (e.g., share buttons).
The user may change or withdraw consent at any time through browser settings or the cookie banner.
6. User rights
The user has the right to:
- access to data,
- rectification of data,
- erasure of data ("right to be forgotten"),
- restriction of processing,
- data portability,
- object to processing,
- object to profiling for direct marketing purposes,
Complaints may be filed with:
President of the Personal Data Protection Office (UODO)
ul. Stawki 2, 00-193 Warsaw
6.1. Deleting an account in the Racethon App
To delete an account in the Racethon app, you must:
- Send an email to hello@racethon.com requesting account deletion.
- Enter "Account deletion" in the subject line.
- Include the email address associated with the account in the App in the message body.
The request will be processed within 14 business days of receiving the message.
Data that will be deleted:
- account data (email, name),
- delivery address,
- training data and statistics,
Data that may be retained:
- accounting and invoicing data - for 5 years from the end of the tax year (legal obligation),
- order-related data - until the expiration of claims (maximum 6 years).
7. Data retention period
| Data category | Retention period |
|---|---|
| Newsletter | until unsubscription |
| Orders | until expiration of claims |
| Accounting data | 5 years from end of tax year |
| Account data and App data | until account deletion or deletion request |
| Google Analytics | 26 months |
8. Automated decision-making
We do not make automated decisions within the meaning of Art. 22 GDPR. Marketing analytics may include basic statistical segmentation, which does not produce legal effects or significantly affect the user.
9. Contact
For matters regarding personal data, please contact:
E-mail: hello@racethon.com
We respond to messages within 14 business days.