Privacy Policy
Last updated: 26 May 2026
Aitaky SRL ("Aitaky", "we", "us") operates the TakyRace platform. This Privacy Policy explains how we collect, use, and protect your personal data when you create an account or use our services.
1. Data Controller
The data controller for personal data processed through TakyRace is:
Aitaky SRL
Privacy contact:privacy@aitaky.com
2. Data We Collect at Sign-In
When you create an account or sign in, we collect:
- —Full name — to identify you on the platform and in championship standings
- —Email address — for account authentication and transactional messages (confirmation, password reset)
- —Password hash — stored securely by Supabase Auth; your plain-text password is never stored or seen by us
- —Account creation timestamp — for security and audit purposes
If you sign in with Google or Steam, we receive basic identity data from that provider to create or link your account — from Google: your name, email and Google account ID; from Steam: your SteamID and public profile (e.g. avatar and persona name). These providers operate outside the EU (Google and Valve/Steam, United States); this exchange takes place only because you chose that sign-in method, and any transfer is covered by Standard Contractual Clauses. We never receive or store your password for these accounts.
During onboarding (optional), you may also provide:
- —Nickname / Gamertag — displayed publicly in standings
- —Nationality — shown on your driver profile
- —Profile avatar — displayed on your driver profile
- —Short bio — displayed on your driver profile
3. How We Use Your Data
We send marketing or promotional emails only if you have given your explicit opt-in consent (at sign-up or later); you can withdraw that consent at any time via the unsubscribe link or by contacting us, without affecting the rest of the Service. We never sell or share your personal data with third parties for their own commercial purposes.
| Purpose | Legal basis |
|---|---|
| Account creation and authentication | Art. 6.1.b GDPR — performance of a contract |
| Sending transactional emails (confirmation, password reset) | Art. 6.1.b GDPR — performance of a contract |
| Displaying driver standings and profiles | Art. 6.1.b GDPR — performance of a contract |
| Sending optional marketing / product-update emails (only if you opted in) | Art. 6.1.a GDPR — consent (withdrawable at any time) |
| Platform security and abuse prevention | Art. 6.1.f GDPR — legitimate interest |
| Compliance with legal obligations | Art. 6.1.c GDPR — legal obligation |
4. Infrastructure & Sub-processors
Our core infrastructure processes your data within eu-central-1 (Frankfurt, Germany), inside the European Economic Area, under GDPR-compliant data processing agreements (Art. 28 GDPR). Some optional, consent-gated third-party content (video embeds) and payment or future integrations may involve a transfer outside the EEA, always covered by Standard Contractual Clauses (SCCs).
| Provider | Role | Location | Transfer safeguard |
|---|---|---|---|
| Supabase | Database and authentication | eu-central-1, Frankfurt | Within EU/EEA |
| AWS Amplify | Application hosting | eu-central-1, Frankfurt | Within EU/EEA |
| AWS SES | Transactional email delivery | eu-central-1, Frankfurt | Within EU/EEA |
| Video embeds — YouTube, Vimeo, Twitch | Playback of externally-hosted incident videos (loaded only after consent) | United States | Consent + SCCs |
| Stripe (Stripe Payments Europe, Ltd) | Marketplace payments, seller onboarding/KYC and payouts | EU/EEA (Ireland) | Any US transfer under SCCs |
| Simulator APIs (e.g. iRacing) — planned | Import of competitive data (not yet active) | To be determined | SCCs for any non-EU transfer |
Our community Discord is operated by Discord Inc. (US); if you choose to join it, Discord's own privacy policy applies to that off-platform interaction.
5. Data Retention
| Data | Retention period |
|---|---|
| Account data (name, email, profile) | Until you request deletion of your account |
| Authentication logs | 90 days |
| Email delivery logs | 30 days |
6. Your Rights (GDPR)
Under the GDPR, you have the following rights:
- —Access (Art. 15) — request a copy of the personal data we hold about you
- —Rectification (Art. 16) — correct inaccurate or incomplete data
- —Erasure (Art. 17) — request deletion of your account and personal data
- —Portability (Art. 20) — receive your data in a structured, machine-readable format
- —Restriction (Art. 18) — ask us to limit the processing of your data
- —Objection (Art. 21) — object to processing based on legitimate interest
- —Lodge a complaint — with your national data protection supervisory authority
To exercise your rights, contact us at privacy@aitaky.com. We respond within 30 days.
7. Cookies & Local Storage
TakyRace uses only strictly necessary session cookies for authentication, managed by Supabase Auth. No advertising, analytics, or tracking cookies are set without your explicit consent.
8. Changes to This Policy
We may update this Privacy Policy from time to time. If changes are material, we will notify you by email or on the platform. Continued use of TakyRace after the updated effective date constitutes acceptance of the revised policy.
9. Contact
For any privacy-related questions or to exercise your GDPR rights:
Controller:Aitaky SRL
Email:privacy@aitaky.com
TakyRace Privacy Policy — v1.0 — 2026