Privacy Policy
1. Controller
The controller of your personal data within the meaning of the EU General Data Protection Regulation (GDPR) is pending registration, pending registration, pending registration pending registration, Sweden, contact support@pace-ly.com. We have not appointed a Data Protection Officer because we are not required to under Article 37 GDPR.
2. What we collect and why
| Category | Source | Legal basis | Retention |
|---|---|---|---|
| Account identifiers — Discord ID, name, avatar URL, email | Discord OAuth on first sign-in | Art. 6(1)(b) — performance of the contract (operating your account) | Until account deletion + 30 days |
| Billing data — Stripe customer ID, subscription status, period dates | Stripe webhooks; we never see your card number | Art. 6(1)(b) — contract; Art. 6(1)(c) — bookkeeping obligation | 7 years from end of fiscal year (Bokföringslagen 7:2) |
| Telemetry — throttle, brake, steering, suspension, tyre, etc. (in-sim only) | Pace-ly Client reads iRacing shared memory and uploads it | Art. 6(1)(b) — to provide the analysis service | 24 months unless you delete sooner |
| AI chat transcripts and driver feedback | You, by chatting with Pace-ly | Art. 6(1)(b) | 12 months unless you delete sooner |
| Technical data — IP address, user-agent, request logs | Your browser and the live-client connecting to our edge | Art. 6(1)(f) — legitimate interest in security and abuse prevention | 90 days |
| Consent records — timestamp, IP, document version, hash | Captured when you accept ToS/Privacy | Art. 6(1)(c) — to demonstrate compliance with GDPR Art. 7(1) | Lifetime of account + 6 years (statute of limitations) |
3. Recipients and sub-processors
We share personal data only with the sub-processors listed at /subprocessors. In summary:
- Discord Inc. — identity provider for OAuth sign-in (US, SCCs).
- Stripe Payments Europe Ltd. — payment processing (Ireland, intra-EEA).
- Anthropic PBC — AI inference for the race-engineer feature (US, SCCs). Anthropic does not train on API inputs by default.
- Cloudflare Inc. — edge hosting, D1 database, R2 telemetry storage. We configure R2 to keep EU users’ data in EU jurisdictions (SCCs apply).
4. International transfers
Where personal data leaves the EEA (Anthropic, Discord, Cloudflare US), transfers rely on the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, where applicable, supplementary technical measures (encryption in transit, encryption at rest). Data processing agreements (DPAs) are stored and available on request to support@pace-ly.com.
5. Your rights under GDPR
You have the right to: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and objection (Art. 21). For access/portability you can use the self-service download at /account/privacy; for everything else email support@pace-ly.com. We respond within one month (Art. 12(3)).
You may withdraw any consent you have given at any time without affecting the lawfulness of past processing. You may lodge a complaint with the Swedish supervisory authority Integritetsskyddsmyndigheten (IMY) at imy.se, or with the data protection authority of your habitual residence.
6. Automated decision-making and AI
Pace-ly uses an AI model (Anthropic Claude) to generate setup advice and driving observations. This is not automated decision-making within the meaning of Article 22 GDPR — no legal or similarly significant effect is produced for you, and the output is advisory only, requiring your own action to apply. See /ai-disclosure for the full disclosure.
7. Security
Data is encrypted in transit (TLS) and at rest (Cloudflare-provided encryption for D1 and R2). Access to production systems is restricted to the founder. See /legal-security for our security and vulnerability disclosure policy.
8. Children
The Service is not directed at persons under 18. We do not knowingly collect personal data from minors. If you believe a minor has used the Service, please contact support@pace-ly.com and we will delete the account.
9. Cookies
The Service uses a single strictly-necessary session cookie set by our authentication system. We do not use analytics, advertising or tracking cookies. See /cookies.
10. Changes to this Policy
We may update this Policy. The version and date are shown above. For material changes affecting your rights we will notify you by email or in-product banner.