Privacy Policy

1. Overview

Braking Lab is designed with privacy in mind. The Service consists of a web application, a desktop telemetry capture client for Windows, and an AI-powered Race Engineer. This policy covers all components. The web application requires a free account; your training data is synchronized to your account so it stays available across devices.

2. Data We Collect

3. How We Use Your Data

• Provide and improve the Service
• Sync your data across devices (if enabled)
• Display your iRacing owned content and match it with series schedules (if connected)
• Analyze usage patterns to improve features
• Analyze anonymous hardware usage to optimize support for popular racing peripherals
• Communicate important updates about the Service
• Process telemetry data to generate braking zone analysis, corner analysis, and performance metrics
• Provide AI-powered coaching insights through the Race Engineer when you connect an AI client
• Display your lap times on the public leaderboard if you opt in
• Generate race strategy recommendations from your practice telemetry

4. Data Storage & Security

Account data is stored securely using Supabase infrastructure with encryption at rest and in transit. Telemetry data captured by the desktop client is stored locally before upload, then transmitted to Cloudflare R2 for blob storage and Supabase for metadata indexing. The AI Race Engineer runs on Railway servers. iRacing OAuth tokens, if you choose to connect your account, are encrypted using AES-256-GCM and stored in secure HTTP-only cookies in your browser with a 7-day expiry. We do not store iRacing account data on our servers. We implement industry-standard security measures to protect your information.

5. Data Sharing

We do not sell your personal data. We may share data with: (a) service providers who help operate the Service (Supabase for database hosting, Cloudflare for content delivery and telemetry storage, Railway for AI server hosting, Sentry for error monitoring, PostHog for analytics, Stripe Payments Europe Ltd. for payment processing — Stripe is PCI-DSS Level 1 certified and binds international transfers via Standard Contractual Clauses); (b) law enforcement if required by law; (c) third-party AI providers (such as Anthropic or OpenAI) only when you explicitly authorize access by connecting an AI client via OAuth 2.0 — these providers receive only the data you query through the AI interface; (d) publicly on the leaderboard if you opt in, limited to your display name, lap times, track, and car. All service providers are bound by confidentiality and data-processing agreements.

6. Billing and Payment Data

When you purchase a paid subscription, payment is processed by Stripe Payments Europe, Limited ("Stripe"). To complete a purchase and to comply with our tax and accounting obligations, we collect: your account email, billing name, billing address (country and postal code at minimum), VAT/Tax ID if you provide one, the type of plan and seat count, the amount charged and currency, and Stripe-issued identifiers for the customer and subscription. Full card numbers and other sensitive payment instrument data are entered directly into Stripe's PCI-DSS-compliant systems and are never stored on Braking Lab servers; we only receive a tokenized reference. We may also use Stripe's risk-scoring signals (including IP and device data collected by Stripe at checkout) to detect and prevent fraud. Legal basis for this processing: performance of the contract you enter when you subscribe (Art. 6.1.b GDPR) and compliance with our legal obligations under Spanish tax and accounting law (Art. 6.1.c GDPR). Retention: invoices, accounting records and related billing data are retained for at least six (6) years after the end of the relevant fiscal year, in accordance with Article 30 of the Spanish Commercial Code (Código de Comercio) for accounting records and the four (4) year general statute of limitations under Article 66 of the Spanish General Tax Act (Ley General Tributaria) for VAT; we apply the longer six-year period to cover both. Tokenized customer data held by Stripe is retained per Stripe's own retention policy.

7. AI Processing & Third-Party AI Access

Braking Lab offers an AI Race Engineer feature accessible through third-party AI clients such as Claude, ChatGPT, Cursor, or Windsurf. When you connect an AI client, you authorize it via OAuth 2.0 with PKCE to access your telemetry data through our MCP (Model Context Protocol) server. The AI client can query your sessions, laps, braking zones, corners, and other telemetry data to provide coaching insights. AI processing occurs in an isolated sandbox environment on our servers. We do not push your data to AI providers — the AI client pulls data through authenticated API calls that you initiate. You can revoke AI client access at any time from your account settings. AI-generated coaching reports are stored in your account and are not shared with other users.

8. Desktop Software

The Braking Lab Capture client is optional desktop software for Windows that interfaces with iRacing's telemetry SDK. The client captures telemetry data in real-time during your iRacing sessions and uploads it to our cloud infrastructure. The client communicates only with Braking Lab servers (Supabase and Cloudflare R2) and Sentry for error reporting. The client does not collect browsing data, keystrokes, screenshots, or any information outside of iRacing telemetry. Auto-update functionality may contact our servers to check for and download new versions.

9. Cookies & Analytics

We use essential cookies for authentication, session management and user preferences. We use PostHog for privacy-friendly product analytics to understand how the Service is used; PostHog can be opted out of from your browser. When you start a paid checkout, Stripe sets its own essential cookies on the checkout page for fraud prevention and session continuity; these are required to complete a payment and are governed by Stripe's privacy policy. We do not use marketing or third-party advertising cookies.

10. Your Rights

• Access: Request a copy of your personal data
• Correction: Update inaccurate information
• Deletion: Delete your account and all associated data
• Portability: Export your training data
• Opt-out: Disable cloud sync at any time
• Disconnect: Revoke iRacing connection and delete all locally stored tokens at any time
• Revoke: Revoke AI client access and delete all AI-generated coaching reports at any time
• Lodge a complaint: You have the right to file a complaint with a supervisory authority. In Spain this is the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD), www.aepd.es.

11. Data Retention

We retain your account and training data as long as your account is active. If you delete your account, all associated data — including telemetry blobs stored in Cloudflare R2 — is permanently deleted within 30 days. Billing records (invoices, subscription history, refund records) are retained for at least six (6) years after the end of the relevant fiscal year as required by Spanish accounting and tax law; this applies even after account deletion. Anonymous analytics data may be retained indefinitely in aggregated form.

12. Children's Privacy

The Service is not intended for children under 13. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us.

13. International Transfers

Your data may be transferred to and processed in countries outside your residence, including the European Union (Supabase hosting), the United States (Cloudflare R2, Railway, Stripe), and wherever your chosen AI provider operates. We ensure appropriate safeguards are in place for all international transfers in compliance with applicable data protection laws, including Standard Contractual Clauses with our US-based processors.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on the Service or sending you an email.

15. Automated Decision-Making

The Race Engineer uses AI models to analyze your telemetry data and generate coaching recommendations, braking zone analysis, and race strategy suggestions. These outputs are provided for informational and entertainment purposes only. No automated decisions are made that have legal or similarly significant effects on you. You are not required to follow any AI-generated advice, and we make no guarantees about its accuracy or suitability.

16. Contact Us

For privacy-related questions or to exercise your rights under the GDPR, contact us at hola.rdiaz.racing@gmail.com. The data controller is Roberto Díaz Bartolomé (NIF 71655922-C), Calle Vázquez de Mella 75, 6º D, 33012 Oviedo, Spain. If you believe your rights have not been respected, you may also file a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.