Privacy Policy — Runtime Racing

Strategia-X ("Strategia-X," "we," "us," or "our") operates the Runtime Racing mobile application for Android phones and Wear OS smartwatches (collectively, the "App"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the App.

We are committed to protecting your privacy and complying with applicable data protection laws, including the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the California Online Privacy Protection Act (CalOPPA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and other applicable state, federal, and international privacy laws.

Developer: Strategia-X / Rocky Stack
Package Name: com.runtime.racing
Website: www.strategia-x.com
General Inquiries: [email protected]
Privacy & Support: [email protected]

By installing, accessing, or using Runtime Racing, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use the App.

We collect the following categories of information:

1.1 Account Information

When you sign in to the App using Google Sign-In or Apple Sign-In, we collect:

• Email address
• Display name
• Profile photo URL
• Authentication provider (Google, Apple, or email/password)
• Account creation and last sign-in timestamps

1.2 Precise Location Data

Runtime Racing is a motorsport telemetry application. Precise GPS location data is a core function of the App. We collect:

• GPS coordinates (latitude and longitude) at up to 10 times per second during active recording sessions
• Altitude above sea level
• Speed derived from GPS position changes
• Compass bearing (direction of travel)
• GPS accuracy metrics

Important: Location data is collected continuously during recording sessions, including when the App is in the background or the device screen is off (via a foreground service). Background location access is required to prevent data loss during active motorsport sessions and will only operate when you have an active recording session running.

1.3 Sensor and Telemetry Data

During recording sessions, we collect data from your device's hardware sensors:

• Accelerometer data — linear acceleration forces in three axes, used to calculate lateral and longitudinal G-forces
• Gyroscope data — angular velocity in three axes, used to calculate lean angle and pitch
• Rotation vector — device orientation, used for lean angle calculation (relevant to motorcycle use)
• Magnetometer data — magnetic field readings used for compass heading

This sensor data is combined ("fused") with GPS data to produce comprehensive telemetry snapshots at approximately 60 times per second.

1.4 Camera and Audio Data

If you enable video recording:

• Video footage captured by the device camera during recording sessions
• Audio captured by the device microphone (only when audio recording is enabled in settings; you may disable this at any time)

Video and audio data is stored locally on your device. It is uploaded to our cloud servers only if you explicitly choose to sync a session to the cloud.

1.5 Biometric Data (Heart Rate)

If you use the Wear OS companion app with a compatible smartwatch:

• Heart rate (beats per minute) measured by the watch's optical heart rate sensor
• Heart rate accuracy indicator
• Heart rate data is transmitted from the watch to the phone via the Wearable Data Layer API and may be included in session telemetry

Heart rate data is classified as biometric information under certain privacy laws (including the CCPA/CPRA). We collect this data only with your explicit permission and only during active recording sessions.

1.6 Vehicle Data (OBD-II)

If you connect an OBD-II diagnostic adapter via Bluetooth:

• Engine RPM, vehicle speed, throttle position
• Engine coolant temperature, intake air temperature, oil temperature
• Turbo/supercharger boost pressure
• Fuel tank level, mass air flow rate
• Engine load, ignition timing advance
• Diagnostic trouble codes (vehicle fault codes)
• Additional vehicle parameters (up to 60+ diagnostic parameters)

OBD-II vehicle data is stored locally on your device and is not uploaded to our cloud servers.

1.7 External Sensor Data (Bluetooth)

If you connect external Bluetooth sensors:

• Heart rate monitors: Heart rate in BPM
• Tire Pressure Monitoring System (TPMS) sensors: Tire pressure (PSI) and tire temperature per wheel position
• External GPS modules: Higher-accuracy GPS coordinates and speed
• Lap timing beacons: Lap trigger signals for precise timing

External sensor data is processed locally and integrated into your session telemetry. Bluetooth device names, addresses, and battery levels are used locally for connection management and are not uploaded.

1.8 Device Information

We collect the following device information when you submit feedback through the App:

• Device model and manufacturer
• Android operating system version and SDK level
• Available system RAM
• Battery level
• App version and build number

1.9 Usage and Behavioral Data

When you submit feedback, we collect contextual information to help us diagnose issues:

• The screen you were viewing at the time of feedback submission
• Whether a recording session was active
• The last 10 in-app user interaction events (e.g., "tapped start," "opened settings")
• Any recent application error messages

1.10 User-Generated Content

You may provide the following content through the App:

• Feedback messages — free-text descriptions submitted via the in-app feedback form
• Screenshots — screen captures attached to feedback submissions
• Social profile information — display name, username, biography, location, vehicle information, and social media links
• Social posts, comments, and chat messages — content you create in the activity feed, comments on posts, and live stream chat
• Session notes — free-text notes you attach to recorded sessions

1.11 Anonymized Driving Analytics

After you complete 5 or more recording sessions, the App generates a "Driver DNA" profile that classifies your driving style. We upload anonymized driving statistics to our servers for population comparison purposes:

• Five numerical driving dimension scores (braking, cornering, throttle, apex consistency, line consistency)
• Three categorical driving style classifications (braking profile, cornering profile, throttle profile)
• Total session count
• Upload timestamp

This data is uploaded with a randomly generated identifier that is not linked to your account, device, or any personal information. We cannot re-identify you from this anonymized data. However, we disclose that the combination of driving style scores could theoretically be quasi-identifiable in a very small user population.

1.12 Social and Community Data

If you use social features, we collect:

• Friend connections (friend requests sent, accepted, or blocked)
• Leaderboard submissions (lap times, vehicle class, verification status)
• Activity feed interactions (posts, likes, comments, bookmarks, content reports)
• Challenge participation data
• Online presence status (online/offline, last seen, current activity)

1.13 Live Streaming Data

If you host or join a live telemetry streaming session:

• Real-time GPS coordinates streamed at up to 10 times per second to session viewers
• Real-time speed, G-force, lap timing, and lean angle data
• Chat messages exchanged during the session
• Viewer identity (display name, role, connection timestamp)

Important: During live streaming, your precise real-time location is visible to anyone who has your session code. Only share your session code with trusted individuals.

We collect information through the following methods:

• Directly from you — Account credentials, profile information, feedback text, social content, session notes, settings preferences
• Automatically from your device — GPS location, sensor data (accelerometer, gyroscope, magnetometer, rotation vector), camera, microphone, device information
• From connected external devices — OBD-II vehicle data, Bluetooth sensor readings (heart rate, TPMS, GPS, lap beacons), Wear OS heart rate
• From third-party authentication providers — Google account information (name, email, photo) or Apple account information (name, email) when you sign in
• Derived or computed — G-force calculations, driving style classifications, skill scores, improvement recommendations, theoretical best lap times

We use the information we collect for the following purposes:

• Core App functionality — Recording telemetry sessions, calculating lap times, displaying gauges and overlays. Data used: Location, sensor data, camera/audio. Legal basis: Contract performance; Legitimate interest.
• AI coaching and analysis — Generating voice coaching cues, driving improvement recommendations, session grades. Data used: Location, sensor data, session history. Legal basis: Contract performance.
• Driver DNA profiling — Classifying your driving style and generating personalized training plans. Data used: Sensor data, session history. Legal basis: Consent; Legitimate interest.
• Population comparison — Calculating your percentile ranking among other drivers. Data used: Anonymized driving scores. Legal basis: Legitimate interest.
• Ghost racing — Overlaying previous lap data for real-time comparison. Data used: Location, telemetry history. Legal basis: Contract performance.
• Live streaming — Broadcasting telemetry to crew/coaches in real time. Data used: Location, telemetry, chat messages. Legal basis: Consent.
• Cloud sync — Backing up sessions across devices. Data used: Session data, telemetry, video. Legal basis: Consent.
• Social features — Leaderboards, activity feed, friend connections, challenges. Data used: Account info, session results, social content. Legal basis: Consent; Contract performance.
• External device integration — Enhancing telemetry with OBD-II, sensors, cameras. Data used: Vehicle data, sensor data, camera media. Legal basis: Contract performance.
• Wear OS companion — Displaying telemetry on your smartwatch. Data used: Telemetry, session state, heart rate. Legal basis: Contract performance.
• Data export — Generating PDF reports, CSV, and MoTeC files. Data used: Session data, telemetry, driver profile. Legal basis: Contract performance.
• Feedback and support — Diagnosing bugs, responding to your reports. Data used: Feedback text, screenshots, device info, usage context. Legal basis: Legitimate interest.
• App improvement — Understanding usage patterns, improving features. Data used: Anonymized aggregate statistics. Legal basis: Legitimate interest.
• Account management — Authentication, authorization, account preferences. Data used: Account info, settings. Legal basis: Contract performance.

We do NOT use your information for:

• Advertising or ad targeting
• Selling your personal data to third parties
• Profiling for purposes unrelated to the App's motorsport functionality
• Automated decision-making with legal or similarly significant effects

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data under the following legal bases:

• Performance of a contract (Article 6(1)(b)) — Core telemetry recording, lap timing, data export, account management, coaching features you subscribe to.
• Consent (Article 6(1)(a)) — Location data collection, camera/microphone access, heart rate monitoring, live streaming, cloud sync, social features, anonymized analytics upload. You may withdraw consent at any time.
• Legitimate interests (Article 6(1)(f)) — App improvement based on anonymized data, feedback processing for bug fixes, fraud prevention on leaderboards. Our legitimate interests do not override your fundamental rights and freedoms.

Special Category Data: Heart rate data constitutes health data under GDPR Article 9. We process this data only with your explicit consent (Article 9(2)(a)), which you provide by granting the BODY_SENSORS permission and enabling heart rate monitoring.

5.1 Service Providers

We use Google Firebase as our primary backend infrastructure. The following Firebase services process your data:

• Firebase Authentication — Processes email, name, and photo URL for user identity and sign-in.
• Cloud Firestore — Processes session metadata, social data, leaderboards, feedback, and DNA statistics for cloud storage and real-time sync.
• Realtime Database — Processes live streaming telemetry and chat for low-latency real-time data delivery.
• Cloud Storage — Processes telemetry files, video recordings, and screenshots for binary file storage.

Google processes data as a data processor on our behalf under Google's Data Processing Terms. For more information, see Google's Privacy Policy and Firebase Data Processing Terms.

5.2 Other Users (Social Features)

If you use social features, certain information is visible to other users:

• Leaderboards — Display name, lap time, vehicle class, verification status. Opt-in via privacy settings.
• Activity feed — Posts, achievements, session highlights. Configurable: Public, Friends, or Private.
• Friend connections — Display name, username, avatar, online status. Controllable via privacy settings.
• Live streaming — Real-time location, telemetry, chat messages. Only visible to users with your session code.
• Presence status — Online/offline, current track. Controllable via privacy settings.

5.3 We Do NOT Sell Your Personal Information

We do not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration. This applies to all users, including California residents under the CCPA/CPRA.

We do not share your personal information for cross-context behavioral advertising.

5.4 Legal Requirements

We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to:

• Comply with a legal obligation, subpoena, court order, or legal process
• Protect and defend the rights or property of Strategia-X
• Prevent or investigate possible wrongdoing in connection with the App
• Protect the personal safety of users of the App or the public
• Protect against legal liability

5.5 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via the App or email before your information becomes subject to a different privacy policy.

We retain your data according to the following schedule:

• Account information — Until account deletion. Deleted when you delete your account.
• Local session data — Until you delete it. Stored on your device; you control deletion.
• Cloud-synced sessions — Until you delete them or delete your account. You may delete individual sessions.
• Telemetry recordings — Same as session data. Part of session records.
• Video recordings — Stored locally until you delete them. Uploaded to cloud only if you choose to sync.
• Feedback submissions — 2 years. Retained for product improvement; deleted after 2 years.
• Anonymized DNA statistics — Indefinitely. Cannot be linked to you; used for aggregate population comparison.
• Leaderboard entries — Until you delete them or delete your account. Public records may persist in cached views.
• Social content — Until you delete it or delete your account. Posts, comments, and chat messages.
• Live streaming data — Automatically deleted when session ends. Real-time data is ephemeral.
• Device information — Same as feedback submissions. Collected only with feedback.

Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., resolving disputes, enforcing agreements).

We implement appropriate technical and organizational measures to protect your personal information:

• Encryption in transit: All data transmitted between the App and Firebase servers uses TLS 1.2 or higher encryption.
• Encryption at rest: Firebase encrypts all stored data at rest using AES-256 encryption.
• Authentication: Access to cloud data requires authenticated sessions via Firebase Authentication with OAuth 2.0.
• Access controls: Cloud data is organized per user and protected by Firebase Security Rules that enforce user-level access control.
• Local storage: On-device data is stored in the App's private storage directory, protected by the Android operating system's application sandboxing.
• Anonymization: Population driving statistics are uploaded with random identifiers that cannot be linked to user accounts.
• No unnecessary collection: We do not collect analytics, crash reporting, or advertising identifiers. The App contains no third-party analytics, advertising, or tracking SDKs.
• Release builds: Production builds use code minification (ProGuard/R8) and resource shrinking.

Important disclaimer: While we take reasonable measures to protect your data, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security.

If you become aware of a security vulnerability or data breach, please contact us immediately at [email protected].

Firebase infrastructure is operated by Google and may process data in data centers located in the United States and other countries. If you are located in the European Economic Area, United Kingdom, or Switzerland, your data may be transferred to countries that the European Commission has not recognized as providing an adequate level of data protection.

For such transfers, we rely on:

• Google's Standard Contractual Clauses (SCCs) incorporated into the Firebase Data Processing Terms
• Google's compliance certifications including ISO 27001, ISO 27017, ISO 27018, and SOC 2

You can learn more about Google's data transfer mechanisms at Google Cloud Privacy.

Regardless of your location, you have the following rights regarding your personal data:

• Access — Request a copy of the personal data we hold about you. Email [email protected].
• Correction — Request correction of inaccurate personal data. Update in-app or email [email protected].
• Deletion — Request deletion of your personal data. Delete account in-app or email [email protected].
• Data portability — Receive your data in a structured, machine-readable format. Use in-app export (PDF, CSV, MoTeC, JSON) or email [email protected].
• Withdrawal of consent — Withdraw consent for data processing at any time. Revoke permissions in device settings or email [email protected].
• Opt-out of social features — Disable leaderboards, presence sharing, and activity feed. Adjust privacy settings within the App.
• Opt-out of anonymized analytics — Prevent upload of anonymized Driver DNA statistics. Contact [email protected].

We will respond to all data rights requests within 30 days (or 45 days for complex requests, with notice). We will not discriminate against you for exercising any of your privacy rights.

To verify your identity when making a request, we may ask you to confirm your email address associated with your account.

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

10.1 Right to Know

You have the right to request that we disclose:

• The categories of personal information we have collected about you
• The categories of sources from which we collected the information
• The business or commercial purpose for collecting the information
• The categories of third parties with whom we share the information
• The specific pieces of personal information we have collected about you

10.2 Categories of Personal Information Collected

Under CCPA categories, we collect:

• A. Identifiers — Name, email address, account ID. Not sold. Not shared for advertising.
• B. Personal information per Cal. Civ. Code 1798.80(e) — Name, email address. Not sold. Not shared for advertising.
• C. Protected classification characteristics — None collected.
• D. Commercial information — Premium account status. Not sold. Not shared for advertising.
• E. Biometric information — Heart rate data (Wear OS). Not sold. Not shared for advertising.
• F. Internet or network activity — In-app navigation events (feedback context only). Not sold. Not shared for advertising.
• G. Geolocation data — Precise GPS coordinates during sessions. Not sold. Not shared for advertising.
• H. Sensory data — Video recordings, audio recordings. Not sold. Not shared for advertising.
• I. Professional or employment information — None collected.
• J. Non-public education information — None collected.
• K. Inferences — Driving style classifications, skill scores, improvement recommendations. Not sold. Not shared for advertising.
• L. Sensitive personal information — Precise geolocation, biometric data (heart rate). Not sold. Not shared for advertising.

10.3 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, completing a transaction you requested, security purposes).

10.4 Right to Correct

You have the right to request correction of inaccurate personal information.

10.5 Right to Opt-Out of Sale or Sharing

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out of sale or sharing. However, if our practices change, we will provide a "Do Not Sell or Share My Personal Information" mechanism.

10.6 Right to Limit Use of Sensitive Personal Information

You have the right to limit the use of sensitive personal information (precise geolocation, biometric data) to purposes necessary to provide the services you request. You can exercise this right by:

• Revoking location permissions in your device settings
• Disabling heart rate monitoring on your Wear OS device
• Disabling camera and microphone permissions in your device settings

10.7 Non-Discrimination

We will not discriminate against you for exercising your CCPA/CPRA rights. You will not receive different pricing, quality of service, or access levels for exercising your rights.

10.8 Authorized Agents

You may designate an authorized agent to make privacy requests on your behalf. The agent must provide proof of authorization (e.g., a signed written authorization or power of attorney). We may still require you to verify your identity directly.

10.9 Financial Incentives

We do not offer financial incentives for the collection, sale, or deletion of personal information.

10.10 How to Submit Requests

To exercise your CCPA/CPRA rights:

• Email: [email protected] with the subject line "California Privacy Request"
• Verification: We will verify your identity by confirming your email address associated with your account

We will respond within 45 days of receiving a verifiable request. If we need more time (up to an additional 45 days), we will inform you of the reason and extension period in writing.

If you are located in the EEA, UK, or Switzerland, you have the following additional rights under the GDPR:

11.1 Data Subject Rights

• Right of access (Art. 15) — Obtain a copy of your personal data and information about how it is processed.
• Right to rectification (Art. 16) — Have inaccurate personal data corrected.
• Right to erasure ("right to be forgotten") (Art. 17) — Have your personal data deleted under certain circumstances.
• Right to restriction of processing (Art. 18) — Limit how we process your data in certain situations.
• Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format (JSON, CSV).
• Right to object (Art. 21) — Object to processing based on legitimate interests.
• Right not to be subject to automated decision-making (Art. 22) — We do not make automated decisions with legal effects based on your data.
• Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time without affecting the lawfulness of prior processing.

11.2 Data Protection Officer

For GDPR-related inquiries, contact our privacy team:

• Email: [email protected]
• Subject line: "GDPR Data Subject Request"

11.3 Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority in your country of residence if you believe we have violated your data protection rights.

11.4 Data Processing Records

We maintain records of our processing activities as required by GDPR Article 30, available upon request.

If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), or other U.S. states with comprehensive privacy laws, you may have rights including:

• Right to access your personal data
• Right to correct inaccuracies in your personal data
• Right to delete your personal data
• Right to data portability — receive your data in a portable format
• Right to opt out of targeted advertising (we do not engage in targeted advertising), sale of personal data (we do not sell personal data), and profiling in furtherance of decisions that produce legal or similarly significant effects (we do not engage in such profiling)

Appeals Process

If we decline your privacy request, you have the right to appeal. To appeal, email [email protected] with the subject line "Privacy Rights Appeal" within 60 days of our response. We will respond to your appeal within 60 days.

If your appeal is denied, you may contact your state's Attorney General to file a complaint.

Runtime Racing is a motorsport application intended for individuals aged 16 or older. We do not knowingly collect personal information from children under the age of 16 (or under 13 in jurisdictions where COPPA applies).

If we learn that we have collected personal information from a child under the applicable minimum age, we will take steps to delete that information as quickly as possible.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected].

14.1 Google Firebase

Runtime Racing uses Google Firebase for authentication, data storage, real-time data synchronization, and file storage. Firebase is operated by Google LLC and processes data in accordance with:

• Google Privacy Policy
• Firebase Privacy and Security Documentation
• Google Cloud Data Processing Terms

14.2 Google Play Services

The App uses Google Play Services for:

• Fused Location Provider — GPS location services
• Wearable Data Layer API — Phone-to-watch communication
• Google Sign-In — Authentication

Google Play Services is subject to the Google Privacy Policy.

14.3 Apple Sign-In

If you sign in with Apple, Apple processes your authentication data in accordance with Apple's Privacy Policy.

14.4 No Advertising or Analytics SDKs

Runtime Racing does not integrate any third-party advertising SDKs (e.g., AdMob, Facebook Audience Network), analytics SDKs (e.g., Google Analytics, Firebase Analytics, Amplitude, Mixpanel), crash reporting SDKs (e.g., Crashlytics, Sentry, Bugsnag), or attribution SDKs (e.g., AppsFlyer, Adjust).

The App does not display advertisements and does not track you for advertising purposes.

When you connect external devices via Bluetooth, the App collects data described in Sections 1.6 and 1.7. Important details:

• OBD-II data stays on your device. Vehicle diagnostic data is not uploaded to our servers.
• Bluetooth device identifiers (MAC addresses, device names) are used solely for connection management and are not stored persistently or uploaded.
• External sensor data (heart rate, tire pressure, GPS) is integrated into session telemetry and follows the same storage and sharing rules as other telemetry data.
• GoPro and action camera data (video files, metadata) is downloaded to your device and follows the same storage rules as local video recordings.

You can disconnect external devices at any time through the App's settings.

The Runtime Racing Wear OS companion app collects the following data on your smartwatch:

• Heart rate via the Wear Health Services API (requires explicit BODY_SENSORS permission)
• Session commands you initiate from the watch (start, stop, pause, resume, manual lap)

This data is transmitted to your paired phone via the Wearable Data Layer API (a direct Bluetooth/Wi-Fi connection between your devices — not transmitted over the internet). The phone app then processes this data as part of your session telemetry.

The Wear OS app does not independently connect to the internet or upload data to our servers.

Runtime Racing does not track users across third-party websites or services. The App does not respond to "Do Not Track" (DNT) browser signals because the App does not engage in online tracking. We honor the Global Privacy Control (GPC) signal as a valid opt-out request under the CCPA/CPRA.

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Last Updated" date at the top of this document
• Notify you via a prominent notice within the App (e.g., the "What's New" dialog)
• For material changes affecting your rights, provide at least 30 days' notice before the changes take effect

Your continued use of the App after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree to the revised Privacy Policy, please stop using the App and delete your account.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices:

Strategia-X
Website: www.strategia-x.com
General Inquiries: [email protected]
Privacy & Support: [email protected]

For formal privacy requests, please include:

• Your full name
• The email address associated with your account
• A description of your request
• Your country/state of residence (for jurisdiction-specific rights)

We will acknowledge receipt of your request within 5 business days and provide a substantive response within 30 days (or the applicable statutory period).

This Privacy Policy is effective as of March 10, 2026.