Privacy Policy

1. Who we are

RaceConnect ("we", "us", "our") operates this platform connecting athletes with race events in South Africa. We are the Responsible Party for your personal information in terms of POPIA. Race organizers who use our platform to manage their events are separate Responsible Parties for the personal information they collect from their participants — we process that data on their behalf as an Operator.

2. What personal information we collect

2.1 Account & athlete profile

Provided by you when you register an account or fill in your athlete profile:

• Name, email address, password (stored hashed — we never see it in plain text)
• Phone number, date of birth, gender, South African ID number
• Province, club affiliation, ASA running licence number, T-shirt size
• Emergency contact name and phone number
• Optional: medical conditions, medical aid scheme and number — used only for race-day safety
• Profile photo (avatar), if uploaded
• Dependents linked to your account (e.g. children registered for races on your behalf)
• Bank details if you sell on our marketplace — stored encrypted at rest

2.2 Registrations & race history

• Which races you registered for, when, the entry fee paid, your registration number and bib
• Whether you checked in, completed the race, your finish time and position
• Reviews and ratings you post for events

2.3 Optional marketing research data

After a race you've already paid for, we may ask 1–2 short, anonymous research questions (e.g. shoe brand, nutrition products, household income bracket). These are opt-in: you can skip any question, and you can turn the prompt off entirely under Profile → Privacy. Answers are stored against your account so we don't ask the same question twice, but they're only ever shared with third parties in aggregate or pseudonymous form (see §4).

2.4 Payment information

Card and bank details for race entries and marketplace purchases are processed by our payment provider, PayFast (Pty) Ltd. We do not see or store card numbers, CVVs or internet-banking credentials. We retain only the transaction reference, amount and outcome for accounting and reconciliation.

2.5 Authentication & session data

• Browser session cookies (essential, can't be disabled without breaking login)
• Theme and small UI preferences (stored in your browser's localStorage)
• Google account ID, name and email, if you sign in with Google
• IP address and user-agent, recorded for security audit and abuse prevention

2.6 Automatically collected analytics

• Page views, referrer URLs, basic device information (Google Analytics 4)
• Application error logs (so we can fix bugs that affect you)

3. Why we process it (lawful basis)

Under POPIA we may only process your personal information if at least one of these conditions applies. For each kind of data above, the basis is:

• Performance of a contract — to register you for races you have entered, accept your payment, hand your details to the race organizer so they can deliver the race, and produce official results.
• Compliance with a legal obligation — keeping financial records, responding to lawful requests from regulators.
• Your explicit consent — for the optional marketing research questions, for your profile photo, and for emergency-contact and medical information (you choose what to share).
• Legitimate interest — fraud prevention, platform security, anonymized aggregate analytics that don't identify you.

4. How we anonymize and share data

4.1 Public race results

Race results are public by default — finish position, time, bib, your name and club. You can switch on "Anonymize my data on public pages" in Profile → Privacy. When that's on, your name shows as "Anonymous Athlete", your club and city are hidden on public results, public reviews, and future leaderboards. Race organizers you registered with, and authenticated API consumers, continue to see your real details.

4.2 Marketing data shared with partners

When we share marketing-research data with advertising partners or sponsors, we share it in one of two forms — never in a form that identifies you:

• Aggregate counts: "78% of respondents wear Nike", "12% bank with Capitec". No row-level data leaves the platform.
• Pseudonymous rows: each respondent appears as a short hash (e.g. user_a8f3e9b21d40c5e7) that is impossible to reverse without the platform's secret key. No name, no email, no phone, no ID number.

4.3 Who else sees your data

• The race organizer whose event you've entered — they see the same registration and emergency/medical info you would expect to give them on a paper entry form. This is essential to running the race.
• Our service providers, only to the extent they need it to do their job: PayFast (payment processing), Resend (email delivery), Google (only if you sign in with Google), MapLibre (route maps — your location data only loads if you view a route), and our hosting and error-monitoring providers.
• We do not sell personal information.

5. Your POPIA rights

You have the following rights in respect of personal information we hold about you:

• Access — see what we hold. Most of it is visible to you immediately at /profile, /profile/athlete, and /my-registrations. For anything else, email privacy@raceconnect.co.za.
• Correction — change inaccurate information. You can edit most fields yourself from the Profile and Athlete Profile pages.
• Deletion — delete your account at any time under Profile → Delete account. See §6 for exactly what happens.
• Object to processing — turn off the anonymize toggle and marketing-question prompts under Profile → Privacy. To object to other processing, email us.
• Withdraw consent — remove any optional information (medical, emergency, etc.) by editing your athlete profile, or unsubscribe from notification emails under Profile → Notifications.
• Lodge a complaint — if you believe we've mishandled your data, you may complain to the South African Information Regulator at inforegulator.org.za. We'd appreciate the chance to fix it first — email privacy@raceconnect.co.za.

6. Deleting your account

When you delete your account from Profile → Delete account, here's exactly what happens:

• Your name is replaced with "Deleted User".
• Your email is changed to a non-routable placeholder so it can never be used to identify or contact you.
• Your password is erased.
• All other personally-identifying fields are erased: phone, date of birth, gender, ID number, emergency contact, medical conditions, medical aid info, club, ASA licence, T-shirt size, province, avatar, Google account link.
• Your sessions and login tokens are revoked.
• Your account row is marked deleted but kept because of how race results work: your historical race entries and finish times stay on the platform so the official record of each race remains intact, attributed to "Deleted User" on public results. If you want your historical entries removed too, email us — we'll review case-by-case (race-day records have legitimate retention reasons).

Marketing-research answers you'd already provided stay in the aggregate counts but are no longer attributable to you (the link from row to user is severed).

7. Privacy settings in your control

All controls live on the same page: Profile → Privacy.

• Anonymize my data on public pages — hides your name, club and city from public race results, public reviews, future leaderboards.
• Don't ask me marketing questions — turns off the post-registration research prompt entirely.

Separately:

• Email notification preferences at Profile → Notifications — turn off race reminders, new-race announcements, registration confirmations independently.
• Unfollow organizers — on the same notifications tab — stops their new-race announcements reaching you.

8. Cookies and tracking

We use the minimum necessary. A session cookie keeps you logged in. Small preferences (theme, sidebar collapsed) are stored in your browser's localStorage, not on our servers. Google Analytics 4 records page views and basic device information so we can improve the platform — you can block this by enabling "Do Not Track" or a content blocker.

9. How long we keep your data

• Active account: as long as your account exists.
• Deleted account: PII is wiped immediately as described in §6. The (scrubbed) account row and its registration / finish-time records remain so race history isn't rewritten.
• Financial records: kept for at least five years as required by South African tax and accounting law.
• Marketing-research answers: kept until you delete your account; thereafter retained in aggregate only.

10. Security

We use industry-standard measures to protect your data: HTTPS everywhere, hashed passwords, encrypted bank-detail storage, scoped API access tokens, server-side input validation, and regular dependency updates. No system is perfectly secure — if a data breach affects you, we will notify you and the Information Regulator as POPIA requires.

11. Transfers outside South Africa

Some of our service providers (PayFast within SA, Resend for email, our hosting and error monitoring) operate infrastructure in or via other countries. Where personal information is transferred outside South Africa, it is to recipients that are bound by laws or contracts offering an adequate level of protection equivalent to POPIA.

12. Children

The platform is intended for adults. We allow parents and legal guardians to register dependent children for races under their own accounts. We don't process personal information from a child without the consent of a competent person (parent or guardian) and we only collect the minimum needed to run the race (name, date of birth, emergency contact).

13. Changes to this policy

We may update this policy as the platform evolves or the law changes. Material changes will be notified via email to active accounts at least seven days before they take effect, and the "Last updated" date at the top will change.

14. Contact us

For privacy-related questions, requests to access, correct or delete your data, or to lodge a complaint:

Information Officer, RaceConnect
Email: privacy@raceconnect.co.za