Important Notice: This document is a translation of the French version of the Privacy Policy. In case of any discrepancy or disagreement between the French and English versions, the French version shall prevail and be considered as the legally binding document.

Privacy Policy

OuiRace Platform

Version 1.0 - Effective date: January 15, 2025

1. Introduction

OUIRACE SAS (hereinafter "OuiRace," "we," "us," or "our") is committed to protecting the privacy and personal data of all users of the OuiRace Platform. This Privacy Policy explains how we collect, use, store, and protect personal data in accordance with the General Data Protection Regulation (GDPR - EU Regulation 2016/679) and the French Data Protection Act (Loi Informatique et Libertés).

Company information

OUIRACE SAS

Simplified joint-stock company
Share capital: 5,000 euros
SIREN: 931 820 443
SIRET: 931 820 443 00014
VAT number: FR08931820443
Registered office: 10 rue Guy de Maupassant, 31200 Toulouse, France
Email: dpo@ouirace.com
Website: www.ouirace.com

Data Protection Officer

For any questions regarding this Privacy Policy or the processing of personal data:

OUIRACE SAS - Data Protection Officer - 10 rue Guy de Maupassant - 31200 Toulouse - France

2. Scope of This Policy

This Privacy Policy applies to:

  • Participants: individuals registering for sports events via the Platform
  • Organizers: individuals or legal entities creating and managing events on the Platform
  • Visitors: individuals browsing the Platform without creating an account

This policy covers all personal data collected through:

  • The OuiRace website (www.ouirace.com)
  • The OuiRace mobile application
  • Email communications
  • Customer support interactions

3. Data Controllers and Joint Responsibility

3.1 Primary data controller

OuiRace acts as the primary data controller for:

  • User account data (Participants and Organizers)
  • Platform usage data and analytics
  • Technical data (IP addresses, cookies, logs)
  • Customer support communications

3.2 Joint data controllers

For Participant registration data, OuiRace and the Event Organizer are joint data controllers under GDPR Article 26. This means:

  • OuiRace collects and processes registration data through the Platform
  • The Organizer receives and uses this data to manage Event participation
  • Both parties are responsible for compliance with data protection obligations
  • Participants may exercise their rights with either OuiRace or the Organizer

The joint responsibility agreement defines:

  • OuiRace is responsible for: secure data collection, payment processing, data security measures, providing tools for data subject rights
  • Organizer is responsible for: accuracy of Event information, appropriate use of Participant data, responding to Participant inquiries, deletion of data when no longer necessary

3.3 Data processor

Stripe, Inc. acts as our data processor for payment processing. Stripe processes payment data on our behalf and is bound by contractual obligations to protect this data in accordance with GDPR standards.

4. Personal Data We Collect

4.1 Data collected from Participants

When registering for an Event, we collect:

Identity data:

  • Surname, first name
  • Date of birth
  • Gender (optional, for Event statistics)

Contact data:

  • Email address
  • Phone number
  • Postal address (if required by Organizer)

Event data:

  • Selected Event and category
  • Registration date and time
  • Registration preferences

Payment data:

  • Credit card information (processed and stored by Stripe, not by OuiRace)
  • Transaction ID
  • Payment date and amount
  • Invoice details

Optional data:

  • Emergency contact information (if required by Organizer)
  • Medical information (if required by Organizer for medical certificate verification)
  • T-shirt size or other preferences

4.2 Data collected from Organizers

When creating an Organizer account, we collect:

Identity data (individuals):

  • Surname, first name
  • Date of birth
  • Copy of valid ID (identity card or passport)

Identity data (legal entities):

  • Company or association name
  • Registration number (SIREN/SIRET)
  • Legal structure
  • Official documents (Kbis extract, prefecture receipt, statutes)
  • Legal representative identity and ID copy

Contact data:

  • Email address
  • Phone number
  • Postal address
  • Proof of address (less than 3 months old)

Financial data:

  • Bank account details (IBAN, BIC)
  • Tax identification number
  • Billing address

Event data:

  • Events created and managed
  • Participant lists and statistics
  • Financial transactions and transfers
  • Communications with Participants

4.3 Data collected from all users

Technical data:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Language preferences
  • Referring website
  • Pages viewed and time spent
  • Date and time of visit

Cookies and similar technologies:

  • Session cookies (essential for Platform functionality)
  • Analytics cookies (with consent, for Platform improvement)
  • Preference cookies (for user settings)

5. How We Use Personal Data

5.1 Legal basis for processing

We process personal data based on the following legal grounds:

Contractual necessity (GDPR Article 6(1)(b)):

  • Processing Event registrations
  • Managing user accounts
  • Processing payments
  • Providing customer support
  • Delivering services requested by users

Legal obligation (GDPR Article 6(1)(c)):

  • Complying with accounting and tax requirements
  • KYC (Know Your Customer) verification for anti-money laundering
  • Responding to legal requests from authorities
  • Retaining invoices and financial records

Legitimate interest (GDPR Article 6(1)(f)):

  • Fraud prevention and security
  • Platform improvement and analytics
  • Direct marketing to existing customers (with opt-out option)
  • Defending legal claims

Consent (GDPR Article 6(1)(a)):

  • Non-essential cookies and analytics
  • Marketing communications to non-customers
  • Optional data fields

5.2 Purposes of processing

We use personal data for the following purposes:

Event registration and management

  • Processing Participant registrations
  • Generating and sending invoices
  • Facilitating communication between Participants and Organizers
  • Managing cancellations and refunds

Account management

  • Creating and maintaining user accounts
  • Authenticating users
  • Password reset and account recovery
  • Providing access to personal dashboard

Payment processing

  • Processing payments securely via Stripe
  • Detecting and preventing fraud
  • Managing refunds and chargebacks
  • Generating financial reports for Organizers

Customer support

  • Responding to inquiries and support requests
  • Resolving disputes
  • Investigating reported issues
  • Improving customer experience

Platform improvement

  • Analyzing usage patterns (anonymized when possible)
  • Testing new features
  • Improving user interface and experience
  • Identifying and fixing technical issues

Legal compliance

  • Verifying Organizer identity (KYC)
  • Maintaining accounting records
  • Responding to legal requests
  • Enforcing Terms and Conditions

Marketing and communications

  • Sending service-related emails (registration confirmations, Event updates)
  • Sending newsletters (with opt-in consent)
  • Informing users of new features
  • Promotional communications (with opt-out option)

6. Data Sharing and Recipients

6.1 Within OuiRace

Personal data may be accessed by:

  • Customer support team (for support requests)
  • Technical team (for platform maintenance and troubleshooting)
  • Finance team (for payment processing and accounting)
  • Management (for business operations and compliance)

All OuiRace employees are bound by confidentiality obligations and receive data protection training.

6.2 Event Organizers

Participant registration data is shared with the relevant Event Organizer, including:

  • Name, email, phone number, date of birth
  • Registration details and preferences
  • Any additional information required for Event participation

Organizers commit to:

  • Using data only for Event management purposes
  • Protecting data in accordance with GDPR
  • Not sharing data with third parties without consent
  • Deleting data when no longer necessary

6.3 Service providers and data processors

We share data with the following categories of service providers:

Payment processing:

  • Stripe, Inc. - Payment processing, fraud prevention, PCI-DSS compliance
  • Data shared: payment information, transaction details
  • Location: European Union data centers
  • Privacy policy: https://stripe.com/privacy

Hosting and infrastructure:

  • Cloud hosting providers (servers located in European Union)
  • Data shared: all Platform data
  • Security certifications: ISO 27001, SOC 2

Email service providers:

  • Transactional email delivery (registration confirmations, invoices)
  • Marketing emails (with consent)
  • Data shared: email addresses, names, message content

Analytics:

  • Usage analytics (anonymized when possible)
  • Data shared: aggregated usage statistics, technical data
  • Used for: Platform improvement, performance monitoring

All service providers are carefully selected and bound by data processing agreements (DPA) ensuring GDPR compliance.

6.4 Legal requirements

We may disclose personal data when required by law:

  • In response to court orders or legal processes
  • To comply with regulatory requirements
  • To protect rights, property, or safety of OuiRace, users, or the public
  • In connection with fraud investigation or prevention

6.5 Business transfers

In case of merger, acquisition, reorganization, or sale of assets, personal data may be transferred to the acquiring entity, subject to:

  • Continued protection under this Privacy Policy
  • Notification to affected users
  • Opportunity to object or delete data

6.6 Third parties we do NOT share with

We never sell, rent, or trade personal data to third parties for their marketing purposes.

7. International Data Transfers

7.1 Data storage location

Personal data is primarily stored on servers located in the European Union, ensuring full GDPR protection.

7.2 Transfers outside the EU

Some service providers (e.g., Stripe) may process data outside the European Economic Area (EEA). In such cases, we ensure adequate protection through:

  • EU Standard Contractual Clauses (SCCs): contractual guarantees approved by the European Commission
  • Adequacy decisions: transfers to countries recognized by the EU as providing adequate protection
  • Privacy Shield or equivalent certifications (where applicable)

7.3 Your rights regarding international transfers

You have the right to:

  • Request information about international transfers
  • Obtain a copy of safeguards in place
  • Object to transfers in certain circumstances

Contact dpo@ouirace.com for more information.

8. Data Retention Periods

We retain personal data only as long as necessary for the purposes outlined in this policy:

8.1 Participant data

Data type | Retention period | Legal basis
Registration and Event data | 3 years after last Event attended | Legitimate interest, legal obligation
Payment transactions | 13 months | Payment service regulation (Stripe)
Invoices | 10 years | Tax and accounting obligation
Marketing communications | Until consent withdrawal or 3 years of inactivity | Consent
Support tickets | 2 years after resolution | Legitimate interest

8.2 Organizer data

Data type | Retention period | Legal basis
Account and identity data | Duration of relationship + 3 years | Contractual necessity, legal obligation
KYC documents | 5 years after account closure | Anti-money laundering obligation
Financial records | 10 years | Tax and accounting obligation
Event data | 3 years after Event date | Contractual necessity

8.3 Technical data

Data type | Retention period
Server logs | 12 months
Analytics data | 26 months (anonymized)
Security logs | 12 months
Cookies | As per cookie policy (max 13 months)

8.4 Deletion process

At the end of retention periods:

  • Personal data is permanently deleted from active databases
  • Backups containing personal data are deleted or anonymized
  • Data stored by service providers is deleted according to agreements
  • Only anonymized statistical data may be retained indefinitely

9. Your Rights Under GDPR

As a data subject in the European Union, you have the following rights:

9.1 Right of access (Article 15)

You have the right to obtain:

  • Confirmation that your personal data is being processed
  • Access to your personal data
  • Information about processing purposes, categories, recipients, retention periods
  • Copy of your personal data

How to exercise: Email dpo@ouirace.com with "Access Request" in subject line. Include proof of identity.

Response time: Within 1 month (extendable to 3 months for complex requests).

9.2 Right of rectification (Article 16)

You have the right to:

  • Correct inaccurate personal data
  • Complete incomplete personal data

How to exercise:

  • Update directly in your account settings, or
  • Email dpo@ouirace.com with corrections

Response time: Within 1 month.

9.3 Right to erasure / "Right to be forgotten" (Article 17)

You have the right to request deletion of your personal data when:

  • Data is no longer necessary for the purposes it was collected
  • You withdraw consent (where processing is based on consent)
  • You object to processing and there are no overriding legitimate grounds
  • Data has been unlawfully processed
  • Legal obligation requires erasure

Exceptions (we may retain data despite erasure request):

  • Compliance with legal obligations (tax, accounting)
  • Establishment, exercise, or defense of legal claims
  • Archiving purposes in the public interest

How to exercise: Email dpo@ouirace.com with "Erasure Request" in subject line.

Response time: Within 1 month.

9.4 Right to restriction of processing (Article 18)

You have the right to request temporary suspension of processing when:

  • You contest the accuracy of data (while we verify)
  • Processing is unlawful but you prefer restriction over erasure
  • We no longer need the data but you need it for legal claims
  • You have objected to processing (pending verification of legitimate grounds)

How to exercise: Email dpo@ouirace.com with "Restriction Request" in subject line.

Response time: Within 1 month.

9.5 Right to data portability (Article 20)

You have the right to:

  • Receive your personal data in structured, commonly used, machine-readable format (e.g., CSV, JSON)
  • Transmit this data to another service provider

This right applies only to data:

  • You provided to us
  • Processed based on consent or contract
  • Processed by automated means

How to exercise: Email dpo@ouirace.com with "Portability Request" in subject line.

Response time: Within 1 month.

Format provided: CSV file containing your account and registration data.

9.6 Right to object (Article 21)

You have the right to object to processing based on:

  • Legitimate interest: You may object at any time for reasons relating to your particular situation
  • Direct marketing: You may object at any time (including profiling for marketing)

How to exercise:

  • For marketing: Click "Unsubscribe" in any marketing email, or adjust preferences in account settings
  • For other processing: Email dpo@ouirace.com with "Objection" in subject line

Response time: Within 1 month (marketing opt-out: immediately).

9.7 Right to withdraw consent (Article 7(3))

Where processing is based on your consent, you have the right to withdraw it at any time.

How to exercise:

  • Adjust preferences in account settings
  • Click "Unsubscribe" in emails
  • Email dpo@ouirace.com

Note: Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.

9.8 Right to lodge a complaint

You have the right to lodge a complaint with the data protection supervisory authority:

Commission Nationale de l'Informatique et des Libertés (CNIL)

3 Place de Fontenoy - TSA 80715
75334 PARIS CEDEX 07
France
Website: www.cnil.fr
Phone: +33 (0)1 53 73 22 22

9.9 Exercising your rights

General process:

  1. Send request to dpo@ouirace.com with:
    • Subject line indicating the right you wish to exercise
    • Proof of identity (copy of ID card or passport)
    • Clear description of your request
  2. We verify your identity (may request additional information)
  3. We respond within 1 month (extendable to 3 months for complex requests)
  4. We provide requested information or action free of charge

Excessive or unfounded requests: We may charge a reasonable fee or refuse the request.

10. Data Security Measures

OuiRace implements appropriate technical and organizational measures to protect personal data:

10.1 Technical measures

Encryption:

  • SSL/TLS encryption for all data in transit
  • Encryption of sensitive data at rest
  • Secure password hashing (bcrypt algorithm)

Access control:

  • Role-based access control (RBAC)
  • Multi-factor authentication available
  • Automatic session timeout
  • Strong password requirements

Infrastructure security:

  • Firewall protection
  • Intrusion detection and prevention systems
  • Regular security patches and updates
  • DDoS protection
  • Isolated production and development environments

Data protection:

  • Daily automated backups
  • Backup encryption
  • Disaster recovery plan
  • Data redundancy across multiple servers

Application security:

  • Input validation and sanitization
  • Protection against common vulnerabilities (SQL injection, XSS, CSRF)
  • Regular security testing and audits
  • Secure coding practices

10.2 Organizational measures

Policies and procedures:

  • Data protection policy
  • Incident response plan
  • Access control policy
  • Data retention and deletion procedures

Employee training:

  • Regular data protection training
  • Confidentiality agreements
  • Security awareness programs
  • Clear data handling procedures

Vendor management:

  • Due diligence on service providers
  • Data processing agreements (DPA)
  • Regular vendor security assessments
  • Contractual security requirements

Monitoring and auditing:

  • Access logging and monitoring
  • Regular security audits
  • Vulnerability assessments
  • Penetration testing (annually)

10.3 Data breach response

In case of a personal data breach:

Detection and containment:

  • Immediate investigation and containment
  • Assessment of scope and impact
  • Documentation of breach details

Notification:

  • CNIL notification within 72 hours (if high risk)
  • Affected individuals notified without undue delay (if high risk to rights and freedoms)
  • Communication includes nature of breach, likely consequences, and mitigation measures

Remediation:

  • Implementation of corrective measures
  • Prevention of future occurrences
  • Review and update of security procedures

11. Cookies and Tracking Technologies

11.1 What are cookies?

Cookies are small text files stored on your device when you visit the Platform. They help us provide, protect, and improve our services.

11.2 Types of cookies we use

Essential cookies (no consent required):

  • Session management and authentication
  • Security and fraud prevention
  • Load balancing and performance
  • User preferences (language, display settings)

Analytics cookies (require consent):

  • Usage statistics (pages viewed, time spent)
  • Traffic sources and user behavior
  • Error tracking and debugging
  • A/B testing and feature optimization

Marketing cookies (require consent):

  • Retargeting and advertising
  • Social media integration
  • Email campaign tracking
  • Conversion tracking

11.3 Third-party cookies

We may use third-party cookies from:

  • Google Analytics (usage analytics)
  • Social media platforms (share buttons)
  • Advertising networks (retargeting)

These third parties have their own privacy policies.

11.4 Cookie duration

  • Session cookies: Deleted when you close your browser
  • Persistent cookies: Stored for up to 13 months

11.5 Managing cookies

You can control cookies through:

Browser settings:

  • Block all cookies
  • Delete existing cookies
  • Allow cookies from specific sites
  • Receive notifications before cookies are stored

Cookie consent banner:

  • Accept or reject non-essential cookies
  • View and modify cookie preferences
  • Access detailed cookie information

Note: Blocking essential cookies may affect Platform functionality.

Cookie policy: For detailed information, see our full Cookie Policy at www.ouirace.com/cookie-policy

12. Children's Privacy

12.1 Age requirements

The Platform is not intended for children under 18 years old. We do not knowingly collect personal data from minors without parental consent.

Account creation: Restricted to individuals 18 years or older.

Event registration: Minors may register for Events with parental authorization. The parent or legal guardian must:

  • Provide consent during registration
  • Complete the registration form on behalf of the minor
  • Accept Terms and Conditions
  • Assume responsibility for the minor's participation

12.2 Parental rights

Parents or legal guardians have the right to:

  • Access their child's personal data
  • Request correction or deletion
  • Withdraw consent
  • Object to processing

12.3 Discovery of underage data

If we discover we have collected data from a child under 18 without proper parental consent:

  • We immediately delete the data
  • We close the account
  • We notify the individual of the deletion

13. Automated Decision-Making and Profiling

13.1 Limited use of automation

OuiRace uses limited automated processing for:

Fraud detection:

  • Automated analysis of payment transactions
  • Risk scoring for suspicious activities
  • Flagging of potentially fraudulent registrations

Event recommendations:

  • Suggesting Events based on past registrations
  • Location-based Event suggestions
  • Personalized Event discovery

13.2 Your rights

You have the right to:

  • Not be subject to decisions based solely on automated processing that produce legal effects or significantly affect you
  • Obtain human intervention
  • Express your point of view
  • Contest the decision

Note: Fraud detection measures are necessary for contract performance and protection of OuiRace and users.

14. Changes to This Privacy Policy

14.1 Updates

We may update this Privacy Policy to reflect:

  • Changes in our data processing practices
  • New features or services
  • Legal or regulatory requirements
  • Best practice recommendations

14.2 Notification

Substantial changes:

  • Published on the Platform at least 30 days before effective date
  • Notified to registered users by email
  • Continued use after effective date constitutes acceptance

Minor changes:

  • Published on the Platform
  • Notification may not be provided
  • Examples: typographical corrections, clarifications, additional examples

14.3 Version history

  • Version 1.0 - January 15, 2025: Initial version

15. Contact Information

15.1 Data protection inquiries

For questions about this Privacy Policy or data protection:

Data Protection Officer

OUIRACE SAS - Data Protection Officer
10 rue Guy de Maupassant
31200 Toulouse, France

Response time: We aim to respond within 5 business days.

15.2 General inquiries

Customer support

support@ouirace.com

Legal department

legal@ouirace.com

15.3 Supervisory authority

Commission Nationale de l'Informatique et des Libertés (CNIL)

3 Place de Fontenoy - TSA 80715
75334 PARIS CEDEX 07
France
Website: www.cnil.fr

16. Legal References

This Privacy Policy complies with:

  • GDPR: EU Regulation 2016/679 of April 27, 2016
  • French Data Protection Act: Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés (modified)
  • ePrivacy Directive: Directive 2002/58/EC (as implemented in French law)
  • French Consumer Code: Code de la consommation
  • French Civil Code: Code civil