Privacy Policy
Last updated: 3 June 2026
This privacy policy explains how personal data is processed (1) when you visit the website playraceit.com and (2) when you use the RaceIt desktop application and online service ("RaceIt", "the app"). We process data in accordance with the Swiss Federal Act on Data Protection (revFADP/nDSG) and, where applicable to users in the EU/EEA, the General Data Protection Regulation (GDPR). We keep data collection to what is necessary to operate the service. Neither the website nor the app uses advertising, third-party analytics, or tracking technologies.
1. Controller
The person responsible for data processing is:
Nils Rothenbühler
Ravensbüelerstrasse 10
8330 Pfäffikon ZH, Switzerland
Email: contact@playraceit.com
2. Backend & where your data is stored
Both the website and the app rely on Supabase (Supabase, Inc.) as our backend provider for the database, authentication, file storage, and serverless functions. Network traffic is delivered via the Cloudflare content delivery network (Cloudflare, Inc., USA). The website is hosted by Vercel Inc. (USA). These providers act as our processors and may process data outside Switzerland/the EU; such transfers are safeguarded by the EU Standard Contractual Clauses and the equivalent Swiss provisions.
Part A — The website (playraceit.com)
3. Server log files
When you open the website, the hosting provider (Vercel) automatically processes technical information your browser transmits: IP address, date/time of the request, the page or file requested, the referring URL, and your browser type, version, and operating system. This is technically necessary to deliver the site securely. Legal basis: our legitimate interest in a secure, functioning website (Art. 6 (1)(f) GDPR; Art. 31 revFADP).
4. Download & version check
The download button and the "latest version" indicator load release information from
Supabase, delivered via Cloudflare. When you load the page or start a download, your IP
address is necessarily transmitted to these providers so the file and version data can be
delivered. A strictly necessary security cookie may be set (e.g. Cloudflare's
__cf_bm token). Legal basis: provision of the requested service
(Art. 6 (1)(b) GDPR) and security (Art. 6 (1)(f) GDPR; Art. 31 revFADP).
5. Fonts & cookies
The "Outfit" web font is self-hosted; no data is sent to Google Fonts or other font servers. The website itself sets no cookies and uses no analytics. The only cookies that may appear are the strictly necessary Cloudflare security cookies described above.
Part B — The RaceIt application & online service
6. Sign-in with Steam
RaceIt uses Steam (Valve Corporation) for authentication via Steam OpenID. When you sign in, we verify your Steam login and receive your SteamID64. Using Steam's Web API we additionally retrieve your Steam persona (display name) and your Steam avatar image URL. We do not receive your Steam password. Your interaction with Steam is additionally governed by Valve's own privacy policy.
7. Account & profile
We create and store an account and player profile containing:
- a SteamID-derived internal user ID and a synthetic login email (
steam_<id>@raceit.local), - your SteamID64, Steam persona, and avatar URL,
- your gamertag and selected region,
- onboarding status and account timestamps.
Authentication tokens (access/refresh tokens) are stored locally on your device to keep you signed in. Legal basis: performance of the service you requested (Art. 6 (1)(b) GDPR; Art. 31 revFADP).
8. Gameplay, matches & ranking
To provide ranked matchmaking and an ELO ranking, we process and store:
- matchmaking queue entries and the matches you take part in,
- your MMR/ELO and its changes, level, wins, losses, total races, and win streaks,
- per-race results: finish position, finish/race times, DNF status, validity, and placement status,
- safety metrics derived from gameplay (collision/safety score and contact counts),
- lobby/host information needed to connect players (e.g. host SteamID and the Steam connect token for the in-game lobby).
Legal basis: performance of the service (Art. 6 (1)(b) GDPR; Art. 31 revFADP).
9. In-match chat
If you send messages in the in-match chat, the message content, your profile reference, and a timestamp are stored and shown to the other participants of that match. Please do not share sensitive personal information in chat. Legal basis: performance of the service (Art. 6 (1)(b) GDPR) and our legitimate interest in moderation and abuse prevention (Art. 6 (1)(f) GDPR; Art. 31 revFADP).
10. Telemetry from Forza
RaceIt reads Forza's "Data Out" telemetry locally on your device (over a local UDP port) to measure lap and finish times and to detect collisions during a race. This raw telemetry is processed on your computer; only the derived results (such as finish time and safety score) are transmitted to and stored on our backend. We do not store the raw telemetry stream. Legal basis: performance of the service (Art. 6 (1)(b) GDPR; Art. 31 revFADP).
11. Visibility to other players
RaceIt is a multiplayer service. Your display name (Steam persona/gamertag), avatar, rank, and statistics are visible to other players you are matched with and may appear on leaderboards and player cards within the app. Match chat is visible to the participants of the same match.
12. Fair play, anti-cheat & bans
We may process match and account data to detect cheating, manipulation, or abuse, and to enforce fair-play rules, including suspending or banning accounts and storing a ban reason. Legal basis: our legitimate interest in protecting the integrity of the service and other players (Art. 6 (1)(f) GDPR; Art. 31 revFADP).
Part C — General
13. Retention & account deletion
Account and profile data is kept for as long as your account exists. Match history and ranking data may be retained where needed for the integrity of leaderboards and anti-abuse purposes. Server log files are deleted routinely by the hosting/CDN providers (typically within days to weeks). You may request deletion of your account and associated personal data at any time by emailing contact@playraceit.com; we will delete or anonymise your data unless we are required or entitled to retain it.
14. Your rights
Subject to applicable law, you have the right to obtain information about the personal data we process about you, and to request its correction, deletion, or restriction. Where the GDPR applies, you additionally have the rights to data portability and to object to processing based on legitimate interests (Art. 21 GDPR) for reasons relating to your particular situation. To exercise these rights, contact us using the details in section 1.
15. Right to lodge a complaint
If you believe the processing of your data infringes data protection law, you may lodge a complaint with a supervisory authority. In Switzerland this is the Federal Data Protection and Information Commissioner (FDPIC, www.edoeb.admin.ch). In the EU/EEA you may contact the supervisory authority of your country of residence.
16. Changes to this policy
We may update this privacy policy to reflect changes to the service or legal requirements. The current version is always available on this page.