Privacy Policy

Last updated: 29 May 2026

This Privacy Policy explains what data PitLabs ("we") collects, how we use it, and the rights you have. We aim for clear and plain language.

PitLabs operates a Windows desktop app and a web account portal that acts as an AI race engineer for sim racing.

1. Data We Collect

We collect only what we need to run the service.

1.1 Account Data

- Email address
- Password (bcrypt hash only — we never see plain-text passwords)

1.2 OAuth Login Data

If you sign in using:
- Google
- Discord
we receive your name, email, avatar URL, and provider user ID.

1.3 Driver Profile Data

- Display name
- Self-rated skill level
- Driving-style preferences
- Racing goals
- Any free-text notes you enter

1.4 Billing Data

Handled via Stripe.
We store:
- Stripe customer ID
- Subscription status
We never store card numbers.

1.5 Session History

For each driving session:
- Track name
- Car name
- Conditions
- Best lap time
- Number of valid laps
- Number of lockups

1.6 Telemetry Summaries

We upload aggregated telemetry the AI needs (sector deltas, brake/throttle summaries).
Raw telemetry never leaves your PC.

1.7 Saved Setups

For Pro users, we store .svm setup files uploaded to your cloud library.

1.8 Usage Metering

We track weekly AI request counts for free-tier limits.

1.9 Technical Data

Collected automatically:
- IP address
- Browser type
- Device type
- Standard server logs (kept ~30 days)

1.10 Cookies & Local Storage

- Auth session cookie (httpOnly, secure)
- UI preferences (units, layout, etc.)

2. How We Use Your Data

We use your data to:

1. Operate the service (authentication, AI engineer responses, billing)
2. Send transactional emails (signup confirmation, password resets, receipts, invites)
3. Provide aggregated, anonymized analytics to improve PitLabs
4. Enforce usage limits
5. Provide customer support

We never sell your data.
We never use it for ad targeting.
We only share it with the sub-processors listed below.

3. Sub-Processors

| Sub-processor | Purpose | Region |
| --- | --- | --- |
| Supabase | Database + Auth | EU + US |
| Vercel | Web hosting | Global |
| Stripe (above) | Payments | US, EU |
| Google (above) | OAuth sign-in | US |
| Discord (above) | OAuth sign-in | US |
| Anthropic (Claude) | AI engineer responses | US |
| Email provider (TBD) | Transactional + marketing email | TBD |

4. Legal Bases for Processing

Under GDPR:
- Contract — running the PitLabs service
- Consent — marketing emails (if enabled)
- Legitimate interest — security logs, abuse prevention

5. Data Retention

- Account data: kept until you delete your account
- Telemetry summaries: retained ~30 days, then deleted
- Session history & setups: retained for your entire account life
- Billing records: retained for 7 years (or as required by law)
- Backups: rolling 30-day Supabase backups

6. Your Rights (GDPR / CCPA)

GDPR Rights (EU/EEA users)
You may:
- Access your data (export in the portal or by email request)
- Correct your profile
- Delete your account
- Download a portable copy of your data (JSON export)
- Object to processing
- Withdraw marketing-email consent at any time

California (CCPA) Rights
California residents may:
- Request what data we collect
- Request deletion
- Request information about data sharing

We do not sell personal information.

7. Children

PitLabs is for users 16 and older.
We do not knowingly collect data from children.
If you believe a child has an account, contact us to request deletion.

8. Security Measures

- Passwords handled via Supabase Auth, hashed with bcrypt
- HTTPS everywhere
- Row-Level Security ensuring users access only their own data
- Telemetry remains local except for aggregated summaries
- Breach notifications within 72 hours where required by GDPR

9. International Transfers

Data may be processed in the EU, US, or other regions where our sub-processors operate.
We use GDPR-approved safeguards such as Standard Contractual Clauses where required.

10. Changes to This Policy

We will notify you of material changes by email at least 30 days before they take effect.

11. Contact Us

support@pitlabs.app
PitLabs