Privacy Policy

Last updated: March 7, 2026

1. Data Controller

The data controller responsible for your personal data is Česká dostihová federace (Czech Racing Federation), a registered association under Czech law.

  • IČO: 70848475
  • Registered address: Liblice 81, 277 32 Liblice, Czech Republic
  • Registry: Municipal Court in Prague, file ref. L 69625/MSPH
  • Phone: +420 777 168 101

This policy explains how we collect, use, store, and protect your personal data when you use our platform at www.grwhracing.eu in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and Czech Act No. 110/2019 Coll. on the Processing of Personal Data.

This policy is provided in English. Communication with us may be conducted in English or Czech.

Territorial Scope

This Privacy Policy applies to all users of our platform worldwide. The GDPR applies to our processing of your personal data because we are an organisation established in the European Union (GDPR Article 3(1)), regardless of your country of residence.

All users, whether located in the EU/EEA or elsewhere, receive the same data protection rights and safeguards described in this policy. If you reside in a country with its own data protection legislation (e.g., the UK GDPR, California Consumer Privacy Act, or Brazil's LGPD), those protections apply in addition to the GDPR to the extent required by applicable law.

The governing law for all matters arising from this Privacy Policy is the law of the Czech Republic (see our Terms of Service).

2. Data We Collect

Account Data (required for registration)

  • Full name
  • Login email address
  • Password (stored only in hashed form, never in plain text)

Profile Data (optional — displayed on your public profile page)

  • Profile photo (avatar)
  • Biography
  • Contact email (separate from login email)
  • Phone number
  • Date of birth
  • Gender
  • Country of residence
  • Breeding kennel name
  • External links (social media profiles, websites)

Billing Data (collected during subscription payment)

  • Billing address (street, city, state, postal code, country)
  • Payment card details are processed exclusively by Stripe and are never stored on our servers

Technical Data (collected automatically)

  • IP address (stored with your session for security purposes)
  • IP address at registration (stored with your account for abuse prevention)
  • Browser and device information (user agent string, stored with your session)
  • Session timestamps

User-Generated Content

  • Dog photos you upload
  • Advertising listings (including contact email and phone you provide for each listing)
  • Dog assignment requests
  • Favourite dog selections

3. Obligation to Provide Data

  • Account data (full name, login email, password) is required to create an account. Without it, you cannot register or use the platform.
  • Billing data (billing address) is required to process subscription payments. Without it, you cannot subscribe.
  • Profile data (biography, contact email, phone, date of birth, gender, country, breeding kennel, external links, avatar) is entirely optional. Not providing it has no consequences beyond a less complete public profile.

4. Purpose and Legal Basis for Processing

We process your personal data on the following legal grounds under GDPR Article 6:

Performance of a contract (Art. 6(1)(b))

  • Creating and managing your account
  • Processing subscription payments
  • Providing platform features (advertising, dog management, statistics)
  • Displaying your public profile to other users
  • Processing optional profile data (biography, phone number, date of birth, gender, country, breeding kennel, external links, avatar) that you voluntarily provide to populate your public profile

Legitimate interest (Art. 6(1)(f))

  • Session security: storing IP addresses and device information to detect unauthorized access and enforce session limits (max 3 concurrent sessions)
  • Rate limiting: using IP addresses to prevent brute-force attacks on authentication
  • Fraud prevention: detecting fraudulent profile claims
  • Abuse prevention: storing the IP address used at registration to limit the number of accounts that can be created from a single IP address
  • Platform improvement and debugging

Consent (Art. 6(1)(a))

  • Analytics: PostHog tracks identified user sessions for product analytics only after you consent to analytics cookies via the cookie consent banner. You may withdraw consent at any time via the cookie settings.

5. Third-Party Services and Data Transfers

We share personal data with the following third-party service providers. The legal basis for each cross-border transfer is noted below.

Stripe, Inc. (USA) — Payment Processing

We share your name, email, phone number, and billing address with Stripe to process subscription payments and manage billing. Stripe handles all payment card data directly and is PCI-DSS compliant. Stripe may set its own cookies for fraud prevention during checkout. Transfer basis: EU-US Data Privacy Framework. Stripe Privacy Policy

Cloudflare, Inc. (USA) — Content Delivery Network and Image Storage

User avatars, dog photos, and advertising listing photos are stored on Cloudflare R2 (S3-compatible object storage) and served via publicly accessible URLs. This means that anyone with the direct URL can view these images. Transfer basis: EU-US Data Privacy Framework. Cloudflare Privacy Policy

PostHog, Inc. (USA) — Analytics

PostHog collects product analytics for identified users only. No data is collected from anonymous visitors. PostHog may set its own cookies. Transfer basis: Standard Contractual Clauses (SCCs). PostHog Privacy Policy

Vercel, Inc. (USA) — Hosting and Analytics

Our platform is hosted on Vercel. In production, Vercel collects basic performance analytics (page load times) without collecting personally identifiable information. Transfer basis: EU-US Data Privacy Framework. Vercel Privacy Policy

Neon, Inc. (USA) — Database Hosting

All user data (account information, profiles, sessions, billing data, and user-generated content) is stored in a PostgreSQL database hosted by Neon in the EU (Frankfurt, Germany). While data is stored within the EU, Neon is a US-based company with potential access to the data for infrastructure maintenance. Transfer basis: EU-US Data Privacy Framework. Neon Privacy Policy

CookieYes Limited (UK) — Cookie Consent Management

CookieYes provides the cookie consent banner on our platform. It stores your consent preferences and does not collect personally identifiable information. Transfer basis: European Commission adequacy decision for the United Kingdom. CookieYes Privacy Policy

6. Cookies

Essential Cookies (no consent required)

  • session — First-party, httpOnly, secure, sameSite=strict. Duration: 30 days. Contains an encrypted authentication token (JWT) with your user ID, role, and session identifier. This cookie is strictly necessary for the platform to function and to keep you signed in.

Third-Party Cookies

  • Stripe — Set by Stripe during the payment process for fraud prevention and payment processing.
  • PostHog — Used for product analytics of identified users for product improvement. Only set after you consent to analytics cookies.
  • CookieYes — Stores your cookie consent preferences (accepted and rejected categories). Essential for remembering your consent choices.

In accordance with Section 89(3) of Czech Act No. 127/2005 Coll. on Electronic Communications, non-essential cookies require your explicit consent. You can manage your cookie preferences at any time using the cookie consent banner or by clicking "Cookie Settings" in the footer. Disabling the session cookie will prevent you from signing in.

7. Data Retention

  • Account data: Retained for as long as your account is active. If your account is deactivated, data is kept in a soft-deleted state for at least 1 year for dispute resolution and compliance purposes. You may request full erasure at any time by contacting us.
  • Session data (IP address, device info): Retained for a maximum of 30 days. Sessions are automatically deleted upon expiry or when manually revoked.
  • Registration IP address: Retained for as long as your account is active, as it is stored with your account data. Erased upon account deletion or upon request.
  • Uploaded images: Deleted from storage when the associated entity (dog profile, advertising listing, or user account) is deleted.
  • Payment data: Subscription status and billing address are stored locally. Full payment history is retained by Stripe per their retention policy.

8. Your Rights

Under the GDPR (Articles 15–22), you have the following rights:

  • Right of access — Request a copy of the personal data we hold about you.
  • Right to rectification — Correct inaccurate personal data. You can update most profile data directly in your account settings.
  • Right to erasure — Request deletion of your personal data. We will erase your data unless we have a legal obligation to retain it.
  • Right to restriction of processing — Request that we limit how we use your data.
  • Right to data portability — Receive your data in a structured, commonly used, machine-readable format (e.g., JSON).
  • Right to object — Object to processing based on legitimate interest.
  • Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right not to be subject to automated decision-making — You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you (see also Section 11).

To exercise any of these rights, contact us at ivo.widziolek@gmail.com. We will respond within 30 days. This period may be extended by up to two further months where necessary due to the complexity or number of requests, in which case we will inform you of the extension within the initial 30 days.

You also have the right to lodge a complaint with the Czech supervisory authority: Úřad pro ochranu osobních údajů (ÚOOÚ), Pplk. Sochora 27, 170 00 Praha 7, Czech Republic; uoou.gov.cz. If you reside in another EU member state, you may also lodge a complaint with your local supervisory authority.

9. Security Measures

We implement the following measures to protect your data:

  • Passwords are hashed using bcrypt with a high cost factor
  • Authentication uses encrypted JWT tokens in httpOnly, secure cookies
  • Content Security Policy (CSP) headers protect against cross-site scripting
  • Rate limiting on authentication endpoints prevents brute-force attacks
  • Maximum 3 concurrent sessions per account; all sessions are revoked on password change
  • Stripe webhook signatures are cryptographically verified
  • HTTPS is enforced across the entire platform
  • Database connections are encrypted with SSL in production

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR Article 34 and Czech Act No. 110/2019 Coll. We will also notify the Úřad pro ochranu osobních údajů (ÚOOÚ) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

10. Children

Our platform is not directed at children under 15 years of age. In accordance with Section 7 of Czech Act No. 110/2019 Coll., the age of consent for information society services in the Czech Republic is 15. We do not knowingly collect personal data from anyone under 15. If we become aware that we have collected data from a child under 15, we will take steps to delete it promptly.

11. Automated Decision-Making

We do not use automated decision-making or profiling as defined in GDPR Article 22. All decisions affecting your account are made by human administrators.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes before they take effect by placing a prominent notice on the Platform and updating the "Last updated" date at the top of this page. Where processing is based on your consent, we will seek fresh consent for any material changes to such processing.

13. Contact

For any questions about this Privacy Policy or your personal data, contact us:

  • Phone: +420 777 168 101
  • Address: Česká dostihová federace, Liblice 81, 277 32 Liblice, Czech Republic