Privacy Policy
HeyRace Data Protection & Privacy Policy
Effective date: 01 January 2026
Last updated: 11 June 2026
This Data Protection Policy ("Policy") sets out the basis on which Triple Wave Pte. Ltd. ("we", "us", or "our"), as the operator of the HeyRace platform, collects, uses, discloses, and safeguards the personal data of our users in strict compliance with the Singapore Personal Data Protection Act 2012 ("PDPA").
1. Ways We Collect Your Personal Data
We employ a "Privacy by Design" approach. We generally do not collect personal data unless provided voluntarily by you directly, or via a third party who has been duly authorised by you to disclose your personal data to us, through the following channels:
- Directly from you: When you register for an account, sign up for an event, submit an enquiry, or opt in to a tax-deductible donation.
- Automatically via the platform: When you connect third-party fitness applications (e.g., Strava, Apple Health) to sync your workout data, or through standard website cookies necessary for functionality.
2. The Information We Collect
We practise strict Data Minimisation, collecting only what is essential for event operations, user experience, and legal compliance:
- Standard Event Data: Name, email address, contact number, shipping address, social media handles (if linked), and workout metrics (distance, time, pace).
- Mandatory NRIC/FIN Collection (For Charity & Tax Deductions): In compliance with the Personal Data Protection Commission (PDPC) Advisory Guidelines, HeyRace generally does not collect NRIC/FIN numbers. Exception: For events partnered with Institutions of a Public Character (IPCs) where you opt in to make a tax-deductible donation, the collection of NRIC/FIN is legally mandated by the Inland Revenue Authority of Singapore (IRAS).
3. Accuracy of Personal Data
We generally rely on personal data provided by you or your authorised representative. To ensure that your personal data is current, complete, and accurate, please update your profile settings or inform our Data Protection Officer if there are any changes to your personal data.
4. How We Use Your Information
Your data is strictly used to facilitate the services you have requested and operate our business, including:
- Administering events, validating workout submissions, and updating event milestones.
- Data Validation & Fraud Detection: To maintain platform integrity and operational efficiency, manually submitted activity records—including images, photos, and screenshots—may be processed using Artificial Intelligence (AI) for fraud detection and Optical Character Recognition (OCR) for automated validation. Note: This processing applies exclusively to manual submissions. Data synchronized via third-party APIs (such as Strava) is strictly excluded from all AI or machine learning applications.
- Processing payments securely and fulfilling the delivery of physical items to your designated address.
- Responding to, handling, and processing queries, complaints, and feedback from you.
- Submitting tax-deductible donation records to IRAS via our partner charities (only if explicitly opted in).
- Conducting statistical analysis and planning to improve our platform.
- Complying with applicable laws, regulations, and guidelines, or assisting in law enforcement and investigations.
- Enforcing our Terms of Use.
The purposes listed above may continue to apply for a reasonable period even in situations where your relationship with us has been terminated or altered in any way.
5. Sharing & Disclosing Your Information
HeyRace does not sell, rent, or trade your personal data. We only disclose information on a strict "need-to-know" basis:
- Payment Gateways: We use secure third-party processors (e.g., Stripe) to handle transaction data. We do not store full credit card numbers on our servers.
- Logistics Partners: Third-party couriers strictly for the delivery of physical items.
- Partner Institutions/Charities: Secure transmission of specific donation and NRIC data strictly for IRAS tax-deduction compliance. This data is siloed and never used for marketing.
- Public Leaderboards: To protect participant privacy, public leaderboards and class rankings utilise aggregated data, pseudonymised data (e.g., displaying only first names and last initials), or user-selected nicknames. Individual Strava API activity data is completely excluded from public leaderboards and remains visible only to the authenticated user.
- Legal & Regulatory Authorities: We may disclose data if required by law, to comply with legal processes, to protect and defend our rights or property, or under exigent circumstances to protect the personal safety of our users.
6. Protection & Security Safeguards
To safeguard your personal data from unauthorised access, collection, use, disclosure, copying, modification, or disposal, we utilise enterprise-grade security protocols:
- Encryption, Hashing & Infrastructure: All personal data transmitted is encrypted using industry-standard TLS/SSL protocols. Sensitive data at rest (such as NRICs) is encrypted using AES-256. User passwords are securely hashed and never stored in plain text.
- Role-Based Access Control (RBAC) & Audit Trails: Access to personal data is strictly restricted internally. The platform maintains internal access logs to monitor any extraction of sensitive data.
- Data Breach Protocol: In the highly unlikely event of a notifiable data breach, HeyRace will notify the PDPC within 72 hours, inform affected event partners immediately, and notify affected individuals.
Please note: While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot absolutely guarantee its security.
7. Retention and Purging of Personal Data
We retain your personal data only for as long as necessary to fulfil the purpose for which it was collected. We utilise automated purging protocols:
- Post-Event Purge: Personal data directly tied to event logistics (such as shipping addresses) is retained only for as long as necessary to fulfil the delivery of physical items and manage customer service enquiries (typically 30–60 days post-event).
- NRIC Destruction: NRIC data collected for tax deduction purposes is securely transmitted to the relevant partner institution and subsequently purged from HeyRace's active databases immediately following successful transmission and verification.
8. Cross-Border Data Transfers & Cloud Hosting
Our primary digital infrastructure is hosted on secure, enterprise-grade cloud servers which may be located outside of Singapore. When your personal data is transferred to these external servers, we ensure it is protected by Standard Contractual Clauses (SCCs) and that the receiving jurisdictions, or the cloud service providers themselves, are legally bound to uphold data protection standards comparable to the PDPA and international frameworks.
9. Protection of Minors
If you are under 18 years of age, you must obtain consent from your parent or legal guardian before using our platform, registering for an event, or submitting personal data. Parents or guardians who believe we have inadvertently collected data from a minor without appropriate consent may contact our Data Protection Officer for its immediate removal.
10. Contact Preferences and Marketing
We respect your inbox and distinguish between essential and promotional communications:
- Transactional Communications: You will receive essential emails regarding your registration, payment receipts, password resets, and shipping updates.
- Marketing Communications: You will only receive promotional emails about future events or partner offers if you have explicitly opted in. You may update your preferences or unsubscribe at any time.
11. Withdrawing Your Consent
The consent that you provide will remain valid until withdrawn in writing. You may withdraw consent and request us to stop collecting, using, and/or disclosing your personal data by submitting your request to our Data Protection Officer. We shall seek to process your request within ten (10) business days. Please note that withdrawing consent may mean we are no longer in a position to continue providing our platform services to you.
12. Account Erasure & Right to be Forgotten
In alignment with international privacy standards, including the principles of the GDPR, you have the right to request the complete deletion of your account and associated personal data.
- Manual Erasure: You may submit a data deletion request to our Data Protection Officer. Upon verification, all identifiable personal data, including historical event metrics, will be permanently purged from our active systems within 30 days.
- Automated Third-Party Purging (Strava): If you have linked a third-party fitness account such as Strava, HeyRace strictly complies with automated deauthorisation webhooks. If you delete your Strava account or revoke HeyRace's access via Strava's settings, our systems will automatically and immediately purge all of your cached Strava API data without requiring a manual request.
13. Access to and Correction of Personal Data
You have the right to access and correct the personal data we hold about you.
- You may view, update, or correct your standard profile information directly through your HeyRace account dashboard.
- For formal access or correction requests, please contact our Data Protection Officer. We will respond within thirty (30) business days. Please note that a reasonable administrative fee may be charged for an access request. We will inform you of the fee before processing your request.
14. Third-Party Integrations & External Websites
- Third-Party Fitness Integrations (Strava): If you optionally connect your account with Strava, you grant limited, read-only access to specific activity metrics (e.g., distance, duration, date) via a secure OAuth token. In strict compliance with the Strava API Agreement:
  - Strict Data Privacy: Your imported Strava activity data is accessible and visible only to you within your personal dashboard. Raw Strava data, including GPS routing, is never shared with third parties, other users, or displayed on public leaderboards.
  - AI Prohibition: Data obtained via the Strava API is completely isolated and is never used to train artificial intelligence, machine learning models, or similar applications.
  - Revocation & Deletion: You may disconnect your Strava integration at any time through your profile settings. Upon disconnection, your OAuth tokens are instantly invalidated, and all cached Strava activity data is systematically purged from our servers.
- Other Fitness Applications: For other third-party integrations, we only import the data necessary for the event. We accept no responsibility for the independent privacy practices of those external applications. You acknowledge and agree that we shall not be held responsible for any loss or damage sustained by sharing information via these features.
- External Links: Our platform may contain links to external websites. We accept no liability for the privacy practices or content of these external sites.
- Cookies: Our website uses cookies to improve your user experience. You may block these via your browser settings, though you may lose personalisation settings and functionality.
15. Changes to this Policy
We may revise this Policy from time to time without prior notice. You can determine if any such revision has taken place by referring to the "Last updated" date. Your continued use of our services constitutes your acknowledgement and acceptance of such changes.
16. Governing Law & Dispute Resolution
This Policy shall be governed by and construed according to the laws of Singapore. In the event of any dispute arising out of or in connection with this Policy, both parties shall first take reasonable efforts to settle the dispute in good faith and in an amicable manner by negotiation before resorting to the exclusive jurisdiction of the Singapore courts.
Contact our Data Protection Officer (DPO)
If you have any enquiries or feedback on our personal data protection policies, please contact our Data Protection Officer at: