Privacy Policy
Last updated: 24 April 2026 · Covers gridcard.site and the GRIDCARD app (iOS / Android)
The authoritative version of this policy is in German. GRIDCARD is operated
from Germany. The legally binding text is the German
Datenschutzerklärung,
which meets GDPR Art. 13 / 14 information requirements. This English summary exists to make
the key facts accessible to users who do not read German; in case of any contradiction, the
German version prevails.
Controller
Daniel Hofmann is the data controller in the sense of GDPR Art. 4(7) for all processing
described here.
What is processed, and why
- Anonymous account. When you open the GRIDCARD app for the first time, Supabase Auth generates a random UUID. No email, phone number, or social identity is collected. Legal basis: Art. 6(1)(b) GDPR (performance of contract).
- Driver-card profile data. The handle, display name, bio, country, race number, team tag, preferred sims and disciplines, and hardware setup that you enter in the app. Legal basis: Art. 6(1)(b) GDPR.
- Public driver card at gridcard.site/c/<handle>. If you enable public sharing in the app, the profile data listed above is served as a public HTML page viewable by anyone with the URL. Legal basis: Art. 6(1)(a) GDPR (consent). Withdraw at any time by disabling public sharing in the app; the page goes offline within minutes.
- Subscription (GRIDCARD Pro). Apple (iOS) or Google (Android) processes the payment for the monthly or yearly tier. The purchase receipt and entitlement state are received through RevenueCat. Card numbers and bank details are not received. Legal basis: Art. 6(1)(b) GDPR.
- Optional platform linking (LFM, LMU). If you link an external racing platform in the app, GRIDCARD fetches publicly available stats for the username you provide. Legal basis: Art. 6(1)(a) GDPR (consent). Unlink any time in the Settings screen.
- Feedback form (in-app). Your message, optional 1–5 star rating, and technical diagnostics (app version, build number). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in product improvement). Rate-limited to 5 submissions per account per hour.
- Server logs. IP address, timestamp, URL, user agent, kept briefly by the hosting provider (Netlify) for operations and abuse prevention. Legal basis: Art. 6(1)(f) GDPR.
What is NOT processed
No analytics, no tracking pixels, no advertising SDKs, no crash reporting, no location or
GPS data, no access to camera, photos, contacts, or health data, no push notifications, no
cookies on the website. A cookie banner is therefore not required.
Service providers (processors under GDPR Art. 28)
- Netlify, Inc. — 101 2nd Street, San Francisco, CA 94105, USA. Hosts the website and edge-proxies the public card pages. Transfers covered by the EU-U.S. Data Privacy Framework and SCCs.
- Supabase, Inc. — 3500 S Dupont Hwy, Dover, DE 19901, USA. Database, authentication, and Edge Functions for the app and the public card backend. Transfers covered by Standard Contractual Clauses; DPA at supabase.com/terms/dpa.
- RevenueCat, Inc. — 150 Spear Street, Suite 1750, San Francisco, CA 94105, USA. Processes the in-app purchase receipts and entitlement state.
- Apple, Inc. (iOS) / Google LLC (Android). The payment itself is handled by the App Store / Play Store under their own privacy policies.
- Low Fuel Motorsport, Motorsport Games / Studio 397 (Le Mans Ultimate) — only if you explicitly link your account in the app.
Retention
- Active accounts: as long as you keep using the app.
- Inactive anonymous accounts: deleted automatically after 30 days of inactivity by the
cleanup_stale_anonymous_users() database routine.
- Server logs: short-term, not longer than needed for abuse prevention.
- Purchase records: kept for the statutory period under German tax law (§ 147 AO, up to 10 years).
Your rights under the GDPR
- Access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), withdrawal of consent (Art. 7(3)).
- Right to lodge a complaint with your local data-protection authority.
To exercise any of these rights, email support@gridcard.site.
Because the account is anonymous, please include your handle or the account UUID visible in
the app's Settings → Debug screen so the correct record can be identified.
For erasure (Art. 17) you don't need to email at all — the app provides a one-tap path under
Settings → Delete all my data. Your account and every record tied to it are
removed from the server within seconds.
Full text and German authoritative version
For the complete processing disclosures including all GDPR Art. 13 information elements,
see the authoritative Datenschutzerklärung (German).