Privacy Policy

Introduction

Endurance HQ ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our event management platform and related services (the "Service").

Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the Service. By accessing or using the Service, you agree to this Privacy Policy and our Terms and Conditions.

1. Information We Collect

1.1 Information You Provide to Us

We collect information you provide directly when you:

• Create an Account: Name, email address, phone number, profile information
• Register for Events: Personal details (name, date of birth, gender, address), emergency contact information, health data (medical conditions, allergies), electronic signature for waivers
• Sign Up as a Volunteer: Name, email, phone, skills, availability, shift preferences
• Create Events (Race Directors): Organization details, event information, marketing content, images, sponsor logos
• Make Payments: Payment card information (processed securely by Stripe), billing address
• Contact Support: Communication history, support tickets, feedback

1.2 Information Collected Automatically

When you access our Service, we automatically collect:

• Device Information: Device type, operating system, browser type, IP address
• Usage Data: Pages visited, features used, time spent, click patterns, referring URLs
• Location Data: General geographic location based on IP address (not precise GPS)
• Offline Storage: Data cached locally in IndexedDB for offline functionality (participant lists, check-in queues, event schedules)
• Cookies and Similar Technologies: Session cookies, authentication tokens, preference settings

1.3 Information from Third-Party Services

We integrate with third-party services that may collect or share information:

• Clerk (Authentication): Account creation, login data, OAuth provider information
• Stripe (Payments): Payment transaction details, fraud prevention data
• Resend (Email): Email delivery status, open rates, bounce notifications
• Twilio (SMS): SMS delivery status, phone number validation
• Vercel (Hosting/Analytics): Traffic analytics, performance metrics

2. How We Use Your Information

We use the information we collect to:

2.1 Provide and Improve the Service

• Create and manage user accounts
• Process event registrations and payments
• Generate QR codes for check-in systems
• Send confirmation emails and race day information
• Manage volunteer shifts and assignments
• Enable offline functionality via local storage
• Provide customer support and respond to inquiries
• Monitor and improve platform performance

2.2 Communicate with You

• Send registration confirmations and race day updates
• Notify volunteers of shift assignments and check-in status
• Send important service announcements and updates
• Respond to support requests and feedback
• Send marketing communications (with your consent)

2.3 Ensure Security and Compliance

• Detect and prevent fraud, abuse, and security incidents
• Enforce our Terms and Conditions
• Comply with legal obligations and law enforcement requests
• Protect the rights and safety of users and the public

2.4 Analytics and Research

• Analyze usage patterns and trends
• Conduct research to improve features
• Generate aggregate, anonymized statistics
• A/B test new features and improvements

3. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

3.1 With Race Directors

When you register for an event or volunteer for a shift, we share your registration information with the event's race director. Race directors are independent data controllers responsible for handling your information in accordance with applicable laws.

3.2 With Service Providers

We share information with trusted third-party service providers who help us operate the Service:

• Clerk: User authentication and account management
• Stripe: Payment processing and fraud prevention
• Resend: Transactional email delivery
• Twilio: SMS notifications
• Neon (PostgreSQL): Database hosting
• Vercel: Application hosting and CDN
• External Image Hosts: Imgur, Cloudinary (if you use external image URLs)

3.3 For Legal Reasons

We may disclose your information if required by law or in response to:

• Legal process (subpoenas, court orders)
• Law enforcement or regulatory requests
• Protection of our rights, property, or safety
• Emergency situations involving public safety

3.4 Business Transfers

If Endurance HQ is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice before your information becomes subject to a different privacy policy.

3.5 With Your Consent

We may share your information for other purposes with your explicit consent.

4. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law.

• Account Information: Retained until account deletion, plus 90 days for backup recovery
• Event Registrations: Retained for 7 years for tax and legal compliance
• Payment Records: Retained per Stripe's requirements and tax law (typically 7 years)
• Volunteer Records: Retained for 3 years after last activity
• Offline Cache: Automatically cleared after 7-30 days of inactivity
• Analytics Data: Aggregate data retained indefinitely; personal identifiers removed after 2 years

You may request deletion of your data at any time by contacting support@endurancehq.app. Some information may need to be retained for legal or legitimate business purposes.

5. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

5.1 General Rights (All Users)

• Access: Request a copy of the personal information we hold about you
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your personal information
• Export: Download your data in a portable format
• Opt-Out: Unsubscribe from marketing communications

5.2 GDPR Rights (EU/EEA Users)

• Right to Erasure: "Right to be forgotten" under certain conditions
• Right to Restriction: Limit how we use your data
• Right to Object: Object to processing for direct marketing or legitimate interests
• Right to Portability: Receive your data in a machine-readable format
• Right to Withdraw Consent: Withdraw consent for processing at any time
• Right to Lodge a Complaint: File a complaint with your local data protection authority

5.3 CCPA Rights (California Residents)

• Right to Know: Know what personal information is collected, used, and shared
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt-out of sale of personal information (we do not sell data)
• Right to Non-Discrimination: Equal service and pricing regardless of exercising privacy rights

5.4 Exercising Your Rights

To exercise any of these rights, contact us at:

• Email: privacy@endurancehq.app
• Account settings: Manage preferences in your dashboard
• Unsubscribe links: Included in all marketing emails

6. Security Measures

We implement industry-standard security measures to protect your information:

• Encryption: TLS/SSL encryption for data in transit, encryption at rest for databases
• Authentication: Secure authentication via Clerk with multi-factor authentication support
• Payment Security: PCI-DSS compliant payment processing via Stripe (we do not store card details)
• Access Controls: Role-based access controls, principle of least privilege
• QR Code Security: JWT-signed QR codes with expiration and event validation
• Offline Security: IndexedDB protected by browser same-origin policy
• Monitoring: Continuous security monitoring and incident response procedures

However, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but strive to use commercially acceptable means to protect your personal information.

7. Cookies and Tracking Technologies

7.1 Types of Cookies We Use

• Essential Cookies: Required for authentication, security, and basic functionality
• Functional Cookies: Remember preferences and settings (language, theme)
• Analytics Cookies: Help us understand usage patterns (Vercel Analytics)
• Service Worker: Enables offline functionality and background sync

7.2 Local Storage

We use browser local storage and IndexedDB to:

• Store email addresses for race day portal access
• Cache participant lists for offline check-in
• Queue offline mutations (check-ins, updates) for sync
• Store race day schedules and event information

7.3 Managing Cookies

Most web browsers allow you to control cookies through settings. Note that disabling cookies may affect Service functionality. You can clear local storage and IndexedDB through browser settings, but this will disable offline features.

8. Children's Privacy

Endurance HQ does not knowingly collect personal information from children under 13 years of age (or under 16 in the EU). If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@endurancehq.app.

For events that allow minors to participate, race directors must obtain parental consent and comply with applicable child protection laws. We are not responsible for race directors' compliance with child privacy regulations.

9. International Data Transfers

Endurance HQ is based in the United States. Your information may be transferred to and processed in the United States or other countries where our service providers operate. These countries may have different data protection laws than your country of residence.

For transfers from the EU/EEA, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Service providers with appropriate safeguards (e.g., EU-US Data Privacy Framework)

10. Third-Party Websites and Services

The Service may contain links to third-party websites (event websites, sponsor sites, social media, image hosting services). We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any information.

This includes:

• External image hosting services (Imgur, Cloudinary)
• Social media platforms linked from event pages
• Sponsor websites
• Lodging and travel booking sites

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the new Privacy Policy on this page
• Updating the "Last Updated" date at the top
• Sending an email to registered users (for significant changes)
• Displaying a prominent notice in the Service

Your continued use of the Service after changes become effective constitutes acceptance of the revised Privacy Policy. We encourage you to review this Privacy Policy periodically.

12. Data Protection Officer

If you have questions about this Privacy Policy or our data practices, you may contact our Data Protection Officer: