GridStrategy ("we," "us," or "our") operates the GridStrategy platform at gridstrategy.io, an independent Formula 1 race strategy analytics service. We are the data controller for personal information collected through the Service.
For any privacy-related questions, requests, or concerns, you may contact us at:
We aim to respond to all legitimate privacy requests within thirty (30) days, and within the legally required timeframes for jurisdictions with specific response deadlines.
We collect the following categories of information, depending on how you interact with the Service:
We do not intentionally collect:
We use the information we collect for the following purposes, each tied to a lawful basis:
Lawful basis: Performance of contract. We use your account information and usage data to authenticate you, deliver the features you request, maintain your preferences, and operate the platform.
Lawful basis: Legitimate interests. We analyze aggregated usage patterns to understand how the Service is used, identify areas for improvement, diagnose technical problems, and develop new features. This analysis does not involve decisions that significantly affect you individually.
Lawful basis: Consent (for marketing); legitimate interests (for service communications). We may send you service-related communications (account notices, security alerts, policy updates) and, where you have opted in, product updates and newsletters. You may withdraw marketing consent at any time.
Lawful basis: Legitimate interests; legal obligation. We process certain data to detect, investigate, and prevent fraudulent, abusive, or unauthorized activity, and to protect the security and integrity of the Service and our users.
Lawful basis: Legal obligation. We may process your data to comply with applicable laws, regulations, court orders, or binding requests from competent authorities.
We share your personal information only in the limited circumstances described below. We do not sell, rent, or trade personal information.
We engage trusted third-party vendors to help operate the Service, including cloud hosting providers, authentication services, error monitoring tools, and email delivery providers. These vendors process data on our behalf under contractual obligations that require them to protect your information and prohibit use for their own purposes.
If GridStrategy is involved in a merger, acquisition, asset sale, or other business combination, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.
We may disclose your information if required by law, regulation, legal process, or governmental request, or where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of GridStrategy, our users, or the public. Where legally permitted, we will notify you of such requests.
We may share your information with third parties when you have explicitly consented to such sharing.
We may share aggregated or de-identified information that cannot reasonably be used to identify you for research, analytics, or other purposes.
We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, as required by applicable law, or as needed to resolve disputes and enforce our agreements.
When data is no longer required, we securely delete or anonymize it. You may request earlier deletion subject to the limitations described in Section 6.
Depending on where you are located, you may have certain rights regarding your personal information. We honor these rights globally, not only where legally mandated.
If you are located in the European Economic Area or United Kingdom, you also have the right to:
Our legal bases for processing under GDPR are: contract performance (Article 6(1)(b)), legitimate interests (Article 6(1)(f)), legal obligation (Article 6(1)(c)), and consent (Article 6(1)(a)) where applicable. You may contact our Data Protection Officer at dpo@gridstrategy.io or lodge a complaint with your local supervisory authority.
California residents have the right to know what personal information we collect, the right to delete it, the right to opt out of sale (we do not sell personal information), the right to correct inaccurate information, the right to limit use of sensitive personal information, and the right not to be discriminated against for exercising these rights.
To submit a verifiable consumer request, contact us at privacy@gridstrategy.io. We will respond within 45 days, with a possible 45-day extension when reasonably necessary. We do not discriminate against users who exercise their CCPA rights.
Users in Brazil (LGPD), Canada (PIPEDA), Australia (Privacy Act), Japan (APPI), South Korea (PIPA), and other jurisdictions with applicable privacy laws may also have rights under their respective laws. We will honor valid rights requests in accordance with the applicable law of your jurisdiction. Contact us at privacy@gridstrategy.io to make a request.
To exercise any of the rights described above, submit a request to privacy@gridstrategy.io. We may require verification of your identity before fulfilling requests to protect against unauthorized access. We will not charge a fee for reasonable requests, but may do so for repetitive or manifestly unfounded requests as permitted by applicable law.
We use the following categories of cookies and similar technologies:
You can control cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, and be notified when cookies are set. Note that disabling cookies may affect Service functionality. Our cookie consent banner (where required) allows you to manage non-essential cookies at the time of first access.
We respect browser-level Do Not Track (DNT) signals. When we detect a DNT signal, we limit data collection to what is strictly necessary to provide the Service.
GridStrategy operates globally. Your personal information may be transferred to and processed in countries other than your country of residence, including the United States, which may have different data protection laws than those in your jurisdiction.
Where we transfer personal data from the EEA, UK, or Switzerland to countries not recognized as providing an adequate level of protection, we implement appropriate safeguards including:
You may request a copy of the relevant transfer mechanism by contacting us at privacy@gridstrategy.io.
We implement technical, administrative, and physical safeguards designed to protect your personal information from unauthorized access, use, alteration, and disclosure. These measures include:
No security system is impenetrable. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law, typically within 72 hours of becoming aware of the breach.
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@gridstrategy.io and we will promptly delete that information.
If we learn that we have collected personal information from a child under 16 without verified parental consent, we will take immediate steps to delete that information.
The Service may contain links to third-party websites or integrate with third-party data providers such as OpenF1 and FastF1. These third parties have their own privacy policies. We are not responsible for the privacy practices of third-party services. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Service.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
Your continued use of the Service after the revised policy becomes effective constitutes acceptance of the changes. If you do not agree, you should stop using the Service and may request deletion of your account and data.
GridStrategy acts as data controller for personal information processed through the Service. Our Data Protection Officer can be reached at dpo@gridstrategy.io. You have the right to lodge a complaint with your national supervisory authority.
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on users.
GridStrategy does not sell personal information as defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. We do not share personal information for cross-context behavioral advertising. California residents may submit privacy rights requests at privacy@gridstrategy.io.
Categories of personal information collected in the preceding 12 months: identifiers (name, email, IP address); internet or network activity; geolocation data (country/region level only); inferences drawn from usage data. Business or commercial purposes: service operation, security, analytics, legal compliance.
For users in Brazil, we process personal data on the following legal bases under the Lei Geral de Protecao de Dados: consent (Article 7, I), contract performance (Article 7, V), legitimate interests (Article 7, IX), and legal obligation (Article 7, II). Brazilian users may exercise their rights under Articles 17-22 of the LGPD by contacting privacy@gridstrategy.io.
We collect, use, and disclose personal information in accordance with the Personal Information Protection and Electronic Documents Act and applicable provincial privacy legislation. Our privacy practices are overseen by our designated Privacy Officer reachable at privacy@gridstrategy.io. Canadian users may file complaints with the Office of the Privacy Commissioner of Canada.
If you have questions, concerns, or requests related to this Privacy Policy or our data practices:
We take all privacy inquiries seriously and will respond within the timeframes required by applicable law, and in no case later than thirty (30) days from receipt of a valid request.