Privacy Policy
Effective: February 3, 2026 · Last updated: February 3, 2026
1 Introduction
This Privacy Policy explains how ApexClub ("we," "us," or "Service") collects, uses, discloses, and protects your personal information. We are committed to protecting your privacy and handling your data responsibly.
The Service is operated by an individual (natural person, not a legal entity) based in the European Union, and complies with applicable EU data protection laws, including the General Data Protection Regulation (GDPR).
Data Controller: Individual operator, based in the Netherlands — [email protected]
Given the nature and scale of data processing, the appointment of a Data Protection Officer (DPO) is not required under GDPR Article 37. For any data protection inquiries, please contact us directly at the email above.
2 Information We Collect
2.1 Information You Provide
Account Information:
- Email address
- Password (stored as an encrypted hash — we never store the raw password)
- Display name (username)
- Timezone preference
Predictions and Activity:
- Your race predictions, scores, and points
- League memberships and league names you create
2.2 Information Collected Automatically
Usage Data via Heap Analytics (production only):
- Pages visited, features used, and time spent on the Service
- Device type, browser information, and IP address (anonymized)
- Referring website and interactions
2.3 Information from Third Parties
Google OAuth (if you choose to sign in with Google):
- Google account email address and Google account ID
- Basic profile information provided by Google
3 How We Use Your Information
3.1 Service Provision
- Create and manage your account
- Process and display your predictions
- Calculate scores and maintain leaderboards
- Manage leagues and memberships
- Display race calendars and deadlines in your timezone
3.2 Communication
- Send transactional emails (password resets, email verification)
- Respond to your support requests
- Send important Service updates
3.3 Service Improvement
- Analyze usage patterns to improve the Service
- Identify and fix bugs or technical issues
- Optimize user experience
3.4 Security and Compliance
- Detect and prevent fraud or abuse
- Enforce our Terms of Service
- Comply with legal obligations
We do NOT send marketing or promotional emails, sell your personal information to third parties, or use your data for purposes other than those listed above.
4 Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide the Service you've signed up for
- Legitimate Interests: Improving the Service, ensuring security, and analyzing usage
- Consent: When we ask for specific consent (e.g., for analytics cookies)
- Legal Obligations: When required by law
5 Data Sharing and Disclosure
5.1 Third-Party Service Providers
- Heap Analytics — usage analytics; receives anonymized usage data and browser information. See Heap's Privacy Policy.
- Google (OAuth Provider) — authentication token exchange when you sign in with Google. See Google's Privacy Policy.
- Hosting Provider — data storage and Service hosting; located in the European Union
5.2 Legal Requirements
We may disclose your information if required to comply with a legal obligation, respond to lawful requests from public authorities, or protect against fraud or illegal activities.
5.3 Business Transfers
If the Service is acquired or merged with another entity, your data may be transferred to the new owner. You will be notified of any such change.
6 Data Retention
- Active accounts: We retain your personal data for as long as your account is active
- Inactive accounts: If you do not use the Service for 1 year, your personal data will be automatically anonymized (email removed, display name replaced with "Anonymous User [ID]", password and Google ID removed). You will receive an email warning at the 11-month mark before anonymization occurs.
- Deleted accounts: Personal data is anonymized; predictions and league history remain anonymized to preserve league integrity
- Legal retention: Some data may be retained longer if required by law or for fraud prevention
6.1 Data Export Before Anonymization
Before anonymization occurs — whether from account deletion, termination, or inactivity — you will have a 30-day window to request a data export. The export includes your prediction history, scores, and league memberships in a machine-readable format (JSON or CSV). To request an export, email [email protected].
7 Your Rights (GDPR)
As an EU resident, you have the following rights. To exercise any of them, contact [email protected] — we will respond within 30 days.
8 Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption: Passwords are hashed using bcrypt with a per-user salt
- Secure transmission: HTTPS for all communications in production
- Access controls: Limited access to personal data
However, no method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
9 International Data Transfers
Your data is processed and stored within the European Union. If data is transferred outside the EU, we ensure appropriate safeguards are in place as required by GDPR.
10 Children's Privacy
The Service has no age restrictions. However, we do not knowingly collect personal information from children under 13 without parental consent. If we become aware that we have collected data from a child under 13 without parental consent, we will delete it. Parents or guardians may contact us to request deletion of their child's data.
11 Cookies and Tracking
Cookies are essential for this Service to work. We use them for authentication, security, and basic functionality. Without cookies, you cannot log in or use ApexClub.
11.1 Essential Cookies
We use essential cookies that are strictly necessary for the Service to function:
- auth_token: Stores your authentication session (JWT). Required to stay logged in.
- csrf_token: Protects against cross-site request forgery attacks.
- cookie_consent: Remembers that you have acknowledged our cookie notice.
These cookies cannot be disabled as they are required for the Service to operate. By using ApexClub, you accept the use of these essential cookies.
11.2 Google OAuth Cookies
If you sign in with Google, Google may set cookies as part of the authentication process. These cookies are managed by Google and are necessary for the sign-in flow to work. See Google's Cookie Policy for details.
11.3 Analytics Cookies (Heap Analytics)
We use Heap Analytics to understand how users interact with the Service. These cookies track page views and interactions but do not collect personally identifiable information directly.
Analytics cookies require your explicit consent. When you first visit ApexClub, you will be asked to accept or decline analytics cookies. You can change your choice at any time through the cookie settings in the site footer.
Declining analytics cookies has zero impact on Service functionality — you can use every feature of ApexClub without them.
Heap Analytics is operated by Heap Inc., a US-based company. While data is collected from our EU-hosted Service, analytics data processed by Heap may be subject to US law. See Heap's Privacy Policy for details.
11.4 Managing Cookies
Essential cookies (authentication and security) cannot be disabled — they are required for the Service to function. Analytics cookies are opt-in only and can be accepted or declined through the cookie consent banner, or managed at any time via the cookie settings link in the site footer. Disabling essential cookies will prevent you from logging in and using the Service.
12 Do Not Track
Some browsers have a "Do Not Track" (DNT) feature. We do not currently respond to DNT signals, as there is no industry standard for how to respond to them.
13 Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top and notify you via email for material changes. Continued use of the Service after changes constitutes acceptance.
14 Third-Party Links
The Service may contain links to third-party websites. We are not responsible for the privacy practices of these websites and encourage you to read their privacy policies.
15 Contact Us
If you have questions about this Privacy Policy or wish to exercise your GDPR rights, please contact:
Email: [email protected]
Subject Line: Privacy Policy Inquiry
We will respond to your inquiry within 30 days.