Privacy Policy
Effective: April 25, 2026 · Last updated: April 25, 2026
This Privacy Policy describes how the GRID by ZN mobile and web app (“GRID,” “the app,” “we,” “us”) collects, uses, and shares information about you when you use the app.
If you don’t agree with this policy, don’t use the app.
1. Who we are
GRID by ZN is a software platform built to help drag racing tracks run race weekends. The platform is currently operated by an individual founder (business not yet formally incorporated). Once the business is incorporated, this policy will be updated with the legal entity name and registered address.
Contact: gridbyzn@gmail.com
2. What we collect
We only collect what the app needs to run. We do not collect data for advertising, behavioral profiling, or resale.
From racers
- Name, date of birth, phone number, email address
- Emergency contact name and phone number
- Profile photo (avatar) you upload
- Photos of your safety gear (helmet, jacket, harness, etc.) and their certification dates
- Vehicle information you save (year, make, model, engine, chassis specs)
- Tech card information you fill out (vehicle, performance, safety, licensing)
- Liability waiver signatures, including for family members or crew if you sign on their behalf
- For minors: parent/guardian name, phone, relationship, and signature
- A QR code token used by gate staff to look you up
From track staff (gate, tech inspector, tower, track admin)
- Email address and the staff role(s) you’ve been assigned at a track
- Actions you take in the app (entries logged, cards approved, etc.) for audit purposes
From everyone
- Authentication identifiers (provided by Supabase, our auth provider)
- Push notification tokens (only if you allow notifications)
- Operational logs (e.g., when you signed in, what device type) to keep the service running and detect abuse
We do not collect
- Behavioral analytics or marketing data
- Location data
- Contacts or photos beyond what you explicitly upload
- Financial information directly (when payments are added in a future version, those will be processed by Stripe; we’ll never see or store your card number)
3. How we use what we collect
- To let you sign in and use the app.
- To let track staff find you when you arrive at a race (QR scan).
- To let inspectors verify your tech card and approve you to race.
- To let tower staff confirm you’re cleared to race (paid + waiver + approved card).
- To send you push notifications about your tech card or waiver status.
- To remind you when your gear or waiver is about to expire.
- To keep an audit log of changes, so a track admin can investigate disputes.
- To make backups and keep the system reliable.
4. Who sees your information
Your information is scoped to the tracks you race at. A staff member at a track can see racers who race at their track, not racers at unrelated tracks.
- You — see all your own data.
- Gate staff — see your name, photo, waiver status, gear status, and tech card status at their track when you arrive.
- Tech inspectors — see your tech card, gear, and signatures.
- Tower staff — see your name, paid/waiver/card status, and a list of tech cards at their track. They can also look up a racer for emergency contact information when needed.
- Track admins — see operational data at their track (entries, classes, audit log, deleted items).
We don’t sell your information to third parties. We don’t share it with advertisers.
We share information with the third-party services we use to run the app:
- Supabase (Postgres, Auth, Storage, Realtime, Edge Functions) — hosts your data
- Resend — sends sign-in verification codes and other transactional email
- Expo Push Notifications — delivers push notifications
- Stripe (when payments are launched) — processes card transactions
- Sentry (once integrated) — collects error reports to help us fix bugs
We share information when required by law (subpoena, court order, etc.).
5. Where your data is stored
Your data is stored on Supabase’s servers in their hosted region (currently US East). Some operational data may transit through Alberta, Canada (where the founder is located). We rely on Supabase’s standard data protection practices, including encryption at rest and in transit.
If you’re in the EU/UK, this means your data leaves your jurisdiction. By using the app you consent to this transfer.
6. How long we keep your data
- Active accounts: as long as your account is active and you’re using the app.
- Soft-deleted records (entries, tech cards, classes, events): retained indefinitely in the audit trail so track admins can investigate disputes.
- Account deletion: when you delete your account, your personal information (name, DOB, phone, email, photos, signatures) is removed or anonymized within 30 days. References to you in audit logs are anonymized — they show that an entry happened, but not your identity.
- Push tokens: removed when you sign out or revoke notification permission.
7. Children and minors
Racers under 18 can use the app, but a parent or legal guardian must sign their liability waiver. We collect the parent’s name, phone number, relationship, and signature for that purpose.
If you believe a child under 13 has registered without parental consent, contact gridbyzn@gmail.com and we’ll delete the account.
We don’t direct the app at children under 13.
8. Your rights
Depending on where you live, you may have the right to:
- See what information we have about you
- Correct information that’s wrong
- Delete your account and personal information
- Export your data in a machine-readable format
- Withdraw consent (which means you can no longer use the app)
You can do most of these directly in the app:
- View / edit: Profile screen
- Delete account: Settings → Delete Account
For anything you can’t do in-app, email gridbyzn@gmail.com.
If you’re in the EU/UK, you have additional rights under GDPR. If you’re in California, you have rights under CCPA. If you’re in Canada, you have rights under PIPEDA. We honor those rights — contact us.
9. Security
We protect your data using:
- HTTPS/TLS in transit
- Encryption at rest (Supabase)
- Row-level security policies (you can only see what you’re allowed to see)
- Mandatory two-factor authentication at sign-in (6-digit code emailed to you)
- Optional authenticator app (TOTP) as a second factor
- Audit logging of admin/staff actions
No system is perfectly secure. If we discover a data breach affecting you, we’ll notify you within a reasonable time and as required by applicable law.
For more detail, see our security overview.
10. Cookies and tracking
The mobile app does not use cookies.
The web version uses minimal cookies required for authentication (Supabase session). We don’t use tracking cookies or third-party advertising cookies.
11. Changes to this policy
If we change this policy, we’ll update the “Last updated” date at the top. For material changes, we’ll notify you in-app or by email. Continuing to use the app after a change means you accept the updated policy.
12. Contact
Questions? Want to delete your data outside of the app?