Privacy Policy

1. Ways We Collect Your Personal Data

We employ a "Privacy by Design" approach. We generally do not collect personal data unless provided voluntarily by you directly, or via a third party who has been duly authorised by you to disclose your personal data to us, through the following channels:

• Directly from you: When you register for an account, sign up for a virtual race, submit an enquiry, or opt in to a tax-deductible donation.
• Automatically via the platform: When you connect third-party fitness applications (e.g., Strava, Apple Health) to sync your workout data, or through standard website cookies necessary for functionality.

2. The Information We Collect

We practise strict Data Minimisation, collecting only what is essential for event operations, user experience, and legal compliance:

• Standard Event Data: Name, email address, contact number, shipping address, social media handles (if linked), and workout metrics (distance, time, pace).
• Mandatory NRIC/FIN Collection (For Charity & Tax Deductions): In compliance with the Personal Data Protection Commission (PDPC) Advisory Guidelines, HeyRace generally does not collect NRIC/FIN numbers. Exception: For events partnered with Institutions of a Public Character (IPCs) where you opt in to make a tax-deductible donation, the collection of NRIC/FIN is legally mandated by the Inland Revenue Authority of Singapore (IRAS).

3. Accuracy of Personal Data

We generally rely on personal data provided by you or your authorised representative. To ensure that your personal data is current, complete, and accurate, please update your profile settings or inform our Data Protection Officer if there are any changes to your personal data.

4. How We Use Your Information

Your data is strictly used to facilitate the services you have requested and operate our business, including:

• Administering virtual races, validating workout submissions, and updating event leaderboards.
• Processing payments securely and fulfilling the delivery of physical race items to your designated address.
• Responding to, handling, and processing queries, complaints, and feedback from you.
• Submitting tax-deductible donation records to IRAS via our partner charities (only if explicitly opted-in).
• Conducting statistical analysis and planning to improve our platform.
• Complying with applicable laws, regulations, and guidelines, or assisting in law enforcement and investigations.
• Enforcing our Terms of Use.

The purposes listed above may continue to apply for a reasonable period even in situations where your relationship with us has been terminated or altered in any way.

5. Sharing & Disclosing Your Information

HeyRace does not sell, rent, or trade your personal data. We only disclose information on a strict "need-to-know" basis:

• Payment Gateways: We use secure third-party processors (e.g., Stripe) to handle transaction data. We do not store full credit card numbers on our servers.
• Logistics Partners: Third-party couriers strictly for the delivery of race items.
• Partner Institutions/Charities: Secure transmission of specific donation and NRIC data strictly for IRAS tax-deduction compliance. This data is siloed and never used for marketing.
• Public Leaderboards: To protect participant privacy, public leaderboards and class rankings utilise aggregated data, pseudonymised data (e.g., displaying only first names and last initials), or user-selected nicknames.
• Legal & Regulatory Authorities: We may disclose data if required by law, to comply with legal processes, to protect and defend our rights or property, or under exigent circumstances to protect the personal safety of our users.

6. Protection & Security Safeguards

To safeguard your personal data from unauthorised access, collection, use, disclosure, copying, modification, or disposal, we utilise enterprise-grade security protocols:

• Encryption, Hashing & Infrastructure: All personal data transmitted is encrypted using industry-standard TLS/SSL protocols. Sensitive data at rest (such as NRICs) is encrypted using AES-256. User passwords are securely hashed and never stored in plain text.
• Role-Based Access Control (RBAC) & Audit Trails: Access to personal data is strictly restricted internally. The platform maintains internal access logs to monitor any extraction of sensitive data.
• Data Breach Protocol: In the highly unlikely event of a notifiable data breach, HeyRace will notify the PDPC within 72 hours, inform affected event partners immediately, and notify affected individuals.

Please note: While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot absolutely guarantee its security.

7. Retention and Purging of Personal Data

We retain your personal data only for as long as necessary to fulfil the purpose for which it was collected. We utilise automated purging protocols:

• Post-Event Purge: Personal data directly tied to event logistics (such as shipping addresses) is retained only for as long as necessary to fulfil the delivery of race items and manage customer service enquiries (typically 30–60 days post-event).
• NRIC Destruction: NRIC data collected for tax deduction purposes is securely transmitted to the relevant partner institution and subsequently purged from HeyRace's active databases immediately following successful transmission and verification.

8. Cross-Border Data Transfers

Our primary servers are hosted in secure cloud environments. If your personal data is transferred to servers or third-party service providers located outside of Singapore, we will take necessary steps to ensure that the receiving jurisdictions have comparable data protection standards to the PDPA.

9. Protection of Minors

If you are under 18 years of age, you must obtain consent from your parent or legal guardian before using our platform, registering for a race, or submitting personal data. Parents or guardians who believe we have inadvertently collected data from a minor without appropriate consent may contact our Data Protection Officer for its immediate removal.

10. Contact Preferences and Marketing

We respect your inbox and distinguish between essential and promotional communications:

• Transactional Communications: You will receive essential emails regarding your race registration, payment receipts, password resets, and shipping updates.
• Marketing Communications: You will only receive promotional emails about future races or partner offers if you have explicitly opted in. You may update your preferences or unsubscribe at any time.

11. Withdrawing Your Consent

The consent that you provide will remain valid until withdrawn in writing. You may withdraw consent and request us to stop collecting, using, and/or disclosing your personal data by submitting your request to our Data Protection Officer. We shall seek to process your request within ten (10) business days. Please note that withdrawing consent may mean we are no longer in a position to continue providing our platform services to you.

12. Access to and Correction of Personal Data

You have the right to access and correct the personal data we hold about you.

• You may view, update, or correct your standard profile information directly through your HeyRace account dashboard.
• For formal access or correction requests, please contact our Data Protection Officer. We will respond within thirty (30) business days. Please note that a reasonable administrative fee may be charged for an access request. We will inform you of the fee before processing your request.

13. Third-Party Integrations & External Websites

• Fitness Applications: When you authorise HeyRace to sync with external platforms (e.g., Strava), we only import the data necessary for the virtual race. We accept no responsibility for the independent privacy practices of those third-party applications. You acknowledge and agree that we shall not be held responsible for any loss or damage sustained by sharing information via these features.
• External Links: Our platform may contain links to external websites. We accept no liability for the privacy practices or content of these external sites.
• Cookies: Our website uses cookies to improve your user experience. You may block these via your browser settings, though you may lose personalisation settings and functionality.

14. Changes to this Policy

We may revise this Policy from time to time without prior notice. You can determine if any such revision has taken place by referring to the "Last updated" date. Your continued use of our services constitutes your acknowledgement and acceptance of such changes.

15. Governing Law & Dispute Resolution

This Policy shall be governed by and construed according to the laws of Singapore. In the event of any dispute arising out of or in connection with this Policy, both parties shall first take reasonable efforts to settle the dispute in good faith and in an amicable manner by negotiation before resorting to the exclusive jurisdiction of the Singapore courts.