Privacy Policy

Introduction

Welcome to Crewable ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our race planning and crew coordination platform at crewable.run (the "Service").

Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not use the Service.

1. Information We Collect

1.1 Information You Provide Directly

We collect information that you voluntarily provide to us when you:

• Create an Account: Name, email address, password, profile picture
• Subscribe to Our Service: Billing information processed through Stripe (we do not store full credit card numbers)
• Create Race Plans: Race names, dates, locations, distances, start times, race images
• Manage Products: Nutrition information (product names, calories, carbohydrates, sodium, caffeine content), product images
• Plan Aid Stations: Aid station names, distances, crew accessibility preferences, map links, product assignments
• Upload GPX Files: Complete GPS track data including coordinates, elevation, and timestamps
• Manage Race Access: Email addresses of crew members and collaborators, role assignments (runner/crew/director)
• Join Waitlist: Email address via landing page forms
• Contact Support: Segment requests, support inquiries

1.2 Information Collected Automatically

When you access the Service, we automatically collect:

• Usage Data: Pages viewed, features used, time spent on pages, access dates and times
• Device Information: Browser type and version, operating system, device type
• Analytics Events: Form interactions, registration clicks, location sharing attempts, sponsor link clicks, email events (via Vercel Analytics)
• Performance Metrics: Web Vitals and performance data (via Vercel Speed Insights)
• Cookies and Similar Technologies: Session management cookies (httpOnly), authentication tokens
• IP Address and Location: General geographic location based on IP address

1.3 Information from Third-Party Integrations

• Strava Integration: If you connect your Strava account, we collect activity data including dates, times, distances, and calories burned
• Endurance HQ Integration (Direct Registration): If you register for an event through Endurance HQ and opt-in to our service, we receive your name, email, registration ID, event details, and aid station information to auto-create your race plan
• Endurance HQ Integration (Race Director Invitation): If a race director using Endurance HQ invites you to use Crewable for their event, we receive your name, email, and bib number to send you an invitation. An account is only created after you accept the invitation by clicking the activation link in the email, which constitutes your explicit consent
• Map Interactions: Location coordinates when you use map features, share locations, or interact with sponsor links (with UTM parameters)

1.4 Information We Do NOT Collect

We do not:

• Use invasive third-party tracking pixels (no Google Analytics, Facebook Pixel, or similar trackers)
• Sell your personal information to third parties
• Collect health data beyond basic nutrition planning (calories, carbs, sodium, caffeine)
• Store full credit card numbers (handled securely by Stripe)

2. How We Use Your Information

We use the information we collect to:

• Provide and Maintain the Service: Account creation, authentication, race planning, nutrition tracking
• Process Transactions: Manage subscriptions, process payments, send billing confirmations
• Communicate with You: Send service updates, respond to inquiries, deliver transactional emails, send marketing communications (with your consent)
• Improve the Service: Analyze usage patterns, identify bugs, develop new features, optimize performance
• Security and Fraud Prevention: Monitor for suspicious activity, verify user identity, protect against unauthorized access
• Compliance: Comply with legal obligations, enforce our terms, protect our rights
• Collaboration: Enable race planning collaboration between runners and crew members
• Integration Services: Auto-create race plans from Endurance HQ registrations, sync Strava activities

3. How We Share Your Information

3.1 Third-Party Service Providers

We share information with trusted third-party providers who assist us in operating the Service:

3.2 Race Collaborators

When you invite crew members or share race access, we share relevant race planning information with those individuals based on their assigned role (runner, crew, or director).

3.3 Legal Requirements

We may disclose your information if required by law or in response to:

• Valid legal processes (subpoenas, court orders)
• Government or regulatory requests
• Protection of our rights, property, or safety
• Emergencies involving potential harm to persons

3.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice on our website of any change in ownership or use of your personal information.

3.5 What We Do NOT Do

• We do not sell your personal information
• We do not share your information with advertisers
• We do not use your data for unrelated marketing purposes

4. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy:

• Account Data: Retained until you delete your account
• Race Plans and Products: Retained indefinitely unless deleted by you
• GPX Files: Retained until you delete them or your account
• Transaction Records: Retained for 7 years for accounting and tax purposes
• Email Marketing Lists: Retained until you unsubscribe
• Analytics Data: Aggregated data retained indefinitely; individual events for up to 2 years
• Support Communications: Retained for 3 years

When you delete your account, we automatically cascade delete all associated data including races, products, aid stations, subscriptions, and customer records. However, we may retain certain information for legal compliance, dispute resolution, and enforcement of our agreements.

5. Your Privacy Rights

5.1 General Rights

You have the right to:

• Access: Request a copy of the personal information we hold about you
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your personal information
• Portability: Receive your data in a structured, commonly used format
• Objection: Object to processing of your personal information
• Restriction: Request restriction of processing in certain circumstances
• Withdraw Consent: Withdraw consent for data processing where consent was the basis

5.2 GDPR Rights (European Users)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

• Right to lodge a complaint with a supervisory authority
• Right to data portability
• Right to object to automated decision-making

5.3 CCPA Rights (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information is collected
• Right to know whether personal information is sold or disclosed
• Right to opt-out of the sale of personal information (we do not sell personal information)
• Right to deletion
• Right to non-discrimination for exercising CCPA rights

5.4 How to Exercise Your Rights

To exercise any of these rights, please:

• Email us at: privacy@ultraruncrew.com
• Log in to your account and update your information directly
• Use the unsubscribe link in marketing emails

We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

6. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

• Encryption: HTTPS/TLS encryption for all data in transit
• Authentication: Secure authentication via Clerk with httpOnly session cookies
• Access Controls: Role-based access control for race planning features
• Webhook Security: Signature verification for Stripe and Clerk webhooks
• API Security: Bearer token authentication for integration endpoints
• Database Security: Managed PostgreSQL with encryption at rest (Vercel Postgres)
• Payment Security: PCI DSS compliant payment processing via Stripe (we do not store card numbers)

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

7. Cookies and Tracking Technologies

7.1 What We Use

• Essential Cookies: Session management cookies (httpOnly) required for authentication and security
• Analytics: Vercel Analytics for usage tracking (first-party only, no third-party trackers)
• Performance: Vercel Speed Insights for monitoring page load performance

7.2 Your Choices

You can control cookies through your browser settings. However, disabling essential cookies may prevent you from using certain features of the Service. We do not currently offer a cookie consent banner because we only use essential and first-party analytics cookies.

7.3 Do Not Track

We do not currently respond to "Do Not Track" signals because we do not use invasive third-party tracking technologies.

8. International Data Transfers

Your information may be transferred to and processed in the United States and other countries where our service providers operate. These countries may have data protection laws different from your country of residence.

We ensure appropriate safeguards are in place for international transfers, including:

• Standard Contractual Clauses (SCCs) with service providers
• Compliance with GDPR requirements for EU data transfers
• Service providers certified under relevant data protection frameworks

9. Children's Privacy

The Service is not intended for children under 13 years of age (or 16 in the EEA). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@ultraruncrew.com, and we will delete such information.

10. Third-Party Links

The Service may contain links to third-party websites, including sponsor websites (tracked with UTM parameters), Strava, and map services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any information.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:

• Posting the updated policy on this page
• Updating the "Last Updated" date
• Sending an email notification (for significant changes)

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

13. Data Processing Addendum

For business customers who need a Data Processing Addendum (DPA) for GDPR compliance, please contact us at legal@ultraruncrew.com.