Privacy Policy

Last updated: 19 January 2026

1. Introduction

Formula Corporation Pty Ltd (ABN 36 139 810 361), trading as The Great Race ("Company", "we", "us", or "our"), is committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you use The Great Race Account service located at accounts.thegreatrace.com ("Service").

We are bound by the Privacy Act 1988 (Cth) ("Privacy Act") and the Australian Privacy Principles ("APPs") contained in Schedule 1 of the Privacy Act. This policy is designed to comply with Australian privacy law and, where applicable, the General Data Protection Regulation (GDPR) for users located in the European Union.

By using the Service, you consent to the collection, use, and disclosure of your personal information in accordance with this Privacy Policy. If you do not agree to this Policy, please do not use the Service.

2. Information We Collect

2.1 Information You Provide Directly

We collect personal information that you voluntarily provide when you:

• Create an account: Email address, password (stored securely using industry-standard hashing), and display name
• Update your profile: Display name, profile picture/avatar, and communication preferences
• Make a purchase: Billing information is processed by our payment provider (Stripe); we receive only transaction confirmations and do not store your complete credit card details
• Contact us: Name, email address, and any information you include in your correspondence
• Enable two-factor authentication: Phone number (if using SMS-based 2FA) or authenticator app details

2.2 Information Collected Automatically

When you access or use the Service, we automatically collect:

• Device Information: Browser type and version, operating system, device type, and unique device identifiers
• Usage Data: Pages and features accessed, timestamps of access, referring URLs, and navigation patterns
• Log Data: IP address, access times, authentication events (login, logout, password changes), and error logs
• Session Information: Active sessions, session duration, and connected applications accessed via single sign-on
• Location Information: Approximate geographic location derived from your IP address (country and region level only)

2.3 Information from Third Parties

We may receive personal information from third parties, including:

• OAuth Providers: If you sign in using Google or another OAuth provider, we receive your email address, name, and profile picture as authorised by you during the OAuth flow
• Payment Providers: Stripe provides us with transaction confirmations, subscription status, and limited billing information (such as the last four digits of your card and card type)
• Connected Applications: Applications within The Great Race family may share usage information and entitlement status

2.4 Sensitive Information

We do not intentionally collect sensitive information as defined under the Privacy Act (such as health information, racial or ethnic origin, political opinions, religious beliefs, or sexual orientation). If you provide such information voluntarily (for example, in correspondence with us), you consent to us collecting and handling that information in accordance with this Policy.

3. How We Use Your Information

3.1 Primary Purposes

We use your personal information to:

• Provide, maintain, and improve the Service
• Authenticate your identity and manage your account
• Provide single sign-on access to connected applications
• Process subscriptions, payments, and refunds
• Track and manage your entitlements across connected applications
• Send you service-related communications (account verification, security alerts, subscription notifications, and important updates)
• Respond to your enquiries and provide customer support

3.2 Secondary Purposes

We may also use your personal information to:

• Detect, prevent, and address fraud, security breaches, and other harmful activities
• Monitor and analyse usage patterns to improve user experience
• Enforce our Terms of Service and other policies
• Comply with legal obligations and respond to lawful requests from authorities
• Protect our rights, property, and safety, and that of our users and the public

3.3 Marketing Communications

With your consent, we may send you promotional communications about products, services, and events offered by The Great Race family of applications. You may opt out of marketing communications at any time by:

• Clicking the "unsubscribe" link in any marketing email
• Updating your preferences in your Account settings
• Contacting us

Note that opting out of marketing communications will not affect service-related communications (such as security alerts or billing notifications), which are necessary for the operation of your account.

4. Legal Basis for Processing (GDPR)

For users located in the European Union, we process your personal information on the following legal bases:

• Contract: Processing necessary to perform our contract with you (providing the Service, managing subscriptions)
• Legitimate Interests: Processing necessary for our legitimate interests (security, fraud prevention, service improvement) that do not override your rights
• Legal Obligation: Processing necessary to comply with legal requirements (tax records, law enforcement requests)
• Consent: Processing based on your consent (marketing communications)

5. Information Sharing and Disclosure

5.1 Connected Applications

When you use single sign-on (SSO) to access connected applications, we share the following information with those applications:

• Your user identifier (a unique, pseudonymous ID)
• Email address
• Display name and avatar (if provided)
• Your active entitlements (what content/features you have access to)
• Subscription status (active, expired, etc.)

Connected applications receive only the information necessary to provide their services. Each connected application has its own privacy policy governing how it uses this information.

5.2 Service Providers

We engage trusted third-party service providers to perform functions on our behalf. These providers have access to your personal information only to perform specific tasks and are obligated to protect it. Our key service providers include:

• Stripe, Inc. (United States): Payment processing and subscription management. Stripe Privacy Policy
• Supabase, Inc. (United States): Database infrastructure and authentication services. Supabase Privacy Policy
• Cloudflare, Inc. (United States): Content delivery, security, and DDoS protection. Cloudflare Privacy Policy
• Resend, Inc. (United States): Transactional email delivery.Resend Privacy Policy
• Google LLC (United States): OAuth authentication (if you choose to sign in with Google). Google Privacy Policy

5.3 Legal Requirements

We may disclose your personal information if required to do so by law or in response to:

• Valid legal process (subpoenas, court orders, government requests)
• Requests from law enforcement or other government authorities
• Situations where disclosure is necessary to protect our rights, property, or safety, or that of our users or the public
• Suspected fraud, security threats, or other illegal activities

We will attempt to notify you of such requests unless prohibited by law or where notification would be futile, inappropriate, or would jeopardise an investigation.

5.4 Business Transfers

In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on the Service of any change in ownership or use of your personal information, and any choices you may have regarding your information.

5.5 No Sale of Personal Information

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

6. Data Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher. Sensitive data at rest is encrypted using AES-256 encryption.
• Password Security: Passwords are hashed using industry-standard algorithms (bcrypt/Argon2) and are never stored in plain text.
• Access Controls: Access to personal information is restricted to authorised personnel who need it to perform their duties, using role-based access controls and multi-factor authentication.
• Security Monitoring: We employ web application firewalls, intrusion detection systems, and continuous security monitoring to detect and respond to threats.
• Rate Limiting: We implement rate limiting on authentication endpoints to prevent brute force attacks.
• Audit Logging: All authentication events and administrative actions are logged for security audit purposes.
• Regular Assessments: We conduct regular security assessments and vulnerability testing.

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your personal information for as long as necessary to:

• Maintain your account and provide the Service
• Comply with legal obligations (including tax and accounting requirements)
• Resolve disputes and enforce our agreements
• Meet legitimate business purposes

Specific retention periods include:

• Account Information: Retained while your account is active and for 7 years after account closure (for legal compliance)
• Authentication Logs: Retained for 1 year for security purposes
• Payment Records: Retained for 7 years (tax and accounting requirements)
• Marketing Preferences: Retained until you withdraw consent
• Support Correspondence: Retained for 3 years after resolution

When personal information is no longer required, we will securely delete or anonymise it.

8. International Data Transfers

Your personal information may be transferred to, stored, and processed in countries other than Australia, including the United States, where our service providers operate. These countries may have data protection laws that differ from those in Australia.

When we transfer personal information internationally, we take steps to ensure appropriate safeguards are in place, including:

• Ensuring recipients are bound by contractual obligations to protect your information
• Selecting service providers that participate in recognised data protection frameworks
• Implementing standard contractual clauses approved by relevant authorities

By using the Service, you consent to the transfer of your information to these countries.

9. Your Rights and Choices

9.1 Australian Privacy Rights

Under the Privacy Act, you have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate or incomplete information
• Complain about a breach of the APPs

9.2 Additional Rights (GDPR)

If you are located in the European Union, you have additional rights including:

• Right to Erasure: Request deletion of your personal data (subject to certain exceptions)
• Right to Portability: Receive your personal data in a structured, commonly used, machine-readable format
• Right to Restriction: Request restriction of processing in certain circumstances
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

9.3 Exercising Your Rights

You can exercise many of these rights directly through your Account settings:

• View and update your profile information
• View your active sessions and revoke access
• Update your communication preferences
• Download a copy of your account data
• Delete your account

For other requests, please contact us. We will respond to your request within 30 days. We may need to verify your identity before processing your request.

9.4 Complaints

If you believe we have breached your privacy rights, you may lodge a complaint with us. We will investigate and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

10. Cookies and Tracking Technologies

10.1 Cookies We Use

We use cookies and similar technologies for authentication and essential functionality. Our cookie usage is as follows:

10.2 Third-Party Cookies

We do not use third-party advertising or analytics cookies. Our service providers (Cloudflare, Stripe) may set cookies necessary for their services to function.

10.3 Cookie Preferences

As we only use essential cookies necessary for the Service to function, there is no option to disable them while using the Service. You can configure your browser to block all cookies, but this will prevent you from using the Service.

11. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16 without parental consent, we will take steps to delete that information.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

• We will update the "Last updated" date at the top of this Policy
• We will notify you by email or through prominent notice on the Service
• For significant changes, we will provide at least 30 days' notice before they take effect

Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Policy.

13. Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

We will acknowledge your enquiry within 7 days and endeavour to provide a substantive response within 30 days.