← OCD Race Labs
Legal

Privacy Policy.

Effective: May 16, 2026 · Last updated: May 16, 2026

1. Who We Are

OCD Race Labs is operated by Rodrigo Espejo B., based in Santiago, Chile. For any privacy-related questions, contact rodrigo@ocdracelabs.com.

2. What We Collect

We collect only what we need to provide the Service:

  • Account data: email, password hash (not the password itself), display name, primary role (rider, coach, mechanic).
  • Rider profile data: date of birth, height, weight, dominant side, skill level, primary discipline, country, team — only what you choose to fill in.
  • Training data: bike configurations, component setups, sessions, runs, voice notes, photos, and any feedback you log.
  • Technical data: IP address, browser type, request timestamps — handled by our infrastructure providers (Supabase, Cloudflare) for security and uptime, retained briefly in logs.

3. What We Don't Do

We don't use third-party advertising trackers, social media pixels, or behavioral profiling. We don't collect data about you from other websites or data brokers. We don't track your location unless you explicitly attach GPS data to a session. We don't sell or share data that personally identifies you. See Section 6 for how we work with aggregated, anonymized data.

4. How We Use Your Data

We use your personal data to:

  • Run the Service and let you log your data
  • Share content with coaches, mechanics, or teammates you explicitly invite
  • Send essential transactional emails (signup confirmation, password reset, account changes)
  • Diagnose and fix bugs
  • Comply with legal obligations

We also process data in aggregated, anonymized form for analytics, product development, machine learning, and market intelligence — see Section 6.

5. Legal Basis

We process your data based on (a) your consent when you sign up, (b) the contract we have with you (these Terms), and (c) our legitimate interest in running, improving, and developing the Service. For users in Chile, this complies with Ley 19.628 sobre Protección de la Vida Privada and Ley 21.719. For users in the EU/UK, this complies with GDPR.

6. Aggregate Analytics & Insights

Beyond operating the Service, we use aggregated and anonymized data— data that doesn't identify you individually — for the following purposes:

  • Product analytics. Understanding how the Service is used so we can improve it. For example: how many users log a session per week, which features are most used, where users drop off in flows.
  • Market intelligence. Generating insights about the mountain bike industry. For example: distribution of bike brands and models in our user base, popularity of frame materials, average geometry numbers by discipline, suspension setup trends.
  • Industry reports.We may publish industry reports (such as an annual “State of MTB” report) with aggregated, anonymized statistics about the rider community.
  • Partner programs. We may share aggregated, anonymized insights with manufacturers, teams, federations, or other partners — including commercial arrangements where partners pay for access to aggregate data or analytics dashboards.
  • Machine learning & AI. We may train machine learning models on aggregated, anonymized data to power features like setup recommendations, performance predictions, anomaly detection, and other AI-driven capabilities.

Important guardrails:

  • All data used for these purposes is anonymized. Identifiers like name, email, and account ID are stripped before aggregation.
  • We don't share, sell, or transfer data that could reasonably be re-identified as belonging to you.
  • Aggregate data with low cell counts (small groups where individuals might be inferable) is excluded or bucketed further.
  • In a future release, you'll be able to opt out of having your data used for aggregate analytics via account settings. Until then, you can opt out by emailing us at rodrigo@ocdracelabs.com.

7. Sharing of Personal Data

We don't sell your personal data. Ever.

We share personal data only with:

  • Service providers who run the Service for us (Supabase for database/auth, Cloudflare for hosting/CDN). They process data on our behalf under contractual confidentiality.
  • People you explicitly invite (coaches, mechanics, teammates) — only the data you share with them.
  • Law enforcement only when legally required (court order, subpoena, etc.) and only the minimum data necessary.

8. International Transfers

Our database (Supabase) and CDN (Cloudflare) operate globally. Your data may be stored or processed in the United States, the European Union, or other regions where these providers operate. These transfers are protected by standard contractual clauses and other safeguards required by applicable law.

9. Retention

We keep your personal data for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where we're required to retain it longer by law (e.g., for tax records). Aggregated, anonymized data and statistics may be retained indefinitely.

10. Your Rights

You can:

  • Access your data — most of it is visible directly in the app
  • Correct your data through account settings (coming soon) or by emailing us
  • Exportyour data in machine-readable format (JSON / CSV) — email us and we'll send it within 30 days
  • Delete your account and all associated personal data
  • Opt out of aggregate analytics (see Section 6)
  • Withdraw consent for processing at any time (this will mean we can no longer provide the Service to you)
  • Object to certain processing or file a complaint with a data protection authority

To exercise any of these rights, email rodrigo@ocdracelabs.com. We respond within 30 days.

11. Children

The Service is not for users under 16. We don't knowingly collect data from anyone under 16. If you believe a child is using the Service without parental consent, contact us and we'll investigate and delete the account.

12. Cookies

We use only essential cookies for authentication and session management. See our Cookies Policy for details.

13. Security

We protect your data with industry-standard measures: passwords are stored as bcrypt hashes, traffic is encrypted with TLS, the database has row-level security (RLS) so users can only access their own data, and access to production systems requires multi-factor authentication. No system is 100% secure, but we take this seriously.

14. Changes to This Policy

We may update this Policy occasionally. If we make material changes, we'll notify you by email or in-app at least 14 days before changes take effect. Continued use of the Service after the changes take effect means you accept the updated Policy.

15. Contact

Questions, requests, or complaints about your privacy?
rodrigo@ocdracelabs.com
Rodrigo Espejo B. · Santiago, Chile.

© 2026 OCD LABS · ALL RIGHTS RESERVED
TermsCookies