Privacy Notice

Last Updated: March 2, 2026

1. Introduction

Apex and Exit ("we," "our," or "the Service") is committed to protecting your privacy. This Privacy Notice explains what personal data we collect, why we collect it, how it is stored, and your rights regarding that data.

For privacy inquiries, please contact us at support@apexandexit.com.

2. Information We Collect

2.1 Information You Provide (Account Users)

The Service can be used without creating an account. By default, any preferences or favorites you set are stored locally in your browser and are not transmitted to our servers.

Optional Account Creation: If you choose to create an account, we collect and store:

  • Email address and hashed password (if you register with email)
  • Display name (if provided)
  • Your favorite series and tracks
  • Your owned cars and tracks
  • Account creation date and last login date

iRacing Account Linking (Optional): If you connect your iRacing account via OAuth, we additionally receive and store the following data from iRacing:

  • iRacing customer ID
  • Display name from your iRacing profile
  • License ratings (category, safety rating, iRating, time trial rating) for each license class
  • Helmet color scheme (three color values from your iRacing profile)
  • Owned car and track package IDs

Account creation is entirely voluntary. If you choose not to create an account, no personal data is transmitted to our servers.

2.2 Automatically Collected Information

We collect anonymous usage statistics through our analytics service, which may include:

  • Pages visited and features used
  • Browser type and version
  • Operating system
  • Referring website
  • Date and time of visits
  • Approximate geographic location (country/region level only)

This information is collected in aggregate and does not identify individual users. See Section 7 for details.

2.3 Server Logs

Our servers automatically generate access logs that may include IP addresses, request paths, timestamps, and HTTP status codes. These logs are used solely for security monitoring, abuse prevention, and debugging. They are retained for 90 days and then deleted.

3. How We Use Information

We use the information we collect to:

  • Provide account functionality and sync your data across devices
  • Authenticate your identity and prevent unauthorized access
  • Send account-related emails (email verification, account change notifications)
  • Improve the Service and user experience
  • Analyze usage patterns and trends
  • Fix bugs and technical issues
  • Monitor and prevent abuse or misuse of the Service

We do not sell, rent, or share your personal information with any third party for marketing or commercial purposes.

4. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA) and United Kingdom, we process personal data under the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide account features you have requested — authentication, data sync, email verification, and account management.
  • Legitimate interests (Art. 6(1)(f) GDPR): Security monitoring, abuse prevention, server log retention for debugging, and aggregate analytics to improve the Service. Our interests do not override your fundamental rights.
  • Legal obligation (Art. 6(1)(c) GDPR): Where we are required to process or retain data to comply with applicable law.

Users who do not create an account have no personal data processed on our servers. Anonymous analytics do not involve personal data and do not require a legal basis under GDPR.

5. Data Storage and Location

5.1 Local Storage (Default, No Account)

By default, the Service uses your browser's local storage to save your preferences, including favorite series, owned content, and display settings. This data is stored only on your device and is never transmitted to our servers. You can clear it at any time through your browser settings.

5.2 Server Storage (Account Holders)

Account data is stored on servers located in Newark, New Jersey, United States, hosted by Akamai Technologies (Linode). Data is encrypted in transit (TLS) and at rest. Access is restricted to authorized personnel for support purposes only.

6. Data Retention

  • Account data (profile, favorites, owned content, iRacing link): retained until you delete your account, or for 90 days after your last login (whichever comes first). Accounts that have been inactive for 90 days are automatically deleted. You will receive warning emails at 30 days, 7 days, and 1 day before deletion if you have a verified email address. You can also delete your account at any time from your Account Settings.
  • Server/application logs: retained for 90 days, then permanently deleted.
  • Analytics data: stored in aggregate only, with no personal identifiers. No individual retention limit applies.
  • Authentication tokens: session tokens expire automatically; all tokens are revoked upon account deletion.

7. Cookies and Tracking Technologies

We use minimal, privacy-respecting technologies. We do not use cookies for advertising or cross-site tracking.

7.1 Essential Storage

Browser Local Storage: Used to save your preferences and settings locally on your device. Strictly necessary for the Service to function. Does not require consent under GDPR Art. 6(1)(f).

7.2 Analytics (Cookie-Free, No Consent Required)

We use Umami Analytics, a privacy-focused service that:

  • Does not use any cookies
  • Does not collect personally identifiable information
  • Does not track users across websites
  • Provides aggregate statistics only
  • Is GDPR, CCPA, and PECR compliant

Because Umami does not use cookies and does not collect personal data, it does not require your consent. More information: Umami Privacy Policy

7.3 Bot Protection

We use Cloudflare Turnstile on registration and login forms to prevent automated abuse. Turnstile operates without setting tracking cookies and does not store personal data on our behalf. See Cloudflare's privacy policy for details on how they process challenge requests: Cloudflare Privacy Policy.

8. Sub-Processors

We use the following third-party services that may process data on our behalf. We have reviewed each for appropriate privacy and security standards.

Provider | Purpose | Data Processed | Location
Akamai / Linode (DPA) | Infrastructure hosting | All account data, server logs | USA
Privateemail.com (Namecheap) | Transactional email delivery (verification, notifications) | Recipient email address, email content | USA
Cloudflare | Bot protection (Turnstile) | No personal data stored on our behalf | Global CDN
Umami | Privacy-focused analytics | Anonymous aggregate usage statistics only | USA

8.1 External Links

The Service contains links to external websites (iRacing.com, Ko-fi, etc.). We are not responsible for the privacy practices of those sites. Please review their policies before providing personal information.

9. International Data Transfers

Our servers are located in the United States. If you are accessing the Service from the European Economic Area (EEA), United Kingdom, or another jurisdiction with data transfer restrictions, your account data will be transferred to and processed in the United States.

We rely on Standard Contractual Clauses (SCCs) as the legal mechanism for these transfers, provided through Akamai's Data Protection Addendum and Master Services Agreement, and through Namecheap's Data Processing Addendum. The United States has not received a general adequacy decision from the European Commission; however, SCCs provide appropriate safeguards under GDPR Art. 46(2)(c).

Jurisdictions requiring local data storage: This Service does not target users in jurisdictions that mandate local storage of personal data (including the People's Republic of China and the Russian Federation). If you are located in such a jurisdiction, please do not create an account.

10. Data Security

We implement the following technical and organizational measures to protect your data:

  • Encryption of all data in transit (TLS)
  • Encryption of data at rest on our servers
  • Passwords stored as one-way hashes (bcrypt)
  • Secure OAuth 2.0 / PKCE authentication flows
  • Regular security updates and dependency patching
  • Access to production data restricted to authorized personnel only
  • Bot protection on registration and authentication endpoints

No method of transmission over the Internet is 100% secure. We cannot guarantee absolute security, but we are committed to maintaining reasonable and current security standards.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by applicable law
  • Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms
  • Provide details of the nature of the breach, the data affected, and the steps taken to address it

12. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us at support@apexandexit.com immediately and we will delete it.

13. Your Rights and Choices

13.1 Self-Service Rights (All Users)

You can exercise the following rights directly from your Account Settings page without contacting us:

  • Right to access / data portability: Download a complete copy of all data we hold about you as a JSON file.
  • Right to erasure: Permanently delete your account and all associated data.
  • Right to rectification (partial): Update your email address and display name directly in settings.

13.2 Rights Requiring a Request

To exercise the following rights, contact us at support@apexandexit.com:

  • Right to rectification (other fields): Correction of any inaccurate personal data not editable in settings.
  • Right to restriction of processing: Request that we limit how we process your data in certain circumstances.
  • Right to object: Object to processing based on legitimate interests.

Note on iRacing-sourced data: Data retrieved from iRacing (display name, license ratings, helmet colors, owned content) is read directly from iRacing's systems and reflects what iRacing holds. We cannot modify this data on your behalf. To correct it, please update your iRacing profile at iracing.com and re-sync your account, or contact us to remove the iRacing link from your account entirely.

We will respond to requests within 30 days. We may ask you to verify your identity before acting on a request.

13.3 EEA / UK Users — Supervisory Authority

If you are located in the EEA or United Kingdom and believe we are processing your personal data in violation of applicable law, you have the right to lodge a complaint with your local data protection authority. A list of EEA authorities is available at edpb.europa.eu. The UK authority is the Information Commissioner's Office (ICO).

13.4 California Residents (CCPA/CPRA)

California residents have the right to know what personal information we collect, to request deletion, and to opt out of the "sale" or "sharing" of personal information. We do not sell or share your personal information with third parties for commercial purposes. To exercise your California rights, contact us at support@apexandexit.com or use the self-service tools in your Account Settings.

13.5 Non-Account Users

If you use the Service without an account, your preferences are stored only in your browser's local storage and are never transmitted to our servers. You can clear this data at any time through your browser settings.

14. Changes to This Privacy Notice

We may update this Privacy Notice from time to time. We will post the updated notice on this page and update the "Last Updated" date. For material changes that affect how we process account holders' personal data, we will notify registered users by email where possible. Continued use of the Service after the effective date of changes constitutes acceptance of the updated notice.

15. Contact Us

For any questions, concerns, or requests regarding this Privacy Notice or your personal data:

Email: support@apexandexit.com

We aim to respond to all privacy-related inquiries within 5 business days.

16. Disclaimer

This site is not affiliated with, endorsed by, or connected to iRacing.com Motorsport Simulations, LLC. All trademarks, service marks, and company names are the property of their respective owners.