ApexLog

Privacy Policy

Last updated: 26 April 2026

This policy describes what personal data ApexLog collects, how we use it, who we share it with, how long we keep it, and what rights you have — including the right to download or permanently delete your data.

Data controller

ApexLog is operated as a sole-trader project. The data controller is Marcin Sitko ([email protected]). ApexLog is hosted in the European Union (Azure Poland Central).

What we collect

  • Email address — used for account login, email verification, password reset, and security notifications.
  • Telemetry and session data you upload: lap times, GPS samples, car setup notes, session notes, track-day context, and metadata of uploaded files.
  • OAuth profile data (when you sign in with Google or Microsoft): email address, display name, and an opaque provider user ID. We do not request or store profile photos, contact lists, or calendar data.

How we use it

  • To create and secure your account, verify your email, and send you account-related notifications.
  • To process uploaded telemetry, build session summaries, and power all ApexLog features.
  • To investigate reported bugs and improve service reliability.

Legal basis (GDPR)

We process your data on the basis of contract performance (Art. 6(1)(b) GDPR) — processing is necessary to provide the service you signed up for. We do not sell your data and do not use it for advertising.

Sub-processors

We share data with the following processors solely to operate the service:

  • Microsoft Azure (Poland Central) — cloud hosting for the API, database, and telemetry file storage.
  • Resend — transactional email delivery (verification emails, password resets). Only your email address is transmitted.
  • Stripe — payment processing (not yet active; will be added when paid plans launch). When enabled, billing data will be handled by Stripe under their own DPA.

Data retention

We keep your data for as long as your account is active. If you delete your account, all personal data — including uploaded telemetry files — is hard-deleted immediately and cannot be recovered. We do not keep backups of deleted accounts beyond our standard infrastructure backup window (up to 30 days).

Your rights

Under GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Portability (Art. 20) — download all your data as a structured JSON file at any time from Account → Download my data. Account
  • Erasure (Art. 17) — permanently delete your account and all associated data at any time from Account → Delete my account. Account
  • Restriction — ask us to stop processing your data while a complaint is pending.
  • Object — object to processing based on legitimate interests (not applicable here as we rely on contract performance).

To exercise any right, or to lodge a complaint, email [email protected]. You also have the right to contact your national data protection authority.

Contact

Privacy questions: [email protected]