PRIVACY POLICY

1. Introduction

This Privacy Policy describes how [Legal entity name and address] ("we," "us," or "our") collects, uses, and shares personal information when you use LapForge (the "Service"): our websites, games, and related features. It should be read together with our Terms of Service.

By using the Service, you acknowledge this Privacy Policy. If you do not agree, please do not use the Service.

2. Information we collect

The categories below depend on how you use LapForge (for example, signed-in users vs guest play).

• Account and authentication. When you sign in, our authentication provider processes identifiers such as email address, user id, and profile fields your identity provider shares with us (for example display name or avatar URL). We associate your account with a stable username and optional profile information you choose to provide.
• Profile and public presence. Information you add to your profile may include display name, bio, avatar image, and optional links you choose to show on your public profile.
• Gameplay and community content. Data generated through play and publishing may include lap times, leaderboard placements, ghost or replay data where the Service stores it, tracks or maps you create (including titles, descriptions, thumbnails, and related metadata), votes or reactions, and daily challenge participation where applicable.
• Technical and usage data. We and our hosting and infrastructure providers may process IP address, device and browser type, general location derived from IP, timestamps, pages or routes viewed, diagnostics, and error logs needed to operate and secure the Service.
• Communications. If you contact us (for example about privacy or support), we process the content of your message and contact details you provide.

We do not use LapForge to collect payment card numbers on-device for core access as described today; if we add payments, we will update this policy and identify the payment processor.

3. How we collect information

• Directly from you when you register, edit your profile, publish tracks, race while signed in, vote, or email us.
• Automatically when you use the Service (for example session maintenance, security telemetry, and server logs).
• From identity providers when you choose social or OAuth sign-in (such as Google, GitHub, or X): those providers share certain profile fields according to their settings and your consent with them; their use of your data is governed by their policies.

If you use guest or limited modes where offered, we collect less account-linked data; features that require an account (for example persisting certain leaderboard results) may be unavailable.

4. How we use information

We use personal information to:

• Provide, operate, and improve LapForge (accounts, racing, tracks, leaderboards).
• Maintain integrity of competitions (for example detecting abuse or cheating).
• Communicate with you about the Service, security, or policy changes.
• Comply with law and respond to lawful requests.
• Protect the security and stability of our systems and users.

We do not sell your personal information as a commodity. If we use analytics or marketing tools in the future, we will describe them here and, where required, obtain consent or offer opt-out as applicable law requires.

5. Legal bases (including GDPR)

Where the GDPR or similar laws apply, we rely on one or more of the following: performing our contract with you (providing the Service); legitimate interests that are not overridden by your rights (for example securing the Service and preventing fraud); legal obligation; or your consent when consent is required (for example certain cookies or optional communications).

[Legal review: confirm the legal basis for each processing activity and document consent flows where needed.]

6. Sharing and service providers

We share personal information with vendors who process it on our instructions to operate the Service, including:

• Supabase (or equivalent) for authentication, database storage, and related backend services.
• Hosting and infrastructure (for example Vercel or similar) to serve the application and process requests.
• Identity providers you select for OAuth sign-in.

We may also disclose information if required by law, to enforce our terms, or to protect rights, safety, and security. Public-facing parts of the Service (such as leaderboards, profiles, or published tracks) display information you submit according to product design.

[Legal review: list subprocessors you actually use; execute data processing agreements as required.]

7. International transfers

Your information may be processed in countries other than where you live, including where our providers operate data centers. When we transfer personal data from the European Economic Area, UK, or Switzerland, we use appropriate safeguards where required (such as Standard Contractual Clauses or other mechanisms).

[Legal review: align this section with your actual providers, transfer mechanisms, and records of transfer impact assessments.]

8. How long we keep information

We retain personal information for as long as your account is active and as needed to provide the Service, resolve disputes, comply with legal obligations, and enforce our agreements. Specific retention periods may vary by data type; when data is no longer needed, we delete or de-identify it subject to backup and legal holds.

[Legal review: set concrete retention periods for logs, deleted accounts, and backups.]

9. Your rights and choices

Depending on where you live, you may have rights to access, correct, delete, or export your personal information; object to or restrict certain processing; withdraw consent where processing is consent-based; and lodge a complaint with a supervisory authority. California residents may have additional rights under the CCPA/CPRA (such as knowing categories of personal information and requesting deletion, subject to exceptions).

To exercise rights, contact us at [Privacy contact email]. We may need to verify your request. You may also control some profile fields directly in the Service where the product supports it.

[Legal review: add region-specific instructions, appeal processes, authorized agents, and “do not sell / share” wording if applicable.]

10. Cookies and similar technologies

We use cookies and similar technologies as needed for session management, security, and preferences when you use the Service. Third-party sign-in flows may set cookies governed by those providers. If we add non-essential analytics or advertising cookies, we will describe them and obtain consent where required.

You can control cookies through your browser settings; blocking essential cookies may affect sign-in or core functionality.

11. Security

We implement administrative, technical, and organizational measures designed to protect personal information, including encryption in transit where appropriate and access controls. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

12. Children

LapForge is not directed at children under 13 (or the minimum age required in your jurisdiction), and we do not knowingly collect personal information from children below that age. If you believe we have collected such information, contact us and we will take appropriate steps.

[Legal review: align age threshold and parental consent with applicable laws and product reality.]

13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the "Last updated" date. For material changes, we may provide additional notice (for example on the Service or by email when we have your address). Your continued use after the effective date constitutes acceptance of the revised policy where permitted by law.

14. Contact us

For privacy questions or requests, contact: [Privacy contact email]
Controller: [Legal entity name and address]

[Optional: Data Protection Officer or EU representative — add if required in your jurisdiction.]