Privacy and Cookie Policy
Last updated: March 26, 2026
This notice describes how your Personal Data is processed when you use the GPKingdom News mobile application ("App") and the website app.gpkingdom.it ("Website"), hereinafter collectively referred to as the "Service".
1. Data Controller
The Data Controller is:
- Raze S.R.L.
- Via IV Novembre 84, 23868 Valmadrera (LC), Italy
- VAT / Tax Code: 04229070133
- Email: info@razehub.it
No Data Protection Officer (DPO) has been appointed, as the conditions set out in Art. 37 GDPR are not met.
2. Types of Personal Data Collected
2.1 Data provided voluntarily by the User
- News category preferences
- Notification preferences (priority level)
- Favourite races
- Theme and appearance settings
- Haptic feedback preferences
IMPORTANT: The App does NOT collect name, surname, email address, phone number, profile picture, date of birth, or any other directly identifiable personal data. No registration with personal data is required.
2.2 Data collected automatically
- Usage data: information about how the User interacts with the Service (screens visited, features used, UI events)
- Device data: model, operating system, App version, language, platform (iOS/Android)
- Crash and diagnostic data: error logs, stack traces, screen screenshots at the time of crash, view hierarchy (only in case of errors)
- Network data: IP address (from which an approximate geographical location at city/region level may be derived)
- Push token: device identifier for sending push notifications
- GPS location: only if the User explicitly grants permission, used to show nearby events
- Calendar events: only if the User explicitly grants permission, to add race sessions to the device calendar
2.3 Identifiers used
| Identifier | Type | Where used | Persistence |
|---|---|---|---|
| Anonymous Supabase UUID | Internal User ID (UUID v4) automatically generated at launch, without any registration | Supabase, PostHog, Firebase Analytics, Sentry | Persistent (anonymous session) |
| Expo Push Token | Device token | Push notification registration on Supabase | Until uninstallation |
| IDFA / GAID | Advertising identifiers | Not collected directly by the App — managed by advertising networks (Google AdMob, Unity Ads, Meta Audience Network, AppLovin) only with prior consent via Google UMP | Managed by Google |
The Service does not require access to the camera, microphone, address book, photo gallery, or Bluetooth.
3. Purposes of Processing and Legal Basis
| Purpose | Data processed | Legal basis |
|---|---|---|
| Service Provision — Delivery of news, race calendar, standings, motorsport statistics | Usage data, device data, preferences, anonymous UUID | Performance of a contract (Art. 6(1)(b)) |
| Subscription Management — Processing purchases via App Store and Google Play | Anonymous UUID, transaction data (managed by Apple/Google via RevenueCat) | Performance of a contract (Art. 6(1)(b)) |
| Service push notifications — Sending breaking news, race results, editorial updates | Push token, notification preferences, language | Performance of a contract (Art. 6(1)(b)) |
| Product analytics — Aggregate analysis of App usage to improve the Service | Anonymous UUID, UI events, screens visited, device data | Legitimate interest (Art. 6(1)(f)) |
| Crash reporting and diagnostics — Identification and resolution of technical errors | Anonymous UUID, crash data, device data, IP address, screen screenshot | Legitimate interest (Art. 6(1)(f)) |
| Personalised advertising — Displaying personalised ads via Google AdMob and mediation partners (Unity Ads, Meta Audience Network, AppLovin) | Advertising identifiers (IDFA/GAID), device data, IP | Consent (Art. 6(1)(a)) |
| Firebase Analytics — Advanced in-App behaviour analysis | Anonymous UUID, events, device data | Consent (Art. 6(1)(a)) |
| GPS Location — Showing events and news near the User's location | GPS location | Consent (Art. 6(1)(a)) |
| Legal obligations — Retention of tax data related to purchases | Transaction data | Legal obligation (Art. 6(1)(c)) |
For processing based on legitimate interest, the Controller has assessed that its legitimate interest in improving the Service and ensuring its technical stability does not override the fundamental rights and freedoms of the User, considering that the processed data is pseudonymised (anonymous UUID) and not directly identifiable.
4. Third-Party Services
4.1 Backend and Hosting
- Supabase (Supabase Inc., San Francisco, USA): PostgreSQL database for anonymous authentication, preferences, notifications, configuration. Privacy policy: https://supabase.com/privacy
- Cloudflare Pages (Cloudflare Inc., San Francisco, USA): hosting for app.gpkingdom.it website. Privacy policy: https://www.cloudflare.com/privacypolicy/
4.2 Payments
- RevenueCat (RevenueCat Inc., San Francisco, USA): subscription and in-app purchase management. Payments are processed directly by Apple and Google; the App does not collect or store credit card data. Privacy policy: https://www.revenuecat.com/privacy
4.3 Advertising
- Google AdMob (Google LLC, Mountain View, USA): primary advertising platform with mediation. Privacy policy: https://policies.google.com/privacy
- Unity Ads (Unity Technologies, San Francisco, USA): advertising network via AdMob mediation. Privacy policy: https://unity.com/legal/privacy-policy
- Meta Audience Network (Meta Platforms Inc., Menlo Park, USA): advertising network via AdMob mediation. Privacy policy: https://www.facebook.com/privacy/policy/
- AppLovin (AppLovin Corporation, Palo Alto, USA): advertising network via AdMob mediation. Privacy policy: https://www.applovin.com/privacy/
All advertising SDKs are activated exclusively after the User's explicit consent via the Google UMP framework (IAB TCF 2.0). Subscribed users (PRO or ad-free) do not see advertisements.
4.4 Analytics
- PostHog (PostHog Inc.): product analytics. Data is hosted entirely within the European Union (eu.i.posthog.com). Privacy policy: https://posthog.com/privacy
- Firebase Analytics (Google LLC, Mountain View, USA): activated only after consent via Google UMP. Privacy policy: https://firebase.google.com/support/privacy
4.5 Crash Reporting
- Sentry (Functional Software Inc., San Francisco, USA): error and performance monitoring. Data is hosted within the European Union (ingest.de.sentry.io). Crash reports may include the User's anonymous UUID and IP address. Privacy policy: https://sentry.io/privacy/
- Firebase Crashlytics (Google LLC, Mountain View, USA): additional crash reporting. Privacy policy: https://firebase.google.com/support/privacy
4.6 Push Notifications
- Expo Notifications (Expo / Software Mansion): intermediary service for Apple Push Notification Service (APNs) and Firebase Cloud Messaging (FCM). Privacy policy: https://expo.dev/privacy
4.7 Maps
- Google Maps SDK (Google LLC): used for map rendering on event pages. Privacy policy: https://policies.google.com/privacy
4.8 Artificial Intelligence
- Apple Intelligence: the App uses Apple's AI features for article summary generation. Processing occurs entirely on the User's device (on-device). No data is sent to external servers for this feature.
4.9 Editorial Content
- WordPress REST API (gpkingdom.it): the Service retrieves articles and news from the editorial website gpkingdom.it via REST API.
5. International Data Transfers
The User's personal data may be transferred to countries outside the European Economic Area (EEA), particularly to the United States, in connection with the third-party services listed above.
Such transfers are based on:
- EU-US Data Privacy Framework (DPF): for certified providers (Google, Meta, Unity, AppLovin, RevenueCat, Expo, Sentry, Supabase)
- Standard Contractual Clauses (SCCs) adopted by the European Commission: for other providers
PostHog and Sentry host data entirely within the European Union (eu.i.posthog.com and ingest.de.sentry.io respectively), therefore no extra-EU transfer occurs for these services.
6. Data Retention Periods
| Data category | Retention period |
|---|---|
| Anonymous session and UUID | For the duration of App use. Deleted upon uninstallation or after a prolonged period of inactivity. |
| User preferences (categories, notifications, favourites, theme) | For the duration of App use |
| Transaction and billing data | 10 years from the transaction (Italian tax obligation ex Art. 2220 Civil Code) |
| Analytics (PostHog) | Aggregated and pseudonymised data. Raw data retained according to PostHog's policy. |
| Crash reporting (Sentry) | 90 days |
| Firebase Analytics | Raw data: maximum 14 months (Google Analytics 4 setting) |
| Advertising data (AdMob, Unity Ads, Meta, AppLovin) | According to Google's retention policy |
| Push token | Until notification deactivation or App uninstallation |
7. Data Subject Rights
Under Articles 15-22 of the GDPR, the User has the right to:
- Right of access (Art. 15): obtain confirmation as to whether personal data is being processed and, if so, obtain access to it
- Right to rectification (Art. 16): obtain rectification of inaccurate personal data
- Right to erasure (Art. 17): obtain erasure of personal data ("right to be forgotten")
- Right to restriction (Art. 18): obtain restriction of processing
- Right to data portability (Art. 20): receive personal data in a structured, commonly used and machine-readable format
- Right to object (Art. 21): object to processing of personal data based on legitimate interest
- Right not to be subject to automated decision-making (Art. 22)
- Right to withdraw consent: at any time, without affecting the lawfulness of processing based on consent given before its withdrawal
The Controller undertakes to respond to requests within 30 days of receipt, extendable by a further 60 days in case of particular complexity (Art. 12(3) GDPR).
Important notice (Art. 11 GDPR): As the App does not require registration and uses exclusively anonymous identifiers (UUID), the Controller may not be able to identify the Data Subject. In such cases, the rights under Articles 15-20 do not apply, unless the Data Subject provides additional information enabling their identification.
To withdraw consent for personalised advertising:
- iOS: Settings > Privacy & Security > Tracking
- Android: Settings > Google > Ads
Complaint to the Supervisory Authority: The User has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali): Piazza Venezia 11, 00187 Rome — email: protocollo@gpdp.it — website: https://www.garanteprivacy.it
8. Cookies and Tracking Technologies
Website (app.gpkingdom.it): The Website uses only technical cookies necessary for operation (Cloudflare). No profiling cookies, third-party advertising cookies, or analytics tools are used on the website.
Mobile App: The App does not use cookies. Tracking SDKs (Firebase Analytics, Google AdMob) are activated exclusively after the User's explicit consent through the Google User Messaging Platform (UMP) framework, compliant with the IAB Transparency & Consent Framework (TCF) 2.0. Firebase Analytics data collection is disabled by default (analytics_auto_collection_enabled: false) and is enabled only after obtaining consent.
9. Push Notifications
The App may send push notifications via the Expo Notifications service. Notifications are exclusively editorial and service-related:
- Breaking News: urgent motorsport news
- Race updates: session results, grid changes
- New articles: published editorial content
No promotional or marketing notifications are sent.
The User can customise the notification priority level (all, important, urgent) from the App settings. Notifications can be deactivated at any time from the device settings.
10. Children
The App is rated 4+ on the Apple and Google stores. It does not knowingly collect directly identifiable personal data from children under 14, as it does not require any registration with personal data.
Should the Controller become aware that it has collected personal data from minors without adequate consent, it will promptly delete such data.
11. Nature of Data Provision
The App does not require mandatory personal data for its basic use. The following permissions are entirely optional:
- GPS location: to view events and news nearby
- Calendar: to add race sessions to the device calendar
- Push notifications: to receive real-time updates
- Advertising consent: for the display of personalised advertisements
Refusal to grant these permissions does not affect access to the App's core features.
12. Data Security
The Controller adopts appropriate technical and organisational measures to protect Personal Data (Art. 32 GDPR):
- All communications use HTTPS/TLS protocol
- The session token is encrypted using AES-256-CTR; the encryption key is securely stored in the iOS Keychain or Android Keystore
- Access to data on Supabase is protected by Row Level Security (RLS) and authentication security gates
- Continuous monitoring via Sentry enables timely identification of anomalies
13. Changes to this Policy
The Controller reserves the right to make changes to this notice at any time. Changes will be published on this page with an updated date. In the event of substantial changes, the Controller will notify Users through the App or the Website.
14. Contact Information
For any request regarding the processing of personal data:
Raze S.R.L.
Via IV Novembre 84, 23868 Valmadrera (LC), Italy
Email: info@razehub.it
15. Definitions
- Personal Data: any information relating to an identified or identifiable natural person (Art. 4(1) GDPR)
- User: the natural person who uses the Service
- Data Controller: the natural or legal person who determines the purposes and means of the processing of Personal Data (Art. 4(7) GDPR)
- Data Processor: the natural or legal person who processes Personal Data on behalf of the Controller (Art. 4(8) GDPR)
- Service: the App and the Website, as defined in this notice
- App: the GPKingdom News mobile application
- Website: the website app.gpkingdom.it
This notice is drafted pursuant to Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree 196/2003, as amended by Legislative Decree 101/2018.