Random Racing Club Privacy Policy
Document status: In effect
Prepared: June 2026
Effective Date: June 9, 2026
Legal entity: RAFA Racing Club LLC ("we," "us," or "our")
1. Introduction
Random Racing Club ("RRC"), powered by RAFA, is a free motorsports community operated by RAFA Racing Club LLC. This Privacy Policy explains how we collect, use, store, and share your personal information when you sign up for membership, use our web application, participate in community activities, or purchase merchandise.
We are committed to transparency and to giving you real control over your data. If you have questions, contact us at privacy@randomracingclub.com.
2. Who This Policy Applies To
This policy applies to all users of the Random Racing Club web application (hosted at randomracingclub.com), Discord community, Klaviyo-powered email communications, Shopify-powered merchandise store, and any related RRC services.
Age requirement. RRC membership is open to individuals aged 16 and older. We do not knowingly collect personal information from anyone under the age of 16. If you believe we have inadvertently collected information from a minor below 16, please contact us immediately at privacy@randomracingclub.com so we can delete it. [NOTE FOR COUNSEL: Confirm whether the minimum age gate should be 13, 16, or 18 in light of COPPA, GDPR-K, and any applicable state law. See Section 15 — Decisions for Counsel.]
3. Information We Collect
3.1 Information You Provide at Signup
When you create a Random Racing Club membership, we collect the following:
| Field | Required / Optional | Purpose |
|---|---|---|
| First name | Required | Personalization, communications |
| Last name | Required | Account identification |
| Email address | Required | Account creation, communications |
| ZIP code / Country | Required | Regional chapters, event relevance, compliance |
| Age confirmation (16+) | Required | Age gate — confirms you meet the minimum age requirement |
| Favorite racing series | Optional | Content personalization, community matching |
| Sim racing platform | Optional | Sim event signups, community matching |
| Email marketing consent | Optional (separate checkbox) | Klaviyo email communications — opt-in only |
| SMS marketing consent | Optional (separate checkbox) | SMS time-sensitive communications — opt-in only |
Member number. Upon successful signup, you are assigned a unique sequential member number. Members who join within the first 150 spots are designated "Founders." Your member number is associated with your account and is a permanent part of your membership record.
Signup source. We record how you found RRC (e.g., social media referral, event, driver link) to understand our acquisition channels.
3.2 Information Collected Through Your Use of RRC
As you engage with the community, we may collect additional information:
- Event RSVPs and attendance — which events you have registered for or attended
- Sim racing participation — sign-ups for and participation in iRacing or other sim racing events hosted through RRC
- Content engagement — whether you open our emails or interact with our content (collected via standard email analytics in Klaviyo)
- Merchandise purchases — order history and shipping address when you purchase through our Shopify store
- Discord activity — participation in our Discord community (note: Discord's own privacy policy also governs your Discord data; we receive limited activity signals from Discord)
- Referral data — if you referred someone to RRC or were referred by another member
3.3 Technical and Automatically Collected Information
- Log data — IP address, browser type, device type, pages visited, timestamps
- Cookies and analytics — see Section 11 (Cookies) below
3.4 Information We Do Not Collect at This Time
We do not currently require or collect: date of birth (beyond the 16+ confirmation), phone number (unless you have separately provided it for SMS opt-in), payment card details (processed by Shopify's payment infrastructure, not stored by us), or government ID.
4. How We Use Your Information
We use your personal information for the following purposes:
| Purpose | Legal Basis (GDPR) | Notes |
|---|---|---|
| Creating and managing your RRC membership account | Performance of contract / legitimate interests | Core service |
| Sending email marketing communications (race alerts, newsletters, club news) | Consent | Only if you opted in via the email consent checkbox at signup or a subsequent preference center. You may withdraw at any time. |
| Sending SMS marketing communications (events, drops, time-sensitive notices) | Consent | Only if you opted in via the SMS consent checkbox. You may withdraw at any time. |
| Personalizing your experience (series recommendations, event suggestions) | Legitimate interests | Based on your stated preferences |
| Processing merchandise orders | Performance of contract | Via Shopify |
| Administering sim racing events and event RSVPs | Performance of contract / legitimate interests | Core community service |
| Assigning and maintaining your member number and Founder status | Performance of contract | Permanent record |
| Analytics and community improvement | Legitimate interests | Aggregated and, where possible, anonymized |
| Compliance with legal obligations | Legal obligation | E.g., tax, fraud prevention |
| Sponsor-facing reporting | Legitimate interests | [NOTE FOR COUNSEL: See Section 7.3 — data shared with sponsors is aggregated and anonymized; confirm whether any individual-level data sharing requires separate disclosure or consent.] |
5. The Two Consent Checkboxes — How They Work
At signup, we present two separate, unchecked, optional consent checkboxes:
Consent 1 — Email marketing: "Email me race-day alerts and club news." Checking this box means you consent to receive Klaviyo-powered email communications from RRC, including newsletters, race alerts, event announcements, drop notifications, and community updates. This is an explicit, granular opt-in; it is not bundled with any other consent and is not a condition of membership.
Consent 2 — SMS marketing: "Text me time-sensitive stuff (events, drops)." Checking this box means you consent to receive SMS text messages from RRC for time-sensitive communications such as event reminders, drop launches, and urgent club news. This is a separate, explicit, granular opt-in, independent of the email consent above.
What happens if you check neither. You can be a full RRC member — with access to Discord, your member profile, event RSVPs, and sim racing signups — without consenting to any marketing communications. The two consent checkboxes are truly optional.
How to withdraw consent. You can withdraw either or both consents at any time:
- Email: Use the unsubscribe link in any email we send, or update your preferences at [PREFERENCE CENTER URL].
- SMS: Reply STOP to any SMS message, or update your preferences at [PREFERENCE CENTER URL].
- Both: Contact us at privacy@randomracingclub.com or use the preference center.
Withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal. Withdrawing consent is as easy as giving it — one click.
6. Consent Audit Trail
We maintain a consents table in our database that records each time a consent is granted or withdrawn, with a timestamp. This audit trail supports our GDPR recordkeeping obligations and allows us to demonstrate the basis for any marketing communications we send.
7. How We Share Your Information
7.1 Service Providers
We share your personal information with the following service providers who process data on our behalf under data processing agreements:
| Provider | Role | Data shared |
|---|---|---|
| Supabase / Lovable | Database and web application infrastructure | All membership data you provide |
| Klaviyo | Email marketing platform | Name, email address, consent status, engagement signals |
| Shopify | Merchandise store and payment processing | Name, email, shipping address, order history |
| Discord | Community platform | Name/handle and any information you share in Discord (governed also by Discord's Privacy Policy) |
| Twilio (or similar) | SMS delivery | Phone number, SMS consent status |
| [ANALYTICS PROVIDER] | Web analytics (e.g., Plausible, PostHog) | Anonymized/pseudonymized usage data |
These providers are permitted to use your data only as necessary to provide services to us and are bound by contractual obligations to protect your information.
7.2 Legal Requirements
We may disclose your information if required by law, regulation, court order, or other legal process, or to protect the rights, property, or safety of RRC, its members, or the public.
7.3 Sponsors and Business Partners — Aggregated and Anonymized Data Only
We may share aggregated, anonymized, non-personally-identifiable community data with sponsors and business partners — for example, "X% of our members follow IMSA; Y% are in the Southwest." We do not sell or share your individual personal information with sponsors.
[NOTE FOR COUNSEL: Confirm whether this aggregated-only position is accurate for all contemplated sponsor data packages, or whether any sponsor integrations (e.g., sponsor offer emails sent via Klaviyo) involve individual-level targeting that requires additional disclosure or a separate consent mechanism. See also Section 15.]
7.4 Cross-RAFA Data Sharing — TBD, Counsel Decision Required
[NOTE FOR COUNSEL: RRC is part of the RAFA family of brands, which includes RAFA Racing Team, RAFA Racing Club, RAFA Media / The Race, RAFA Motors, 8TWELVE Wheels, 812 Brands, RAFA Entertainment, and Maximo Capital. There is a strategic possibility that member data could be shared across these entities for joint marketing, audience building, or sponsor packaging purposes. This section is intentionally left as a placeholder. Counsel must advise on: (a) whether cross-RAFA data sharing is legally permissible under the consent obtained at signup; (b) whether separate disclosure or consent is required before any cross-entity sharing occurs; (c) which legal entity or entities are joint controllers, and what GDPR Article 26 obligations apply. Until counsel resolves this, we do not share individual member data with other RAFA entities.]
7.5 Business Transfers
If RRC or RAFA Racing Club LLC is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our site of any such change and any new choices you may have.
8. Data Retention
We retain your personal information for as long as your membership is active, plus an additional period as required by law or for legitimate business purposes.
[NOTE FOR COUNSEL: Specific retention periods to be set by counsel. Draft suggestions for discussion: active member records — for the life of membership plus [X] years; consent records — for the life of membership plus [X] years (for audit purposes); email/SMS engagement logs — [X] months; purchase records — [X] years (tax/accounting obligations); deleted accounts — [X] days post-deletion request before purge (for fraud prevention), then full deletion.]
When you request deletion of your account, we will delete or anonymize your personal information within [X] days, except where retention is required by law (e.g., financial records) or legitimate interests (e.g., fraud prevention, consent audit trail).
9. Your Rights
Depending on where you live, you have the following rights regarding your personal information:
9.1 Rights for All Members
- Access: Request a copy of the personal information we hold about you.
- Correction: Request that we correct inaccurate or incomplete information.
- Deletion: Request that we delete your personal information ("right to be forgotten"), subject to legal retention requirements.
- Data portability / export: Request a machine-readable export of your personal information.
- Withdraw consent: Withdraw your email or SMS marketing consent at any time (see Section 5).
- Preference center: Update your communication preferences at any time at [PREFERENCE CENTER URL].
To exercise any of these rights, contact us at privacy@randomracingclub.com. We will respond within [X] days. [NOTE FOR COUNSEL: GDPR requires response within one month; CCPA/CPRA within 45 days for access/deletion. Set the policy to the more protective standard or state jurisdiction-specific periods.]
9.2 Additional Rights for EU/UK Residents (GDPR / UK GDPR)
If you are located in the European Union or United Kingdom, you have the following additional rights under the General Data Protection Regulation (GDPR) or UK GDPR:
- Right to object: Object to processing based on legitimate interests.
- Right to restrict processing: Request that we limit how we use your data in certain circumstances.
- Right to lodge a complaint: File a complaint with your local data protection authority (e.g., in the UK, the Information Commissioner's Office; in the EU, your national DPA).
Legal bases for processing. Where GDPR applies, we rely on the following legal bases: (a) consent — for email and SMS marketing; (b) performance of contract — to operate your membership account, process merch orders, and administer events; (c) legitimate interests — for analytics, community improvement, and aggregated sponsor reporting; (d) legal obligation — for compliance purposes.
[NOTE FOR COUNSEL: Confirm whether RRC has EU/UK users and, if so, whether a Data Protection Officer (DPO) is required, whether Standard Contractual Clauses (SCCs) are in place with US-based processors (Supabase, Klaviyo, Shopify, Discord), and whether an EU/UK representative should be designated.]
9.3 Additional Rights for California Residents (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete: Request deletion of your personal information, subject to certain exceptions.
- Right to correct: Request correction of inaccurate personal information.
- Right to opt out of sale or sharing: We do not sell your personal information. You may also opt out of "sharing" of your personal information for cross-context behavioral advertising purposes by clicking "Do Not Sell or Share My Personal Information" at [OPT-OUT LINK / PREFERENCE CENTER URL].
- Right to limit use of sensitive personal information: To the extent we process sensitive personal information (as defined by CPRA), you may request that we limit its use.
- Right to non-discrimination: We will not discriminate against you for exercising any of these rights.
"Do Not Sell or Share My Personal Information" — California residents may exercise this right at any time via [PREFERENCE CENTER URL] or by contacting us at privacy@randomracingclub.com. We honor opt-out requests within 15 business days.
[NOTE FOR COUNSEL: Confirm whether RRC meets CCPA thresholds (annual gross revenue >$25M, or data of >100,000 consumers/households, or >50% revenue from selling consumer data) and what disclosures are strictly required vs. best-practice.]
9.4 CAN-SPAM Compliance
All marketing emails we send comply with the CAN-SPAM Act. Every email includes: accurate sender information, a non-deceptive subject line, a physical mailing address for RAFA Racing Club LLC, and a clear, functional unsubscribe mechanism. We honor unsubscribe requests promptly. [NOTE FOR COUNSEL: Confirm physical address to use in email footer.]
10. Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, loss, or disclosure. Our database is hosted on Supabase, which employs industry-standard security controls. We use row-level security policies and access controls appropriate to the sensitivity of the data.
No method of transmission over the internet or method of electronic storage is 100% secure. If we become aware of a security breach that affects your personal information, we will notify you in accordance with applicable law.
11. Cookies and Analytics
Our web application may use cookies and similar technologies for the following purposes:
- Essential cookies: Necessary for the application to function (e.g., session management, login state). These cannot be disabled without affecting service functionality.
- Analytics: We use [ANALYTICS TOOL, e.g., Plausible / PostHog] to understand how members use the app and improve our service. We prefer privacy-respecting analytics tools that do not track individuals across sites.
- Email analytics: Klaviyo uses standard tracking pixels to measure email open rates and click rates. You can disable image loading in your email client to opt out.
[NOTE FOR COUNSEL: Confirm whether a cookie consent banner is required for EU/UK users and draft appropriate cookie policy language. Plausible Analytics, if used, is cookie-free and GDPR-compliant by design, which may simplify this requirement.]
12. Children's Privacy and the Age Gate
RRC membership requires users to confirm they are 16 years of age or older. We do not knowingly collect personal information from individuals under 16. The age gate is enforced at signup via a required checkbox. We do not independently verify age.
[NOTE FOR COUNSEL: The current gate is a self-declaration at age 16. Counsel should advise on: (a) whether 13, 16, or 18 is the appropriate floor given COPPA (13 for US), GDPR Article 8 (16, or as low as 13 if member state lowers it), and applicable state law; (b) whether enhanced verification is needed; (c) specific disclosure language for any users aged 13–17 if the threshold is lowered below 16. See Section 15.]
13. Third-Party Links and Platforms
RRC integrates with third-party platforms including Discord and Shopify. When you interact with these platforms, their own privacy policies apply. We encourage you to review:
- Discord Privacy Policy: https://discord.com/privacy
- Shopify Privacy Policy: https://www.shopify.com/legal/privacy
- Klaviyo Privacy Policy: https://www.klaviyo.com/legal/privacy-notice
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have provided your email address) and by posting a prominent notice on our website at least [30] days before the changes take effect. Your continued use of RRC after the effective date constitutes your acknowledgment of the updated policy.
15. Contact Us
For privacy-related questions, requests, or complaints, contact:
RAFA Racing Club LLC
Privacy Contact: privacy@randomracingclub.com
Mailing Address: [PHYSICAL ADDRESS]
[PREFERENCE CENTER URL]