If you create an account, Supabase Auth stores your email and authentication identifiers. Our backend stores your player profile display name, country, saved race results, controlled athlete name, course slug, split times, total time, and finish timestamp.

Simulation state used while racing is mostly held in your browser session. Completed saved results are stored server-side so they can power your race history and public course leaderboards.

We process personal data under these GDPR Article 6 bases:

• Account and saved results — performance of a contract (Art. 6(1)(b)): providing the game and the race history you signed up for.
• Product analytics — consent (Art. 6(1)(a)): collected only after you accept, and withdrawable at any time.
• Error monitoring and security — legitimate interests (Art. 6(1)(f)): keeping the service stable and secure.

When configured, we use PostHog product analytics to understand pageviews and product events such as signup, leaderboard views, race completion, and result saving. Analytics does not initialize unless you accept it.

We rely on the following providers to operate the app. Each processes only the data needed for its function:

• Supabase — authentication and PostgreSQL database (EU region, Frankfurt).
• PostHog — product analytics, EU cloud (eu.i.posthog.com); active only after you accept analytics.
• Sentry — backend error monitoring; used only when a Sentry DSN is configured for the deployment.
• Vercel — frontend hosting and content delivery.
• Railway or Fly.io — application/backend hosting.

We keep cookies and browser storage to a minimum:

• Supabase auth token (cookie, strictly necessary) — keeps you signed in; set only when you log in.
• triman-analytics-consent (local storage, strictly necessary) — remembers your analytics choice; persists until you clear or change it.
• PostHog cookies/local storage (ph_*) — set only after you accept analytics, to measure product usage. Declining or withdrawing clears them.

The backend can report unhandled production errors to Sentry when the deployment provides a Sentry DSN. The frontend captures client-side exceptions through PostHog only after analytics consent. Local development falls back to logging.

We keep your account, profile, and saved results until you delete your account or ask us to erase them. Analytics data follows PostHog's configured retention. Database backups are rotated by our database provider.

Our core services (Supabase, PostHog) process data in the EU. Some providers (for example Vercel or Sentry) may process limited data outside the EU under appropriate safeguards such as the EU Standard Contractual Clauses.

Triathlon Manager is not directed at children under 16, and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.

If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours where required, and inform affected users without undue delay.

Signed-in players can export their profile and saved race results in a machine-readable JSON file.

Signed-in players can permanently delete their account, profile, and saved results. This also removes your login and cannot be undone.

Under the GDPR you have the right to access, rectify, erase, restrict, and port your data, to object to processing, and to withdraw analytics consent at any time. You also have the right to lodge a complaint with your local data protection supervisory authority.

Privacy contact: florianraeuber@gmail.com