Privacy Policy
Last updated: May 10, 2026
Your data matters to us. Because you matter to us. Here is exactly how we handle it.
Data Controller
AHL 1212 ApS (CVR 44439638)
Operating as Girls International Racing Lab (G.I.R.L.)
Strandgade 11, 4000 Roskilde, Denmark
privacy@girlsinternationalracinglab.com
1. What Data We Collect
- Account information: name, email address, date of birth, country of residence
- Event participation: registration details, event preferences, attendance records
- Communications: messages you send us, newsletter preferences
- Technical data: IP address, browser type, device information (see our Cookie Policy)
- Media: photos and videos taken at events, with separate opt-in consent
2. How We Use Your Data
- To provide and manage your G.I.R.L. membership
- To register you for events and activities
- To send updates about events, news, and community activities
- To improve our services and website
- To comply with legal obligations
3. Legal Basis
We process your data based on:
- Consent (GDPR Art. 6(1)(a)): when you join G.I.R.L. or register for events
- Contract performance (Art. 6(1)(b)): to deliver services you requested
- Legitimate interest (Art. 6(1)(f)): to improve our services and communicate with our community
- Legal obligation (Art. 6(1)(c)): when required by law
4. Children's Privacy
G.I.R.L. welcomes participants of all ages. Because our community includes minors, we take extra care to protect young participants and limit data collection to what is strictly necessary for event participation.
The age at which a person can independently consent to data processing varies by country:
| Country | Consent age |
|---|---|
| Denmark | 15 |
| Germany | 16 |
| France | 15 |
| Spain | 14 |
| Italy | 14 |
| Netherlands | 16 |
| United Kingdom | 13 |
| United States | 13 (COPPA) |
| UAE | 18 |
| All other EU/EEA | 16 (default) |
For users below the consent age in their country, we require verifiable parental or guardian consent before collecting personal data. We do not engage in profiling, targeted advertising, or automated decision-making involving minors.
5. Photography and Media at Events
G.I.R.L. events may be photographed and recorded. Photography consent is collected separately from event registration. You may participate without consenting to be photographed.
For all participants under 18, guardian consent is required for photography. You may withdraw photo consent at any time by contacting us, and we will remove your images within 30 days.
6. Service Providers and Processors
We use the following third-party services to operate our platform:
| Service | Purpose | Transfer mechanism |
|---|---|---|
| Supabase | Database and authentication | EU (Frankfurt), no transfer |
| Netlify | Website hosting | US, EU-US DPF + SCCs |
| Resend | Email communications | US, SCCs |
| Google Analytics | Pseudonymised website analytics (activated only with consent) | US, EU-US DPF + SCCs |
| Google Workspace + Gmail API | Email and document handling, transactional email delivery | US, EU-US DPF + SCCs |
| GitHub | Code hosting | US, EU-US DPF + SCCs |
| Shopify | E-commerce platform for merchandise sales | Canada (Shopify Inc.), SCCs + privacy framework |
All service providers have signed data processing agreements under GDPR Article 28. For transfers outside the EU/EEA, Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework (DPF) apply.
Advertising and measurement services are not currently active. If we add them in the future, they will only be activated with your explicit consent and listed here. See our Cookie Policy for details.
7. International Operations
G.I.R.L. operates internationally and currently hosts events across Europe. As we expand into additional markets, your data may be processed under both EU rules and local law. The same safeguards apply everywhere.
8. Data Retention
- Account data: retained while your account is active, deleted within 30 days of account deletion
- Event data: retained for 3 years after the event for insurance and legal purposes
- Technical logs: retained for 90 days
- Marketing consent: retained while subscribed, removed within 30 days of unsubscribing
- Media: retained for the duration specified in your consent, or until you request removal
9. Your Rights
Under GDPR, you have the right to:
- Access: request a copy of your personal data
- Rectification: correct inaccurate or incomplete data
- Erasure: request deletion of your data
- Restriction: limit how we process your data
- Portability: receive your data in a structured format
- Objection: object to processing based on legitimate interest
- Withdraw consent: at any time, without affecting prior processing
To exercise your rights, contact us at privacy@girlsinternationalracinglab.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) or your local supervisory authority.
10. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.
11. Data Breach Notification
If a data breach puts your rights at risk, we will notify the Danish Data Protection Agency within 72 hours (GDPR Art. 33). If it poses a high risk to you personally, we will tell you directly without undue delay (GDPR Art. 34).
12. For US Residents
COPPA (under 13)
For users under 13 in the United States, we comply with the Children's Online Privacy Protection Act (COPPA). We require verifiable parental consent before collecting personal data from children under 13. Parents may review, correct, or request deletion of their child's data at any time.
California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- The right to know what personal information we collect and why
- The right to delete your personal information
- The right to opt out of the sale or sharing of your personal information
- The right to non-discrimination for exercising your rights
To opt out of sale or sharing of your personal information, use the cookie settings in the website footer. We do not currently sell or share personal information as defined under CCPA/CPRA, and advertising cookies are not enabled yet.
13. For UK Residents
We comply with the UK GDPR and the Data Protection Act 2018. For users under 18 in the UK, we follow the Age Appropriate Design Code (AADC / Children's Code), which requires high privacy by default. All tracking and profiling is disabled for users identified as under 18.
You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
14. For Brazilian Residents
We comply with the Lei Geral de Proteção de Dados (LGPD). All users under 18 in Brazil are treated as a special category. Data processing of minors follows the best interests of the child principle. You may exercise your rights by contacting us at the email address above.
15. For Indian Residents
Under the Digital Personal Data Protection Act 2023 (DPDP Act), tracking, profiling, and targeted advertising involving users under 18 is prohibited without exception. We comply fully: no tracking cookies, analytics, or advertising pixels are activated for users identified as under 18 in India.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. We encourage you to review this policy periodically.
17. The Share Tool
The G.I.R.L. share tool (Make It Yours) lets you place a G.I.R.L. brand frame on a photo of your choice. Here is exactly what happens, and what does not.
Everything stays on your device. The tool runs entirely inside your browser. When you select a photo, your browser loads it into memory, draws it onto a canvas with our frame on top, and lets you download the result. The image never leaves your device. We do not upload it to any server. We do not store it. We do not see it.
No image storage. Because the image is processed locally, we have no copy of it. We cannot retrieve it later, even if you ask us to. When you close the page, the image is gone from our side - it was never on our side.
EXIF metadata is removed. When your browser draws the photo to canvas, it strips out the hidden technical data normally embedded in photo files - GPS coordinates, camera model, timestamps, device identifiers. The downloaded version contains the visible image only.
Public sharing is your choice. When you save your image and post it - to Instagram or anywhere else - that is a decision you make on a separate platform. G.I.R.L. is not the publisher. We do not push your image anywhere. We do not see where it ends up. Once it is on a public network, that network's terms apply, and the image is out of our hands and yours.
Age. The share tool is available to users aged 13 and older. Users under the digital consent age in their country (see section 4) need a parent or guardian to confirm use of the tool. We do not collect age information through the tool itself, which means parents and guardians are responsible for supervising use by minors in their care.
18. Contact
For any questions about this Privacy Policy or your personal data, contact us:
privacy@girlsinternationalracinglab.com
AHL 1212 ApS, Strandgade 11, 4000 Roskilde, Denmark