Privacy Policy
Last updated: March 28, 2026
Your data matters to us. Because you matter to us. Here is exactly how we handle it.
Data Controller
AHL 1212 ApS (CVR 44439638)
Operating as Girls International Racing Lab (G.I.R.L.)
Strandgade 11, 4000 Roskilde, Denmark
privacy@girlsinternationalracinglab.com
1. What Data We Collect
- Account information: name, email address, date of birth, country of residence
- Event participation: registration details, event preferences, attendance records
- Communications: messages you send us, newsletter preferences
- Technical data: IP address, browser type, device information (see our Cookie Policy)
- Media: photos and videos taken at events, with separate opt-in consent
2. How We Use Your Data
- To provide and manage your G.I.R.L. membership
- To register you for events and activities
- To send updates about events, news, and community activities
- To improve our services and website
- To comply with legal obligations
3. Legal Basis
We process your data based on:
- Consent (GDPR Art. 6(1)(a)): when you join G.I.R.L. or register for events
- Contract performance (Art. 6(1)(b)): to deliver services you requested
- Legitimate interest (Art. 6(1)(f)): to improve our services and communicate with our community
- Legal obligation (Art. 6(1)(c)): when required by law
4. Children's Privacy
G.I.R.L. welcomes participants of all ages. Because our community includes minors, we take extra care to protect young participants and limit data collection to what is strictly necessary for event participation.
The age at which a person can independently consent to data processing varies by country:
| Country | Consent age |
|---|---|
| Denmark | 15 |
| Germany | 16 |
| France | 15 |
| Spain | 14 |
| Italy | 14 |
| Netherlands | 16 |
| United Kingdom | 13 |
| United States | 13 (COPPA) |
| UAE | 18 |
| All other EU/EEA | 16 (default) |
For users below the consent age in their country, we require verifiable parental or guardian consent before collecting personal data. We do not engage in profiling, targeted advertising, or automated decision-making involving minors.
5. Photography and Media at Events
G.I.R.L. events may be photographed and recorded. Photography consent is collected separately from event registration. You may participate without consenting to be photographed.
For all participants under 18, guardian consent is required for photography. You may withdraw photo consent at any time by contacting us, and we will remove your images within 30 days.
6. Service Providers and Processors
We use the following third-party services to operate our platform:
| Service | Purpose | Transfer mechanism |
|---|---|---|
| Supabase | Database and authentication | EU (Frankfurt), no transfer |
| Netlify | Website hosting | US, EU-US DPF + SCCs |
| Resend | Email communications | US, SCCs |
| Google Analytics | Pseudonymised website analytics | US, EU-US DPF + SCCs |
| Google Ads | Advertising measurement | US, EU-US DPF + SCCs |
| Google Workspace | Email and document handling | US, EU-US DPF + SCCs |
| Meta (Facebook/Instagram) | Advertising and measurement | US, EU-US DPF + SCCs |
| TikTok | Advertising and measurement | Singapore/US, SCCs |
| Snapchat | Advertising and measurement | US, SCCs |
| LinkedIn | Advertising and measurement | US, EU-US DPF + SCCs |
| Microsoft Clarity | Heatmaps and session recording | US, EU-US DPF + SCCs |
| GitHub | Code hosting | US, EU-US DPF + SCCs |
All service providers have signed data processing agreements under GDPR Article 28. For transfers outside the EU/EEA, Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework (DPF) apply.
Advertising and measurement services (Meta, TikTok, Snapchat, LinkedIn, Google Ads) are only activated with your explicit consent. See our Cookie Policy for details.
7. International Operations
G.I.R.L. operates internationally and hosts events in Denmark, the UAE, Germany, and beyond. If you participate outside the EU/EEA, your data may be processed under both EU rules and local law. The same safeguards apply everywhere.
8. Data Retention
- Account data: retained while your account is active, deleted within 30 days of account deletion
- Event data: retained for 3 years after the event for insurance and legal purposes
- Technical logs: retained for 90 days
- Marketing consent: retained while subscribed, removed within 30 days of unsubscribing
- Media: retained for the duration specified in your consent, or until you request removal
9. Your Rights
Under GDPR, you have the right to:
- Access: request a copy of your personal data
- Rectification: correct inaccurate or incomplete data
- Erasure: request deletion of your data
- Restriction: limit how we process your data
- Portability: receive your data in a structured format
- Objection: object to processing based on legitimate interest
- Withdraw consent: at any time, without affecting prior processing
To exercise your rights, contact us at privacy@girlsinternationalracinglab.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) or your local supervisory authority.
10. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.
11. Data Breach Notification
If a data breach puts your rights at risk, we will notify the Danish Data Protection Agency within 72 hours (GDPR Art. 33). If it poses a high risk to you personally, we will tell you directly without undue delay (GDPR Art. 34).
12. For US Residents
COPPA (under 13)
For users under 13 in the United States, we comply with the Children's Online Privacy Protection Act (COPPA). We require verifiable parental consent before collecting personal data from children under 13. Parents may review, correct, or request deletion of their child's data at any time.
California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- The right to know what personal information we collect and why
- The right to delete your personal information
- The right to opt out of the sale or sharing of your personal information
- The right to non-discrimination for exercising your rights
We respect the Global Privacy Control (GPC) browser signal. To opt out of sale or sharing of your personal information, use the “Do Not Sell or Share My Personal Information” option in our cookie settings.
13. For UK Residents
We comply with the UK GDPR and the Data Protection Act 2018. For users under 18 in the UK, we follow the Age Appropriate Design Code (AADC / Children's Code), which requires high privacy by default. All tracking and profiling is disabled for users identified as under 18.
You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
14. For Brazilian Residents
We comply with the Lei Geral de Proteção de Dados (LGPD). All users under 18 in Brazil are treated as a special category. Data processing of minors follows the best interests of the child principle. You may exercise your rights by contacting us at the email address above.
15. For Indian Residents
Under the Digital Personal Data Protection Act 2023 (DPDP Act), tracking, profiling, and targeted advertising involving users under 18 is prohibited without exception. We comply fully: no tracking cookies, analytics, or advertising pixels are activated for users identified as under 18 in India.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. We encourage you to review this policy periodically.
17. Contact
For any questions about this Privacy Policy or your personal data, contact us:
privacy@girlsinternationalracinglab.com
AHL 1212 ApS, Strandgade 11, 4000 Roskilde, Denmark
