KARTGENIUS · PRIVACY POLICY

Privacy Policy

Effective May 25, 2026 · Operator: Tonka Tech LLC (JD Solutions Group S-Corp) · Privacy Contact: [email protected]

1. Introduction

KartGenius ("the App," "we," "us," or "our") is a mobile application developed and operated by Tonka Tech LLC (JD Solutions Group S-Corp), a Minnesota limited liability company. KartGenius connects to AIM Technologies MyChron data loggers via local WiFi, downloads kart racing session telemetry, and uses artificial intelligence to generate personalized coaching insights for drivers and coaches.

This Privacy Policy describes the information we collect, why we collect it, how we use and share it, how long we keep it, and the rights you have regarding your personal data. It applies to all users of the KartGenius iOS application and the website at https://kartgenius.app.

By downloading or using KartGenius, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the App.

Important — please read KartGenius is not affiliated with, endorsed by, or otherwise connected to AIM Technologies Srl. AIM, MyChron, and related product names are trademarks or registered trademarks of AIM Technologies Srl.

CONTENTS

  1. Introduction
  2. Scope and Applicability
  3. Information We Collect
  4. How We Use Your Information
  5. How We Share Your Information
  6. Data Storage and Security
  7. Data Retention
  8. Your Privacy Rights
  9. Additional Disclosures for California Residents
  10. Additional Disclosures for EEA, UK, and Swiss Residents
  11. Children's Privacy
  12. Cookies and Tracking
  13. Changes to This Policy
  14. How to Contact Us

2. Scope and Applicability

This Policy applies to:

Additional jurisdiction-specific disclosures are provided in Section 9 (California residents), Section 10 (European Economic Area, United Kingdom, and Switzerland), and Section 11 (Children). Where a specific section conflicts with the general provisions of this Policy, the more specific section governs for residents of that jurisdiction.

3. Information We Collect

3.1 Account information

KartGenius uses anonymous authentication by default. No account, name, or email address is required to access core features. If you voluntarily choose to create a named account, we collect:

3.2 Telemetry data from AIM devices

When you connect your AIM MyChron data logger to KartGenius over local WiFi, the App downloads session telemetry stored on the device. This data originates from the device's own sensors and is not collected from your iPhone. It may include:

3.3 AI coaching data

When you request an AI coaching analysis, session telemetry is transmitted to our servers and processed by Anthropic's Claude large language model to generate coaching insights. We store:

Coaching requests are made server-side via Supabase Edge Functions. Your KartGenius API credentials are never exposed to client devices. We do not transmit your name, email address, or account identifiers to Anthropic.

3.4 Technical and usage information

We automatically collect limited technical data to operate and improve the App:

We do not collect: advertising identifiers (IDFA), device location from iPhone GPS, contacts, camera or microphone input, browsing history, health or fitness data, or data from other applications on your device.

3.5 Payment and subscription information

In-app subscription purchases are processed exclusively by Apple through the App Store. KartGenius does not collect, process, or store payment card numbers, bank account information, or other financial credentials. We receive from RevenueCat, our subscription management provider, confirmation of subscription status, product identifiers, and anonymized purchase receipts.

3.6 Local network access

KartGenius requests iOS Local Network permission to discover AIM MyChron devices connected to the same WiFi network. During discovery:

4. How We Use Your Information

We use personal data only for the purposes described below. We do not use your data to serve third-party advertising. We do not sell personal data as defined under applicable law.

Processing Activity Purpose Legal Basis (GDPR) Article
Creating and managing your account Identity and authentication Contract performance Art. 6(1)(b)
Storing session telemetry Core app functionality Contract performance Art. 6(1)(b)
Generating AI coaching reports Core app functionality Contract performance Art. 6(1)(b)
Managing subscriptions Billing and access control Contract performance Art. 6(1)(b)
Crash reporting and diagnostics App stability and security Legitimate interests Art. 6(1)(f)
Usage analytics Product improvement Legitimate interests Art. 6(1)(f)
Legal compliance Regulatory obligations Legal obligation Art. 6(1)(c)

Legitimate interests balancing test

Where we rely on legitimate interests as our legal basis, we have conducted the required balancing assessment. Our legitimate interests in maintaining App security, diagnosing crashes, and understanding feature usage are necessary to deliver a reliable service. These interests do not override your fundamental rights and freedoms because: (a) the data involved is limited and non-sensitive; (b) processing is proportionate to the purpose; (c) users have reasonable expectations that a technology service monitors its own performance; and (d) we apply appropriate safeguards including anonymization and limited retention periods.

5. How We Share Your Information

We do not sell, rent, or trade personal data to third parties for marketing purposes. We share data only in the following circumstances:

5.1 Service providers (data processors)

We engage the following companies as data processors acting on our instructions. Each has entered or is required to enter into a Data Processing Agreement (DPA) with us as required by GDPR Article 28.

Provider Purpose Data Shared Privacy Policy
Supabase Inc. Database, authentication, storage, edge functions Anonymous user ID, session telemetry, coaching reports supabase.com/privacy
Anthropic PBC AI coaching generation Session telemetry only — no name or account identifiers anthropic.com/privacy
RevenueCat Inc. Subscription management Anonymous user ID, subscription status, App Store receipt revenuecat.com/privacy
Sentry Inc. Crash reporting and error monitoring Anonymous device ID, app version, stack traces sentry.io/privacy
Apple Inc. App Store distribution, payments, Sign in with Apple Governed by Apple's own policies apple.com/privacy

5.2 Legal requirements

We may disclose personal data if required by law, regulation, legal process, or governmental authority, or where we believe disclosure is necessary to protect the rights, property, or safety of KartGenius, our users, or others.

5.3 Business transfers

If KartGenius or its assets are acquired by or merged with another entity, personal data may be transferred as part of that transaction. We will notify you via in-app notice or email before your data becomes subject to a materially different privacy policy.

5.4 With your consent

We may share your data for other purposes with your explicit prior consent, such as if you choose to share a session file or coaching report with a coach or third party through a future feature.

6. Data Storage and Security

6.1 Storage location

Your data is stored on infrastructure operated by Supabase Inc., located in the United States (Amazon Web Services, us-east-1 region). We do not currently operate data centers in the European Economic Area.

6.2 Security measures

We implement the following security controls:

No security system is impenetrable. If we become aware of a security breach that affects your personal data, we will notify you as required by applicable law.

7. Data Retention

We retain personal data only as long as necessary for the purposes described in this Policy or as required by applicable law. The following table sets out our standard retention schedule:

Data Category Retention Period Basis for Retention
Session telemetry (lap times, GPS, sensor data) Life of account Contract — required to provide core service
AI coaching reports Life of account Contract — required to provide core service
Anonymous user identifier Life of account Contract — required to maintain session continuity
Email address (if provided) Life of account + 30 days Contract; deleted upon account deletion request
Crash reports and error logs (Sentry) 90 days Legitimate interests — proportionate to stability purpose
Usage analytics events 24 months rolling Legitimate interests — product improvement
Subscription and purchase records 7 years from transaction Legal obligation — tax and financial recordkeeping
Server access logs 30 days Legitimate interests — security monitoring

Upon valid deletion request or account closure, we will delete or anonymize your personal data within 30 days, except where a longer retention period is required by law or legitimate business necessity (such as active fraud investigations or pending litigation).

8. Your Privacy Rights

Regardless of where you are located, you may exercise the following rights by contacting us at [email protected]:

We will respond to all requests within 30 days. We may need to verify your identity before processing requests. We will not discriminate against you for exercising any privacy right.

To submit a request, email [email protected] with subject line "Privacy Request — [type of request]."

9. Additional Disclosures for California Residents

This section supplements the general Policy for residents of California and applies to the extent KartGenius is subject to the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA").

9.1 Categories of personal information collected

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

9.2 Sources

We collect information directly from you (through the App), from your AIM device (via local WiFi connection), and automatically (usage events, crash reports).

9.3 Business or commercial purpose

We collect personal information for the purposes described in Section 4 of this Policy.

9.4 Categories disclosed for business purposes

In the preceding 12 months we have disclosed personal information to service providers as described in Section 5.1 for operational purposes. We have not sold personal information.

9.5 Your CCPA rights

California residents have the right to:

To submit a verifiable consumer request, contact [email protected]. We will verify your identity before processing. You may designate an authorized agent to make requests on your behalf.

9.6 Shine the Light

California Civil Code Section 1798.83 permits California residents to request information about personal information disclosed to third parties for direct marketing purposes. We do not disclose personal information for direct marketing purposes.

10. Additional Disclosures for EEA, UK, and Swiss Residents

This section applies to users located in the European Economic Area (EEA), the United Kingdom, or Switzerland and supplements this Policy under the General Data Protection Regulation (GDPR) and applicable national implementations, including the UK GDPR and Swiss Federal Act on Data Protection (nFADP).

10.1 Data controller

Tonka Tech LLC (JD Solutions Group S-Corp) is the data controller for personal data processed through the KartGenius App. Contact: [email protected].

10.2 Legal bases for processing

The legal bases for our processing activities are set out in the table in Section 4 of this Policy. In summary:

10.3 International data transfers

Your personal data is transferred to and processed in the United States. The US does not benefit from an EU adequacy decision for all transfers. We rely on the following transfer mechanisms:

Copies of applicable transfer mechanisms are available upon request by contacting [email protected].

10.4 Data Processing Agreements

We have entered into or are required to enter into Data Processing Agreements (DPAs) with each of our processors named in Section 5.1, compliant with GDPR Article 28. These agreements impose data protection obligations on processors and restrict sub-processing without our prior consent.

10.5 Your GDPR rights

EEA, UK, and Swiss residents have the following rights under applicable data protection law:

To exercise any of these rights, contact [email protected] with "GDPR Rights Request" in the subject line. We will respond within one month. This period may be extended by two months where requests are complex or numerous; we will notify you of any extension within one month of receipt.

We will not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive.

10.6 Right to lodge a complaint

You have the right to lodge a complaint with the supervisory authority in your country of residence, place of work, or place of the alleged infringement. A directory of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

UK residents may contact the Information Commissioner's Office (ICO) at https://ico.org.uk/make-a-complaint/

Swiss residents may contact the Federal Data Protection and Information Commissioner (FDPIC) at https://www.edoeb.admin.ch/

We ask that you contact us at [email protected] before lodging a complaint so that we have the opportunity to address your concern directly.

11. Children's Privacy

KartGenius is designed for use by kart racing participants of all ages, including minors, under appropriate parental or guardian supervision. The App is rated 4+ on the Apple App Store.

11.1 Users under 13 (COPPA)

We do not knowingly collect personal information from children under 13 years of age without verifiable parental consent, as required by the Children's Online Privacy Protection Act (COPPA). KartGenius's default anonymous authentication mode does not require any child to provide a name, email address, or other identifying information.

If a parent or guardian believes that their child under 13 has provided personal information without consent, please contact us at [email protected] and we will promptly delete such information.

11.2 Users 13–17

Where a user between 13 and 17 years of age provides personal information (such as creating a named account), we encourage parents and guardians to review and supervise their minor's use of the App. Parents may contact [email protected] to review, request correction of, or delete information associated with a minor's account.

11.3 GDPR — Children in the EEA

For EEA users, where processing is based on consent and the user is under 16 years of age (or the lower age threshold applicable in their member state), parental or guardian consent is required. Given that KartGenius does not rely on consent as a legal basis for core processing (we rely on contract performance), this requirement applies primarily to optional features such as email communications.

12. Cookies and Tracking

The KartGenius iOS App does not use cookies. The website at https://kartgenius.app may use essential technical cookies required for page rendering and security. We do not use advertising cookies, cross-site tracking, or third-party behavioral analytics cookies on our website.

We do not use Apple's Advertising Identifier (IDFA) or any other cross-app advertising identifier.

13. Changes to This Policy

We may update this Privacy Policy periodically. When we make material changes, we will:

Your continued use of KartGenius after the effective date of an updated Policy constitutes your acceptance of the changes. If you do not agree to the updated Policy, you should discontinue use of the App and may request deletion of your data per Section 8.

The current version of this Policy is always available at https://kartgenius.app/privacy. Prior versions are available upon request.

14. How to Contact Us

For any privacy questions, data requests, or to exercise your rights, please contact us at:

Tonka Tech LLC (JD Solutions Group S-Corp)
Privacy: [email protected]
Support: [email protected]
Website: https://kartgenius.app/privacy
State of Incorporation: Minnesota, United States

We aim to respond to all privacy inquiries within 5 business days and to complete data requests within 30 calendar days.