Privacy Policy
This Privacy Policy describes how bibs.run ("we," "us," or "our") collects, uses, and shares information about you when you use our website and services at bibs.run (the "Service"). Please read this policy carefully. By using the Service, you acknowledge you have read and understood it.
1. Who We Are
bibs.run is an independent service that helps runners track race registration windows and receive notifications when registration opens for their selected races. For questions about this policy, contact us at ting@bibs.run.
2. Information We Collect
Information you provide directly
- Email address — when you create an account
- Password — stored in hashed form; we never store your plaintext password
- Race selections — the races you choose to track
Information collected automatically
- Usage data — pages visited, actions taken within the Service
- Log data — IP address, browser type, referring URLs, timestamps
- Device information — browser type and operating system
Information from third parties
If you subscribe to a paid plan, your payment is processed by Stripe. We receive a customer ID and subscription status from Stripe but do not store your card number, expiration date, or CVV.
We do not collect sensitive personal information such as race, ethnicity, religion, health data, precise geolocation, or government ID numbers.
3. How We Use Your Information
We use your information to:
- Create and maintain your account
- Send email notifications when race registration opens for races you have selected
- Send transactional emails including email verification and password reset
- Process and manage your subscription payment via Stripe
- Improve and maintain the Service
- Comply with legal obligations
- Detect and prevent fraud or abuse
We do not sell your personal information. We do not use your information for advertising or share it with advertising networks.
Legal bases for processing (EU/UK GDPR)
| Purpose | Legal basis |
|---|---|
| Account creation and management | Performance of a contract |
| Race notification emails | Performance of a contract / Legitimate interests |
| Transactional emails (verification, password reset) | Performance of a contract |
| Payment processing | Performance of a contract |
| Improving the Service | Legitimate interests |
| Legal compliance | Legal obligation |
4. How We Share Your Information
We share your information only as described below:
| Recipient | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing and subscription management | Email address, subscription status |
| Loops | Transactional and notification email delivery | Email address, race selections |
| Cloudflare | Hosting, network infrastructure, and data storage | All data necessary to operate the Service |
We may also disclose your information if required by law, court order, or government authority, or to protect the rights, property, or safety of bibs.run, our users, or the public.
We do not sell, rent, or share your personal information with third parties for their own marketing purposes.
5. Data Retention
We retain your personal information for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes (for example, Stripe may retain transaction records as required by financial regulations).
6. Your Rights and Choices
All users
- Account deletion — you may delete your account at any time from the Account page. This will cancel any active subscription and delete your data.
- Email notifications — you may unsubscribe from race notification emails at any time using the unsubscribe link in any email we send, or by deleting your account.
- Password reset — you may reset your password at any time from the Account page.
California residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to know — you may request that we disclose what personal information we collect, use, disclose, and sell about you.
- Right to delete — you may request that we delete your personal information, subject to certain exceptions.
- Right to correct — you may request that we correct inaccurate personal information we hold about you.
- Right to opt out of sale or sharing — we do not sell or share your personal information for cross-context behavioral advertising.
- Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined under CPRA.
- Right to non-discrimination — we will not discriminate against you for exercising any of your rights.
To exercise these rights, contact us at ting@bibs.run. We will respond within 45 days. We may need to verify your identity before fulfilling a request.
Virginia, Colorado, and Connecticut residents
If you are a resident of Virginia (VCDPA), Colorado (CPA), or Connecticut (CTDPA), you have rights similar to those described above for California residents, including rights to access, correct, delete, and obtain a copy of your personal data. To exercise these rights, contact us at ting@bibs.run.
EU and UK residents (GDPR / UK GDPR)
If you are located in the European Union or United Kingdom, you have the following rights:
- Right of access — you may request a copy of the personal data we hold about you.
- Right to rectification — you may request correction of inaccurate data.
- Right to erasure — you may request deletion of your personal data in certain circumstances.
- Right to restriction — you may request that we restrict processing of your data in certain circumstances.
- Right to data portability — you may request your data in a structured, machine-readable format.
- Right to object — you may object to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.
To exercise these rights, contact us at ting@bibs.run. You also have the right to lodge a complaint with your local data protection authority.
International data transfers: bibs.run is operated from the United States. If you are located in the EU or UK, your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses and the data processing agreements of our sub-processors (Stripe, Loops, Cloudflare) to provide appropriate safeguards for these transfers.
7. Cookies and Tracking
We use session cookies to maintain your logged-in state. These are strictly necessary for the Service to function and cannot be disabled while using the Service.
We do not use third-party tracking cookies, advertising cookies, or behavioral analytics tools.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including encrypted data transmission (HTTPS), hashed password storage, and access controls. We comply with the data security requirements of the New York SHIELD Act.
No method of transmission over the internet is 100% secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law.
9. Children's Privacy
The Service is not directed to children under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us at ting@bibs.run and we will delete it promptly.
10. Changes to This Policy
We may update this policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Service before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
- Email: ting@bibs.run
- Mail: bibs.run, 447 Broadway 2nd Floor #1255, New York, NY 10013
For EU/UK data protection inquiries, you may also contact your local supervisory authority.