This Policy defines the activities of the operator of the Racelane mobile application – LLC “Mobile Assistant” (hereinafter referred to as the "Operator") in connection with the processing of personal data of:

• Users of the Racelane mobile application;
• Customers of services provided by the Operator;
• Individuals featured as characters, experts, and hosts in the Operator’s advertising and informational materials;
• Representatives of parties to contracts concluded with the Operator;
• Persons who have submitted inquiries (applications, complaints, suggestions) or are mentioned in such inquiries;
• Users of social networks (hereinafter collectively referred to as the “personal data subject(s)”).

This Policy is approved in accordance with the Law of the Republic of Belarus of May 7, 2021 No. 99-З “On the Protection of Personal Data” (hereinafter referred to as the "Law").

It explains to personal data subjects how and for what purposes their personal data is collected, used, or otherwise processed, and outlines the rights of personal data subjects in connection with such processing, along with the mechanisms for exercising these rights.

1. Terms and Definitions

The following terms are used in this Policy with the meanings specified below:

1.1. Automated Processing – processing of personal data using computing tools (applications and other software, databases, computers, mobile phones, etc.).

1.2. Anonymization – a synonym for "deletion/destruction": actions that make it impossible to restore personal data in information resources (systems) containing personal data, and eliminate the possibility of associating the remaining data with a specific data subject.

1.3. Blocking – the suspension of access to personal data without deleting it.

1.4. Information Resources – the Racelane mobile application or racelane.app — an internet resource (website) hosted on information resources in the second-level domain www.racelane.app and all subdomains of the third and subsequent levels in the Internet.

1.5. Processing of Personal Data – any operation or set of operations performed on personal data, including collection, systematization, storage, modification, usage, anonymization, dissemination, provision, cross-border transfer, blocking, deletion/destruction, or anonymization of personal data. The specific list of operations depends on the purpose of processing and is provided in Section 2 of this Policy.

1.6. Personal Data – any information relating to an identified or identifiable natural person.

1.7. User – a person who has completed the registration procedure in the Racelane application.

1.8. Visitor (Guest) – a person who has not completed the registration procedure in the Racelane application.

1.9. Latest Activity in the Racelane Application – registration, authorization in the account, application/registration for an event or championship stage, editing event or stage application data, or filling out profile form fields.

1.10. Provision – actions aimed at granting access to personal data to a specific person or group of persons who are not employees of the Operator.

1.11. Dissemination of Personal Data – actions aimed at granting access to personal data to an undefined group of people (for example, by publishing competition results in the Racelane application, forming rankings based on competition results, with display of placement and other information related to the user).

1.12. Mixed Processing – processing of personal data both on paper and using computing tools (applications and other software, databases, computers, mobile phones, etc.).

1.13. Personal Data Subject – a natural person whose personal data is being processed. The list of data subjects depends on the purpose of processing and is provided in Section 2 of this Policy.

1.14. Cross-Border Transfer – the transfer of personal data to the territory of a foreign country (e.g., when using cloud-based software such as Google Drive, Google Docs, etc.).

1.15. Deletion/Destruction – actions that make it impossible to restore personal data in information resources (systems) containing personal data and/or result in the destruction of physical media containing personal data.

2. Purposes, Scope, Procedure, Methods, and Legal Grounds for the Processing of Personal Data; Retention Period

The Operator processes personal data in the following cases:

2.1. Purpose 1 – Account Activities

2.1.1. Purpose: creation and administration of a user account and formation of a competition participants database with provision and/or dissemination of data from it.

2.1.2. Data subjects: users of the Racelane mobile application.

2.1.3. Data processed: IP address, registration and authorization date and time, account activity data, user device information, first and last name, email address, mobile phone number, vehicle data (make, model, technical specs), information provided when contacting tech support.

2.1.4. Legal basis: User Agreement.

2.1.5. Methods: automated processing – collection, systematization, storage, modification (including by supplementing with other data), usage, anonymization, provision and/or dissemination (regarding participation in public sports events, vehicle information, first and last name), cross-border transfer (technical support via third-party software), blocking, deletion (anonymization).

2.1.6. Retention period: 10 years from the date of last activity in the Racelane mobile application.

2.2. Purpose 2 – Promotional Mailings

2.2.1. Purpose: sending promotional and informational materials via email.

2.2.2. Data subjects: users of the Racelane mobile application.

2.2.3. Data processed: name, email address.

2.2.4. Legal basis: User Agreement.

2.2.5. Methods: automated processing – collection, systematization, storage, modification, usage, provision, cross-border transfer (of name and email), blocking, deletion.

2.2.6. Retention period: 3 years from the date of last activity in the application.

2.3. Purpose 3 – Publishing Materials

2.3.1. Purpose: preparation and publication of informational materials (event results, rankings, photos, videos, etc.).

2.3.2. Data subjects: competition participants

2.3.3. Data processed: first name, last name, audio or video interviews, information shared during interviews, images (photos, videos with audio).

2.3.4. Legal basis: User Agreement.

2.3.5. Methods: mixed processing – collection, systematization, storage, usage, modification, anonymization, provision, dissemination (of interview results and information authorized for publication by the subject via agreement), cross-border transfer, deletion/destruction.

2.3.6. Retention period: indefinitely.

2.4. Purpose 4 – Contractual Relations

2.4.1. Purpose: conclusion and execution of contracts not related to service provision by the Operator.

2.4.2. Data subjects: representatives of contractual parties.

2.4.3. Data processed: full name, job title, phone number, email address, other data per contract.

2.4.4. Legal basis: Paragraph 15, Article 6 of the Law (contract conclusion and execution).

2.4.5. Methods: mixed processing – collection, systematization, storage, usage, modification, provision, cross-border transfer, blocking, deletion/destruction.

2.4.6. Retention period: 3 years after contract expiration and tax audit (or 10 years if no audit occurred).

2.5. Purpose 5 – Processing Inquiries

2.5.1. Purpose: handling written inquiries (applications, suggestions, complaints).

2.5.2. Data subjects: individuals submitting or mentioned in inquiries.

2.5.3. Data processed: full name, address of residence or stay, phone number or email address (for data processing-related inquiries), inquiry content, and other data provided.

2.5.4. Legal basis: Paragraph 20, Article 6 of the Law of the Republic of Belarus No. 300-З of 18.07.2011 “On Appeals of Citizens and Legal Entities.”

2.5.5. Methods: mixed processing – collection, systematization, storage, usage, modification, provision, cross-border transfer (due to use of foreign third-party software), blocking, deletion/destruction.

2.5.6. Retention period: 5 years from the date of the last inquiry.

2.6. Purpose 6 – Social Media Management

2.6.1. Purpose: management of Racelane social media accounts, including comment and message handling.

2.6.2. Data subjects: social media users.

2.6.3. Data processed: nickname, other public data provided by the user.

2.6.4. Legal basis: Paragraph 19, Article 6 of the Law (data made publicly available by the subject or with their consent).

2.6.5. Methods: automated processing – collection, storage, usage, provision, cross-border transfer (due to use of foreign third-party software), deletion.

2.6.6. Retention period: during the period of use of social media platforms, except for messages, which are deleted within 3 years* of receipt.

*Calculated from the calendar year following the year in which the message was received.

Abbreviations

Law – the Law of the Republic of Belarus of May 7, 2021, No. 99-З “On the Protection of Personal Data”

Software – computer software

3. Entities Granted Access to or Processing Personal Data (Authorized and Third Parties)

3.1. The Operator engages authorized persons to process personal data.

Authorized persons are government authorities, organizations, individual entrepreneurs, and natural persons, including foreign ones, who, on behalf of or in the interest of the Operator, carry out part or all of the operations involving personal data (i.e., data processing).

Based on executed agreements, the Operator engages the following authorized persons:

3.1.1. Google LLC

Location: 1600 Amphitheatre Parkway, Mountain View, California, USA

Engaged due to the use of corporate email on the domain racelane.app, as well as cloud storage provided by Google when using Google services such as Google Drive, Google Docs, Google Sheets, etc.

The following personal data may be transferred to this authorized person:

– Personal data submitted during support requests by users of the Racelane application,

– Personal data of individual entrepreneurs and representatives of legal entities submitted in service request forms and during the provision of services

– Other personal data.

Actions performed with personal data: systematization, storage, usage, provision, cross-border transfer, blocking, deletion.

3.1.2. Email Campaign Contractor (Service Provider)

Location: Republic of Belarus

Personal data that may be transferred: name, email address.

Actions performed with personal data: storage, usage, provision, cross-border transfer.

3.1.3. Educational and Sports Institution “SDYUSSH for Auto and Motorcycle Sports” DOSAAF

Location: Republic of Belarus, Minsk Region, Minsk District, Novodvorsky Village Council, near the village of Prilesye.

Actions performed with personal data: systematization, storage, usage, provision, cross-border transfer, blocking, deletion.

3.2. In certain cases, personal data may be transferred to third parties who process the data (collect, use, etc.) for their own purposes (hereinafter — independent controllers), or third parties may be granted access to personal data without processing it themselves (hereinafter — data access recipients).

Independent controllers may include, for example: – Banks, postal and courier services,

– Government authorities and organizations receiving personal data in accordance with legal requirements,

– Developers/providers of messaging platforms (Telegram, Viber, etc.), electronic document management systems, and more.

When publishing advertising and informational materials, independent controllers also include developers (providers) of platforms such as YouTube, and social networks like Instagram, Telegram, TikTok, VKontakte, Facebook, Twitter, Odnoklassniki, and others.

Occasionally, data access recipients may also include organizations servicing third-party software used for administrative (business) tasks, such as 1C software developers/providers, among others.

4. Cross-Border Transfer of Personal Data

4.1. The Operator's authorized persons and third parties, as well as their data centers, may be located in various regions around the world, which results in cross-border transfers of personal data.

4.2. Some authorized and third parties, including their data centers, such as:

• Google LLC
• Contractor (Service Provider) for email campaigns
• Developers (providers) of platforms such as YouTube, and social networks including Instagram, Telegram, TikTok, VKontakte, Facebook, Twitter, Odnoklassniki, etc., as well as messaging apps like Telegram, Viber, WhatsApp, and others are located in countries (such as the United States) where an adequate level of protection of personal data subjects’ rights is not ensured.

4.3. The processing of personal data in countries that do not provide an adequate level of protection of personal data subjects’ rights is associated with certain risks, which the Operator is obliged to inform the data subject about.

Examples of such risks include:

• Absence of legislation governing personal data processing
• No restrictions on the disclosure of personal data to third parties or lack of liability for such actions
• Lack of a competent authority for the protection of personal data
• Lack of measures for technical protection of personal data, including protection against leaks
• Use of personal data in an unlimited number of ways and for an indefinite period of time, among others

5. Rights of Personal Data Subjects

5.1. Personal data subjects are entitled to the following rights:

5.1.1. Withdraw their consent to the processing of personal data.

To exercise this right, the application administrator must, within 15 days:

• cease processing the personal data,
• delete the data,
• ensure that authorized persons also stop processing the data, and
• notify the subject of the actions taken.

If technical deletion is not possible, the administrator must take measures to prevent further processing, including blocking the data, and inform the data subject accordingly.

5.1.2. Request information regarding the processing of their personal data.

To exercise this right, the application administrator must, within 5 business days, either:

• provide the requested information in an accessible format, or
• inform the subject of the reason for refusal.

The response must include:

• The Operator’s location;
• Confirmation of whether personal data is being processed by the Operator;
• The personal data being processed and their source;
• Legal grounds and purposes of processing;
• The period for which consent has been granted;
• The name and location of any authorized person to whom the data is transferred.

5.1.3. Request correction of personal data if it is incomplete, outdated, or inaccurate.

To exercise this right, the application administrator must, within 15 days:

• make the necessary changes and inform the data subject, or
• inform them of the reasons for refusal.

5.1.4. Obtain information about disclosure of personal data to third parties.

To exercise this right, the application administrator must, within 15 days:

• provide details of which personal data were shared and with whom, within the one-year period preceding the request, or
• inform the subject of the reasons for refusal.

This information is provided free of charge once per calendar year.

5.1.5. Request the termination of personal data processing, including deletion, if there are no legal grounds for such processing.

To exercise this right, the application administrator must, within 15 days:

• stop processing and delete the data,
• ensure that authorized persons also stop processing the data, and
• inform the subject accordingly.

If technical deletion is not possible, the administrator must take measures to prevent further processing, including blocking the data, and inform the subject.

The Operator has the right to refuse such a request if legal grounds for processing exist, including if the data is required for the declared processing purposes, and must inform the subject accordingly.

5.1.6. Appeal the actions (or inaction) and decisions of the Operator related to personal data processing to the authorized data protection authority.

To exercise this right, the application administrator is obliged to comply with the instructions of the authorized data protection authority.

6. Procedure for Exercising the Rights of Personal Data Subjects

6.1. To exercise their rights related to the processing of personal data, the data subject must submit a written request to the Operator.

6.2. The request must include the following information:

• Last name and first name of the personal data subject
• Place of residence (or stay)
• Date of birth
• Description of the request
• Personal signature

7. Final Provisions

7.1. The Operator adopts and continuously improves organizational and technical measures to protect the personal data of data subjects.

7.2. Issues related to the processing of personal data that are not addressed in this Policy are governed by the Law of the Republic of Belarus No. 99-З of May 7, 2021 “On the Protection of Personal Data” and other legislation of the Republic of Belarus.

7.3. If any provision of this Policy is found to be in conflict with the legislation of the Republic of Belarus, the remaining provisions shall remain valid and enforceable, and any invalid provision shall be considered removed and/or amended to the extent necessary to comply with the legislation of the Republic of Belarus.

7.4. The Operator has the right, at its own discretion, to unilaterally amend and/or supplement this Policy without prior notice to data subjects by publishing a new version of the Policy in the Racelane mobile application or on the racelane.app website.

Operator details:

Limited Liability Company "Mobile Assistant"

Legal address: 91 Kropotkina St., Office 14, Room 306, Minsk, 220002, Republic of Belarus

UNP (Tax ID): 193549859