Privacy Policy

Last updated: June 1, 2026

Introduction

Welcome to MyLMU ("we," "our," or "us"). We are committed to protecting your privacy and ensuring transparency about how we collect, use, and safeguard your personal information. This Privacy Policy explains our practices regarding data collection when you use our service for tracking Le Mans Ultimate (LMU) race statistics.

Desktop Application Permissions

The Sync Agent operates locally on your computer. It only monitors the folder you select, and it uploads files using encrypted connections to MyLMU. You can pause syncing, switch folders, or uninstall the app at any time, which immediately stops monitoring.

Diagnostic logs remain on your device unless you choose to send them to support. If you share logs with us we treat them as personal data and handle them according to this Privacy Policy.

Information We Collect

Account Information

When you create an account, we collect:

Email address (used for authentication and communication)
Password (stored securely using industry-standard encryption)
In-game driver name (required to match your race data)
When you sign in with Google, Discord, or another OAuth provider: your display name, email address, and profile photo (or avatar) shared by that provider

Sync Agent (Desktop Application)

If you install the optional MyLMU Sync Agent for Windows or Linux, we collect additional information so the app can monitor your LMU Results folder and upload races securely:

The folder path you authorize the app to watch and related file metadata (names, hashes, sizes, timestamps, and upload status)
Basic device information such as OS version (Windows or Linux), architecture, and locale for compatibility checks
Diagnostic logs and error reports, which may include anonymized telemetry about syncing activity
A random device identifier used solely for delivering updates and preventing duplicate uploads

The Sync Agent only monitors the folder you explicitly choose and does not scan other directories on your computer.

Race Data and Telemetry

When you upload or import race results from XML files, we collect and store:

Race results (track name, car name, session type, positions, lap times)
Lap-by-lap telemetry (sector times, fuel consumption, speeds, positions)
Race metadata (date, duration, laps completed, pit stops, tire compounds)
Original XML file paths (for duplicate detection)

MyLMU Telemetry (.duckdb Files)

When you use the MyLMU Telemetry feature to upload .duckdb telemetry files:

Files may be processed in your browser for visualization; uploaded files are stored on our servers for access in the Service
Uploaded files are stored on our servers. Free and Beta accounts are limited to 3 telemetry uploads per calendar month (UTC), up to 20MB per file. Pro accounts have unlimited monthly uploads subject to per-file storage limits (up to 2GB per file). Deleting a file does not restore your monthly upload quota
Data extracted includes: speed, RPM, throttle, brake, GPS coordinates, and derived gear estimates
Files are retained until you delete them or your account is terminated

You retain full ownership of your telemetry data. We do not share raw telemetry files with third parties.

Discord Webhook Integration

If you enable the optional Discord integration for your teams or account, we collect:

The Discord webhook URL(s) you provide to send notifications
Configuration settings for which events trigger a notification (e.g., new race results)
No personal Discord account data is collected, as this integration uses webhooks only
Log data related to failed notification deliveries to help you troubleshoot your webhook connection

We do not have access to your Discord account, messages, or server data beyond what is required to send notification payloads to your provided webhook URLs.

MyLMU Coach AI

When you interact with the MyLMU Coach AI or use AI-powered features, we process the following:

Messages and queries you send to the AI assistant
Relevant race data, telemetry stats, and session context provided to the AI to generate accurate coaching and insights
Settings and preferences related to the AI widget visibility

You can disable the MyLMU Coach AI widget at any time in your settings.

Technical Information

We automatically collect certain technical information:

IP address and browser information (used for security and service optimization)
Authentication cookies (managed by Supabase for session management)
Usage data (pages visited, features used, clicks, and session behaviour) collected via PostHog analytics when you are logged in
For Sync Agent users: anonymized update checks containing your current app version, OS information (Windows or Linux), and device identifier so we can deliver new releases

GitHub Releases

The Sync Agent checks GitHub for updates. When this happens we share the app version, OS information, and a random identifier to determine if an update is available and to download the correct installer. No race data is transmitted during update checks.

How We Use Your Information

We use the collected information for the following purposes:

Service Delivery: To provide, maintain, and improve our race tracking and analytics services
Authentication: To verify your identity and secure your account
Data Processing: To parse XML race files, extract statistics, and generate insights
Telemetry Analysis: To provide advanced telemetry visualization, lap comparisons, and performance insights
Payment Processing: To process subscription payments and Coach Credit purchases, manage billing, and handle refunds for MyLMU Pro and Coach Credits
Automatic Sync: To detect new LMU race files via the Sync Agent, upload them to MyLMU, and prevent duplicate imports
Personalization: To display your race history, preferences, and statistics in your chosen units
Communication: To send account-related notifications, password resets, and service updates
Security: To detect and prevent fraud, unauthorized access, and other security threats
Legal Compliance: To comply with applicable laws, regulations, and legal processes

Third-Party Services

Supabase

We use Supabase for authentication, database storage, and backend services. Supabase handles your authentication credentials securely and stores your data in their PostgreSQL database. Please refer to Supabase's Privacy Policy for details on how they process your data.

Google OAuth

If you choose to sign in with Google, we use Google OAuth to authenticate your identity. Google shares your name, email address, and profile photo with us so we can create and secure your account. This information is used only for authentication and personalization within MyLMU. Please review Google's Privacy Policy for more information on how Google handles your data.

Discord OAuth

If you choose to sign in with Discord, we use Discord OAuth to authenticate your identity. Discord shares your username, email address (if available on your Discord account), and profile avatar with us so we can create and secure your account. This information is used only for authentication and personalization within MyLMU. Please review Discord's Privacy Policy for more information on how Discord handles your data.

Stripe (Payments)

We use Stripe to process subscription payments for MyLMU Pro and one-time purchases of Coach Credits. When you subscribe or purchase Coach Credits, Stripe collects your payment method details (such as card number, expiration date, and CVC) directly. We do not store your full payment information on our servers. We receive only non-sensitive transaction data from Stripe, including:

Transaction amounts and status
Last four digits of your card
Billing address (if provided)
Subscription status and renewal dates

Please refer to Stripe's Privacy Policy for details on how they process your payment data.

PostHog (Analytics)

We use PostHog to understand how users interact with MyLMU and to improve the service. PostHog may collect pages visited, features used, click and interaction events, browser and device information, and IP address (used to derive approximate country). Data is processed on servers located in Frankfurt, Germany (EU). Analytics are only enabled after you log in; we do not use PostHog on public marketing pages before authentication. Please refer to PostHog's Privacy Policy for details.

Data Storage and Security

We implement industry-standard security measures to protect your data:

All data is stored in Supabase's secure, encrypted databases
Passwords are hashed and never stored in plain text
Row Level Security (RLS) ensures users can only access their own data
HTTPS encryption for all data transmission
Regular security audits and updates

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

We use cookies managed by Supabase for authentication and session management, and by PostHog for analytics. The Supabase cookies are essential for the service to function. The PostHog cookie persists a random identifier to track sessions and page visits when you are logged in. For more detailed information, please see our Cookie Policy.

Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

Access: Request a copy of all personal data we hold about you
Correction: Update or correct inaccurate information through your dashboard settings
Deletion: Request deletion of your account and associated data
Data Portability: Export your race data in a structured format
Opt-Out: Disable AI insights or other optional features at any time
Cookie Management: Control cookie preferences through your browser settings

To exercise these rights, email privacy@mylmu.app or delete your account directly through the settings page.

Data Retention

We retain your data for as long as your account is active or as needed to provide you with services. If you delete your account:

Your account information, race data, and telemetry will be permanently deleted
This deletion is typically completed within 30 days
Some data may be retained longer if required by law or for legitimate business purposes
Local Sync Agent logs remain on your device until you delete them; if you have shared logs with support they will be removed once the issue is resolved unless we are legally required to keep them longer

Children's Privacy

Our service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will take steps to delete it promptly.

International Data Transfers

We design our processing so that most personal data stays in the European Economic Area (EEA). Where we use service providers outside the EEA, we rely on appropriate safeguards under GDPR—not open-ended consent to transfer your data worldwide.

Services primarily in the EU/EEA

The following processors handle personal data on infrastructure located in the European Union:

Supabase (authentication, database, and storage): hosted in the EU
PostHog (product analytics for logged-in users): processed in Frankfurt, Germany (EU)

Transfers outside the EEA

Some providers we use are established in the United States or may process data globally. When your data is transferred outside the EEA, we rely on appropriate safeguards, including:

Stripe (payments for MyLMU Pro and Coach Credits): Stripe, Inc. is based in the United States. We use Standard Contractual Clauses (SCCs) approved by the European Commission and Stripe's data processing terms where required for EEA transfers.
Google (OAuth sign-in): if you sign in with Google, Google may process data in the United States and other countries under Google's terms and transfer mechanisms, including SCCs where applicable.
Discord (OAuth sign-in): if you sign in with Discord, Discord may process data in the United States and other countries under Discord's terms and transfer safeguards, including SCCs where applicable.

You may contact us at privacy@mylmu.app to request more information about the safeguards we use for international transfers, or to exercise your rights regarding cross-border processing.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. You are advised to review this Privacy Policy periodically for any changes.

For questions about this Privacy Policy, your personal data, or exercising your privacy rights (including access, correction, deletion, and portability), contact our privacy team at:

privacy@mylmu.app

For questions about these Terms (not privacy or personal data), email legal@mylmu.app. We do not maintain a separate Data Protection Officer (DPO); for a platform of our size this is not required under the GDPR, but privacy@mylmu.app is our dedicated contact for data protection matters.