Privacy Policy
How SplitKit LLC collects, uses, and protects personal information — for the race timing companies who connect their RaceResult account, the participants whose results pages we render, and anyone who visits splitkit.run.
1. Who we are and what this policy covers
SplitKit LLC (“SplitKit”, “we”, “us”, “our”) operates a software platform at splitkit.run and its subdomains (timer.splitkit.run, app.splitkit.run, admin.splitkit.run, api.splitkit.run, data.splitkit.run, updates.splitkit.run, and any successor or country-code subdomains we add). Our platform is a marketplace of participant-experience plugins for race timing companies that use the RaceResult timing system.
This Privacy Policy explains what personal information we collect, how we use it, who we share it with, your rights, and how to contact us. It applies to:
- Timers — race timing companies who create an account at timer.splitkit.run and connect their RaceResult event(s) to SplitKit;
- Participants — runners, walkers, cyclists, and other race entrants whose registration data is provided to SplitKit by a Timer through the RaceResult API, and who may visit app.splitkit.run to view results or purchase the Finisher’s Pack; and
- Visitors — anyone who views splitkit.run or interacts with us by email, support form, or social channel.
This policy does not apply to:
- The race timing software itself (operated by RaceResult — see their privacy policy);
- The race director or event organizer’s own websites, registration platforms, or marketing channels; or
- Third-party websites, apps, or services we link to.
2. Information we collect
2.1 Information you give us directly
| Category | What it includes | When we get it |
|---|---|---|
| Timer account | Email, name, password (hashed by Clerk), Google account ID (if you sign in with Google), business name, business address, phone, time zone | Sign-up at timer.splitkit.run |
| Timer billing | Bank-account / debit-card details for payouts (handled by Stripe; we never see card numbers), tax ID where required for 1099 reporting | Stripe Connect onboarding (Phase 2) |
| Timer integration secrets | Your RaceResult API key (on the API-key connect path) or your RaceResult customer ID and shared event IDs (on the share-an-event connect path) — SplitKit never collects your RaceResult username or password — plus white-label custom-domain DNS settings | Connect flow |
| Participant purchase | Email, name, billing address, payment-method last 4 digits (handled by Stripe), purchased Finisher’s Pack items | Stripe Checkout on app.splitkit.run |
| Support correspondence | Anything you write in a support ticket, email reply, or chat message | When you contact us |
2.2 Information we receive about Participants from a Timer’s RaceResult event
When a Timer connects an event, SplitKit reads participant data from the Timer’s RaceResult instance through the Lists API and webhooks. The exact fields are determined by the List the Timer configures, but typically include:
- Identity: first name, last name, gender, age, age group, club / team, city, state, country
- Contact: email, cell phone, phone (used for the Finish Line SMS and Email when the Finisher's Pack is enabled or when the Finish Line SMS Alerts add-on is activated)
- Safety: emergency contact name, phone, relationship (used only by the optional Emergency Contact DNF Notifier plugin)
- Bib number, event registration ID, division
- Per-split timing data: time-of-day, predicted time-of-day, overall rank, gender rank, age-group rank, pace
- Final results: chip time, chip rank, age-graded performance level
The Timer is the source of this data and remains the data controller for the participant data they collect at race registration. SplitKit acts as a data processor / service provider with respect to that participant data on behalf of the Timer, except where this policy or applicable law independently designates SplitKit as a controller (for example, the Finisher’s Pack purchase relationship between SplitKit and the Participant).
2.3 Information we collect automatically
| Category | What it includes |
|---|---|
| Device and connection | IP address, user agent, browser type, operating system, language, referring URL |
| Usage | Pages viewed, features used, button clicks (sampled via privacy-respecting analytics — no third-party advertising trackers in scope) |
| Cookies and similar technologies | Session cookies for authentication, security cookies, preference cookies (see §10) |
| Server logs | Request/response metadata, errors — retained 30 days at our observability provider (BetterStack), longer for security investigations |
2.4 Information we do not collect or sell
- We do not sell your personal information.
- We do not “share” your personal information for cross-context behavioral advertising as that term is defined in the California Privacy Rights Act.
- We do not run third-party advertising trackers on our properties.
- We do not knowingly collect personal information from children under 13 (see §7).
3. How and why we use your information
| Use | Categories used | Lawful basis (GDPR) / business purpose (CCPA) |
|---|---|---|
| Operate Timer accounts and the platform | Timer account, integration secrets, server logs | Contract performance |
| Render Participant results pages and live event views | Participant data from RaceResult, device | Legitimate interest of the Timer + Participant |
| Send the Finish Line transactional SMS and Email when the Finisher's Pack is enabled or the Finish Line SMS Alerts add-on is activated | Participant phone, email, bib, finish event | Legitimate interest + flow-down consent collected by Timer at registration |
| Generate the Finisher’s Pack (Finisher’s Certificate, Social Media Race Story, Detailed Race Performance report, Branded Share Card) | Participant identity, results, purchase | Contract performance with Participant |
| Process payments and payouts | Timer billing, Participant purchase | Contract performance |
| Email transactional notifications | Contract performance | |
| Provide customer support | Support correspondence, account | Contract performance / legitimate interest |
| Detect and prevent fraud, abuse, security incidents | Server logs, device, account | Legitimate interest / legal obligation |
| Comply with tax, accounting, and other legal obligations | Timer billing, Participant purchase | Legal obligation |
| Improve the service (aggregate, deidentified analytics) | Usage | Legitimate interest |
| Communicate platform updates with consent | Consent (you may withdraw at any time) |
Automated decision-making (CPRA ADMT disclosure): SplitKit uses the Anthropic Claude API to generate the Social Media Race Story and the Detailed Race Performance report included in the Finisher’s Pack — Participant-purchased, opt-in products. This is the only AI-based processing in our platform and it does not produce decisions that have legal or similarly significant effects on you. We do not use AI to make eligibility, pricing, or risk decisions about Timers or Participants.
4. Who we share information with
We share personal information only with the following categories of recipients, only for the purposes described in §3, and only under written contracts that require equivalent safeguards.
4.1 Subprocessors (service providers acting on our instructions)
| Subprocessor | Service | Region | What they receive |
|---|---|---|---|
| Vercel, Inc. | Web hosting, edge functions, log drain | United States | All data served by SplitKit web properties; metadata in logs |
| Amazon Web Services, Inc. | Object storage (S3), CDN (CloudFront), database (DynamoDB), DNS (Route 53), encryption (KMS) | us-east-1 (United States) | Participant data and Timer data at rest; encrypted with customer-managed keys for sensitive fields |
| Clerk, Inc. | Timer authentication and session management | United States | Email, name, password hash, Google account ID for SSO users |
| Stripe, Inc. | Payment processing, Stripe Connect for Timer payouts | United States | Card / bank-account details, billing address, transaction amounts |
| Twilio Inc. | Toll-Free SMS delivery for Finish Line and related notifications | United States | Participant phone number, bib, finish time, SMS body |
| Resend, Inc. | Transactional email delivery | United States | Email address, message content |
| Anthropic, PBC | Claude API for Social Media Race Story and Detailed Race Performance generation | United States | Participant name, race name, finish time, split times, age group (no email or phone) |
| Freshworks Inc. (Freshdesk) | Customer support ticketing | United States | Support correspondence, name, email |
| BetterStack | Log retention, uptime monitoring, alerting | European Union (EU servers) | Server logs (no payment, password, or sensitive PI in log content by design) |
| Slack Technologies, LLC | Internal operational alerting and team messaging — never customer-facing | United States | Operational metadata only; no Participant or Timer PII routed by design |
| Northwest Registered Agent, LLC | Wyoming registered agent for legal mail | United States (Wyoming) | Business name, contact for service of process |
| Google LLC | Google Cloud OAuth client backing Clerk Google SSO | United States | Google account email and name when a Timer chooses Google SSO; SplitKit never receives a Google access token directly |
We update this list when subprocessors change. You may subscribe to subprocessor change notifications by emailing privacy@splitkit.run.
4.2 Other recipients
- The Timer that created the event you participated in receives Participant data through the same RaceResult APIs they already control; SplitKit does not transmit Participant data to other Timers.
- The Race Director of an event may receive aggregate analytics or the Race Director Analytics Report plugin output if the Timer activates that plugin; this contains only data the Timer already has.
- Affiliated entities in the event of a corporate restructuring, merger, sale, or asset transfer — recipients will be bound by terms no less protective than this policy.
- Government, law enforcement, or other parties when required by law, valid legal process, or to protect SplitKit’s rights, safety, or property — we resist overbroad requests where we are able.
We do not sell or share personal information with data brokers, advertisers, or marketing networks.
5. International data transfers
SplitKit is operated from the United States with components in the European Union (BetterStack EU). When personal information moves across borders we rely on lawful transfer mechanisms:
- Standard Contractual Clauses (EU Commission 2021/914/EU and the UK IDTA / Addendum) with each subprocessor that processes data in or from the EEA, UK, or Switzerland.
- The EU–US Data Privacy Framework where the recipient is certified.
- Your explicit consent in the rare cases the above are unavailable.
A copy of the relevant transfer-mechanism documentation is available on request to privacy@splitkit.run.
6. Data retention
| Data | Retention |
|---|---|
| Timer account | For the life of the account, plus 7 years after closure for tax / fraud / legal-hold purposes |
| Participant identity + results data | For the life of the Timer’s relationship with SplitKit, plus 1 year, then deleted or deidentified |
| Finisher’s Pack purchases | 7 years (US tax record-keeping) |
| Stripe payment records | Per Stripe’s retention policy and US tax law (typically 7 years) |
| Support correspondence | 3 years from last contact |
| SMS opt-outs (STOP keyword) | Indefinite — required to honor the opt-out across future events |
| Idempotency cache, webhook logs | 24 hours to 30 days, depending on table |
| Aggregate / deidentified analytics | Indefinite |
If you delete your Timer account, we delete or deidentify your account-level data within 30 days, except where retention is required by law or where data has been incorporated into immutable financial / audit records (Commission Ledger, Audit Log) — those records are retained for 7 years and access is denied to all Timer-facing systems immediately on deletion.
7. Children’s privacy
SplitKit is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we may have collected personal information from a child under 13 without verifiable parental consent, please contact privacy@splitkit.run and we will delete it promptly.
Many youth races (5K fun runs, kids’ events) include participants under 13. The Timer (race timing company) is responsible for collecting parental consent at race registration in compliance with COPPA and applicable state law before transmitting any under-13 personal information to SplitKit. We may, in the future, require Timers to confirm in their account that they have collected such consent before activating any plugin that processes under-13 data, and to flag under-13 registrants so we can apply additional safeguards or skip Participant-facing processing entirely.
8. Your privacy rights
We honor the rights granted by the law of your residence. Where the same right exists under multiple laws we apply the broadest available interpretation. To exercise any right, email privacy@splitkit.run with the subject line “Privacy Rights Request” and the right you wish to exercise. We respond within 45 days; if we need more time we will tell you why.
8.1 California (CCPA / CPRA, including 2026 amendments)
California residents have the right to:
- Know what personal information we collect, use, disclose, and “sell” or “share” — disclosed in this policy.
- Delete personal information, subject to exceptions for legal compliance, fraud prevention, and completing transactions you initiated.
- Correct inaccurate personal information.
- Limit the use and disclosure of sensitive personal information beyond what is necessary to provide the service.
- Opt out of “sale” or “sharing” for cross-context behavioral advertising — SplitKit does neither, but California residents may exercise a “do not sell or share” right by emailing the address above.
- Honor Global Privacy Control (GPC) signals as opt-out requests — we honor browser GPC signals across our properties.
- Non-discrimination — you will not receive different service or pricing for exercising these rights.
- Authorized agent — you may designate someone to make a request on your behalf with proof of authorization.
You may also appeal a denial by replying to our denial email; we treat appeals as a separate response track.
8.2 European Economic Area, United Kingdom, Switzerland (GDPR / UK GDPR)
You have the right to:
- Access your personal information (Subject Access Request);
- Rectify inaccurate data;
- Erase (“right to be forgotten”);
- Restrict processing;
- Object to processing based on legitimate interest;
- Portability — receive your data in a structured, commonly used, machine-readable format;
- Withdraw consent at any time where processing is based on consent;
- Lodge a complaint with your supervisory authority (e.g., the UK ICO; or the data protection authority in your EEA member state).
If we have not designated an EU representative under GDPR Article 27 at the time you read this policy, you may direct EU/UK enquiries to privacy@splitkit.run; we will respond as the controller or processor, as applicable.
8.3 Other US states (Virginia, Colorado, Connecticut, Utah, and others as enacted)
Residents of states with applicable consumer-privacy laws have rights substantively equivalent to the California rights above (with state-specific procedural variations). Use the same email address; we apply the broadest applicable framework.
8.4 SMS-specific rights (TCPA)
For Finish Line SMS and any other SMS we send:
- Reply STOP to opt out of all SplitKit SMS, immediately and across all events.
- Reply HELP for help (returns sender identification and the privacy email).
- Standard message and data rates may apply.
- Carriers are not liable for delayed or undelivered messages.
- We do not send marketing or promotional SMS. The Finish Line SMS is a one-time transactional message in direct response to your finish-line chip read.
For the full description of how participants opt in to SMS, the consent language collected at registration, sample messages, and opt-out mechanics, see our SMS Consent and Opt-In notice.
9. Security
We use industry-standard administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, alteration, disclosure, and destruction. These include:
- TLS in transit on all public endpoints
- AES-256 encryption at rest for all data stored in DynamoDB and S3
- Customer-managed AWS KMS encryption keys for sensitive secrets (per-tenant RaceResult API tokens)
- Least-privilege IAM policies on all backend services
- Multi-factor authentication for all SplitKit employees and contractors with production access
- Regular security review of dependencies and third-party services
- Immutable audit log of privileged actions
No method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we work to protect your information using safeguards consistent with the sensitivity of the data and the state of the art.
If you believe your account or personal information has been compromised, contact security@splitkit.run.
10. Cookies and similar technologies
We use cookies and similar technologies to operate the platform and to remember your preferences. We classify cookies into three categories:
| Category | Purpose | Examples |
|---|---|---|
| Strictly necessary | Authentication, security, load balancing | Clerk session cookie, CSRF token, Vercel routing cookie |
| Functional | Remember preferences | Language selection, time zone |
| Analytics | Aggregate usage analytics — first-party only | Page view counts, feature usage (no cross-site tracking) |
We do not use third-party advertising cookies, retargeting pixels, or social media tracking pixels. You can manage cookies through your browser settings; blocking strictly-necessary cookies will break sign-in and core platform features.
We honor the Global Privacy Control (GPC) signal as an opt-out from any analytics or non-essential cookies.
11. Changes to this policy
We may update this policy from time to time. When we make a material change — for example, a new category of personal information, a new subprocessor that processes personal information in a new way, or a new use that materially expands the scope of processing — we will:
- Update the “Last updated” date at the top of this policy;
- Post a prominent notice on splitkit.run and timer.splitkit.run for at least 30 days;
- Email Timer account holders at the email on file; and
- Where required by law, obtain renewed consent before the change takes effect.
Non-material changes (typo fixes, clarifications, adding a subprocessor in the same category and region) will be reflected by an updated date and a changelog entry, without the email notice.
12. Contact
For any privacy question, request, or concern:
Email: privacy@splitkit.run
Mail:
SplitKit LLC
Seattle, WA (mailing address available on request)
For California consumer-privacy requests, you may also use the email above; please write “California Privacy Request” in the subject line.
For security disclosures: security@splitkit.run.