PitLane Systems

Privacy Policy

Last updated: April 5, 2026

1. Who We Are

PitLane Systems LLC (“PitLane,” “we,” “us,” or “our”) is a Texas limited liability company based in Austin, TX. We operate the website pitlanesystems.com and the desktop application PitLane Director AC (collectively, the “Service”).

For questions about this policy, contact us at gray@pitlanesystems.com.

2. Data We Collect

Information you provide

  • Account information: name, email address, and password (stored as a cryptographic hash — we never store your password in plain text)
  • Payment information: processed entirely by Stripe. We do not store credit card numbers, expiration dates, or CVV codes. We receive and store your Stripe customer ID and subscription status.
  • Waitlist email: if you join our waitlist, we store your email address

Information collected automatically

  • Device identifiers: when you activate PitLane Director AC, we store a randomly generated device ID and device name to enforce per-plan device limits
  • Session data: IP address, user agent, and session tokens for authentication and security
  • Analytics data: we use Vercel Analytics, which collects anonymous, aggregated usage data without cookies or personal identifiers
  • Crash and error reports: the desktop application may send crash reports and error diagnostics to help us identify and fix issues. This includes stack traces, error messages, application version, and operating system information.
  • Usage telemetry: the desktop application may send anonymous usage data such as feature usage (which overlays are activated), session duration, application health metrics (startup success, sidecar connection status, update check outcomes), and Assetto Corsa / CSP version information. This data does not include race content such as driver names, lap times, or race results.

You may opt out of crash reporting and usage telemetry at any time via Settings in the desktop application. Opting out does not affect core functionality such as license validation, subscription management, or update checks.

3. How We Use Your Data

  • To provide, maintain, and improve the Service
  • To process payments and manage your subscription
  • To verify your email address via one-time verification codes
  • To enforce license terms and device activation limits
  • To communicate with you about your account, subscription, or changes to our terms
  • To detect, prevent, and address fraud, abuse, and security issues
  • To understand usage patterns through anonymous analytics

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your personal data under the following legal bases:

  • Contractual necessity: account data, payment processing, and subscription management are required to provide the Service you have purchased
  • Legitimate interest: device tracking for license enforcement, session data for security, and analytics for service improvement

5. Third-Party Processors

We share data only with the following service providers, solely for the purposes described above. We do not sell, rent, or trade your personal information to any third party.

  • Stripe (San Francisco, CA) — payment processing and subscription management
  • Resend — transactional email delivery (verification codes)
  • Vercel (San Francisco, CA) — website hosting and anonymous analytics
  • Neon — database hosting (PostgreSQL)
  • Sentry (San Francisco, CA) — crash reporting and error monitoring for the desktop application
  • Cloudflare (San Francisco, CA) — content delivery and object storage (R2) for application updates and installer downloads

Each processor maintains industry-standard security practices and, where applicable, Standard Contractual Clauses for international data transfers.

6. International Data Transfers

Your data is stored and processed in the United States. If you are located outside the US, your data will be transferred to the US for processing. Our third-party processors maintain appropriate safeguards, including Standard Contractual Clauses, for transfers of personal data from the EEA.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal obligations (e.g., tax records, fraud prevention).

Waitlist email addresses are retained until we launch the product or you request removal, whichever comes first.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you
  • Correction: request that we correct inaccurate data
  • Deletion:request that we delete your personal data (“right to be forgotten”)
  • Portability: request your data in a structured, machine-readable format
  • Objection: object to processing based on legitimate interest
  • Restriction: request that we restrict processing of your data

To exercise any of these rights, contact us at gray@pitlanesystems.com. We will respond within 30 days.

EEA residents have the right to lodge a complaint with their local data protection supervisory authority.

9. Sale of Personal Information

We do not sell, rent, or trade your personal information. We have never sold personal information and have no plans to do so.

10. Cookies

We use only functional session cookies that are strictly necessary to authenticate your account and maintain your login state. We do not use cookies for advertising, tracking, or analytics purposes. Vercel Analytics, our analytics provider, operates without cookies.

11. Age Requirement

The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from users under 18. If we learn that we have collected personal data from a user under 18, we will delete it promptly.

12. Security

We implement industry-standard security measures to protect your data, including:

  • Encryption in transit (TLS/HTTPS)
  • Cryptographic password hashing (passwords are never stored in plain text)
  • RSA-2048 signed tokens for desktop application authentication
  • Secure, access-controlled database hosting

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on our website at least 30 days before the changes take effect. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.