Draft — not yet reviewed by counsel

This document is a starting point that has not been reviewed by an attorney licensed in your jurisdiction. It is intended to be replaced with finalized terms before public launch. Until then, Holeshot is operating in a private pilot under direct agreement between Shift Labs LLC and individual track owners. If you have questions, please contact legal@holeshot.app.

Version: 2026-04-25-draft · Last updated: April 25, 2026

Privacy Policy

This Privacy Policy describes how Shift Labs LLC (“Shift Labs”, “we”) collects, uses, and shares personal information in connection with the Holeshot platform (the “Platform”).

1. Our role

Shift Labs is the controller (or, in California, the “business”) of personal information collected through your account and your interactions with the Platform itself. For information you submit specifically to register for a Track's event (such as your waiver, registration, and emergency-contact information), Shift Labs operates as a service provider / processor on behalf of the Track, and the Track is the controller of that information for purposes of its event.

[ATTORNEY: confirm controller / processor / service-provider line and whether a Data Processing Addendum is required between Shift Labs and each Track. Different state laws apply different terms (CCPA “business / service provider”, GDPR “controller / processor”); confirm a single defensible framing for the US-only pilot scope.]

2. Information we collect

a. Account information (account holders / Track owners)

  • Name, email, phone (via Clerk during sign-up)
  • Authentication credentials (managed by Clerk; we do not store passwords)
  • Track operational settings, payout / Stripe Connect status

b. Rider registration information

  • Rider first / last name and date of birth (required to compute age and check eligibility)
  • Bike make, model, displacement, plate number, transponder ID
  • Race-class selections
  • Emergency-contact name and phone
  • For minors: the parent or legal guardian's name, relationship, email, and phone
  • The signed waiver, including a captured signature image, IP address, user-agent string, and timestamp

c. Spectator / pit-pass information

  • Buyer name and email; quantity of tickets

d. Payment information

  • Card data is collected and processed directly by Stripe; Shift Labs receives only Stripe's tokenized payment-intent and charge identifiers, transaction amounts, and limited metadata. We do not store full card numbers.

e. Device and log data

  • IP address, user agent, request timestamps, error and audit logs
  • QR-code / pass-token issuance and check-in events

3. How we use information

  • To operate the Platform: register riders, run events, process payments, generate QR passes, and check riders in
  • To provide Tracks with the rider information they need to operate their events
  • To send transactional email (registration confirmation, waiver copy, refund notices)
  • To prevent fraud, abuse, and unauthorized access
  • To comply with our legal obligations

4. Sharing

We share personal information with:

  • The Track at which you register: rider, bike, waiver, race-class, payment-status, and guardian information for that Track's event.
  • Service providers we rely on to operate the Platform:
    • Stripe — payments, payouts, dispute handling
    • Clerk — authentication
    • Google Cloud Platform — database, file storage (waiver PDFs)
    • Resend — transactional email
  • Authorities when required by law, subpoena, or court order, or when necessary to investigate fraud or protect safety.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.

5. Retention

We retain different categories of information for different periods:

  • Waivers, registrations, and payment records: retained for at least seven (7) years from the event date, to cover personal-injury statutes of limitations and to satisfy payment-card / financial recordkeeping obligations. For waivers signed on behalf of a minor, retained for the longer of (a) seven years and (b) the minor's applicable age-of-majority plus the personal-injury statute of limitations in the relevant state.
  • Account information: retained for the life of the account and for a reasonable period afterwards, except where required to delete on request (see “Your rights” below).
  • Logs: retained for a rolling period appropriate to security and operational diagnostics.

[ATTORNEY: confirm retention floors for each state (especially CA, NY, FL, TX); confirm whether tolling rules for minors require longer retention than “age of majority + SOL”. Confirm interaction with CCPA right-to-delete carve-outs for fraud prevention and legal compliance.]

6. Your rights

Depending on where you live, you may have rights under state or other applicable privacy laws to:

  • Know and access the personal information we have about you
  • Request correction of inaccurate information
  • Request deletion of your information, subject to legally required exceptions
  • Opt out of any sale or sharing of personal information (note: we do not sell or share for advertising)
  • Opt out of certain automated decision-making (note: we do not use it)
  • Designate an authorized agent to act on your behalf

To exercise any of these rights, email privacy@holeshot.app. We will verify your identity before responding. Note that requests to delete waiver, registration, or payment records may be denied or partially denied where retention is required by law (see “Retention” above).

[ATTORNEY: insert state-specific rights summaries (CA / CO / CT / VA / UT / TX / OR / etc.) and the required verification language for each. Confirm whether a global “Notice of Right to Opt Out” link is required even though we don't sell.]

7. Children

The Platform is not directed to children. We do not knowingly permit a person under the age of 18 to create an account on the Platform. We do, however, allow parents and legal guardians to register a minor as a rider for a Track event by completing the registration form themselves on the minor's behalf.

We do not allow registrations for riders under the age of 6 through the Platform. For riders aged 6 to 12, the parent or legal guardian is the user of the Platform; we collect from the parent or guardian only the information described above (rider name, date of birth, bike, race class, emergency contact, and the signed waiver).

If you believe we have inadvertently collected personal information from a child under 13 in violation of applicable law, please contact us at privacy@holeshot.app and we will delete it.

[ATTORNEY: confirm framing of “parent is the user, not the child” under COPPA. Confirm whether verifiable parental consent (e.g., credit-card-with-notice method tied to the registration payment) is required before allowing under-13 registrations, or whether the current process suffices because Holeshot is a B2B SaaS used by guardians on a minor's behalf, not a service directed to children.]

8. Security

We use industry-standard technical and organizational measures to protect personal information, including encryption in transit, access controls, secret rotation, and audit logging. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

9. International users

The Platform is operated in and intended for users in the United States. We do not currently support EU/UK users; if you access the Platform from outside the United States, you do so on your own initiative and are responsible for compliance with local law.

10. Changes

We may update this Privacy Policy from time to time. Material changes will be communicated by email and / or notice on the Platform. The version identifier and last-updated date at the top of this page indicate the current version.

11. Contact

Shift Labs LLC
privacy@holeshot.app