Privacy Policy

Trackday Pty Ltd · Last updated 5 May 2026

1. Who we are

Trackday Pty Ltd (ACN pending) is an Australian company registered in Victoria. We operate the Trackday community platform at trackday.com.au, the Trackday mobile app (com.trackday.mobile), and the Marshal cryptographic companion app (com.trackday.marshal).

For privacy enquiries, contact [email protected].

2. What we collect

We collect the minimum information needed to provide the platform.

Account information

  • Email address
  • Phone number (verified via SMS)
  • Display name and chosen handle
  • Optional: profile photo, vehicle details you publish to your garage

Marshal app: additional data

  • Public Marshal ID (a 9-character receive-only address, never reveals personal data on its own)
  • Device attestation (Apple App Attest / Google Play Integrity): proves the request comes from a real Marshal app on a real device
  • A signature image you create on-device (drawing, typed signature, or photograph), stored encrypted on YOUR device, never on our servers
  • Cryptographic public keys (Secure Enclave / StrongBox) registered to your Marshal device: we hold the public half only, the private half never leaves your device

Usage data

  • Pages and features you use, timestamps, device type / OS version
  • IP address (used for rate limiting and SIM-swap forensics on Marshal)
  • Crash reports (Sentry): aggregated, never includes message content

What we DON'T collect

  • Marshal document plaintext: encrypted on-device, only ciphertext on our relay
  • Your private cryptographic keys (Secure Enclave on iOS, StrongBox on Android)
  • Contacts, photo library, location (unless you explicitly share an event location)
  • Messages or DMs that occur outside the Trackday platform

3. How we use it

  • Provide the platform features you signed up for
  • Verify your identity (SMS code on sign-up, biometric on Marshal sensitive actions)
  • Send transactional notifications (sign-in security, document delivery)
  • Investigate fraud, abuse, or security incidents (e.g. SIM-swap forensic trail)
  • Comply with legal obligations including the Privacy Act 1988 (Cth) and the Australian Privacy Principles

We do NOT sell your personal information. We do NOT share it with advertisers. We do NOT use it to train AI models for third parties.

4. Where we store it

Personal data is stored on Australian-resident infrastructure (Melbourne and Sydney data centres) by default. Specifically:

  • Application database: PostgreSQL on Trackday-operated servers in Australia (Equinix ME1 / SY3)
  • Object storage (photos, documents): Wasabi S3, ap-southeast-1 (Singapore)
  • Marshal cryptographic key infrastructure: OpenBao on Trackday-operated infrastructure in Australia
  • Backups: Backblaze B2 with US-based region for disaster recovery only

Some service providers (e.g. AWS for SMS delivery, Apple for push notifications) may process your data outside Australia. We require all such providers to comply with the Australian Privacy Principles.

5. How we protect it

  • TLS 1.3 in transit, AES-256 at rest
  • Argon2id password hashing (no plaintext passwords ever stored)
  • Marshal documents encrypted client-side; we hold ciphertext only with a 7-day TTL (30 days for premium subscribers)
  • Cryptographic keys: Apple Secure Enclave / Google StrongBox on device; OpenBao Transit for server-side signing keys
  • Hash-chained audit log: every Marshal account binding is cryptographically replayable
  • SOC 2-aligned operating practices; quarterly key rotation

6. Your rights

Under the Privacy Act 1988 (Cth) and Australian Privacy Principles, you have the right to:

  • Access the personal information we hold about you
  • Correct information that is inaccurate or out of date
  • Request deletion of your account and associated data
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)

To exercise any of these rights, email [email protected]. We respond within 30 days.

GDPR rights for EU/UK users (right to erasure, right to data portability, right to object to processing) are honoured on the same email address.

7. Cookies and tracking

Trackday uses essential cookies for sign-in sessions and feature flags. We use Sentry for error tracking; analytics are first-party only (PostHog self-hosted on Australian infrastructure). We do NOT use Google Analytics, Facebook Pixel, or any third-party advertising trackers.

8. Children

The Trackday platform is intended for users aged 16 and over. We do not knowingly collect information from children under 16. If you believe a child has created an account, email [email protected].

9. Changes to this policy

We post material changes to this policy here at least 30 days before they take effect, and notify active users by email or in-app notification. The "Last updated" date at the top of this page reflects the most recent revision.