Introduction
This Privacy Policy explains how ApexIQ ("the Application", "we", "us", "our") collects, uses, stores, and protects your personal data when you use our desktop application and related services.
We are committed to protecting your privacy and handling your data transparently and in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the Turkish Personal Data Protection Law (KVKK), where applicable.
By using ApexIQ, you consent to the data practices described in this policy.
Data Controller
ApexIQ is operated by Özgür Mustafa Divarcı, which acts as the data controller for your personal data.
Data We Collect
Account Data
When you register for an account, we collect:
- Username (required)
- Email address (required)
- Password (stored as a bcrypt hash; we never store your plain-text password)
Optionally, you may provide:
- Profile information: biography (max 500 characters), location (max 100 characters), favorite car (max 100 characters)
- Profile picture: an avatar image you upload
Telemetry Data
When you use ApexIQ with an active iRacing session, the Application reads live telemetry data from iRacing's shared memory. This includes but is not limited to: speed, throttle position, brake position, steering angle, lap times, sector times, lap distance, gear, engine RPM, fuel level, position data (world coordinates for track map), weather and track conditions, tire temperatures, and driver assist status (traction control, ABS).
This data is processed locally on your device and is not transmitted to our servers unless you choose to share it.
Lap Recording Data
When a lap is completed, the Application records a snapshot of the lap's telemetry data. All lap recordings are stored locally on your device and encrypted using AES-256-GCM with a per-machine encryption key. Lap recordings are only uploaded to our servers if you explicitly choose to share them with the community.
Leaderboard Data
When you set a personal best lap time, the Application automatically submits the following to our servers for leaderboard participation: track name, car name, lap time, and a validation fingerprint (derived from distance, speed, and fuel data, used solely for anti-cheat purposes). This data is associated with your user ID and username.
Community & Profile Data
When you interact with community features, we may collect team names, tags, descriptions, membership roles, event configurations, follow/unfollow relationships, profile comments, and notifications.
Usage Data
We may collect technical information about how you use the Application, including application version, operating system, feature usage statistics, and error and crash logs (stored locally; not automatically transmitted).
Data We Do NOT Collect
We do not collect your real name (unless voluntarily included in your profile), your IP address for analytics purposes, your iRacing account credentials, or location data from your device (GPS).
Legal Basis for Processing
We process your personal data based on:
- Contractual necessity - to provide the Application and fulfill your account registration.
- Legitimate interests - improving the service, preventing abuse, and maintaining security.
- Consent - for optional features such as lap sharing and AI analysis.
For users located in Türkiye, data processing is carried out in accordance with KVKK (Law No. 6698).
How We Use Data
We use the data we collect for the following purposes:
| Purpose | Data Used |
|---|---|
| Account creation and authentication | Email, username, password hash |
| Displaying your profile to other users | Username, avatar, bio, location, favorite car |
| Leaderboard ranking | Lap time, track, car, username |
| Anti-cheat validation of lap submissions | Validation fingerprint derived from telemetry |
| AI Coach analysis | Aggregated telemetry statistics |
| Team and event management | Team membership data, event configurations, stints |
| Profile interactions | Follow relationships, comments |
| Email communications (verification, password reset, announcements) | Email address |
| Application improvement and debugging | Usage data, error logs (local only) |
We do not sell your personal data to third parties.
Telemetry & Lap Data Handling
Local Storage and Encryption
All telemetry and lap recordings are stored locally on your device in %APPDATA%/ApexIQ/saved_laps/<user_uuid>/.
Each lap file is encrypted using AES-256-GCM with a unique encryption key generated per machine.
Lap Sharing
You control whether to share your lap data with other users. When you share a lap, the full lap recording (gzip-compressed JSON) is uploaded to our servers. You can set your sharing preference to one of three levels:
- Public: visible to all ApexIQ users
- Friends: visible only to users who follow you
- Private: visible only to you
Your current sharing preference applies to all your existing shared laps. You may change your sharing preference at any time, and the change takes effect immediately. The Application enforces a maximum of 100 shared laps per user.
Leaderboard Auto-Submission
Lap times are automatically submitted to the public leaderboard when you set a personal best. Only your lap time, track, car, and the anti-cheat validation fingerprint are submitted. The full telemetry data remains on your local device unless you choose to share the lap separately.
AI Processing & Third Parties
AI Coach (OpenRouter)
The AI Coach feature sends aggregated telemetry statistics to our servers, which then forward them to OpenRouter (openrouter.ai) for AI-powered analysis. The data sent includes track and car identifiers, lap times and sector deltas, aggregate speed/throttle/brake/steering statistics, brake zone comparisons, and weather/tire/fuel comparisons where applicable.
What is NOT sent: Raw telemetry arrays, your username, your email address, your user ID, or any personally identifiable information. Only the statistical summary of lap comparison data is transmitted.
The OpenRouter API key is stored exclusively on our server. It is never transmitted to or stored on your device. AI Coach access is limited by role: Administrators have unlimited analyses; Testers have 5 analyses per day (reset at UTC midnight); Regular users have no access.
Email Service (Brevo)
We use Brevo (formerly Sendinblue) to send transactional emails, including account verification emails and password reset emails. Your email address is shared with Brevo solely for the purpose of delivering these emails. Brevo's use of your data is governed by their own privacy policy.
Discord Rich Presence (Optional)
The Application can display your current iRacing activity (track, car, session time) on Discord through Discord's Rich Presence feature. This is optional and can be disabled in settings. When enabled, only the track name and car name are transmitted to Discord - no personal data from your ApexIQ account is shared.
Auto-Updater (GitHub)
The Application checks GitHub Releases for updates. This process transmits only the information required to check for and download updates. No personal data is shared.
Payments and Billing Data
If you purchase a subscription, payment processing is handled by Paddle. We do not store full payment details such as credit card numbers on our servers.
We may receive limited billing information such as subscription status, transaction IDs, and payment confirmation. This data is used solely to manage your subscription and provide access to paid features.
Data Retention
Account Data
We retain your account data for as long as your account is active. If your account remains inactive for an extended period, we may contact you before taking any action.
Lap Data
- Local lap data: stored on your device until you delete it manually or uninstall the Application.
- Shared laps on our servers: retained until you delete them or your account is deleted, subject to the 100-lap maximum.
Leaderboard Data
Leaderboard entries may be retained even after you delete your account to maintain the integrity and fairness of the leaderboard. If you delete your account, your entries will be anonymized (displayed without your username).
AI Coach Data
Telemetry summaries sent for AI Coach analysis may be logged temporarily for debugging and service improvement. These logs do not contain personally identifiable information.
Upon Account Deletion
When you request account deletion:
- Your account profile, email, username, and password hash are permanently deleted.
- Your shared laps are removed from our servers.
- Your team memberships and profile comments are removed.
- Leaderboard entries are anonymized.
- Data may remain in encrypted backups for up to 30 days before being permanently purged.
User Rights (GDPR & KVKK)
Depending on your jurisdiction, you may have the following rights regarding your personal data:
Right of Access
You may request a copy of the personal data we hold about you.
Right to Rectification
You may request that we correct any inaccurate or incomplete personal data.
Right to Erasure ("Right to be Forgotten")
You may request that we delete your personal data. This includes your account, profile, and shared content.
Right to Restrict Processing
You may request that we limit how we process your personal data.
Right to Data Portability
You may request a copy of your data in a structured, commonly used, machine-readable format.
Right to Object
You may object to our processing of your personal data based on legitimate interests.
Right to Withdraw Consent
Where processing is based on your consent, you may withdraw that consent at any time.
To exercise any of these rights, please contact us using the information in the Contact section. We will respond to your request within the timeframes required by applicable law (typically 30 days). We may need to verify your identity before processing your request.
Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption: Lap data stored locally is encrypted with AES-256-GCM. Passwords are hashed with bcrypt. Communication with our servers uses HTTPS (TLS).
- Access controls: Account access requires verified email and valid credentials. Administrative functions are restricted by role-based access control.
- WebSocket security: Local backend connections are authenticated with a one-time handshake token and restricted to localhost origins.
- Rate limiting: Our servers enforce rate limits to protect against abuse and brute-force attacks.
- Input validation: All inputs are sanitized to prevent injection attacks.
Despite these measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data. In the event of a data breach that affects your personal data, we will notify you and the relevant authorities as required by applicable law.
Cookies
ApexIQ does not use cookies.
The Application uses localStorage on your device to store your authentication token and user preferences. This data is local to your device and is not accessible to third parties. You may clear this data at any time by logging out of the Application or clearing your Electron application data.
Children's Privacy
ApexIQ is not intended for children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us so that we may delete it.
International Data Transfers
Your data may be transferred to and processed on servers located outside your country of residence. We ensure that such transfers comply with applicable data protection laws and that appropriate safeguards are in place.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this document. We may also notify you through the Application or via email for material changes.
Your continued use of ApexIQ after any changes constitutes your acceptance of the revised policy.
Contact
If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at:
Email: support@apexiqcoach.com
Address: İstanbul, Türkiye
Data Protection Officer: Not applicable