Privacy Policy
ApexStats by Witzora · Last updated: 2026-04-13
1. Who We Are
ApexStats is developed and operated by Witzora ("we," "us," or "our"), based in Sweden.
- Contact email: contact@witzora.com
- Privacy inquiries: contact@witzora.com
- Website: witzora.com/apexstats
We are the data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR) and other applicable privacy laws.
We have not appointed a Data Protection Officer as our processing activities do not require one under Article 37 GDPR. For all data protection inquiries, please contact us at the email address above.
2. Scope and Applicability
This Privacy Policy applies to the ApexStats mobile application (iOS and Android), including all features, services, and content provided through it.
Age requirement: ApexStats is intended for users aged 13 or older. In some jurisdictions, the minimum age for consenting to data processing may be higher (for example, 16 in Germany and the Netherlands). If you are below the digital age of consent in your country, you must have your parent or guardian's permission to use ApexStats.
We do not knowingly collect personal data from anyone under the age of 13. See Section 13 (Children's Privacy) for details.
3. Data We Collect
We collect the following categories of data:
3.1 Account Data
When you create an account, we collect:
- Email address: Provided through your sign-in method (Google Sign-In, Apple Sign-In, or email registration). We do not collect or store passwords — authentication is handled securely by your sign-in provider or by Firebase Authentication.
- Display name: A username chosen by you. This does not need to be your real name unless you choose to use it.
- Authentication provider identifier: A technical ID from your sign-in provider used to link your account.
3.2 Usage Data
As you use the app, we collect:
- Favorite drivers, teams, and racing series
- Notification preferences and settings
- Content you interact with (race results, standings, statistics views)
3.3 Device and Technical Data
We automatically collect:
- Device type, model, and operating system version
- App version
- IP address
- Language and locale settings
- Timezone (used to display race times in your local time)
3.4 Analytics Data
Through Firebase Analytics (Google), we collect analytics data that is reported via Google Analytics (GA4). These are the same system — Firebase Analytics is the SDK in the app, and Google Analytics (GA4) is the reporting platform where the data is analyzed. Data collected includes:
- App usage events (features accessed, screens viewed)
- Session duration and frequency
- App performance metrics
- Crash and error reports
- App instance identifier (a random ID assigned to your app installation)
- General demographic and interest data (aggregated, not personally identifiable)
3.5 Advertising Data
Through Google AdMob, when you interact with advertisements:
- Ad interaction data (impressions, clicks)
- Device advertising identifier (IDFA on iOS, AAID on Android), only with your consent
- General location (country/region level, derived from IP address)
4. How We Collect Data
- Directly from you: When you create an account, set your display name, choose preferences, select favorite series or drivers, or contact us.
- Automatically: Through Firebase Analytics, AdMob, and standard technical logging when you use the app.
- From third parties: Your authentication provider (Google or Apple) shares your email address and name when you sign in.
5. Legal Basis for Processing (GDPR)
Under the GDPR, we process your data based on the following legal grounds:
| Purpose | Legal Basis | GDPR Article |
|---|---|---|
| Account creation and management | Performance of contract | Art. 6(1)(b) |
| App functionality (favorites, preferences, notifications) | Performance of contract | Art. 6(1)(b) |
| Security and fraud prevention | Legitimate interest | Art. 6(1)(f) |
| Analytics and app improvement | Consent | Art. 6(1)(a) |
| Personalized advertising | Consent | Art. 6(1)(a) |
| Non-personalized advertising | Legitimate interest | Art. 6(1)(f) |
| Push notifications (race results, session times) | Consent | Art. 6(1)(a) |
| Responding to your requests | Performance of contract | Art. 6(1)(b) |
| Legal compliance (tax, fraud) | Legal obligation | Art. 6(1)(c) |
Legitimate interest details: Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your rights. Our legitimate interests include maintaining security, preventing abuse, and serving non-personalized advertisements to support the free service. You have the right to object to processing based on legitimate interest (see Section 11).
6. How We Use Your Data
We use your data to:
- Provide the service: Create and manage your account, save your preferences, deliver race data and statistics for the series you follow.
- Personalize your experience: Show relevant content based on your favorite series, drivers, and teams.
- Send notifications: Alert you about race results, upcoming sessions, and championship updates (with your consent).
- Improve the app: Analyze usage patterns to fix bugs, improve performance, and develop new features (only with your analytics consent).
- Show advertisements: Display ads through Google AdMob. Personalized ads are shown only with your explicit consent; otherwise, non-personalized ads are displayed.
- Ensure security: Detect and prevent fraud, abuse, and violations of our terms.
- Comply with legal obligations: Respond to lawful requests from authorities and maintain records as required by law.
7. Advertising and Consent
ApexStats is a free app supported by advertising through Google AdMob.
7.1 Types of Ads
- Personalized ads: Tailored to your interests based on your activity. These are only shown if you give explicit consent through the consent dialog presented when you first use the app.
- Non-personalized ads: Generic ads not based on your personal data. These are shown if you decline personalized advertising.
7.2 Consent Framework
We use Google's User Messaging Platform (UMP) to collect your advertising consent in compliance with the IAB Transparency and Consent Framework (TCF). You can change your advertising preferences at any time in the app's Settings under "Consent Management."
7.3 Data Shared with Google for Advertising
When personalized ads are enabled, the following may be shared with Google:
- Device advertising identifier
- General location (country/region)
- Ad interaction data
Google processes this data under its own privacy policy. For details, see: policies.google.com/privacy
8. Data Sharing and Third Parties
We do not sell your personal data.
We share data with the following categories of service providers, who process data on our behalf under data processing agreements:
| Service Provider | Data Shared | Purpose |
|---|---|---|
| Google Firebase (Cloud Firestore, Authentication) | Account data, preferences, settings | Core app infrastructure, data storage, authentication |
| Google Firebase Analytics | Analytics data, device data | App usage analysis and improvement |
| Google AdMob | Advertising data, device identifiers | Ad serving (personalized and non-personalized) |
| Apple / Google (sign-in providers) | Authentication tokens | Account authentication |
We may also share data:
- When required by law, regulation, or legal process.
- To protect the rights, safety, or property of Witzora, our users, or the public.
- In connection with a merger, acquisition, or sale of assets (you will be notified).
9. International Data Transfers
Witzora is based in Sweden (EU). However, our service providers, particularly Google (Firebase, Analytics, AdMob), process data in the United States and other countries outside the EU/EEA.
These transfers are protected by:
- EU-US Data Privacy Framework (DPF): Google LLC is certified under the EU-US Data Privacy Framework.
- Standard Contractual Clauses (SCCs): Google's Data Processing Terms incorporate EU-approved Standard Contractual Clauses as an additional safeguard.
For more information about Google's data processing commitments, see: firebase.google.com/support/privacy
10. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period |
|---|---|
| Account data (email, display name, profile) | Duration of your account. Permanently deleted when you request deletion. |
| Preferences and favorites | Duration of your account. Deleted together with your account upon deletion. |
| Analytics data (Firebase Analytics / GA4) | 14 months (Google's default retention period, configured in Firebase Console) |
| Advertising data (AdMob) | Per Google's retention policy (see Google's privacy policy) |
| Consent records | Duration of your account. Deleted together with your account upon deletion. |
| Authentication tokens | Session duration |
| Cloud Functions logs | 30 days (Google Cloud's default log retention) |
| Crash and error reports | 90 days (Firebase Crashlytics default) |
How deletion works
When you request account deletion:
- Your account data, preferences, favorites, and settings are permanently deleted.
- Analytics and advertising data linked to your device continue to be retained and expire per the retention periods above.
- The deletion is irreversible.
11. Your Rights
11.1 Rights Under GDPR (EU/EEA Users)
You have the right to:
- Access your personal data and receive a copy (Art. 15)
- Rectification of inaccurate or incomplete data (Art. 16)
- Erasure ("right to be forgotten") of your data (Art. 17)
- Restriction of processing in certain circumstances (Art. 18)
- Data portability — receive your data in a structured, machine-readable format (Art. 20)
- Object to processing based on legitimate interest, including profiling (Art. 21)
- Withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 7)
- Not be subject to automated decision-making with legal or significant effects (Art. 22)
11.2 Rights Under CCPA/CPRA (California Residents)
You have the right to:
- Know what personal information we collect, use, and share
- Delete your personal information
- Correct inaccurate personal information
- Opt out of the sale or sharing of your personal information
- Limit the use of sensitive personal information
- Non-discrimination for exercising your rights
11.3 Rights Under Other US State Laws
Residents of Virginia, Colorado, Connecticut, Texas, and other states with comprehensive privacy laws have similar rights to access, delete, correct, and opt out of targeted advertising and data sales. Contact us to exercise these rights.
11.4 How to Exercise Your Rights
You can exercise your rights in two ways:
- In the app: Go to Settings to manage consent, or delete your account.
- By email: Send your request from the email address associated with your account to contact@witzora.com. This allows us to verify your identity and protect against unauthorized requests.
Response times:
- GDPR requests: within 30 days
- CCPA/CPRA requests: within 45 days
- We will confirm receipt and may request additional verification
We will never discriminate against you for exercising your privacy rights.
12. California-Specific Disclosures (CCPA/CPRA)
12.1 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories (as defined by the CCPA):
| CCPA Category | Examples | Collected |
|---|---|---|
| A. Identifiers | Email address, display name, device ID, IP address | Yes |
| B. Personal information (Cal. Civ. Code § 1798.80) | Name, email address | Yes |
| D. Commercial information | In-app purchase history (when applicable) | Not yet |
| F. Internet or electronic network activity | App usage, browsing history within app, ad interactions | Yes |
| G. Geolocation data | Country/region (from IP address) | Yes |
| K. Inferences | Ad personalization profiles (by Google AdMob) | Yes (with consent) |
12.2 Sale and Sharing of Personal Information
We do not sell personal information.
When you consent to personalized advertising, your device advertising identifier and ad interaction data may be shared with Google AdMob for targeted advertising purposes. Under the CCPA/CPRA, this may constitute "sharing" of personal information.
To opt out: Go to Settings and disable personalized advertising. You can also adjust settings through the consent dialog shown at app launch.
12.3 Sensitive Personal Information
We collect account login credentials (email via third-party authentication). We do not use or disclose sensitive personal information for purposes beyond providing the service.
13. Children's Privacy
ApexStats is not directed at children under 13. We do not knowingly collect personal data from children under 13 years of age.
If we discover a child's data: If we become aware that we have collected personal data from a child under 13, we will promptly delete the account and all associated data. If you believe a child under 13 has created an account, please contact us at contact@witzora.com.
EU age variations: In EU member states where the digital age of consent is higher than 13 (for example, 16 in Germany and the Netherlands), users below that age must have parental or guardian consent. By using the app, users (or their parents/guardians) confirm they meet the applicable age requirement in their jurisdiction.
COPPA compliance: As a service not directed at children under 13, we comply with COPPA by not knowingly collecting data from children. Parents or guardians with questions may contact us at contact@witzora.com.
14. Automated Decision-Making and Profiling
Ad personalization: When you consent to personalized advertising, Google AdMob uses automated profiling to select ads relevant to your interests. This profiling is based on your device identifier, ad interaction history, and general location. It does not produce legal effects or similarly significantly affect you.
You can opt out of ad personalization at any time through Settings. When opted out, only non-personalized ads are shown.
No other automated decisions: We do not use automated decision-making for account actions or access to features.
15. Cookies and Similar Technologies
The mobile app does not use traditional browser cookies. However, Firebase and AdMob use similar technologies:
- App instance ID: A random identifier assigned to your app installation by Firebase Analytics, used to count unique users and track sessions.
- Device advertising identifier: IDFA (iOS) or AAID (Android), used for ad personalization only with your consent.
- Local storage: Used to cache your preferences, notification settings, and content data on your device for offline access.
16. Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Firebase Security Rules restricting data access
- Authentication via trusted providers (Google, Apple)
- Access controls limiting who can access production data
- Regular review of security practices
No system is completely secure. While we strive to protect your data, we cannot guarantee absolute security. If we become aware of a data breach that poses a risk to your rights, we will notify you and the relevant authorities as required by law.
17. Supervisory Authority
If you are in the EU/EEA and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with a supervisory authority.
Our lead supervisory authority is:
Integritetsskyddsmyndigheten (IMY)
Swedish Authority for Privacy Protection
Box 8114, 104 20 Stockholm, Sweden
Website: www.imy.se
Email: imy@imy.se
Phone: +46 8 657 61 00
You also have the right to lodge a complaint with the supervisory authority in your country of residence.
18. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we make changes:
- We will update the "Last updated" date at the top of this policy.
- For significant changes, we will notify you through the app (via a notice or consent prompt).
- If changes affect processing based on your consent, we will request new consent where required.
Continued use of ApexStats after changes take effect constitutes acceptance of the updated policy. If you do not agree with the changes, you may delete your account.
19. Contact Us
If you have questions about this Privacy Policy, your personal data, or wish to exercise your rights:
Email: contact@witzora.com
Website: witzora.com/apexstats
We aim to respond to all inquiries within 30 days.