Privacy Policy

This policy explains what data HeroLap collects, why we collect it, and what your choices are. We try to keep it short and concrete.

1. What we collect

1.1 Account data

• Name, email address, hashed password
• Role (driver / instructor / admin) and email-verification status
• Profile and cover photos you upload
• Instructor profile: bio, headline, slug, public photo, Discord meeting URL

1.2 Driver content

• Video files you upload for review (stored on AWS S3)
• Optional telemetry files (.csv, .ld, .ibt, etc.)
• Notes you write to the Instructor on each upload
• Comments you post on a delivered review

1.3 Live training data

• Booked time slots and the products attached to them
• Messages exchanged with the Instructor about a booking

1.4 Payment data

Stripe processes payments on our behalf. We store the Stripe payment intent identifier and the gross/fee amounts; we do not store full card numbers, CVCs, or bank-account details. Instructors connect their own Stripe Connected Account; we store the account ID and onboarding status.

1.5 Operational data

• Server logs (request paths, IP, user-agent, timestamps)
• Error reports from the application
• Email delivery events from our outbound mail provider

2. How we use it

• To run the Service: authenticate you, route messages, charge payments, deliver reviews, send transactional emails.
• To improve the Service: aggregate usage and error patterns to prioritize fixes.
• To enforce our Terms of Service and prevent abuse.
• To comply with legal obligations (e.g. tax reporting, subpoenas).

We do not sell your personal data. We do not use your Driver Content to train AI models without your separate, opt-in consent.

3. Who we share it with

• Stripe — payments and Connected Account processing.
• AWS — hosting and S3 storage of video and photo uploads.
• SendGrid — outbound transactional email.
• Your Instructor (or Driver) — anything you upload or message in the context of an order or booking is shared with the counterparty.
• Authorities — if compelled by valid legal process.

Each subprocessor accesses only the minimum data needed for their function and is bound by contractual obligations to protect it.

4. Where we store it

Data is stored in AWS us-east-1 unless otherwise noted. If you are outside the United States, your data is transferred to and processed in the United States. We use standard contractual clauses or equivalent mechanisms where required.

5. How long we keep it

• Account data: while your account is active, plus 90 days after deletion (for support and chargeback purposes), then purged.
• Video uploads: until you delete the upload, your account, or two years after the last related order is closed — whichever comes first.
• Payment records: at least seven years for tax and accounting purposes.
• Server logs: 30 days.

6. Your rights

You can:

• access, update, or correct your account data from Settings;
• delete a video upload from your uploads list;
• delete your account by emailing [email protected];
• request a copy of your personal data, or its deletion, by emailing [email protected].

Residents of the EU/UK have rights under GDPR, and California residents have rights under CCPA. Contact us at the address above to exercise them.

7. Children

The Service is not intended for users under 16. We do not knowingly collect data from children under 16. If you believe a child has used the Service, contact us and we’ll delete the account.

8. Security

We use industry-standard practices: TLS in transit, hashed passwords (bcrypt), least-privilege access to production, S3 bucket policies for storage, and Stripe-managed PCI scope for payments. No system is perfect; if you discover a vulnerability please report it responsibly to [email protected].

9. Changes

We may update this policy. Material changes will be emailed to the address on your account at least 14 days before they take effect. The last-updated date at the top of this page tracks any change.

10. Contact

Privacy questions: [email protected].