Privacy Policy
Effective: 16 April 2026
This Privacy Policy explains what information PitStop Data collects when you use our website (pitstopdata.com) and our Formula 1 data API (the "Service"), why we collect it, how we use it, and what rights you have. It applies to everyone who visits pitstopdata.com or calls our API, regardless of where you are located.
1. Who We Are
PitStop Data is an independent project that provides a read-only Formula 1 data API distributed through the RapidAPI marketplace. For privacy questions you can reach us at [email protected].
2. What We Collect
We deliberately keep data collection to the minimum needed to run the Service. Specifically:
| Data | Purpose | Source |
|---|---|---|
| RapidAPI user ID | Identify which subscriber is calling the API, so we can apply the correct tier and quota | Forwarded in the X-RapidAPI-User request header by the RapidAPI gateway |
| Subscription tier | Enforce per-tier rate limits | X-RapidAPI-Subscription header |
| Request metadata | Security, abuse prevention, quality monitoring, debugging | Method, path, query parameters, response status, response time, cache hit flag, error code — recorded per request |
We do not collect:
- your name, email, postal address, or phone number (these stay with RapidAPI, which handles authentication and billing);
- payment information of any kind;
- IP addresses in our own application logs (our upstream CDN may record them at the network layer for security — see Section 5);
- browser cookies set by us. The pitstopdata.com landing page does not use first-party cookies, analytics scripts, or third-party trackers.
3. How We Use What We Collect
We use the data described above only to:
- deliver API responses and enforce plan limits;
- detect and prevent abuse, fraud, and attacks on the Service;
- diagnose errors and improve performance and reliability;
- generate aggregated, non-identifying statistics (for example, most-called endpoints).
We do not use your data for advertising, we do not build user profiles for marketing, and we do not sell personal data.
4. Legal Bases (GDPR)
If you are in the EU or UK, we rely on the following legal bases under the GDPR:
- Contract: processing needed to deliver the API you have subscribed to (tier enforcement, request routing);
- Legitimate interests: security, abuse prevention, service reliability, and aggregated analytics. These interests are weighed against your rights and freedoms.
5. Service Providers
We rely on a small set of infrastructure providers who process data on our behalf under their own terms. Each is bound to treat operational data confidentially.
- RapidAPI — authentication, subscription management, and billing for API access.
- Cloudflare — edge CDN, TLS termination, and DDoS protection. Cloudflare may process IP addresses and connection metadata at the network layer.
- Railway — application hosting in the European Union.
We do not share request metadata with any third party beyond what is technically required to operate through these providers.
6. International Transfers
Our application servers are hosted in the European Union. If you access the Service from outside the EU, your requests pass through our CDN and are processed on EU-based infrastructure. Where personal data is transferred outside your home region, we rely on the safeguards offered by our service providers (including standard contractual clauses where applicable).
7. Retention
We retain request metadata only as long as necessary for the purposes described in Section 3 — typically a rolling window suitable for operational diagnostics and abuse prevention — and then delete or aggregate it. Aggregated statistics that contain no identifiers may be retained indefinitely.
8. Your Rights
Depending on where you live, you may have some or all of the following rights with respect to your personal data:
- the right to know what personal data we hold about you and to request a copy;
- the right to correct inaccurate data;
- the right to ask us to delete your data;
- the right to restrict or object to certain processing;
- the right to data portability;
- the right to withdraw any consent you have given;
- the right to lodge a complaint with your local data protection authority.
Because the only identifier we hold is an opaque user ID issued by RapidAPI, to exercise rights over your account-level data (name, email, payment details) you should contact RapidAPI directly. To exercise rights over the request metadata tied to your RapidAPI user ID, email [email protected] and we will respond within a reasonable time, typically within 30 days.
9. California Residents
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA/CPRA) similar to those described in Section 8. We do not "sell" or "share" personal information as those terms are defined under the CCPA.
10. Children
The Service is intended for developers and is not directed to children under 16. We do not knowingly collect data from children under 16. If you believe a child has used the Service, please contact us and we will investigate and delete any data we find.
11. Security
We use industry-standard measures to protect the data we hold — HTTPS for all traffic, encrypted storage where appropriate, access controls over our infrastructure, and regular review of our systems. No system is perfectly secure; if we discover a breach affecting your data we will notify affected users without undue delay.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes we will update the Effective date at the top of this page and, where practical, announce the change on pitstopdata.com. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
13. Contact
Privacy questions, requests, or complaints can be sent to [email protected].