ROLLS&DIGS

Run the numbers · share the moment

Required reading

Privacy Policy

Last updated: June 8, 2026·Version 2.0·All legal docs ↗

Rolls & Digs is operated by Technooptics ("we", "us"). This Privacy Policy describes what personal data we collect, how we use it, who we share it with, and the rights you have. Questions: email privacy@rollsanddigs.com.

Quick summary

  • We never sell or rent your personal data.
  • Location is sampled only when a race / cruise / drive is active, or when you ask us to find nearby tracks / stations / shops.
  • You can export, correct, restrict, or delete your data at any time.
  • You can opt out of all non-essential cookies per category.
  • Children under 18 are not permitted on the Service.

1. Who we are

Technooptics, the operator of Rolls & Digs, is the data controller for the personal data described in this Policy. Contact: privacy@rollsanddigs.com or, for general inquiries, contact@technooptics.org.

2. What we collect

Personal data we may collect, depending on which features you use:

Account & profile

  • Email address, handle, display name, avatar image, country / region / locality (if you set them), preferred units (mph / km/h), display title, achievement points.
  • OAuth provider identifiers when you sign in with Google, Microsoft, or Apple — we receive only the basic profile your account exposes (sub-identifier, email, name, avatar URL).
  • Passkey credentials — credential id (random byte string), public key, signature counter, and friendly name.

Garage & community

  • Vehicle data: year, make, model, trim, color, modifications, horsepower estimate, photos, AI-rendered hero shots, build notes, business attributions.
  • Social graph: friendships, group memberships, follows.
  • Chat messages, group posts, and reactions.
  • Achievement records, badges earned, races finished, lap-time history.

Telemetry & location

  • GPS samples (latitude, longitude, speed, heading, accuracy, timestamp) collected only during an active race, cruise, drive, lap session, or hazard report.
  • Crowd-sourced public hazard pins (cop / crash / debris / gas / issue) — coordinates of the report only; never your user identity to other drivers.
  • Pulled-over recorder uploads (video / audio) — stored encrypted in your private "safety" bucket; only you can read these files.

Device & technical

  • App version, OS version, browser user-agent, language, time-zone, IP address (kept short-term for security and rate-limiting), crash diagnostics.

Payments

  • Stripe handles all card data; we never see card numbers, CVCs, or full bank details. We receive a customer id, last-4 of the card, brand, plan, billing cycle, and invoice metadata.

3. How we use it

  • To provide and operate the Service you signed up for.
  • To compute lap times, leaderboards, achievements, and live group sessions.
  • To recommend nearby tracks, events, businesses, E85 stations, and shops in your region.
  • To run safety features (sanctioned-event geofence, hazard clusters, jump-start detection).
  • To process payments and prevent fraud or abuse.
  • To respond to support requests, send service announcements, and notify you of legally required updates.
  • With your separate consent, to send marketing communications (you can unsubscribe any time).
  • To comply with legal obligations and to defend our rights.

4. Lawful bases (GDPR / UK GDPR)

If you are in the UK, EEA, or Switzerland, we process personal data on the following bases:

  • Contract — to provide the Service you signed up for, including session history, lap timing, payments.
  • Consent — for optional cookies, marketing, precise location, and AI-assistant chat content.
  • Legitimate interests — to keep the Service safe, prevent fraud, secure our infrastructure, and improve the product. Where we rely on legitimate interests we have balanced our interests against your rights and interests.
  • Legal obligation — to meet tax, accounting, and law-enforcement requirements.

5. Location data

Location is the most sensitive thing we touch. We sample precise GPS only:

  • While a race / cruise / drive / lap session is active.
  • When you tap "Use my current location" in the location picker.
  • When you optionally toggle nearby-discovery features (E85 stations, shops, events, tracks).

We never sell location data, never share precise location with third parties, and never run a passive background location service. The crowd-sourced public hazards feed shows only the geographic cluster centroid when at least 5 unique reporters agree within ~500 m in the last 15 minutes — individual reporters are never exposed.

6. Sensitive data

We do not request or process special categories of data (racial / ethnic origin, political opinions, religious beliefs, genetic / biometric, health, sexual orientation) other than:

  • Biometric authenticator output: when you register a passkey we store the cryptographic public key generated by your device, not the underlying biometric (Face ID / Touch ID / Windows Hello fingerprint never leave your device).
  • Pulled-over recordings: video / audio you choose to capture lives in a private bucket only you can access.

7. Cookies & tracking

See our Cookie Policy for the full list and per-category controls. Strictly-necessary cookies (auth session, CSRF, locale) cannot be disabled. Analytics and personalisation cookies are off until you opt in.

8. Sharing & sub-processors

We rely on the following sub-processors to deliver the Service. Each is bound by data-processing terms equivalent to ours:

  • Supabase — managed Postgres, Auth, Storage, Realtime (US).
  • Vercel — application hosting and CDN (US).
  • Stripe — subscription billing & PCI compliance.
  • Anthropic — Bella AI assistant (chat content you send is processed to produce a reply; we do not retain training data).
  • Google, Microsoft, Apple — OAuth identity providers (only when you sign in via them).
  • Photon by Komoot, OSRM Project, MapLibre / OpenStreetMap, CARTO, TomTom (where used) — map tiles and geocoding (your typed query is forwarded; your identity is not).
  • Hugging Face — image background removal + car detection during the AR Hero Shot capture.
  • NHTSA vPIC — vehicle make / model lookup from a VIN (you provide the VIN; we forward it).

Beyond these sub-processors, we share personal data only when (a) required by law (warrant, subpoena, court order), (b) necessary to defend against fraud or harm, or (c) you direct us to (e.g., when you join a public group, your handle / avatar become visible to other members).

We do not sell or rent personal data, and we do not engage in "sharing" for cross-context behavioural advertising as defined under the CCPA / CPRA.

9. International transfers

Our infrastructure is hosted in the United States. If you are located in the UK, EEA, Switzerland, or another region with cross-border restrictions, transfers happen under the Standard Contractual Clauses (SCCs) approved by the European Commission and the UK ICO, plus applicable supplementary measures (encryption in transit and at rest, access controls, data- minimisation).

10. Retention

  • Account data — kept while your account is active. Deletion within 30 days of account closure, save where retention is required by law (tax / accounting / fraud prevention).
  • Race & lap telemetry — kept as long as the parent race / session exists. Deleting a race or session removes the trace.
  • Pulled-over recordings — kept until you delete them. We never auto-delete.
  • Logs & security data — typically 30–90 days.
  • Backups — encrypted backups roll forward and age out within 30 days.

11. Your rights

Depending on where you live (GDPR, UK GDPR, Swiss FADP, LGPD, PIPEDA, etc.) you may have rights to:

  • Access the personal data we hold about you.
  • Receive a copy of it in a portable format.
  • Correct inaccurate data.
  • Delete data ("right to be forgotten").
  • Restrict or object to certain processing.
  • Withdraw consent at any time, without affecting prior processing.
  • Lodge a complaint with your local supervisory authority.

Email privacy@rollsanddigs.com or use the in-app controls in /settings and /profile. We will respond within 30 days.

12. US state-specific rights

California (CCPA / CPRA), Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana, Iowa, Tennessee, and Washington residents may have the following rights, in addition to those above:

  • Right to know what personal information we collect, use, disclose, and (if applicable) sell.
  • Right to delete personal information.
  • Right to correct inaccurate personal information.
  • Right to opt out of "sale" or "sharing" of personal information (we do neither, but the right exists).
  • Right to limit use of sensitive personal information.
  • Right to non-discrimination for exercising any of the above.

To exercise any right, email privacy@rollsanddigs.com. Authorised agents may submit requests on a consumer's behalf with a signed permission. We may need to verify your identity before fulfilling a request.

13. Children

The Service is intended for adults aged 18+. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA / UK). If you believe a child has provided personal data to us, contact privacy@rollsanddigs.com and we will delete it.

14. Automated decisions & AI features

Some features rely on automated processing or generative AI:

  • Bella (the in-app assistant) is powered by Anthropic. Your messages are sent to Anthropic to produce a reply; we tell Anthropic not to retain training data.
  • AI car detection & background removal (Hugging Face DETR & RMBG-1.4) runs on the photos you upload during Hero Shot capture.
  • Achievement & PR detection compares your lap / race results against your prior best.

We do not use AI to make decisions producing legal or similarly significant effects on you. You can decline AI features at any time by not using them.

15. Security

We implement administrative, technical, and physical safeguards designed to protect personal data: encryption in transit (TLS 1.3), encryption at rest (AES-256 via the underlying cloud), per-row Row-Level Security in the database, signed cookies and httpOnly auth tokens, scoped service-role keys, WebAuthn / passkey support, audit logging of administrative access, and secrets management. No system is impenetrable — we do not warrant absolute security.

16. Changes

We will notify you of material changes by email and an in-app banner before they take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

17. Contact & data-protection officer

Privacy enquiries: privacy@rollsanddigs.com
General: contact@technooptics.org
Postal address: provided on request via the email above.

We are not currently required to appoint a Data Protection Officer under Article 37 GDPR; the privacy contact above acts as our designated point of contact for data-protection matters.

© 2026 Rolls & Digs · Operated by Technooptics · Legal centre