Privacy Policy

Effective May 2026 · DRAFT — pending attorney review · Tonka Tech LLC (JD Solutions Group S-Corp)

KartGenius ("the App") is a mobile application operated by Tonka Tech LLC (JD Solutions Group S-Corp) ("we," "us," or "our"), a Minnesota-based technology company. KartGenius is designed to help kart racing drivers and coaches improve performance by connecting to AIM Technologies MyChron data loggers, downloading session telemetry, and generating AI-powered coaching insights.

This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have regarding your personal data. By using KartGenius, you agree to the practices described in this policy.

1. Information We Collect

1.1 Account information

KartGenius uses anonymous authentication by default. Most users are not required to create an account or provide any personal information to use core features. If you choose to sign in with email or Apple ID, we collect:

• Email address
• Display name (optional)
• Apple ID token (if Sign in with Apple is used)

1.2 Telemetry data from your AIM device

When you connect to an AIM MyChron data logger, the App downloads session telemetry from the device over your local WiFi network. This data is stored in your account and may include:

• Lap times and sector splits
• GPS trace data (latitude, longitude, speed) recorded by the MyChron device
• Longitudinal and lateral acceleration (AccX, AccY)
• RPM and exhaust gas temperature (EGT)
• Session metadata (date, track name, pilot name as configured on the device)

1.3 AI coaching usage

When you request an AI coaching analysis, your session telemetry data is sent to our servers and processed by Anthropic's Claude AI. We collect:

• Session telemetry used to generate the coaching report
• The generated coaching report text
• Timestamp and session identifiers

We do not send identifying personal information (name, email) to Anthropic. API calls are made server-side via Supabase Edge Functions. No KartGenius API keys are exposed to the client.

1.4 Device and usage information

We automatically collect certain technical information when you use the App:

• Anonymous device identifier (generated at first launch)
• App version and iOS version
• Feature usage patterns (which screens are opened, actions taken)
• Crash reports and error logs via Sentry

We do not collect: device advertising identifiers (IDFA), precise device location, contacts, camera or microphone input, or any data from other apps on your device.

1.5 Subscription and payment information

Subscription purchases are processed by Apple through the App Store. We do not collect or store credit card numbers or payment details. We receive confirmation of subscription status from RevenueCat, our subscription management provider.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Providing AI coaching analysis and session insights
• Storing and displaying your session history across devices
• Managing your subscription and entitlements
• Diagnosing technical issues and improving app stability
• Improving the accuracy and relevance of our AI coaching models
• Complying with legal obligations

We do not use your data to serve third-party advertising. KartGenius does not sell personal data to third parties for marketing purposes.

3. Third-Party Services

We share data with the following third-party service providers to operate the App. Each provider's own privacy policy governs their use of data.

3.1 Supabase

Supabase provides our database, authentication, file storage, and server-side processing (Edge Functions). Your session data, coaching reports, and account information are stored on Supabase infrastructure.

• Data stored: anonymous user ID, session telemetry, coaching reports, device registry
• Location: United States (AWS us-east-1)
• Privacy policy: supabase.com/privacy

3.2 Anthropic

Anthropic's Claude AI processes session telemetry to generate coaching insights. Data is sent to Anthropic via server-side API calls only.

• Data sent: session telemetry (lap times, speed, braking, RPM, EGT, GPS trace)
• Data NOT sent: name, email, account identifiers
• Privacy policy: anthropic.com/privacy

3.3 RevenueCat

RevenueCat manages in-app subscription status and purchase validation.

• Data shared: anonymous user ID, subscription status, App Store receipt
• Privacy policy: revenuecat.com/privacy

3.4 Sentry

Sentry receives crash reports and error logs to help us diagnose technical issues.

• Data shared: anonymous device ID, app version, stack traces, error context
• No personally identifiable information is included in crash reports
• Privacy policy: sentry.io/privacy

3.5 Apple

The App is distributed through the Apple App Store. Apple's privacy practices apply to App Store interactions, Sign in with Apple, and in-app purchase processing.

• Privacy policy: apple.com/privacy

4. Data Storage and Security

Your data is stored on Supabase servers located in the United States. We implement the following security measures:

• All data transmitted between the App and our servers uses HTTPS/TLS encryption
• Database access is controlled by row-level security (RLS) policies — users can only access their own data
• API keys and service credentials are stored as server-side secrets and never exposed in the client app
• Supabase anonymous authentication ensures sessions are isolated per user

5. Data Retention

We retain your data for as long as your account is active or as needed to provide services. Specific retention periods:

• Session telemetry and coaching reports: retained indefinitely while your account is active
• Anonymous user accounts: retained until you request deletion
• Crash logs via Sentry: 90 days
• Subscription records: retained as required by Apple and tax regulations

If you delete your account, we will delete your personal data within 30 days, except where retention is required by law or legitimate business purposes (such as fraud prevention).

6. Your Privacy Rights

6.1 For all users

Regardless of location, you have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and associated data
• Export your session data

To exercise these rights, contact us at privacy@kartgenius.app.

6.2 California residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information
• Right to opt out of the sale of personal information (we do not sell personal information)
• Right to non-discrimination for exercising your privacy rights

We do not sell personal information as defined by the CCPA. To submit a verifiable consumer request, contact us at privacy@kartgenius.app.

6.3 European Economic Area, UK, and Swiss residents (GDPR)

If you are located in the EEA, UK, or Switzerland, you have rights under GDPR including:

• Right of access to your personal data
• Right to rectification of inaccurate data
• Right to erasure ('right to be forgotten')
• Right to restriction of processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent where processing is based on consent

Our legal bases for processing personal data are: (a) contract performance — to provide the services you've requested; (b) legitimate interests — to maintain security, prevent fraud, and improve our services; and (c) consent — where you have given explicit consent.

To exercise your GDPR rights, contact us at privacy@kartgenius.app. You also have the right to lodge a complaint with your local data protection authority.

7. Children's Privacy

KartGenius is rated 4+ on the App Store and is intended for use by kart racing participants of all ages, including children under 13, under parental supervision.

We do not knowingly collect personal information from children under 13 without verifiable parental consent. KartGenius's default mode uses anonymous authentication — no name, email, or identifying information is required. Where a child does provide personal information (such as an email address for account sign-in), we require that a parent or guardian review and consent to such collection.

Parents or guardians may contact us at privacy@kartgenius.app to review, correct, or delete information associated with a child's use of the App.

8. Local Network Access

KartGenius requests Local Network access permission to discover AIM MyChron devices on your WiFi network. Specifically:

• The App scans your local network (your WiFi router's /24 subnet) for devices listening on TCP port 2000, which is the standard AIM STCP protocol port
• No data is transmitted to the internet during the device scan
• All communication with the MyChron device occurs entirely on your local network
• We do not collect, store, or transmit your home or facility network configuration, IP addresses, or device inventory

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the App or by email (if you have provided one) at least 30 days before the changes take effect. Your continued use of KartGenius after changes become effective constitutes acceptance of the updated policy.

The current version of this policy is always available at kartgenius.app/privacy.

10. Contact Us

For privacy questions, data requests, or to exercise your rights, contact us at:

Tonka Tech LLC (JD Solutions Group S-Corp)
Privacy contact: privacy@kartgenius.app
General support: support@kartgenius.app
Website: kartgenius.app
Minnesota, United States