What we collect, why we collect it, and what you can do about it — across Maintenance, Learn, and Race.
This policy covers all three FleetFixer platforms and everyone who interacts with them — club admins, maintenance staff, inventory managers, learners, coaches, athletes, parents, and visitors to our marketing site.
Maintenance: club admins and staff managing fleets, jobs, and inventory.
Learn: sailors using guides, quizzes, and interactive content.
Race: athletes, coaches, parents, and squad administrators.
| Category | Examples |
|---|---|
| Account info | Name, email, club or squad name, role, username |
| Maintenance data | Boat records, jobs, fault reports, inventory, uploaded photos |
| Learn activity | Quiz results, lesson progress, badges earned, time spent |
| Race data | Daily training logs, wellness questionnaires, coach notes, squad rosters, session photos and videos |
| Wearable health data (optional, opt-in only) | Activity summaries (type, duration, distance, calories), heart-rate samples during scheduled training sessions you confirm attendance for, daily resting heart rate, total sleep duration, derived load and recovery labels. See section 5 for detail. |
| Usage data | Pages visited, features used, browser and device info |
| Contact form | Name, email, club, and message content |
We use what we collect to:
Photos and videos uploaded to any FleetFixer platform — fault photos, maintenance images, athlete training clips, squad media, and anything else — are treated as special content under our Terms of Service.
FleetFixer reserves full rights to all photos and videos uploaded to the platform. By uploading, you grant us a perpetual, worldwide, royalty-free licence to use that media for operating, promoting, and improving the Service, including marketing, case studies, and training our product features.
You must have consent from any identifiable people in the media (and parental consent for minors) before uploading. To request removal of a specific photo or video, email hello@fleetfixer.io.
Athletes on the Race platform can choose to link a wearable device (Garmin, Polar, Suunto today, with other platforms added over time). This data is collected only with the athlete's explicit consent, and only to the narrow extent described below. It is classed as special category or sensitive personal data under most privacy regimes and we treat it as such.
Lawful basis. Explicit consent under UK GDPR Article 9(2)(a) and EU GDPR Article 9(2)(a); equivalent consent bases under UAE PDPL, Saudi PDPL, Qatar Data Protection Law, Bahrain PDPL, Israeli Protection of Privacy Law, and US state laws including California CCPA/CPRA and Washington MHMDA.
What we store.
What we do not store. SPO2, raw heart-rate variability traces, detailed sleep stages, GPS routes, or location.
Who sees what. Your coach sees activities you confirm against a scheduled session, plus any activity you manually share. Load and recovery labels are shared only if you opt in. Heart-rate traces are overlaid on training videos only when the video is tied to a scheduled session you attended and you have opted in to video overlays. Minute-by-minute heart rate outside those windows is never visible to a coach.
Audit log. Every time a coach views your heart-rate overlay we record the access in a log you can read from the parent portal or your own profile. This is the transparency counterweight to coach visibility.
Not medical advice. This data is for training context. It is not diagnostic and must not be relied on for medical decisions.
Withdraw, delete, export. You can disconnect a device at any time, toggle any sharing scope off, delete every wearable record, or export a machine-readable copy of everything stored. Deletion flags your data as inaccessible the instant you tap the button and triggers a background worker that clears the physical records and tells the upstream Open Wearables instance to delete its copy.
The Race platform is used by junior athletes, some of whom are under 18. We take this seriously. Accounts for users under 18 must be created or approved by a parent, guardian, or club administrator, and parent portal access is available for visibility.
Wearable linking applies a stricter age threshold than the rest of the platform. Athletes under 16 require parental consent (through the parent portal or a magic-link email). In the United Arab Emirates, Saudi Arabia, Qatar, Bahrain and Israel that threshold rises to under 18 because those jurisdictions treat everyone under 18 as a minor. Between the local threshold and 18, athletes can self-consent with an explicit confirmation screen, and any linked parent receives an informational notification.
Read our Safeguarding Policy for the full picture, including how we handle concerns, reporting channels, and our commitments to clubs running junior programmes.
Your data is stored on Google Cloud Platform via Firebase (Firestore, Authentication, Cloud Storage, and Cloud Functions). Data sits in secure, SOC 2 compliant data centres. All traffic is encrypted in transit (TLS) and all stored data is encrypted at rest.
Multi-tenant data is strictly scoped per club: one club cannot see another's records, and Firestore security rules enforce this at the database layer. Wearable health data is segmented a second time: an athlete-only tree holds raw samples, a coach-visible tree holds only what the athlete has opted to share. Every coach read of heart-rate data is logged and visible to the athlete.
The Open Wearables service (an open-source project we self-host) provides the unified API between wearable vendors and the race app. It runs on infrastructure we control, in a single region that is documented per environment on our sub-processor page.
We retain your account-level data while your account is active. If you delete your account we remove your personal data within 30 days. Aggregated, anonymised data may be retained for analytics and product development.
Media content uploaded under the licence in section 4 may be retained beyond account deletion for the purposes granted by that licence.
Wearable health data follows a stricter, rolling schedule so we only keep what is genuinely useful:
| Service | Purpose |
|---|---|
| Google Firebase | Authentication, database, file storage, hosting |
| Google Cloud Functions | Server-side logic for Race and Maintenance |
| Google Fonts | Web font delivery |
| Font Awesome CDN | Icon delivery |
| Stripe | Subscription billing (when on a paid plan) |
| Open Wearables (self-hosted) | Unified API between wearable vendors and the race app |
| Garmin Connect | Source of activity data when you link a Garmin account |
| Polar Flow | Source of activity data when you link a Polar account |
| Suunto | Source of activity data when you link a Suunto account |
Each of these services has its own privacy policy governing how they process data. Our complete, always-current sub-processor list lives at sub-processors.
We serve athletes, coaches and clubs across the UK, European Economic Area, United States, and Middle East. Storage and processing happen in a single region per environment, disclosed on our sub-processor page. If your data is transferred outside your home jurisdiction, we rely on the following legal mechanisms:
Athletes in Washington state should additionally read our Consumer Health Data Privacy Policy which meets the specific format requirements of the Washington My Health My Data Act.
If you are in the UK or the European Economic Area you have the following rights:
For wearable data specifically, the same rights are available as in-app controls on your profile page (Connect, Disconnect, scope toggles, Download my data, Delete all my wearable data).
Depending on where you live, your rights are backed by different laws. The full list: UK GDPR and Data Protection Act 2018, EU GDPR, California CCPA/CPRA, Washington My Health My Data Act, Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas, Oregon, UAE PDPL and DIFC Data Protection Law, Saudi PDPL, Qatar Data Protection Law 13/2016, Bahrain PDPL 2018, Israeli Protection of Privacy Law, Australian Privacy Act, New Zealand Privacy Act, and Canadian PIPEDA. If your regime is not listed and you believe it should apply, write to us and we will confirm our position within 30 days.
To exercise any of these, email hello@fleetfixer.io and we'll respond within 30 days. You also have the right to complain to your local data-protection authority (for example the UK Information Commissioner's Office, your EU member-state DPA via the lead authority, your US state Attorney General, the UAE Data Office, or SDAIA in Saudi Arabia).
We may update this policy from time to time. We'll notify registered users of significant changes by email. The "last updated" date at the top of this page will always reflect the most recent revision.
Our team will get back to you within 30 days — usually much faster.
hello@fleetfixer.io