Trust & Security

This page is maintained by the team behind Women Cycling Race Data Hub to answer common questions about privacy, security and data handling on womencyclingracedata.com. It describes the controls we actually use today; it is not an independent audit or certification.

At a glance

Independent, non-commercial site — no advertising, no cross-site tracking, no data sold.
Public race information (calendar, results, GPX, roadbooks) served to anyone.
Administrative actions require a signed-in account with an explicit admin role.
Data is hosted in the EU on a managed Postgres backend.
All traffic is served over HTTPS.

What data we collect

Contact form submissions: name, email and message, used only to reply to you.
Visitor logs: per-pageview IP address, country (derived from the cf-ipcountry request header set by Cloudflare), path, referrer, user-agent and timestamp. Used for audience measurement, abuse prevention and diagnostics. See the Privacy Policy for the full legal basis and retention details.
Accounts: sign-up is open via email/password (with email confirmation) or Google sign-in. A new account stores only the email, hashed password (or Google identity) and confirmation timestamps in our managed auth provider. Administrative access requires a separate admin role row that is granted manually by an existing administrator — it is never assigned automatically on sign-up, so a self-created account has no elevated access to site data.
Cookies: a minimal set described in the Cookie Policy. No advertising or cross-site tracking cookies.

Security controls

Transport: HTTPS everywhere, terminated by our hosting and CDN platform.
Authentication: email/password and Google sign-in via our managed auth provider. Passwords are stored hashed; we never see them in cleartext.
Authorisation: admin actions are gated by a server-side role check. Roles live in a dedicated table and are evaluated by a SECURITY DEFINER database function so they cannot be escalated from client code.
Row-Level Security: every table in our database has Row-Level Security enabled with explicit policies; public data is exposed read-only through narrow API routes that return only safe columns.
File uploads: admin file uploads (logos, emblems, PDFs, GPX) validate MIME types against a strict per-kind allowlist and are served with X-Content-Type-Options: nosniff to prevent browser type-sniffing.
Audit logging: administrative actions and asset changes are recorded to append-only audit tables that cannot be written from the client.
Secrets: service credentials live in server-only environment variables and never reach the browser bundle.

Subprocessors

We share information only with the service providers needed to run the site. None of them receive data for advertising purposes.

Lovable Cloud (Supabase, EU region) — managed Postgres database, authentication, file storage and serverless functions that host the application.
Cloudflare — application runtime (edge workers), content delivery, DDoS protection and privacy-friendly web analytics. As the network layer in front of the site, Cloudflare processes all request metadata.
Google (Sign-In) — optional OAuth provider used only for administrator sign-in. No end-user data is shared with Google.
Google Drive API — read-only ingestion of race data files (results, roadbooks, GPX) that race organisers publish on Google Drive. We call the API with a service key; no visitor data is sent to Google here.
Lovable Emails — transactional email delivery (contact form confirmations, auth emails) sent from notify.womencyclingracedata.com, processed in the EU.

Data retention & deletion

Contact form submissions are kept as long as needed to handle your enquiry. Visitor log entries (including full IP address) are kept indefinitely under the legitimate-interests basis described in the Privacy Policy. You can request erasure or restriction of records tied to your IP address by emailing us — we will honour valid requests unless an overriding legal obligation requires retention.

Your rights

If you are in the EEA or the UK, you have rights of access, rectification, erasure, restriction, objection and portability under the GDPR. The full list and the procedure to exercise them live in the Privacy Policy.

Reporting a security issue

If you believe you have found a security vulnerability or a privacy issue, please email info@womencyclingracedata.com with a clear description and reproduction steps. We will acknowledge your report and work with you in good faith to investigate and resolve it. Please give us a reasonable window to fix the issue before any public disclosure.

Status & updates

This is a small, independent project — there is no 24/7 support desk and no formal SLA. We strive for high availability but do not guarantee it. Material changes to the controls described on this page will be reflected here with a new “last updated” date.