Privacy Policy
This policy explains what personal data OnCut (“we”, “us”, “our”) collects, why, and what rights you have. OnCut is a third-party tool for Assetto Corsa / No Hesi that captures your runs and shows pace coaching — it is operated by OnCut, an individual based in the United Kingdom, who is the “data controller” for the purposes of UK data protection law (UK GDPR and the Data Protection Act 2018).
Questions or requests about your data: support@oncut.app.
1. What we collect
Account data — your email address, username, and a securely hashed password. If you sign in with Discord, we receive your Discord ID, username, and avatar. If you link Steam, we store your SteamID (and, where available, your Steam persona name and avatar).
In-game telemetry — when you use the OnCut app in-game, we collect data about your driving sessions on No Hesi servers: your SteamID, the track/map, lap and sector times, scores, run replay frames (vehicle position, speed and related telemetry sampled over time), and related run metadata.
Technical & usage data — IP address, browser/user-agent, and timestamped server logs, used for security, abuse prevention (rate-limiting), and diagnosing problems.
Cookies — a single essential session cookie to keep you logged in (we store only a hashed token, never your password). Our sign-up and verification pages may load Cloudflare Turnstile, which sets its own cookie to tell humans from bots. See “Cookies” below.
2. How we use your data, and our lawful basis
- To run your account and the service (sign-in, syncing your runs and personal bests, showing your dashboard) — lawful basis: performance of a contract with you.
- To verify your email and keep accounts secure (verification links, rate-limiting, captcha, fraud/abuse prevention) — lawful basis: legitimate interests in operating a secure service, and legal obligation where applicable.
- To capture and store your runs/telemetry so you can review them and compare pace — lawful basis: performance of a contract (it’s the core feature you signed up for).
- To maintain logs for security and troubleshooting — lawful basis: legitimate interests.
We do not sell your personal data, and we do not use it for third-party advertising.
Your runs, personal bests, and stats are private to your account. We do not display them publicly or to other users.
3. Who we share it with (processors & third parties)
We use a small number of service providers that process data on our behalf:
- Resend — sends our account emails (e.g. verification links). Receives your email address.
- Cloudflare — provides the Turnstile captcha on sign-up/verification. Receives your IP and interaction signals to detect bots.
- Discord — if you choose to sign in with Discord (OAuth). Governed by Discord’s own privacy policy.
- Steam (Valve) — if you choose to link Steam. Governed by Valve’s own privacy policy.
- Our hosting provider — the server (located in the EU/UK region) where the application and database run.
We may also disclose data if required by law, or to protect our rights, users, or the security of the service. Where we are legally permitted to, we will notify you before disclosing your data in response to a law-enforcement or other legal request.
4. International transfers
Some providers (e.g. Resend, Cloudflare) may process data outside the UK/EEA, including in the United States. Where they do, the transfer is covered by appropriate safeguards such as the UK International Data Transfer Addendum / EU Standard Contractual Clauses, or an adequacy decision.
5. Cookies
- Session cookie (essential) — keeps you signed in. The service cannot function without it; no consent banner is required for strictly necessary cookies.
- Cloudflare Turnstile — set on the sign-up/verification pages to prevent automated abuse.
We do not use advertising or analytics tracking cookies.
6. How long we keep it
We keep your account data for as long as your account exists. If you delete your account (Settings → Delete account), your account and its associated runs and personal bests are removed from our live systems promptly, normally within 7 days of your request. Server logs and backups are retained for a limited period (typically up to 30–90 days) for security and recovery, then rotated out, after which any residual copies are overwritten. Transient records (e.g. email-verification tokens, pairing requests) expire automatically.
7. Your rights
Under UK GDPR you have the right to: access a copy of your data; correct inaccurate data; delete your data (“right to be forgotten”); restrict or object to certain processing; data portability; and, where our processing relies on your consent (such as the anti-bot cookie), to withdraw that consent at any time. You can exercise account deletion yourself in Settings, or contact us at support@oncut.app for any other request. We’ll respond within one month.
You also have the right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk if you think we’ve mishandled your data — though we’d appreciate the chance to put things right first.
8. Security
Passwords are hashed with a strong algorithm (Argon2). Session and pairing tokens are stored only as hashes. Traffic is encrypted in transit (HTTPS/WSS). No system is perfectly secure, but we take reasonable measures to protect your data.
If a personal data breach affects your data, we will notify you without undue delay where it is likely to result in a high risk to you, and we will report the breach to the ICO as required by UK GDPR (within 72 hours of becoming aware of it).
9. Age
OnCut is not directed at children. You must be at least 13 years old (and have a parent/guardian’s permission if under 16) to create an account. If you believe a child has given us personal data, contact us and we’ll remove it.
10. Changes to this policy
We may update this policy as the service evolves. We’ll change the “last updated” date above, and for significant changes we’ll notify you (e.g. by email or an in-app notice).
11. Contact
Data controller: OnCut, an individual based in the United Kingdom. Contact: support@oncut.app.