Privacy Policy & GDPR Compliance Statement

Last modified: 9 October 2025

1. Who We Are

This Privacy Policy explains how we handle personal data collected through our websites and services related to Ahotu and World’s Marathons.

1.1 Company Information

Ahotu and World’s Marathons are brands of World’s Sports Group AB, with registration number 559044-2454 (“Ahotu,” “World’s Marathons,” “we,” “us,” or “our”).

We are registered in Sweden with our official address at Brahegatan 4, 113 59 Stockholm.

1.2 What We Do

Ahotu and World’s Marathons operate online platforms with a global calendar that lists endurance events such as marathons, triathlons, trail runs, and other sports worldwide.

Our platforms enable users to discover events, and depending on the organizer’s setup:

• Some events can be booked directly through our platform, where World’s Marathons acts as an intermediary or service provider for the Event Organizer.
• Other events are listed by us but we do not have a direct relationship with the organizer. These events often include links to official registration channels or third-party ticketing platforms, where users may complete their booking externally.

In addition to event listings, we:

• Share event data (such as race information, dates, and results) to selected partners and third-party services, including sports-technology and training platforms.
• Promote and sell complementary third-party products and services, such as personalized medal engravings or event-related offers, in collaboration with verified partners.

We process and protect personal data in each of these contexts in accordance with the principles of this Privacy Policy and the EU General Data Protection Regulation (GDPR).

1.3 Who’s Who

When this Privacy Policy uses the term “Event Organizer,” we mean the individuals or organizations that create, manage, or promote Events using our platform 

Events refers to events and races we list in our global calendar.

Participants are individuals who browse, register for, or engage with Events through our platform — either directly or via external registration links to official channels.

Partners include third-party service providers and commercial collaborators such as payment processors, merchandise providers, or sports-technology platforms with whom we share or integrate event data.

Visitors are users who browse our site or app with or without registering an account or making a booking.

Collectively, Event Organizers, Participants, Partners, and Visitors are referred to as “Users,” “you,” or “your.” All Users are subject to this Privacy Policy to the extent that we process their personal data.

Depending on the context, World’s Marathon’s may act as either a data controller or a data processor, as explained in Section 17.

1.4 Our Legal Framework

World’s Sports Group AB is a company established in Sweden, operating under the jurisdiction of Swedish and European Union law.

Our data-protection practices are primarily governed by the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the Swedish Data Protection Act (Dataskyddslagen 2018:218).

As an EU-based organization, we comply with the high standards of privacy and security required under EU law, which are widely recognized as among the most protective in the world.  While we are not formally subject to the California Consumer Privacy Act (CCPA) or other non-EU state privacy laws, we voluntarily follow similar principles — including transparency, user rights, and control over personal information — to ensure that all users, regardless of location, enjoy a high level of privacy protection.

2. Our Commitment to Data Protection

We take privacy and data protection seriously. This Privacy Policy explains how we collect, use, store, share, and protect personal data under the GDPR and other applicable laws.

We apply the principles of lawfulness, fairness, transparency, data minimization, integrity, and accountability, and have implemented technical and organizational security measures to protect data.

3. Personal Data We Collect

When you use or interact with our platform, we may collect different types of personal data depending on how you use the Services — for example, when you browse the calendar, create an account, or register for an Event.

3.1 Information You Provide to Us

We collect personal data that you voluntarily provide, including when you:

• Create or manage an account
• Register for an Event hosted on our platform
• Contact our support team or fill out forms

• Subscribe to newsletters or request event notifications

  
  

The personal data we collect may include, depending on the context:

• Basic information: name, email address, phone number, country of residence
• Event-registration details: date of birth, gender, nationality, club affiliation, emergency contact, t-shirt size, race category, and any other information required by the Event Organizer
• Payment and billing information: payment method, transaction reference, currency, and related details (handled securely through our payment processor Stripe)

• Communication preferences and responses (e.g., consents, marketing opt-ins)

  
  
  

When you create an account with World’s Marathons, you acknowledge that we will store certain personal data for as long as your account remains active.

In this context, World’s Marathons acts as the data controller — meaning we determine how this account data is used to:

• Provide and personalize your experience
• Maintain your event history, saved events, and preferences

• Communicate relevant updates and service information

  
  

When we manage the registration process for an Event, however, we act as a data processor on behalf of the Event Organizer, who determines what information is required for participation. In that case, we share relevant registration data with the Organizer and their appointed service providers (e.g., timing companies) so participants can be granted an entry, appear on start lists, receive race details, and be included in official results.

All such processing and sharing are governed by Data Processing Agreements that comply with the GDPR and applicable laws.

3.2 Information Collected Automatically

When you visit our site or app, and subject to your consent where required, we automatically collect certain technical and behavioural information, including:

• IP address and device identifiers
• Browser type, operating system, and access timestamps
• Page views, referral sources, and interaction data
• Data collected via cookies, pixels, and similar technologies

For details about cookies and how to manage your preferences, please see our Cookie Policy.

4. How We Use Personal Data

We collect and process personal data only where we have a valid legal basis under the GDPR, such as contract necessity, legitimate interest, consent, or legal obligation.

We do not sell your personal data. We also do not engage in automated decision-making or profiling that produces legal or similarly significant effects for users.

5. Data Processors and Subprocessors

We engage third parties for hosting, payments, marketing, and analytics. Each has a signed Data Processing Agreement (DPA) ensuring compliance.

Main Subprocessors

Our up-to-date list of subprocessors is maintained internally and available upon request.

6. Data Transfers Outside the EEA

Some subprocessors are located outside the European Economic Area (EEA), including in the United States, where certain personal data may be stored or accessed.

We ensure that all such transfers and storage comply with the requirements of GDPR Chapter V by applying the following safeguards:

• EU–US Data Privacy Framework (DPF): For US-based subprocessors certified under the DPF (e.g., Microsoft, Google), transfers are conducted under this approved adequacy mechanism.
• Standard Contractual Clauses (SCCs): For partners or vendors not certified under the DPF, we rely on the European Commission’s SCCs.
• Additional safeguards: Encryption, strict access controls, and internal policies protect personal data during transfer and storage.

Our primary data storage for the platform is hosted by Microsoft Azure, AWS and Google Cloud within the European Union.

7. Data Retention

We retain personal data for as long as necessary to fulfill the purposes described in this Privacy Policy, including providing users with access to their full booking and participation history.

• Active accounts: Personal data is retained for the entire duration of the user’s account to enable continuous access to booking records, event history, and related services.
• Inactive or closed accounts: If you close your account or request deletion, your personal data will be deleted or anonymized upon request, unless retention is required by law (e.g., accounting or dispute resolution obligations). We do not automatically delete user data after a fixed period, as it may be necessary to preserve booking history for user access and legitimate business purposes.

• Backups and archives: Backup data may be retained for limited periods for legal, tax, security, and disaster-recovery reasons before being securely overwritten or anonymized.

  
  

We regularly review stored personal data to ensure it remains relevant to our service purposes and is not kept longer than necessary.

8. Security Measures

We have implemented technical and organizational safeguards to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

These measures include password protection and access control, encryption of sensitive data in transit and at rest, regular security audits, and data-protection impact assessments where appropriate.

In the unlikely event of a personal data breach, we will notify affected individuals and relevant supervisory authorities without undue delay and in accordance with Articles 33 and 34 of the GDPR.

9. Your Rights

You have the following rights under the GDPR:

• Access your personal data
• Request rectification or deletion
• Restrict or object to processing
• Request data portability
• Withdraw consent at any time
• Lodge a complaint with a supervisory authority (e.g., IMY)

You can contact the Swedish Authority for Privacy Protection (IMY) at: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm, Sweden or via imy.se.

You can exercise these rights via your account settings or by contacting us at privacy@worldsmarathons.com.

Please note:

If you have an active booking for an upcoming race, we may need to retain your personal data until the event has taken place tofulfill our contractual obligations to you and the Event Organizer. Deleting this data before the event may make it impossible for you to participate or for us (or the Organizer) to deliver associated services, such as timing, results, or communication about the race. Once these obligations are fulfilled, you may request deletion at any time, and we will process such requests without undue delay.

10. Cookies and Tracking

We use cookies and similar technologies to:

• Enable core site functionality
• Measure performance and traffic
• Deliver relevant content and ads

You can manage or withdraw consent anytime through our Cookie Preferences.

11. Children’s Data

Some events listed or hosted on our platform include children’s or youth categories, and in such cases, we may process limited personal data about minors to enable their participation.

When an Event registration involves a child, the registration must be completed by a parent or legal guardian, who provides consent for the processing of the child’s personal data for the purposes of registration, race administration (such as inclusion on start lists), and official results.

We only collect the minimum data necessary for these purposes — typically including the child’s name, age or date of birth, gender, and contact details for a parent or guardian.

This information is securely shared with the Event Organizer and relevant service providers (such as timing or results companies) under strict data-protection agreements.

We do not use children’s data for marketing or profiling purposes.

If you believe that personal data about a child has been submitted without appropriate consent, please contact us at privacy@worldsmarathons.com, and we will review and delete the data as required.

12. Changes to This Policy

We may update this policy periodically.

All updates will be posted on this page with a revised “Last Modified” date.

If material changes occur, we will notify users through email or in-app notices.

13. Contact Us

For any privacy-related inquiries, please contact us at privacy@worldsmarathons.com.

14. Regulatory Reference

This policy is based on:

• Regulation (EU) 2016/679 (General Data Protection Regulation)
• Guidance from the European Data Protection Board (EDPB)
• Recommendations from the Swedish Authority for Privacy Protection (IMY)

15. Version Control

This Privacy Policy applies to all websites, applications, and digital services operated by Ahotu and World’s Marathons, brands of World’s Sports Group AB.