This Privacy Policy explains how Stable ("Stable", "we", "us") processes personal data when you use stable.se and related apps/services (the "Service").
Stable is part of the Compact family of products. For the company-wide privacy policy that covers your Compact account and every Compact app, see compact.se/legal/privacy. This page describes what is specific to Stable.
1. Controller Identity and Contact Details
1.1 Data controller (B2C and certain B2B data)
Stable (Swedish company)
Organisation number: 559XXX-XXXX
Registered address: Stockholm, Sweden
Email (privacy): privacy@stable.se
1.2 Controller vs processor (B2B customer data)
- When a stable, riding school, or other organisation ("Customer") uses the Service to manage its operations, the Customer is typically the data controller for personal data about its staff, riders, horse owners, and other end users that the Customer inputs or otherwise provides ("Customer Data").
- In those cases, Stable acts as the Customer's data processor for Customer Data, processing it only on documented instructions from the Customer and under a data processing agreement (DPA).
- Stable may still be an independent controller for certain data (e.g., Customer admin account details, billing, security logs, and compliance).
If you are an end user invited by a Customer (e.g., a rider or horse owner) and have questions about the Customer's processing, you should contact the Customer first. You may also contact Stable at privacy@stable.se and we will help route your request.
2. Scope and How We Receive Personal Data
We obtain personal data:
- Directly from you (e.g., you create an account, enter information, contact support).
- From a Customer (e.g., a stable admin creates your account, assigns you to horses, schedules, bookings, roles).
- From your device and our infrastructure automatically (e.g., security logs, IP address, timestamps).
- From payment providers or financial institutions in connection with payment status (not full card details).
3. Categories of Personal Data We Process
The personal data processed depends on whether you use the Service as an individual (B2C) or through a Customer (B2B).
3.1 Account and identity data
- Name
- Email address
- Phone number (if provided)
- Username/profile information
- Role/permissions (e.g., staff/admin)
- Stable/organisation affiliation (if applicable)
3.2 Service usage, analytics, and technical data
- Login events, timestamps
- IP address, device/browser/app version, operating system
- Security and audit logs (e.g., failed logins, permission changes)
- Approximate location derived from IP for security/fraud prevention (not precise GPS, unless your device/app explicitly provides it for a feature)
On our marketing site we use privacy-friendly, EU-hosted product analytics (PostHog EU) and advertising-conversion measurement (such as Google Ads). Both are consent-gated: in the EEA and UK they stay off until you opt in, they are treated as two separate purposes you can accept independently, and you can change your choice at any time (see Section 5). We also capture campaign parameters (such as UTM tags and ad click identifiers) only with your marketing consent. We do not sell personal data.
3.3 Booking, scheduling, and operational data
- Bookings, attendance, cancellations
- Schedules, assignments, staffing rosters
- Messages and notes associated with operations (e.g., stable notes, reminders)
3.4 Communication data
- Support requests and correspondence
- Emails we send (service messages, confirmations, billing notices)
- Delivery and engagement signals needed to operate email (e.g., bounce/complaint status)
3.5 Billing and transaction data
- Subscription plan, invoices, VAT/business information (where applicable)
- Payment status, timestamps, amounts
- Limited payment identifiers from payment providers (e.g., last four digits, payment method type, transaction IDs)
Note: Payment card details are processed by our payment provider(s) and not stored by Stable.
3.6 Content and user-generated data
Data you upload or enter into the Service, such as:
- Horse owner contact details
- Staff contact details
- Notes, attachments, documents, photos (if enabled)
- Communications within the Service (if enabled)
3.7 Horse-related records
Horse health/veterinary records are primarily about animals and are not personal data by themselves. However, they may contain personal data if they include names/contact details of owners, riders, trainers, veterinarians, or human-related safety notes. We recommend not entering sensitive information about people unless strictly necessary and you have a valid legal basis to do so.
4. Purposes of Processing and Legal Bases
Where Stable acts as a processor, the Customer determines the legal basis; Stable processes on the Customer's instructions.
| Purpose | Examples | Legal basis |
|---|
| Provide the Service | Create accounts, enable features, manage horses/stables, bookings, schedules | Contract (Art. 6(1)(b)) |
| Customer administration (B2B) | Manage Customer relationship, admin accounts, onboarding | Legitimate interests (Art. 6(1)(f)) and/or Contract |
| Billing and payments | Invoicing, subscription management, payment confirmations | Contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) for accounting |
| Security and fraud prevention | Access controls, audit logs, abuse detection | Legitimate interests (Art. 6(1)(f)) |
| Support and communications | Respond to requests, troubleshoot issues | Contract (Art. 6(1)(b)) and/or Legitimate interests |
| Product improvement | Diagnose errors, performance, reliability improvements using server-side logs | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance | Respond to lawful requests, enforce terms | Legal obligation (Art. 6(1)(c)) and/or Legitimate interests |
4.2 Special category data (if processed)
Stable does not require special category personal data (e.g., human health data) to provide core functionality. If such data is nevertheless processed: for B2C, we rely on your explicit consent (Art. 9(2)(a)) where applicable; for B2B, the Customer is responsible for identifying a valid Art. 9 condition.
5. Cookies and Similar Technologies
We use strictly necessary cookies/local storage to:
- Keep you signed in
- Maintain session security
- Remember basic settings essential to providing the Service
- Protect forms from abuse (Cloudflare Turnstile)
On our marketing site we also use consent-based cookies and similar technologies for two separate purposes you can accept independently:
- Analytics — EU-hosted product analytics (PostHog EU) to understand how the site is used. Uses a first-party cookie scoped to stable.se.
- Marketing — advertising-conversion measurement and campaign attribution (such as Google Ads via Google Consent Mode, and UTM/ad click-ID capture).
In the EEA and UK these non-essential cookies are off by default and load only after you opt in. We show a cookie consent banner to visitors in those regions, and you can change or withdraw your choices at any time. We do not use these for cross-context behavioural advertising beyond measuring our own campaigns.
6. Sharing and Disclosure of Personal Data
We share personal data only when necessary to provide the Service, comply with law, or protect rights and security.
Categories of recipients:
- Cloud hosting, storage, and infrastructure providers (including backups and monitoring)
- Payment providers (e.g., Stripe) for processing payments and preventing fraud
- Email and communication providers for sending transactional emails
- Product analytics and error-monitoring providers (e.g., PostHog EU, Sentry)
- Advertising and conversion-measurement providers (e.g., Google), only with your marketing consent
- Customer support tooling where needed to handle requests
- Professional advisers (lawyers, auditors) under confidentiality
- Authorities or law enforcement when legally required
- Potential acquirers/investors in a business transaction (subject to confidentiality)
We do not sell personal data.
7. International Transfers
Some of our vendors may be located in, or process data from, countries outside the EU/EEA (including the United States).
When personal data is transferred outside the EU/EEA, we use appropriate safeguards, such as:
- European Commission Standard Contractual Clauses (SCCs) (Art. 46)
- Where applicable, reliance on an adequacy framework (e.g., the EU-US Data Privacy Framework) for certified vendors
- Supplementary measures when needed (e.g., encryption in transit and at rest, strict access controls, data minimisation)
You can request information about the safeguards applicable to a specific transfer by contacting privacy@stable.se.
8. Retention Periods
We keep personal data only as long as necessary for the purposes described above, then delete or anonymise it, unless longer retention is required by law.
| Data category | Typical retention |
|---|
| Account profile data | Until account deletion, plus up to 30 days for restoration |
| Customer Data (B2B) | Duration of Customer contract; deletion/return per DPA |
| Support correspondence | Up to 24 months after resolution |
| Security logs and audit logs | Typically 90-180 days |
| Billing, invoices, accounting records | Up to 7 years (Swedish accounting rules) |
| Backups | Rolling backups up to 30-60 days |
9. Your Rights (GDPR) and How to Exercise Them
Depending on context (controller/processor) you have the right to:
- Access: obtain confirmation and a copy of your personal data (Art. 15)
- Rectification: correct inaccurate or incomplete data (Art. 16)
- Erasure: request deletion in certain cases (Art. 17)
- Restriction: restrict processing in certain cases (Art. 18)
- Portability: receive data you provided in a structured, commonly used format (Art. 20)
- Object: object to processing based on legitimate interests (Art. 21)
- Withdraw consent: where processing is based on consent, at any time (Art. 7(3))
How to exercise:
- Email privacy@stable.se with your request and the email tied to your account.
- We may ask you to verify identity before fulfilling the request.
- We respond without undue delay and normally within one month.
9.1 Right to lodge a complaint (IMY)
You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, "IMY"):
- Website: imy.se
- Address: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm, Sweden
10. Security Measures
We implement technical and organisational security measures appropriate to risk, including:
- Encryption in transit (TLS) and encryption at rest where appropriate
- Access controls (least privilege), authentication safeguards, and logging
- Segregation of environments and role-based permissions
- Backups and disaster recovery routines
- Monitoring for security incidents and abuse
- Vendor security assessment and contractual protections
No method of transmission or storage is 100% secure, but we work to maintain appropriate safeguards.
11. Children and Minors (Junior Riders)
The Service may be used in contexts involving minors (e.g., junior riders).
- Age thresholds: In Sweden, children under 13 generally cannot consent on their own to information society services. Users must be at least 13 to create a standalone account, and users under 18 should have permission from a parent/guardian.
- B2B context: If a Customer creates accounts for minors (e.g., junior riders), the Customer is responsible as controller for ensuring a valid legal basis, providing notices, and obtaining any required parental consent.
- Data minimisation:We encourage limiting minors' data to what is necessary (e.g., name, guardian contact, scheduling details). Avoid recording sensitive human health data unless strictly necessary and legally justified.
12. Data Return, Export, and Deletion
- B2B Customers: Upon contract termination, we provide a reasonable opportunity to export Customer Data in a commonly used, machine-readable format (e.g., CSV/JSON) upon request, for a limited period (typically 30 days), unless otherwise agreed.
- After the export period, we delete or anonymise Customer Data in accordance with the DPA, except for data we must retain for legal obligations, security, or dispute resolution.
- B2C users: You can request a copy of your data and deletion by contacting privacy@stable.se or using in-app controls (if available).
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in the Service, legal requirements, or our practices. We will post the updated version on stable.se and update the effective date. If changes are material, we will provide additional notice where appropriate.
Effective Date: 11 January 2026 · Last updated: 3 July 2026