Privacy Policy

This Privacy Policy explains how Stable ("Stable", "we", "us") processes personal data when you use stable.se and related apps/services (the "Service").

1. Controller Identity and Contact Details

1.1 Data controller (B2C and certain B2B data)

Stable (Swedish company)

Organisation number: 559XXX-XXXX

Registered address: Stockholm, Sweden

Email (privacy): privacy@stable.se

1.2 Controller vs processor (B2B customer data)

  • When a stable, riding school, or other organisation ("Customer") uses the Service to manage its operations, the Customer is typically the data controller for personal data about its staff, riders, horse owners, and other end users that the Customer inputs or otherwise provides ("Customer Data").
  • In those cases, Stable acts as the Customer's data processor for Customer Data, processing it only on documented instructions from the Customer and under a data processing agreement (DPA).
  • Stable may still be an independent controller for certain data (e.g., Customer admin account details, billing, security logs, and compliance).

If you are an end user invited by a Customer (e.g., a rider or horse owner) and have questions about the Customer's processing, you should contact the Customer first. You may also contact Stable at privacy@stable.se and we will help route your request.

2. Scope and How We Receive Personal Data

We obtain personal data:

  • Directly from you (e.g., you create an account, enter information, contact support).
  • From a Customer (e.g., a stable admin creates your account, assigns you to horses, schedules, bookings, roles).
  • From your device and our infrastructure automatically (e.g., security logs, IP address, timestamps).
  • From payment providers or financial institutions in connection with payment status (not full card details).

3. Categories of Personal Data We Process

The personal data processed depends on whether you use the Service as an individual (B2C) or through a Customer (B2B).

3.1 Account and identity data

  • Name
  • Email address
  • Phone number (if provided)
  • Username/profile information
  • Role/permissions (e.g., staff/admin)
  • Stable/organisation affiliation (if applicable)

3.2 Service usage and technical data (no client-side tracking)

  • Login events, timestamps
  • IP address, device/browser/app version, operating system
  • Security and audit logs (e.g., failed logins, permission changes)
  • Approximate location derived from IP for security/fraud prevention (not precise GPS, unless your device/app explicitly provides it for a feature)

We do not use third-party analytics tools for client-side tracking (e.g., no Google Analytics, no PostHog) and we do not sell personal data.

3.3 Booking, scheduling, and operational data

  • Bookings, attendance, cancellations
  • Schedules, assignments, staffing rosters
  • Messages and notes associated with operations (e.g., stable notes, reminders)

3.4 Communication data

  • Support requests and correspondence
  • Emails we send (service messages, confirmations, billing notices)
  • Delivery and engagement signals needed to operate email (e.g., bounce/complaint status)

3.5 Billing and transaction data

  • Subscription plan, invoices, VAT/business information (where applicable)
  • Payment status, timestamps, amounts
  • Limited payment identifiers from payment providers (e.g., last four digits, payment method type, transaction IDs)

Note: Payment card details are processed by our payment provider(s) and not stored by Stable.

3.6 Content and user-generated data

Data you upload or enter into the Service, such as:

  • Horse owner contact details
  • Staff contact details
  • Notes, attachments, documents, photos (if enabled)
  • Communications within the Service (if enabled)

3.7 Horse-related records

Horse health/veterinary records are primarily about animals and are not personal data by themselves. However, they may contain personal data if they include names/contact details of owners, riders, trainers, veterinarians, or human-related safety notes. We recommend not entering sensitive information about people unless strictly necessary and you have a valid legal basis to do so.

4. Purposes of Processing and Legal Bases

Where Stable acts as a processor, the Customer determines the legal basis; Stable processes on the Customer's instructions.

Purpose | Examples | Legal basis
Provide the Service | Create accounts, enable features, manage horses/stables, bookings, schedules | Contract (Art. 6(1)(b))
Customer administration (B2B) | Manage Customer relationship, admin accounts, onboarding | Legitimate interests (Art. 6(1)(f)) and/or Contract
Billing and payments | Invoicing, subscription management, payment confirmations | Contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) for accounting
Security and fraud prevention | Access controls, audit logs, abuse detection | Legitimate interests (Art. 6(1)(f))
Support and communications | Respond to requests, troubleshoot issues | Contract (Art. 6(1)(b)) and/or Legitimate interests
Product improvement | Diagnose errors, performance, reliability improvements using server-side logs | Legitimate interests (Art. 6(1)(f))
Legal compliance | Respond to lawful requests, enforce terms | Legal obligation (Art. 6(1)(c)) and/or Legitimate interests

4.2 Special category data (if processed)

Stable does not require special category personal data (e.g., human health data) to provide core functionality. If such data is nevertheless processed: for B2C, we rely on your explicit consent (Art. 9(2)(a)) where applicable; for B2B, the Customer is responsible for identifying a valid Art. 9 condition.

5. Cookies and Similar Technologies

We use only strictly necessary cookies/local storage needed to:

  • Keep you signed in
  • Maintain session security
  • Remember basic settings essential to providing the Service

We do not use cookies for behavioural advertising or cross-site tracking. Because we do not use non-essential tracking cookies, a cookie consent banner is generally not required. If this changes, we will update this policy and implement appropriate consent mechanisms.

6. Sharing and Disclosure of Personal Data

We share personal data only when necessary to provide the Service, comply with law, or protect rights and security.

Categories of recipients:

  • Cloud hosting, storage, and infrastructure providers (including backups and monitoring)
  • Payment providers (e.g., Stripe) for processing payments and preventing fraud
  • Email and communication providers for sending transactional emails
  • Customer support tooling where needed to handle requests
  • Professional advisers (lawyers, auditors) under confidentiality
  • Authorities or law enforcement when legally required
  • Potential acquirers/investors in a business transaction (subject to confidentiality)

We do not sell personal data.

7. International Transfers

Some of our vendors may be located in, or process data from, countries outside the EU/EEA (including the United States).

When personal data is transferred outside the EU/EEA, we use appropriate safeguards, such as:

  • European Commission Standard Contractual Clauses (SCCs) (Art. 46)
  • Where applicable, reliance on an adequacy framework (e.g., the EU-US Data Privacy Framework) for certified vendors
  • Supplementary measures when needed (e.g., encryption in transit and at rest, strict access controls, data minimisation)

You can request information about the safeguards applicable to a specific transfer by contacting privacy@stable.se.

8. Retention Periods

We keep personal data only as long as necessary for the purposes described above, then delete or anonymise it, unless longer retention is required by law.

Data category | Typical retention
Account profile data | Until account deletion, plus up to 30 days for restoration
Customer Data (B2B) | Duration of Customer contract; deletion/return per DPA
Support correspondence | Up to 24 months after resolution
Security logs and audit logs | Typically 90-180 days
Billing, invoices, accounting records | Up to 7 years (Swedish accounting rules)
Backups | Rolling backups up to 30-60 days

9. Your Rights (GDPR) and How to Exercise Them

Depending on context (controller/processor) you have the right to:

  • Access: obtain confirmation and a copy of your personal data (Art. 15)
  • Rectification: correct inaccurate or incomplete data (Art. 16)
  • Erasure: request deletion in certain cases (Art. 17)
  • Restriction: restrict processing in certain cases (Art. 18)
  • Portability: receive data you provided in a structured, commonly used format (Art. 20)
  • Object: object to processing based on legitimate interests (Art. 21)
  • Withdraw consent: where processing is based on consent, at any time (Art. 7(3))

How to exercise:

  • Email privacy@stable.se with your request and the email tied to your account.
  • We may ask you to verify identity before fulfilling the request.
  • We respond without undue delay and normally within one month.

9.1 Right to lodge a complaint (IMY)

You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, "IMY"):

  • Website: imy.se
  • Address: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm, Sweden

10. Security Measures

We implement technical and organisational security measures appropriate to risk, including:

  • Encryption in transit (TLS) and encryption at rest where appropriate
  • Access controls (least privilege), authentication safeguards, and logging
  • Segregation of environments and role-based permissions
  • Backups and disaster recovery routines
  • Monitoring for security incidents and abuse
  • Vendor security assessment and contractual protections

No method of transmission or storage is 100% secure, but we work to maintain appropriate safeguards.

11. Children and Minors (Junior Riders)

The Service may be used in contexts involving minors (e.g., junior riders).

  • Age thresholds: In Sweden, children under 13 generally cannot consent on their own to information society services. Users must be at least 13 to create a standalone account, and users under 18 should have permission from a parent/guardian.
  • B2B context: If a Customer creates accounts for minors (e.g., junior riders), the Customer is responsible as controller for ensuring a valid legal basis, providing notices, and obtaining any required parental consent.
  • Data minimisation: We encourage limiting minors' data to what is necessary (e.g., name, guardian contact, scheduling details). Avoid recording sensitive human health data unless strictly necessary and legally justified.

12. Data Return, Export, and Deletion

  • B2B Customers: Upon contract termination, we provide a reasonable opportunity to export Customer Data in a commonly used, machine-readable format (e.g., CSV/JSON) upon request, for a limited period (typically 30 days), unless otherwise agreed.
  • After the export period, we delete or anonymise Customer Data in accordance with the DPA, except for data we must retain for legal obligations, security, or dispute resolution.
  • B2C users: You can request a copy of your data and deletion by contacting privacy@stable.se or using in-app controls (if available).

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in the Service, legal requirements, or our practices. We will post the updated version on stable.se and update the effective date. If changes are material, we will provide additional notice where appropriate.

14. Contact

For privacy questions or to exercise your rights:

privacy@stable.se

For legal/contract questions:

legal@stable.se

Effective Date: 11 January 2026