Privacy Policy

StableFlow (“we”, “us”) is operated by Stableflow ltd, a company registered in the United Kingdom. We provide a software platform for equestrian businesses. For the purposes of UK GDPR and the EU GDPR, we are the data controller for our marketing website and a data processor for personal data processed on behalf of our customers within the platform.

Contact: privacy@stableflowequine.io.

We collect different categories of data depending on how you interact with us.

Marketing website visitors

• IP address and approximate location (country) for pricing localisation and security.
• Cookie data necessary for site function and, with consent, analytics.
• Contact form submissions: name, email, phone, message.

Account holders (stable owners, instructors, professionals)

• Account details: name, email, role, hashed password, 2FA settings.
• Billing details processed by our payment partners (Stripe, GoCardless).
• Activity logs for security and audit purposes.

End users (riders, families, students)

Where the platform stores data about end users on behalf of our customers (riding schools, livery yards, etc.), we act as a processor. The customer is the data controller. Categories may include name, contact details, emergency contacts, medical notes, lesson attendance, billing history, and signed waivers.

• Contract: processing necessary to provide the platform to account holders.
• Legitimate interests: service security, fraud prevention, product analytics.
• Consent: marketing communications and non essential cookies.
• Legal obligation: retention of financial records, response to lawful requests.

• To operate, secure and improve the platform.
• To process subscription and transaction payments.
• To send transactional emails (account, billing, security).
• To respond to support and contact form enquiries.
• To send marketing emails, only with consent and with an unsubscribe link.

We share personal data with sub processors that help us run the service:

• Hosting: Vercel (United States, EU region for EU data).
• Database: Neon (United States, EU region for EU data).
• Payments: Stripe, GoCardless.
• Email: SendGrid or equivalent transactional email provider.
• SMS: Twilio.
• Error monitoring: Sentry.
• AI processing: Anthropic for our Intelligence Layer features.

Each sub processor is bound by a data processing agreement and we apply Standard Contractual Clauses where data is transferred outside the UK or EEA.

We retain account data for as long as the account is active. After cancellation we retain data for 90 days to allow reactivation, then delete or anonymise it except where retention is legally required (for example, financial records kept for 7 years for tax purposes).

Under UK and EU data protection law you have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request erasure (the “right to be forgotten”).
• Restrict or object to processing.
• Data portability.
• Withdraw consent at any time.
• Complain to the Information Commissioner's Office or equivalent supervisory authority.

To exercise these rights, email privacy@stableflowequine.io. We respond within 30 days.

We use industry standard security measures including encryption in transit (TLS), encryption at rest, role based access controls, audit logging, login lockout, two factor authentication for admin accounts, and regular security reviews.

The platform is not directed to children under 13. Where customers (such as riding schools) store data about minor riders, the customer is responsible for obtaining the appropriate parental or guardian consent.

We use strictly necessary cookies for authentication and session management. We use analytics cookies only with your consent. You can manage your preferences via the cookie banner shown on first visit, or by clearing cookies in your browser.

We may update this policy. The effective date at the top will change. Material changes will be notified by email to account holders.

Questions: privacy@stableflowequine.io. Postal address available on request.