Privacy Policy

Last updated: 17 March 2026

Data hosted in the EU/UK— London & Ireland. GDPR compliant.

1. Who we are

StableSync is operated by James Watt (sole trader) based in the United Kingdom. We provide a multi-tenant software-as-a-service platform for equestrian livery yard management.

For the purposes of data protection law, James Watt trading as StableSync is the data controller for platform-level data (account registration, authentication, tenant management). Each livery yard that uses StableSync acts as a data controller for the data they collect about their clients, staff, and horses through the platform, with StableSync acting as a data processor on their behalf.

2. What laws apply

StableSync complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Because we also serve users in France and Spain, we additionally comply with the EU General Data Protection Regulation (EU GDPR, Regulation 2016/679).

3. What data we collect

Account and profile data

  • Full name, email address, phone number
  • Password (stored securely and encrypted — we never see or store your actual password)
  • Profile photo (avatar URL)
  • Role and permissions within your yard
  • Language/locale preference
  • Last login timestamp

Horse data

  • Horse name, breed, colour, age, height, sex
  • Microchip number and passport number
  • Livery type and stable number
  • Feed requirements, exercise regimes, rugging plans, turnout routines
  • Health records (vet visits, dental records, vaccinations, worming, farrier visits, weight history)
  • Care reminders and scheduling data
  • Emergency contact details (name, phone, email, relationship)

Operational data

  • Staff rota shifts, task assignments, and completion records
  • Facility bookings (arena, facilities)
  • Calendar events
  • Service requests
  • Yard settings and configuration

Billing and financial data

  • Invoices, invoice line items, payment status
  • Livery rates and hourly rates
  • VAT information

Consent and compliance data

  • Consent records (what you consented to, when, and any withdrawals)
  • IP address and user agent at the time of consent (for audit purposes)
  • Audit logs of actions taken within the platform

Technical data

  • Push notification subscriptions (Web Push endpoints, FCM device tokens)
  • Authentication tokens and session data
  • Tenant/yard association data

Tenant (yard) registration data

  • Yard name, subdomain, owner name, owner email
  • Branding preferences (logo, colours)
  • Feature configuration and plan information
  • Locale and language settings

4. Why we collect it and our legal basis

PurposeLegal basis
Providing the StableSync service (account management, horse profiles, bookings, rotas, billing)Performance of contract (Art. 6(1)(b))
Authenticating you and keeping your account securePerformance of contract (Art. 6(1)(b))
Sending transactional emails (password resets, invitations, notifications)Performance of contract (Art. 6(1)(b))
Push notifications about your yard (care reminders, booking updates, shift changes)Consent (Art. 6(1)(a)) — you choose to enable push notifications
Translating content into your preferred languageLegitimate interest (Art. 6(1)(f)) — providing the service in your language
Recording consent and maintaining audit logsLegal obligation (Art. 6(1)(c)) — GDPR accountability requirements
Generating invoices and maintaining financial recordsLegal obligation (Art. 6(1)(c)) — tax and accounting requirements
Maintaining and improving the platformLegitimate interest (Art. 6(1)(f)) — ensuring the service works reliably

5. Who we share your data with

We do not sell your data. We do not share your data with advertisers. We only share data with the following sub-processors, which are necessary to provide the service:

Sub-processorPurposeData location
Vercel Inc.Application hosting and serverless functionsLondon, UK (lhr1 region)
Neon Inc.PostgreSQL database hostingEU-West-2, London, UK
Resend Inc.Transactional email delivery (password resets, invitations)European Union (Ireland, eu-west-1)
Google LLCOAuth authentication (social sign-in) and Firebase Cloud Messaging (push notifications)United States
Meta Platforms Inc.OAuth authentication (social sign-in via Facebook)United States
DeepL SEMachine translation of user-generated contentEuropean Union (Germany)

Within the platform, your yard manager and other authorised users at your yard may see your data as part of normal yard operations (e.g. staff can see horse care plans, managers can see shift rotas and invoices). Data is isolated between yards — users at one yard cannot access data from another.

6. International data transfers

Your data is primarily stored in the United Kingdom (Vercel London region, Neon EU-West-2 London). Some sub-processors are based in the United States (Google, Meta). Where data is transferred outside the UK or EEA, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs
  • The sub-processor's compliance with applicable data protection frameworks

7. How long we keep your data

  • Account data: Retained for as long as your account is active. If you request account deletion, we delete or anonymise your personal data within 30 days, except where we are legally required to retain it.
  • Horse and care data: Retained for as long as the yard account is active. Deleted when the yard owner closes their yard or requests deletion.
  • Financial records: Retained for 7 years after creation to comply with UK tax and accounting obligations (HMRC requirements).
  • Consent records and audit logs: Retained for 7 years to demonstrate GDPR compliance and maintain an audit trail.
  • Soft-deleted records: Some records are soft-deleted (marked as inactive rather than removed) to maintain referential integrity. These are permanently purged according to the retention periods above.

8. Your rights

Under UK GDPR and EU GDPR, you have the following rights:

  • Right of access — You can request a copy of all personal data we hold about you.
  • Right to rectification — You can ask us to correct inaccurate or incomplete data. You can also update most of your data directly through the platform.
  • Right to erasure — You can request deletion of your personal data directly from your profile settings in the dashboard. Deletion requests are processed within 30 days of approval, with a cooling-off period during which you can cancel. Financial records (invoices) are retained for 7 years as required by UK tax law, but are fully anonymised. You will receive email confirmation when deletion is complete.
  • Right to restrict processing — You can ask us to limit how we use your data in certain circumstances.
  • Right to data portability — You can request your data in a structured, commonly used, machine-readable format (e.g. JSON or CSV).
  • Right to object — You can object to processing based on legitimate interests.
  • Right to withdraw consent — Where processing is based on consent (e.g. push notifications), you can withdraw consent at any time. This does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, email us at hello@stablesync.app. We will respond within one month. If your request is complex, we may extend this by a further two months, but we will let you know.

If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority:

  • UK: Information Commissioner's Office (ICO) — ico.org.uk
  • France: Commission nationale de l'informatique et des libertés (CNIL) — cnil.fr
  • Spain: Agencia Española de Protección de Datos (AEPD) — aepd.es

9. Data security

We take the security of your data seriously. Measures include:

  • All data is transmitted over HTTPS (TLS encryption in transit)
  • Database connections are encrypted
  • Passwords are encrypted — we never store or see your actual password
  • Login sessions use secure tokens that can't be accessed by other websites
  • Each yard's data is kept completely separate — people at one yard cannot see another yard's information
  • Access controls restrict what each person can see and do within a yard
  • Audit logging tracks significant actions for accountability

10. Children's data

StableSync is not directed at children under 16. We do not knowingly collect personal data from children under 16 without parental or guardian consent. If you believe we have inadvertently collected data from a child under 16, please contact us at hello@stablesync.app and we will delete it promptly.

Yards may store information about horses owned by or associated with minors. In such cases, the yard (as data controller) is responsible for obtaining appropriate parental consent.

11. Cookies and local storage

We use a small number of cookies that are strictly necessary for the service to function, plus one functional cookie for your language preference. We do not use any advertising or analytics cookies.

For full details, see our Cookie Policy.

12. Third-party links

Our platform may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies.

13. Changes to this policy

We may update this privacy policy from time to time. If we make significant changes, we will notify you by email or through a notice on the platform. The “Last updated” date at the top of this page will always reflect when the policy was last revised.

14. Contact us

If you have any questions about this privacy policy or how we handle your data, please contact us: