Privacy Policy

Openstable is an online marketplace connecting horse owners with livery yards and activity providers across the UK. We are operated by [COMPANY NAME], a company registered in England and Wales (company number [COMPANY NUMBER]), whose registered office is at [REGISTERED ADDRESS].

For the purposes of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, we are the data controller of your personal data.

We are registered with the Information Commissioner’s Office (ICO) under registration number [ICO REGISTRATION NUMBER].

If you have any questions about how we use your personal data, please contact us at privacy@openstable.co.uk.

We collect the following categories of personal data:

Account data

• Email address (required to create an account)
• Your role on the platform (horse owner or yard owner)
• OAuth profile information if you sign in with Google or Facebook (name, email, profile picture)

Horse owner profile data

• Your first name
• Your horse’s name and type
• Livery preferences, timeline, and riding level
• A brief situation note you choose to share with yards
• Your search postcode and preferred search radius
• Horse photo (if uploaded)

Yard owner profile and listing data

• Yard name, postcode, county, and geographic coordinates (derived from your postcode)
• Contact name, phone number, email address, and website
• Yard description, facilities, services, and photos
• Availability information and activity slot details

Communication data

• Enquiry messages sent between horse owners and yard owners
• Reviews and ratings you submit
• Yard owner responses to reviews

Payment and subscription data

• Your subscription tier (Free, Pro, or Enterprise)
• Stripe customer ID and subscription ID
• We do not store your payment card details. All payment processing is handled directly by Stripe. Please review Stripe’s Privacy Policy for details of how they handle your payment data.

Technical and usage data

• Session tokens and authentication data (managed by Supabase)
• IP address and browser information (collected automatically by our infrastructure)
• Pages visited and features used on the platform
• Saved yards and shortlists

We collect personal data in the following ways:

• Directly from you — when you register, complete your profile, post a listing, send an enquiry, write a review, or contact us.
• Automatically — when you use the platform, we collect technical data such as session tokens, IP addresses, and usage information through cookies and our infrastructure provider, Supabase.
• From third parties — if you choose to sign in using Google or Facebook, we receive basic profile information (name and email) from those providers.

Under UK GDPR, we must have a lawful basis for processing your personal data. The bases we rely on are:

• Performance of a contract (Article 6(1)(b)) — to provide you with our platform services, including creating and managing your account, enabling enquiries and messaging between horse owners and yard owners, and processing subscription payments.
• Legitimate interests (Article 6(1)(f)) — to operate and improve the platform, prevent fraud and abuse, ensure platform security, and send transactional notifications (such as new enquiry alerts and message notifications). Our legitimate interests do not override your rights and freedoms.
• Consent (Article 6(1)(a)) — for optional marketing communications and email notifications that you can control in your account settings. You may withdraw your consent at any time.
• Legal obligation (Article 6(1)(c)) — to retain payment records as required by UK tax law (currently 7 years).

We use your personal data to:

• Create and manage your account
• Display your yard listing or horse owner profile to relevant users
• Enable enquiries and messaging between horse owners and yard owners
• Show search results and availability based on your preferences and location
• Process subscription payments and manage your billing
• Send transactional emails (such as new enquiry notifications, message alerts, and availability expiry reminders)
• Send review prompt emails following a secured livery placement (where you have not opted out)
• Display and facilitate user reviews
• Improve platform functionality, fix bugs, and develop new features
• Detect and prevent fraud, abuse, or violations of our Terms & Conditions
• Comply with our legal obligations

We share your personal data only with trusted third-party service providers who process data on our behalf. All processors are bound by data processing agreements and must handle your data securely.

• Supabase — our database and authentication infrastructure provider. Your data is stored on servers located in the EU. Supabase acts as a data processor on our behalf.
• Google — we use the Google Geocoding API to convert postcodes to geographic coordinates for search functionality. We also support Google as an OAuth sign-in provider. Google may process your data in accordance with their privacy policy.
• Facebook / Meta — supported as an optional OAuth sign-in provider only.
• Stripe — our payment processor for subscription billing. Stripe processes payment card data directly and is PCI-DSS compliant.
• Resend — our transactional email delivery provider. Resend receives your email address and the content of emails sent on your behalf.

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes. We will disclose your data to the ICO or other law enforcement authorities if required by law.

Your data is primarily stored in the EU via Supabase. Where we use third-party processors based outside the UK or EEA (including Google, Stripe, and Resend), we ensure that appropriate safeguards are in place, including reliance on Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner, or the equivalent international transfer mechanism.

We retain your personal data for the following periods:

• Active accounts — for as long as your account remains active, plus 90 days following account deletion to allow for any disputes or recovery requests.
• Deleted accounts — personal data is anonymised or deleted within 30 days of account deletion. Some aggregated, anonymised data (such as review scores without personal identifiers) may be retained for platform quality purposes.
• Payment and billing records — retained for 7 years as required by UK financial regulations.
• Messages and enquiries — retained for the duration of your account and deleted or anonymised upon account deletion.

You have the following rights regarding your personal data:

• Right of access — you can request a copy of the personal data we hold about you (a Subject Access Request).
• Right to rectification — you can ask us to correct inaccurate or incomplete data. Most profile data can be updated directly in your account settings.
• Right to erasure — you can request deletion of your personal data. You can delete your account directly from the settings page. Certain data may be retained where we have a legal obligation to do so.
• Right to data portability — you can request a copy of your data in a structured, machine-readable format.
• Right to restrict processing — you can ask us to pause processing of your data in certain circumstances.
• Right to object — you can object to processing based on legitimate interests, including for direct marketing.
• Right to withdraw consent — where processing is based on your consent (e.g. marketing emails), you can withdraw it at any time via your account settings or by contacting us.

To exercise any of these rights, please contact us at privacy@openstable.co.uk. We will respond within one calendar month.

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the ICO at ico.org.uk or by calling 0303 123 1113.

We use cookies and similar technologies to operate the platform. The cookies we use are:

• Essential / session cookies — used by Supabase to manage your authenticated session. These are strictly necessary for the platform to function and cannot be disabled.

We do not currently use third-party advertising or tracking cookies. If this changes, we will update this policy and request your consent where required.

Openstable is intended for users aged 18 and over. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, please contact us at privacy@openstable.co.uk and we will delete it promptly.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email before the changes take effect. The date at the top of this page reflects when the policy was last updated. Continued use of the platform after changes take effect constitutes your acceptance of the updated policy.

For any questions or concerns about this Privacy Policy or how we handle your data, please contact our privacy team at:

Email: privacy@openstable.co.uk
Post: [COMPANY NAME], [REGISTERED ADDRESS]