Your Privacy Matters to Us. Equestria Riding Club Ltd. ("Equestria", "we", "us") is committed to protecting the personal information you share with us. We process your data lawfully, fairly, and transparently — only for the purposes described in this policy and only for as long as necessary.
This Privacy Policy applies to all personal data collected through our website, booking systems, yard operations, events, and any other interaction you have with Equestria. Please read it carefully.
Who We Are
Data Controller: Equestria Riding Club Ltd., registered in the State of [State], USA (Company No. [000000]), with registered address at [Ranch Address], [City], [State] [ZIP].
Data Protection Officer (DPO): [DPO Name], contactable at privacy@equestria.com or by post at the registered address above, marked "FAO: Data Protection Officer."
As data controller, we determine the purposes and means of processing your personal data. We are registered with the relevant data protection authority and comply with applicable privacy laws including the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and other applicable US state privacy laws.
If you are a resident of California, Virginia, Colorado, Connecticut, or Utah, you may have additional rights under state privacy law. See Section 11 for details, or contact our DPO directly.
Data We Collect
We collect different categories of personal data depending on how you interact with us. The following table summarises what we collect and why:
| Category | Data Collected | Purpose |
|---|---|---|
| Identity Data | Full name, date of birth, gender | Account creation, booking management, age verification |
| Contact Data | Email address, phone number, postal address | Communications, booking confirmations, emergency contact |
| Booking & Transaction Data | Service booked, dates, payment amounts, booking history | Service delivery, invoicing, dispute resolution |
| Payment Data | Card type, last 4 digits, billing address (full card numbers are never stored) | Payment processing via our PCI-compliant payment processor |
| Health & Special Category Data | Medical conditions, disabilities, medications, allergies, pregnancy | Safety management, instructor briefings, emergency response |
| Children's Data | Child's name, age, medical info, guardian details | Kids program delivery, safeguarding compliance |
| Horse / Animal Data | Horse name, breed, age, passport number, vet records (livery only) | Livery management, health monitoring, competition administration |
| Usage & Technical Data | IP address, browser type, pages visited, time on site, device data | Website improvement, security, analytics |
| Marketing Preferences | Communication preferences, opt-in/opt-out records | Ensuring we only contact you in ways you've approved |
| CCTV & Photographic Data | CCTV footage from yard cameras, event photography | Safety, security, marketing (with consent) |
Health and medical information is classified as "special category" or "sensitive" personal data under applicable privacy laws. We only collect this information where it is necessary for your safety or the safety of others (e.g. medical conditions that affect your ability to ride safely, or allergies relevant to on-site catering). We process special category data on the basis of your explicit consent and/or our legal obligation to maintain a safe environment.
You may decline to provide health information; however, we may be unable to provide certain services safely without it and may need to exclude you from participation on safety grounds.
We do not collect, store, or process: full payment card numbers (these are handled exclusively by our PCI-DSS compliant payment processor), government identification numbers (e.g. Social Security Numbers) unless specifically required by law, biometric data, or any data we are not required to collect in connection with our services.
How We Collect Your Data
We collect most data directly from you when you:
- Create an account or become a member on our website
- Make a booking online, by phone, or in person
- Complete a registration, enrolment, or medical disclosure form
- Contact us by email, phone, post, or live chat
- Attend one of our sessions, events, or clinics
- Sign in at our yard reception
- Subscribe to our newsletter or marketing communications
- Participate in a survey, competition, or promotion
- Purchase a gift voucher or merchandise
We collect certain technical data automatically when you visit our website via cookies and similar technologies. This includes your IP address, browser type, operating system, pages visited, time spent on pages, and referring URLs. See Section 10 for full details of our cookie use.
We may occasionally receive data about you from third parties including:
- Payment processors (transaction confirmation and fraud-check data)
- Governing bodies (e.g. British Dressage, USEF) for competition administration
- Review platforms (where you have chosen to leave a public review)
- Social media platforms (if you connect your account or interact with our social pages)
- Referral partners (e.g. if another yard or riding school refers you to us)
In all cases, we ensure that any third party providing us with data has the legal right to share it with us.
Legal Basis for Processing
We only process your personal data where we have a valid legal basis to do so. The legal bases we rely on are:
| Legal Basis | When We Use It |
|---|---|
| Contract performance | Processing your booking, delivering the service you have paid for, invoicing, managing your membership |
| Legitimate interests | Operating our business securely, improving our services, fraud prevention, CCTV for yard security, sending service-related communications |
| Legal obligation | Safeguarding children, accident reporting, tax and financial record-keeping, responding to court orders or regulatory requests |
| Consent | Marketing emails and SMS, optional cookies, photography consent for Minors, processing special category health data |
| Vital interests | Emergency situations where sharing health data with emergency services may be necessary to protect life |
Where we rely on consent as our legal basis, you have the right to withdraw that consent at any time without affecting the lawfulness of processing before withdrawal. To withdraw consent, contact us at privacy@equestria.com.
How We Use Your Data
Your data is used primarily to provide the services you book with us — confirming reservations, matching you with the right horse and instructor, processing payment, managing your membership, and communicating essential information about your bookings and sessions.
Health and medical data you provide is used exclusively to ensure your safety and the safety of others on the yard. This information is shared only with the instructors, yard managers, and first-aiders directly involved in your sessions. In a genuine emergency, it may be shared with emergency services.
Children's data is processed in accordance with our Safeguarding Policy and applicable child protection legislation. We maintain records as required and may be legally obligated to share information with child protection authorities in certain circumstances, regardless of consent.
We may contact you by email, phone, or post for the following purposes:
- Transactional — booking confirmations, reminders, invoices, cancellation notices (no opt-out required; these are service-related)
- Safety — yard notices, schedule changes, health and welfare alerts (no opt-out required)
- Marketing — newsletters, promotions, new services, event announcements (requires opt-in consent; you may opt out at any time)
We process and retain certain data as required by applicable law, including financial records for tax purposes (typically 7 years), accident records (as required by health and safety legislation), and safeguarding records (as required by child protection law).
Anonymised or aggregated data (which cannot identify you) is used to understand how our website is used, which services are most popular, and how we can improve our offering. This analysis does not involve your identifiable personal data.
Sharing Your Data
We do not sell, rent, or trade your personal data to third parties for marketing or commercial purposes. Your data is shared only in the limited circumstances described below.
We share data with carefully selected third-party processors who help us deliver our services. All processors are bound by data processing agreements and are not permitted to use your data for any purpose other than providing services to us. Our key processors include:
- Payment processor — for secure card payment handling (PCI-DSS compliant)
- Booking & management software — for session scheduling and client management
- Email marketing platform — for sending newsletters and promotional emails (marketing opt-ins only)
- Website hosting & analytics — for website operation and performance analysis
- Accounting software — for invoicing and financial record-keeping
- Cloud storage provider — for secure document and record storage
For competition entries, we may share competitor and horse registration data with relevant governing bodies (e.g. British Dressage, British Showjumping, USEF) as required for entry processing and results publication. This is a condition of entering affiliated competitions.
We may disclose your data to law enforcement, courts, regulators, or other authorities where required to do so by law, court order, or to protect the vital interests of any person. We will only disclose the minimum data necessary for the specific purpose.
In the event of a merger, acquisition, or sale of all or part of our business, personal data held by us may be transferred to the acquiring entity as part of that transaction. We will notify you by email and/or prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.
International Data Transfers
Where we transfer personal data to third-party processors based outside the United States, we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by relevant data protection authorities
- Binding Corporate Rules where applicable
- Transfers to countries that provide an adequate level of data protection as determined by relevant authorities
You may request a copy of the safeguards we use for international transfers by contacting our DPO.
Data Retention
We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law. Our general retention periods are as follows:
| Data Type | Retention Period | Reason |
|---|---|---|
| Booking & payment records | 7 years from transaction date | Tax law and financial record requirements |
| Member & account data | 3 years after membership ends | Potential re-enrolment, dispute resolution |
| Health & medical disclosures | Duration of participation + 3 years | Safety documentation, potential personal injury claims |
| Accident & incident records | Minimum 6 years (adults); until child turns 25 (Minors) | Personal injury limitation periods |
| Children's program records | Until child reaches age 25 | Child protection and safeguarding legal requirements |
| Livery horse records | 3 years after horse departs | Veterinary and liability documentation |
| Marketing consent records | Duration of consent + 2 years | Evidence of consent |
| CCTV footage | 31 days (overwritten automatically) | Operational security (longer if incident reported) |
| Website analytics data | 26 months (anonymised) | Trend analysis and service improvement |
At the end of the applicable retention period, data is securely and permanently deleted or anonymised. If you would like your data deleted sooner, please see Section 11 (Your Rights).
Children's Privacy
We take the privacy of children exceptionally seriously. Our Kids Training Programs and Summer Camp collect personal data relating to Minors (persons under 18) only with the explicit consent of a parent or legal Guardian.
For children enrolled in our programs, we collect: the child's name, date of birth, photograph (with parental consent), medical and health information, emergency contact details, and progress and assessment records.
Children's data is used exclusively for: program delivery and safety, safeguarding compliance, communication with parents and guardians, and (with explicit consent) marketing materials such as event photographs.
Parents and Guardians have the right to access, correct, or request deletion of their child's personal data at any time. Requests can be made by contacting our DPO at privacy@equestria.com. We will verify the identity and parental relationship of anyone making such a request before acting on it.
Our website is not directed at children under 13. We do not knowingly collect personal data from children under 13 without verifiable parental consent. If you believe we have inadvertently collected data from a child under 13 without consent, please contact our DPO immediately and we will delete it promptly.
Cookies & Tracking Technologies
Our website uses cookies and similar technologies (web beacons, pixels, local storage) to improve your experience and help us understand how the site is used.
Cookies are small text files stored on your device when you visit a website. They allow the website to recognise your device and remember information about your visit — such as your preferences, login status, or items in a cart. Cookies cannot carry viruses or access other data on your device.
| Cookie Type | Name / Provider | Purpose | Duration |
|---|---|---|---|
| session_id, csrf_token | Maintain your session, protect against cross-site attacks, enable core website functionality | Session / 24 hrs | |
| user_prefs, cookie_consent | Remember your cookie preferences, language, and display settings | 12 months | |
| Google Analytics (_ga, _gid) | Understand how visitors use our website — pages visited, time spent, traffic source. Data is anonymised. | 2 years / 24 hrs | |
| Hotjar (_hjid, _hjSession) | Heatmaps and session recordings to understand user behaviour (anonymised; no keystroke logging) | 1 year | |
| Meta Pixel (_fbp, _fbc) | Measure effectiveness of social media advertising; show relevant ads on Facebook/Instagram | 90 days | |
| Google Ads (NID, IDE) | Track conversions from Google Ads; enable remarketing to website visitors | 6 months |
Essential cookies cannot be disabled as they are necessary for the website to function. Analytics, preferences, and marketing cookies require your consent and can be managed via our cookie consent banner when you first visit the site, or at any time through your browser settings.
Most browsers allow you to view, delete, and block cookies. Visit allaboutcookies.org for guidance on managing cookies in your specific browser. Please note that disabling analytics or marketing cookies will not affect the core functionality of our website.
Some browsers send a "Do Not Track" (DNT) signal to websites. Our website does not currently alter its data collection practices in response to DNT signals because there is no consistent industry standard for how to respond. We honour opt-out requests made through our cookie banner and by adjusting your browser settings.
Your Rights
Depending on your location, you have a number of rights regarding your personal data. We will respond to all verified requests within 30 days (or sooner where required by law).
To exercise any of your rights, please contact our Data Protection Officer at privacy@equestria.com or by post to the address in Section 1, clearly stating your request. We will ask you to verify your identity before we can action your request.
If you are a California resident, you have additional rights under the CCPA and CPRA, including the right to know what categories of personal information we collect and disclose, the right to opt out of the sale or sharing of personal information (we do not sell personal information), the right to correct inaccurate personal information, and the right to limit the use of sensitive personal information. To exercise these rights, contact us using the details in Section 16. We will not discriminate against you for exercising your rights.
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with applicable privacy laws have similar rights regarding access, correction, deletion, portability, and opt-out of targeted advertising. Please contact our DPO to exercise any of these rights.
Marketing & Opt-Out
We only send marketing communications — newsletters, promotions, new service announcements, and event previews — where you have given us explicit consent to do so (opt-in). We never send unsolicited bulk marketing emails.
You can unsubscribe from marketing communications at any time by:
- Clicking the "Unsubscribe" link in any marketing email we send you
- Emailing privacy@equestria.com with "Marketing Opt-Out" in the subject line
- Calling us at +1 (555) 000-1234 during office hours
- Updating your preferences in your online account settings
We will process your opt-out within 10 business days. Please note that opting out of marketing will not stop you receiving transactional or safety-related communications, which are necessary for your bookings.
With your consent, we use Meta Pixel and Google Ads cookies to show you relevant Equestria advertising on social media and Google search. You can opt out of this at any time via our cookie banner, your browser settings, or your social media platform's ad preferences settings.
Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, or disclosure. Our security measures include:
- Encryption — All data transmitted between your browser and our website is encrypted using TLS (Transport Layer Security). Stored sensitive data is encrypted at rest.
- Access controls — Personal data is accessible only to staff members who genuinely need it to perform their role. All access is logged and reviewed.
- Payment security — Full card payment details are never processed or stored by Equestria. All payments are handled by our PCI-DSS Level 1 compliant payment processor.
- Staff training — All staff complete mandatory data protection training and are bound by confidentiality obligations in their employment contracts.
- Incident response — We maintain a data breach response procedure and will notify affected individuals and relevant authorities within the legally required timeframe in the event of a breach.
- Physical security — Our on-premises servers and filing systems are secured with physical access controls. Visitor access to administrative areas is restricted.
Despite our best efforts, no method of electronic transmission or storage is 100% secure. If you believe your data has been compromised, please contact us immediately at privacy@equestria.com.
Third-Party Links
Our website may contain links to third-party websites, social media platforms, and services (e.g. British Dressage, YouTube, Instagram, booking partners). These third-party sites have their own privacy policies, which we do not control and are not responsible for.
We encourage you to read the privacy policy of any third-party site you visit via links on our website. Linking to a third-party site does not constitute our endorsement of that site's privacy practices.
Embedded content on our website (e.g. YouTube videos, social media feeds) may set their own cookies on your device. Our cookie banner covers cookies set by our website; you may need to manage cookies from embedded third parties separately through those platforms' privacy settings.
Changes to This Policy
We review and update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify registered members and newsletter subscribers by email
- Display a notice on our website for a minimum of 30 days
- Where required by law, seek fresh consent for any new processing activities
We encourage you to check this policy periodically. Your continued use of our services after the effective date of any update constitutes your acknowledgement of the revised policy. If you disagree with any changes, you may contact us to discuss your options or close your account.
Contact Us & Complaints
If you have any questions about this Privacy Policy, wish to exercise your rights, or have a concern about how we handle your data, please contact our Data Protection Officer:
Equestria Riding Club Ltd.
[Ranch Address]
[City], [State] [ZIP]
United States
We aim to respond to all privacy-related enquiries and rights requests within 10 business days of receipt. For Subject Access Requests (SARs), we will respond within 30 days as required by law. If we need more time, we will notify you with an explanation within the initial 30-day period.
If you are not satisfied with how we handle your personal data or respond to your privacy request, you have the right to lodge a complaint with the relevant supervisory authority. For US residents, this may include:
- California residents — California Privacy Protection Agency (CPPA): cppa.ca.gov
- All US residents — Federal Trade Commission (FTC): ftc.gov
- Your state Attorney General's office — for state-level privacy complaints
We always welcome the opportunity to resolve any concern directly before you contact a regulatory authority, and encourage you to contact our DPO first.