Privacy Policy
Last updated: Draft, not yet in effect
Draft, pending legal review
This document has not been reviewed by a solicitor or data protection specialist and is not yet in effect. It should not be relied upon until formally approved and the draft notice removed.
1. Who we are
Saddl ([full legal entity name], company number [company number], registered address [registered address]) is the data controller for personal data collected through this website.
We operate saddl.co.uk, an equestrian venue directory for riders in the United Kingdom.
If you have any questions about this policy or how we handle your data, contact us at [privacy contact email]. [Solicitor to advise: is a Data Protection Officer required? If so, DPO contact details should appear here.]
2. Personal data we collect
We collect personal data only where necessary to operate the Site. The table below summarises what we collect, why, and on what legal basis under UK GDPR.
| Category | Data collected | Purpose | Legal basis |
|---|---|---|---|
| Venue claim | Name, email address | To verify the identity of the venue owner/manager and process the listing claim | Legitimate interests (operating the directory); Contract (where a commercial relationship exists) |
| Transactional email | Email address | To send claim verification emails and listing notifications | Legitimate interests |
| Analytics | [To confirm: page views, referrers, device type] | Understanding how the Site is used to improve it | [Confirm: Legitimate interests if privacy-preserving / Consent if cookies used] |
| Server logs | IP address, browser type, pages visited | Security monitoring, debugging | Legitimate interests |
[Solicitor to review: confirm legal basis for each category; check if legitimate interests assessment (LIA) is required; confirm whether analytics constitute cookies under PECR and whether consent is needed]
3. How we use your data
We use personal data to:
- Process and verify venue listing claims.
- Send transactional emails relating to your claim or listing.
- Maintain the security and integrity of the Site.
- Improve the Site based on usage patterns.
We do not use your personal data for marketing without your explicit consent. We do not sell personal data to third parties.
4. Third-party services and data processors
We use the following third-party services, which may process personal data on our behalf. Where these services are based outside the UK/EEA, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards for international transfers.
Supabase
Purpose: Database and authentication
Location: EU region [confirm exact region]
Stores venue claim data including name and email address.
Vercel
Purpose: Website hosting and deployment
Location: United States (SCCs apply)
Processes server logs including IP addresses. DPA available.
Mapbox
Purpose: Interactive maps on venue pages
Location: United States (SCCs apply)
May receive approximate location data when maps are loaded.
[Email provider, e.g. Resend / Postmark]
Purpose: Transactional email delivery
Location: [Confirm location]
Processes email addresses for claim verification messages.
[Solicitor to review: confirm data processing agreements are in place with each processor; verify transfer mechanisms are adequate; check whether Mapbox usage constitutes processing of personal data]
5. How long we keep your data
We retain personal data only for as long as necessary for the purposes described in this policy.
- Venue claim data (name, email): retained for the duration of the listing relationship plus [X months/years, solicitor to advise] thereafter.
- Server logs: retained for [X days, confirm] for security purposes.
- Analytics data: [confirm retention period].
6. Your rights under UK GDPR
Under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:
To exercise any of these rights, contact us at [privacy contact email]. We will respond within one calendar month. If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
7. Cookies
[Solicitor / technical review required. Confirm: (1) What cookies the site actually sets, check Mapbox, Vercel Analytics, Supabase auth; (2) Whether any are non-essential and therefore require consent under PECR; (3) Whether a cookie consent mechanism is needed. If only essential cookies are used, a simpler notice is sufficient.]
The Site uses cookies that are strictly necessary for its operation, including for session management. [If analytics or third-party cookies are present, list them here with their purpose, provider, and duration.]
8. Changes to this policy
We may update this policy from time to time to reflect changes in our practices or legal requirements. Where changes are material, we will take reasonable steps to inform you. The date at the top of this page indicates when the policy was last updated.
9. Contact and complaints
For questions about this policy or to exercise your data rights, contact us at [privacy contact email].
If you have a complaint about how we handle your data, you can contact the Information Commissioner's Office (ICO):
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
ico.org.uk