Privacy Policy

Lee Bliss, trading as EquiList.app ("EquiList", "we", "us") provides a platform for arranging equine transport services. This policy explains what personal data we collect, why we collect it, and your rights under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy & Electronic Communications Regulations 2003 (PECR).

1. Data we collect

• Account data: name, email, password hash, role (owner / transporter / admin), profile picture (if you sign in via Google).
• Horse data: name, breed, age, height, medical history, photos — provided by owners.
• Transporter business data: business name, DEFRA Type 1 / Type 2 authorisation number, vehicle types, insurance certificate, operator licence (processed by Gemini OCR), care & custody insurance, fleet photos, on-call status, current location (only while on-call).
• Job & emergency data: postcodes, dates, bid amounts, status, ratings, chat messages.
• EquiList marketplace data: listing title, description, photos, price (GBP), region, category-specific attributes, seller contact details, subscription tier & ad-quota usage, internal messages between buyer and seller.
• Stable management data: calendar events (title, type, postcode & coordinates, dates, attendees, packing checklist), recurring health-action entries, the Expense Ledger, and Care Contacts — provided voluntarily by owners.
• Location data for routing: if you pin a postcode in a calendar event we call postcodes.io (a free, no-auth UK postcode lookup service) to resolve lat/lng. We only send the postcode you entered.
• Web analytics (only if enabled): when EquiList is configured with a Google Analytics 4 Measurement ID, anonymised page-view events are sent to GA4 with anonymize_ip=true. Admin pages are excluded.
• Technical data: IP address, browser user-agent, device type, basic page-view logs.

2. How we use it

• To match owners with verified transporters within geo-fenced search radii.
• To dispatch SOS emergencies and notify destination hospitals.
• To verify documents via OCR and admin review.
• To run the EquiList marketplace and route buyer enquiries through the internal message system.
• To power the personal Stable Management surface.
• To send service emails (job updates, SOS confirmations, magic-link sign-ins, marketplace message notifications) via Resend.
• To send optional Web Push and email notifications (opt-in per channel).
• To process payments and subscriptions through Stripe Connect.
• To detect fraud and enforce platform rules.

3. Legal basis (UK GDPR Article 6)

We process personal data on the basis of (a) contract (Art. 6(1)(b)) — to provide the platform you signed up for; (b) legitimate interest (Art. 6(1)(f)) — to keep the network safe, verify operator credentials, and auto-redact phone/email from marketplace messages; and (c) consent (Art. 6(1)(a)) — for optional marketing emails and any non-essential cookies.

4. Sharing

We share data only with:

• The transporter you matched with — they see your name, contact phone, postcodes, and horse details for the booked job.
• The destination hospital on an SOS — they see horse name, breed, conditions, medical history snapshot, and live driver position.
• Marketplace buyers who view your listing — they see whatever contact details you chose to make public.
• Stripe Connect — to process payments and recurring subscriptions (regulated UK financial institution, FCA reference 900461).
• Resend — to send transactional emails.
• Google Gemini Vision — to OCR documents you uploaded (one-shot processing, no model training on your data).
• UK / EU law enforcement when legally compelled (e.g. Schedule 2 Part 1 DPA 2018).

We never sell personal data. Ever.

5. International transfers

Data is stored in UK / EU MongoDB clusters. Some processors (Stripe, Google) may transfer data outside the UK; in those cases we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, plus the UK's adequacy decisions for the EEA.

6. Retention

• Active account data: kept until you delete your account.
• Completed job records: retained for 6 years to satisfy HMRC tax and dispute-resolution requirements (Limitation Act 1980 s.5).
• SOS / emergency records: retained for 6 years for safety auditing.
• EquiList listings: kept for 12 months after marked sold/removed.
• Marketplace message threads: 24 months after the last reply, then anonymised.
• Server logs: 90 days rolling.
• Document images (insurance, licence): kept for the document's stated validity period plus 12 months.

7. Your UK GDPR rights

You have the right to:

• Access your personal data (Article 15).
• Rectify inaccurate data (Article 16).
• Erasure / "right to be forgotten" (Article 17).
• Restrict processing (Article 18).
• Data portability in machine-readable format (Article 20).
• Object to processing based on legitimate interest (Article 21).
• Withdraw consent at any time where consent is the legal basis.

To exercise these rights, email support@equilist.app from the email on your account. We respond within one month per UK GDPR Article 12(3).

If you are unhappy with our response, you can lodge a complaint with the UK supervisory authority: the Information Commissioner's Office (ICO), ico.org.uk/make-a-complaint, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, tel. 0303 123 1113.

8. Cookies

EquiList uses essential session cookies only (to keep you logged in). Non-essential cookies (Google Analytics 4, where configured) load only after you accept the cookie banner shown on first visit, in line with PECR Regulation 6.

9. Children

EquiList is not directed to children under 16. We do not knowingly collect data from minors.

10. Contact & complaints

Data controller: Lee Bliss T/A EquiList.app, United Kingdom · Privacy queries & UK GDPR requests: support@equilist.app.