Hoofbook

Personal data

Privacy policy

In line with Articles 13 and 14 of the General Data Protection Regulation (GDPR) and French Law no. 78-17 of 6 January 1978 (as amended).

1. Scope

This policy covers the two services operated by Hoofbook:

  • the marketing site hoofbook.app (information about the product);
  • the platform go.hoofbook.app (application that farriers can access after creating an account).

It is structured in two parts: the first describes the data processed when you visit the marketing site; the second, more detailed, describes the data processed when you use the platform.

2. Data controller

0x Technologies LLC

Legal form
Limited Liability Company (LLC) under US law, registered in the State of Wyoming, United States
Address
Northwest Registered Agent Service, Inc.
30 N Gould St, Ste N
Sheridan, WY 82801
United States
Wyoming Secretary of State — Filing ID
2025-001740476
GDPR contact
[email protected]

Hoofbook is a product published and operated by 0x Technologies LLC.

Representative in the European Union (Article 27 GDPR)

0x Technologies LLC is a controller established outside the European Union. The Publisher does not, at this stage, designate a representative in the European Union within the meaning of Article 27 of the GDPR: it considers that the processing remains occasional in view of the size and nature of the activity, that it does not involve special categories of data (Article 9) or data relating to criminal convictions (Article 10) on a large scale, and that it is not likely to result in a high risk to the rights and freedoms of data subjects — the conditions provided for in Article 27(2) of the GDPR.

To exercise your rights or for any data-protection question, the address [email protected] remains the main point of contact. No Data Protection Officer (DPO) has been designated, as this designation is not mandatory given the Publisher's activity.

3. Hoofbook: a dual role with respect to data

When you use Hoofbook, two distinct processing activities coexist:

a. Hoofbook is the controller

For your own personal data as a farrier — your account, your billing, usage and security logs. This policy covers that processing.

b. Hoofbook is a processor

For the personal data of the people you enter into the platform — your clients, stable owners, their contacts. You remain the controller for that data. The terms are governed by the Data Processing Agreement (DPA).

Part I

Data on the marketing site (hoofbook.app)

4. Data collected on the site

The marketing site has no forms, no newsletter sign-up, no cookies and no third-party trackers. Two data flows can nonetheless exist:

a. Connection data

When you visit a page, your browser automatically sends our host — Cloudflare, Inc. — certain technical information: IP address, browser type, page visited, referrer page, timestamp. This data is recorded in server logs.

Legal basis: legitimate interest — security, fraud prevention, operation and improvement of the service (Article 6.1.f GDPR).

b. Email correspondence

If you write to [email protected], we receive and keep your email address and the content of your message for the time needed to handle your request.

Legal basis: legitimate interest, or — if the request precedes a contract — pre-contractual measures (Article 6.1.b GDPR).

Part II

Data on the platform (go.hoofbook.app)

5. Categories of data processed on the platform

a. Account data

Email address, password (hashed by Supabase Auth, never transmitted to Hoofbook in cleartext), display name.

b. Billing data

Handled by Paddle (see section 7). Hoofbook only receives subscription metadata (status active/expired, plan chosen) and never stores card numbers.

c. Business data you enter

Information about your clients (name, phone, address), about horses (name, photos, care notes), about stables (addresses), about scheduling and hourly rates. For this data, Hoofbook acts as a processor — see the Data Processing Agreement (DPA).

d. Technical data

IP address, user agent, session timestamps, error logs.

e. Location data

GPS coordinates of stables and clients (computed via Mapbox when a point is placed), routes (computed via HERE), local fuel prices (from the public API of the French government — see below).

Public data source — fuel prices: the platform queries the public API data.economie.gouv.fr (Etalab programme) to suggest the cheapest fuel stops on a route. Only geographic coordinates are sent; no user identifier is transmitted. This public data source does not constitute a processor relationship.

6. Purposes and legal bases

Purpose | Legal basis
Provide the service (account, business data) | Performance of the contract (Art. 6.1.b GDPR)
Billing and subscription tracking | Performance of the contract (Art. 6.1.b GDPR)
Transactional emails (trial reminders, password reset) | Performance of the contract (Art. 6.1.b GDPR)
Error tracking (Sentry) | Legitimate interest — security and reliability (Art. 6.1.f GDPR)
Non-essential cookies and mapping telemetry | Consent (Art. 6.1.a GDPR)
Retention of invoices and accounting records | Legal obligation — French Commercial Code Art. L123-22

7. Sub-processors and recipients

No data is sold or rented to any third party. Platform data may be processed by the sub-processors below, which act on Hoofbook's instructions under agreements that comply with Article 28 of the GDPR.

Sub-processor no. 1

Supabase, Inc.

Role
Database, authentication, file storage, edge functions
Region
EU-West (Ireland)
Data received
All account and business data — farrier's account, client list, horses, stables, schedule, addresses, photos
Transfer mechanism
No transfer outside the EU
Privacy policy
supabase.com/privacy

Sub-processor no. 2

Vercel Inc.

Role
Frontend hosting for go.hoofbook.app
Region
United States (HQ), global edge
Data received
IP address, user agent, request logs (no personal payload — application rendered client-side)
Transfer mechanism
SCCs + Data Privacy Framework
Privacy policy
vercel.com/legal/privacy-policy

Sub-processor no. 3

Mapbox, Inc.

Role
Mapping, geocoding, point picker for client and stable addresses
Region
United States
Data received
GPS coordinates of viewed points, public API token. Anonymous telemetry via events.mapbox.com
Transfer mechanism
SCCs + Data Privacy Framework
Privacy policy
www.mapbox.com/legal/privacy

Sub-processor no. 4

HERE Technologies

Role
Route calculation and toll matrix for the 'Cheapest route' mode
Region
EU (Netherlands)
Data received
Coordinates of every stop on a route and any departure time
Transfer mechanism
No transfer outside the EU
Privacy policy
legal.here.com/privacy

Sub-processor no. 5

Functional Software, Inc. (Sentry)

Role
Frontend error tracking
Region
EU (Germany — ingest.de.sentry.io)
Data received
Stack traces, browser version, URL where the error occurred. May incidentally include personal data if present in strings
Transfer mechanism
No transfer outside the EU
Privacy policy
sentry.io/privacy

Sub-processor no. 6

Paddle.com Market Limited

Role
Payment collection — Merchant of Record (Paddle is the official seller, not Hoofbook)
Region
United Kingdom + EU
Data received
Name, email, billing address, VAT number, payment data
Transfer mechanism
Adequacy decision (United Kingdom)
Privacy policy
www.paddle.com/legal/privacy

Sub-processor no. 7

Resend, Inc.

Role
Sending transactional emails (trial reminders, password reset)
Region
United States
Data received
Email address, name, email content
Transfer mechanism
SCCs + Data Privacy Framework
Privacy policy
resend.com/legal/privacy

8. Transfers outside the European Union

Several sub-processors involve transferring data outside the European Union. For each of them, the transfer is framed by a mechanism provided for in Chapter V of the GDPR:

  • Vercel (United States) — Standard Contractual Clauses (SCCs) + EU–US Data Privacy Framework membership;
  • Mapbox (United States) — SCCs + Data Privacy Framework;
  • Resend (United States) — SCCs + Data Privacy Framework;
  • Paddle (United Kingdom) — European Commission adequacy decision for the United Kingdom.

The other sub-processors (Supabase, HERE, Sentry) process data within the European Union and involve no transfer outside the EU.

9. Retention periods

Category | Duration
Active account | Duration of the subscription
After termination | 30 days (export available), then permanent deletion
Billing data | 10 years (Article L123-22 of the French Commercial Code)
Sentry error logs | 90 days
Resend email logs | 30 days
Essential cookies and sessions | See the cookie policy

10. Security

The technical and organisational measures in place include in particular:

  • TLS 1.2 or higher on all connections;
  • encryption at rest on Supabase databases;
  • Postgres Row Level Security: multi-tenant isolation at the database level — one user cannot technically access another's data;
  • mandatory email verification on sign-up;
  • automatic daily backups via Supabase;
  • connection audit log.

Common part

Your rights and other provisions

11. Cookies

The marketing site uses no cookies and no third-party trackers. The platform, on the other hand, relies on a few essential cookies (authentication) and, after your consent, on some measurement and mapping cookies. The full breakdown is in the cookie policy.

12. Your rights

Regarding data about you, you have the following rights:

  • right of access;
  • right to rectification;
  • right to erasure;
  • right to restriction of processing;
  • right to object;
  • right to portability — a full CSV export of your data is available at any time from your account settings, including in read-only mode.

To exercise these rights, write to [email protected]. A reply is sent within one month, in line with Article 12.3 GDPR.

You also have the right to lodge a complaint with the French data-protection authority, the Commission nationale de l'informatique et des libertés (CNIL) — 3 place de Fontenoy, TSA 80715, 75334 Paris cedex 07 — cnil.fr.

13. Changes to this policy

Any substantial change will be announced 30 days in advance by email and via a banner in the platform. Continued use after that date constitutes acceptance of the new terms. The last-updated date is shown below.