Horselino
Privacy Policy
Last updated: 23 June 2026
The protection of your personal data is important to us. This Privacy Policy informs you, in accordance with the GDPR, about which data we process in the "Horselino" App, for which purposes, and on which legal basis.
1.1 Controller
Melanie Donner, Allee 16, 3435 Erpersdorf, Austria · Email: support@horselino.app
Based on the current assessment, there is no obligation to appoint a Data Protection Officer.
1.2 What Data We Process
a) Account and profile data — first name, last name, email address, encrypted password, optional profile photo (avatar), optional horse photos, chosen personal accent color.
b) Content you enter — horse master data, training sessions, templates, training series, ratings/feedback, recorded or subsequently added rides (including optional GPS route, see c), goals, tasks, calendar entries, and health entries for your horse (e.g. appointments for veterinarian, farrier, vaccination). This health data concerns the animal, not your own health, and does not constitute a special category within the meaning of Art. 9 GDPR.
c) Location data (GPS) — Only if you use "Record ride" and grant location permission do we process GPS position data to record distance and route. The route is assigned to your ride and stored in your account.
d) Shared horses / team — When you share a horse with other people, the assigned content and your display name become visible to them. This is a closed sharing feature for people you invite — there is no public community function. You are responsible for sharing content with invited persons.
e) Location for the weather preview (optional) — If you store a location (e.g. postal code and town), we save it as well as the coordinates derived from it in order to show you a weather preview for calendar appointments. Providing this information is voluntary; without it, no weather preview is retrieved. For the query, rounded coordinates are transmitted to our weather service; the conversion of postal code/town into coordinates is handled server-side via MapTiler, and the map display likewise via MapTiler (see 1.4). This location is independent of the GPS recording for rides (c) and does not require the device's location permission.
f) Technical data — For stability and troubleshooting, we process device and crash data (e.g. device type, operating system version, error logs).
g) Connection and log data — When accessing our servers (Supabase) and when loading map tiles, technically necessary connection data is processed, in particular your IP address, the time of access, and the requested resource. This serves the provision, security and stability of the service.
1.3 Purposes and Legal Bases
| Purpose | Legal basis |
|---|---|
| Provision of the account and the App functions | Art. 6(1)(b) GDPR (performance of a contract) |
| Location recording during rides | Art. 6(1)(a) GDPR (consent) |
| Storage of horse photos as part of horse documentation | Art. 6(1)(b) GDPR (performance of a contract) |
| Profile photo (avatar) and access to camera/photos | Art. 6(1)(a) GDPR (consent) |
| Local reminders (appointment notifications) | Art. 6(1)(a) GDPR (consent) |
| Weather preview for appointments (location, map display) | Art. 6(1)(a) GDPR (consent) |
| Processing of subscriptions | Art. 6(1)(b) GDPR (performance of a contract) |
| Provision via connection/log data | Art. 6(1)(b) and (f) GDPR |
| Stability, error analysis, security | Art. 6(1)(f) GDPR (legitimate interest in stable, secure and error-free operation of the App) |
1.4 Recipients / Processors
We use carefully selected service providers with whom data processing agreements (Art. 28 GDPR) are in place:
- Supabase – hosting, database, authentication, file storage. Server location EU (Ireland, AWS eu-west-1). US processing by the parent company, where applicable, on the basis of EU Standard Contractual Clauses.
- Mailjet SAS (France) – sending of transactional and system emails (e.g. registration confirmation, password reset). Server location EU.
- RevenueCat, Inc. (USA) – subscription management/validation. In this context, store identifiers, purchase information and subscription status may be processed. Transfer to the USA on the basis of SCCs or the EU-US Data Privacy Framework.
- Sentry (Functional Software, Inc., USA; hosting in the European Union (EU) region) – error and crash reports. We technically limit the transmission of personal data to what is necessary (in particular, no transmission of personal identifiers by default). Any access from the USA takes place on the basis of SCCs or the EU-US Data Privacy Framework.
- OpenWeather Ltd (United Kingdom) – weather preview. Coordinates rounded to the locality level are transmitted (via our server). Transfer to the UK on the basis of the EU adequacy decision.
- MapTiler AG (Switzerland) – map display. Two uses: (a) map tiles for the map and tracking views – maps are loaded only when you open a feature that shows a map (e.g. recording rides or walks), not at app start. According to MapTiler, no end-user tracking takes place and MapTiler does not itself process the IP addresses of map users. When tiles are loaded, your IP address is only briefly processed by the content delivery network used (Cloudflare, data centres in the EU) for security and logging purposes and is deleted after about 20 minutes. (b) geocoding – the conversion of postal code/town into coordinates for the weather preview is performed server-side via our server; your IP address is not transmitted in the process. Transfer to Switzerland on the basis of the EU adequacy decision.
- Apple Inc. and Google LLC – provision via App Store / Google Play and payment processing of in-app purchases. Reminders are generated locally on the device; no data is sent to push servers (APNs/FCM).
Payment data for in-app purchases is processed exclusively by Apple/Google; we do not receive complete payment data.
1.5 Transfer to Third Countries
Insofar as data is transferred to the USA (in particular RevenueCat, Sentry, and where applicable Apple/Google): EU Standard Contractual Clauses and/or the EU-US Data Privacy Framework. Transfers to the United Kingdom (OpenWeather): EU adequacy decision for the United Kingdom (most recently renewed with validity until December 2031). Transfer to Switzerland (MapTiler): EU adequacy decision for Switzerland.
1.6 Retention Period
We store your account and content data for as long as your account exists. If you delete your account (Settings → Delete account), your personal data is deleted, unless statutory retention obligations apply.
Error and crash data (Sentry) is stored only temporarily for error analysis and is automatically deleted after no more than 30 days. Backups are maintained in a rolling procedure and overwritten after no more than 7 days.
Connection and log data (server logs) on our infrastructure (Supabase) is deleted after no more than 7 days.
We do not retain any payment data ourselves, since purchase and billing are handled via Apple or Google.
1.7 Data Security
We take appropriate technical and organizational measures in accordance with Art. 32 GDPR to protect your data against loss, misuse and unauthorized access. These include in particular encrypted data transmission (TLS/HTTPS), encrypted storage of passwords, row-based access restrictions (Row Level Security), access controls, and hosting within the EU. However, complete security of data transmission over the internet cannot be guaranteed.
1.8 App Permissions
The App requests – in each case only when needed: location (ride recording), camera/photos (profile and horse photos), notifications (local appointment reminders). Reminders are scheduled locally on the device; there is no sending via external push services. Each permission can be revoked at any time in the device settings.
1.9 Your Rights
Access (Art. 15), rectification (16), erasure (17), restriction (18), data portability (20), objection (21). You can export a copy of your data at any time in the App (Settings → "Export my data"). You can delete individual content (horses, rides, training sessions, health entries, goals, tasks, calendar) directly in the App; deletion of individual/all data without account deletion can be requested informally at support@horselino.app; the entire account via Settings → Delete account. Consents can be withdrawn at any time with effect for the future (support@horselino.app).
1.10 Right to Lodge a Complaint
Competent authority in Austria: Austrian Data Protection Authority (Österreichische Datenschutzbehörde), Barichgasse 40–42, 1030 Vienna, www.dsb.gv.at.
1.11 No Automated Decision-Making
No automated decision-making, including profiling within the meaning of Art. 22 GDPR, takes place.
1.12 Children / Minimum Age
The App is intended for users of legal age and not for children. Insofar as processing is based on consent, in Austria this requires a minimum age of 14 years pursuant to Art. 8 GDPR; for younger persons, the consent of the legal guardians is required. We do not knowingly collect data from children below this age.
1.13 Changes
We adapt this policy when data processing or the legal situation changes. The version available in the App/website at any given time applies.
This English version is a translation provided for your convenience. The legally binding version of this Privacy Policy is the German version. In the event of any discrepancy between the German and English versions, the German version shall prevail.