This policy describes how EQUI-SCAN collects, uses and protects your personal data. It has been drawn up in accordance with Regulation (EU) 2016/679 (GDPR) and the amended French Data Protection Act.
1. Data controller
The data controller for personal data collected via EQUI-SCAN is L&L FRANCE, a simplified joint-stock company (SAS) with a share capital of €1,000, registered with the Bordeaux Trade and Companies Register under number 910 953 256.
Head office : Bordeaux, France
GDPR Contact : support@equi-scan.com
Given our size, we have not appointed a Data Protection Officer (DPO) — this is not mandatory under Article 37 of the GDPR. Any queries regarding the protection of your data may be addressed to the above address.
2. Data collected and purposes
We collect only the data strictly necessary for the purposes described below. Each processing operation is based on a specific legal basis within the meaning of Article 6 of the GDPR.
(a) Management of the manager’s account
Data : surname, first name, email address, telephone number, password (hashed), name and address of the riding school.
Purpose : account creation, authentication, access to the service.
Legal basis : performance of the contract (Article 6(1)(b) of the GDPR).
(b) Horse records and operational data
Data : name, photo, age, breed, ability level, daily routine, care requirements, and the instructor’s instructions. This information relates to the animal and does not constitute personal data within the meaning of the GDPR, unless it includes details that could identify the owners.
Purpose : provide stable management services.
Legal basis : performance of the contract (Article 6(1)(b) of the GDPR).
(c) Invoicing and payment
Data : billing information, Stripe customer ID (credit card details never pass through our servers).
Purpose : collection of subscription fees, issuing invoices, bookkeeping.
Legal basis : performance of the contract and legal obligations (Articles 6(1)(b) and 6(1)(c) of the GDPR — ten-year retention period for accounting purposes).
(d) Transactional emails
Data : email, first name.
Purpose : sending service-related notifications (password reset, payment confirmation, subscription expiry).
Legal basis : performance of the contract (Article 6(1)(b) of the GDPR).
(e) Newsletters and marketing communications
Data : email, first name.
Purpose : sending product information and promotional offers.
Legal basis : explicit consent (Article 6(1)(a) of the GDPR), which may be withdrawn at any time via the unsubscribe link included in every email.
(f) Audience measurement and service improvement
Data : anonymised IP address, pages viewed, duration, browsing path, device type, anonymous session logs.
Purpose : usage statistics, bug detection, usability improvements.
Legal basis : consent (Art. 6(1)(a) of the GDPR), via the cookie banner. No analytical cookies are set until you have given your consent.
3. Subcontractors and recipients
Your data is shared only with technical service providers that are strictly necessary for the operation of the service. Each is bound by a contract in accordance with Article 28 of the GDPR.
- OVH (hosting, France) — databases, application servers, emails. Location: European Union.
- Stripe Payments Europe Ltd. (payments, Ireland) — Credit card processing and subscriptions. Data transfers to the United States governed by the Standard Contractual Clauses and the Data Privacy Framework.
- Google Ireland Ltd. (audience measurement, Ireland, subject to your consent) — Google Analytics 4 via Google Tag Manager. Technical transfer to the United States governed by the Standard Contractual Clauses and the Data Privacy Framework.
- Microsoft Ireland Operations Ltd. (heat maps, Ireland, subject to your consent) — Microsoft Clarity, anonymous session recordings. Transfer as described above.
4. Retention periods
- Active account : for the entire duration of the subscription.
- Inactive account (hasn't logged in for 3 years) : automatic deletion following a warning email.
- Account closed at the customer’s request : deletion within 30 days.
- Invoices and accounting data : 10 years (legal requirement, Article L.123-22 of the Commercial Code).
- Technical and security logs : A maximum of 12 months.
- Audience measurement cookies : A maximum of 13 months (CNIL recommendation).
- Cookie consent options : 6 months (after that, the banner reappears).
5. Your rights
In accordance with the GDPR, you have the following rights regarding your data at any time:
- Right of access (to find out what data we hold about you).
- Right to rectification (correcting inaccurate data).
- Right to erasure (‘right to be forgotten’).
- Right to restriction of processing.
- Right to data portability (to receive your data in a machine-readable format).
- Right to object to processing.
- Right to withdraw your consent at any time (analytical cookies, newsletter).
- Right to set out post-mortem instructions regarding what should happen to your data.
To exercise a right, email support@equi-scan.com with the details of your request. We will reply within one month at the latest.
If you believe your rights are not being respected, you have the right to lodge a complaint with the CNIL (3 place de Fontenoy, 75007 Paris).
6. Cookies and trackers
EQUI-SCAN uses three categories of cookies; details of these and how to manage them can be found in the consent banner displayed when you first visit the site:
- Strictly necessary cookies (session, authentication, CSRF protection, language selection) — always active, exempt from consent (section 82 of the Data Protection Act).
- Audience measurement cookies (Google Analytics 4) — stored only after you have given your explicit consent.
- Heatmap cookies (Microsoft Clarity) — collected only with your explicit consent.
7. Security
We implement technical and organisational measures to protect your data: TLS 1.3 encryption for all communications, bcrypt hashing of passwords, daily encrypted backups, restricted access for administrators, and logging of sensitive access.
In the event of a data breach that is likely to pose a risk to your rights and freedoms, you will be notified as soon as possible, in accordance with Article 34 of the GDPR.
8. Changes to this policy
This policy may be subject to change to reflect changes to the service, our subcontractors or the relevant regulations. You will be notified of any substantial changes by email and/or via a banner displayed on the website before they come into effect.