Privacy Policy

1. Introduction

This Privacy Policy explains how SaddleSync collects, uses, shares, and protects your personal information. It applies to all users of saddlesync.app and all barn subdomains operated on the platform.

2. Information We Collect

Account Data: When you create an account, we collect your name, email address, phone number, and a hashed version of your password.

Child and Rider Data: Parents and guardians provide information about their children, including name, date of birth, skill level, emergency contact name and phone number, and optional medical notes or allergies. This data is provided with parent or guardian consent.

Barn Data: Barn owners provide their barn name, subdomain, timezone, logo, and administrative settings.

Financial Data: Payment information is processed and stored by Stripe. SaddleSync does not store credit card numbers or full bank account details.

Waiver Data: Digital signatures, typed legal names, and agreement timestamps are collected and stored when parents sign liability waivers.

Usage Data: We collect session data, login timestamps, and notification preferences to operate the platform.

3. How We Use Your Information

We use your information to provide the core SaddleSync service: lesson scheduling, enrollment management, makeup token tracking, payment processing (via Stripe), email and SMS notifications (via Resend and Twilio), calendar synchronization (via Google Calendar API, when enabled by a barn administrator), and platform administration and support.

4. How We Share Your Information

With Barn Administrators: Parent and child data is shared with the administrators of the barn where the family is enrolled. Barn administrators can view rider details, enrollment history, and payment records for their barn only.

With Payment Processors: Stripe receives payment-related data necessary to process transactions between parents and barns.

With Communication Providers: Resend receives email addresses for transactional email delivery. Twilio receives phone numbers for SMS notifications, when enabled.

With Cloud Storage: Amazon Web Services (AWS S3) stores waiver documents and digital signatures.

With Google: Calendar event data is shared with Google Calendar when a barn administrator enables calendar synchronization.

With Analytics Providers: PostHog receives anonymized usage data and product analytics to help us improve the platform. Upstash processes IP addresses for rate limiting and security purposes.

With Accounting Providers: When a barn administrator connects QuickBooks Online or Xero, invoice and payment data is synced to the connected accounting platform for that barn's records.

We do not sell your personal data to third parties. We do not share your data with advertisers.

5. Children's Privacy

SaddleSync does not collect personal information directly from children under 13. All child data is provided by a parent or legal guardian during the registration process.

Child data collected is limited to what is necessary for lesson management: name, date of birth, skill level, emergency contacts, and medical notes.

Parents may request access to, correction of, or deletion of their child's data at any time through their dashboard or by contacting support.

6. Data Security

We use industry-standard security measures to protect your data, including HTTPS encryption for all data in transit, hashed passwords, and role-based access controls.

Payment data is handled by Stripe, which is PCI DSS compliant. SaddleSync does not process or store raw payment card data.

7. Data Retention

Account data is retained for as long as your account is active. Waiver records are retained in accordance with legal requirements. Payment records are retained per Stripe's data retention policies.

Upon account deletion, your personal data will be removed within a reasonable processing period, except where retention is required by law.

8. Multi-Tenancy and Data Isolation

Each barn on SaddleSync operates as an independent tenant. Barn administrators can only access data for users enrolled at their barn. Data from one barn is not visible to administrators of another barn.

Platform administrators have limited access to barn and user data for the purposes of support, billing, and enforcing these terms.

9. Your Rights

You may access and update your personal information through your SaddleSync dashboard at any time. You may request a copy of your data or request that your account and data be deleted by contacting support@saddlesync.app.

You may opt out of non-essential notifications through your notification preferences. Transactional notifications (such as booking confirmations) cannot be fully disabled while your account is active.

10. Cookies and Tracking

SaddleSync uses session cookies for authentication purposes. We use Sentry for error tracking and application monitoring, and PostHog for product analytics (usage patterns, feature adoption, and performance metrics).

We do not use third-party advertising trackers or sell data to ad networks.

11. Data Retention Periods

Account data is retained for as long as your account is active. Upon account deletion, personal data is removed within 30 days, except as noted below.

Financial and payment records are retained for 7 years in accordance with tax and accounting regulations. Waiver records (including digital signatures) are retained for a minimum of 3 years after the last activity date, or longer as required by applicable law. Notification logs are retained for 90 days. Analytics data is retained in anonymized form and is not subject to deletion requests.

12. Cross-Border Data Transfers

SaddleSync's services are hosted in the United States. If you access the platform from outside the United States, your data will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.

By using SaddleSync, you consent to the transfer of your data to the United States. We rely on industry-standard security measures to protect your data during transfer and storage.

13. Data Breach Notification

In the event of a data breach that compromises your personal information, SaddleSync will notify affected users via email within 72 hours of confirming the breach. Notification will include the nature of the breach, the types of data affected, steps we are taking to address it, and recommended actions you can take to protect yourself.

We will also notify applicable regulatory authorities as required by law.

14. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.

Right to Delete: You may request deletion of your personal information, subject to certain exceptions (such as legal retention requirements).

Right to Correct: You may request correction of inaccurate personal information.

Right to Opt Out of Sale or Sharing: SaddleSync does not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.

Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To submit a request, contact us at support@saddlesync.app. We will verify your identity before processing your request and respond within 45 days.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email. Continued use of SaddleSync after changes take effect constitutes acceptance of the updated policy.

16. Contact

If you have questions about this Privacy Policy or your data, please contact us at support@saddlesync.app.