Privacy & Cookies Policy
Effective: 25th March 2026
1. Who We Are
This website and platform are operated by Jack Joynson Software Limited (“JJS”, “we”, “us”, “our”), a company incorporated in England and Wales with company number 12530292. JJS is registered with the Information Commissioner’s Office (ICO) under registration reference ZB177498.
Contact: support@jack.joynson.software
2. Our Role: Platform Provider
JJS is the Data Controller for your account and platform data (see section 3).
The riding centre ("Centre") using this instance of the platform is an independent business. The Centre is the Data Controller for its own operational data (bookings, lesson records, payments, instructor notes, etc.). JJS acts only as a Data Processor for that data, processing it solely on the Centre's instructions. The Centre's own privacy notice governs how they use your data.
3. Data We Collect as Controller
JJS only processes the following data in its own right as Data Controller. All other data held on the platform (bookings, payments, medical notes, addresses, etc.) is processed on behalf of the Centre.
| Data | Examples | Lawful Basis (UK GDPR) |
|---|---|---|
| Account credentials | Email address, display name, password (hashed) | Art. 6(1)(b) — necessary to provide the service |
| Security & technical data | Authentication tokens, server logs (IP address, timestamps) | Art. 6(1)(b) & 6(1)(c) — necessary to provide the service and to comply with legal obligations (including fraud prevention under PSD2) |
| Support & enquiry data | Name and email address included in messages sent to us directly (e.g. to support@jack.joynson.software) | Art. 6(1)(a) — consent (you voluntarily provide this when contacting us; you may request deletion at any time) |
| Usage & performance data | Aggregated and anonymised usage patterns, error logs, performance metrics | Not applicable — genuinely anonymised data is not personal data and falls outside the scope of UK GDPR |
4. Health and Medical Data
Riders may optionally enter health and medical information (e.g. disabilities, allergies, medications). This is special category data under UK GDPR Art. 9. The Centre is the Data Controller for this information and determines how it is used (for safety, horse allocation, and insurance purposes).
JJS stores this data solely as Data Processor on the Centre's behalf. Please refer to the Centre's own privacy notice for details of how your health data is handled and your rights in relation to it.
5. Third-Party Processors
For JJS account data (email, display name, password):
| Processor | Purpose | Privacy Policy |
|---|---|---|
| Google Firebase (Google LLC) | Authentication | policies.google.com/privacy |
Sub-processors used when acting on the Centre's behalf:
The Centre, as Data Controller, is responsible for the lawful use of the sub-processors listed below. JJS uses these services solely to operate the platform on the Centre's instructions.
| Sub-processor | Purpose | Privacy Policy |
|---|---|---|
| Google Firebase (Google LLC) | Database and cloud hosting | policies.google.com/privacy |
| Stripe, Inc. | Payment processing and fraud prevention | stripe.com/gb/privacy |
| GoCardless Ltd | Payment processing and fraud prevention | gocardless.com/privacy |
| Amazon Web Services | Transactional email delivery | aws.amazon.com/privacy |
No personal data is sold or shared with advertisers, analytics providers, or other third parties beyond those listed above.
6. International Data Transfers
JJS is based in the United Kingdom and primarily processes data here. However, some of the third-party processors listed in section 5 (Google Firebase and Amazon Web Services) may process data outside the UK and European Economic Area (EEA).
Where data is transferred internationally, it is protected by appropriate safeguards — typically the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs). Please refer to the relevant processor's privacy policy for details of the safeguards they apply.
7. Data Retention
- Account credentials (email, display name) are retained for as long as your account is active.
- On account closure, your account credentials are deleted promptly.
- Encrypted backups are retained for up to 90 days, after which they are permanently purged. Any deletion requests are re-applied on backup restoration.
- All other data (bookings, payments, medical notes, etc.) is held on behalf of the Centre. Retention of that data is governed by the Centre's own policies.
- JJS's own business records (e.g. subscription invoices to the Centre) are retained for 7 years to comply with HMRC requirements.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, JJS will notify the ICO within 72 hours and inform affected individuals without undue delay. Where a breach affects data held on behalf of a Centre, we will also notify that Centre promptly so they can fulfil their own notification obligations to their users.
8. Cookies & Browser Storage
This site uses cookies for authentication, security, payment processing, and platform analytics. No advertising or marketing cookies are used.
| Category | What it includes | Why we use it | Lawful basis |
|---|---|---|---|
| Authentication & Security | Google (SID, __Secure-*), Cloudflare (CF_*) | To keep you logged in, verify your identity, and protect our servers from automated bot attacks. | Art. 6(1)(b) & 6(1)(c) — contract performance and legal obligation (fraud and bot prevention) |
| Payment & Fraud Prevention | Stripe (__stripe_mid, __stripe_sid, machine_identifier) | To process payments securely and prevent fraudulent transactions. | Art. 6(1)(b) — contract performance |
| Site Preferences | cookieCompliancyAccepted | To remember that you've already seen our cookie notice so it isn't shown again. | Strictly necessary (PECR exempt) — set solely to honour your choice not to see the notice again; no GDPR lawful basis required |
| Platform Analytics | ajs_anonymous_id | To understand how users move through the booking process and improve the platform. | Not applicable — this identifier is not linked to any personal data held by JJS and is not used to re-identify individuals |
Session Storage
In addition to cookies, we use session storage to temporarily cache data (such as your current booking selection) so the app stays fast and responsive as you navigate between pages. This data is cleared automatically when you close your browser tab.
Local Storage
We also use local storage for longer-term cached data that persists across sessions, including your basic account and display settings. This data remains on your device until cleared via your browser settings.
9. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
- Access — request a copy of your personal data.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — request deletion of your personal data where conditions are met.
- Restriction — request that we limit processing of your data.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, you may withdraw at any time without affecting prior processing.
For data JJS controls (your account credentials, security data, and support enquiries — see section 3), contact us at support@jack.joynson.software. We will respond within one calendar month. Subject Access Requests are free of charge.
For all other data (bookings, payments, medical notes, etc.), the Centre is the Data Controller. Please refer to the Centre's own privacy policy and contact them directly to exercise your rights in relation to that data.
10. Complaints
If you have concerns about how we handle your data, please contact us first at support@jack.joynson.software. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
11. Children
This platform is not directed at children under 13. Riders aged under 13 must have an account created and managed by a parent or guardian, who is responsible for ensuring all information provided is accurate and appropriate.
12. Changes to This Policy
We may update this policy from time to time. The effective date at the top of this page indicates when the policy was last revised. Continued use of the platform after a change is posted constitutes acceptance of the updated policy.