Privacy policy

Growvit GmbH ("Hoofine", "we") is the data controller (Verantwortlicher) within the meaning of Art. 4(7) GDPR for personal data collected through the Hoofine platform. Full company details are in our Imprint. This policy explains what we collect, why, and your rights.

We follow the principles of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the UK GDPR, and the California Consumer Privacy Act (CCPA).

Account data: name, email address, phone number, password hash, locale and timezone.

KYC and verification data: government-issued ID, proof of address, and for sellers a Stripe Connect onboarding record. Verification of horses may include microchip IDs, registry records and vet-sighted photographs.

Transaction data: listings, messages, escrow transactions, payout accounts, and dispute evidence.

Technical data: IP address, device and browser identifiers, referring URLs and coarse-grained location, collected through cookies and server logs.

To perform our contract with you (operate the marketplace, process escrow, deliver verification).

To comply with legal obligations (KYC, anti-money-laundering, tax reporting).

For our legitimate interests in preventing fraud, ensuring animal welfare, and improving the Service.

With your consent, for optional marketing communications and non-essential analytics cookies.

Service providers (processors) acting under contract: OVH (server and database hosting, in the EU), Cloudflare (CDN, reverse proxy and R2 media storage), Stripe (payments and KYC), and Resend (transactional email). Each is bound by a data-processing agreement to process data only under our instructions.

Authentication and analytics providers: Google (Google Sign-In/OAuth, and — only with your analytics consent — Google Analytics 4, including server-side measurement of conversion events) and Meta Platforms (Facebook Login, only if you choose to sign in with Facebook). These providers act as independent controllers or processors for the limited data described in our Cookie Policy; analytics data is pseudonymised and never linked to your account.

Registries and partner vets, only as needed to verify a specific horse or transaction.

Law enforcement, when legally required — and documented in our transparency report.

We do not sell personal data. We do not share personal data for cross-context behavioural advertising.

Account and transaction records are retained for as long as your account is active, plus up to 7 years to meet tax and anti-fraud obligations.

KYC records are retained for 5 years after the end of the business relationship, as required by AML rules.

Analytics data is retained for up to 25 months in anonymised form.

You can access, correct and export your personal data from the account page. Account closure and erasure requests are handled by emailing [email protected] or [email protected] — self-service account deletion is not offered, because Hoofine accounts hold ongoing escrow and listing obligations (see Terms §11). We honour statutory erasure rights to the extent required by applicable law, and may retain minimal records where law requires (tax, AML, fraud prevention, dispute history). Under the GDPR you have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection (Art. 21). You may withdraw consent at any time without affecting the lawfulness of prior processing. You also have the right to lodge a complaint with the data protection supervisory authority of your habitual residence; the supervisory authority for Growvit GmbH (registered seat in Hamburg) is the Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit (HmbBfDI), Ludwig-Erhard-Straße 22, 20459 Hamburg, https://datenschutz-hamburg.de.

California residents have the rights to know, delete and correct under the CCPA, and may designate an authorised agent to make requests. Deletion requests are processed by emailing [email protected].

Growvit GmbH is established in Germany, and our servers and primary database are hosted within the EU (OVH). Some personal data may be transferred to the United States and other countries — in particular to Stripe (payments and KYC), Cloudflare (storage and CDN), Resend (transactional email), and — where you use the relevant feature — Google (Sign-In and, with consent, Analytics) and Meta Platforms (Facebook Login). Where the recipient country is not covered by an EU adequacy decision, transfers are protected by the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum and the EU-U.S. Data Privacy Framework (under which Stripe, Google and Meta self-certify).

We use strictly-necessary cookies to authenticate sessions and prevent fraud. We use optional analytics cookies (including Google Analytics 4) only with your consent. A full, itemised cookie table — names, purposes, durations and the party that sets each — is published in our Cookie Policy at /cookies.

Hoofine is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact [email protected] for deletion.

Privacy and data protection enquiries, and all data-subject requests: [email protected]. As the controller is established in Germany (within the EU/EEA), no Art. 27 GDPR EU representative is required; for UK GDPR matters you may also write to the same address.