Legal

Privacy policy

What data we hold, why we hold it, and how to control it. Aligned with GDPR, UK GDPR and CCPA.

Last updated 2026-06-13

1. Overview

Growvit GmbH ("Hoofine", "we") is the data controller (Verantwortlicher) within the meaning of Art. 4(7) GDPR for personal data collected through the Hoofine platform. Full company details are in our Imprint. This policy explains what we collect, why, and your rights.

We follow the principles of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the UK GDPR, and the California Consumer Privacy Act (CCPA).

2. What we collect

Account data: name, email address, phone number, password hash, locale and timezone.

KYC and verification data: government-issued ID, proof of address, and for sellers a Stripe Connect onboarding record. Verification of horses may include microchip IDs, registry records and vet-sighted photographs.

Biometric data (special category under Art. 9 GDPR): when you obtain the Verified member badge, our identity-verification provider Stripe Identity captures a short selfie and liveness video and applies biometric facial-recognition technology to confirm that your photo ID belongs to you. Stripe collects your explicit consent before this capture and returns to us only a pass/fail result together with the verified identity fields (such as name and date of birth) — we never receive or store the underlying biometric template, selfie or document images.

Transaction data: listings, messages, escrow transactions, payout accounts, and dispute evidence.

Technical data: IP address, device and browser identifiers, referring URLs and coarse-grained location, collected through cookies and server logs.

4. Who we share with

Service providers (processors) acting under contract: OVH (server and database hosting, in the EU), Cloudflare (CDN, reverse proxy and R2 media storage), Stripe (payments, KYC, and biometric identity verification via Stripe Identity), and Resend (transactional email). Each is bound by a data-processing agreement to process data only under our instructions.

Authentication and analytics providers: Google (Google Sign-In/OAuth, and — only with your analytics consent — Google Analytics 4, including server-side measurement of conversion events) and Meta Platforms (Facebook Login, only if you choose to sign in with Facebook). These providers act as independent controllers or processors for the limited data described in our Cookie Policy; analytics data is pseudonymised and never linked to your account.

Registries and partner vets, only as needed to verify a specific horse or transaction.

Law enforcement, when legally required — and documented in our transparency report.

We do not sell personal data. We do not share personal data for cross-context behavioural advertising.

5. Retention

Account and transaction records are retained for as long as your account is active, plus up to 7 years to meet tax and anti-fraud obligations.

KYC records are retained for 5 years after the end of the business relationship, as required by AML rules.

Analytics data is retained for up to 25 months in anonymised form.

6. Your rights

You can access, correct and export your personal data from the account page. Account closure and erasure requests are handled by emailing [email protected] or [email protected] — self-service account deletion is not offered, because Hoofine accounts hold ongoing escrow and listing obligations (see Terms §11). We honour statutory erasure rights to the extent required by applicable law, and may retain minimal records where law requires (tax, AML, fraud prevention, dispute history). Under the GDPR you have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection (Art. 21). You may withdraw consent at any time without affecting the lawfulness of prior processing. You also have the right to lodge a complaint with the data protection supervisory authority of your habitual residence; the supervisory authority for Growvit GmbH (registered seat in Hamburg) is the Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit (HmbBfDI), Ludwig-Erhard-Straße 22, 20459 Hamburg, https://datenschutz-hamburg.de.

California residents have the rights to know, delete and correct under the CCPA, and may designate an authorised agent to make requests. Deletion requests are processed by emailing [email protected].

7. International transfers

Growvit GmbH is established in Germany, and our servers and primary database are hosted within the EU (OVH). Some personal data may be transferred to the United States and other countries — in particular to Stripe (payments and KYC), Cloudflare (storage and CDN), Resend (transactional email), and — where you use the relevant feature — Google (Sign-In and, with consent, Analytics) and Meta Platforms (Facebook Login). Where the recipient country is not covered by an EU adequacy decision, transfers are protected by the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum and the EU-U.S. Data Privacy Framework (under which Stripe, Google and Meta self-certify).

8. Cookies

We use strictly-necessary cookies to authenticate sessions and prevent fraud. We use optional analytics cookies (including Google Analytics 4) only with your consent. A full, itemised cookie table — names, purposes, durations and the party that sets each — is published in our Cookie Policy at /cookies.

9. Children

Hoofine is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact [email protected] for deletion.

10. Business directory listings

Hoofine publishes a directory of equine businesses (stud farms, vets, farriers, riding schools, transporters and similar). Some directory entries are not created by the business itself: we compile them from publicly accessible sources, including public business directories and online map services, so that the directory is useful from day one. Where a listing concerns a sole proprietor or a freelancer, the business contact details (name, address, phone, email) are personal data within the meaning of the GDPR.

We process this data on the basis of our legitimate interests under Art. 6(1)(f) GDPR — operating a comprehensive, searchable directory that helps horse owners find equine services, and helping businesses reach customers. The categories of data are limited to business-identifying and contact information: name, category, address and location, phone, email, website and public social links. We do not copy third-party review text onto Hoofine; where ratings exist, we link out to the original source rather than republishing them.

Because this data is not collected directly from you, Art. 14 GDPR applies. Providing individual notice to every listed business would involve disproportionate effort given the number of entries, so under Art. 14(5)(b) GDPR we make this information publicly available here instead. The source of a given entry is the public source described above.

If you are the subject of a seeded listing you can object at any time (Art. 21 GDPR) and have it removed (Art. 17 GDPR). Every seeded listing carries a self-service "Request removal" option that verifies control of the listing's published contact details and takes the entry down — no Hoofine account is required. You can also claim a listing to manage it yourself, or write to [email protected] and we will action the request.

11. Contact

Privacy and data protection enquiries, and all data-subject requests: [email protected]. As the controller is established in Germany (within the EU/EEA), no Art. 27 GDPR EU representative is required; for UK GDPR matters you may also write to the same address.

See also: Terms of service, Anti-fraud policy.