1. Overview
Growvit GmbH ("Hoofine", "we") is the data controller (Verantwortlicher) within the meaning of Art. 4(7) GDPR for personal data collected through the Hoofine platform. Full company details are in our Imprint. This policy explains what we collect, why, and your rights.
We follow the principles of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the UK GDPR, and the California Consumer Privacy Act (CCPA).
2. What we collect
Account data: name, email address, phone number, password hash, locale and timezone.
KYC and verification data: government-issued ID, proof of address, and for sellers a Stripe Connect onboarding record. Verification of horses may include microchip IDs, registry records and vet-sighted photographs.
Biometric data (special category under Art. 9 GDPR): when you obtain the Verified member badge, our identity-verification provider Stripe Identity captures a short selfie and liveness video and applies biometric facial-recognition technology to confirm that your photo ID belongs to you. Stripe collects your explicit consent before this capture and returns to us only a pass/fail result together with the verified identity fields (such as name and date of birth) — we never receive or store the underlying biometric template, selfie or document images.
Transaction data: listings, messages, escrow transactions, payout accounts, and dispute evidence.
Technical data: IP address, device and browser identifiers, referring URLs and coarse-grained location, collected through cookies and server logs.
3. Why we process it
To perform our contract with you (operate the marketplace, process escrow, deliver verification).
To comply with legal obligations (KYC, anti-money-laundering, tax reporting).
For our legitimate interests in preventing fraud, ensuring animal welfare, and improving the Service.
For biometric identity verification, on the basis of your explicit consent under Art. 9(2)(a) GDPR, which Stripe Identity collects at the point of capture. Providing this is optional — if you decline, the Verified member badge is simply unavailable and the rest of the Service remains fully usable.
With your consent, for optional marketing communications and non-essential analytics cookies.
5. Retention
Account and transaction records are retained for as long as your account is active, plus up to 7 years to meet tax and anti-fraud obligations.
KYC records are retained for 5 years after the end of the business relationship, as required by AML rules.
Analytics data is retained for up to 25 months in anonymised form.
6. Your rights
You can access, correct and export your personal data from the account page. Account closure and erasure requests are handled by emailing [email protected] or [email protected] — self-service account deletion is not offered, because Hoofine accounts hold ongoing escrow and listing obligations (see Terms §11). We honour statutory erasure rights to the extent required by applicable law, and may retain minimal records where law requires (tax, AML, fraud prevention, dispute history). Under the GDPR you have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection (Art. 21). You may withdraw consent at any time without affecting the lawfulness of prior processing. You also have the right to lodge a complaint with the data protection supervisory authority of your habitual residence; the supervisory authority for Growvit GmbH (registered seat in Hamburg) is the Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit (HmbBfDI), Ludwig-Erhard-Straße 22, 20459 Hamburg, https://datenschutz-hamburg.de.
California residents have the rights to know, delete and correct under the CCPA, and may designate an authorised agent to make requests. Deletion requests are processed by emailing [email protected].
7. International transfers
Growvit GmbH is established in Germany, and our servers and primary database are hosted within the EU (OVH). Some personal data may be transferred to the United States and other countries — in particular to Stripe (payments and KYC), Cloudflare (storage and CDN), Resend (transactional email), and — where you use the relevant feature — Google (Sign-In and, with consent, Analytics) and Meta Platforms (Facebook Login). Where the recipient country is not covered by an EU adequacy decision, transfers are protected by the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum and the EU-U.S. Data Privacy Framework (under which Stripe, Google and Meta self-certify).
9. Children
Hoofine is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact [email protected] for deletion.
10. Business directory listings
Hoofine publishes a directory of equine businesses (stud farms, vets, farriers, riding schools, transporters and similar). Some directory entries are not created by the business itself: we compile them from publicly accessible sources, including public business directories and online map services, so that the directory is useful from day one. Where a listing concerns a sole proprietor or a freelancer, the business contact details (name, address, phone, email) are personal data within the meaning of the GDPR.
We process this data on the basis of our legitimate interests under Art. 6(1)(f) GDPR — operating a comprehensive, searchable directory that helps horse owners find equine services, and helping businesses reach customers. The categories of data are limited to business-identifying and contact information: name, category, address and location, phone, email, website and public social links. We do not copy third-party review text onto Hoofine; where ratings exist, we link out to the original source rather than republishing them.
Because this data is not collected directly from you, Art. 14 GDPR applies. Providing individual notice to every listed business would involve disproportionate effort given the number of entries, so under Art. 14(5)(b) GDPR we make this information publicly available here instead. The source of a given entry is the public source described above.
If you are the subject of a seeded listing you can object at any time (Art. 21 GDPR) and have it removed (Art. 17 GDPR). Every seeded listing carries a self-service "Request removal" option that verifies control of the listing's published contact details and takes the entry down — no Hoofine account is required. You can also claim a listing to manage it yourself, or write to [email protected] and we will action the request.
11. Contact
Privacy and data protection enquiries, and all data-subject requests: [email protected]. As the controller is established in Germany (within the EU/EEA), no Art. 27 GDPR EU representative is required; for UK GDPR matters you may also write to the same address.