Privacy policy
- Effective: 17 May 2026
- Last updated: 17 May 2026
In short: We collect the data we need to run bookings, payments, and horse care at your club — nothing else. We never sell personal data. Medical notes about riders and horses are encrypted at rest. You can access, correct, or delete your data at any time by contacting info@cavaliq.com.
1. Who we are
Cavaliq is an equestrian club management platform operated under the brand “Cavaliq” from the United Arab Emirates. The operating legal entity is in the process of being registered; once registration is complete, the entity name, trade licence number, and registered office address will be published in this section. Until then, Cavaliq operates as an unincorporated business and the founder is the data controller of record.
For the purposes of this policy:
- “Cavaliq”, “we”, “us”, or “our” means the entity described above.
- “You” means any individual whose personal data we process — a club staff member, coach, rider, parent, guardian, horse owner, or visitor to our website.
- “Club” means a riding stable or equestrian club that subscribes to Cavaliq and uses it to manage bookings, riders, horses, and payments.
2. Who controls your data
Cavaliq plays two different roles depending on the data:
- When you sign up directly on cavaliq.com (e.g. as a rider browsing stables, a club owner starting a trial, or a visitor to our marketing pages), Cavaliq is the data controller for your account, billing, and product-usage data.
- When a club uses Cavaliq to manage its riders, horses, bookings, and finances, the club is the data controller of that operational data. Cavaliq is the data processor, processing the data on the club’s documented instructions. The relationship between Cavaliq and the club is governed by the Data Processing Addendum.
If you need to exercise data subject rights against operational data that a specific club manages (for example, asking your stable to delete its records about you), please contact that club directly. We will help facilitate the request.
3. What we collect
We only collect the personal data we need for the purposes set out in section 4. Categories:
3.1 Account data
- Name, email address, phone number (optional), profile photo (optional).
- Authentication identifiers from Clerk (our identity provider) — user ID, sign-in timestamps, IP address of the device used to sign in.
- Role within a club (e.g. admin, coach, rider, parent, owner, groom).
3.2 Booking and lesson data
- Lesson types booked, dates, arenas, horses assigned, coaches assigned.
- Cancellation and no-show history.
- Notes coaches make about lessons (skill progression, observations).
3.3 Rider profile data
- Date of birth, skill level, weight, height (when relevant to horse matching).
- Emergency contact name and phone number.
- Medical notes and allergies — only when the rider or their parent chooses to provide them, so coaches and staff can keep the rider safe. Encrypted at rest.
- For minors: parent or guardian name and contact details.
3.4 Horse profile and health data
- Horse name, breed, age, sex, markings, weight limits, skill match.
- Veterinary records, vaccination dates, farrier visits, dental visits, medications, feed plans. The clinically sensitive parts are encrypted at rest.
- Owner contact information for ownership records.
3.5 Payment data
- Amount, currency, payment method type, last 4 digits of the card (where the payment processor returns this), transaction reference.
- We never see or store full card numbers, CVV codes, or bank credentials. All card data is handled by Stripe, Ziina, or Network International (N-Genius) directly from your browser. We receive only tokens and references.
- Billing address and VAT details for invoicing the club’s subscription.
3.6 Product-usage and technical data
- Pages visited, features used, approximate location derived from IP, browser and device type, time zone, language preference.
- Crash reports and performance traces collected by Sentry to help us fix bugs. These exclude form values and authentication tokens.
- Audit log entries — who did what, when — so clubs can investigate disputes and so we can investigate security incidents.
4. Why we process your data (purposes and legal bases)
Under UAE PDPL (Federal Decree-Law No. 45 of 2021) and the GDPR (where it applies), we must identify a lawful basis for every processing activity. Our purposes and bases:
- To provide the service. Manage bookings, payments, horse care, and staff rotas. Legal basis: performance of the contract you (or your club) have with us.
- To keep riders and horses safe. Surface allergies, weight limits, and medical alerts to authorised staff. Legal basis: protection of vital interests and, for sensitive data, your explicit consent given when you completed the profile.
- To bill your club. Invoice subscriptions, send renewal reminders, handle refunds and chargebacks. Legal basis: performance of the contract.
- To comply with law. Tax records, anti-fraud screening, retention of payment records, response to lawful requests from regulators. Legal basis: legal obligation.
- To improve the product and keep it secure. Crash analytics, abuse detection, rate limiting. Legal basis: our legitimate interests in running a reliable, secure service, balanced against your interests.
- To communicate with you. Service announcements, security notices, and — if you opt in — product updates and marketing. Legal basis: performance of the contract for service messages; consent for marketing.
5. Sensitive data
Two categories of data we process can be considered sensitive under most data protection laws:
- Rider medical notes and allergies. Provided voluntarily by the rider or their guardian. Stored encrypted at rest. Visible only to club staff with a role that needs to see them (admin, manager, coach). Never used for marketing, analytics, or any purpose other than rider safety.
- Horse veterinary and medication records. Strictly speaking these are animal-health records, not personal data — but they are treated with the same protections to maintain trust with owners and clubs.
We rely on your explicit consent to process medical notes. You can withdraw consent at any time by deleting the data from your rider profile or by emailing info@cavaliq.com. Withdrawal will not affect the lawfulness of processing carried out before withdrawal.
6. Who we share your data with
We share personal data only with the following categories of recipients, and only to the extent necessary for the purposes in section 4:
- Your club and its authorised staff. The club sees data about its own riders, horses, and staff in order to run its operations.
- Our subprocessors — listed publicly on the subprocessors page. Each subprocessor is bound by written terms equivalent to those in our Data Processing Addendum.
- Payment processors that your club has connected — Stripe, Ziina, or Network International (N-Genius). Cavaliq is not a payment processor; the club’s chosen processor receives card data directly from your browser, and Cavaliq is given only the tokens and references needed to reconcile transactions.
- Professional advisers (lawyers, auditors, accountants) under strict confidentiality, when their advice requires it.
- Regulators, courts, and law enforcement, where we are legally compelled and the request is valid under applicable law.
- An acquirer, if Cavaliq is sold, merged, or restructured. Any transfer would be subject to confidentiality and the protections in this policy.
We do not sell personal data. We do not share personal data with advertising networks or data brokers.
7. International transfers
Cavaliq is operated from the United Arab Emirates, but the infrastructure that runs the service is global. The following transfers occur in normal operation:
- Database (Neon Postgres) — United States. Our primary database is hosted in a US region.
- Edge hosting and CDN (Cloudflare) — global edge. Your request is served from the nearest Cloudflare data centre; routing data may transit through multiple regions.
- Authentication (Clerk) — United States.
- Transactional email (Resend) — United States and EU.
- Error monitoring (Sentry) — United States or EU, depending on configuration.
We rely on the following safeguards for these transfers:
- Contractual commitments equivalent to the EU Standard Contractual Clauses (SCCs) with each subprocessor.
- Technical measures: encryption in transit (TLS 1.2+) and at rest, application-level encryption for medical fields, strict access controls, and audit logging.
- Tenant-level data isolation enforced in the application layer, so one club’s data is never returned to another club.
If your jurisdiction requires a specific transfer mechanism (for example, prior approval from SDAIA for Saudi residents, or an adequacy mechanism for UAE PDPL), we will work with you and your club to put the appropriate safeguards in place.
8. How long we keep your data
We retain personal data only for as long as we need it for the purposes set out in this policy, after which we delete or anonymise it. Typical retention:
- Account data — for the life of your account, plus 30 days after deletion (to allow recovery of accidentally deleted accounts).
- Booking history — 7 years, to support tax records, dispute resolution, and rider-progression reporting requested by the club.
- Payment records — 7 years, to comply with UAE Federal Tax Authority record-keeping rules and similar GCC requirements.
- Audit log — minimum 1 year, longer for incidents under investigation.
- Rider medical notes — deleted when the rider leaves the club or earlier if you ask us to remove them.
- Marketing-list subscriptions — until you unsubscribe, plus a short suppression-list retention to ensure we honour your opt-out.
If you ask us to delete your data and we are legally required to retain certain records (e.g. tax invoices), we will isolate and minimise those records for the remaining retention period rather than continuing to process them.
9. Your rights
Depending on where you live, you may have any of the following rights:
- Access — get a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure / deletion — ask us to delete data, subject to legal retention requirements.
- Restriction — ask us to limit processing while a dispute is resolved.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing carried out under our legitimate interests.
- Withdraw consent — for any processing based on consent, at any time.
- Lodge a complaint — with the UAE Data Office, the SDAIA in Saudi Arabia, your national supervisory authority in the EU/UK, or another competent regulator for your jurisdiction.
To exercise any of these rights, email info@cavaliq.com or use the support page. We will verify your identity before fulfilling a request to make sure we’re not handing your data to someone else. We aim to respond within 30 days; if a request is complex we may take longer and will tell you why.
10. Children
Many riders are minors. Cavaliq is built to handle this responsibly:
- We do not offer direct accounts to children under 16. A parent or guardian creates the account and manages the rider profile on the child’s behalf.
- We do not knowingly collect personal data directly from a child under 13.
- We do not profile, target advertising at, or apply automated decision-making to minors.
- A parent or guardian can request access to, correction of, or deletion of their child’s data at any time.
See the dedicated children’s data statement for more.
11. Security
We protect your data with technical and organisational measures appropriate to the sensitivity of the data and the risk of harm. These include:
- TLS 1.2+ for all data in transit; HSTS enforced.
- Encryption at rest at the storage layer and field-level encryption for medical data.
- Role-based access control inside Cavaliq, with multi-factor authentication on Clerk-managed sign-in.
- Tenant isolation enforced in the application layer on every database query, so one club’s data is never returned to another.
- Per-request audit logging.
- A documented incident response process with breach notification within statutory timeframes (72 hours under GDPR and Saudi PDPL; without undue delay under UAE PDPL).
Read more on the security overview.
12. Cookies
We use the smallest set of cookies needed to keep you signed in, deliver the service, and protect against abuse. Details, including how to manage cookies, are on the cookie policy.
13. Automated decision-making
Cavaliq does not make decisions about you that produce legal or similarly significant effects on you using purely automated means. The horse-matching feature offers suggestions to coaches; the coach makes the final call.
14. Changes to this policy
We may update this policy from time to time. When we do, we’ll update the “Last updated” date at the top and, if the changes are significant, notify you by email or an in-product banner before they take effect.
15. Contact
For any privacy question or to exercise your rights:
- Email: info@cavaliq.com
- Or use the support page.
If you live in the UAE, you can complain to the UAE Data Office. If you live in Saudi Arabia, you can complain to the SDAIA. If you live in the EU or UK, you can complain to your national supervisory authority.
