Document version: 1.0
Effective date: Monday, June 30, 2025
Last updated: Monday, June 30, 2025

Canterly (“we,” “us,” or “our”) is committed to safeguarding the personal data of everyone who interacts with our equestrian-management platform, mobile apps, and websites (collectively, the “Services”). This Privacy Policy explains how we collect, use, disclose, and protect that information. It applies to three groups: (i) Subscribers—equestrian businesses that use Canterly for Business and their authorised staff; (ii) End Users—riders, horse owners, parents or guardians, customers, and partners who engage with those Subscribers through the Services; and (iii) Visitors—individuals who browse our public-facing sites or content without logging in. Unless another notice is presented at the point of collection, the terms below govern every visit to our websites, every use of our apps, and all emails, messages, or other interactions delivered via the Services, including:

• Our online business-management platform (“Software Service”);
• Our business-facing mobile and web apps (“Apps”);
• Our websites and official social media pages;
• HTML-formatted emails or messages that link to this Privacy Policy;
• Any Canterly-branded product or integration that references this Policy; and
• Emails, chat, SMS, or in-app messages sent to End Users on a Subscriber’s behalf (“End-User Communications”).

By accessing or using the Canterly Services you confirm that you have read, understood, and agree to the practices described in this Privacy Policy, which constitutes our notice to you at—or, where required, before—the moment we collect personal data.

If you are a Subscriber, any End-User data that we process on your behalf is subject not only to this Privacy Policy but also to our Data Processing Agreement ("DPA"), which is incorporated by reference into, and forms part of, the Main Agreement as defined in our Terms of Service.

1. Definitions

The following terms are used throughout this Privacy Policy. Capitalised terms not defined below have the meanings given in Section 15 of our Terms of Service.

• “Subscriber” means the company, organisation, or other legal entity that has entered into this Agreement with Canterly to access and use the Services, whether on a paid or unpaid basis. This includes the Subscriber’s authorised Users, such as its employees, staff, contractors, or other personnel acting on its behalf.
• “End User” means any individual or entity that interacts with a Subscriber (i.e., a customer of Canterly) through the Canterly Services. This includes, but is not limited to, riders, horse owners, parents or guardians, partners, or other individuals or organisations engaging with a Subscriber’s business. End Users may book, schedule, subscribe to, or purchase products or services; receive communications or marketing sent via the Services; be targeted through the platform; or otherwise access, browse, or use the Services as authorised by the Subscriber. End Users may also include individuals whose Personal Data is collected or processed on behalf of Subscribers in connection with their use of the Services.
• “Visitor” means any individual who accesses or interacts with Canterly’s websites, content, or communications without logging into an account or using the Services as a Subscriber or End User. This includes individuals browsing our marketing pages, learning about our offerings, or engaging with Canterly’s public-facing channels in other ways.
• “Personal Data” (also referred to as ‘personal information’ in some jurisdictions) means any information that directly or indirectly identifies, relates to, describes, or is reasonably capable of being associated with a particular individual or, where applicable, a household. This includes, but is not limited to: names, contact details (such as email addresses and phone numbers), postal addresses, unique identifiers (such as user IDs or IP addresses), account information, location data, and any other data that can be used to identify or link to a specific person, either alone or when combined with other information.
• “Sensitive Personal Data” means a subset of Personal Data that is subject to heightened protection under applicable data protection laws due to its sensitive nature. This includes, but is not limited to: government-issued identification numbers (e.g., NRIC, passport numbers), financial account or payment information, health or medical information, biometric data, racial or ethnic origin, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, and any information concerning a person’s criminal history or precise geolocation.
• “Other data” (or “Other information”) means data that does not, on its own, identify a specific individual and is not reasonably capable of being used to identify an individual. This may include de-identified, aggregated, or anonymised data, such as usage metrics, device information, or statistical analytics derived from interactions with the Services.
• “Subprocessor” (or “Sub-processor”) means any third party engaged by Canterly that processes Personal Data on Canterly’s behalf.”
• “Transaction” means any action initiated through the Services—financial or non-financial—that results in a discrete operational, scheduling, or financial outcome involving a Subscriber, End User, or third party. Transaction records may include limited associated Personal Data, depending on the context. Transactions include, but are not limited to:
  
  • Financial Transactions such as payments, refunds, charges, credits, or invoices processed through Canterly or third-party providers (e.g., Stripe); and

• • Non-Financial Transactions such as bookings, service orders, appointment confirmations, horse assignments, attendance confirmations, or system-generated messages, records, or notifications—regardless of whether a payment is involved.

When we refer to “data” or “information” in this Privacy Policy, we mean Personal Data, Sensitive Personal Data, or Other Information, depending on the context.

2. Roles and Responsibilities

Canterly operates as a business-to-business-to-consumer (B2B2C) platform. We provide our Services to Subscribers (e.g., equestrian businesses), who in turn use the platform to manage and engage with their clients and partners (“End Users”). Under data protection laws (e.g., GDPR, UK GDPR, Singapore PDPA), our role—as Data Controller or Data Processor—depends on the specific category of data involved:

• Subscriber admin and billing data—such as the business owner’s name, billing address, and VAT/GST number—is collected by Canterly for our own operational purposes (e.g., account setup, invoicing, support). We act as the Data Controller for this data.
• End-User operational data—such as lesson bookings, rider height or weight, and medical notes (where recorded by a Subscriber)—is collected and controlled by the Subscriber. In this case, Canterly acts solely as the Data Processor, processing data on behalf of and under the documented instructions of the Subscriber.
• Product telemetry and aggregated analytics—including click paths, error logs, and de-identified usage metrics—are automatically generated by the platform. Canterly uses this information to secure, maintain, and improve the Services, and therefore acts as the Data Controller for this data.
• Full payment-card details—such as the primary account number, expiration date, and CVV—are handled directly by our third-party payment processor (e.g., Stripe), who acts as the Data Controller for cardholder data. Canterly never stores full card numbers and receives only masked or tokenised references and metadata to reconcile transactions.

When acting as a Processor, Canterly follows the Subscriber’s documented instructions, enters into sub-processor agreements with appropriate safeguards, and assists with data subject rights and incident response.

When acting as a Controller, Canterly determines the lawful basis for processing, presents this Privacy Policy (and cookie banners or consent notices where required), and manages rights requests directly.

Subscribers, as Controllers of their End-User data, must ensure a valid legal basis, obtain necessary consents (especially for minors or health data), and honour individual rights. This Policy describes our obligations in both roles, based on the information Subscribers or other Controllers make available to us. The detailed obligations that apply when Canterly acts as your Data Processor are set out in our DPA.

3. Categories of Personal Data

The Personal Data we collect depends on how you interact with Canterly and the specific Services you use. This may include, but is not limited to:

• Contact information, such as name, postal address, email address, phone number, and emergency contact details;
• Personal identifiers and characteristics, including date of birth, nationality, government-issued ID, height, and weight;
• Financial and transaction data, including payment information, billing and shipping details, purchase history, and tax or identification numbers (where required for compliance or invoicing);
• Health-related information, such as height, weight, and medical details collected or input by Subscribers (e.g. to support rider safety or horse-rider matching);
• Service-related activity, including support requests, feedback, preferences, and usage logs and metrics;
• Uploaded content: such as photos, documents, or media submitted by you or a Subscriber to the Canterly Services;
• Technical and usage data: including IP address, device IDs, browser type, and operating system;
• Cookie and tracking data: We may use cookies and similar technologies to operate, secure, and improve the Canterly Services. The type of cookies we use depends on how you interact with us. On public websites, we may use essential cookies for core functionality and, with your consent, analytics or marketing cookies. On the Subscriber Platform, we may use essential cookies to support logins and platform features, and optional analytics cookies—with your explicit consent. You can manage or withdraw preferences at any time via the “Cookie Settings” link or through your browser or device controls.

Health-related information collected for safeguarding purposes, such as notes on medical conditions, injuries, allergies, or other relevant rider health details, may be maintained to support appropriate horse-rider matching and help ensure participant safety during lessons or equestrian activities. This type of information may be classified as health-related or sensitive personal data under certain data protection laws (e.g., the EU GDPR or California privacy laws). Where required, we apply heightened safeguards and limit processing to what is necessary for service delivery, safety, and compliance.

Where we maintain de-identified information, we commit not to re-identify individuals unless required or permitted by law for the operation of the Services.

4. How do we collect Personal Data

The personal data we collect depends on your relationship with Canterly and how you interact with our Services:

If you are a Subscriber (e.g., an equestrian business), we collect data when you sign up for the Canterly platform or engage with us directly:

• Business identity: Legal or trading name, registered address, locations, email, and phone number;
• Billing and payments: VAT/GST numbers or other tax IDs, invoicing address and contact, preferred payment method (e.g., card-on-file, bank details);
• Authorised users: Names, roles, and contact information of employees or contractors who manage or have access to the Subscriber account, health-related information you require for safety or compliance (e.g., relevant medical notes for on-site staff); and
• Engagement and feedback: Questions or comments from demos, webinars, events, or support tickets, feature usage and activity logs that help us maintain and improve the platform

If you are an End User (for example, a rider, horse owner, parent/guardian, or other individual interacting with a Canterly Subscriber), the Subscriber—i.e., the equestrian business you deal with—decides what data to collect and why. Canterly merely processes that data on the Subscriber’s instructions.

• Identity and contact: Full name, email, phone number, postal address;
• Billing and payments: Billing address and country, VAT/TAX registration or national-ID numbers required for invoicing or regulatory compliance, payment identifiers (e.g., masked card digits or transaction tokens); full card data is handled only by our payment processor and never stored by Canterly;
• Emergency details: Primary emergency contact name and phone number; and
• Safety & suitability data: Date of birth or age band, height, weight, relevant medical or health notes (e.g. allergies, injuries, relevant conditions) and parent/guardian details, all of which are used only to match the client or participant age-appropriate horses, activities, instructors, and supervision, and to safeguarding laws.

Canterly processes this data solely on behalf of and following the instructions of the Subscriber.

If you are a Visitor—someone who browses our public-facing websites without logging in—we automatically collect limited analytics to measure and improve site performance:

• IP address & coarse location (country/region only);
• Browser and device details – browser type/version, device model, operating system; and
• Usage metrics – pages viewed, time spent, click paths, scroll depth, and other interaction statistics.

We use this information solely to safeguard the site, enhance content and layout, and produce aggregated marketing insights; it is not linked back to a named individual.

In some cases, Canterly may collect data directly—for example, when you interact with our website, respond to End User Communications, contact our support team, or otherwise engage with our system-generated content on behalf of the Subscriber:

• Website forms and chats: Details you type into contact forms, wait-list sign-ups, or live-chat widgets (e.g., name, email, enquiry message);
• Replies to system emails, communications or SMS: Information included in your response, such as confirmations, cancellations, or feedback;
• Support requests: Name, email, phone, and the contents of your ticket, call, or screen-share session, diagnostic logs or screenshots you choose to send; and
• Other engagement with system-generated content: Clicks on magic links, notification preferences, and in-app survey answers.

If you are a Subscriber or End User logging into a Canterly App or Website, Canterly uses secure authentication mechanisms (e.g., via Amazon Cognito) to manage user access, verify credentials, and protect account integrity:

• Identifiers processed during login may include: Name, email address, phone number, encrypted password or authentication token

When you engage in Transactions—such as booking, invoicing, messaging, or scheduling—Canterly collects only the information necessary to support the action:

• Operational transactions (e.g. booking, scheduling, messaging, invoicing): Name, contact details, booking or invoice reference, booking notes;
• Financial transactions (e.g. paying for a booking, refunds, invoice generation): Only the data required to process the payment on the Subscriber’s behalf, card details entered in secure, embedded fields hosted by our payment processor (e.g., Stripe). Canterly never sees or stores the full card number—only limited metadata such as payment status, masked digits, or tokenised references;
• Role of the payment processor: The processor acts as an independent Data Controller for card data and handles it under its own privacy policy. Where acting as a sub-processor, we ensure contractual safeguards and transfer protections are in place (see Section 7); and
• Related communications: Transactions may trigger system emails or SMS (confirmations, receipts, payment reminders) sent on the Subscriber’s behalf. A Subscriber can also initiate a charge or refund for you; in those cases, your explicit confirmation may be required before we proceed.

When you interact with Canterly Services, we automatically capture limited technical information to secure your account, prevent fraud and abuse, optimise performance, and satisfy legal or regulatory duties, including:

• Automatic technical data collected: IP address, Browser type and version, device model and operating system, usage metrics (pages visited, click paths, session duration), general location (country/region inferred from IP or browser settings).

You can manage or disable precise location sharing in your device or browser settings; doing so will not affect core functionality.

We may obtain your Personal Data from sources other than your direct interaction with Canterly. These sources include:

• Subscribers who enter their details in our Apps or share them during onboarding or support requests;
• Third-party providers such as payment processors, analytics tools, and integration partners that pass us limited data needed to complete a transaction or deliver a feature;
• Publicly accessible sources – such as official registers, social-media profiles, or information that contacts of yours have chosen to share; and
• Joint-marketing or referral partners that lawfully supply contact lists or lead information.

You may choose not to share certain requested details, but doing so can limit access to specific features or services. Any personal data we do collect is kept only for as long as it is needed to achieve the purposes described in this Policy or to satisfy legal and contractual requirements.

5. Legal Bases for Collection

We process personal data under one or more lawful bases, depending on your relationship with Canterly and your interactions with our Services. These bases include contractual necessity, legitimate interest, legal obligation, consent, and, where applicable, substantial public interest. We rely on each lawful basis only where permitted by applicable law and obtain your consent where required.

More specifically, Canterly relies on the following legal bases to process personal data:

• Contractual necessity – When processing is necessary to deliver the Services, fulfil our contractual obligations (e.g., account creation, bookings, transactions), or take steps at your request before entering into a contract.
• Legitimate interest – When processing supports our business operations in ways that are proportionate and do not override your rights or freedoms. This includes fraud detection, platform improvement, analytics, and communications related to usage or system updates. Where we rely on legitimate interests, we conduct a balancing test and implement safeguards.
• Consent – When you have provided clear, affirmative consent for specific purposes, such as receiving marketing communications or processing sensitive data (e.g., health information or data about minors). You may withdraw your consent at any time by following the instructions in our messages or contacting us.
• Legal obligation – When we are required to process data to comply with applicable laws or regulations, including tax, financial, safeguarding, or child protection obligations.
• Substantial public interest – Where permitted under applicable law, we may process sensitive personal data (e.g., health-related information for safety purposes) where necessary for reasons of substantial public interest, including safeguarding or regulatory requirements.

6. How we use Personal Data

A. Deliver and secure the core service

• Create and manage Subscriber and End-User accounts.
• Enable bookings, scheduling, invoicing, and payment flows.
• Verify identity, issue and reset credentials, and monitor log-ins to keep accounts secure.

B. Communicate with you

• Send essential notices—booking confirmations, receipts, service updates, policy changes.

• Send product news or marketing messages when you have opted in; you can opt out at any time via the message footer or your account settings.

C. Run safety and decision-support tools

• We may use limited forms of automated processing, such as horse-rider matching or fraud scoring, to support scheduling decisions and operational safety. These tools help recommend suitable options (e.g., suggesting a horse based on a rider’s weight, age, or riding ability to ensure horse wellbeing and rider safety) but do not make binding decisions or produce legal or similarly significant effects without human involvement.
• If we ever introduce fully automated decision-making that produces such effects, we will notify affected individuals and provide a way to request human intervention or contest the decision, as required by applicable law.

D. Improve the platform

• Analyse aggregated usage data, run A/B tests, and review feedback to refine features and user experience.
• Develop and validate new capabilities before broad release.

E. Meet legal, regulatory, and contractual duties

• Satisfy tax, accounting, safeguarding, and industry-specific obligations.
• Respond to lawful requests from competent authorities.
• Maintain audit logs and records; establish, exercise, or defend legal claims.

F. Work with trusted providers

• Share limited data with third-party processors—such as Stripe (payments), AWS (infrastructure), HubSpot (communications)—under strict contractual safeguards and only for authorised purposes.

G. Support day-to-day operations

• Conduct internal reporting, risk assessments, backups, and business-continuity planning.
• We may also allow limited, role-based access by authorized Canterly personnel to a Subscriber’s account environment to deliver onboarding assistance, troubleshoot issues, configure features, or provide training. Such access is granted solely for legitimate business support purposes, restricted to the minimum necessary, and governed by strict confidentiality, logging, and data protection controls.

H. Honour your privacy rights

• Record and action requests for access, correction, deletion, restriction, objection, or portability in line with applicable law and your account settings.

I. Use de-identified or aggregated data responsibly

• Create anonymised statistics for analytics, benchmarking, and product development.
• Never attempt to re-identify such data unless legally required or expressly necessary to deliver the Services.

7. Sharing with Third Parties

Canterly engages a limited number of trusted third-party service providers (“subprocessors”) to help deliver, operate, and improve our Services. These subprocessors process personal data on our behalf under written agreements that include contractual safeguards, data protection obligations, and confidentiality provisions in accordance with applicable law.

Our key subprocessors include:

• Amazon Web Services (AWS) – for secure cloud hosting, file storage (e.g., Amazon S3), identity verification and user authentication (Amazon Cognito), and system monitoring and diagnostics (AWS CloudWatch) (AWS Privacy Notice)
• Google Analytics – for website and app usage analytics and performance insights (Google’s Privacy & Terms, Safeguarding your data)
• HubSpot – For customer communications, support, and marketing automation (HubSpot Privacy Policy)
• Stripe – for billing, invoicing, and secure payment processing (Stripe Privacy Policy)
• Vercel – for application deployment and front-end hosting (Vercel Privacy Policy)

These providers may access limited personal data only as necessary to perform their functions. Canterly does not sell personal data, and each subprocessor is independently responsible for its own privacy and security practices.

We may also use personal data to support business continuity, conduct audits, assess risk, or engage additional subprocessors under equivalent contractual protections. A current list of subprocessors is available upon request or as required by law.

8. International Data Transfers

Canterly operates on globally distributed infrastructure hosted primarily by Amazon Web Services (AWS) and other trusted service providers. As a result, your personal data may be transferred to, stored in, or processed in countries outside your country of residence—such as Singapore, the United States, or member states of the European Economic Area (EEA). 

When personal data is transferred internationally, we ensure an adequate level of protection by:

• Implementing appropriate and approved contractual safeguards for international data transfers under applicable Data Protection Law;
• Applying supplementary technical and contractual safeguards as needed or mandated (e.g., encryption, access controls); and
• Conducting transfer impact assessments where required.

These measures help ensure that your personal data remains protected in accordance with applicable data protection laws such as the EU/UK GDPR, Singapore PDPA, or equivalent frameworks.

By using the Services, you acknowledge and consent to these transfers, subject to the safeguards described above. 

9. How We Retain Data

We keep personal data no longer than necessary:

• Subscriber billing data – for the duration of the contract and up to six (6) years thereafter to satisfy tax and audit requirements, subject to local laws.
• End-User operational data is stored for the life of the Subscriber’s account and for up to twelve (12) months after the account is closed, unless the Subscriber instructs us to erase it sooner. While the account is active, the Subscriber can at any time export, archive, or permanently delete an individual End-User’s information. If a Subscriber deletes an End-User record (or deletes its own account), we immediately anonymise the relevant data—e.g., replacing the name with “Deleted Client”—so it can no longer be linked back to the individual.
• Payment metadata (e.g. last 4 digits of card number; transaction amount, currency, status and date) – up to seven (7) years after the transaction date to satisfy tax, accounting, and chargeback-defence obligations. After that period, the records are permanently deleted or irreversibly anonymised. Full card numbers are never stored by Canterly.
• Support tickets and system logs – three (3) years after the ticket is closed.
• Marketing leads – We keep prospect-contact data for up to twenty-four (24) months after the last recorded engagement (e.g., email open, click, reply, event registration). Shortly before that period ends, we send a one-time “re-permission” email asking whether you still wish to hear from us. If we do not receive a fresh, affirmative opt-in within thirty (30) days, the record is permanently deleted (or fully anonymised) at the 24-month mark.
• Continuous back-ups (e.g. in the event of a schema error, accidental delete, or ransomware) are encrypted and can be retained for up to thirty-five (35) days before automated overwrite.
• Snapshot backups, also known as archival backups (e.g. continuous logs, audit reports), can be retained for up to seven (7) years. 

We may retain aggregated, anonymised, or otherwise irreversibly de-identified information indefinitely, as it can no longer be linked to you. Retention schedules are subject to annual review. They may be paused or extended to comply with legal obligations, resolve disputes, enforce contracts, or protect our rights, should the preservation of specific records be necessary.

10. Your rights

This section applies to individuals in jurisdictions that provide specific privacy rights under applicable data protection laws, including (but not limited to) the European Economic Area, the United Kingdom, jurisdictions in Asia such as Singapore and Thailand, U.S. states with comprehensive privacy laws, and other regions with similar legal frameworks.

Depending on your location, you may have the right to:

• Access or portability – Request a copy of the personal data we hold about you, in a format that allows you to transmit it to another entity. 
• Correction/rectification – Request correction of inaccurate or incomplete personal data.
• Deletion – Request deletion of your personal data, subject to lawful exceptions (e.g., compliance, security, or contractual obligations).
• Objection or restriction – Object to certain types of processing or request that we restrict processing of your data.
• Withdraw consent – Withdraw any previously given consent (e.g., unsubscribe from marketing emails), without affecting the lawfulness of processing before withdrawal.
• Non-discrimination – You will not be discriminated against for exercising your privacy rights.
• Appeal – Appeal our decision if we decline to act on a request, where applicable law provides this right.
• Lodge a complaint – File a complaint with your local data protection authority if you believe our processing of your personal data violates applicable law.

You can submit a request to access, delete, correct, or export the personal data we hold about you by contacting us at privacy@canterly.com with the subject line “Data Subject Request”. We may need to verify your identity and the scope of your request. Where allowed, an authorised agent may also submit a request on your behalf.

To confirm your identity, we may ask you to verify yourself, for example, by providing a recent booking ID or replying from the email address we have on file. We respond to all valid requests within 30 days, unless the law allows us to extend that period. Requests will be provided free of charge, unless they are demonstrably unfounded or excessively burdensome.

If you are an End User (e.g. rider, horse owner, or parent/guardian) using Canterly through a Subscriber (e.g. equestrian facility), your data is typically controlled by that Subscriber. In such cases, Canterly acts as a Data Processor and is not authorised to respond to certain requests (such as access, correction, or deletion) directly. If you submit a request to Canterly, we may refer your request to the appropriate Subscriber, who is responsible for reviewing and responding following applicable laws. If you’re unsure who the Subscriber is, we will help you identify and contact the appropriate organisation where possible.

Your rights and our obligations under this Privacy Policy may vary depending on your country or region. Where required, we provide additional region-specific disclosures or processes. If applicable, please refer to any local notices or supplements provided alongside this Policy.

11. Security measures

Canterly implements reasonable administrative, technical, and physical safeguards to protect personal data under our control from unauthorised access, loss, misuse, or alteration. These measures are tailored to the nature and sensitivity of the data and are designed to uphold its confidentiality, integrity, and availability.

Security measures include, but are not limited to:

• Secure cloud hosting infrastructure (e.g., AWS);
• Role-based access controls and user authentication;
  
• Encryption of data in transit and at rest;
• Regular access reviews and audit logging; and
  
• Ongoing staff training and internal security policies

While we strive to use industry best practices to protect your information, no system can guarantee absolute security. We encourage you to take steps to protect your data, such as keeping login credentials confidential.

12. Minors’ Data

Canterly’s Services are not intended for unsupervised use by children or minors. If you are below the digital age of consent in your country of residence (typically 13–16 years old, depending on jurisdiction), you may only access the Services with the verified consent and ongoing oversight of a parent or legal guardian.

We do not knowingly permit minors to independently register, manage accounts, or engage with the Services without proper authorisation. If we discover that we have collected Personal Data from a minor without verified parental or guardian consent, we will promptly disable the account and delete the data, unless we are legally required to retain it.

Subscribers are solely responsible for:

• Determining the lawful basis for processing minors’ data under applicable law (e.g., COPPA, GDPR Article 8, PDPA);
• Obtaining verifiable parental or legal guardian consent before collecting or submitting any Personal Data about a minor through the Canterly platform;
• Maintaining records of such consent and providing them upon request;
• Supervising all platform usage by minors (e.g. workers, volunteers) in accordance with applicable safety, safeguarding, and consent requirements; and
• Deleting or updating minor-related data as required by law or upon request.

Canterly, as a Data Processor, will:

• Process minors’ data solely on the documented instructions of the Subscriber;
• Implement data minimisation, access controls, and security safeguards specifically for minor-related data;
• Prohibit unsupervised in-app messaging or platform interactions involving minors; and
• Investigate any report of unauthorised collection or exposure of minors’ data and take appropriate corrective action.

If you believe that a minor’s data has been collected without proper consent or oversight, please contact us immediately at privacy@canterly.com.

If you are a parent or legal guardian of a minor who uses Canterly through an equestrian facility, you have the right to access, correct, or request deletion of their personal data. We recommend contacting the facility directly, as they control the data. 

13. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes to our Services, legal obligations, or data practices. Where required by law, we will notify you of any material changes—such as through email, in-app messages, or other appropriate channels—before they take effect. The “Last Updated” date at the top of this page reflects the most recent revisions. Continued use of the Services after an update constitutes your acceptance of the revised policy, unless otherwise required by applicable law.

Depending on your location—for example, under the GDPR, UK GDPR, CCPA, or PDPA—you may have additional rights or regulatory protections. Where applicable, we provide supplemental notices to comply with local data protection laws.

14. Contact us

If you have any questions, concerns, or requests related to this Privacy Policy or how we handle data, please contact us at privacy@canterly.com.