Privacy policy

UK GDPR · DPA 2018 · last updated 10 June 2026

Stable and Hoof ("we", "us") is the data controller for personal data collected through stableandhoof.com. This policy explains what we collect, why, and your rights under the UK GDPR and Data Protection Act 2018.

1. Data we collect

When you place an order

  • Name, email address, postal address, phone (optional)
  • Payment details — handled directly by Stripe; we never see or store your card number
  • Personalisation details: horse name, breed, colour, yard name (optional)
  • For portrait orders: the photo you upload

Automatically

  • Technical error data via Sentry (anonymised stack traces; no personal browsing history)
  • Server logs from Cloudflare (IP address, user agent — retained ~24 hours)

2. Why we use it

  • Fulfilling your order (lawful basis: contract) — to print your product, collect payment, ship to you, and send order/tracking emails.
  • Fraud prevention & payment security (lawful basis: legitimate interests) — Stripe screens transactions for fraud.
  • Service reliability (lawful basis: legitimate interests) — Sentry alerts us when something breaks.
  • Legal obligation — keeping invoice records for HMRC for at least 6 years.

3. Who we share it with

We only share what's needed to fulfil your order:

  • Stripe — payment processing
  • Gelato — print and ship your product (we send name, address, the print file)
  • Resend — order confirmation emails
  • Cloudflare — site hosting, R2 storage, D1 database
  • For portrait orders only: OpenRouter and Replicate process your uploaded photo to generate the portrait

We do not sell your data to anyone.

4. Where your data is stored

Order data sits in Cloudflare's UK/EU data centres. Photo uploads are deleted from our system after the portrait is generated and shipped. Stripe stores payment data per their own policy.

5. How long we keep it

  • Order records: 6 years (HMRC requirement)
  • Uploaded photos: deleted after order ships
  • Email address: kept while you may want to re-order; we'll honour deletion requests
  • Server logs: ~24 hours

6. Your rights

Under UK GDPR you have the right to:

  • Access — request a copy of the data we hold about you
  • Rectification — ask us to correct anything inaccurate
  • Erasure — ask us to delete your data (subject to our 6-year HMRC obligation for orders)
  • Restriction — limit how we use it
  • Portability — get your data in a machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — at any time, where consent is the lawful basis

To exercise any of these rights, email hello@stableandhoof.com. We'll respond within 30 days.

7. Cookies

We use only strictly-necessary cookies:

  • Stripe session cookie during checkout (essential — payment processing)
  • A short-lived session ID for cart persistence

We do not use marketing cookies, tracking pixels, or third-party analytics. No cookie consent banner is shown because no consent is required for strictly-necessary cookies under the PECR.

8. Complaints

If you're not happy with how we've handled your data, please contact us first at hello@stableandhoof.com. You can also complain to the UK Information Commissioner's Office at ico.org.uk.

9. Changes to this policy

We'll update the "Last updated" date at the top whenever we change this policy. If we have your email address, we'll notify you of material changes by email.