Protecting your data is very important to us. This privacy policy explains what personal data we collect when you use the “StalliQ” app, how we process it, and what rights you have.
We process your data in compliance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other applicable data protection laws.
1. Data Controller
The data controller within the meaning of Art. 4(7) GDPR is:
StalliQ Labs
Owner: Christian Sabel
Am Weyerbach 13
56291 Norath, Germany
Email: datenschutz@stalliq.de
2. Overview: What Data Do We Collect?
StalliQ is an equine management app. We only collect data that is necessary to provide the app's features. We do not display advertising, do not use tracking tools such as Google Analytics, and do not collect location data (GPS).
3. Registration and User Account
A user account is required to use StalliQ. During registration, we collect:
| Data | Purpose |
|---|---|
| Email address | Unique account identification, password reset, support |
| Password | Authentication (stored only as a cryptographic hash) |
Alternatively, you may register using Apple Sign-In or Google Sign-In. In this case, we receive an identity token, your email address, and optionally your name from Apple or Google respectively. No password is stored on our servers. Authentication is handled by the respective provider.
During registration, we also store the time of registration and your consent declarations (terms of service, privacy policy, health data processing where applicable), including the document version and app version.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
4. User Profile
After registration, you may voluntarily provide additional data in your profile:
- Display name and full name - so other users can identify you, e.g., when sharing a horse
- Profile picture - for visual identification
- Phone number - for contact by stable members (optional)
- Preferred language (German/English)
- Notification settings (push notifications, email notifications, quiet hours, reminder days)
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); for optional data, Art. 6(1)(a) GDPR (consent).
5. Horse Data
You can create one or more horse profiles. The following data may be recorded:
Basic information: Name, nickname, gender, date of birth, breed, color, height, country of birth, profile picture and photo gallery.
Identification data: UELN (Universal Equine Life Number), chip number, FEI ID, passport number, national ID, pedigree (sire, dam, breeder).
Additional data: Character notes, markings, purchase price and date (optional).
This data is used for managing your horse, health care, and - when the UELN is provided - unique identification.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
6. Horse Diary
You can create daily diary entries for your horse. The following data is recorded: activity type (e.g., dressage, trail ride, groundwork), horse mood, weather conditions, duration, notes, and optionally a photo. Diary photos are automatically added to the horse's photo gallery.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
7. Health Data
StalliQ offers comprehensive health management features for your horse. Processing of this data only occurs after your explicit consent during the onboarding process.
The following health data may be recorded:
- Health records: Vet visits, vaccinations, deworming, dental care, farrier visits, injuries, illnesses, surgeries, check-ups
- Weight tracking: Weight in kg, measurement method (scale, tape, estimate), timestamp
- Allergies: Allergen, type (feed, medication, environment, contact), severity, reaction description
- Chronic conditions: Diagnosis, severity, treatment plan, medication
- Symptom documentation: Category, severity (1–5), description, observation time, photos, follow-up observations
- Health timeline: Chronological view of all health data (records, symptoms, observations)
- Health documents: Medical reports, vaccination records, receipts (as photo or PDF)
Legal basis: Art. 6(1)(a) GDPR (explicit consent). You may withdraw this consent at any time.
8. AI-Powered Document Analysis
StalliQ offers the option to automatically scan health documents using AI. The process works as follows:
- The document (image or PDF) is sent to the Claude API (Anthropic, Inc.)
- The extracted text and structured data are stored in your account
- The AI request is routed exclusively through our servers (Supabase Edge Function) - your identity is not transmitted to Anthropic
For each AI interaction, we store: the type of request, the model used, token usage, and status - not the content of the request itself.
Notice pursuant to Art. 50 of the EU AI Act (Regulation (EU) 2024/1689): The AI-powered document analysis uses an AI system (Claude, Anthropic). Results are clearly marked as AI-generated within the app. The extracted data serves informational purposes only and does not constitute a veterinary diagnosis or recommendation.
Legal basis: Art. 6(1)(a) GDPR (consent for health data processing).
9. Appointments and Contacts
You can create appointments (vet, farrier, riding lessons, etc.) with title, description, location, time, reminders, and recurrence rules. You can also store service providers with name, company, phone, email, address, and notes. This data is used exclusively for appointment management within the app.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
10. Costs and Expenses
You can record expenses for your horse (category, amount, date, receipts, recurring costs). This data is used exclusively for your personal cost overview.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
11. Stable Management
When you join or manage a stable, the following data is processed:
- Stable profile: Name, address, contact details, logo, opening hours, rules
- Membership: Your affiliation with the stable, your role (owner, manager, instructor, member), skill level
- Riding lessons: Bookings, series bookings, waitlist positions, attendance, cancellations
- Lesson cards: Quotas, transactions (deductions, credits)
- Arena occupancy: Resource bookings, capacities, weekly schedule view
- Announcements: Notices published by the stable operator
- Statistics: Aggregated, anonymized booking and utilization data for stable operators (no individual personal data)
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); for processing by stable operators, Art. 6(1)(f) GDPR (legitimate interest in stable management) may also apply.
12. Public Events and Clinics
You can create or participate in public events (clinics, courses, competitions). The following data is processed:
- Event data: Title, description, date, location, slots, disciplines, skill levels
- Booking data: Your booking, slot assignment, booking status
- Participant lists: Visible to organizers after assignment publication
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
13. Horse Sharing and Permissions
You can invite other users to co-manage your horse (e.g., co-rider, vet, trainer). The invitation, assigned role, and individual permissions are stored. Invited users can only see data for which they have been granted permission.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
14. Private Messages and System Messages
StalliQ provides an internal messaging feature. Message content, timestamps, read status, and any sent images are stored. You can block other users. Messages can be deleted by you (soft delete). You can clear or leave conversations.
Additionally, the system sends automated notifications (e.g., lesson cancellations) via a dedicated system account. These system messages cannot be replied to and serve to transparently inform you about relevant events.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
15. Push Notifications
With your consent, we send you push notifications (e.g., appointment reminders, new messages, booking confirmations, cancellation notices). For this purpose, we store a device-specific push token, which is deleted upon logout. Delivery is handled by Expo (Expo, Inc., USA) - see Section 17.
Legal basis: Art. 6(1)(a) GDPR (consent).
16. Offline Functionality
StalliQ works without an internet connection. To enable this, your data is cached locally on your device and automatically synchronized when a connection is available. The local database is completely deleted upon logout.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); Art. 6(1)(f) GDPR (legitimate interest in offline usability).
17. Sub-Processors and Third-Party Services
We use the following service providers as sub-processors:
| Service Provider | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage, serverless functions | Frankfurt, DE (EU) |
| Expo, Inc. | Push notifications, build service | USA |
| Anthropic, Inc. | AI document analysis (Claude API) | USA |
| RevenueCat, Inc. | In-app purchases, subscription management | USA |
| Sentry, Inc. | Error monitoring | USA |
| PowerSync (JourneyApps) | Offline synchronization | EU |
| Hetzner Online GmbH | Website hosting (stalliq.app) | Germany (EU) |
| Resend, Inc. | Transactional emails | USA |
When signing in via Apple Sign-In or Google Sign-In, identity data is transmitted by the respective provider (Apple Inc. / Google LLC). These providers are independent data controllers for their authentication services, not sub-processors.
Data processing agreements pursuant to Art. 28 GDPR are in place with all sub-processors.
Important: We do not use any analytics or tracking tools (no Google Analytics, no Firebase Analytics, no Facebook SDK). We do not display advertising and do not share your data with advertisers.
18. Data Transfers to Third Countries
Some of our service providers are based in the USA (Expo, Anthropic, RevenueCat, Sentry, Resend). Data transfers are based on:
- Standard Contractual Clauses (Art. 46(2)(c) GDPR) and/or
- the EU-US Data Privacy Framework (Art. 45 GDPR), where the respective provider is certified
Your core data (profile, horses, health data, messages, appointments) is stored exclusively on servers in Frankfurt, Germany.
19. Data Retention
- Account data: Stored as long as your account is active. Deleted or anonymized immediately upon account deletion.
- Health data: Stored until you delete it or delete your account.
- Messages: Deleted messages are marked as deleted and permanently removed upon account deletion.
- Log data and error reports: Automatically deleted by Sentry after 90 days.
- Consent records: Stored for the duration of statutory retention periods (up to 3 years after withdrawal).
20. Account Deletion and Data Export
Account Deletion
You can delete your account at any time in the app settings. Upon deletion:
- Your horse ownership rights are transferred to a co-owner, or the horse profile is deleted
- All your files (profile pictures, horse photos, documents) are irrevocably deleted
- Your profile is anonymized (name becomes “Deleted User”, email is anonymized)
- Your authentication account is deleted
- All locally stored data on your device is deleted
Data Export
You have the right to receive a copy of all data stored about you in a machine-readable format (JSON) at any time. This feature is available in the app settings.
21. Data Security
- Encryption: All data transmissions use HTTPS/TLS
- Access control: Row-Level Security (RLS) at the database level ensures each user can only access their own data
- Input validation: All inputs are validated server-side
- Passwords: Stored exclusively as cryptographic hashes (bcrypt)
- Files: Health documents are only accessible via time-limited, signed URLs (15 minutes)
- Error monitoring: Sentry only receives your user ID - no names, email addresses, or health data
- Offline security: All locally stored data is deleted upon logout
22. Your Rights
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent - at any time with effect for the future
To exercise your rights, simply send an informal message by email to datenschutz@stalliq.de.
You also have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data (Art. 77 GDPR).
23. Minors
StalliQ is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has created an account, we will promptly delete the account and associated data.
24. Changes to This Privacy Policy
We reserve the right to update this privacy policy to reflect changes in legal requirements or new app features. For material changes, we will notify you in advance by email or in-app notification.
25. Contact
If you have questions about the collection, processing, or use of your personal data, please contact:
StalliQ Labs
Owner: Christian Sabel
Email: datenschutz@stalliq.de
Am Weyerbach 13, 56291 Norath, Germany