GDPR — Article 28
Data Processing Agreement (DPA)
This agreement is entered into between 0x Technologies LLC, publisher of Hoofbook ("the Processor"), and any person using the go.hoofbook.app platform in a professional capacity ("the Customer"). The full identity of the Processor is set out on the legal notice page.
Preamble
Hoofbook is an online service for farriers. When you, the Customer, enter into the platform any information about your own clients (horse owners, stable managers, related contacts), Hoofbook acts as a processor within the meaning of Article 4.8 of the GDPR, and you remain the controller.
This agreement, compliant with Article 28 of the GDPR, sets out the terms under which Hoofbook processes that data on your behalf. It is accepted when you create your account and may evolve under the conditions set out in section 11.
1. Subject matter
As a processor, Hoofbook processes the personal data of third parties (the farrier's clients, stable owners, related contacts) that the Customer enters into the go.hoofbook.app platform.
2. Duration
This agreement takes effect when the account is created and remains in force for the entire duration of the subscription, plus a further 30 days from termination, intended to allow the Customer to export their data.
3. Nature of the operations
The operations performed on the data include: collection (via Customer input), storage, organisation, consultation, modification, deletion, export and transmission to the sub-processors listed in section 6.
4. Purpose
To allow the Customer to manage their farriery business: scheduling, client records, tracking the care provided to horses, route optimisation, simplified bookkeeping.
5. Types of data and data subjects
Types of data processed under this agreement
- end-client identity: surname, first name, phone, optional email;
- postal addresses and GPS coordinates of stables;
- business data: horse names and photos, care notes, visit history, hourly rates;
- client billing data (amounts and dates).
Categories of data subjects
The Customer's clients (horse owners, stable managers) and any related contacts the Customer enters.
Special categories (Article 9 GDPR)
None by default. The Customer undertakes not to enter, in the platform, identifiable health data about natural persons, nor biometric data. Veterinary data about horses does not fall under the GDPR (animal data).
6. Sub-processors
Hoofbook uses the sub-processors listed below to provide the Service. The Customer hereby grants Hoofbook general authorisation to use them. Any addition or replacement will be subject to 30 days' notice by email, allowing the Customer to object on legitimate grounds — in which case Hoofbook may terminate the contract.
Sub-processor no. 1
Supabase, Inc.
- Role: Database, authentication, file storage, edge functions
- Region: EU-West (Ireland)
- Data processed: All account and business data (farrier's account, client list, horses, stables, schedule, addresses, photos)
- Transfer mechanism: No transfer outside the EU
- Privacy policy: supabase.com/privacy
Sub-processor no. 2
Vercel Inc.
- Role: Frontend hosting for go.hoofbook.app
- Region: United States (HQ), global edge
- Data processed: IP address, user agent, request logs (no personal payload; application rendered client-side)
- Transfer mechanism: SCCs + Data Privacy Framework
- Privacy policy: vercel.com/legal/privacy-policy
Sub-processor no. 3
Mapbox, Inc.
- Role: Mapping, geocoding, point picker for client and stable addresses
- Region: United States
- Data processed: GPS coordinates of viewed points, public API token. Anonymous telemetry via events.mapbox.com
- Transfer mechanism: SCCs + Data Privacy Framework
- Privacy policy: www.mapbox.com/legal/privacy
Sub-processor no. 4
HERE Technologies
- Role: Route calculation and toll matrix for the 'Cheapest route' mode
- Region: EU (Netherlands)
- Data processed: Coordinates of every stop on a route and any departure time
- Transfer mechanism: No transfer outside the EU
- Privacy policy: legal.here.com/privacy
Sub-processor no. 5
Functional Software, Inc. (Sentry)
- Role: Frontend error tracking
- Region: EU (Germany, ingest.de.sentry.io)
- Data processed: Stack traces, browser version, URL where the error occurred. May incidentally include personal data if present in strings
- Transfer mechanism: No transfer outside the EU
- Privacy policy: sentry.io/privacy
Sub-processor no. 6
Paddle.com Market Limited
- Role: Payment collection, Merchant of Record (Paddle is the official seller, not Hoofbook)
- Region: United Kingdom + EU
- Data processed: Name, email, billing address, VAT number, payment data
- Transfer mechanism: Adequacy decision (United Kingdom)
- Privacy policy: www.paddle.com/legal/privacy
Sub-processor no. 7
Resend, Inc.
- Role: Sending transactional emails (trial reminders, password reset)
- Region: United States
- Data processed: Email address, name, email content
- Transfer mechanism: SCCs + Data Privacy Framework
- Privacy policy: resend.com/legal/privacy
7. Hoofbook's obligations (as processor)
Hoofbook undertakes to:
- process the data only on documented instructions from the Customer. The actions the Customer takes in the platform constitute those instructions;
- ensure that personnel with access to the data keep it confidential, and require them to commit to that confidentiality by contract;
- implement the technical and organisational measures described in the annex (section 8), in line with Article 32 of the GDPR;
- assist the Customer in handling data subject rights requests (access, rectification, erasure, objection, portability, restriction);
- assist the Customer with personal data breach notifications (72-hour notice, see section 9);
- assist the Customer in carrying out data protection impact assessments (DPIAs) where applicable;
- return or delete the data at the end of the contract, at the Customer's choice (see section 11);
- maintain a record of processing activities, in line with Article 30.2 of the GDPR.
8. Security measures (annex)
Hoofbook implements the following technical and organisational measures:
- TLS 1.2 or higher for all transfers;
- AES-256 encryption at rest on Supabase databases;
- Postgres Row Level Security: multi-tenant isolation at the database level, so that one account cannot technically access another's data;
- email and password authentication with mandatory email verification;
- daily Supabase backups with 7-day retention (point-in-time recovery available);
- connection audit log;
- documented incident response plan;
- security updates managed continuously by Hoofbook and its sub-processors.
9. Breach notification
Hoofbook notifies the Customer within 72 hours of becoming aware of a personal data breach. The notification is sent by email to the Customer's GDPR contact recorded in the account settings. It describes:
- the nature of the breach;
- the categories and approximate number of data subjects affected;
- the likely consequences;
- the measures taken or planned to address it.
10. Audit
The Customer may request an audit once a year, by appointment and with reasonable notice of 30 days. For technical audits, Hoofbook may provide the audit reports of its own sub-processors (Supabase, Vercel, Paddle) in place of direct access to the infrastructure.
11. End of contract
- a full CSV export of the data is available for up to 30 days after termination;
- permanent deletion takes place within 90 days after the export window expires, including in backups;
- a certificate of deletion can be provided on written request sent to [email protected].
Contact
For any question relating to this agreement, write to [email protected]. Other data processing carried out by Hoofbook is described in the privacy policy.