1. Summary
horsenose is a multi-tenant software service for running a riding school — scheduling lessons, tracking participation and how riders paid, managing passes and gift vouchers, calculating instructor earnings, and giving each stable’s customers a view of their own bookings. Multi-tenant means many independent stables share one platform, separated from one another by strict, database-enforced isolation. The data your stable enters is yours; another stable’s data is theirs; and neither can see the other’s.
This policy exists to keep horsenose safe and fair for every stable, every instructor, and every rider on the platform. It sets out what you can and cannot do with the Service. It applies to everyone who uses horsenose — stable administrators, instructors, customers and riders, and anyone signed in to an account on the platform.
If you use horsenose, you agree to follow this policy. Breach can lead to a feature or account being suspended or terminated (§5). The Terms of Service incorporate this policy by reference.
2. Permitted uses
You may use horsenose to:
- Operate a riding school that you own, manage, or work at — schedule lessons; record attendance and how riders paid; manage passes and gift vouchers; calculate instructor earnings; communicate operational announcements to your customers; and otherwise run the day-to-day administration of the stable.
- Participate as a rider or customer of a stable you belong to — view and manage your own bookings, your own pass and voucher balances, your own payment history, and your own profile data.
- Manage your own personal data — view what we hold about you, correct it, export it, or delete your account, through the in-product self-service features described in the Privacy Policy.
- Communicate with us in good faith about the Service, including reporting bugs, asking questions, or reporting a suspected security vulnerability under the disclosure policy in Security & Trust §9.
If you have a legitimate but unusual use case — for example, an unusual integration request, a research enquiry, or a one-off bulk-data need — talk to us first at support@horsenose.eu. It is easier to set expectations up front than to debug a suspended account after the fact.
3. Prohibited uses
You may not use horsenose to do any of the following. These categories overlap; conduct that fits more than one is correspondingly more serious.
3.1 Cross the line between stables ("multi-tenant integrity")
This is the most important category for a shared platform.
- Do not attempt to access, view, copy, modify, or interfere with another stable’s data, another rider’s records, or any data outside the stable(s) you are a member of. Each stable’s data is isolated by database-enforced row-level security and role gates; staying within your own tenant is non-negotiable.
- Do not attempt to exploit, circumvent, probe, or test the Service’s row-level security, role checks, or any other tenant-isolation mechanism — except as part of good-faith security research that follows the responsible-disclosure safe harbour in Security & Trust §9.
- Do not use shared, borrowed, or test credentials, multiple accounts, or any technique to cross tenant boundaries or to access data you would not see if you signed in with your own identity.
- Do not induce a stable administrator, instructor, or customer to share credentials or to grant you access for the purpose of accessing data you are not entitled to.
3.2 Misuse other people’s personal data
The data you can see inside your stable — riders’ names and contact details, guardians’ details, instructor information, payment-tracking labels, free-text notes — is there so you can run the stable. It is not yours to repurpose.
- Do not use rider, guardian, instructor, or staff personal data accessible to you for purposes outside the stable’s legitimate operation — for example, do not sell it, rent it, share it with unrelated third parties, scrape it, or use it for marketing, profiling, or any campaign the stable has not authorised on a lawful basis.
- Children’s data warrants particular care. A significant share of riders are minors, and their personal data is processed under the safeguards described in the Privacy Policy and the DPA. Process children’s data only for the stable’s lawful operational purpose (the lesson it relates to, the pass it tracks, the contact with a guardian it requires) — never for any unrelated purpose, and never beyond what that operational purpose needs.
- Do not enter into the Service any personal data about a person for which the stable has no lawful basis to collect or process. See also §3.7 on what must not go into free-text fields.
3.3 Attack or disrupt the Service
- Do not attempt unauthorised access to the Service, to any account or stable other than your own, or to any underlying infrastructure.
- Do not run denial-of-service attacks, load-generation attempts, or any other activity intended or likely to degrade availability for other users.
- Do not scrape, crawl, or otherwise harvest the platform — including other users’ personal data, stable schedules, customer lists, or instructor information — by automated means, except for your own data via the official export endpoints.
- Do not probe for vulnerabilities outside the responsible-disclosure safe harbour in Security & Trust §9. Within that safe harbour, good-faith research that stays in your own accounts, avoids degrading the Service for others, and does not access other users’ data is welcome and will not be treated as a violation of this policy.
- Do not interfere with bot protection, rate limiting, or audit-logging mechanisms (Cloudflare Turnstile, Upstash rate counters, the append-only audit log) — for example by trying to bypass them, suppress entries, or falsify events.
3.4 Unlawful use
- Do not use the Service to stalk, harass, threaten, intimidate, dox, or otherwise harm any natural person — including any rider, guardian, instructor, staff member of another stable, or a member of the public.
- Do not use the Service in a way that infringes intellectual-property, privacy, publicity, or other applicable rights of any third party.
- Do not use the Service to facilitate, encourage, or carry out any activity that violates applicable EU or Member-State law, including Polish criminal, consumer-protection, data-protection, and electronic-services law.
3.5 Misrepresentation and impersonation
- Do not impersonate another stable, another instructor, another customer, or horsenose itself.
- Do not create fake stable accounts, fake invitations, or fake rider records — for example to evade enforcement under this policy or to mislead customers about who they are dealing with.
- Do not use the Service to send communications that appear to come from horsenose (the operator) when they do not — for example, by styling a one-way announcement so a reader would reasonably believe it was sent by the platform rather than by your stable.
3.6 Reverse engineering and interference with the Service
- Do not reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code or internal structure of the Service, except to the extent applicable law expressly permits and you have given us prior written notice.
- Do not copy, modify, or create derivative works of the Service’s software, user interface, or content beyond what the Terms or applicable law permit.
- Do not remove or obscure notices, watermarks, attribution, or in-product disclosures that the Service displays.
- Do not use the Service to benchmark against competing services for publication or to build a competing product, without horsenose’s prior written permission.
3.7 Special-category and other prohibited content in free-text fields
Free-text fields (notes on passes, payments, riders, horses; one-way announcement bodies; profile fields) exist for operational notes. They are not the place for sensitive personal data.
- Do not enter special-category data under Article 9 GDPR into free-text fields — in particular health data about a rider (a diagnosis, a medication, an injury, or any condition), data revealing racial or ethnic origin, religious or philosophical beliefs, trade-union membership, genetic or biometric data, or data concerning sex life or sexual orientation. The Service has not been designed to hold this kind of content.
- Do not enter criminal-conviction or offence data under Article 10 GDPR into free-text fields.
- Notes about a horse (for example, a rest period or a veterinary note about the animal) are about an animal, not a person, and fall outside this restriction — but do not use such a field to record health information about a rider.
For the avoidance of doubt, this restriction is also reflected in the DPA (Annex I.E) and binds each stable as Controller under that DPA.
4. Reporting abuse
If you believe someone is breaching this policy — for example, attempting to access another stable’s data, scraping the platform, harassing a rider, or misusing personal data inside a stable — email support@horsenose.eu with `Abuse Report` in the subject line. Include enough detail for us to investigate.
For suspected security vulnerabilities rather than abuse, follow the dedicated route in Security & Trust §9 (support@horsenose.eu with `Security` in the subject line).
We will investigate reports in good faith and will not disclose a reporter’s identity without consent unless required by law. We are not a law-enforcement body and cannot compel disclosure from third parties or take enforcement action against people outside the Service; where a matter warrants police, regulatory, or judicial process, that path is yours or your counsel’s to initiate. Our role is limited to operating the Service honestly and honouring legally grounded requests we receive.
5. Enforcement and appeals
5.1 Our usual ladder
If we believe you have breached this policy, we will generally take the following steps in order:
- Contact the responsible account-holder (a stable administrator, an instructor, or the rider whose account is involved), describe what we observed, and give them a chance to respond.
- Require correction of the behaviour — for example, deleting data that should not have been entered, ceasing automated scraping, or restoring a misconfigured role.
- Suspend the specific feature, account, or stable while we investigate, or as a corrective measure if the breach is not resolved.
- Terminate the account or the stable’s access to the Service for severe or repeated breach.
5.2 Fast-track suspension
For clear, serious harm — for example, an in-progress attempt to exfiltrate another stable’s data, an ongoing attack on the Service, or unlawful use that puts other users at risk — we may skip the early steps and suspend immediately, then contact the account-holder. We do this only where the harm is concrete and proceeding through the usual ladder would make it worse.
5.3 Refunds where we terminate
Where horsenose terminates an account or a stable’s subscription without cause attributable to the account-holder, we will refund the unused portion of any pre-paid subscription on a pro-rata basis (for non-Polish stables, the refund is issued through Dodo Payments as seller of record — see Terms of Service §4.5). We will not refund where the termination follows from intentional fraud, illegal use, or a severe breach of this policy where the account-holder bears responsibility.
5.4 Appeals
If we suspend or terminate your account, or restrict a stable’s access, and you believe the decision was in error, email support@horsenose.eu with `Account Appeal` in the subject line. A human — not an automated system — will review your appeal and respond as soon as reasonably practicable. If we are not persuaded, we will explain why in writing so that you can assess your next steps, including escalation to a supervisory authority where applicable. Where your appeal is a statutory data-subject request under the GDPR, we will comply with the statutory time-limits in Article 12(3) GDPR regardless of this section.
5.5 Responsible security research is not a violation
For the avoidance of doubt: good-faith security research that follows the responsible-disclosure policy in Security & Trust §9 — staying within your own accounts, avoiding degradation of the Service for others, and not accessing other users’ data — is not a breach of this policy and will not trigger enforcement under this section.
6. Changes
We may update this policy as new patterns of misuse emerge, as the Service evolves, or as the law develops. Material changes will be announced by email to active subscribers and by an in-product notice with reasonable advance notice before they take effect (immediate effect where the change is required by law or a security situation). The current version is shown at the top of this page.
7. Contact
Questions about what’s allowed: support@horsenose.eu.
- Abuse reports — subject line `Abuse Report`.
- Account appeals — subject line `Account Appeal`.
- Security vulnerabilities — follow Security & Trust §9 (subject line `Security`).
Operator: DF Daniel Fojcik, ul. Goplany 36a, 44-321 Marklowice, Poland · NIP 6472592229 · REGON 387798601. Trading as Nose / horsenose.