1. Foundation facts
This is the canonical sub-processor list for horsenose. The Privacy Policy, the DPA, and the Security & Trust page link here rather than duplicating the table.
- Operator / data controller (own data): DF Daniel Fojcik, a Polish sole proprietorship (jednoosobowa działalność gospodarcza, JDG) registered in CEIDG. NIP 6472592229 · EU VAT PL6472592229 · REGON 387798601. Principal place of business: ul. Goplany 36a, 44-321 Marklowice, Poland. Trading as Nose / horsenose for this product.
- Legal / privacy contact: support@horsenose.eu. No formal Data Protection Officer is designated; the proprietor is the privacy contact.
- Supervisory authority: President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warszawa, Poland — uodo.gov.pl.
- Two roles (see Privacy Policy §1.1 and the DPA): controller — for marketing-site visitors, the account/billing data of stable admins & instructors, product analytics, and security/abuse-prevention data; processor — for the operational data a stable enters about its riders/customers (the stable is the controller; governed by the customer-facing DPA).
- Data residency posture (honest): EU-by-default — the primary stores, email, analytics, error monitoring, and rate-limit counters run in the EEA (Supabase Frankfurt; Vercel fra1; Brevo France; PostHog EU Cloud; Sentry EU data region; Upstash Regional EU-only in Frankfurt). It is not 100% EEA: Cloudflare runs a global edge network for DNS, CDN, and Turnstile bot protection, and Google OAuth (offered as an optional sign-in) is operated from the United States. Those two non-EEA edges are covered by the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (see the table).
- Retention posture: data is kept for the life of the active account. On rider erasure (Art. 17), direct identifiers are stripped after a 30-day grace period (pseudonymisation under Art. 4(5) GDPR — ride/financial lines retain a non-resolving pointer to the stripped profile, not full anonymisation under Recital 26). On stable offboarding, data is retained for at most 90 days, exported only on request, then deleted. The 5-year tax-record duty rests with the stable (horsenose carries it only for its own subscription invoices) — horsenose does not hold rider personal data for 5 years. Full detail in the Privacy Policy §8 and the DPA Annex I.G.
- Payments: no rider payments are processed (cash / pass / voucher / BLIK remain tracking labels). Subscription billing (a stable’s subscription to horsenose) is live: Stripe bills Polish stables directly in PLN (horsenose issues the PL faktura). Dodo Payments is the Merchant of Record for all non-Polish stables (EUR/GBP/USD) — Dodo is the legal seller of the subscription, issues the tax-compliant invoice/receipt, and calculates and remits VAT/sales tax in the destination jurisdiction. Both process the stable administrator’s billing-identity data on horsenose’s behalf. As Merchant of Record, Dodo is more than a processor — it is an independent seller/controller for the transaction itself. Any future change to the billing providers follows the advance-notice and objection mechanics in DPA §10.
2. Sub-processor master list
Each sub-processor receives only the data necessary to perform its function. "Region" is the data-processing region; several vendors are US-incorporated but offer EU data regions, so a DPA + SCC/DPF backstop covers any incidental access by the vendor entity.
| Sub-processor | Purpose | Personal-data categories | Region | Transfer mechanism |
|---|---|---|---|---|
| Supabase Inc. | Application database, authentication, file storage | Account + profile data; all stable/rider operational data | EU — eu-central-1 (Frankfurt) | Intra-EEA data region; DPA + SCCs for incidental vendor access |
| Vercel Inc. | Hosting, serverless compute, cron | Request logs, IP address | EU — fra1 primary; global edge network | DPA + SCCs |
| Brevo (Sendinblue SAS) | Transactional + magic-link email | Name, email address, message/links | EU (France) | Intra-EEA |
| PostHog Inc. (analytics + masked session replay — consent-gated) | Product analytics; masked session recording | Pseudonymous id, autocaptured events, pages viewed, device/browser; masked session replay (all on-screen text and all form inputs masked client-side before the recording leaves the browser). IP addresses are discarded at ingestion. | EU Cloud (eu.posthog.com) | Intra-EEA data region; DPA + SCCs for incidental vendor access |
| Sentry (Functional Software, Inc.) | Error monitoring | Error traces; tags: user UUID, stable id, locale, procedure (email / phone / message body / notes / tokens scrubbed before send) | EU (data storage region) | Intra-EEA |
| Upstash, Inc. | Rate-limit counters + idempotency keys | IP-derived keys (IP = personal data) | EU — Regional database in eu-central-1 (Frankfurt, AWS); no cross-region replication | Intra-EEA |
| Cloudflare, Inc. | Turnstile bot protection, DNS, CDN edge | Request metadata, IP address | Global edge | DPF + SCCs |
| Google LLC (Google OAuth — optional sign-in only) | Returns a persistent account identifier on Google sign-in | OAuth account identifier | United States | EU-U.S. DPF + SCCs fallback |
| Stripe Payments Europe, Ltd. (subscription billing — Poland) | Subscription billing for Polish stables (PLN); Nose is invoice issuer (faktura) | Billing name, country, Stripe-held card token, last 4 | EU + US | Live since 2026-07-01 — DPA via account acceptance + SCCs |
| Dodo Payments (Merchant of Record — non-Poland subscription billing) | Legal seller of the subscription for non-Polish stables (EUR/GBP/USD): issues the tax-compliant invoice/receipt + calculates & remits VAT/sales tax | Billing name, email, billing country/address, Dodo-held card token, last 4 | Global (MoR) — Dodo entity + its own sub-processors | Live since 2026-07-01 — DPA via TOS acceptance + SCCs / EU-U.S. DPF |
3. Changes to this list
Change-of-sub-processor commitment: when horsenose adds, replaces, or removes a sub-processor, it updates this list and — for active subscribers / stables — gives advance written notice sufficient to allow a reasonable opportunity to object on data-protection grounds before the change takes effect (sooner only where urgent for security or service continuity). The mechanics are set out in DPA §10.
4. Processor-DPA register
Each vendor above publishes a standard Data Processing Addendum that applies via its Terms of Service or via in-console acceptance — none of them signs a bilateral wet-PDF DPA, and GDPR Art. 28(3) does not require one. horsenose keeps an internal register with each vendor’s DPA URL, the version relied on, the acceptance mechanism, and the date last verified. That register is distinct from the customer-facing DPA (stable ↔ horsenose).