1. Summary
horsenose is a software service for running a riding school — scheduling lessons, tracking participation and how riders paid, managing passes and gift vouchers, boarding horses and billing for the care and services a stable provides, calculating instructor earnings, and giving each stable’s customers a view of their own bookings, balances, and charges. A stable can also let riders pay online; when it does, horsenose is never a party to the payment and never handles card or bank data — the money runs through a regulated payment provider straight into the stable’s own account. The data your stable enters is yours; another stable’s data is theirs; and neither can see the other’s.
This policy exists to keep horsenose safe and fair for every stable, every instructor, and every rider on the platform. It sets out what you can and cannot do with the Service. It applies to everyone who uses horsenose — stable administrators, instructors, customers and riders, and anyone signed in to an account on the platform.
If you use horsenose, you agree to follow this policy. Breach can lead to a feature or account being suspended or terminated (see “Enforcement and appeals” below). The Terms of Service incorporate this policy by reference.
2. Permitted uses
You may use horsenose to:
- Operate a riding school that you own, manage, or work at — schedule lessons; record attendance and how riders paid; manage passes and gift vouchers; board and stable horses and bill for the care and services you provide (feeding, grooming, farrier and vet visits, and the like); calculate instructor earnings; communicate operational announcements to your customers; and otherwise run the day-to-day administration of the stable.
- Take payment for what your stable provides — record how a rider paid (cash, pass, voucher, or transfer) and, where you switch it on, let riders and the guardians of child riders top up their balance or settle what they owe online. The money runs through a regulated payment provider straight into the stable’s own account; horsenose supplies the software, is never a party to the payment, and never handles card or bank data. Use the payment and billing features for your stable’s own legitimate charges only.
- Participate as a rider or customer of a stable you belong to — view and manage your own bookings, your own pass and voucher balances, any boarding and care charges for your horse, your own payment history, and your own profile data — and, where your stable offers it, pay or top up your balance online.
- Manage your own personal data — view what we hold about you, correct it, export it, or delete your account, through the in-product self-service features described in the Privacy Policy.
- Communicate with us in good faith about the Service, including reporting bugs, asking questions, or reporting a suspected security vulnerability under the disclosure policy in Security & Trust → “Responsible disclosure”.
If you have a legitimate but unusual use case — for example, an unusual integration request, a research enquiry, or a one-off bulk-data need — talk to us first at support@horsenose.eu. It is easier to set expectations up front than to debug a suspended account after the fact.
3. Prohibited uses
You may not use horsenose to do any of the following. These categories overlap; conduct that fits more than one is correspondingly more serious.
3.1 Cross the line between stables ("multi-tenant integrity")
This is the most important category for a shared platform.
- Do not attempt to access, view, copy, modify, or interfere with another stable’s data, another rider’s records, or any data outside the stable(s) you are a member of. Each stable’s data is isolated by database-enforced row-level security and role gates; staying within your own tenant is non-negotiable.
- Do not attempt to exploit, circumvent, probe, or test the Service’s row-level security, role checks, or any other tenant-isolation mechanism — except as part of good-faith security research that follows the responsible-disclosure safe harbour in Security & Trust → “Responsible disclosure”.
- Do not use shared, borrowed, or test credentials, multiple accounts, or any technique to cross tenant boundaries or to access data you would not see if you signed in with your own identity.
- Do not induce a stable administrator, instructor, or customer to share credentials or to grant you access for the purpose of accessing data you are not entitled to.
3.2 Misuse other people’s personal data
The data you can see inside your stable — riders’ names and contact details, guardians’ details, instructor information, payment-tracking labels, free-text notes — is there so you can run the stable. It is not yours to repurpose.
- Do not use rider, guardian, instructor, or staff personal data accessible to you for purposes outside the stable’s legitimate operation — for example, do not sell it, rent it, share it with unrelated third parties, scrape it, or use it for marketing, profiling, or any campaign the stable has not authorised on a lawful basis.
- Children’s data warrants particular care. A significant share of riders are minors, and their personal data is processed under the safeguards described in the Privacy Policy and the DPA. Process children’s data only for the stable’s lawful operational purpose (the lesson it relates to, the pass it tracks, the contact with a guardian it requires) — never for any unrelated purpose, and never beyond what that operational purpose needs.
- Do not enter into the Service any personal data about a person for which the stable has no lawful basis to collect or process. See also “Special-category and other prohibited content in free-text fields” below on what must not go into free-text fields.
3.3 Attack or disrupt the Service
- Do not attempt unauthorised access to the Service, to any account or stable other than your own, or to any underlying infrastructure.
- Do not run denial-of-service attacks, load-generation attempts, or any other activity intended or likely to degrade availability for other users.
- Do not scrape, crawl, or otherwise harvest the platform — including other users’ personal data, stable schedules, customer lists, or instructor information — by automated means, except for your own data via the official export endpoints.
- Do not probe for vulnerabilities outside the responsible-disclosure safe harbour in Security & Trust → “Responsible disclosure”. Within that safe harbour, good-faith research that stays in your own accounts, avoids degrading the Service for others, and does not access other users’ data is welcome and will not be treated as a violation of this policy.
- Do not interfere with bot protection, rate limiting, or audit-logging mechanisms (Cloudflare Turnstile, Upstash rate counters, the append-only audit log) — for example by trying to bypass them, suppress entries, or falsify events.
3.4 Unlawful use
- Do not use the Service to stalk, harass, threaten, intimidate, dox, or otherwise harm any natural person — including any rider, guardian, instructor, staff member of another stable, or a member of the public.
- Do not use the Service in a way that infringes intellectual-property, privacy, publicity, or other applicable rights of any third party.
- Do not use the Service to facilitate, encourage, or carry out any activity that violates applicable EU or Member-State law, including Polish criminal, consumer-protection, data-protection, and electronic-services law.
- Do not use the payment and billing features for anything other than your stable’s own legitimate charges — not as a general-purpose payment processor for third parties, and not to move or launder funds you are not entitled to receive. Do not issue boarding or care charges, or record payments, that you know to be false.
3.5 Misrepresentation and impersonation
- Do not impersonate another stable, another instructor, another customer, or horsenose itself.
- Do not create fake stable accounts, fake invitations, or fake rider records — for example to evade enforcement under this policy or to mislead customers about who they are dealing with.
- Do not use the Service to send communications that appear to come from horsenose (the operator) when they do not — for example, by styling a one-way announcement so a reader would reasonably believe it was sent by the platform rather than by your stable.
3.6 Reverse engineering and interference with the Service
- Do not reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code or internal structure of the Service, except to the extent applicable law grants you a right that cannot be limited by agreement (advance notice to us is appreciated but is not a precondition to exercising such a right).
- Do not copy, modify, or create derivative works of the Service’s software, user interface, or content beyond what the Terms or applicable law permit.
- Do not remove or obscure notices, watermarks, attribution, or in-product disclosures that the Service displays.
- If you are a Business Customer, do not use the Service to benchmark it against competing services for publication or to build a competing product, without horsenose’s prior written permission.
3.7 Special-category and other prohibited content in free-text fields
Free-text fields (notes on passes, payments, riders, horses; one-way announcement bodies; profile fields) exist for operational notes. They are not the place for sensitive personal data.
- Do not enter special-category data under Article 9 GDPR into free-text fields — in particular health data about a rider (a diagnosis, a medication, an injury, or any condition), data revealing racial or ethnic origin, religious or philosophical beliefs, trade-union membership, genetic or biometric data, or data concerning sex life or sexual orientation. The Service has not been designed to hold this kind of content.
- Do not enter criminal-conviction or offence data under Article 10 GDPR into free-text fields.
- Notes about a horse (for example, a rest period or a veterinary note about the animal) are about an animal, not a person, and fall outside this restriction — but do not use such a field to record health information about a rider.
For the avoidance of doubt, this restriction is also reflected in the DPA and binds each stable as Controller under that DPA.
4. Reporting abuse
If you believe someone is breaching this policy — for example, attempting to access another stable’s data, scraping the platform, harassing a rider, or misusing personal data inside a stable — email support@horsenose.eu with `Abuse Report` in the subject line. Include enough detail for us to investigate.
For suspected security vulnerabilities rather than abuse, follow the dedicated route in Security & Trust → “Responsible disclosure” (support@horsenose.eu with `Security` in the subject line).
We will investigate reports in good faith and will not disclose a reporter’s identity without consent unless required by law. We are not a law-enforcement body and cannot compel disclosure from third parties or take enforcement action against people outside the Service; where a matter warrants police, regulatory, or judicial process, that path is yours or your counsel’s to initiate. Our role is limited to operating the Service honestly and honouring legally grounded requests we receive.
Notices of illegal content. Anyone — with or without a horsenose account — may notify us of specific content stored on the Service that they believe is illegal by emailing support@horsenose.eu with "Illegal Content Notice" in the subject line, including the content’s exact location (a link or a precise description), an explanation of why you consider it illegal, and your name and contact details, together with a statement that your notice is made in good faith and is accurate. We will confirm receipt without undue delay and decide on the notice — and tell you the outcome — in a diligent, objective, and timely manner, as Article 16 of the EU Digital Services Act requires.
Suspected criminal offences. If we become aware of information giving rise to a suspicion that a criminal offence involving a threat to a person’s life or safety has taken place, is taking place, or is likely to take place, we will promptly inform the competent law-enforcement or judicial authorities of the Member State(s) concerned (or Europol, where the Member State cannot be identified), as Article 18 of the EU Digital Services Act requires.
5. Enforcement and appeals
5.1 Our usual ladder
If we believe you have breached this policy, we will generally take the following steps in order:
- Contact the responsible account-holder (a stable administrator, an instructor, or the rider whose account is involved), describe what we observed, and give them a chance to respond.
- Require correction of the behaviour — for example, deleting data that should not have been entered, ceasing automated scraping, or restoring a misconfigured role.
- Suspend the specific feature, account, or stable while we investigate, or as a corrective measure if the breach is not resolved.
- Terminate the account or the stable’s access to the Service for severe or repeated breach.
5.2 Fast-track suspension
For clear, serious harm — for example, an attempt to exfiltrate another stable’s data in progress, an ongoing attack on the Service, or unlawful use that puts other users at risk — we may skip the early steps and suspend immediately, then contact the account-holder. We do this only where the harm is concrete and proceeding through the usual ladder would make it worse.
5.3 Refunds where we terminate
Where horsenose terminates an account or a stable’s subscription without cause attributable to the account-holder, we will refund the unused portion of any pre-paid subscription on a pro-rata basis (for non-Polish stables, the refund is issued through Dodo Payments as seller of record — see the Terms of Service → “Subscription and billing”). We will not refund where the termination follows from intentional fraud, illegal use, or a severe breach of this policy where the account-holder bears responsibility.
5.4 Appeals
If we suspend or terminate your account, or restrict a stable’s access, and you believe the decision was in error, email support@horsenose.eu with `Account Appeal` in the subject line. A human — not an automated system — will review your appeal and respond as soon as reasonably practicable. If we are not persuaded, we will explain why in writing so that you can assess your next steps, including escalation to a supervisory authority where applicable. Where your appeal is a statutory data-subject request under the GDPR, we will comply with the statutory time-limits in Article 12(3) GDPR regardless of this section.
5.5 Responsible security research is not a violation
For the avoidance of doubt: good-faith security research that follows the responsible-disclosure policy in Security & Trust → “Responsible disclosure” — staying within your own accounts, avoiding degradation of the Service for others, and not accessing other users’ data — is not a breach of this policy and will not trigger enforcement under this section.
6. Changes
We may update this policy as new patterns of misuse emerge, as the Service evolves, or as the law develops. Material changes will be announced by email to active subscribers and by an in-product notice with reasonable advance notice before they take effect (immediate effect where the change is required by law or a security situation). The current version is shown at the top of this page.
7. Contact
Questions about what’s allowed: support@horsenose.eu.
- Abuse reports — subject line `Abuse Report`.
- Account appeals — subject line `Account Appeal`.
- Security vulnerabilities — follow Security & Trust → “Responsible disclosure” (subject line `Security`).
Operator: DF Daniel Fojcik, ul. Goplany 36a, 44-321 Marklowice, Poland · NIP 6472592229 · REGON 387798601. Trading as Nose / horsenose.