This Privacy Policy explains how Jean-Alexandre LEGRAS, an individual conducting business in France as a micro-entrepreneur (auto-entrepreneur), registration pending (“RideBase”, “we”, “us”, or “our”), collects, uses, discloses, retains and protects your personal data when you use the RideBase website, mobile application and Groom Portal (collectively, the “Service”). RideBase is committed to processing your personal data in compliance with Regulation (EU) 2016/679 (“GDPR”) and the French Act n°78-17 of 6 January 1978 on data protection (“Loi Informatique et Libertés”).
Disclaimer: this document is a template and does not constitute legal advice. A qualified French lawyer should review it before reliance.
1. Who We Are — Data Controller
The data controller within the meaning of Article 4(7) GDPR is:
- Jean-Alexandre LEGRAS, micro-entrepreneur (registration pending);
- Contact: scjaljumping@gmail.com;
- Postal address: [PLACEHOLDER — to be inserted upon registration].
1.1 Data Protection Officer
We have not appointed a Data Protection Officer (DPO) because we do not fall within the mandatory designation cases of Article 37 GDPR: we have fewer than 250 employees and we do not carry out, as our core activity, large-scale processing of special-category data or systematic monitoring of individuals on a large scale. All data-protection requests should be addressed to the contact email above.
2. Scope
This Privacy Policy applies to all processing of personal data carried out by RideBase in connection with:
- the website at ridebase.app (and any subdomain);
- the mobile applications (iOS, Android, Capacitor-wrapped);
- the Groom Portal (token-protected upload link);
- any related communication, including support emails.
Third-party services to which we link or that you choose to integrate are governed by their own privacy policies.
3. Data We Collect
We collect the following categories of personal data:
3.1 Account data
- Email address
- Hashed password (we never have access to your clear-text password)
- Display name / first name / last name (if provided)
- Locale (FR / EN) and theme preference (light / dark / system)
- Account creation date and last-login timestamp
3.2 Profile and commercial data
- Personal referral code generated by the Service
- Code of the User who referred you (if any)
- Current Subscription tier (Free trial / Basic / Pro)
- Subscription history (when paid plans launch)
- Billing data (handled by Stripe — see Section 7)
3.3 Session data
- Training and competition session entries: date, type (training/competition), discipline, class height, venue name, location, horse(s) used
- Horse profile data you record: name, age, breed, height, level, notes, ownership status
- Fault details, results, ranking, time, refusals, eliminations
- Free-text session notes
- Voice notes (audio is processed for transcription, then stored as text — see Section 6 below regarding AI)
3.4 Rider-state self-reports
Self-reported wellbeing indicators (sleep, energy, focus, confidence, motivation, body feel) on a numeric scale. These are not medical assessments and are not collected for any medical purpose; we treat them as personal-wellbeing data and do not consider them to fall within Article 9 GDPR special categories, since they are self-reported subjective indicators rather than clinical health data. They are nevertheless handled with particular care (access strictly limited to you).
3.5 Uploaded media
- Videos (MP4, MOV, WebM, M4V — up to 250 MB per file)
- Documents (PDF, JPG, PNG, HEIC, WebP, DOC, DOCX — up to 25 MB per file): vet reports, x-rays, contracts, insurance documents, owner authorisations, etc.
3.6 Mike (AI assistant) chat history
- Text messages you exchange with Mike
- Session-context snippets that Mike uses to respond (your recent sessions, rider-state, horse details)
3.7 Technical and log data
- IP address (truncated where possible)
- Device type, operating system, browser type and version
- Application version
- Timestamps of requests
- Pages or routes accessed
- Error logs, crash reports
3.8 Authentication cookies and similar technologies
- Session cookie or local token (strictly necessary for authentication)
- We do not use analytics, advertising or tracking cookies.
3.9 Legal acceptance records
- Timestamp, IP address and user-agent string captured at the moment you accept the Terms of Service or the Privacy Policy
- Version of the legal document accepted
These records are required to evidence your consent in case of dispute.
4. Sources of Data
We collect personal data:
- Directly from you, when you fill in forms, upload files, write notes, chat with Mike or send us an email;
- Automatically, when you use the Service (technical logs, cookies);
- From a referrer, when you sign up using another User’s referral code;
- From a Groom, when a person you have authorised uploads Content via the Groom Portal — you remain the data controller in respect of that Content vis-à-vis third parties; we act as a processor for the Groom on your behalf.
5. Purposes and Legal Bases of Processing
For each purpose, we identify the corresponding legal basis under Article 6 GDPR.
5.1 Performance of contract — Article 6(1)(b)
- Creating and managing your Account
- Providing the Service (logging sessions, storing media, displaying analytics)
- Authentication
- Billing and processing Subscription payments (once paid plans launch)
- Customer support
- Sending service-related transactional emails (password reset, security alerts, end-of-trial notice)
5.2 Legal obligation — Article 6(1)(c)
- Keeping accounting records and invoices for ten (10) years (Article L123-22 of the French Commercial Code)
- Responding to lawful requests from competent authorities
- Complying with tax obligations
- Implementing right-of-withdrawal procedures
5.3 Legitimate interest — Article 6(1)(f)
- Security and abuse detection, fraud prevention (including referral-program fraud)
- Service stability monitoring and debugging
- Improvement of Mike and Ben using anonymised data only (any personal identifier is stripped before use for improvement)
- Defending or asserting legal claims
- Sending non-marketing service-improvement updates (limited frequency)
Where we rely on legitimate interest, we have conducted a balancing test and concluded that our interests do not override your fundamental rights. You may object at any time (see Section 11).
5.4 Consent — Article 6(1)(a)
- Any future marketing emails (currently none)
- Future optional analytics or tracking, if introduced (a consent banner will be displayed before any non-strictly-necessary cookie is set)
- Processing of voice notes that may capture identifiable third-party voices — by uploading, you confirm that you have obtained the consent of any identifiable third party recorded
- Any future processing requiring consent under the GDPR or the ePrivacy Directive
You may withdraw your consent at any time, without prejudice to the lawfulness of processing performed prior to withdrawal.
6. AI Processing — Specific Notice
6.1 How Mike works
When you send a message to Mike, the Service forwards to OpenAI, via a Supabase Edge Function proxy hosted in the EU:
- the text of your message;
- a contextual summary of your recent activity (recent sessions, rider-state averages, horse profiles relevant to the conversation);
- system prompts internal to RideBase.
OpenAI processes the request to generate a response, which we return to you. OpenAI’s enterprise/API processing terms apply, including a contractual commitment that API content is not used to train OpenAI’s models.
6.2 What you should not share
You should not paste into Mike: passwords, payment card numbers, government identifiers, medical records of identifiable third parties, or any data you would not want exposed in the event of a security incident. The conversation history is stored to allow Mike to be useful across sessions.
6.3 Opt-out
You can disable Mike at any time in Settings → Mike → Disable AI Assistant. You can also delete individual conversations and full chat history.
6.4 Transcription
Voice notes are transcribed via the same proxy. Audio files are processed transiently and the text transcript is what we store. Raw audio may be retained for a short technical retention window (≤30 days) for quality control before being deleted.
6.5 Statistical analytics — Ben
Ben performs statistical aggregation on your own session data to derive patterns and trends. Ben does not constitute automated individual decision-making within the meaning of Article 22 GDPR; it produces no legal effect on you.
7. Recipients and Subprocessors
We share personal data only with the following categories of recipients, each of whom is bound by appropriate contractual safeguards (Data Processing Agreement under Article 28 GDPR):
| Subprocessor | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Supabase Inc. | Authentication, Postgres database, Edge Functions (Mike proxy, transcription) | EU (Ireland / Frankfurt); HQ in the USA | SCC / EU-US Data Privacy Framework |
| Cloudflare R2 (Cloudflare Inc.) | Object storage for videos and documents | Global edge | SCC / EU-US Data Privacy Framework |
| Vercel Inc. | Application hosting, edge network | USA + global edge | SCC / EU-US Data Privacy Framework |
| OpenAI, L.L.C. (via Supabase Edge proxy) | LLM behind Mike and transcription | USA | SCC / DPF; API content not used for model training |
| FEI / data.fei.org | Read-only competition calendar — no personal User data sent | International | N/A — no transfer of personal data |
| Stripe Payments Europe Ltd. (planned, not yet active) | Payment processing once paid plans launch | EU (Ireland) | N/A — EU transfer |
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.
7.1 Disclosure to authorities
We may disclose personal data to public authorities where required by law, court order, or duly substantiated criminal investigation. We will notify you of such requests where legally permitted.
8. International Transfers
Some of our subprocessors are based in or operate from the United States. Whenever personal data is transferred outside the European Economic Area, we rely on appropriate safeguards under Articles 44 to 49 GDPR:
- Standard Contractual Clauses (SCC) adopted by the European Commission (Implementing Decision (EU) 2021/914);
- EU-US Data Privacy Framework (DPF) certification of the recipient where applicable;
- additional technical and organisational measures (encryption in transit and at rest, access controls, pseudonymisation where relevant);
- a transfer impact assessment performed on a case-by-case basis.
You may request a copy of the safeguards in place by emailing scjaljumping@gmail.com.
9. Retention
| Data category | Retention period |
|---|---|
| Account data | Duration of the Account |
| Profile and session data | Duration of the Account |
| Uploaded media | Duration of the Account |
| Mike chat history | Duration of the Account (deletable by you) |
| Billing data and invoices | 10 years from end of financial year (L123-22 Code de commerce) |
| Authentication / security logs | ≤12 months |
| Application / technical logs | ≤12 months |
| Raw voice audio (transient) | ≤30 days |
| Legal acceptance records | 5 years after Account deletion |
| Inactivity-related closure | Account deleted after 24 months of inactivity, after 30-day reminder |
| Backups | ≤30 days rolling |
After deletion of your Account, we delete or irreversibly anonymise personal data within thirty (30) days, except for the legally-mandated retention items above.
10. Security
We implement appropriate technical and organisational measures to protect your data, including:
- Password hashing using industry-standard algorithms (bcrypt-equivalent) by Supabase Auth — clear-text passwords are never stored
- HTTPS / TLS in transit for all connections
- Row-Level Security (RLS) in the Postgres database, so that each User can access only their own rows
- Signed, time-limited URLs for video and document access; private buckets by default
- Encryption at rest at each major subprocessor (Supabase, Cloudflare R2, Vercel)
- Restricted administrative access with strong authentication
- Regular dependency security audits and secret-rotation procedures
- Backups with limited retention
- Incident response procedures, including notification to the supervisory authority (CNIL) within 72 hours where required under Article 33 GDPR, and to affected Users where required under Article 34 GDPR.
No system is 100% secure. You play an essential role in security by using a strong unique password and keeping your devices safe.
11. Your Rights Under the GDPR
You have the following rights with respect to your personal data:
- Right of access (Article 15 GDPR) — to obtain confirmation that we process your data and a copy of it.
- Right to rectification (Article 16) — to correct inaccurate or incomplete data.
- Right to erasure / right to be forgotten (Article 17) — to obtain deletion in specific cases.
- Right to restriction of processing (Article 18).
- Right to data portability (Article 20) — to receive your data in a structured, commonly used, machine-readable format.
- Right to object (Article 21), in particular to processing based on legitimate interest.
- Right to withdraw consent at any time, without affecting prior lawful processing.
- Right not to be subject to a fully automated decision producing legal effects or similarly significantly affecting you (Article 22).
- Right to lodge a complaint with the supervisory authority — for France: the CNIL, 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, www.cnil.fr.
- Right to give post-mortem instructions (Article 85 Loi Informatique et Libertés).
11.1 How to exercise your rights
To exercise your rights, send an email to scjaljumping@gmail.com indicating clearly the right you wish to exercise and the data concerned. To protect your privacy and prevent fraud, we may ask for additional information to verify your identity. We will respond within one (1) month of receipt, extendable by two further months for complex or numerous requests, with notice.
Many actions can also be performed directly from your Settings (data export, Account deletion, conversation deletion, locale change, theme change, opt-out from Mike).
12. Cookies and Similar Technologies
The Service currently uses only strictly necessary cookies and local-storage items for authentication and basic functionality. We do not use:
- analytics cookies (e.g., Google Analytics) — none;
- advertising cookies — none;
- social-network cookies — none;
- behavioural-tracking pixels — none.
Should we introduce any non-strictly-necessary cookie in the future, we will deploy a CNIL-compliant consent banner allowing you to accept or refuse each category with equal ease.
13. Children
The Service is not intended for children under sixteen (16) years of age. We do not knowingly collect personal data from anyone under 16. Users aged sixteen (16) or seventeen (17) may use the Service with parental authorization (see Sections 1.2 and 3.1 of the Terms of Service). The personal data of minors aged 16–17 is processed with particular care; certain features (notably Mike) may be subject to additional restrictions or parental-control settings in the future.
If you are a holder of parental authority and you learn that a child under 16 has provided us with personal data, or if you wish to exercise the rights of a minor user on their behalf, please contact scjaljumping@gmail.com so that we can promptly delete the data and close the Account.
14. Automated Decision-Making and Profiling
We do not carry out fully automated individual decision-making producing legal effects on you or similarly significantly affecting you within the meaning of Article 22 GDPR.
Ben provides statistical analytics based on your own data (e.g., your fault patterns, success rates by class, evolution over time). These analytics are decision-support tools to help you reflect on your own riding; no decision is taken about you automatically as a result.
Mike provides motivational and mental-coaching responses. These responses are conversational outputs, not decisions. They are non-binding and do not affect your legal rights, Subscription status or eligibility for any feature.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes (e.g., introduction of new processing purposes, new categories of subprocessors, change of legal basis, expansion of retention) will be notified at least fifteen (15) days in advance by email and via an in-app banner. For material changes that require it, we will request a renewed acceptance before you can continue using the Service. Non-material changes (clarifications, typo corrections) take effect upon publication. We will always keep an archive of past versions available on request.
16. Contact and Supervisory Authority
For any privacy question, complaint or rights-exercise request:
- By email: scjaljumping@gmail.com
- Postal: Jean-Alexandre LEGRAS — micro-entrepreneur (registration pending) — [PLACEHOLDER address]
You also have the right to lodge a complaint with the CNIL at any time, without first contacting us, although we encourage you to give us the opportunity to address your concerns directly.
CNIL — Commission Nationale de l’Informatique et des Libertés
3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07 — France
www.cnil.fr — +33 (0)1 53 73 22 22