Privacy Policy
Last updated: 6 June 2026
This policy explains how [Equiwings legal entity name] ("Equiwings", "we", "us", "our") collects, uses, shares, stores, and protects your personal data, and the rights you have over it under India's Digital Personal Data Protection Act 2023 (the "DPDP Act") and the Digital Personal Data Protection Rules 2025. Please read it alongside our Terms of Service.
1. Who we are and our role
Equiwings is operated by [Equiwings legal entity name], a company incorporated in India with its registered office at [Registered office address]. We provide a software-as-a-service platform that equestrian academies and clubs use to manage riders, horses, exams, fees, and certificates.
Under the DPDP Act, "personal data" is any data about an individual who is identifiable by or in relation to that data; a "Data Principal" is the individual the data is about; and a "Data Fiduciary" is whoever decides why and how that data is processed.
- As a Data Processor: for the rider, parent, staff, and horse records that an academy enters to run its own operations, the academy is the Data Fiduciary and decides the purposes. We process that data only on the academy's documented instructions, under our agreement with it.
- As a Data Fiduciary: for the data we decide the purpose of ourselves — account administration, billing for the subscription, security, and improving the product — we are the Data Fiduciary and this policy governs directly.
If your data was entered by an academy you belong to, that academy is your first point of contact for access or correction; we will support and, where required, act on its instructions.
2. The personal data we process
- Account & identity: name, email address, phone number, role, login credentials (passwords are stored only as salted hashes), and two-factor settings.
- Rider profile: name, date of birth, age, gender, address, photograph, school, and parent/guardian contact details.
- Government identifiers (only when you choose to provide them): Aadhaar, PAN, and bank/UPI details for payouts or KYC. We collect these only where needed and treat them as sensitive.
- Training records: attendance, batch/lesson schedules, skill progression, exam score cards, certificate serial numbers.
- Health & safety records: rider injury logs and, for horses, veterinary, medication, and care records.
- Horse records: ownership, allocations, vaccination/deworming/farriery logs, feed plans, and insurance details.
- Financial data: invoices, fee plans, payment references, GSTIN, and billing address. Card and bank details for payments are handled by our payment processors — we do not store full card numbers.
- Communications: in-app messages and the email, SMS, and WhatsApp notifications sent through the platform.
- Technical & audit data: IP address, browser/user-agent, session timestamps, and an audit log of significant actions, kept for security and accountability.
3. Children's data
Many riders are below 18. The DPDP Act treats everyone under 18 as a child and requires verifiable consent from a parent or lawful guardian before a child's personal data is processed. Accordingly:
- A child's profile is created and consented to by a parent or guardian, whose identity and age we verify at the point of consent.
- We do not undertake tracking, behavioural monitoring, or targeted advertising directed at children, and we do not process children's data in any way likely to cause harm.
- A parent or guardian can review, correct, or withdraw consent for their child's data at any time (see sections 9–11).
Withdrawal of consent does not affect records we or the academy are legally required to keep (for example, financial records under tax and companies law).
4. Why we process your data
- To run the academy's training, attendance, exam, and certificate workflows.
- To raise and reconcile fees and to process payments.
- To send operational notifications — class reminders, fee-due alerts, exam results, and certificates.
- To provide parent and rider portals with read access to the relevant rider's own records.
- To keep the service secure, prevent abuse, and maintain audit trails.
- To meet legal obligations (tax, GST, and record-keeping).
- To improve the service using aggregated, de-identified usage data only.
5. The legal basis for processing
We process personal data on the basis of (a) your consent, given at registration or when you provide the data, for the purposes notified to you; (b) "certain legitimate uses" permitted by the DPDP Act, such as complying with a legal obligation or responding to a medical emergency; and (c) the instructions of the academy that subscribes to the platform, where we act as its Data Processor.
6. Consent and how to withdraw it
Where we rely on consent, we ask for it through a clear notice in plain language that describes the data, the purpose, and how to exercise your rights. You may withdraw consent at any time — through the relevant setting in your account, or by writing to info@equiwings.com. Withdrawing consent is as easy as giving it, and we will stop the related processing, except where the law requires or permits us to continue. Withdrawal does not make earlier, lawful processing invalid.
7. Who we share data with
We never sell personal data. We share it only as follows:
- The academy you belong to — this is the core purpose of the platform.
- Sub-processors who help us run the service, each bound by contract to use the data only for that purpose:
- Vercel — application hosting and content delivery.
- Supabase — managed PostgreSQL database and encrypted backups, hosted in the Mumbai (ap-south-1) region.
- Razorpay and/or Stripe — payment processing.
- SendGrid — transactional email delivery.
- Twilio (via DLT-registered Indian carriers) — SMS delivery.
- Meta Platforms — WhatsApp Business Cloud API for WhatsApp notifications.
- Government agencies or authorities when we are legally required to disclose (for example, under a valid court order or statutory request).
- A successor entity in the event of a merger, acquisition, or reorganisation, subject to this policy.
8. Where your data is stored
The primary database and backups are hosted in India (Supabase, Mumbai / ap-south-1 region). Static assets are served through a global content delivery network for performance, and some communication gateways (email, SMS, and WhatsApp) necessarily transmit message content through their own infrastructure to deliver it. We do not transfer personal data to any country or territory restricted by the Central Government under the DPDP Act.
9. How long we keep it
We keep operational data for as long as the academy's subscription is active and you maintain an account. After that, we retain it only as long as needed for the purpose, or as the law requires — financial and tax records, for example, are kept for the period mandated by the Income Tax Act and the Companies Act 2013 (up to eight years). Audit logs are pruned after two years. When you ask us to delete your data, we schedule deletion 30 days from the request (so an accidental request can be reversed), after which the personal data is permanently deleted and any retained audit entries are anonymised.
10. Your rights as a Data Principal
The DPDP Act gives you the right to:
- Access — obtain a summary of the personal data we process about you and how we process it.
- Correction and updating — have inaccurate or incomplete data corrected or completed.
- Erasure — have your personal data erased where it is no longer needed for the purpose and the law does not require us to keep it.
- Nomination — nominate another individual to exercise your rights on your behalf in the event of death or incapacity.
- Grievance redressal — have any grievance addressed by us before approaching the Data Protection Board (section 12).
- Withdraw consent — at any time, as described in section 6.
11. How to exercise your rights
You can do most of this yourself in the app: edit your profile to correct it, use Account → Export to obtain a copy, and use Account → Delete to request erasure. You can also write to info@equiwings.com. We will verify your identity before acting and respond within the timelines required by law. If an academy entered your data, we may need to route your request through it as the Data Fiduciary.
You also have a duty under the DPDP Act not to file false or frivolous complaints and not to impersonate another person when exercising rights.
12. Grievance Officer & the Data Protection Board
If you have a concern about how your data is handled, contact our Grievance Officer first:
Grievance Officer
[Name of Grievance Officer]
info@equiwings.com
[Registered office address], India
We will acknowledge your grievance on receipt and resolve it within 90 days. If you are not satisfied with our response, you may make a complaint to the Data Protection Board of India established under the DPDP Act.
13. How we keep data secure
We apply reasonable security safeguards, including encryption in transit (HTTPS), encrypted backups, salted password hashing, two-factor authentication for privileged accounts, rate-limited login and password-reset endpoints, security headers, role-based access control, and tenant isolation at the database layer. No system is perfectly secure; if you believe your account or data has been compromised, write to info@equiwings.com and we will investigate promptly.
14. Personal data breaches
If a personal data breach occurs, we will notify the Data Protection Board of India and each affected Data Principal in the manner and within the timelines required by the DPDP Act and the DPDP Rules 2025, describing the nature of the breach, its likely consequences, and the measures we are taking. Where we act as a Data Processor, we will also inform the relevant academy without undue delay.
15. Cookies and similar technologies
We use strictly necessary cookies to keep you signed in and to secure your session. We do not use third-party advertising or cross-site tracking cookies.
16. Changes to this policy
We may update this policy from time to time. We will notify the primary account holder by email at least 14 days before material changes take effect, and we will update the "Last updated" date above.
17. Contact us
For any privacy question, or to reach our Data Protection Officer:
Data Protection Officer
[Name of Data Protection Officer]
info@equiwings.com
[Equiwings legal entity name]
[Registered office address], India
By using Equiwings you agree to this policy and our Terms of Service.