BLACK SADDLE BOOKING CONDITIONS

 

 

PRIVACY POLICY

Data Controller: Dreamy Ponies Limited t/a Black Saddle · Company No. 12990748

Contact: rides@black-saddle.com

Last updated: May 2026

1. Our role

Dreamy Ponies Limited, trading as Black Saddle, is the data controller for the personal data described in this policy. As an agent, we collect personal data from you to facilitate your booking and share relevant information with our ride operators. Once your data is shared with the operator, the operator becomes a separate data controller for their own purposes, governed by their own privacy obligations.

2. What personal data we collect

We collect personal data in the following contexts:

  • Rider forms: Full name, date of birth, nationality, home address, email, phone, weight, height, Instagram handle, emergency contact details, dietary requirements, riding experience and history, medical conditions, insurance details.

  • Booking and payment: Name, email, address, payment method (processed by Stripe — we do not store card numbers).

  • Newsletter signups: Email address and name.

  • General enquiries: Name, email, and any information you choose to share in your message.

  • Website analytics: Anonymised data on pages visited, device type, and session duration via our analytics provider.

When you provide emergency contact details on a rider form, you are responsible for informing that person that their details have been shared with us. We will only contact them in the event of an emergency.

3. How we use your data

  • To process and manage your booking and communicate with you about it

  • To assess your suitability for a ride and share relevant information with the operator

  • To send transactional emails (deposit requests, confirmations, balance reminders, pre-trip information)

  • To send marketing emails to existing customers about new rides and departures (you may opt out at any time)

  • To send our newsletter to subscribers (consent-based, with an unsubscribe link in every email)

  • To use photographs and video taken during your holiday for marketing purposes, in accordance with our Booking Conditions (you may opt out at any time)

  • To maintain accounting and legal records

  • To improve our website and services through analytics

4. Legal basis for processing

  • Contract performance: Processing necessary to fulfil your booking, including rider forms, booking management, payment, and operator communications.

  • Legitimate interests: Marketing to existing customers about similar holidays, fraud prevention, service improvement, and the use of trip photography and video for marketing purposes. We have balanced these interests against your rights and freedoms. You may object to processing on this basis at any time.

  • Consent: Newsletter subscriptions and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.

  • Legal obligation: Retaining financial records as required by HMRC.

  • Vital interests: Processing health information in an emergency where you are unable to give consent.

5. Special category data (health and medical)

Rider forms collect health and medical information. This is special category data under UK GDPR. We process this data on the basis of your explicit consent, given when you submit the rider form. In an emergency where you are unable to give consent, we may also process this data on the basis of vital interests.

Medical information is shared with the ride operator solely for the purpose of safe horse matching and trip planning. It is not used for any other purpose, is not shared with any other third party (except as required for emergency medical care), and is not used for marketing.

You may request deletion of your health data at any time, subject to our obligation to retain it while a booking remains live.

6. Who we share your data with

  • Ride operators: Your rider form and booking details are shared with the operator of your confirmed ride. Operators act as separate data controllers and are bound by their own privacy obligations.

  • Stripe: Payment processing. Stripe acts as a separate data controller and processes card data directly. We do not store card numbers. See Stripe's privacy policy at stripe.com/privacy.

  • Resend (email service provider): Used to deliver our transactional and marketing emails on our behalf. Resend acts as our data processor.

  • Sanity (content management system): Stores booking and content data on our behalf. Sanity acts as our data processor.

  • Squarespace (website host): Hosts our website and processes website usage data. Squarespace acts as our data processor.

  • Analytics provider: Anonymised website usage data only — no personal identification.

We do not sell your data. We do not share your data with advertising networks. We do not use your data for automated decision-making or profiling.

7. International data transfers

Our ride operators are based around the world, including in Argentina, Botswana, Chile, France, Iceland, Ireland, Kenya, Kyrgyzstan, Namibia, New Zealand, Pakistan, Spain, Tajikistan, and Uzbekistan. When we share your rider form with an operator, your data is transferred to their jurisdiction.

The UK has adequacy decisions in place for some of these countries (including Argentina, France, Iceland, Ireland, New Zealand, and Spain). For other destinations (including Botswana, Chile, Kenya, Kyrgyzstan, Namibia, Pakistan, Tajikistan, and Uzbekistan), no UK adequacy decision is currently in place.

For transfers to non-adequate countries, we rely on the derogation in Article 49(1)(b) UK GDPR — that the transfer is necessary for the performance of your contract with us — supported by your explicit consent given at the point of submitting your rider form.

We mitigate the risks of these transfers by:

  • Sharing only the minimum data necessary for the operator to deliver your holiday safely

  • Confirming with operators that they may only use your data for the purpose for which it was shared

  • Sharing data only once a booking has been confirmed

You should be aware that data protection standards in some destination countries may not be equivalent to those in the UK. By completing a rider form, you acknowledge and consent to this transfer.

8. How we keep your data secure

We use appropriate technical and organisational measures to protect your data, including:

  • Storage of booking and rider data in a secure, access-controlled content management system

  • Encryption of data in transit (HTTPS) and at rest where supported by our service providers

  • Limiting access to personal data to those who need it for the purposes set out in this policy

  • Regular review of our security practices and providers

No system is completely secure. If we become aware of a personal data breach affecting your rights and freedoms, we will notify you and the Information Commissioner's Office (ICO) as required by law.

9. Data retention

  • Booking and rider form data: Retained for 7 years from the date of the holiday, in line with HMRC requirements for financial records. Health data is retained for the same period unless you request earlier deletion.

  • Newsletter subscriptions: Until you unsubscribe.

  • General enquiries (no booking placed): Deleted within 12 months.

  • Website analytics: Aggregated and anonymised — not subject to retention limits.

10. Your rights under UK GDPR

You have the following rights in relation to your personal data:

  • Right of access: Request a copy of the personal data we hold about you.

  • Right to rectification: Ask us to correct inaccurate or incomplete data.

  • Right to erasure: Ask us to delete your data where there is no compelling reason for us to continue processing it.

  • Right to restriction: Ask us to restrict processing in certain circumstances.

  • Right to data portability: Receive your data in a machine-readable format where processing is based on consent or contract.

  • Right to object: Object to processing based on legitimate interests, including direct marketing (which you can also opt out of via the unsubscribe link in any marketing email).

  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

  • Right not to be subject to automated decision-making: We do not make automated decisions about you.

To exercise any of these rights, email rides@black-saddle.com. We will respond within one calendar month of your request, or sooner where reasonably possible.

11. Cookies

Our website uses the following types of cookies:

  • Strictly necessary cookies: Required for the site to function (session, security, preferences). These do not require consent under PECR.

  • Analytics cookies: Used to understand how visitors use our site. These are only set with your consent.

Our website is hosted by Squarespace, which sets cookies for site functionality, security, and analytics. For a full list of cookies set by Squarespace, see their cookie policy at squarespace.com/cookie-policy.

You can manage cookie preferences in your browser settings. Blocking strictly necessary cookies may affect site functionality. Where we use analytics or other non-essential cookies, you will be asked to consent on your first visit.

12. Marketing communications

We send marketing emails on the following bases:

  • To existing customers: Under PECR Regulation 22 (the "soft opt-in"), we send marketing about similar holidays to clients who have previously booked with us. You may opt out at any time, including via the unsubscribe link included in every marketing email.

  • To newsletter subscribers: On the basis of your consent, given when you sign up. You may withdraw consent at any time via the unsubscribe link in every newsletter.

If you opt out of marketing, we will continue to send you transactional communications relating to any active booking.

13. Children

Our services are intended for adults aged 20 and over. The party leader for any booking must be 20 or over. Where minors travel with a party, we collect their personal data only as necessary for the booking, and only with the consent of a parent or legal guardian acting as party leader. We do not knowingly collect data from anyone under 13.

14. Changes to this policy

We will review and update this policy periodically. Material changes will be communicated to newsletter subscribers and clients with active bookings. The "last updated" date at the top of this policy will indicate the most recent revision.

15. Contact us and how to complain

For any privacy-related questions or to exercise your rights, contact us at rides@black-saddle.com.

We are not currently required to appoint a Data Protection Officer.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

  • Website: ico.org.uk

  • Helpline: 0303 123 1113

  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Clients based in the EU or EEA may also have the right to complain to their local supervisory authority.