Privacy Policy
Last updated: 2026-02-24
1. Data Controller
The data controller for your personal data is:
2. Data Protection Contact
Bad Pony Club is not required to appoint a Data Protection Officer under GDPR Article 37. For any privacy-related queries, contact us at privacy@badpony.online. We aim to respond within 30 days.
3. Categories of Personal Data Collected
We collect the following categories of personal data:
| Category | Data collected |
|---|---|
| Identity data | Username, display name, email address, date of birth |
| Profile data | Bio, avatar image, professional title, website URL |
| Content data | Posts, comments, images, videos, ride listings |
| Social data | Follows, blocks, mutes, likes |
| Communication data | Direct messages and message metadata |
| Analytics data | Page views, impressions, clicks (when consent is given) |
| Financial data | Campaign budgets, payment information (processed by Stripe — we do not store card details) |
| Technical data | Cookies, consent records, device type |
4. Purposes and Legal Basis
We process your personal data for the following purposes under the stated legal bases (GDPR Article 6):
| Purpose | Legal basis |
|---|---|
| Account creation and management | Performance of contract (Art. 6(1)(b)) |
| Content sharing (posts, rides, comments) | Performance of contract (Art. 6(1)(b)) |
| Direct messaging | Performance of contract (Art. 6(1)(b)) |
| Analytics and service improvement | Consent (Art. 6(1)(a)) |
| Marketing campaigns and promotions | Consent (Art. 6(1)(a)) |
| Content moderation and platform safety | Legitimate interest (Art. 6(1)(f)) |
| Age verification | Legal obligation (Art. 6(1)(c)) |
5. Retention Periods
We retain your data for the following periods:
| Data type | Retention period |
|---|---|
| Account data | Until you delete your account + 30-day grace period |
| Posts and comments | Until account deletion (anonymised on deletion) |
| Direct messages | Until account deletion (message content deleted) |
| Analytics events | 90 days |
| Stories | 24 hours active + 30 days retention |
| Notifications | 180 days |
| Data exports | 7 days (then automatically deleted) |
6. Third-Party Processors
We share your data with the following processors who act on our behalf:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU |
| Stripe | Payment processing | US (EU SCCs) |
| Cloudflare | CDN, video delivery | Global (EU SCCs) |
| Vercel | Application hosting | US (EU SCCs) |
| Upstash | Rate limiting, caching | EU |
| Resend | Email delivery | US (EU SCCs) |
7. International Transfers
Some of our processors are located outside the European Economic Area (EEA). Where personal data is transferred to the US or other non-EEA countries, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure an adequate level of data protection. You can request copies of the relevant SCCs by contacting us at privacy@badpony.online.
8. Your Rights
Under GDPR, you have the following rights regarding your personal data:
| Right | How to exercise |
|---|---|
| Access (Art. 15) | Account Settings > Download My Data — receive a copy of your personal data in JSON format |
| Rectification (Art. 16) | Account Settings > Edit Profile — update your personal information directly |
| Erasure (Art. 17) | Account Settings > Delete Account — your account enters a 30-day grace period before permanent deletion |
| Restrict processing (Art. 18) | Contact us at privacy@badpony.online to request restriction of processing |
| Data portability (Art. 20) | Account Settings > Download My Data — export in machine-readable JSON format |
| Object (Art. 21) | Account Settings > Privacy — opt out of processing based on legitimate interest |
| Withdraw consent (Art. 7(3)) | Cookie settings page or Account Settings > Privacy — withdraw consent at any time without affecting prior processing |
To exercise any right not available through the platform, email privacy@badpony.online. We will respond within 30 days.
9. Withdrawing Consent
Where we process your data based on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. You can withdraw consent by:
- Updating your cookie preferences on the cookie settings page
- Visiting Account Settings > Privacy to manage consent preferences
- Emailing privacy@badpony.online
10. Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. We encourage you to contact us first so we can attempt to resolve your concern.
11. Required vs Optional Data
To create an account, you must provide an email address, username, and date of birth. This data is necessary for us to provide the service and verify your age. All other profile information (bio, avatar, website, etc.) is optional. You can use core platform features without providing optional data.
12. Automated Decision-Making
We do not currently use automated decision-making or profiling that produces legal or similarly significant effects on you. If this changes, we will update this policy and notify you before any such processing begins.
13. Cookies
We use essential cookies for authentication and session management. Analytics cookies are only set with your consent. For full details and to manage your preferences, see our Cookie Settings.
14. Changes to This Policy
We may update this policy from time to time. The version date at the top of this page indicates when the policy was last revised. For material changes, we will notify you through the platform (via notification or banner) before the changes take effect. Continued use of Bad Pony after notification constitutes acceptance of the updated policy.