Privacy Policy

1. Information We Collect

We collect information in the following categories:

• Account information — name, email address, phone number, password (encrypted), and authentication tokens.
• Profile information — your full name, role (owner, bloodstock agent, trainer, breeder, enthusiast), seller role, location/region, optional stable name, optional bio, and optional profile photo.
• Listing information — horse names, pedigrees, race records, photographs, asking prices, location, descriptions, fractional-interest preferences, Equibase URLs, and other content you add to listings.
• Verification documents — government-issued photo identification, business formation documents, Jockey Club registration certificates, bills of sale, signed authorization letters. See Section 1A below for detailed handling.
• Communications — messages you send to other users, offers you make or receive, and support inquiries you submit.
• Usage and analytics — pages viewed, features used, time spent, search terms, and interaction patterns.
• Device information — device model, operating system version, unique device identifier, IP address, and crash diagnostics.
• Location information — general region you select during onboarding (e.g., Pacific Northwest); we do NOT collect precise GPS location.
• Push notification tokens — when you grant push notification permission, we store the device token assigned by Apple Push Notification Service (APNs) so we can deliver notifications to your device.
• Payment information — handled exclusively by Apple In-App Purchase. We do not receive or store your full payment card details.
• Cookies and similar — local storage tokens for session persistence and authentication.

1A. Verification Documents — Detailed Handling

Verification documents are the most sensitive information Quarter Pole collects. This section explains, in detail, what we do and do not do with them.

What we collect. To list a horse on the Platform, Quarter Pole requires you to submit verification documents. The document categories are: government-issued photo identification (driver's license, passport, state ID); business formation documents (operating agreements, partnership agreements, articles of incorporation, syndicate prospectuses); Jockey Club registration certificates; bills of sale; signed authorization letters from registered owners; and any additional documents Quarter Pole reasonably requests.

Where it is stored. All verification documents are stored in a private cloud storage bucket operated on Supabase's infrastructure (United States data center). The bucket is configured as private — not publicly accessible by URL or any other means. Documents are encrypted at rest using Supabase's managed encryption (AES-256). Encryption in transit is enforced (TLS 1.2 or higher) for all uploads.

Who can access it. Access is technically restricted via Row-Level Security policies enforced at the database layer. The only parties able to view a document are: (i) the user who uploaded it; and (ii) Quarter Pole administrators identified by the database flag profiles.is_admin = true. Access by administrators occurs through temporary signed URLs that expire within five (5) minutes of generation. No third party — including Supabase staff under normal operation, advertisers, marketers, other users, the public, or any other entity — has access to the document files.

How we use it. Verification documents are used solely to: review your eligibility to list a horse; confirm your identity; verify your right to sell the specific horse you wish to list; satisfy our trust-and-safety requirements; create an audit trail of the verification decision; respond to legal process if compelled; and investigate suspected fraud, abuse, or violation of our Terms. We do NOT use verification documents for any marketing, advertising, analytics, machine-learning training, profiling, or any other purpose.

Retention and deletion. Upon completion of administrator review (whether approved or rejected), Quarter Pole DELETES the actual document file from storage as soon as reasonably practicable, typically within minutes of the review decision. Only an audit record is retained: the document type submitted, the timestamp of submission, the timestamp and identity of the reviewing administrator, the review outcome, and any reviewer notes. The actual image or PDF is purged.

Sharing. Verification documents are NEVER shared with other users, NEVER sold or rented, NEVER used for marketing, NEVER provided to advertisers, and NEVER transferred outside of Quarter Pole except: (a) where required by valid legal process; (b) to law enforcement if Quarter Pole reasonably suspects the document is fraudulent; or (c) in connection with a sale of substantially all of Quarter Pole's assets, in which case the acquiring entity will be bound by privacy commitments at least as protective as this Policy.

Suspected fraud. If Quarter Pole reasonably suspects any submitted document is forged, altered, falsified, or otherwise fraudulent, Quarter Pole reserves the right to retain copies indefinitely and share them with law enforcement, The Jockey Club, applicable state racing commissions, or any other appropriate authority.

Your rights. You may request access to, correction of, or deletion of any verification document in our possession by emailing privacy@quarterpole.com. Requests will be processed in accordance with applicable law.

2. How We Use Information

We use the information we collect to:

• Provide, operate, and improve the Platform.
• Authenticate you and maintain your session.
• Display your listings, profile, and messages to other users you interact with.
• Verify your identity and ownership of horses listed.
• Send you transactional notifications (new messages, offers, listing alerts).
• Respond to support requests and communicate about service updates.
• Detect, prevent, and address fraud, abuse, security incidents, and Terms violations.
• Comply with applicable laws, regulations, and legal process.
• Conduct analytics to improve the Platform and develop new features.

3. Sharing of Information

Quarter Pole does not sell, rent, lease, or otherwise transfer your personal information or any verification documents to any third party for any monetary or non-monetary consideration. We do not monetize your data. We do not share data with data brokers, advertising networks, or any entity that would use it for marketing, profiling, or any purpose other than operating the Platform on Quarter Pole's behalf.

We share your information only as described below:

• With other Users — your profile and listings are visible to other Quarter Pole users. Messages are visible only to the parties of that conversation.
• With service providers — Supabase (database, authentication, storage, edge functions), Apple (iOS, push notifications, IAP, Sign In with Apple), Google (Sign In with Google), Equibase (public pedigree and race-record data; we do not transmit your personal information to Equibase), Expo (mobile build infrastructure, push routing, crash analytics), news content publishers (we hit their public RSS feeds without sharing user information).
• For legal reasons — when disclosure is required by law, regulation, legal process, or governmental request, or to protect Quarter Pole's rights, property, or safety, or that of our users or the public.
• For fraud investigation — verification documents reasonably suspected to be fraudulent may be shared with law enforcement, The Jockey Club, applicable state racing commissions, or other appropriate authorities.
• In a business transfer — if Quarter Pole is involved in a merger, acquisition, financing, reorganization, or sale of assets, your information may be transferred.
• With your explicit consent — for any purpose disclosed at the time of consent.

4. Third-Party Services

The Platform integrates with services provided by third parties. Each operates under its own privacy policy. Quarter Pole does NOT integrate with any analytics platform that profiles users, any retargeting platform, any advertising network, or any data broker. The list below is exhaustive — these are the only third parties that touch user data on Quarter Pole's behalf.

• Supabase Inc. — database, authentication, file storage (including the encrypted private bucket containing verification documents), edge functions.
• Apple Inc. — iOS, App Store, Sign In with Apple, In-App Purchase, push notification delivery via APNs.
• Google LLC — Sign In with Google.
• Equibase Company LLC — public pedigree and race-record data. We retrieve publicly available data on your behalf when you list a horse; we do not share your personal information with Equibase.
• Expo Inc. — mobile app build infrastructure, push notification routing, JavaScript update delivery, crash analytics.
• News content publishers — we retrieve publicly available RSS feeds from third-party horse racing publications without sharing user information.

5. Data Retention

We retain your information for as long as your account is active or as needed to provide the Platform, comply with legal obligations, resolve disputes, and enforce our agreements. When you delete your account, we delete or de-identify your personal information within 90 days, except where we are required to retain it for legal, regulatory, tax, or audit purposes.

6. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access — request a copy of the personal information we hold about you.
• Correction — request that we correct inaccurate or incomplete information.
• Deletion — request that we delete your personal information.
• Portability — receive a copy of your data in a structured, machine-readable format.
• Objection or Restriction — object to or restrict certain processing of your data.
• Marketing opt-out — unsubscribe from non-essential communications.

7. California Residents (CCPA)

California residents have specific rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete personal information, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising these rights. To exercise these rights, contact privacy@quarterpole.com.

8. EU/UK Residents (GDPR)

If you are located in the European Economic Area or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR), including the right to lodge a complaint with your local data protection authority. Our legal basis for processing your personal information is (a) the performance of our contract with you, (b) compliance with our legal obligations, (c) our legitimate interests in operating the Platform, and (d) where applicable, your consent.

9. Children's Privacy

The Platform is intended for users 18 years of age or older. We do not knowingly collect personal information from children under 18. If we learn we have collected personal information from a child under 18, we will delete it promptly. If you believe we have inadvertently collected information about a child under 18, please contact privacy@quarterpole.com.

10. International Data Transfers

Quarter Pole is based in the United States. Information we collect may be transferred to, stored, and processed in the United States or any other country in which Quarter Pole or its service providers maintain facilities. By using the Platform, you consent to the transfer of your information to the United States and other jurisdictions, which may have data protection laws different from those in your country.

11. Security Measures

We implement industry-standard security measures to protect your personal information, including:

• Encryption in transit (TLS/HTTPS) for all data exchanged between your device and our servers.
• Encryption at rest for sensitive data stored in our database.
• Row-level security policies on all database tables, enforced at the data layer.
• Authentication tokens stored securely in iOS Keychain (via secure storage).
• Auto-rotating session tokens with automatic refresh.
• Hashed passwords (Bcrypt) — we never store plain-text passwords.
• Restricted access to production systems with multi-factor authentication for staff.
• Regular security advisory monitoring and remediation of identified vulnerabilities.

12. Data Breach Notification

In the event of a data breach involving your personal information, we will notify affected users without undue delay, in accordance with applicable laws. Notifications will be sent via the email address associated with your account and may also be posted within the Platform.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The most current version will be posted on the Platform with an updated effective date. If we make material changes, we will notify you through the Platform or via the email address associated with your account, and we may require you to re-accept the updated Policy. Your continued use of the Platform after the effective date of any update constitutes your acceptance.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us at: privacy@quarterpole.com

For security incidents or vulnerabilities, please contact: security@quarterpole.com