Privacy Policy
Effective Date: March 7, 2026 · Version 2.0
Data Driven Design Group, LLC ("DDDG," "we," "us," or "our") is committed to protecting the privacy of all individuals who use the RanchOS platform ("Service"). This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you use the Service.
⚠️ These terms were prepared with AI assistance. Data Driven Design Group, LLC recommends review by a licensed attorney before reliance.
Overview
This Privacy Policy applies to all users of the RanchOS platform, including ranch administrators, instructors, staff members, riders, and parents or legal guardians of minor riders. By using the Service, you agree to the collection and use of your information as described in this Policy.
This Policy is incorporated into and forms part of our Terms of Service (available at ranchos.live/terms). Terms not defined here have the meaning given in the Terms of Service.
RanchOS is designed to facilitate the management of equestrian operations. In doing so, we process personal information on behalf of the ranches that use our platform. When a ranch administrator enters data about riders, instructors, or other individuals, DDDG acts as a data processor on behalf of that ranch, and the ranch acts as the data controller for such information. This distinction is important for understanding responsibility for data management, particularly for information about minor riders.
Data We Collect
We collect the following categories of personal information:
2.1 — Account & Registration Information. When you create a RanchOS account or are added to the platform by a ranch administrator, we collect:
- Full name
- Email address
- Account role (ranch_admin, instructor, staff, rider, parent)
- Ranch or organization association
- Password (stored in hashed, encrypted form — never in plain text)
- Timezone preference
- Date and version of Terms of Service acceptance
2.2 — Rider Profile Data. For rider accounts (including minor riders), we collect:
- Full name
- Riding level or program classification
- Parent or guardian contact email (for minor riders)
- Lesson enrollment and attendance history
- Skill ratings and assessment scores entered by instructors
- Rider achievements and milestone records
- Notes entered by instructors or ranch administrators
2.3 — Ranch Operational Data. Ranch administrators and staff may enter the following operational data:
- Lesson schedules, dates, times, and locations
- Instructor assignments
- Horse and stall information (names, health notes, assignments)
- Inventory items and quantities
- Task assignments and completion records
- Summer camp enrollment and scheduling information
- Documents uploaded to the platform
2.4 — Payment Information. When billing features are activated, payment information (credit card numbers, bank account details) is collected and processed directly by Stripe, Inc. DDDG does not store complete payment method information on its servers. DDDG may receive and store limited payment metadata from Stripe, such as: last four digits of a card, card expiration date, billing zip code, payment status, and transaction identifiers.
2.5 — Usage Data. We automatically collect certain technical and usage information when you access or use the Service, including:
- IP address and approximate geographic location
- Browser type and version
- Device type and operating system
- Pages and features accessed within the Service
- Time and date of access
- Referring URLs
- Session duration and feature interaction data
2.6 — Team Inbox Messages. For users with staff-level roles (ranch_admin, instructor, staff), we collect and store the content of internal messages sent and received through the Team Inbox feature, including: message subject, body text, sender identity, recipient role or specific recipients, message timestamps, and read/unread status. Team Inbox messages are accessible to the sender, designated recipients, and ranch administrators within the same ranch. DDDG may access message content to the extent required to provide the Service, investigate violations of these Terms, or comply with legal obligations. Team Inbox messages are not accessible to riders, parents, or volunteers.
2.7 — Workflow Configurations. When ranch administrators or instructors configure automated workflows, we collect and store: workflow rule names and descriptions, selected frequency and scheduling parameters (days of week, time of day), task definitions (title, category, priority, description), assignee role or specific person assignments, and workflow execution logs (timestamps, tasks created, status, error messages).
2.8 — Ranch Alerts. When ranch administrators create Ranch Alert Banner entries, we collect and store: alert title, body content, severity level (info/warning/critical), activation and expiration timestamps, and the identity of the creating administrator.
2.9 — AI Advisor Interaction Data. The RanchOS Guide (in-app AI advisor) analyzes ranch operational data — including task status, inventory levels, lesson schedules, and horse care records — to generate operational suggestions. The inputs and outputs of this analysis are derived from data already stored in your ranch account. We do not collect additional personal data for AI advisor purposes beyond what is described elsewhere in this Policy. AI suggestions are generated algorithmically and are not reviewed by DDDG personnel before display.
2.10 — Communications. If you contact DDDG via email or any support channel, we collect and retain the content of your communications and your contact information for the purpose of responding to your inquiry and improving our services.
How We Use Your Data
DDDG uses the data we collect for the following purposes:
3.1 — Service Operation. To provide, operate, maintain, and improve the RanchOS platform, including processing lesson schedules, displaying skill ratings, enabling rider progress tracking, and managing all platform features.
3.2 — Account Management. To create and manage your account, authenticate your identity, and enable role-based access to appropriate features.
3.3 — Billing & Payments. To process subscription payments, manage billing history, and (when activated) facilitate payments between ranches and their clients through Stripe Connect.
3.4 — Communications. To send transactional communications related to your account, including email verification, password reset, and billing notifications. We do not send marketing or promotional emails without your consent.
3.5 — Safety & Security. To detect, prevent, and address fraud, security incidents, unauthorized access, and other prohibited or illegal activities.
3.6 — Legal Compliance. To comply with applicable legal obligations, including responding to lawful requests from government authorities, and to enforce our Terms of Service.
3.7 — Platform Improvement. To analyze usage patterns and improve the functionality, usability, and performance of the Service. We use aggregated and anonymized data for product analytics and development.
DDDG does not use personal information for any purpose not described in this Privacy Policy without your prior consent, except as required by law.
Children Under 13 (COPPA)
IMPORTANT: RanchOS is not directed to children under the age of 13. DDDG does not knowingly collect personal information directly from children under the age of 13 ("children") without verifiable parental consent.
However, because RanchOS is a ranch management platform, ranch administrators may enter profile information about minor riders — including children under 13 — into the platform on behalf of the ranch. When this occurs:
- The ranch administrator is acting as the data controller for the child's information and is solely responsible for obtaining verifiable parental consent from the child's parent or legal guardian before entering any information about that child into RanchOS.
- DDDG processes the child's data solely at the direction of the ranch administrator and only to the extent necessary to provide the Service.
- Parents and legal guardians of children under 13 may contact DDDG at dataddgroup@gmail.com to: (a) review their child's personal information; (b) request correction of their child's personal information; or (c) request deletion of their child's personal information. DDDG will coordinate with the applicable ranch administrator to fulfill such requests.
- If DDDG discovers that personal information of a child under 13 has been collected or entered into the platform without appropriate parental consent, DDDG will take commercially reasonable steps to promptly delete such information.
For the Parent Portal: The Parent Portal feature allows verified parents and guardians to view their minor child's riding progress, lesson history, and skill ratings. By accessing the Parent Portal, you represent that you are the parent or legal guardian of the minor rider associated with your account and that you consent to the collection and display of your child's riding progress data as described in this Policy.
If you believe your child's personal information has been collected by RanchOS without your consent, please contact DDDG immediately at dataddgroup@gmail.com.
5.1 — Minor Data Access, Correction & Deletion Requests. Parents and legal guardians have the right to:
- Request access to their child's personal information stored in RanchOS
- Request correction of inaccurate information about their child
- Request deletion of their child's personal information (subject to the ranch's record-keeping obligations)
- Revoke consent for the collection and use of their child's data
To exercise any of these rights, contact the ranch administrator directly or email DDDG at dataddgroup@gmail.com. Requests will be processed within 30 days. Note that deleting a minor's data may affect the ranch's ability to maintain safety records and lesson history.
5.2 — Minor Data in the Rider Portal. When a minor rider has a portal account, their skill ratings, lesson history, and achievement data are accessible to: (a) the minor rider directly, (b) their linked parent or guardian via the Parent Portal, (c) their ranch administrators and instructors. This data is never shared with other riders, made publicly accessible, or used for any purpose outside of ranch operations.
California Residents (CCPA / CPRA)
If you are a resident of the State of California, you have the following rights under the California Consumer Privacy Act of 2018 ("CCPA") as amended by the California Privacy Rights Act of 2020 ("CPRA"):
6.1 — Right to Know. You have the right to request that DDDG disclose the following information regarding the personal information DDDG has collected about you in the preceding twelve (12) months: (a) the categories of personal information collected; (b) the categories of sources from which personal information was collected; (c) the business or commercial purpose for collecting personal information; (d) the categories of third parties with whom DDDG shares personal information; and (e) the specific pieces of personal information collected about you.
6.2 — Right to Delete. You have the right to request that DDDG delete personal information collected from you, subject to certain exceptions permitted under applicable law (e.g., information needed to complete a transaction, fulfill a legal obligation, or for internal uses reasonably aligned with your expectations).
6.3 — Right to Correct. You have the right to request correction of inaccurate personal information maintained by DDDG.
6.4 — Right to Opt Out of Sale or Sharing. DDDG does not sell or share personal information (as defined under the CCPA/CPRA) to third parties for cross-context behavioral advertising or any other commercial purpose. You therefore do not need to submit an opt-out request.
6.5 — Right to Limit Use of Sensitive Personal Information. DDDG does not use or disclose sensitive personal information beyond the purposes permitted under the CPRA without first obtaining your consent.
6.6 — Right to Non-Discrimination. DDDG will not discriminate against you for exercising any of your CCPA/CPRA rights, including by denying you services, charging different prices, or providing a different level or quality of service.
6.7 — Exercising Your Rights. To exercise any of the rights described in this Section, California residents may submit a request by emailing dataddgroup@gmail.com with the subject line "CCPA Rights Request." DDDG will verify your identity before processing your request and will respond within the timeframes required by applicable law (generally 45 days, with a possible 45-day extension).
6.8 — Authorized Agent. California residents may designate an authorized agent to submit CCPA requests on their behalf. The authorized agent must provide written authorization signed by the California resident. DDDG may still require you to directly verify your identity.
EU/EEA Residents (GDPR)
If you are located in the European Union ("EU") or European Economic Area ("EEA"), the following additional provisions apply to our processing of your personal data under Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR").
7.1 — Data Controller. For personal data collected directly through RanchOS account registration, Data Driven Design Group, LLC acts as the data controller. For rider data entered by ranch administrators, the applicable ranch acts as the data controller, and DDDG acts as a data processor.
7.2 — Lawful Basis for Processing. DDDG processes personal data under the following lawful bases:
- Contract (Article 6(1)(b)): Processing necessary for the performance of the subscription contract between DDDG and the account holder, including account management, service delivery, and billing.
- Legal Obligation (Article 6(1)(c)): Processing necessary to comply with applicable legal obligations, including responding to lawful requests from authorities and maintaining required financial records.
- Legitimate Interests (Article 6(1)(f)): Processing necessary for DDDG's legitimate business interests, including fraud prevention, platform security, and service improvement, where such interests are not overridden by your data protection rights.
- Consent (Article 6(1)(a)): For processing activities where we have obtained your explicit consent, such as sending marketing communications (if any).
7.3 — Your Rights Under the GDPR. You have the following rights with respect to your personal data:
- Right of Access (Article 15): You may request a copy of the personal data DDDG holds about you.
- Right to Rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
- Right to Erasure (Article 17): You may request deletion of your personal data, subject to certain exceptions (e.g., legal retention obligations).
- Right to Restriction (Article 18): You may request that DDDG restrict its processing of your personal data in certain circumstances.
- Right to Data Portability (Article 20): You may request that DDDG provide your personal data in a structured, commonly used, machine-readable format for transfer to another controller, where technically feasible.
- Right to Object (Article 21): You may object to DDDG's processing of your personal data based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
7.4 — International Data Transfers. DDDG is based in the United States. By using the Service, you acknowledge that your personal data may be transferred to and processed in the United States and other countries where our subprocessors operate. Such countries may have data protection laws that differ from those in your country. DDDG uses appropriate safeguards for international transfers, including Standard Contractual Clauses approved by the European Commission, where required.
7.5 — DPO Contact & Supervisory Authority. To exercise your GDPR rights or raise a privacy concern, contact DDDG at: dataddgroup@gmail.com. You also have the right to lodge a complaint with your local data protection supervisory authority if you believe DDDG has processed your personal data in violation of applicable law.
7.6 — Data Retention. DDDG retains personal data for as long as necessary to fulfill the purposes described in this Policy, to perform our contract with you, and to comply with legal obligations. Specific retention periods are described in Section 9 below.
Data Retention & Deletion
9.1 — Active Accounts. We retain personal information associated with active accounts for as long as the account remains active and the subscription is in force.
9.2 — Account Deletion. When an account is deleted or a subscription is terminated, DDDG will purge associated personal data from our production systems within ninety (90) calendar days of the deletion or termination date, subject to the exceptions described below.
9.3 — Data Export Window. Following cancellation or termination, ranch administrators have thirty (30) days to export their ranch's User Data. After this period, DDDG may permanently delete User Data.
9.4 — Legal & Financial Records. Certain records may be retained beyond account deletion as required by applicable law, including: (a) billing and financial transaction records (typically 7 years for U.S. tax and accounting purposes); (b) records required by legal hold or litigation; and (c) records required by applicable data protection law.
9.5 — Anonymized Data. DDDG may retain aggregated, anonymized data (from which no individual can be identified) indefinitely for product analytics and improvement purposes.
9.6 — Backup Systems. Personal data may persist in encrypted backup systems for up to 90 days following deletion from production systems. Backups are not actively accessible during normal operations and are purged on a rolling cycle.
9.7 — Requesting Deletion. To request deletion of your personal data, contact DDDG at dataddgroup@gmail.com. DDDG will respond within the timeframes required by applicable law. Note that deletion requests for rider data entered by ranch administrators must be coordinated with the applicable ranch administrator, as the ranch is the data controller for such data.
Data Security
DDDG implements commercially reasonable administrative, technical, and physical safeguards designed to protect your personal information from unauthorized access, disclosure, alteration, and destruction. These measures include:
- Encryption of data in transit using TLS/HTTPS
- Encryption of sensitive data at rest
- Hashed storage of passwords (using bcrypt or equivalent)
- Role-based access controls limiting access to personal data within DDDG
- Secure authentication infrastructure through Supabase Auth
- Regular security assessments and vulnerability monitoring
However, no method of electronic transmission or storage is 100% secure. DDDG cannot guarantee absolute security of your data. If you believe your account or data has been compromised, please contact us immediately at dataddgroup@gmail.com.
In the event of a data breach that affects your personal information, DDDG will notify you as required by applicable law, including applicable state breach notification laws and, where applicable, the GDPR (within 72 hours of discovery for GDPR-covered breaches).
Third-Party Links
The Service may contain links to third-party websites, services, or resources that are not operated by DDDG. These links are provided for your convenience only. DDDG has no control over and assumes no responsibility for the content, privacy policies, or practices of any third-party websites or services. We encourage you to review the privacy policy of any third-party website you visit.
Changes to This Privacy Policy
DDDG may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When changes are made, we will update the "Effective Date" at the top of this page. For material changes, we will provide at least thirty (30) days' advance notice via email to the ranch administrator's registered address and/or through a prominent in-app notification.
Your continued use of the Service after the effective date of any changes to this Policy constitutes your acceptance of the updated Policy. If you do not agree to the updated Policy, you must stop using the Service.
We encourage you to review this Privacy Policy periodically for the latest information on our privacy practices.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Data Driven Design Group, LLC — Privacy
Email: dataddgroup@gmail.com
Subject Line: Privacy Request — RanchOS
Website: ranchos.live
DDDG will respond to privacy-related inquiries within a reasonable timeframe and in accordance with applicable legal requirements. For GDPR requests, we aim to respond within 30 days. For CCPA requests, we aim to respond within 45 days.
Attorney Review Disclaimer: This Privacy Policy was prepared with AI assistance. Data Driven Design Group, LLC recommends review by a licensed attorney before reliance. Nothing in this Policy constitutes legal advice.