Privacy Policy

1. Who we are

MyNamedHorse ("we", "us") is operated by Luke Wilkinson, a sole trader based in the United Kingdom. For the purposes of UK GDPR and the Data Protection Act 2018, Luke Wilkinson is the data controller for any personal data processed through the Service.

You can contact us about anything in this Privacy Policy by emailing luke.fluxr@gmail.com.

2. What data we collect

We only collect the data we need to operate the Service. Specifically:

When you sign up:

• Your email address, which we use as your login identifier
• A password, which we never see in plain text — it is hashed and stored by our authentication provider (Supabase)
• The fact that you confirmed you were 18 or older at the time of sign-up

When you use the Service:

• The keywords you add to your account
• Any pre-filled stake amount or each-way preference you set against a keyword (stored as a preference only — we never use it to place a bet)
• A record of which horse names have matched one of your keywords on which race date

When you enable notifications:

• A push notification subscription for your device (a URL endpoint and cryptographic keys issued by your browser's push service)
• The User-Agent string of the browser you enabled notifications in, so we can help you identify which devices you have notifications enabled on

When you sign in or use an authenticated page:

• A session cookie issued by our authentication provider, so we know you're logged in
• Your IP address, logged by our hosting provider (Vercel) for security and abuse prevention

We do not use any third-party analytics, advertising, or behavioural tracking on the Service. We do not load Google Analytics, Meta Pixel, or similar.

3. What data we do NOT collect

For the avoidance of doubt, MyNamedHorse does not collect or store:

• your real name
• your home address
• your date of birth
• your phone number
• any bank account, debit card, or credit card details
• any bet you place with a third-party operator (we never see your stakes, results, balances, or account information at Betfair, Bet365, or any other operator)
• your location beyond what your IP address implies

4. How we use your data

We use your data only for the following purposes:

• Providing the Service to you. Matching your keywords against today's declared runners; showing you your matches; letting you manage your keywords and preferences; signing you in securely.
• Sending notifications you asked for. If you enable push notifications, we send a notification at around 9am UK time on days when a horse matching one of your keywords is running.
• Keeping the Service secure. Blocking abuse, preventing fraud, responding to security incidents.
• Communicating with you. Responding to your questions if you email us.

We do not profile you, we do not use your data for advertising, we do not sell or rent your data, and we do not share it with advertisers.

5. Legal basis for processing (UK GDPR)

Under UK GDPR, we rely on the following legal bases:

• Contract (Article 6(1)(b)): processing that is necessary to provide the Service to you under the Terms of Service you agreed to when signing up — this covers your email, password, keywords, and match history.
• Legitimate interests (Article 6(1)(f)): processing that is necessary for our legitimate interests in keeping the Service secure and preventing abuse, balanced against your rights — this covers IP address logging and basic device/User-Agent information for push subscriptions.
• Consent (Article 6(1)(a)): processing that depends on an opt-in choice — this covers push notifications. You can withdraw consent at any time by turning notifications off in the app or in your device settings.

6. Who we share your data with

We share your data only with the service providers strictly necessary to operate the Service:

• Supabase ( supabase.com) — our database and authentication provider. Hosts your account, keywords, match history, and push subscriptions in a European region (eu-west-2, London). Subject to Supabase's own privacy policy and UK GDPR obligations.
• Vercel ( vercel.com) — our application hosting provider. Serves the Service to you and logs request metadata (including IP address) for security. Subject to Vercel's own privacy policy.
• The Racing API (theracingapi.com) — our source of horse racing declaration data. We send API requests to The Racing API to pull each day's runners; we do not share any of your personal data with them. They do not know who you are.

We do not share your data with any third-party betting operator. When you tap a "Place bet" link in the Service, you are redirected to that operator's own website or app. They see normal browser and network information because you are visiting them directly, but they do not receive any data from your MyNamedHorse account. Their privacy policy applies to anything you do on their site.

We may disclose your data if required to do so by law, by a court order, or by a regulatory authority — but we will resist overbroad requests and tell you unless legally prohibited from doing so.

7. International transfers

We host your data in the European region (Supabase eu-west-2, London). If any of our service providers transfer your data outside the UK or EEA — for example, Vercel may route requests through non-EU edge locations — those transfers are protected by appropriate safeguards such as the UK International Data Transfer Addendum and the EU Standard Contractual Clauses.

8. How long we keep your data

We keep your data only for as long as we need it:

• Account email, password, keywords, match history, push subscriptions: kept until you delete your account, or until you ask us to delete them, whichever comes first.
• Server access logs (including IP address): kept by Vercel for a short period (typically 30 days) for security purposes, then deleted automatically.
• Backups: our database backups may retain deleted data for up to 30 days after account deletion before being overwritten in the normal course of backup rotation.

9. Your rights

Under UK GDPR, you have the right to:

• Be informed about how we use your data — this Policy is how we do that
• Access the personal data we hold about you
• Rectification — ask us to correct inaccurate data
• Erasure — ask us to delete your data (the "right to be forgotten"), subject to some limited exceptions
• Restrict processing in certain circumstances
• Data portability — ask us to provide your data in a structured, machine-readable format
• Object to processing based on legitimate interests
• Withdraw consent for any processing based on consent (e.g. push notifications)

To exercise any of these rights, email us at luke.fluxr@gmail.com. We will respond within one month.

You also have the right to lodge a complaint with the UK's data protection regulator, the Information Commissioner's Office (ICO), at ico.org.uk. We'd appreciate the chance to address any concerns directly before you do so.

10. Cookies

The only cookies the Service uses are essential session cookies set by our authentication provider (Supabase) to remember that you are logged in. We do not use tracking cookies, analytics cookies, or advertising cookies, so there is no cookie consent banner — none is legally required for strictly necessary cookies.

11. Children

The Service is for users aged 18 and over only. We do not knowingly collect personal data from anyone under 18. If you believe a child has created an account with us, please email luke.fluxr@gmail.com and we will delete the account and any associated data.

12. Changes to this Policy

We may update this Privacy Policy from time to time. When we make a material change, we will update the effective date below and, for significant changes, notify you by email or in the app before the change takes effect.

13. Contact

Questions, data requests, or complaints? Email luke.fluxr@gmail.com.

Effective date: 11 April 2026.