EquiShoots
CompetitionsPhotographersAbout Us
Sign In
Home

GDPR Compliant

In accordance with EU Regulation 2016/679 & Swedish IMY guidelines

Privacy Policy

Last updated: February 5, 2026

1. Data Controller

NHC Ventures AB (Org. nr: 559455-4262) is the data controller for all personal data processed through the EquiShoots platform ("the Service").

Contact: oscar@equishoots.com

2. What Data We Collect

Photographers (account holders)

Name, email, business information (F-skatt/org.nr), payout details, uploaded photos and EXIF metadata.

Buyers (guest checkout)

Name and email address provided at purchase. No account creation required.

Riders depicted in photos

Photos may contain identifiable individuals. We process this data based on the photographer's legitimate interest (GDPR Art. 6(1)(f)) with additional safeguards for minors.

3. Legal Basis for Processing

  • Contract performance (Art. 6(1)(b)) - processing photographer accounts and purchases.
  • Legitimate interest (Art. 6(1)(f)) - displaying competition photos for the equestrian community.
  • Consent (Art. 6(1)(a)) - for minors' photos and optional marketing communications.
  • Legal obligation (Art. 6(1)(c)) - tax and bookkeeping requirements under Swedish law.

4. Protection of Minors

In accordance with GDPR Art. 8, Swedish supplementary provisions and the Swedish Sports Confederation's guidelines for image handling:

  • For children under 16, consent from a guardian is recommended for more extensive publication or commercial use.
  • If a guardian wants an image of a child removed, a deletion request can be submitted via our deletion page.

5. Your Rights

  • Right of access (Art. 15) - request a copy of your personal data.
  • Right to rectification (Art. 16) - correct inaccurate data.
  • Right to erasure (Art. 17) - request deletion of photos or personal data.
  • Right to restriction (Art. 18) - restrict processing in certain circumstances.
  • Right to data portability (Art. 20) - receive data in a structured format.
  • Right to object (Art. 21) - object to processing based on legitimate interest.

To exercise any of these rights, contact us at oscar@equishoots.com or use the Request Deletion page. We will respond within 30 days.

6. ID Verification for Rights Requests

To protect our users' privacy, NHC Ventures AB may require proof of identity (e.g. photo ID) before erasure or data access requests are carried out. This only occurs when reasonable doubt exists regarding the applicant's identity, in accordance with IMY's guidance on proportionality in identification (GDPR Art. 12.6).

  • ID documents are uploaded via encrypted channel (HTTPS/TLS) and stored in an isolated environment.
  • Verification is performed manually by authorized personnel.
  • ID documents and associated metadata are permanently deleted within 72 hours after verification is complete.
  • Only a receipt that verification was performed (without PII data) is retained in the log.

7. Data Storage & Security

All data is processed within the EU/EEA. Photos are stored with encrypted-at-rest object storage. Original (unwatermarked) photos are never publicly accessible and are only delivered via time-limited signed URLs after purchase.

8. Cookies and Local Storage

We only use essential cookies and local storage for authentication:

  • es_session - HttpOnly session cookie for server authentication.
  • es_auth - localStorage with 12-hour TTL for client authentication.

No third-party tracking cookies are used.

9. Retention Periods

  • Financial data and DAC7 data: 10 years (Bookkeeping Act and Swedish Tax Agency requirements).
  • ID documents for rights requests: Deleted within 72 hours after verification is complete.
  • Photographer accounts: Retained as long as the account is active. Deleted on request.
  • Photos: Retained as long as the photographer's account is active. The photographer controls removal of their own content.
  • Purchase data: Retained for 10 years per the Bookkeeping Act.
  • Session cookies: Removed on logout or after 12 hours.

10. Sub-processors

We use the following services to operate the platform:

  • Stripe (Stripe, Inc.) - Payment processing. Data is processed in the EU.
  • Resend (Resend, Inc.) - Email delivery. Data is processed in the EU (eu-west-1).
  • Supabase (Supabase, Inc. / AWS) - Database and file storage. Data is processed in the EU.
  • Vercel (Vercel, Inc.) - Web hosting and serverless functions. EU nodes are used.

11. Supervisory Authority

If you believe your data has been processed unlawfully, you have the right to file a complaint with the Swedish Authority for Privacy Protection: Integritetsskyddsmyndigheten (IMY).

EquiShoots

All your competition photos, gathered in one place.

info@equishoots.com

For Riders

  • Competitions

For Photographers

  • How It Works
  • Sign In

Company

  • About Us
  • Contact
  • Privacy & GDPR
  • Request Deletion

© 2026 NHC Ventures AB

Responsible editor: Oscar Pettersson