Privacy Policy — Pet Vibe
Last updated: 2026-05-31 (v1 draft — reviewed by Claude; AK + legal counsel finalize before public launch.)
This Policy describes what personal data Pet Vibe collects, why, and how to exercise your GDPR rights.
Controller
Pet Vibe (operating entity TBD; AK fills before launch). Contact: privacy@pet.brave-robots.com.
Data we collect
| Category | Purpose | Retention |
|---|---|---|
| Email, name, locale | Account identity | Life of account + 30 days |
| Password hash (bcrypt) | Authentication | Life of account |
| Shop business info (name, address, tax ID) | Verification, account use | Life of account + 30 days |
| Verification documents (PDF / image, ≤10 MB each, ≤5 per shop) | Tier 2 review | 24 months after Tier 2 decision |
| Server logs (IP, user-agent, request path, status) | Security, debugging | 30 days |
Audit trail (ShopAuditLog, UserAuditLog) | Security, compliance | 24 months |
Why we process it
| Purpose | Lawful basis (GDPR Art 6) |
|---|---|
| Run your account, deliver the service | Contract |
| Verification (Tier 2) | Contract + legitimate interest |
| Security monitoring + rate-limiting | Legitimate interest |
| Marketing emails about the service | Consent (you can opt out) |
Cookies
We use only essential cookies:
web_app_demo_refresh— your refresh-token reference (HttpOnly, Secure, SameSite=None, Path=/, TTL 30 days).cookie_notice_acked_v1(localStorage, not a cookie) — your dismissal of the cookie banner.
No tracking cookies. No third-party analytics in v1.
Third parties
| Vendor | Purpose | Data shared | Region |
|---|---|---|---|
| Resend (resend.com) | Transactional email | Email + display name | EU + US |
| Hetzner (host) | Hosting + backups | Everything stored on the server | Germany / Finland |
We do not sell personal data.
Your rights (GDPR Art 12–22)
- Access — request a copy of your data: email privacy@pet.brave-robots.com.
- Rectification — edit in cabinet, or email us.
- Erasure — close your account yourself under Settings → Account → Danger zone. We erase your personal data (email, name) and revoke your sessions; order and review history is anonymized and retained. You can also email privacy@pet.brave-robots.com.
- Restriction / objection — email us.
- Portability — download a machine-readable copy of your data any time under Settings → Account → Your data. You can also request it at privacy@pet.brave-robots.com.
- Lodge a complaint with your local supervisory authority.
International transfers
Data is stored in the EU (Hetzner Finland + secondary German box). Resend processes email in EU + US under Standard Contractual Clauses.
Children
Pet Vibe is a B2B service. Not directed at minors. Accounts confirming under 18 are removed.
Security
- HTTPS-only (HSTS, preload-eligible).
- bcrypt password hashing (cost ≥ 10 in production).
- Defense-in-depth headers (spec § 8.7).
- Nightly encrypted backups to a second Hetzner box.
- Audit trail for sensitive actions.
Changes
We may update this Policy. Material changes will be communicated by email at least 14 days before they take effect.