Privacy Policy — Pet Vibe
Last updated: 2026-05-31 (v1 draft — reviewed by Claude; AK + legal counsel finalize before public launch.)
This Policy describes what personal data Pet Vibe collects, why, and how to exercise your GDPR rights.
Controller
Pet Vibe (operating entity TBD; AK fills before launch). Contact: privacy@pet.brave-robots.com.
Data we collect
| Category | Purpose | Retention |
|---|---|---|
| Email, name, locale | Account identity | Life of account + 30 days |
| Password hash (bcrypt) | Authentication | Life of account |
| Shop business info (name, address, tax ID) | Verification, account use | Life of account + 30 days |
| Verification documents (PDF / image, ≤10 MB each, ≤5 per shop) | Tier 2 review | 24 months after Tier 2 decision |
| Server logs (IP, user-agent, request path, status) | Security, debugging | 30 days |
Audit trail (ShopAuditLog, UserAuditLog) | Security, compliance | 24 months |
Why we process it
| Purpose | Lawful basis (GDPR Art 6) |
|---|---|
| Run your account, deliver the service | Contract |
| Verification (Tier 2) | Contract + legitimate interest |
| Security monitoring + rate-limiting | Legitimate interest |
| Marketing emails about the service | Consent (you can opt out) |
Cookies
We use only essential cookies:
web_app_demo_refresh— your refresh-token reference (HttpOnly, Secure, SameSite=None, Path=/, TTL 30 days).cookie_notice_acked_v1(localStorage, not a cookie) — your dismissal of the cookie banner.
No tracking cookies. No third-party analytics in v1.
Third parties
| Vendor | Purpose | Data shared | Region |
|---|---|---|---|
| Resend (resend.com) | Transactional email | Email + display name | EU + US |
| Hetzner (host) | Hosting + backups | Everything stored on the server | Germany / Finland |
We do not sell personal data.
Your rights (GDPR Art 12–22)
- Access — request a copy of your data: email privacy@pet.brave-robots.com.
- Rectification — edit in cabinet, or email us.
- Erasure — in v1, email privacy@pet.brave-robots.com; admin processes the request within 30 days (spec § 8.8 — self-service erasure is v1.1).
- Restriction / objection — email us.
- Portability — request export at privacy@pet.brave-robots.com (admin-handled in v1; endpoint stub
POST /api/me/export-datareturns 501 today). - Lodge a complaint with your local supervisory authority.
International transfers
Data is stored in the EU (Hetzner Finland + secondary German box). Resend processes email in EU + US under Standard Contractual Clauses.
Children
Pet Vibe is a B2B service. Not directed at minors. Accounts confirming under 18 are removed.
Security
- HTTPS-only (HSTS, preload-eligible).
- bcrypt password hashing (cost ≥ 10 in production).
- Defense-in-depth headers (spec § 8.7).
- Nightly encrypted backups to a second Hetzner box.
- Audit trail for sensitive actions.
Changes
We may update this Policy. Material changes will be communicated by email at least 14 days before they take effect.