Privacy Policy — Petadd

Last updated: 2026-05-31

This Policy describes what personal data Petadd collects, why, and how to exercise your GDPR rights.

Controller

Petadd. Contact: privacy@pet.brave-robots.com.

Data we collect

CategoryPurposeRetention
Email, name, localeAccount identityLife of account + 30 days
Password hash (bcrypt)AuthenticationLife of account
Shop business info (name, address, tax ID)Verification, account useLife of account + 30 days
Verification documents (PDF / image, ≤10 MB each, ≤5 per shop)Tier 2 review24 months after Tier 2 decision
Server logs (IP, user-agent, request path, status)Security, debugging30 days
Audit trail for sensitive account and shop actionsSecurity, compliance24 months

Why we process it

PurposeLawful basis (GDPR Art 6)
Run your account, deliver the serviceContract
Verification (Tier 2)Contract + legitimate interest
Security monitoring + rate-limitingLegitimate interest
Marketing emails about the serviceConsent (you can opt out)

Cookies

We use only essential cookies:

  • web_app_demo_refresh — your refresh-token reference (HttpOnly, Secure, SameSite=None, Path=/, TTL 30 days).
  • cookie_notice_acked_v1 (localStorage, not a cookie) — your dismissal of the cookie banner.

No tracking cookies. No third-party analytics in v1.

Third parties

VendorPurposeData sharedRegion
Resend (resend.com)Transactional emailEmail + display nameEU + US
Hetzner (host)Hosting + backupsEverything stored on the serverGermany / Finland

We do not sell personal data.

Your rights (GDPR Art 12–22)

  • Access — request a copy of your data: email privacy@pet.brave-robots.com.
  • Rectification — edit in cabinet, or email us.
  • Erasure — close your account yourself under Settings → Account → Danger zone. We erase your personal data (email, name) and revoke your sessions; order and review history is anonymized and retained. You can also email privacy@pet.brave-robots.com.
  • Restriction / objection — email us.
  • Portability — download a machine-readable copy of your data any time under Settings → Account → Your data. You can also request it at privacy@pet.brave-robots.com.
  • Lodge a complaint with your local supervisory authority.

International transfers

Data is stored in the EU (Hetzner Finland + secondary German box). Resend processes email in EU + US under Standard Contractual Clauses.

Children

Petadd is a B2B service. Not directed at minors. Accounts confirming under 18 are removed.

Security

  • HTTPS-only (HSTS, preload-eligible).
  • bcrypt password hashing (cost ≥ 10 in production).
  • Defense-in-depth security headers.
  • Nightly encrypted backups to a second Hetzner box.
  • Audit trail for sensitive actions.

Changes

We may update this Policy. Material changes will be communicated by email at least 14 days before they take effect.