Privacy Policy

PawDash ("PawDash," "we," "us") is a software-as-a-service platform that gives independent pet-care freelancers a booking page, scheduling, and payment-routing tools. We're the company behind pawdash.app.

PawDash handles two distinct categories of personal information differently, and it's important to understand the split:

• Freelancer data - the account, profile, and business information that a Freelancer creates when they sign up for PawDash. PawDash is the data controller of this data.
• End Customer (Client) data - the information a Client enters when booking through a Freelancer's PawDash-hosted storefront (their contact info, pet details, uploaded vaccination records, booking notes, messages). The Freelancer is the data controller of this data and is responsible for having a lawful basis to process it and for providing their own privacy notice to their Clients where required. PawDash acts as a data processor on the Freelancer's behalf - we process Client data only as instructed by the Freelancer's use of the Service and as described in this policy.

If you are a Client booking with a Freelancer and have a question about your data, please contact that Freelancer first. For technical issues with our platform, you may also reach us at privacy@pawdash.app.

When you sign up and use PawDash as a Freelancer, we collect:

• Account credentials. Email address and a password (stored hashed by Supabase Auth, never in plain text).
• Profile information. Display name, bio, location, phone (optional), profile photos, banner image, accent color, and any other information you choose to publish on your Storefront.
• Business configuration. Services you offer, prices, durations, add-ons, cancellation policies, availability schedule, vaccination requirements, subscription tier and status.
• Payments connectivity. Your Stripe Connect account ID, onboarding status, and subscription/customer IDs from Stripe Billing.
• Support and communications. Messages you send to us, transactional and marketing emails we send to you, and your preferences.
• Technical data. IP address, browser/device type, timestamps, and authentication cookies necessary to keep you signed in.

When a Client books through your Storefront, you (the Freelancer) instruct PawDash to collect and store the following on your behalf:

• Client contact info. Name, email, phone (optional).
• Pet information. Name, type, breed, age, weight, vaccination status, allergies, medications, vet contact, emergency contact.
• Property notes for overnight/boarding services (gate codes, key location, etc.).
• Vaccination records uploaded as files when you require them for a service (stored in Supabase Storage).
• Booking record. Service selected, date/time, add-ons, tip amount, status changes.
• Conversation thread. Messages exchanged between you and the Client through the per-booking thread.
• Payment metadata. Stripe payment intent ID, amount, status. Card details are never seen or stored by PawDash - Stripe handles them directly.

We process this data only as needed to operate the Service for you and as documented in this policy and the PawDash Terms. We do not use Client data for our own purposes, do not sell it, and do not use it to train any AI models. On request, we will enter into a Data Processing Addendum ("DPA") with you covering GDPR/UK processing terms - email privacy@pawdash.app.

For Freelancer data (controller), we use the information to:

• Operate your Account and provide the Service;
• Route payments, calculate Platform Fees, and bill your Subscription;
• Send transactional emails about your account, bookings, cancellations, payouts, and service updates;
• Send marketing emails only with your consent, which you may withdraw at any time;
• Detect, prevent, and investigate fraud, abuse, and policy violations;
• Comply with law, respond to lawful requests, enforce our Terms;
• Improve and secure the Service.

For Client data (processor), we use the information only as instructed by the Freelancer's use of the Service:

• Show the Freelancer the Booking and pet details;
• Send the Client a booking confirmation, reminders, and other Booking-related emails;
• Provide the Client a thread to message the Freelancer;
• Provide the Freelancer with access to vaccination records the Client uploaded;
• Pass payment metadata between Stripe and the Freelancer's dashboard.

Where GDPR applies, the legal bases on which PawDash relies are:

• Contract performance (Art. 6(1)(b)) - to deliver the Service to Freelancers and execute Bookings;
• Legitimate interests (Art. 6(1)(f)) - to secure the Service, prevent fraud, improve and develop new features, and process aggregated/anonymized analytics;
• Legal obligation (Art. 6(1)(c)) - to comply with tax, accounting, and law-enforcement requests;
• Consent (Art. 6(1)(a)) - for marketing emails and for any non-essential cookies (we currently use only essential auth cookies);

For Client data we process on a Freelancer's behalf, the Freelancer is responsible for identifying and recording the appropriate legal basis for collecting that data from their Client.

We do not sell personal information. We share information only as needed to operate the Service:

• Between you and your Clients. When a Client books with you, their information (and the pet details they entered) appears in your dashboard so you can serve them. Likewise, your Storefront information is shown to the Client.
• Sub-processors we rely on (each listed below in Section 7).
• Professional advisers - accountants, auditors, lawyers, bankers, and insurers under confidentiality obligations, only as needed.
• Law and safety. We may disclose information when required by law, valid legal process, or to protect the rights, property, or safety of PawDash, our users, or the public.
• Corporate transactions. If PawDash is involved in a merger, acquisition, financing, or sale of assets, personal information may transfer as part of that transaction; you'll be notified if your data becomes subject to a different privacy policy.

We rely on the following sub-processors to deliver the Service:

• Supabase (Postgres database, authentication, object storage) - hosted in the United States. Privacy policy.
• Stripe (payments via Stripe Connect, subscription billing) - global, PCI-DSS Level 1. Privacy policy. Stripe processes card data directly; PawDash does not see or store full card numbers. For payment-related privacy questions, please consult Stripe's policy.
• Resend (transactional and automation emails). Privacy policy.
• Vercel (application hosting, edge network, request logs). Privacy policy.

We update this list when we add or change sub-processors. By continuing to use the Service after a sub-processor change you agree to the change; if you object, your remedy is to terminate the Service.

PawDash is operated from the United States. Information you give us is processed in the U.S. If you use the Service from outside the U.S., your information is transferred to and stored in the U.S., where data-protection laws may differ from those in your country.

For EEA, UK, and Swiss users, we rely on European Commission Standard Contractual Clauses and (where applicable) the UK International Data Transfer Addendum or Swiss equivalent to provide appropriate safeguards for transfers.

We retain Account, Profile, and Booking records for as long as your Account is active and for a reasonable period afterward to comply with tax, accounting, audit, and legal obligations (typically up to 12 months for active data and up to 7 years for financial records, depending on jurisdiction). You can request deletion of your Account at any time (see your rights below); we will delete or anonymize personal data unless retention is required by law.

For Client data PawDash processes on a Freelancer's behalf, the Freelancer determines the retention period through how they use the Service (e.g., deleting bookings, archiving an Account). When a Freelancer's Account is deleted, the associated Client data is deleted or anonymized per the same schedule.

PawDash uses only cookies that are strictly necessary to operate the Service - primarily Supabase Auth cookies that keep you signed in. We do not use advertising cookies, do not fingerprint your device, and do not embed third-party analytics, ad, or social-network trackers. We do not currently require a cookie consent banner because no non-essential cookies are set; we will add one if we ever introduce non-essential tracking.

We protect personal information with industry-standard measures, including:

• TLS encryption for all traffic in transit;
• Encryption at rest via Supabase (Postgres) and Stripe infrastructure;
• Row-level security policies in Postgres scoping each user's data;
• Principle-of-least-privilege access controls and audit logs on production data;
• Payment data handled entirely by Stripe (PCI-DSS Level 1).

No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you in accordance with applicable law.

Depending on where you live, you may have rights under GDPR, UK GDPR, CCPA/CPRA, or similar laws, including the right to:

• Access the personal information we hold about you;
• Correct inaccurate information;
• Delete your account and associated data;
• Export your data in a portable format;
• Object to or restrict certain processing (where the legal basis is legitimate interests);
• Withdraw consent at any time (where the legal basis is consent);
• Opt out of marketing emails - every marketing email has an unsubscribe link. Transactional emails about active bookings cannot be opted out of without ending the Service.

California residents have additional rights under the CCPA/CPRA, including the right to know what categories of personal information are collected and the right to non-discrimination for exercising these rights. PawDash does not "sell" or "share" personal information as those terms are defined under the CCPA.

To exercise any of these rights, email privacy@pawdash.app from the address associated with your Account. If your data is held by PawDash as a processor on a Freelancer's behalf (i.e., you are a Client of a Freelancer), please contact the Freelancer first; we will assist them in responding.

PawDash does not make automated decisions with legal or similarly significant effects on you. Our automations (review request emails, rebook nudges, appointment reminders) are informational only.

The Service is intended for users 18 and older. We do not knowingly collect personal information from children under 18. If you believe a child has provided information to us, please contact us and we will delete it.

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. We will provide notice of material changes through the Service or by email to your account address.

Privacy questions or requests: privacy@pawdash.app. For legal notices: legal@pawdash.app.