EN CA ES

Privacy Policy

Effective 2026-04-27.

1. Who we are

Paws Residence ("we", "us") operates the Paws Residence software-as-a-service ("the Service"). For data we collect to run the Service itself (your account, billing) we are the data controller. For data your customers provide to your pet residence which we store on your behalf (their pets, bookings, contact details) we are the data processor and your residence is the controller.

Contact for privacy queries: privacy@pawsresidence.com.

2. What data we collect

2.1 Operator account data (we are the controller)

  • Email address (for sign-in and notifications)
  • Name and role (admin / worker)
  • Sign-in timestamps and IP addresses (for security)
  • Browser session cookies (essential — no consent required)

2.2 Tenant content (we are the processor)

Whatever your residence enters into the application:

  • Customer contact details (name, phone, email, address, NIF)
  • Pet records (names, breed, medical notes, food)
  • Booking details (dates, services, prices, payments)
  • Internal observations entered by your staff

3. Why we process this data

  • Contract performance — running the Service for you (Article 6(1)(b) GDPR).
  • Legitimate interest — fraud prevention, audit logging, security monitoring (Article 6(1)(f)).
  • Legal obligation — invoicing records, accounting law (Article 6(1)(c)).

4. Sub-processors

We share specific data with the following sub-processors, all under written agreements:

  • Hetzner Cloud GmbH (Germany / Finland) — server hosting + database storage
  • Resend, Inc. (United States) — outbound transactional email (your email address + email content)
  • Functional Software, Inc. dba Sentry (United States) — error tracking (request URL, user identifier, stack traces; sensitive fields scrubbed before sending)
  • Healthchecks.io / SIA Monkey See Monkey Do (Latvia) — uptime monitoring (no customer data)
  • Wow Mountain SRL dba UptimeRobot (Romania) — uptime monitoring (no customer data)
  • GitLab Inc. (United States) — source code, container registry, CI (no customer data)

US-based sub-processors are bound by Standard Contractual Clauses (SCCs) and the EU–US Data Privacy Framework where applicable. We will notify you in advance of any change to this list.

5. Retention

  • Operator accounts: kept while the account is active; deleted within 30 days of account closure.
  • Tenant content: kept while your subscription is active; deleted within 90 days of subscription end (after a grace period for export).
  • Backups: 30-day rolling retention.
  • Audit + sign-in logs: 12 months.
  • Invoices: 7 years (Spanish accounting law).

6. Your rights (GDPR)

You can ask us to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data ("right to be forgotten")
  • Restrict or object to processing
  • Port your data to another provider in machine-readable form

Exercise any of these by emailing privacy@pawsresidence.com. We respond within 30 days. You also have the right to complain to the Spanish data-protection authority (AEPD, aepd.es).

7. Security

  • HTTPS-only; no plaintext data in transit
  • Database access restricted to the application server, no public network exposure
  • Passwords stored bcrypt-hashed; magic-link tokens 15-minute expiry, single-use
  • Server-side error tracking with sensitive-field scrubbing
  • Encrypted off-site backups, weekly restore drill

8. Cookies

We use only essential session cookies required for sign-in and CSRF protection. We do not use analytics or advertising cookies. No cookie banner is required under EU law for essential cookies.

9. Children

The Service is not directed at children under 16 and we do not knowingly collect their data.

10. Changes

We will update this page when the policy changes; the "effective" date above tracks the most recent revision. Material changes are notified to operators by email.

11. Contact

Paws Residence
[Registered office address — TBD]
Privacy: privacy@pawsresidence.com
General: support@pawsresidence.com