Privacy Policy
Last updated: March 27, 2026
1. Data Controller
Viktoriia Valietova, sole proprietor operating under the trade name PawsN'Surf, NIF 310768918, with professional premises at Rua General Taborda 7, 1070-138 Lisboa, Portugal, is the controller of your personal data processed through the websites pawsnsurf.com and academy.pawsnsurf.com and related services.
For any questions regarding this Privacy Policy or your data, contact us at care@pawsnsurf.com.
2. Personal Data We Collect
We collect and process the following categories of personal data:
2.1 Data you provide directly
- Identity data: full name.
- Contact data: email address, telephone number.
- Account data: login credentials (email/password or Google OAuth provider identifiers).
- Pet data: pet name, breed, size, date of birth, and grooming notes (which may include health-related observations such as skin conditions, allergies, or behavioral notes).
- Booking data: appointment dates, times, services selected, groomer assigned, and booking status.
- Payment data: transaction amounts and payment references. We do not store full credit card numbers - all card processing is handled by Stripe.
- Academy data: course enrollments, lesson progress, video watch position, quiz responses, certificates earned, and content language preference.
- Communication data: content of messages sent to us via email or contact forms.
2.2 Data collected automatically
- Technical data: IP address, browser type, device type, operating system, and access timestamps collected through server logs.
- Analytics data: page views, navigation patterns, and interaction events collected via Google Analytics (see Section 8 on Cookies).
- Language preference: your preferred language, detected from browser settings or chosen explicitly, stored in a cookie.
3. Purposes and Legal Basis
We process your personal data for the following purposes:
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Managing bookings and providing grooming services | Contract (Art. 6(1)(b)) |
| Delivering purchased course content and tracking progress | Contract (Art. 6(1)(b)) |
| Issuing certificates of course completion | Contract (Art. 6(1)(b)) |
| Creating and managing your user account | Contract (Art. 6(1)(b)) |
| Sending booking confirmations and reminders (email, WhatsApp) | Contract (Art. 6(1)(b)) |
| Sending academy notifications (enrollment, completion, certificates) | Contract (Art. 6(1)(b)) |
| Browser push notifications about appointments | Consent (Art. 6(1)(a)) |
| Website analytics (Google Analytics) | Consent (Art. 6(1)(a)) |
| Responding to inquiries and support requests | Legitimate interest (Art. 6(1)(f)) |
| Improving our website and services | Legitimate interest (Art. 6(1)(f)) |
| Compliance with legal obligations (tax, accounting) | Legal obligation (Art. 6(1)(c)) |
4. Pet Health-Related Data
Grooming notes about your pet may include observations about skin conditions, allergies, coat health, or behavioral notes. While this data relates to your animal (not you personally), we treat it with the same care as personal data. This information is:
- Collected solely to provide safe and appropriate grooming services.
- Visible only to PawsN'Surf staff assigned to your pet's grooming.
- Never shared with third parties except where required by law.
- Deletable upon request (see Section 10 on Your Rights).
5. Data Sharing and Processors
We share your personal data with the following service providers, all bound by data processing agreements:
| Processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (Frankfurt) |
| Stripe Inc. | Payment processing for course purchases | USA/EU |
| Vercel Inc. | Website hosting and content delivery | USA/Global |
| Resend Inc. | Transactional email delivery | USA |
| WaSender | WhatsApp message delivery (booking notifications) | USA |
| Bunny CDN (BunnyWay d.o.o.) | Video streaming for course lessons | EU (Slovenia) |
| Google LLC | OAuth authentication, website analytics | USA |
We do not sell your personal data. We may also share data with professional advisors (accountants, lawyers) and public authorities (tax/regulatory bodies) where required by law.
6. International Transfers
Some of our processors (Vercel, Resend, Stripe, WaSender, Google) are based in or process data in the United States. Where personal data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission or reliance on the EU-U.S. Data Privacy Framework.
7. Data Retention
- Account data: retained for as long as your account is active. Upon account deletion, data is erased within 30 days.
- Booking records: retained for 5 years after the last appointment for tax and legal compliance.
- Academy data: course enrollment, progress, and certificates are retained for as long as your account is active. Certificates are retained indefinitely for verification purposes.
- Payment records: retained for 10 years as required by Portuguese tax law.
- Communication data: retained for 2 years from the date of the last interaction.
- WhatsApp message logs: booking-related message metadata (phone number, message type, delivery status) retained for 1 year.
- Technical/analytics logs: retained for a maximum of 14 months (Google Analytics default).
- Push notification subscriptions: retained until you unsubscribe or revoke browser permission.
8. Cookies and Tracking
8.1 Essential Cookies
These cookies are necessary for the Website to function and cannot be disabled:
- Authentication cookies (sb-*): maintain your login session. Set by Supabase.
- Language preference (locale): stores your chosen language. Duration: 1 year.
8.2 Analytics Cookies
With your consent, we use Google Analytics 4 (measurement ID: G-WCZ27SBM8B) to understand how visitors interact with the Website. Google Analytics uses cookies to collect anonymized data about page views, navigation patterns, and device information. This data helps us improve the Website.
Analytics cookies are only loaded after you provide consent via our cookie consent banner. You can withdraw consent at any time by clearing your cookies or using the cookie settings on the Website.
For more information, see Google's Privacy Policy.
8.3 Local Storage
We use browser local storage (not cookies) for:
- Shopping cart: stores your academy course cart items locally on your device.
- UI preferences: stores whether you have dismissed the push notification or app install prompts.
Local storage data never leaves your device and is not transmitted to our servers.
9. Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS) for all data transmission.
- Encryption at rest for database storage.
- Secure authentication with hashed passwords and optional OAuth.
- Row-level security policies ensuring users can only access their own data.
- Role-based access controls for staff and administrators.
- Content Security Policy (CSP) headers to prevent cross-site scripting.
10. Your Rights
Under the GDPR, you have the following rights:
- Access - obtain a copy of the personal data we hold about you.
- Rectification - request correction of inaccurate or incomplete data.
- Erasure - request deletion of your data ("right to be forgotten"). Note: we may retain certain data where required by law (e.g., tax records).
- Restriction - request limitation of processing in certain circumstances.
- Data portability - receive your data in a structured, machine-readable format.
- Objection - object to processing based on legitimate interests.
- Withdraw consent - where processing is based on consent (e.g., analytics cookies, push notifications), you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at care@pawsnsurf.com. We will respond within 30 days. If the request is complex, we may extend this by an additional 60 days with prior notice.
11. Children
Our services are not directed at individuals under 13 years of age. We do not knowingly collect personal data from children under 13. Users between 13 and 18 must have the consent of a parent or legal guardian. If you believe we have collected data from a child under 13, please contact us immediately and we will delete it.
12. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Portuguese Data Protection Authority (Comissao Nacional de Protecao de Dados - CNPD) at www.cnpd.pt.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The updated version will be posted on this page with a revised "Last updated" date. For material changes, we will make reasonable efforts to notify registered users by email.
14. Contact
For any privacy-related questions or to exercise your rights:
- Viktoriia Valietova (trading as PawsN'Surf)
- NIF: 310768918
- Rua General Taborda 7, 1070-138 Lisboa, Portugal
- Email: care@pawsnsurf.com
- Phone: +351 969 668 496