🐾
PawGroom
Sign InGet Started

Privacy Policy

Last updated: November 4, 2025

1. Data Controller and Contact Information

This privacy policy applies to PawGroom, a digital platform operated by Grove OÜ, a company based in Estonia. Under the General Data Protection Regulation (GDPR), we act as the data controller for your personal information.

Data Controller: Grove OÜ
Address: Männimäe/1, Pudisoo küla, Kuusalu vald, Harju maakond, 74626, Estonia
Email: [email protected]
Business Registration: 17348977

2. Legal Basis and Information We Collect

2.1 Personal Data We Collect

We collect and process the following categories of personal data, always based on a lawful basis under GDPR:

Account and Profile Information:

  • Personal identifiers (name, email address, phone number)
  • Account credentials and preferences
  • Professional information (for groomers: business details, certifications)

Legal Basis: Contract performance (Art. 6(1)(b) GDPR)

Pet and Service Information:

  • Pet details (name, breed, age, weight, special requirements)
  • Pet photographs (when uploaded voluntarily)
  • Service history and appointment records
  • Reviews and ratings

Legal Basis: Contract performance (Art. 6(1)(b) GDPR)

Payment and Transaction Data:

  • Payment information (processed securely by Stripe - PCI DSS compliant)
  • Transaction history and receipts
  • Billing addresses

Legal Basis: Contract performance (Art. 6(1)(b) GDPR) and Legal obligation (Art. 6(1)(c) GDPR) for tax records

Location and Technical Data:

  • Location data (only when searching for nearby groomers, with your consent)
  • Device information and browser type
  • IP address and session data
  • Usage patterns and preferences

Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR) for platform security and improvement

2.2 Analytics and Website Usage

Self-Hosted Matomo Analytics:

We use Matomo, a privacy-focused analytics platform, hosted on AWS Europe (Ireland) datacenter. This ensures your data never leaves our control and is not shared with any third-party analytics providers.

  • Website usage statistics (pages visited, time spent, bounce rate)
  • Anonymized user behavior patterns
  • Technical information (browser, OS, screen resolution)
  • Referrer information (how you found our site)

Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR) for improving user experience
Data Retention: 24 months, after which data is automatically deleted
IP Anonymization: IP addresses are anonymized by removing the last 2 bytes
Do Not Track: We respect DNT browser signals and opt-out preferences

3. How We Use Your Personal Data

We process your personal data for the following purposes, always ensuring we have a valid legal basis:

Essential Services:

  • Account management and authentication
  • Processing appointments and bookings
  • Payment processing and invoicing
  • Customer support and communications

Platform Improvement:

  • Analytics and usage optimization
  • Security monitoring and fraud prevention
  • Service quality assurance
  • Platform feature development

Marketing Communications (Opt-in Only):

We will only send marketing communications if you have explicitly consented. You can withdraw consent at any time.

Legal Basis: Consent (Art. 6(1)(a) GDPR)

4. Data Sharing and Third-Party Services

We implement a strict data minimization principle and only share data when necessary:

Within the Platform:

  • Groomers receive necessary contact and pet information for booked services
  • Pet owners can view groomer profiles and reviews
  • Service reviews are displayed publicly (with user consent)

Third-Party Processors (GDPR Art. 28 Compliant):

  • Stripe: Payment processing (PCI DSS compliant, GDPR compliant processor, US-based with data adequacy agreements)
  • Cloudinary: Image hosting and optimization (EU servers, GDPR compliant)
  • Email Service: Transactional emails only (appointment confirmations, receipts)

All third-party processors are bound by Data Processing Agreements (DPAs) and must comply with GDPR requirements.

Legal Requirements:

We may disclose personal data when required by Estonian or EU law, court orders, or to protect the rights, property, or safety of our users and platform.

5. Data Retention and Deletion

Retention Periods:

  • Account Data: Retained while account is active + 3 years after account closure
  • Transaction Records: 7 years (Estonian tax law requirement)
  • Analytics Data: 24 months maximum, then automatically deleted
  • Support Communications: 2 years from last contact
  • Marketing Consent: Until withdrawn or account deleted

After retention periods expire, data is securely and permanently deleted from our systems. You can request earlier deletion (subject to legal requirements) through your account settings or by contacting us.

6. Your GDPR Rights

Under GDPR, you have comprehensive rights regarding your personal data. You can exercise these rights free of charge:

Access and Portability:

  • Right to access your data (Art. 15)
  • Right to data portability (Art. 20)
  • Download your data in machine-readable format

Correction and Control:

  • Right to rectification (Art. 16)
  • Right to restrict processing (Art. 18)
  • Right to object to processing (Art. 21)

Deletion and Consent:

  • Right to erasure / "Right to be forgotten" (Art. 17)
  • Right to withdraw consent at any time (Art. 7)
  • Account deletion available in settings

Complaints and Appeals:

  • Right to lodge complaints with supervisory authority
  • Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
  • European Data Protection Board (EDPB)

How to Exercise Your Rights:

You can exercise most rights directly through your account settings. For other requests, contact us at:

📧
🕐 Response Time: Within 30 days (1 month) as required by GDPR
🆔 Identity Verification: May be required for security purposes

7. Data Security and Technical Measures

We implement comprehensive technical and organizational measures to ensure data security (GDPR Art. 32):

Technical Safeguards:

  • TLS encryption for all data in transit
  • AES-256 encryption for data at rest
  • Regular security audits and penetration testing
  • Automated security monitoring and alerts
  • Multi-factor authentication for admin access

Organizational Measures:

  • Staff training on data protection principles
  • Access controls and principle of least privilege
  • Regular backup and disaster recovery procedures
  • Incident response and breach notification procedures
  • Privacy by design in system development

Data Breach Notification:

In the event of a personal data breach, we will notify the Estonian supervisory authority (Andmekaitse Inspektsioon) within 72 hours and affected users without undue delay, as required by GDPR Articles 33 and 34.

8. Cookies and Tracking Technologies

Cookie Categories and Consent:

🔧 Essential Cookies (No consent required)

Authentication, security, and basic functionality. These cannot be disabled.

📊 Analytics Cookies (Consent required)

Self-hosted Matomo analytics with IP anonymization. Helps us improve the platform.

⚙️ Functional Cookies (Consent required)

Remember preferences, language settings, and user choices.

Privacy-First Analytics:

  • Self-hosted Matomo - no data sharing with third parties
  • IP address anonymization enabled by default
  • Respects "Do Not Track" browser signals
  • Easy opt-out mechanism available
  • Data stored on AWS Europe (Ireland) datacenter

9. International Data Transfers

EU Data Residency:

All personal data is processed and stored within the European Union, on AWS Europe (Ireland) datacenter. We do not transfer personal data outside the EU/EEA except for:

  • Stripe Payments: May process payments through adequacy decision countries or with appropriate safeguards
  • Support Services: Limited technical support may access data under strict contractual obligations

Any international transfers comply with GDPR Chapter V requirements, including adequacy decisions or appropriate safeguards such as Standard Contractual Clauses (SCCs).

10. Children's Privacy

Our services are not intended for children under 16 years of age (minimum age under GDPR). We do not knowingly collect personal data from children under 16 without appropriate parental consent.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at [email protected] and we will take steps to remove such information.

11. Updates to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, services, or legal requirements. When we make material changes:

  • We will notify you via email and/or platform notification
  • We will post the updated policy on our website with a new "Last updated" date
  • For significant changes affecting your rights, we may seek renewed consent
  • Previous versions will be available upon request

Continued use of our services after policy updates constitutes acceptance of the revised policy.

12. Contact Information and Complaints

Data Protection Contact:

📧
Response Time: 30 days maximum
Languages: Estonian, English

Supervisory Authority:

Estonia - Andmekaitse Inspektsioon
Estonian Data Protection Inspectorate
Website: aki.ee
Email: [email protected]

Business Information:

Company: Grove OÜ
Jurisdiction: Estonia (European Union)
Business Registration: 17348977
VAT Status: Not liable for VAT