GDPR Compliance
Your data protection rights matter to us
We are committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR).
1. What is GDPR?
🇪🇺 General Data Protection Regulation
The GDPR is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all companies that process personal data of individuals in the European Union, regardless of where the company is located.
Core GDPR Principles We Follow:
Lawfulness & Fairness
We process data lawfully, fairly, and transparently
Purpose Limitation
Data is collected for specified, explicit, and legitimate purposes
Data Minimisation
We only collect data that is necessary for our purposes
Accuracy
We keep personal data accurate and up to date
Storage Limitation
Data is kept only as long as necessary
Security
We implement appropriate security measures
2. Your GDPR Rights
Under GDPR, you have comprehensive rights regarding your personal data. Here's what you can do:
Right to Access (Article 15)
What it means: You can request a copy of all personal data we hold about you.
What we provide: A complete overview of your data, processing purposes, recipients, and retention periods.
Response time: Within 1 month (free of charge)
Right to Rectification (Article 16)
What it means: You can request correction of inaccurate or incomplete personal data.
How we help: We'll update your information immediately and notify any third parties if necessary.
Response time: Within 1 month
Right to Erasure (Article 17)
What it means: You can request deletion of your personal data ("right to be forgotten").
When it applies: When data is no longer necessary, you withdraw consent, or data was unlawfully processed.
Exceptions: We may retain data for legal compliance or legitimate interests.
Right to Restrict Processing (Article 18)
What it means: You can request us to limit how we use your data.
When it applies: While we verify accuracy, during legal proceedings, or when you object to processing.
Effect: We'll store the data but not process it further.
Right to Data Portability (Article 20)
What it means: You can request your data in a structured, machine-readable format.
Transfer option: We can send your data directly to another service provider if technically feasible.
Format: CSV, JSON, or other structured formats
Right to Object (Article 21)
What it means: You can object to processing based on legitimate interests or for direct marketing.
Marketing: We'll stop all marketing communications immediately.
Other processing: We'll assess and stop unless we have compelling legitimate grounds.
Rights Related to Automated Decision-Making (Article 22)
What it means: You have rights regarding automated decisions that significantly affect you.
Pawtul's position: We don't use automated decision-making or profiling that significantly affects users.
If we did: You'd have the right to human intervention and to challenge the decision.
3. How We Process Your Data
📋 Data Processing Activities
As a pet care business management platform, we process different types of data for specific purposes:
👤 Business Customer Data
Data we collect:
- Contact information (name, email, phone)
- Business details (company name, address)
- Account credentials and preferences
- Payment and billing information
Purpose: Provide our software service, billing, customer support
Retention: Duration of business relationship + 7 years for financial records
🐕 Pet Owner Data (processed by our customers)
Data our customers may store:
- Pet owner contact details
- Pet information (name, breed, medical records)
- Booking and appointment details
- Photos and notes about pets
Our role: Data processor for our business customers
Customer's role: Data controller responsible for their clients' data
🌐 Website Visitor Data
Data we collect:
- IP address and browser information
- Pages visited and time spent
- Cookies and similar technologies
- Contact form submissions
Purpose: Website analytics, security, marketing, customer inquiries
Retention: 13 months for analytics, 3 years for inquiries
4. Legal Basis for Processing
Under GDPR, we must have a valid legal basis for processing your personal data. Here are the legal bases we rely on:
Contract (Article 6(1)(b))
When we use it: Processing necessary to provide our software services to business customers.
Examples: Account management, billing, service delivery, customer support.
Consent (Article 6(1)(a))
When we use it: Marketing communications, non-essential cookies, newsletter subscriptions.
Your control: You can withdraw consent at any time through your account settings or unsubscribe links.
Legitimate Interest (Article 6(1)(f))
When we use it: Website analytics, security monitoring, business development, fraud prevention.
Balancing test: We ensure our interests don't override your rights and freedoms.
Legal Obligation (Article 6(1)(c))
When we use it: Tax records, financial compliance, legal requests from authorities.
Examples: Keeping financial records for 7 years as required by UK law.
5. Data Security & Protection
🛡️ Our Security Commitment
We implement appropriate technical and organizational measures to ensure the security of your personal data and protect against unauthorized access, alteration, disclosure, or destruction.
🔧 Technical Measures
- Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Multi-factor authentication and role-based access
- Infrastructure: Secure cloud hosting with regular security updates
- Monitoring: 24/7 security monitoring and intrusion detection
- Backups: Regular encrypted backups with tested restore procedures
👥 Organizational Measures
- ISO 27001 Certification: Internationally recognized security management
- Staff Training: Regular data protection and security awareness training
- Data Protection Officer: Dedicated DPO overseeing compliance
- Privacy by Design: Data protection built into all new features
- Incident Response: Comprehensive breach response procedures
🚨 Data Breach Procedures
In the unlikely event of a data breach:
Within 72 hours
We'll notify the relevant supervisory authority (ICO in the UK)
Without undue delay
We'll notify affected individuals if there's a high risk to their rights
Comprehensive records
We maintain detailed records of all security incidents
6. International Data Transfers
🌍 Data Transfer Policy
We primarily process data within the European Economic Area (EEA). When we need to transfer data outside the EEA, we ensure appropriate safeguards are in place.
🇪🇺 Within EEA
Primary processing: Our main data processing servers are located within the EEA, ensuring full GDPR protection.
Cloud providers: We use EU-based cloud infrastructure where possible.
🌐 Outside EEA
When it happens: Some third-party services (analytics, customer support tools) may process data outside the EEA.
Safeguards we use:
- Adequacy decisions: Transfers to countries deemed adequate by the EU Commission
- Standard Contractual Clauses (SCCs): EU-approved contracts with data processors
- Binding Corporate Rules: For multinational service providers
- Certification schemes: Providers certified under recognized data protection frameworks
🤝 Third-Party Service Providers
We work with carefully selected third parties who help us provide our services:
☁️ Cloud Infrastructure
EEA-based servers with GDPR-compliant hosting providers
📊 Analytics
Website analytics with data anonymization and EU servers
💳 Payment Processing
PCI DSS compliant payment processors with appropriate safeguards
📧 Email Services
GDPR-compliant email providers for customer communications
7. Contact Our Data Protection Officer
👨‍💼 Data Protection Officer (DPO)
Our Data Protection Officer is responsible for overseeing our data protection strategy and ensuring GDPR compliance. You can contact our DPO for any data protection matters.
📮 Post
Data Protection Officer
Pawtul LTD
Suite G04, 1 Quality Court
Chancery Lane, London
England, WC2A 1HR
📋 How to Make a GDPR Request
Contact Us
Email our DPO with your request and include sufficient information to verify your identity
Identity Verification
We may ask for additional information to confirm your identity and protect your data
Processing
We'll process your request and respond within the required timeframe (usually 1 month)
Response
You'll receive a comprehensive response or explanation if we cannot fulfill your request
8. Supervisory Authority
🛡️ Your Data, Your Rights
We're committed to protecting your privacy and ensuring you have full control over your personal data. If you have any questions or want to exercise your rights, we're here to help.