Privacy Policy
Effective Date: 1 March 2026 · Last Updated: 1 March 2026
FLOWEDGE AI LTD (“we”, “us”, “our”, or “the Company”) operates The Paws Society (“the Platform”), a marketplace connecting pet owners with professional dog groomers at www.thepawssociety.com.
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the Platform. It applies to all users: pet owners (“Owners”), professional groomers (“Groomers”), and visitors.
We are committed to compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR), the California Consumer Privacy Act (CCPA/CPRA), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and the Australian Privacy Principles (APPs).
1. Data Controller
The data controller responsible for your personal data is:
FLOWEDGE AI LTD
Company Number: registered in England & Wales
193 Cambridge Street, Aylesbury, Buckinghamshire, HP20 1BQ, United Kingdom
privacy@flowedgeai.com
+44 7955 482 319
2. Information We Collect
We collect the following categories of personal data depending on how you interact with the Platform:
2.1 Account & Identity Data
- Full name and display name
- Email address
- Phone number (optional)
- Profile photograph
- Password (hashed; or OAuth token if signing in via Google)
- Account role (Owner or Groomer)
2.2 Pet Data (Owners)
- Pet name, breed, age, weight, and gender
- Coat type (short, medium, long, curly, wire)
- Pet photographs uploaded to the Platform
- Special notes: allergies, temperament, medical conditions, grooming instructions
2.3 Business & Professional Data (Groomers)
- Business name and professional biography
- Services offered, pricing, and appointment duration
- Business address, city, postcode, and geocoded coordinates (latitude/longitude)
- Working hours, break times, and availability schedule
- Professional credentials: liability insurance certificates, qualification documents, and certification names
- Portfolio images and cover photos
- Subscription tier and billing cycle
- Stripe customer ID and subscription ID
2.4 Booking & Transaction Data
- Appointment date, time, service selected, and price
- Booking status (pending, approved, confirmed, completed, cancelled, declined, no-show)
- Booking source (directory or direct link)
- Deposit amount, payment status, and Stripe payment intent ID
- Cancellation window and decline reasons
- Special booking notes and mobile service address
- No-show count (Owners) for platform integrity
2.5 Review & Feedback Data
- Star rating (1–5), review text, and reviewer display name
- Dog breed associated with the review
- Groomer responses to reviews
2.6 Technical & Device Data
- IP address and approximate geolocation (city, country) derived from Vercel hosting headers
- Browser type and version, operating system, screen resolution
- Pages visited, referral source, and session duration
- Device identifiers and cookies (see Section 8)
2.7 AI-Processed Data
- Coat Analysis: Dog photographs submitted for AI breed and coat analysis via Google Gemini. Images are processed in real time and are not stored by the Platform after analysis.
- Bio Generation: Free-text notes submitted by Groomers to generate professional biography suggestions. Notes are processed in real time and not retained.
- Document Validation: Credential images (insurance certificates, qualification documents) are analysed by AI for authenticity verification. The original documents are stored in cloud storage; AI analysis results are stored in your groomer profile.
3. How We Use Your Data & Legal Basis
Under UK GDPR Article 6, we process your personal data on the following legal bases:
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Account creation & authentication | Contract (Art. 6(1)(b)) | Name, email, password/OAuth, role |
| Facilitating bookings between Owners and Groomers | Contract (Art. 6(1)(b)) | Contact info, pet details, appointment data |
| Processing payments and deposits via Stripe | Contract (Art. 6(1)(b)) | Email, payment tokens, transaction amounts |
| Sending booking notifications and confirmations | Contract (Art. 6(1)(b)) | Email, name, booking details, pet info |
| Groomer directory listing and map display | Legitimate Interest (Art. 6(1)(f)) | Business name, address, coordinates, services, rating |
| AI coat analysis (Google Gemini) | Consent (Art. 6(1)(a)) | Dog photograph |
| AI bio generation (Google Gemini) | Consent (Art. 6(1)(a)) | Free-text groomer notes |
| AI credential validation (Google Gemini) | Legitimate Interest (Art. 6(1)(f)) | Insurance/qualification document images |
| No-show tracking and account restriction | Legitimate Interest (Art. 6(1)(f)) | No-show count, booking history |
| Fraud prevention and platform security | Legitimate Interest (Art. 6(1)(f)) | IP address, auth tokens, rate-limit data |
| Tax reporting and financial compliance | Legal Obligation (Art. 6(1)(c)) | Payment records, invoices, transaction IDs |
| Displaying reviews and ratings | Legitimate Interest (Art. 6(1)(f)) | Reviewer name, rating, review text |
| IP geolocation for personalised homepage | Legitimate Interest (Art. 6(1)(f)) | Approximate city from IP (not stored) |
Where we rely on Legitimate Interest, we have conducted a Legitimate Interest Assessment (LIA) and concluded that our interests do not override your fundamental rights and freedoms.
4. Data Sharing & Third-Party Processors
We share your personal data only when necessary to provide the Platform. We never sell your data.
4.1 Service Providers (Data Processors)
| Provider | Purpose | Data Shared | Safeguard |
|---|---|---|---|
| Google Firebase (Google LLC, USA) | Authentication, database (Firestore), Cloud Functions | Account data, all Platform data | SCCs, EU data processing terms |
| Stripe (Stripe Inc., USA) | Payment processing, subscriptions | Email, name, payment method tokens, amounts | PCI-DSS Level 1, SCCs |
| Google Gemini AI (Google LLC, USA) | Coat analysis, bio generation, document OCR | Dog photos, groomer notes, credential images | Google AI data processing terms |
| Google Maps Platform (Google LLC, USA) | Address geocoding, map display | Business addresses, coordinates | SCCs, Google data processing terms |
| Cloudflare R2 (Cloudflare Inc., USA) | Image and file storage | Pet photos, groomer images, credential documents | Encryption at rest, Cloudflare DPA |
| Resend (Resend Inc., USA) | Transactional email delivery | Email address, name, booking details | TLS encryption, Resend DPA |
| Vercel (Vercel Inc., USA) | Website hosting, edge delivery, logging | IP address, geo headers, server logs | Vercel DPA, SOC 2 Type II |
4.2 Other Recipients
- Between Users: When an Owner books a Groomer, we share the Owner's name, email, phone number, and pet details with that Groomer. Conversely, Groomer business information (name, address, services) is visible to Owners on the directory.
- Professional Advisers: Lawyers, auditors, and insurers where necessary for legal, audit, or insurance purposes.
- Law Enforcement: If required by law, court order, or to protect our legal rights.
5. International Data Transfers
Our Cloud Functions run in europe-west2 (London, UK) to keep processing close to our registered office. However, some processors (Google, Stripe, Cloudflare, Resend, Vercel) are headquartered in the United States and may process data globally.
For all international transfers, we rely on one or more of the following safeguards:
- Adequacy Decisions: Transfers to countries the UK Secretary of State has deemed adequate.
- Standard Contractual Clauses (SCCs): EU/UK-approved model clauses incorporated into our processor agreements.
- Supplementary Measures: Encryption in transit (TLS 1.2+) and at rest, pseudonymisation, and access controls.
6. Data Retention
We retain your data only for as long as necessary to fulfil the purposes for which it was collected:
| Data Category | Retention Period |
|---|---|
| Account & profile data | Until you delete your account + 30-day grace period |
| Pet profiles & photos | Until you delete the pet or your account |
| Booking records | 7 years from appointment date (UK tax/legal compliance) |
| Payment & transaction records | 7 years (retained by Stripe per their policy; metadata in our database) |
| Reviews | Until you delete your account or request removal |
| Credential documents | Until the Groomer deletes them or their account |
| AI-processed images (coat analysis) | Not stored — analysed in real time only |
| Server logs | 7–30 days (Vercel and Firebase defaults) |
| Session cookies | 14 days or until logout |
7. Data Security
We implement appropriate technical and organisational measures to protect your personal data:
- Encryption in Transit: All data transmitted via HTTPS/TLS 1.2+. Strict-Transport-Security headers enforced.
- Encryption at Rest: Firestore, Cloudflare R2, and Stripe encrypt stored data by default.
- Password Security: Passwords are salted and hashed by Firebase Authentication (bcrypt-equivalent). We never store plaintext passwords.
- Access Control: API endpoints verify Firebase ID tokens server-side. Users can only access their own data. Groomers can only manage their own bookings.
- Rate Limiting: Public API endpoints are rate-limited to prevent abuse (geocoding: 10 req/min, availability: 30 req/min, locations: 20 req/min per IP).
- Input Sanitisation: All user input is validated and sanitised to prevent injection attacks (XSS, SQL injection).
- PII Redaction: Email addresses and phone numbers are redacted in server logs.
- Webhook Verification: Stripe webhook signatures are cryptographically verified before processing.
- Security Headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Content-Security-Policy headers are set on all responses.
8. Cookies & Local Storage
8.1 Cookies We Set
| Cookie | Type | Purpose | Lifetime |
|---|---|---|---|
| __session | Essential | Stores your user role for route protection and access control | 14 days |
8.2 Third-Party Cookies
The following services may set their own cookies when you interact with the Platform:
- Firebase Authentication: Session management and security tokens.
- Stripe: Fraud detection and payment processing during checkout.
- Google Maps: Map rendering and interaction when viewing the groomer directory.
8.3 Local Storage
- Cookie consent preference: Your choice (essential-only or all cookies) is stored in your browser's localStorage under paws-cookie-consent.
8.4 Managing Cookies
You can manage your cookie preferences through the cookie consent banner shown on your first visit. You can also clear cookies at any time through your browser settings. Disabling essential cookies may prevent you from using certain features of the Platform.
9. Your Legal Rights
Depending on your location, you have the following rights under applicable data protection laws:
9.1 UK & EU Residents (UK GDPR / EU GDPR)
- Right of Access (Art. 15) — Request a copy of all personal data we hold about you. You can export your data at any time from your account Settings, or email us.
- Right to Rectification (Art. 16) — Request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17) — Request deletion of your personal data (“right to be forgotten”). You can delete your account from Settings, which cascade-deletes all associated data (profile, pets, bookings, reviews, uploaded files).
- Right to Restriction (Art. 18) — Request that we limit how we process your data.
- Right to Data Portability (Art. 20) — Receive your data in a structured, machine-readable JSON format via our data export feature.
- Right to Object (Art. 21) — Object to processing based on legitimate interests.
- Right to Withdraw Consent (Art. 7(3)) — Where processing is based on consent (e.g., AI coat analysis), you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right Not to be Subject to Automated Decision-Making (Art. 22) — Our no-show restriction system automatically restricts accounts after 3 or more no-shows. You may request human review of this decision by contacting us.
9.2 California Residents (CCPA/CPRA)
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected.
- Right to Delete: You may request deletion of your personal information.
- Right to Opt-Out of Sale: We do not sell your personal information. We do not share data with third parties for cross-context behavioural advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
9.3 Canadian Residents (PIPEDA)
You have the right to access your personal information, challenge its accuracy, and withdraw consent for non-essential processing. Contact us to exercise these rights.
9.4 Australian Residents (APPs)
Under the Australian Privacy Principles, you have the right to access and correct your personal information. If you believe we have breached the APPs, you may lodge a complaint with us or the Office of the Australian Information Commissioner (OAIC).
9.5 How to Exercise Your Rights
To exercise any of these rights:
- Self-service: Use the data export and account deletion features in your account Settings.
- Email: Send a request to privacy@flowedgeai.com. We will verify your identity and respond within 30 days (or sooner where required by law).
- Post: Write to our Data Protection Officer at the address in Section 1.
We will not charge a fee for reasonable requests. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse the request, providing reasons.
10. Account Deletion
You can delete your account and all associated data at any time:
- Self-service: Navigate to Settings → Delete Account. This permanently removes your profile, pets, bookings, reviews, and all uploaded files.
- By email: Contact privacy@flowedgeai.com and we will process your request within 30 days.
Upon deletion, your Firebase Authentication account is disabled immediately and fully purged within 30 days. Certain anonymised transaction records may be retained for 7 years as required by UK tax law.
11. Children's Privacy
The Platform is not intended for use by anyone under the age of 16 (or 13 in jurisdictions where permitted). We do not knowingly collect personal data from children. If we discover that a child has provided us with personal data without parental consent, we will delete it promptly. If you believe a child has submitted personal data to us, please contact privacy@flowedgeai.com.
12. Automated Decision-Making
We use limited automated decision-making on the Platform:
- No-Show Restriction: If an Owner accumulates 3 or more no-shows (as reported by Groomers), their account is automatically restricted from making new bookings. This protects Groomers from repeated no-shows. Owners may request a human review by contacting support.
- Credential Validation: AI analyses uploaded insurance and qualification documents for authenticity indicators. A human may review flagged documents.
- AI Bio & Coat Analysis: These are advisory tools only and do not result in decisions that produce legal effects or similarly significant effects on you.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting a prominent notice on the Platform or sending you an email. The “Last Updated” date at the top of this page will always reflect the most recent revision.
Continued use of the Platform after changes take effect constitutes your acceptance of the revised policy. If you do not agree with any changes, you should stop using the Platform and delete your account.
14. Data Protection Officer
For any data protection queries or to exercise your rights, please contact our Data Protection Officer:
- Email: dpo@flowedgeai.com
- Post: DPO, FLOWEDGE AI LTD, 193 Cambridge Street, Aylesbury, HP20 1BQ, United Kingdom
15. Supervisory Authority & Complaints
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the relevant supervisory authority:
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
- European Union: Your local Data Protection Authority (DPA)
- California: California Attorney General — oag.ca.gov/privacy
- Canada: Office of the Privacy Commissioner — priv.gc.ca
- Australia: Office of the Australian Information Commissioner — oaic.gov.au
We would appreciate the opportunity to address your concerns before you approach a supervisory authority. Please contact us first at privacy@flowedgeai.com.