PRIVACY POLICY
Effective Date: January 15, 2025
Last Updated: January 15, 2025
INTRODUCTION
Manuel Echavarria, operating as BPetit ("BPetit," "we," "us," or "our"), respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use the BPetit application and related services (the "Service").
This Privacy Policy applies to:
- Our website at https://bpetit.app
- Our mobile and web applications
- Any related services, features, or content we offer
Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to our collection, storage, use, and disclosure of your personal information as described in this Privacy Policy and our Terms of Service.
TABLE OF CONTENTS
- Information We Collect
- How We Use Your Information
- Legal Bases for Processing (GDPR)
- How We Share Your Information
- International Data Transfers
- Data Security
- Data Retention
- Your Privacy Rights
- Children's Privacy
- Cookies and Tracking Technologies
- Third-Party Services
- Do Not Track Signals
- California Privacy Rights (CCPA/CPRA)
- European Privacy Rights (GDPR)
- Changes to This Privacy Policy
- Contact Us
1. INFORMATION WE COLLECT
We collect several types of information from and about users of our Service.
1.1 Information You Provide to Us
(a) Account Registration Information
When you create an account, we collect:
- Full name (first and last name)
- Email address
- Password (stored in hashed/encrypted form only)
- Phone number (optional)
- Postal address (street, city, state, zip code, country) (optional)
- Profile avatar/photo (optional)
- Language preference
- Notification preferences
(b) Pet Profile Information
When you add a pet to your account, we collect:
- Pet name
- Species (dog, cat, bird, rabbit, other)
- Breed
- Date of birth
- Microchip ID (optional but recommended)
- Neutered/spayed status
- Profile photograph (optional)
(c) Pet Health Records (Sensitive Information)
You may choose to provide detailed health information about your pet, including:
- Weight history (measurements, dates, notes)
- Medical conditions (condition name, diagnosis date, clinical notes)
- Allergies (allergen name, type, severity, reaction description, diagnosis date, notes)
- Current medications (name, dosage, frequency, administration times, start/end dates, schedule)
- Vaccination records (vaccine name, date administered, next due date, provider, notes, documents)
- Veterinary visit records (date, clinic, veterinarian, reason, diagnosis, notes, prescribed medications, follow-up appointments)
- Blood type
- Emergency veterinarian information (name, phone, address)
- Diet and feeding information (food type, brand, amount, frequency, recipes)
- Medical documents (uploaded PDFs, images, lab results, x-rays, certificates)
IMPORTANT: Pet health information is considered sensitive personal data under many privacy laws (including GDPR Article 9). While this data relates to animals rather than humans, we treat it with the highest level of protection and require your explicit consent to process it.
(d) Communication Content
When you communicate with us or use communication features, we collect:
- AI Chat messages and conversation history
- Community posts and comments
- Email correspondence with our support team
- Contact form submissions (name, email, phone, message)
- Lost pet contact submissions (finder's name, email, phone, message)
- Reports and moderation feedback
(e) User-Generated Content
You may upload various types of content:
- Photographs (pet photos, user avatars, community post images)
- Documents (medical records, vaccination certificates, veterinary reports)
- Text content (posts, comments, notes, health records)
1.2 Information We Collect Automatically
(a) Device and Usage Information
When you access the Service, we automatically collect:
- IP address
- Browser type and version
- Device type (desktop, mobile, tablet)
- Operating system
- Access times and dates
- Pages viewed and links clicked
- Referring/exit pages
- Service usage patterns
(b) Cookies and Tracking Technologies
We use cookies and similar technologies to:
- Authenticate your account (session management)
- Remember your preferences
- Analyze usage patterns
- Improve Service functionality
See Section 10 for detailed cookie information.
(c) Push Notification Data
If you opt in to push notifications, we collect:
- Push notification subscription data (endpoint, authentication keys)
- Notification delivery status
- Device notification preferences
1.3 Information from Third Parties
(a) Social Media
If we add social login features in the future, we may collect information from social media platforms when you choose to connect your account.
(b) Service Providers
We receive information from third-party service providers we use to operate the Service:
- Cloudinary (image upload confirmation, file metadata)
- Email delivery services (email open/click rates, delivery status)
- Payment processors (if implemented in the future)
1.4 Aggregated and De-Identified Data
We may create aggregated, anonymized, or de-identified data from the information we collect. This data cannot reasonably identify you and is not considered personal data under privacy laws. We may use and share this data without restriction for research, analytics, and service improvement purposes.
2. HOW WE USE YOUR INFORMATION
We use your information for the following purposes:
2.1 To Provide and Maintain the Service
- Create and manage your account
- Process your requests and transactions
- Provide pet health tracking and record-keeping features
- Generate medication and appointment reminders
- Enable AI Vet Chat functionality
- Facilitate lost pet emergency contact features
- Provide community forum features
- Deliver notifications and alerts
- Provide customer support
2.2 To Improve and Develop the Service
- Analyze usage patterns and trends
- Understand how users interact with features
- Identify and fix technical issues
- Develop new features and functionality
- Conduct research and analytics
- Test new features and improvements
- Train and improve AI models (through third-party providers)
2.3 To Communicate with You
- Send transactional emails (account verification, password resets, appointment reminders)
- Send service-related notifications (system updates, security alerts, policy changes)
- Respond to your inquiries and support requests
- Send marketing communications (with your consent, where required)
- Notify you of lost pet contacts
2.4 To Ensure Safety and Security
- Verify your identity
- Prevent fraud and abuse
- Enforce our Terms of Service
- Protect our rights and property
- Comply with legal obligations
- Respond to law enforcement requests
- Detect and prevent security incidents
- Monitor and moderate community content
2.5 For Legal and Compliance Purposes
- Comply with applicable laws and regulations
- Respond to legal requests (subpoenas, court orders)
- Establish, exercise, or defend legal claims
- Protect the rights, privacy, safety, or property of you, us, or others
- Maintain records as required by law
2.6 With Your Consent
- Any other purpose for which you provide specific consent
- Send marketing emails (where opt-in consent is required)
- Process sensitive personal data (explicit consent)
- Share data with third parties for purposes not covered here
3. LEGAL BASES FOR PROCESSING (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data only when we have a legal basis to do so:
3.1 Consent
You have given explicit consent for processing your personal data for specific purposes, including:
- Processing sensitive pet health data
- Sending marketing communications
- Using AI Chat features (which send data to third-party AI providers)
- Enabling public lost pet features
You may withdraw consent at any time by contacting us or adjusting your account settings.
3.2 Contract Performance
Processing is necessary to perform our contract with you (Terms of Service), including:
- Creating and managing your account
- Providing the Service features you request
- Processing your requests and transactions
- Providing customer support
3.3 Legal Obligation
Processing is necessary to comply with legal obligations, such as:
- Responding to law enforcement requests
- Complying with tax or accounting requirements
- Maintaining records as required by law
- Reporting suspected illegal activity
3.4 Legitimate Interests
Processing is necessary for our legitimate interests (or those of a third party), where such interests are not overridden by your rights, including:
- Improving and developing the Service
- Preventing fraud and ensuring security
- Analyzing usage to optimize features
- Conducting business analytics
- Marketing our own services to existing users
- Enforcing our Terms of Service
You have the right to object to processing based on legitimate interests (see Section 8).
3.5 Vital Interests
In rare cases, processing may be necessary to protect vital interests (life or death situations), such as using emergency contact information in urgent circumstances.
4. HOW WE SHARE YOUR INFORMATION
We do not sell your personal information to third parties. We share your information only as described below:
4.1 Third-Party Service Providers
We share information with trusted third-party service providers who perform services on our behalf:
(a) Cloudinary Inc. (Image and Document Storage)
- Headquarters: United States
- Data Shared: Uploaded images and documents (pet photos, medical records, user avatars, community images)
- Purpose: Cloud storage and content delivery
- Privacy Policy: https://cloudinary.com/privacy
- Safeguards: Data Processing Agreement, Standard Contractual Clauses
(b) MongoDB, Inc. (Database Hosting)
- Headquarters: United States
- Data Shared: All application data (user accounts, pet profiles, health records, messages, posts)
- Purpose: Database hosting and management
- Privacy Policy: https://www.mongodb.com/legal/privacy-policy
- Safeguards: Data Processing Agreement, Standard Contractual Clauses
(c) Brevo (formerly Sendinblue) (Email Service)
- Headquarters: France (EU)
- Data Shared: Email addresses, names, email content (transactional and notification emails)
- Purpose: Transactional email delivery (account verification, password resets, notifications)
- Privacy Policy: https://www.brevo.com/legal/privacypolicy/
- Safeguards: GDPR compliant, EU-based data processing
(d) Anthropic PBC (AI Service Provider)
- Headquarters: United States
- Data Shared: AI Chat messages, conversation history, context information
- Purpose: Providing AI-powered veterinary information and chat assistance
- Privacy Policy: https://www.anthropic.com/privacy
- Data Use: Anthropic may use conversations to improve AI models (subject to their terms)
- Safeguards: Standard Contractual Clauses, data minimization
(e) OpenAI (Alternative AI Provider)
- Headquarters: United States
- Data Shared: AI Chat messages, conversation history (if OpenAI is selected as provider)
- Purpose: Providing AI-powered chat functionality
- Privacy Policy: https://openai.com/privacy
- Data Use: Subject to OpenAI's data usage policies
- Safeguards: Standard Contractual Clauses
Third-Party Obligations: All service providers are contractually required to:
- Use your data only for specified purposes
- Implement appropriate security measures
- Comply with applicable data protection laws
- Not sell or share your data for their own purposes (except as permitted in their policies)
4.2 Public Features
(a) Community Forums
When you post in community forums:
- Your username and content are visible to all users (including non-registered visitors)
- Your profile picture may be visible if you've uploaded one
- Other users can view, copy, share, and comment on your posts
- Posts remain public even if you later change privacy settings (though you can delete them)
(b) Lost Pet Feature
When you enable the lost pet feature for a pet:
- Pet health information becomes publicly accessible to anyone with the microchip ID
- Information displayed includes: name, photo, allergies, medical conditions, medications, blood type, emergency vet
- Your personal contact information is NOT publicly displayed
- Finders can submit their contact information, which is shared with you
You must explicitly enable this feature and understand that sensitive information will be public.
4.3 Business Transfers
If BPetit is involved in a merger, acquisition, asset sale, bankruptcy, or similar transaction, your information may be transferred as part of that transaction. We will:
- Provide notice before your information is transferred
- Ensure the new entity is bound by this Privacy Policy or a substantially similar policy
- Offer you choices regarding your data (where feasible)
4.4 Legal Requirements and Protection
We may disclose your information if required or permitted by law:
- To comply with legal obligations (subpoenas, court orders, legal processes)
- To protect rights and safety (enforce Terms of Service, investigate fraud or security issues)
- To law enforcement (respond to valid requests, report criminal activity)
- In emergencies (prevent imminent harm to persons or property)
- To professional advisors (lawyers, accountants, auditors) under confidentiality obligations
4.5 With Your Consent
We may share your information with third parties when you provide explicit consent for specific purposes not covered above.
4.6 Aggregated and Anonymized Data
We may share aggregated, de-identified, or anonymized data that cannot reasonably identify you:
- For research and analytics
- With business partners
- For industry reports and benchmarks
- To improve services
5. INTERNATIONAL DATA TRANSFERS
5.1 Where We Operate
BPetit is operated from Malaysia by Manuel Echavarria (Spanish and Colombian national). However, the Service is available worldwide, and our service providers are located in various countries.
5.2 Data Transfer Locations
Your information may be transferred to, stored, and processed in:
- United States (Cloudinary, MongoDB, Anthropic, OpenAI)
- European Union (Brevo - France)
- Other countries where our service providers maintain facilities
These countries may have data protection laws that differ from the laws of your country of residence.
5.3 Safeguards for International Transfers
(a) For EU/EEA/UK Residents
When we transfer your personal data outside the EEA or UK, we ensure appropriate safeguards are in place:
Standard Contractual Clauses (SCCs):
- We use EU Commission-approved Standard Contractual Clauses with service providers in non-adequate countries
- SCCs are legally binding data protection obligations that ensure adequate safeguards
Adequacy Decisions:
- We rely on EU Commission adequacy decisions where available (e.g., for transfers to certain countries deemed to have adequate protection)
Additional Safeguards:
- Supplementary measures beyond SCCs (encryption, access controls, data minimization)
- Regular assessments of transfer risks and safeguards
- Contractual obligations requiring service providers to protect your data
(b) For Other Jurisdictions
We implement reasonable safeguards for all international transfers, including:
- Contractual data protection clauses
- Technical and organizational security measures
- Regular vendor assessments
5.4 Your Consent
By using the Service, you understand and consent to the transfer of your information to countries outside your country of residence, including the United States, which may have different data protection laws.
For EU residents, this consent is obtained separately for transfers not covered by adequacy decisions or SCCs.
6. DATA SECURITY
6.1 Security Measures
We implement reasonable technical and organizational measures to protect your personal information from unauthorized access, use, alteration, and destruction, including:
Technical Safeguards:
- Encryption in transit: HTTPS/TLS encryption for data transmission
- Encryption at rest: Password hashing using bcrypt (12 rounds)
- Secure authentication: JWT tokens with short expiration periods
- HTTP-only cookies: Authentication tokens not accessible to JavaScript
- Access controls: Role-based access restrictions
- Rate limiting: Protection against brute-force attacks
- Secure password requirements: Minimum 8 characters
Organizational Safeguards:
- Limited access: Only authorized personnel access personal data
- Confidentiality obligations: Service providers bound by confidentiality agreements
- Security training: Ongoing security awareness
- Vendor management: Regular security assessments of third-party providers
Operational Safeguards:
- Regular backups: Data backup and disaster recovery procedures
- Monitoring: Security monitoring and incident detection
- Updates: Regular software updates and security patches
6.2 Security Limitations
No method of transmission or storage is 100% secure. While we strive to protect your personal information:
- We cannot guarantee absolute security
- Internet transmission always carries some risk
- Unauthorized access, hardware/software failure, and other factors may compromise security
You are responsible for:
- Maintaining the confidentiality of your password
- Choosing a strong, unique password
- Logging out of your account on shared devices
- Notifying us immediately of any security breach
6.3 Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify supervisory authorities within 72 hours (GDPR requirement)
- Notify affected users without undue delay if the breach poses a high risk
- Describe the breach, including categories and approximate number of affected individuals
- Explain potential consequences and measures taken to mitigate harm
- Provide contact information for further inquiries
7. DATA RETENTION
7.1 Retention Periods
We retain your personal information only as long as necessary for the purposes set out in this Privacy Policy and to comply with legal obligations.
Active Accounts:
- Account and profile data: Retained while your account is active
- Pet health records: Retained while your account is active (you can delete individual records at any time)
- AI Chat history: Retained while your account is active (you can delete conversations)
- Community posts: Retained while your account is active (you can delete posts)
Deleted Accounts:
- Personal data: Permanently deleted within 30 days of account deletion request
- Backup copies: May remain in backup systems for up to 90 days
- Legal hold data: Retained longer if required for legal, accounting, or dispute resolution purposes
Specific Retention Periods:
- Authentication tokens: 15 minutes (access tokens), 7 days (refresh tokens)
- Password reset tokens: 24 hours
- Email communications: Up to 2 years (for legal/audit purposes)
- Transaction records: As required by law (typically 7 years for accounting purposes)
- Logs and analytics: Up to 12 months
7.2 Retention Criteria
We determine retention periods based on:
- Purpose of processing: How long the data is needed to fulfill the purpose
- Legal obligations: Laws requiring data retention (tax, accounting, employment)
- Consent duration: If processing is based on consent, until consent is withdrawn
- Legitimate interests: Business needs for analytics, security, and improvement
- Statute of limitations: Periods for legal claims
7.3 Anonymization
After retention periods expire, we may:
- Permanently delete your data, or
- Anonymize your data so it can no longer identify you (for research and analytics)
7.4 Right to Erasure
You may request deletion of your data before the end of retention periods (see Section 8). However, we may retain certain information where legally required or permitted.
8. YOUR PRIVACY RIGHTS
Depending on your location, you may have the following rights regarding your personal information:
8.1 Rights Available to All Users
(a) Access and Review
- Right to access: Request a copy of the personal information we hold about you
- Right to review: View your data through your account dashboard
(b) Correction
- Right to rectification: Correct inaccurate or incomplete information
- How to exercise: Update your account and pet information through your account settings
(c) Deletion
- Right to deletion: Request deletion of your account and personal data
- How to exercise: Use the account deletion feature in settings or email bpetit.contact@gmail.com
- Timeline: Deletion completed within 30 days
(d) Objection
- Right to object: Object to certain processing of your data
- Marketing emails: Unsubscribe via email footer or account settings
- Push notifications: Disable in device settings
8.2 Additional Rights for EU/EEA/UK Residents (GDPR)
Under the General Data Protection Regulation (GDPR), you have additional rights:
(a) Data Portability
- Right to data portability: Receive your personal data in a structured, commonly used, machine-readable format
- Transfer: Request direct transfer to another controller (where technically feasible)
- How to exercise: Email bpetit.contact@gmail.com with a portability request
- Timeline: Fulfilled within 30 days
(b) Restriction of Processing
- Right to restriction: Request that we stop processing your data (while retaining it) in certain circumstances:
  - Accuracy is contested
  - Processing is unlawful but you prefer restriction over deletion
  - Data is no longer needed but you require it for legal claims
  - You've objected to processing (pending verification of legitimate grounds)
(c) Withdraw Consent
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time
- Effect: We will stop processing (but prior processing remains lawful)
- How to exercise: Email bpetit.contact@gmail.com or use account settings
(d) Lodge a Complaint
- Right to complain: File a complaint with your national data protection authority
- EU Residents: Contact your local supervisory authority: https://edpb.europa.eu/about-edpb/board/members_en
- UK Residents: Contact the ICO: https://ico.org.uk/
(e) Automated Decision-Making
- Right to object to automated decisions: The Service does not make automated decisions with legal or similarly significant effects
- AI Chat: AI responses are advisory only and do not constitute automated decision-making
8.3 Additional Rights for California Residents (CCPA/CPRA)
See Section 13 for detailed California privacy rights.
8.4 How to Exercise Your Rights
Online:
- Access most data through your account dashboard
- Update profile and pet information in account settings
- Delete account through settings
Email Requests:
- Send requests to: bpetit.contact@gmail.com
- Include: Your name, email, description of request, verification information
Verification:
- We must verify your identity before fulfilling requests
- May require additional information or authentication
- Protects against fraudulent requests
Timeline:
- We respond to verified requests within 30 days (may extend to 60 days for complex requests)
- We will inform you if an extension is needed
No Fee:
- We fulfill requests free of charge
- May charge a reasonable fee for excessive, repetitive, or manifestly unfounded requests
Limitations:
- Certain rights have exceptions or limitations under applicable law
- We may deny requests if legally permitted or required to retain data
- We will explain if we cannot fulfill a request
9. CHILDREN'S PRIVACY
9.1 Age Restriction
The Service is not intended for children under 18 years of age.
We do not knowingly collect personal information from children under 18. By using the Service, you represent that you are at least 18 years old.
9.2 Parental Notification
If we learn that we have collected personal information from a child under 18:
- We will delete that information as soon as possible
- We will terminate the account
- We will notify parents/guardians (if contact information is available)
9.3 Parental Rights
If you believe we have collected information from a child under 18, please contact us immediately at bpetit.contact@gmail.com with:
- The child's name and date of birth
- Your relationship to the child
- Verification of your authority
10. COOKIES AND TRACKING TECHNOLOGIES
10.1 What Are Cookies?
Cookies are small text files placed on your device when you visit a website. They are widely used to make websites work efficiently and provide information to site owners.
10.2 Cookies We Use
(a) Essential Cookies (Strictly Necessary)
These cookies are required for the Service to function and cannot be disabled:
Authentication Cookies:
- auth-token: Stores your login session token
  - Duration: 15 minutes
  - Purpose: Authenticate your account
  - Type: HTTP-only, Secure (in production)
- refresh-token: Stores your refresh token for session renewal
  - Duration: 7 days
  - Purpose: Maintain your login session
  - Type: HTTP-only, Secure (in production)
Admin Cookies:
- admin-session: For admin dashboard access (admin users only)
  - Duration: Session-based
  - Purpose: Admin authentication
  - Type: HTTP-only, Secure
(b) Functional Cookies
These cookies enhance functionality and personalization:
- Language preference: Remember your selected language
- User preferences: Remember your settings and choices
- Local storage: Cache certain data for faster loading
(c) Analytics Cookies (Future Implementation)
Currently NOT implemented. If we add analytics in the future:
- We will update this policy with details
- We will provide opt-out options
- We will obtain consent where required
10.3 Local Storage
We use browser local storage to:
- Cache user preferences
- Store temporary data for better performance
- Manage service worker registration (for PWA features)
- Store draft content (community posts)
10.4 Push Notifications
If you opt in to push notifications:
- We store push subscription data (endpoint, keys)
- You can disable notifications anytime in device settings
- Disabling does not require account changes
10.5 Your Cookie Choices
Essential Cookies:
- Cannot be disabled (required for Service functionality)
- Disabling will prevent you from using the Service
Optional Cookies:
- You can control through browser settings
- Most browsers allow you to refuse cookies or alert you when cookies are being sent
Browser Controls:
- Chrome: Settings > Privacy and Security > Cookies
- Firefox: Settings > Privacy & Security > Cookies
- Safari: Preferences > Privacy > Cookies
- Edge: Settings > Privacy, search, and services > Cookies
Note: Disabling cookies may impair Service functionality.
10.6 Third-Party Cookies
We currently do not use third-party cookies (advertising, social media, analytics). If this changes, we will update this policy and provide opt-out options.
11. THIRD-PARTY SERVICES
11.1 Third-Party Links
The Service may contain links to third-party websites, applications, or services. We:
- Do not control these third parties
- Are not responsible for their privacy practices
- Do not endorse their content or services
Your interactions with third-party sites are governed by their privacy policies, not ours. We encourage you to read their policies before providing personal information.
11.2 Third-Party Service Providers
We use third-party service providers as described in Section 4.1. These providers are contractually obligated to protect your data, but their privacy policies also apply to their processing:
- Cloudinary: https://cloudinary.com/privacy
- MongoDB: https://www.mongodb.com/legal/privacy-policy
- Brevo: https://www.brevo.com/legal/privacypolicy/
- Anthropic: https://www.anthropic.com/privacy
- OpenAI: https://openai.com/privacy
11.3 Social Media Integration
We currently do not integrate with social media platforms. If we add social login or sharing features in the future:
- We will update this policy
- We will clearly disclose what information is shared
- You will have the choice to use these features
12. DO NOT TRACK SIGNALS
Some web browsers have "Do Not Track" (DNT) features that signal to websites that users do not want their online activities tracked.
We do not currently respond to DNT signals because:
- There is no industry standard for how to respond to DNT
- We do not use third-party tracking technologies
- We do not track users across third-party websites
If industry standards are established, we will reassess our DNT practices and update this policy accordingly.
13. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)
13.1 Applicability
This section applies to California residents under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
13.2 Categories of Personal Information Collected
In the past 12 months, we have collected the following categories:
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, phone number, IP address, device ID | Yes |
| Personal Information (CA Civil Code § 1798.80) | Name, address, phone, email | Yes |
| Protected Classifications | Age (date of birth - 18+ verification) | Limited |
| Commercial Information | Purchase history, payment information | No (not yet implemented) |
| Biometric Information | Fingerprints, faceprints, voiceprints | No |
| Internet/Network Activity | Browsing history, search history, interaction with Service | Yes |
| Geolocation Data | Physical location | No (not collected) |
| Sensory Information | Audio, visual, electronic information | Yes (pet photos, user avatars, documents) |
| Professional/Employment Information | Job title, employer | No |
| Education Information | School, degree | No |
| Inferences | Preferences, behavior, attitudes | Limited (usage patterns) |
| Sensitive Personal Information | Pet health data (see below) | Yes |
13.3 Sensitive Personal Information
We collect the following sensitive personal information:
- Pet health data: While this relates to animals (not humans), we treat it with heightened protection
- Account credentials: Passwords (stored in hashed form only)
We do not collect:
- Social Security numbers
- Driver's license numbers
- Financial account information (not yet implemented)
- Precise geolocation
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union membership
- Genetic or biometric data (human)
- Health information (human)
- Sex life or sexual orientation information
13.4 Sources of Personal Information
We collect personal information from the following sources:
- Directly from you: Account registration, profile creation, Service use
- Automatically: Device and usage information through cookies and similar technologies
- Third parties: Service providers (Cloudinary, AI providers) when you use their features
13.5 Business and Commercial Purposes
We use personal information for the following business/commercial purposes:
- Providing the Service (fulfilling transactions, customer service)
- Security and fraud prevention
- Debugging and repair
- Internal research and development
- Quality control and improvement
- Marketing (with your consent)
See Section 2 for detailed use descriptions.
13.6 Categories of Third Parties with Whom We Share Information
We share personal information with:
- Service providers (Cloudinary, MongoDB, Brevo, Anthropic, OpenAI)
- Law enforcement (when required by law)
- Professional advisors (lawyers, accountants)
We do NOT:
- Sell personal information
- Share personal information for cross-context behavioral advertising
- Share sensitive personal information except as necessary to provide the Service
13.7 Data Retention
See Section 7 for detailed retention periods. Generally:
- Active accounts: Duration of account plus 30 days
- Deleted accounts: 30 days for permanent deletion, up to 90 days in backups
- Legal requirements: As required by law
13.8 Your California Privacy Rights
(a) Right to Know
You have the right to request:
- Categories of personal information we collected
- Categories of sources from which information was collected
- Business purposes for collecting or selling information
- Categories of third parties with whom we share information
- Specific pieces of personal information we collected about you
(b) Right to Delete
You have the right to request deletion of your personal information, subject to certain exceptions (legal obligations, fraud prevention, service provision).
(c) Right to Correct
You have the right to request correction of inaccurate personal information.
(d) Right to Opt-Out of Sale/Sharing
We do NOT sell your personal information or share it for cross-context behavioral advertising.
Therefore, we do not provide a "Do Not Sell or Share My Personal Information" link. If this changes, we will update this policy and provide an opt-out mechanism.
(e) Right to Limit Use of Sensitive Personal Information
We do not use sensitive personal information for purposes other than providing the Service. Therefore, a limitation right does not apply. If this changes, we will provide a limitation mechanism.
(f) Right to Non-Discrimination
You have the right not to receive discriminatory treatment for exercising your CCPA rights. We will not:
- Deny goods or services
- Charge different prices or rates
- Provide different quality of service
- Suggest different prices or quality
13.9 How to Exercise Your California Rights
Submit a Request:
- Email: bpetit.contact@gmail.com
- Subject Line: "California Privacy Rights Request"
- Include: Your name, email, and a description of the right you're exercising
Verification:
- We must verify your identity before processing requests
- We may require additional information or authentication
Authorized Agent:
- You may designate an authorized agent to make requests on your behalf
- Provide written authorization and verify your identity
Timeline:
- We respond within 45 days (may extend by 45 days if reasonably necessary)
- We will notify you if an extension is needed
No Fee:
- Requests are fulfilled free of charge
- We may charge a reasonable fee for excessive or manifestly unfounded requests
13.10 California "Shine the Light" Law
Under California Civil Code Section 1798.83:
- California residents may request information about disclosure of personal information to third parties for direct marketing purposes
We do not share personal information with third parties for their direct marketing purposes.
If this changes, we will provide an opt-out mechanism and respond to "Shine the Light" requests.
13.11 California Minors
If you are a California resident under 18 and a registered user:
- You may request removal of content you posted publicly
- Email bpetit.contact@gmail.com with specific content to be removed
Note: Removal does not ensure complete deletion (content may remain in backups, be cached, or have been copied by others).
The Service is not intended for users under 18. We do not knowingly collect information from minors.
14. EUROPEAN PRIVACY RIGHTS (GDPR)
14.1 Applicability
This section applies to individuals in the European Economic Area (EEA), United Kingdom, and Switzerland under the General Data Protection Regulation (GDPR) and UK GDPR.
14.2 Data Controller
Manuel Echavarria (operating as BPetit) is the data controller responsible for your personal data.
Contact Information:
- Email: bpetit.contact@gmail.com
- Postal Address: Jalan Medang Serai, Kuala Lumpur, Malaysia
14.3 Legal Bases for Processing
See Section 3 for detailed legal bases.
14.4 Your GDPR Rights
See Section 8.2 for comprehensive GDPR rights, including:
- Right to access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
- Right to withdraw consent
- Right to lodge a complaint with supervisory authority
14.5 International Data Transfers
See Section 5 for details on:
- Where your data is transferred
- Safeguards for international transfers (Standard Contractual Clauses)
- Your rights regarding transfers
14.6 Data Protection Officer
We are not currently required to appoint a Data Protection Officer (DPO) under GDPR Article 37 because:
- We are not a public authority
- Our core activities do not require large-scale monitoring
- Our processing of special categories is not on a large scale
If this changes, we will appoint a DPO and update this policy with contact information.
For privacy inquiries, contact: bpetit.contact@gmail.com
14.7 Supervisory Authority
You have the right to lodge a complaint with your national data protection supervisory authority.
Find Your Supervisory Authority:
- EU/EEA: https://edpb.europa.eu/about-edpb/board/members_en
- UK: Information Commissioner's Office (ICO) - https://ico.org.uk/
BPetit's Lead Supervisory Authority (expected):
- Spanish Data Protection Agency (AEPD) - https://www.aepd.es/ (if the company is formed in Spain)
14.8 Automated Decision-Making
We do not engage in automated decision-making (including profiling) that produces legal or similarly significant effects.
AI Chat: AI responses are informational only and do not constitute automated decision-making under GDPR Article 22. You are not obligated to follow AI advice, and decisions about your pet's care remain entirely within your control.
14.9 Special Category Data
Pet health data may be considered special category data under GDPR Article 9 (despite relating to animals, due to its sensitive nature).
We process this data based on your explicit consent:
- Obtained during account setup and when adding health information
- Can be withdrawn at any time
- Withdrawal does not affect prior lawful processing
15. CHANGES TO THIS PRIVACY POLICY
15.1 Updates
We may update this Privacy Policy from time to time to reflect:
- Changes in our practices
- Changes in applicable law
- New features or services
- User feedback
15.2 Notification of Changes
We will notify you of material changes by:
- Posting the updated Privacy Policy on the Service with a new "Last Updated" date
- Sending an email notification to your registered email address
- Displaying a prominent notice within the Service
- For significant changes: requesting your consent where required by law
15.3 Your Acceptance
Continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy.
If you do not agree to changes:
- Stop using the Service
- Delete your account
- Contact us to discuss concerns
15.4 Prior Versions
We maintain prior versions of this Privacy Policy for your reference. Contact us to request previous versions.
16. CONTACT US
16.1 Privacy Inquiries
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
- Email: bpetit.contact@gmail.com
- Subject Line: Include "Privacy Inquiry" for faster response
- Postal Address: Jalan Medang Serai, Kuala Lumpur, Malaysia
Response Time: We aim to respond within 7 business days (30 days for formal rights requests under GDPR/CCPA).
16.2 Data Protection Requests
To exercise your privacy rights (access, deletion, correction, portability):
- Email: bpetit.contact@gmail.com
- Subject: "Data Subject Rights Request" or "California Privacy Rights Request"
Include:
- Your full name
- Email address associated with account
- Description of request
- Verification information (we may request additional details)
16.3 General Support
For general customer support (not privacy-specific):
- Email: bpetit.contact@gmail.com
- Website: https://bpetit.app
16.4 Security Issues
To report security vulnerabilities or data breaches:
- Email: bpetit.contact@gmail.com
- Urgent: Use "URGENT - SECURITY ISSUE" in subject line
ACKNOWLEDGMENT
BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND AGREE TO ITS TERMS.
© 2025 Manuel Echavarria (BPetit). All rights reserved.
Last Updated: January 15, 2025 Effective Date: January 15, 2025 Version: 2.0