Legal

Privacy Policy

Effective date: May 2, 2026 · Last updated: May 2, 2026

Plain English summary: We collect your name and email when you sign up. We use trusted third-party services to run the platform. We never sell your data. This policy explains everything in full.

Contents

1. Who We Are
2. Data We Collect
3. How We Use Your Data
4. Legal Basis (GDPR)
5. Third-Party Processors
6. Data Retention
7. Your Rights
8. Cookies
9. Security
10. International Transfers
11. Children's Privacy
12. Changes to This Policy
13. Contact

1. Who We Are

The Groomers Base ("we", "us", "our") is a cloud-based business management platform for independent dog groomers and small grooming salons, operated from the Republic of Cyprus within the European Union.

For the purposes of applicable data protection law, The Groomers Base is the data controller for groomer account data. When groomers collect and store client and pet data through our platform, The Groomers Base acts as a data processor on behalf of the groomer, who remains the data controller for that client data.

Contact: support@groomersbase.com

2. Data We Collect

2.1 Groomer Account Data

First name, business name, email address
Password (bcrypt-hashed — we never store plain-text passwords)
Business address, phone number, timezone, currency preference
Profile photo / business logo (optional, stored in Supabase Storage)
Social media links (optional)
Billing information — processed and stored by Stripe; we store only transaction references and subscription status, never raw card numbers

2.2 Client & Pet Data (Collected by Groomers)

Groomers use our platform to manage their own clients. Data entered by groomers or submitted by clients through the public booking page may include:

Client: full name, email address, phone number, home address (for mobile visits)
Pet: name, breed, size, weight, health notes, behavioural notes, photo
Appointment history, service records, groom report cards, before/after photos

Groomers are responsible for ensuring they have obtained any necessary consent from their clients before entering client data into The Groomers Base.

2.3 Usage & Technical Data

Server logs, IP addresses, browser type, and pages visited — used strictly for security, debugging, and service reliability. Not used for profiling or advertising.

2.4 Data We Do NOT Collect

We do not use advertising cookies, tracking pixels, or third-party analytics networks. We do not collect biometric data or any sensitive personal categories under GDPR Article 9.

3. How We Use Your Data

Create and maintain your groomer account
Provide booking, calendar, client management, and reporting features
Send transactional emails: booking confirmations, appointment reminders, groom report cards, subscription and payment notices
Send transactional SMS notifications to your clients (Pro plan only — coming soon, not yet active). When live, SMS will only be sent to clients who have given explicit opt-in consent via a checkbox on the booking page. Clients may opt out at any time by replying STOP to any SMS.
Process subscription payments and manage your billing relationship with us
Respond to support requests
Comply with legal obligations including financial record-keeping
Improve the platform using aggregated, anonymised usage data

We will neversell, rent, or share your data or your clients' data with third parties for advertising, profiling, or any purpose unrelated to operating the Service.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) or United Kingdom, we rely on the following legal bases under GDPR:

Contract performance (Art. 6(1)(b))

Processing your account data and providing the Service you subscribed to — including all booking, calendar, and notification features.

Legitimate interests (Art. 6(1)(f))

Improving the platform, preventing fraud, maintaining security, and providing customer support. We have carried out a balancing test and assessed that these interests do not override your rights.

Legal obligation (Art. 6(1)(c))

Retaining certain financial records as required by Cypriot and EU law (up to 7 years).

Consent (Art. 6(1)(a))

Marketing emails, where you have explicitly opted in. You may withdraw consent at any time by clicking "Unsubscribe" in any email we send.

5. Third-Party Processors

We share only the minimum data necessary for each service to function. All providers are bound by data processing agreements (DPAs). We do not share data with advertising networks or data brokers.

Supabase

Database & Authentication

Data shared: All account, client, pet, and appointment data

Processing region: EU (Frankfurt, Germany)

View Supabase privacy policy →

Stripe

Payment Processing

Data shared: Billing information, subscription data, transaction records

Processing region: USA (Standard Contractual Clauses)

View Stripe privacy policy →

Resend

Transactional Email Delivery

Data shared: Recipient email address, name, appointment details included in email body

Processing region: USA (Standard Contractual Clauses)

View Resend privacy policy →

Twilio

SMS Notifications — Coming Soon (Pro plan)

Data shared: Recipient phone number, appointment reminder message text. Not yet active — no data is currently processed by Twilio.

Processing region: USA (Standard Contractual Clauses)

View Twilio privacy policy →

Vercel

Hosting & Serverless Infrastructure

Data shared: Server request logs, IP addresses, response metadata

Processing region: EU (Dublin, Ireland)

View Vercel privacy policy →

6. Data Retention

Active account: Data retained for the duration of your subscription.
After cancellation: Data retained for 30 days to allow export and reactivation. After 30 days, all data is permanently deleted from our systems.
Financial records: Certain payment and invoice records are retained for up to 7 years as required by law.
Server logs: Retained for up to 90 days for security and debugging, then automatically purged.

7. Your Rights

Depending on your location, you have the following rights regarding your personal data. We respond to all verified requests within 30 days.

Right of Access

Request a copy of all personal data we hold about you.

Right to Rectification

Ask us to correct inaccurate or incomplete data.

Right to Erasure

Request deletion of your personal data ("right to be forgotten").

Right to Restrict Processing

Ask us to pause processing while a dispute is resolved.

Right to Data Portability

Receive your data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interests at any time.

Withdraw Consent

Unsubscribe from marketing emails at any time using the link in any email.

Lodge a Complaint

Contact your national supervisory authority if you believe your data has been mishandled.

To exercise any of these rights, email support@groomersbase.com with the subject line "Data Request". We may ask you to verify your identity before processing your request. If you are in the EEA and believe we have not handled your data correctly, you have the right to lodge a complaint with your national data protection authority.

8. Cookies

We use only essential cookies required for authentication and security. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

See our Cookie Policy for the full list of cookies we set and how to manage them.

9. Security

We implement industry-standard security measures including:

TLS 1.2+ encryption for all data in transit
Encrypted storage for all data at rest (Supabase EU region)
Row-level security — each groomer can only access their own data
Bcrypt-hashed passwords — we cannot read your password
Rate limiting on authentication and public-facing booking endpoints
Regular dependency updates and security patch management

In the unlikely event of a data breach affecting your rights or freedoms, we will notify you and relevant supervisory authorities within 72 hours as required by GDPR Article 33.

10. International Data Transfers

The Groomers Base operates from within the European Union. Our primary database and authentication (Supabase) and hosting infrastructure (Vercel) use EU-region servers.

Some processors (Stripe, Resend, and Twilio once SMS is activated) process data in the United States. All such transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46, ensuring adequate protection of your personal data.

11. Children's Privacy

The Groomers Base is a professional business tool intended solely for adults (18+). We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected data from a minor, please contact support@groomersbase.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 14 days in advanceand update the "Last updated" date above.

We will never materially reduce your rights under this policy without explicit notice and, where required, renewed consent.

13. Contact

For any questions, data requests, or concerns about this Privacy Policy:

The Groomers Base

Email: support@groomersbase.com

Subject line: "Privacy Request" or "Data Request"

We aim to respond within 5 business days and to complete data subject requests within 30 days as required by law.