Paw & Story — Privacy Policy
Version 0.9 (DRAFT) — Effective: [DATE]
DRAFT — pending owner/lawyer review. This is a template, not legal advice. Bracketed items are owner/counsel decisions and must be resolved before launch.
Your photos and memories are yours. This policy explains, plainly, what we collect, how we keep it safe, and how you stay in control.
1. Who is responsible
The data controller is [COMPANY_LEGAL_NAME], [REGISTERED_ADDRESS] ("we"). Contact: [hello@pawandstory.com].
2. What we collect
- Photos and videos you upload of your pet (your own content, with your consent, and with the consent of any people who appear in them).
- The answers you provide in the questionnaire.
- Basic account and purchase records (email, order details). Payment is handled by Stripe as merchant of record; we never receive or store your card data.
3. Why and on what legal basis
- To create and deliver your memorial book, tribute film, and memorial page — performance of a contract (GDPR Art. 6(1)(b)).
- To keep purchase records where the law requires it — legal obligation (Art. 6(1)(c)).
- To answer your messages and keep the Service secure — legitimate interest (Art. 6(1)(f)), balanced with care given the sensitive moment these orders often come at.
We do not use your uploads or answers for advertising, and we never sell your data.
4. How we store it
- EU-hosted, S3-compatible object storage.
- Encrypted at rest.
- We never use your uploads to train any model.
- Every image in your tribute is a real photo you uploaded — we never generate synthetic images of your pet.
5. Retention
- Originals and generated outputs are automatically deleted 90 days after delivery, unless you keep an active memorial page.
- You can erase everything immediately via /account/delete.
- Purchase records are kept only as long as tax and accounting law requires ([RETENTION_PERIOD_PER_JURISDICTION]).
6. Who receives data
- Stripe (merchant of record) — checkout, invoicing, tax, refunds.
- Our print partner ([PRINT_PARTNER_NAME]) — only for printed orders: the print file and your shipping address.
- EU hosting and storage providers ([HOSTING_PROVIDER_NAME]) acting as processors under GDPR Art. 28 agreements.
We do not transfer your photos outside the EU/EEA. If a transfer ever becomes necessary, it will rest on adequacy decisions or standard contractual clauses, and this policy will be updated first.
7. Your rights
Under the GDPR you have the right of access, correction, deletion, restriction, objection, and portability, and the right to withdraw consent at any time. Write to [hello@pawandstory.com] and we will respond within one month. You may also lodge a complaint with your local supervisory authority ([SUPERVISORY_AUTHORITY]).
8. Cookies and analytics
The Service uses only what is needed to work: session essentials and privacy-respecting, cookie-free analytics. No advertising trackers run on memorial pages. [Owner: confirm final analytics setup before launch.]
9. Changes
If this policy changes in a way that matters, we will post the new version here with a new effective date and, for significant changes, let you know by email.