PetBoard

Privacy Policy

Last updated: 12 February 2026

1. Introduction & Scope

PetBoard ("we", "us", "our") is a two-sided marketplace that connects pet owners with pet boarding and care providers across India. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the PetBoard mobile application and associated services.

This policy applies to all users of the PetBoard platform, including pet owners, service providers, and visitors. It covers data processed digitally within India and data of Indian residents processed in connection with our services.

This policy is published in compliance with:

Digital Personal Data Protection Act, 2023 (DPDPA)
Digital Personal Data Protection Rules, 2025 (DPDP Rules)
Information Technology Act, 2000 and the Sensitive Personal Data or Information Rules, 2011 (SPDI Rules)

2. Definitions

Term	Meaning
Data Principal	You — the individual whose personal data is being processed
Data Fiduciary	PetBoard — the entity that determines the purpose and means of processing your data
Data Processor	Third parties that process data on our behalf (e.g., Supabase, Razorpay)
Personal Data	Any data about an individual who is identifiable by or in relation to such data
SPDI	Sensitive Personal Data or Information — includes financial information, identity documents, biometric data, and passwords
Processing	Any operation performed on personal data, including collection, storage, use, sharing, and deletion

3. Personal Data We Collect

Category	Data Points	Sensitivity
Identity	Full name, email address, phone number, profile photo	Personal Data
Pet Information	Pet name, species, breed, age, weight, size category, medical notes, photos	Personal Data
Location	GPS coordinates, address, city, service area	Personal Data
KYC Documents	PAN card, driving licence, or passport scans; selfie photo	SPDI
Financial	Payment method details (processed via Razorpay), transaction history	SPDI
Communications	In-app chat messages between owners and providers	Personal Data
Device & Technical	Device type, OS version, app version, push notification tokens	Personal Data
Usage	Search history, booking history, app interaction patterns	Personal Data

We do not collect Aadhaar data. The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, Sections 29 and 37, prohibits private entities from collecting or storing Aadhaar numbers without a licence from UIDAI.

4. Purpose of Data Collection

Data Category	Purpose
Identity	Account creation, authentication, communication, customer support
Pet Information	Matching with suitable providers, displaying pet profiles, service customisation
Location	Finding nearby providers, displaying service areas, delivery of location-based services
KYC Documents	Identity verification of service providers for trust and safety. Documents are automatically deleted after verification review is complete.
Financial	Processing payments, refunds, invoicing, tax compliance (via Razorpay)
Communications	Facilitating pre-booking and during-booking communication between owners and providers
Device & Technical	Delivering push notifications, debugging, security monitoring
Usage	Improving the app experience, analytics, detecting misuse

We process your data only for the purposes stated above. We will not use your data for purposes beyond what is disclosed here without obtaining fresh consent (DPDPA, Section 6).

5. Legal Basis & Consent

We rely on the following legal bases for processing your data:

Consent (primary basis) — We obtain your free, specific, informed, and unambiguous consent before collecting personal data. Consent is collected through clear affirmative actions (no pre-ticked boxes).
Performance of contract — Processing necessary to fulfil a booking or service agreement you have entered into.
Legal obligation — Processing required to comply with applicable laws (e.g., tax records, law enforcement requests).
Legitimate uses under DPDPA Section 7 — Processing for responding to medical emergencies or ensuring safety of individuals.

For KYC documents and financial data (classified as SPDI), we obtain explicit written consent as required under SPDI Rules 2011, Rule 5.

6. Children's Data

Under the DPDPA, any individual under 18 years of age is classified as a child. PetBoard does not knowingly collect data from or provide services to children under 18 without verifiable parental or guardian consent.

If we become aware that we have collected data from a child without appropriate parental consent, we will delete that data promptly. We do not engage in tracking, behavioural monitoring, or targeted advertising directed at children.

7. Data Storage & Retention

Storage Location

All data is stored on Supabase, hosted on AWS infrastructure in Mumbai, India (ap-south-1). Your data resides within Indian territory in compliance with data localisation requirements.

Retention Periods

Data Type	Retention Period
Account data	While your account is active, plus 90 days after deletion request
KYC documents (files)	Automatically deleted immediately after verification review. Safety-net purge within 7 days for any files not cleaned up.
KYC metadata (status, timestamps)	Retained for the duration of the provider relationship to maintain verification status
Booking & payment records	Minimum 7 years (Income Tax Act, GST compliance)
Webhook payment metadata	Sanitised subset only (event type, payment ID, order ID, status, amount, method). Full Razorpay payloads are not stored.
Chat messages	Duration of the service relationship plus 90 days
Location data	Stored for matching and booking purposes; historical location data anonymised or deleted after 1 year
Push notification tokens	While notifications are enabled; deleted when disabled or account is deleted
Server logs	180 days (CERT-In Directions 2022)
System/security logs	Minimum 1 year (DPDP Rules 2025)

Inactivity rule: If your account is inactive for more than 1 year, we will send you a notification 48 hours in advance before erasing your personal data, unless retention is required by law (DPDP Rules 2025).

We share data only as necessary for delivering our services. We do not sell personal data to third parties.

Third Party	Data Shared	Purpose
Razorpay	Payment details, transaction amounts, user identity	Payment processing, refunds, fraud prevention. Razorpay Privacy Policy
Supabase	All stored data (as data processor)	Database hosting, file storage, authentication infrastructure. Supabase Privacy Policy
Expo / FCM / APNs	Device tokens, notification content	Delivering push notifications
Other platform users	Limited profile info (name, business name, ratings, service area)	Facilitating marketplace discovery and bookings
Government / regulators	As required by law	Legal compliance, law enforcement, tax authorities

All third-party data processors are contractually obligated to process data only for the stated purpose and to implement adequate security safeguards.

9. Cross-Border Transfers

Your primary data is stored in India (Supabase on AWS Mumbai). Certain third-party services (push notification infrastructure, analytics) may process limited data outside India.

Under the DPDPA, personal data may be transferred outside India unless the Central Government has restricted transfer to the destination country. Where data is transferred outside India, we ensure adequate protections are in place through contractual safeguards with the data processors.

10. Data Security

We implement reasonable security practices commensurate with the sensitivity of the data we process:

Encryption in transit — All data transmitted over TLS/SSL (HTTPS)
Encryption at rest — Database and file storage encrypted at rest via Supabase/AWS
Row Level Security (RLS) — Database-level access controls ensuring users can only access their own data
Access controls — Role-based access; admin operations require authenticated admin accounts
KYC document security — Stored in private storage bucket with provider-scoped RLS policies; auto-deleted after review
Signed URLs — KYC document access via time-limited (1-hour) signed URLs for admin review only
Authentication — Secure token-based authentication via Supabase Auth

We maintain security practices aligned with IS/ISO/IEC 27001 standards and conduct periodic security reviews as required under SPDI Rules 2011, Rule 8.

11. Data Breach Notification

In the event of a personal data breach:

We will notify the Data Protection Board of India within 72 hours of discovering the breach, providing details of the nature, extent, timing, and likely consequences.
We will notify affected Data Principals without unreasonable delay, describing the breach and the steps we are taking to mitigate it.
We will take immediate steps to contain the breach and prevent further unauthorised access.

12. Your Rights

Under the DPDPA and SPDI Rules, you have the following rights. We will respond to all requests within 90 days:

Right to Access — Obtain a summary of all personal data we hold about you and the processing activities performed on it.
Right to Correction — Request correction of inaccurate, incomplete, or misleading personal data.
Right to Erasure — Request deletion of your personal data when the purpose for which it was collected has been fulfilled, or when you withdraw consent. You can delete your entire account in-app via Profile → Delete My Account. This permanently removes your profile, pets, messages, notifications, and provider data; bookings and reviews are anonymised. KYC document data can also be erased separately via Profile → Verification → "Delete all my verification data".
Right to Withdraw Consent — Withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal. See Section 13 for details.
Right to Nominate — Nominate another person to exercise your rights on your behalf in case of death or incapacity.

To exercise any of these rights, contact us at privacy@petboard.in or use the in-app settings.

You may withdraw your consent at any time through:

In-app settings — Navigate to Profile → Privacy Settings to manage your consent preferences
Email — Send a withdrawal request to privacy@petboard.in

Withdrawal of consent is as easy as giving it, in compliance with DPDPA requirements.

Consequences of withdrawal: If you withdraw consent for essential processing (e.g., account data), we may be unable to provide our services and your account may be deactivated. We will inform you of the specific consequences before processing your withdrawal.

14. KYC Document Handling

Service providers may optionally complete identity verification (KYC) to earn a "Verified" trust badge. Our KYC process is designed with privacy by default:

Accepted documents: PAN card, driving licence, or passport only. We do not accept or store Aadhaar data (Aadhaar Act S.29/37).
Explicit consent required: You must provide informed consent before submitting documents. The consent purpose is: "Identity verification for provider trust badge on PetBoard marketplace."
Auto-deletion: Document and selfie files are automatically deleted from storage immediately after an admin completes the verification review. A daily automated safety-net process purges any remaining files within 7 days of review.
Metadata retained: Only the verification status (approved/rejected), timestamps, and document type are retained — not the document files themselves.
Right to erasure: You can delete all your verification data (files and records) at any time via Profile → Verification → "Delete all my verification data".
Access control: Documents are stored in a private storage bucket accessible only to you and authorised admin reviewers via time-limited signed URLs.

15. Location Data

When collected: Location is collected when you grant permission through the OS-level location dialog, for finding nearby providers and setting your service area.
Background collection: We do not collect location data in the background. Location is accessed only when the app is in active use.
How stored: GPS coordinates are stored as geographic points in our database for proximity search functionality.
Address privacy: Provider full addresses are only revealed to pet owners after a booking is confirmed. Search results show only the general area (e.g., "Andheri West, Mumbai").
Disabling: You may revoke location permissions at any time via your device settings. This will prevent location-based search from functioning but will not affect other app features.

16. In-App Chat & Messaging

Chat messages are stored to facilitate communication between pet owners and service providers.
Storage: Messages are stored in plaintext in our database. Data is encrypted in transit via TLS and at rest via AWS AES-256 disk-level encryption. Messages are not end-to-end encrypted.
Access: Messages are accessible only to the two parties in the conversation and to PetBoard for moderation, safety, and dispute resolution purposes.
Content moderation: Messages are automatically scanned for phone numbers and external contact details to maintain platform safety. Flagged messages may be reviewed by our team for abuse detection and platform safety enforcement.
Retention: Messages are retained for the duration of the service relationship plus 90 days, after which they are deleted.
Deletion: When you delete your account, all messages you sent are permanently deleted and conversations you participated in are removed.

17. Push Notifications

We use push notifications to send booking updates, messages, and occasional service reminders.
Data used: Device push tokens (Expo push tokens) and your notification preferences.
Opt-out: You may disable push notifications at any time via your device settings or in-app notification preferences.
Push tokens are stored only while notifications are enabled and are deleted when disabled or when your account is deleted.

18. Cookies & Tracking

The PetBoard mobile application does not use cookies. Our admin dashboard (web-based) uses browser session storage for authentication persistence only — no analytics or marketing cookies are used.

We do not use third-party analytics or advertising trackers in the mobile app.

19. Grievance Redressal

In accordance with the DPDPA and SPDI Rules 2011, Rule 5(9), we have appointed a Grievance Officer to address your concerns:

Grievance Officer

Name: Sahil Verman

Email: grievance@petboard.in

Phone: +91 9740551629

Address: G-128 Brigade Lakefront, Seetharampalya Hoodi Road, EPIP Zone, Bangalore, Karnataka 560048

We will acknowledge your grievance within 48 hours and resolve it within 30 days of receipt.

If you are not satisfied with our resolution, you may file a complaint with the Data Protection Board of India established under the DPDPA 2023.

20. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

We will notify you via in-app notification and/or email
The "Last updated" date at the top of this policy will be revised
For material changes that affect how we process your data, we will seek fresh consent where required

21. Contact Us

PetBoard

Email: privacy@petboard.in

Website: petboard.in

Registered Address: G-128 Brigade Lakefront, Seetharampalya Hoodi Road, EPIP Zone, Bangalore, Karnataka 560048