Back to websiteChat on WhatsApp

Legal

Data Processors

The third-party service providers (data processors under DPDP §17) that handle parts of your personal data on our behalf, what each one receives, and where.

Effective date: 2026-05-30

Privacy PolicyTerms & ConditionsCancellation PolicyRefund PolicyCookies PolicyCommunication PolicyData Processors

Overview

Effective: 30 May 2026 (temporary version pending counsel review) Version: 1.0.0

Under §17 of the DPDP Act, when we engage another company to process your personal data on our behalf (a data processor), we remain responsible and must tell you who they are. This page lists every data processor we use, what data each one receives, and where they are based.

If you have questions, contact our Grievance Officer (see Privacy Policy §11).

Infrastructure

Vercel Inc. (USA)

  • What they do: Hosts our website and runs the server-side code.
  • What they receive: Every request to our site, including any personal data you submit in forms. Function execution logs (scrubbed of PII per our internal policy).
  • Privacy notice: https://vercel.com/legal/privacy-policy
  • Cross-border: USA. Standard contractual terms apply.

Supabase Inc. (USA / region-dependent)

  • What they do: Hosts our primary database (Postgres) and uploaded media files (object storage).
  • What they receive: All structured customer data, pet profiles, bookings, uploaded photos and videos.
  • Privacy notice: https://supabase.com/privacy
  • Cross-border: Database and storage are configured in the AWS region we've chosen. Some metadata may transit through Supabase's USA control-plane.

Amazon Web Services (AWS) India / global

  • What they do: Underlying cloud infrastructure for Supabase. Our object storage uses an S3-compatible interface.
  • What they receive: Same data as Supabase — they are Supabase's processor.
  • Privacy notice: https://aws.amazon.com/privacy/

Payment

Razorpay Software Pvt. Ltd. (India)

  • What they do: Processes online payments (UPI, cards, net banking, wallets).
  • What they receive: Your name, phone number, booking amount, order ID. Your actual card or UPI details go directly to Razorpay — we do not see or store them.
  • Privacy notice: https://razorpay.com/privacy/
  • Cross-border: India.

Communication

Meta Platforms Inc. (USA) — WhatsApp Cloud API

  • What they do: Delivers WhatsApp messages from us to you (booking confirmations, updates, etc.).
  • What they receive: Your WhatsApp-enabled phone number and the message content for each message we send.
  • Privacy notice: https://www.whatsapp.com/legal/privacy-policy
  • Cross-border: USA / EU.

Combirds (India) — backup WhatsApp gateway

  • What they do: Alternate WhatsApp message delivery gateway, used when Meta is unavailable.
  • What they receive: Same as Meta — phone number + message body.
  • Privacy notice: https://combirds.com/privacy
  • Cross-border: India.

Telegram FZ-LLC (UAE)

  • What they do: Receives operational alert messages for our grooming teams (e.g., "your next booking is in 60 minutes").
  • What they receive: Customer first name, slot time, masked phone number, action URL to the admin panel.
  • Privacy notice: https://telegram.org/privacy
  • Cross-border: UAE. We acknowledge this is a non-Indian processor; please review with the lawyer if any additional safeguards are required for the specific data we send.

AI / Internal operations tooling

OpenAI, L.L.C. (USA)

  • What they do: Powers parts of our internal operations tooling — operational summaries and reply drafting for our team.
  • What they receive: De-identified operational snapshots and prompts. We strip names, phone numbers, email addresses, exact addresses, and GPS coordinates before sending.
  • Privacy notice: https://openai.com/policies/privacy-policy
  • Cross-border: USA. OpenAI's stated retention for API data is up to 30 days for abuse monitoring; they do not train on API data by default.

Anthropic, PBC (USA)

  • What they do: Same role as OpenAI — internal operations tooling tasks.
  • What they receive: Same as OpenAI — de-identified content.
  • Privacy notice: https://www.anthropic.com/legal/privacy
  • Cross-border: USA.

Observability / Error monitoring

Functional Software, Inc. d/b/a Sentry (USA)

  • What they do: Captures uncaught errors and a small fraction of performance traces from our website and server so we can fix bugs quickly. Stores stack traces and minimal request metadata.
  • What they receive: Error type and message, file paths and line numbers from stack traces (symbolicated via source maps we upload), HTTP method and URL (NOT the body), the deployment release identifier, and the environment (production / preview). We do not send: request bodies, cookies, authentication headers, customer name / phone / email / address, GPS coordinates, or any field that matches our PII pattern list. Sentry's "Session Replay" feature, which would record customer screens, is disabled.
  • Cross-border: USA (Sentry's default ingest region). Standard processor terms apply.
  • Retention: Sentry's default plan retains issue data for 30 days (free) or 90 days (paid) — confirm against your plan.
  • Privacy notice: https://sentry.io/privacy/
  • Sub-processors: https://sentry.io/legal/subprocessors/

Analytics (only with your consent — see Cookies Policy)

Google LLC (USA) — Google Analytics 4, Google Ads

  • What they do: Measures how visitors use the site (GA4) and tracks ad conversion (Google Ads).
  • What they receive: De-identified browser events when you visit pages and conversion signals on bookings made via Google Ads, only if you have consented to marketing cookies. With Google Consent Mode v2, anonymised modeled measurement may also be sent if you consent to analytics-only — no persistent identifier is set in that mode.
  • Privacy notice: https://policies.google.com/privacy

Meta Platforms Inc. (USA) — Meta Pixel, Meta Conversions API

  • What they do: Measures Meta ad campaign performance.
  • What they receive: Two distinct signal paths. (a) Browser Meta Pixel — only loads and only fires if you have consented to marketing cookies. (b) Server-side Conversions API — fires on completed paid bookings regardless of cookie preferences, sending SHA-256 hashes of your phone, name, and city (hashes only, never plain text) plus the standard IP and user-agent of the request. The server-side signal is a one-time hashed transaction event, never sent on browsing alone, and does not place any cookie or identifier in your browser. We operate this carve-out under DPDP §7 legitimate-use for ad-effectiveness measurement on completed paid transactions.
  • Privacy notice: https://www.facebook.com/policy.php

Vercel Inc. (USA) — Vercel Analytics and Speed Insights

  • What they do: Measures site performance.
  • What they receive: Page-view and performance events; Vercel claims no PII is collected. Loaded only with analytics consent.
  • Privacy notice: https://vercel.com/legal/privacy-policy

Our internal handling

In addition to these third parties, our own engineering and operations team in India has access to customer data on a need-to-know basis. Internal access is logged.

Updates

When we add, remove, or change processors, we update this page and bump the version at the top. If a material change happens, we will notify you via WhatsApp or the cookie banner.

Document version: 1.0.0

Grievance OfficerDPDP Act, 2023 · §13

Pranay Panwar

Grievance Officer / DPO · All Tails

Email: hello@alltails.in

Phone: +91 97178 78052

Response window: within 30 days

If your concern is not resolved within 30 days, you may escalate to the Data Protection Board of India.

Manage your data & rights →

Need help with a booking?

For booking, payment, cancellation, or refund questions, contact hello@alltails.in or WhatsApp +91 97178 78052.