Privacy Policy

Effective: 30 May 2026 (temporary version pending counsel review) Version: 2.0.0 Operator: All Tails (operated by Petsie Technologies (OPC) Private Limited — CIN U72900HR2022OPC107548 — registered office at 512, Golf Course Ext Rd, Badshahpur, Sector 66, Gurugram, Haryana 122018)

This policy explains what personal data All Tails collects from you, why we collect it, how we use it, who we share it with, how long we keep it, and the rights you have under the Digital Personal Data Protection Act, 2023 (DPDP Act) and the rules made under it.

If anything here is unclear, contact our Grievance Officer (see §11).

---

All Tails is a doorstep pet grooming service operated by Petsie Technologies (OPC) Private Limited (CIN U72900HR2022OPC107548), registered office 512, Golf Course Ext Rd, Badshahpur, Sector 66, Gurugram, Haryana 122018. We are the Data Fiduciary for the personal data described in this policy.

You — the person booking a service for your pet or browsing our website — are the Data Principal under the DPDP Act.

---

We collect only what we need to deliver our service safely and to run our business. Specifically:

About you (the customer)

• Name
• Phone number (used as your account identifier and for service updates)
• Service address, landmark, pincode, and approximate GPS coordinates of the service location
• City
• Communication you send us on WhatsApp, phone, or other channels

About your pet

• Pet name, breed, weight, date of birth (if you provide it)
• Species (dog, cat, etc.) and the number of pets in your household that you register with us
• Temperament notes, medical conditions you flag for us
• Photos or videos you upload to help us prepare for the service
• Styling references you upload

About your bookings

• Service selected, date, time slot, add-ons
• Payment method (the actual card/UPI details go directly to our payment partner — we do not store them)
• Razorpay order and payment identifiers (so we can support you in case of payment issues)
• Booking history, cancellations, refunds
• Loyalty programme counters and reward eligibility

About how you reach us

• The link or campaign you clicked to find us (UTM tags, Google Ads click ID, Meta click ID)
• The pages you visit and the steps you complete in the booking flow
• Cookies set by analytics partners — these are described in our Cookies Policy

About service delivery (collected during the visit)

• The grooming team's en-route GPS pings on the day of your service
• Standard Operating Procedure (SOP) completion logs (e.g., dress-check, sanitisation, oil application, shampoo step, post-service clean-up)
• Before/after grooming photos or videos taken by our team for quality control
• Customer feedback and ratings you give us after the service

Quality Assurance (QA) records

• Step-by-step SOP completion timestamps and any proof images attached to each step
• Internal QA review notes, ratings, and outcomes (pass / coaching / re-do)
• Dispute and complaint resolution notes attached to the booking
• Coaching artefacts and salary-impact entries derived from a QA review (visible to the operations team only — never shared externally)

These QA records are used strictly for service-quality monitoring, safety auditing, dispute resolution, and internal team coaching. They are not used for advertising, profiling, or any decision that materially affects you without human review.

We do not knowingly collect data about children under 18 without verifiable parental consent. If you believe a minor has provided data to us, please contact our Grievance Officer and we will remove it.

---

We use your data only for the purposes listed below. Each purpose is independent — you can withdraw consent for any opt-in purpose without affecting the others.

---

We do not sell your data. We share it only with the following categories of recipients, and only the minimum data each needs to do its job. The full processor list with what each one receives is published at /legal/data-processors.

Our grooming team — receives your name, phone, address, pet details, and service brief for the booked appointment.

Payment partner — Razorpay — receives your name, phone, and order details to process payment. We do not store full card details on our servers.

Communication partners — Meta WhatsApp Cloud API and Combirds — receive your phone number and the message body to deliver booking updates.

Hosting and storage partners — Vercel, Supabase, AWS — host our website, database, and uploaded media files. They process data on our instructions; their privacy notices govern their handling.

Analytics partners — Google Analytics, Meta Pixel, Google Ads — receive de-identified browser event data and hashed identifiers only if you have consented to the relevant cookie category. The browser Pixel and the _ga / _gcl_* cookies never load without your consent.

Meta Conversions API — server-side, fires on completed paid bookings regardless of cookie preferences. When you complete a paid booking, our server sends a single hashed conversion event to Meta containing SHA-256 hashes of your phone, name, and city (hashes only, never plain text) and the standard IP + user-agent. No cookie or identifier is placed in your browser by this event. It runs under DPDP §7 legitimate-use for measuring the effectiveness of advertising on completed paid transactions. The full carve-out is detailed in the Cookies Policy §3.

AI partners — OpenAI and Anthropic — receive de-identified operational summaries used by our internal operations tooling. We strip names, phone numbers, exact addresses, and GPS coordinates before sending.

Operations team alerts — Telegram — when we need to alert our grooming team about an upcoming visit, we send the customer's first name, the slot, and a partially-masked phone number to a private Telegram group.

Error monitoring — Sentry — we use Sentry to capture uncaught errors and a small fraction of performance traces so we can fix bugs quickly. Before any event leaves your browser or our server, we run a scrubber that removes request bodies, cookies, authentication headers, and any personal data (names, phones, emails, addresses, GPS) that appears in error messages or breadcrumbs. We do not enable Sentry's Session Replay feature, which would record your screen.

Legal authorities — we may disclose data if required by Indian law (court order, regulator request) or to protect against fraud, safety threats, or breach of our terms.

---

Our primary database and uploaded media files are hosted by Supabase with primary infrastructure in the AWS region we have configured. The website itself is hosted on Vercel. Both providers operate globally, which means parts of the storage and serving infrastructure may be located outside India.

Other recipients listed above (Meta, OpenAI, Anthropic, Telegram) process data outside India.

The Indian government has not, as of the effective date of this policy, notified any restricted countries under §16 of the DPDP Act.

---

Our internal operations tooling uses Large Language Model (LLM) providers (OpenAI and Anthropic) to:

• Generate reply drafts for customer-care messages (an operator reviews before sending)
• Summarise platform activity into operational reports
• Surface signals and recommendations to our team

Before sending anything to an LLM provider, we run a PII scrubber that removes customer names, phone numbers, email addresses, exact street addresses, and GPS coordinates. The scrubber is conservative by design — when in doubt, it redacts.

LLM providers retain prompts for a limited time per their stated policies (typically 30 days). We do not use prompts to train models. We do not use AI to make automated decisions about your bookings that materially affect you (cancellations, refunds, refusals) without human review.

---

We keep data only as long as we need it for the purpose collected, plus any period required by Indian law. Specifics:

We may keep a piece of data longer if there is a live dispute, complaint, refund process, or legal hold; we'll tell you if your erasure request is delayed for that reason.

---

You have the following rights. The mechanism to exercise each is on your Privacy & Data Rights page:

Right to access — get a copy of the personal data we hold about you, the purposes, and the recipients we've shared it with.

Right to correction and updating — fix anything that's inaccurate or out of date.

Right to erasure — ask us to delete your data when the purpose is complete or you've withdrawn consent. We may retain a minimal record if there's a legal obligation (e.g., tax law) or an active dispute.

Right to withdraw consent — for any consent you've given. Withdrawing consent is as easy as giving it: there's a toggle on your Privacy & Data Rights page for each purpose. Withdrawal doesn't affect anything we did lawfully before you withdrew, and doesn't apply to purposes that don't rely on consent (e.g., tax records).

Right to grievance redressal — raise a complaint with our Grievance Officer (see §11). We respond within 30 days.

Right to nominate — you can nominate another individual to exercise your rights if you die or become incapacitated.

We will verify your identity before fulfilling a rights request (typically via OTP on your registered phone). Honest mistake or fraud — verification protects you.

---

We use commercially reasonable safeguards to protect your data:

• All website traffic over HTTPS
• Customer-facing service tokens are HMAC-signed
• Staff passwords are stored as scrypt hashes
• Database access is restricted to a small set of operators
• Administrative reads of customer data are logged (forthcoming as of effective date)
• Customer-uploaded media is moved to private storage with on-demand signed URLs (forthcoming as of effective date)
• PII is redacted from production logs and from AI prompts

No internet system can be guaranteed completely secure. If we discover a data breach affecting your data, we will notify the Data Protection Board of India and the affected customers as required by DPDP Rules §7.

---

Our website uses cookies and similar technologies for three purposes:

1. Essential — required to make the site work (your session, your cart, security). Always on.
2. Analytics — Google Analytics and Vercel Analytics, to measure traffic and improve the site. Off by default; on only with your consent.
3. Marketing — Meta Pixel, Google Ads conversion tracking, our marketing attribution. Off by default; on only with your consent. Server-side Meta Conversions API on completed paid bookings is a separate, narrow carve-out — see the Cookies Policy §3.

You can change these preferences anytime via the cookie banner footer link or your Privacy & Data Rights page. Details in our Cookies Policy.

---

If you have a question, concern, or complaint about how we handle your data, contact:

Pranay Panwar Grievance Officer / Data Protection Officer All Tails Email: hello@alltails.in Phone: +91 97178 78052 Address: 512, Golf Course Ext Rd, Badshahpur, Sector 66, Gurugram, Haryana 122018, India

We will acknowledge your complaint within 3 working days and respond substantively within 30 days.

If your concern is not resolved to your satisfaction within 30 days, you may escalate to the Data Protection Board of India under §13 of the DPDP Act.

---

We may update this policy when our service, the law, or our processors change. We will:

• Bump the version number at the top
• Update the Effective date
• Notify you by WhatsApp or email if the change is material
• Archive the previous version so we can show you what you originally agreed to

The version live at the time you give consent is the one you're consenting to; subsequent material changes won't apply to past consents until you accept the new version.

---

For anything not covered above:

• General enquiries: hello@alltails.in
• WhatsApp: +91 97178 78052
• Grievance Officer: see §11

---

Last reviewed by counsel: Pending — temporary version published 30 May 2026 Document version: 2.0.0