Introduction
Pet Breeder Hub, operated by SARL MACHETTO DOUGLAS ("PBD," "we," "our," or "us"), respects your privacy and is committed to protecting the personal data of all users of our platform. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you access or use petbreederdirectory.com, any associated mobile applications, APIs, and related digital properties (collectively, the "Platform"), and any of our online and, where applicable, offline services (collectively, the "Services").
This Privacy Policy applies to all users of the Platform, including prospective pet owners ("Pet Owners"), breeders ("Breeders"), and visitors. It is designed to comply with the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the French Data Protection Act (Loi Informatique et Libertés), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and all other applicable US state and international privacy laws.
This Privacy Policy should be read in conjunction with our Terms of Service, Cookie Policy, and Acceptable Use Policy, which are incorporated by reference.
If we make material changes to this Privacy Policy, we will notify you by email (sent to the address associated with your account), by posting a prominent notice on the Platform, or both, at least thirty (30) days before the changes take effect. Your continued use of the Platform after the effective date of any modifications constitutes your acceptance of the revised Privacy Policy.
1. Data Controller & Data Protection Officer
1.1 Data Controller
For the purposes of the GDPR and applicable EU/EEA data protection law, the data controller responsible for your personal data is:
SARL MACHETTO DOUGLAS ("PBD")
161 rue de la Confrérie, 74500 Publier, France
Email: [email protected]
1.2 Data Protection Officer
PBD has appointed a Data Protection Officer ("DPO") who can be contacted regarding any questions or concerns about this Privacy Policy, data processing activities, or to exercise your data protection rights:
Email: [email protected]
Address: 161 rue de la Confrérie, 74500 Publier, France
1.3 EU Representative
PBD is established in France. As our registered office is within the EU, no separate EU representative under GDPR Article 27 is required.
1.4 Lead Supervisory Authority
PBD's lead supervisory authority under the GDPR is the Commission Nationale de l'Informatique et des Libertés (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris CEDEX 07, France (www.cnil.fr).
2. Personal Data We Collect
We collect personal data from multiple sources depending on how you interact with the Platform and Services. "Personal data" means any information relating to an identified or identifiable natural person.
2.1 Personal Data You Provide Directly
Account Registration & Profile: When you create an account, you provide us with your name, email address, password, location (city, state/region, country, ZIP/postal code), and account type (Pet Owner or Breeder). Breeders additionally provide business name, breeding license numbers, breed specializations, kennel/cattery name, website URL, phone number, social media handles, and business address.
Breeder Listings & Profiles: Breeders may provide detailed information about their breeding program, including animal breed, health testing results, photographs and videos of animals and facilities, pricing, availability, pedigree and lineage information, veterinary references, and any certifications or accreditations.
Pet Owner Inquiries & Communications: When you contact a Breeder or use our messaging system, we collect the content of your messages, inquiry details, communication preferences, and any information you choose to share in those messages.
Reviews & Ratings: When you submit a review or rating, we collect your review content, star rating, photographs or media you upload, and the date and time of your submission.
Concierge & Matching Services: If you use our concierge services, you may provide preferences such as breed preferences, budget range, household information (yard size, children, other pets), lifestyle information, geographic search radius, and experience level with pets.
Payment & Billing Information: When you subscribe to a paid plan or make a purchase, you provide payment information (credit/debit card number, billing address, payment method details). Payment data is processed directly by our payment processor, Stripe, Inc. PBD does not store full credit card numbers on our servers. We receive from Stripe only a tokenized reference, last four digits, card type, expiration date, and billing address for record-keeping purposes.
Customer Support & Feedback: If you contact our support team, submit feedback, complete surveys, or report an issue, we collect your name, email address, the content of your communication, and any attachments you provide.
Identity Verification (Breeders): When Breeders apply for Verified or Trusted badges, they may provide government-issued identification, business registration documents, breeding licenses, veterinary references, facility photographs, and inspection reports. These documents are processed solely for verification purposes and are stored securely with limited access.
2.2 Personal Data Collected Automatically
Usage Data: We automatically collect information about how you interact with the Platform, including pages viewed, features used, search queries (breed, location, price range), click patterns, session duration, referring/exit pages, and interactions with listings and profiles.
Device & Technical Data: We collect device type, operating system and version, browser type and version, screen resolution, hardware model, unique device identifiers, IP address, mobile network information, and language and locale settings.
Location Data: We collect approximate location data (city/region level) derived from your IP address. If you enable location services on your device, we may collect precise geolocation data to provide location-based search results. You may revoke location permissions through your device settings at any time.
Cookies & Tracking Technologies: We use cookies, web beacons, pixels, local storage, and similar technologies to collect data about your browsing activity. See Section 8 and our Cookie Policy for full details.
2.3 Personal Data from Third-Party Sources
Social Media & Single Sign-On (SSO): If you register or log in using Google OAuth, we receive personal data that the authentication provider discloses to us, such as your name, email address, profile picture, and unique account identifier. We encourage you to review their privacy policies.
Analytics & Advertising Partners: We may receive aggregated or pseudonymized data from analytics providers (e.g., Cloudflare Web Analytics), advertising networks, and marketing platforms to measure Platform performance, advertising effectiveness, and user engagement.
Publicly Available Sources: We may collect information from publicly available databases, government registries (e.g., USDA breeder license databases), breed registries (e.g., AKC, FCI), and publicly available social media profiles to verify Breeder credentials and maintain directory accuracy.
Breeder-Provided Pet Owner Data: In some cases, Breeders may provide information about prospective Pet Owners when facilitating introductions through the Platform. Breeders are required to ensure they have the necessary consent or legal basis before sharing any third-party personal data with PBD.
3. How We Use Your Personal Data (Purposes & Legal Bases)
We process your personal data for the following purposes. For EU/EEA/UK users, we identify the legal basis under the GDPR for each purpose.
- Service Delivery — Creating and managing your account; facilitating breeder-pet owner connections; processing payments; providing concierge services; responding to inquiries. Legal basis: Performance of contract (Art. 6(1)(b)).
- Platform Improvement — Analyzing usage patterns; conducting research; improving features, search algorithms, and user experience; A/B testing. Legal basis: Legitimate interest (Art. 6(1)(f)).
- Breeder Verification — Verifying breeder identity, credentials, licenses, and facility information for trust and safety badges. Legal basis: Legitimate interest (Art. 6(1)(f)); Consent (Art. 6(1)(a)) for sensitive documents.
- Security & Fraud Prevention — Detecting, preventing, and investigating fraud, abuse, security incidents, animal trafficking, and violations of our Terms of Service. Legal basis: Legitimate interest (Art. 6(1)(f)); Legal obligation (Art. 6(1)(c)).
- Communications — Sending transactional emails, service updates, security alerts, policy changes, and account notifications. Legal basis: Performance of contract (Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f)).
- Marketing — Sending promotional offers, newsletters, breed alerts, and personalized recommendations (with consent where required). Legal basis: Consent (Art. 6(1)(a)); Legitimate interest (Art. 6(1)(f)) for existing customers (soft opt-in).
- Analytics & Advertising — Measuring advertising effectiveness; delivering relevant ads; understanding user demographics and interests. Legal basis: Consent (Art. 6(1)(a)) via cookie consent.
- Legal Compliance — Complying with applicable laws, regulations, legal processes, and governmental requests; responding to lawful subpoenas; reporting suspected animal trafficking or cruelty. Legal basis: Legal obligation (Art. 6(1)(c)); Vital interests (Art. 6(1)(d)) for animal welfare reporting.
- Dispute Resolution — Establishing, exercising, or defending legal claims; managing complaints and disputes. Legal basis: Legitimate interest (Art. 6(1)(f)).
Note: Where we rely on legitimate interest as a legal basis, we have conducted a legitimate interest assessment (LIA) balancing our interests against your rights and freedoms. You have the right to object to processing based on legitimate interest at any time. See Section 9 for details.
4. How We Share Your Personal Data
PBD does not sell your personal data in the traditional sense. We may share your personal data with the following categories of recipients:
4.1 Service Providers & Processors
We engage trusted third-party companies to perform services on our behalf, including:
- Hosting & Infrastructure: Contabo GmbH (VPS hosting, Germany/US); Cloudflare, Inc. (CDN, DDoS protection, DNS)
- Payment Processing: Stripe, Inc. (payment processing, billing)
- Search & Database: Meilisearch (search engine); PostgreSQL with PostGIS (database); Redis (caching)
- Object Storage: MinIO (self-hosted media and document storage)
- Communications: Twilio, Inc. (SMS verification, notifications); email service providers
- Analytics: Cloudflare Web Analytics; Google Analytics (where consent is obtained)
- Authentication: Google OAuth (single sign-on)
These service providers are contractually bound to process personal data only on our instructions, to maintain confidentiality, and to implement appropriate technical and organizational security measures. Where required by the GDPR, we have entered into Data Processing Agreements (DPAs) with all processors.
4.2 Breeders & Pet Owners (Platform Interactions)
When you submit an inquiry to a Breeder, your name, email address, and the content of your inquiry are shared with that Breeder. When a Breeder responds, their contact information is shared with you. This sharing is necessary to facilitate the Platform's core purpose. PBD is not responsible for how Breeders or Pet Owners use personal data received through the Platform.
4.3 Legal & Regulatory Disclosures
We may disclose your personal data where required or permitted by law, including:
- In response to valid legal process (court orders, subpoenas, warrants)
- To comply with applicable laws, regulations, and governmental requests
- To law enforcement or animal welfare authorities when we have a good-faith belief that disclosure is necessary to report suspected animal trafficking, cruelty, or illegal breeding activity
- To protect the rights, property, or safety of PBD, our users, animals, or the public
- To enforce our Terms of Service and other agreements
4.4 Business Transfers
In the event of a merger, acquisition, bankruptcy, reorganization, dissolution, or sale of all or substantially all of PBD's assets, your personal data may be transferred to the acquiring entity or successor. We will notify you via email and/or a prominent notice on the Platform of any such change in ownership or control of your personal data.
4.5 With Your Consent
We may share your personal data with other third parties when you have given us your explicit consent to do so.
4.6 Aggregated & De-Identified Data
We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you. This data may be used for industry research, market analysis, benchmarking, and public reporting. Such data is not considered personal data under applicable law.
5. International Data Transfers
5.1 Transfer Mechanisms
PBD is headquartered in France (EU). However, our Platform infrastructure includes servers located in the United States. When your personal data is transferred outside the European Economic Area (EEA), United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for transfers to processors and controllers in the United States and other third countries
- Data Processing Agreements: All third-party processors outside the EEA are subject to binding DPAs that incorporate SCCs and require equivalent data protection standards
- Supplementary Measures: Where required by the Schrems II decision (CJEU Case C-311/18), we implement supplementary technical and organizational measures, including encryption in transit and at rest, pseudonymization, and access controls
5.2 EU-US Data Privacy Framework
Where applicable, we may rely on third-party processors that have certified under the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the DPF, and/or the Swiss-U.S. DPF for transfers of personal data to the United States.
5.3 Your Rights Regarding Transfers
You have the right to request a copy of the safeguards used for international transfers of your personal data by contacting [email protected].
6. Data Retention
6.1 General Retention Principles
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, contractual, regulatory, or reporting obligations.
6.2 Specific Retention Periods
- Account data (active accounts): Duration of account plus 30 days after deletion request — Performance of contract
- Account data (inactive accounts): 24 months of inactivity, then anonymized or deleted — Legitimate interest
- Payment & billing records: 10 years from transaction date — French Commercial Code (Art. L123-22); tax law obligations
- Breeder verification documents: Duration of Breeder account plus 5 years — Regulatory compliance; anti-trafficking investigations
- User reviews & ratings: Duration of account; anonymized upon deletion — Legitimate interest (directory integrity)
- Messages & communications: 12 months from last message in thread — Performance of contract; dispute resolution
- Server logs & security data: 12 months — Security; legal obligation (LCEN, France)
- Cookie & analytics data: 13 months maximum — Per CNIL Recommendation on Cookies (2020)
- Animal trafficking investigation records: Minimum 5 years from report date — Legal obligation; public interest
- Marketing consent records: Duration of consent plus 3 years — Proof of consent (GDPR Art. 7(1))
After the applicable retention period expires, personal data is securely deleted, anonymized, or de-identified using industry-standard methods.
7. Security Measures
PBD implements appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with GDPR Article 32 and industry best practices.
Technical Measures
- Encryption of all data in transit using TLS 1.2+ (HTTPS enforced via Cloudflare)
- Encryption of sensitive data at rest (AES-256)
- Self-hosted infrastructure on dedicated virtual private servers (Contabo VPS)
- Database access restricted to authenticated and authorized services only
- Regular automated backups with encrypted offsite storage
- Web Application Firewall (WAF) and DDoS protection via Cloudflare
- Rate limiting and bot detection on authentication endpoints
- Multi-factor authentication available for all user accounts
- Regular security patching and vulnerability assessments
Organizational Measures
- Role-based access controls with the principle of least privilege
- Staff and contractor confidentiality agreements
- Data protection training for all personnel with access to personal data
- Documented incident response and data breach notification procedures
- Regular review and audit of data processing activities
- Data Processing Agreements with all third-party processors
Important: Despite our efforts, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for notifying us promptly of any suspected unauthorized access.
9. Your Rights — EU/EEA/UK (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR:
- Right of Access (Article 15): Obtain confirmation of whether we process your personal data and access a copy of that data.
- Right to Rectification (Article 16): Request correction of inaccurate personal data and completion of incomplete data.
- Right to Erasure (Article 17): Request deletion of your personal data where it is no longer necessary, where you withdraw consent, where you object to processing, or where it has been unlawfully processed. This right is subject to exceptions for legal obligations and defense of legal claims.
- Right to Restriction (Article 18): Request that we restrict processing while we verify accuracy, resolve an objection, or where processing is unlawful but you prefer restriction to erasure.
- Right to Data Portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON, CSV) and transmit it to another controller.
- Right to Object (Article 21): Object to processing based on legitimate interest or public interest at any time. You have an absolute right to object to direct marketing at any time.
- Right Regarding Automated Decision-Making (Article 22): Not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects. See Section 16.
- Right to Withdraw Consent (Article 7(3)): Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Right to Lodge a Complaint (Article 77): Lodge a complaint with a supervisory authority, in particular the CNIL (France).
How to Exercise Your Rights
Contact our Data Protection Officer at [email protected] or by mail to: DPO, SARL MACHETTO DOUGLAS, 161 rue de la Confrérie, 74500 Publier, France. We will respond within thirty (30) days. If the request is complex, we may extend this period by an additional sixty (60) days with notice. We will verify your identity before processing your request. There is no fee unless requests are manifestly unfounded or excessive.
10. Your Rights — United States (State Privacy Laws)
Depending on your US state of residence, you may have certain privacy rights, including:
- Right to Know/Access: Confirm whether we process your personal data and access the categories and specific pieces collected.
- Right to Delete: Request deletion of personal data collected from you, subject to certain exceptions.
- Right to Correct: Correct inaccurate personal data we maintain about you.
- Right to Data Portability: Obtain a copy of your personal data in a portable, readily usable format.
- Right to Opt Out of Sale/Sharing: Opt out of the sale or sharing of your personal data for targeted advertising purposes (see Section 17).
- Right to Opt Out of Profiling: Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
- Right to Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights.
- Right to Appeal: If we deny your request, you may appeal by contacting [email protected] with the subject line "Privacy Appeal."
How to Exercise Your Rights
Email us at [email protected], use the interactive privacy request form at petbreederdirectory.com/privacy-request, or call us at our toll-free number. We will verify your identity before processing your request.
11. Notice to California Residents (CCPA/CPRA)
This section applies solely to California residents as required by the CCPA/CPRA.
11.1 Categories of Personal Information Collected
In the preceding twelve (12) months, we have collected the following categories of personal information (see Appendix A for the detailed table):
- Identifiers (name, email, IP address, account name)
- Personal information described in Cal. Civ. Code § 1798.80(e) (name, address, telephone number, financial information)
- Commercial information (subscription history, transaction records)
- Internet or electronic network activity (browsing history, search history, Platform interactions)
- Geolocation data (approximate location from IP address)
- Inferences drawn from the above (breed preferences, engagement level, user type)
11.2 Sources of Personal Information
We collect personal information directly from you, automatically through your use of the Platform, from third-party authentication providers (Google OAuth), from analytics providers, from publicly available sources, and from Breeders who facilitate introductions.
11.3 Business & Commercial Purposes
We collect personal information for the purposes described in Section 3, including: service delivery, Platform improvement, security and fraud prevention, communications, marketing, analytics, legal compliance, and dispute resolution.
11.4 Sale and Sharing
PBD does not "sell" personal information in the traditional sense (i.e., for monetary consideration). However, under the CCPA's broad definition, our use of certain cookies and tracking technologies may constitute a "sale" or "sharing" of personal information with third-party advertising and analytics partners. The categories that may be "sold" or "shared" include: identifiers (online identifiers, IP address, device ID) and internet activity information (browsing history, interactions), shared with analytics and advertising networks.
We do not knowingly sell or share the personal information of consumers under 16 years of age.
11.5 Sensitive Personal Information
We do not use or disclose sensitive personal information (as defined by the CCPA) for purposes beyond those permitted under CCPA regulations.
11.6 Your California Rights
California residents have the rights described in Section 10, plus:
- Right to Opt Out of Sale/Sharing: Click "Do Not Sell or Share My Personal Information" in the Platform footer, enable the Global Privacy Control (GPC) signal, or email [email protected].
- Shine the Light (Cal. Civ. Code § 1798.83): Request information about our disclosure of personal information to third parties for their direct marketing purposes by emailing [email protected] with the subject line "Shine the Light Request."
11.7 Financial Incentives
PBD does not currently offer financial incentives or loyalty programs that require the collection of personal information in exchange for price differences or discounts.
11.8 Verification & Authorized Agents
We will verify your identity before processing CCPA requests by matching information you provide against your account records. Authorized agents must provide proof of written authorization, and we may contact you directly to confirm the request.
12. US State-Specific Supplementary Disclosures
12.1 Virginia (VCDPA)
Virginia residents have the right to access, correct, delete, and obtain a copy of their personal data, and to opt out of targeted advertising, sale of personal data, and profiling. Appeals may be directed to [email protected]. If we deny your appeal, you may contact the Virginia Attorney General.
12.2 Colorado (CPA)
Colorado residents have the rights listed above and may exercise them by contacting us using the methods in Section 10. We honor authenticated opt-out preference signals including the GPC. Appeals may be directed to the Colorado Attorney General.
12.3 Connecticut (CTDPA)
Connecticut residents have the rights listed above. We will respond within 45 days. Appeals may be directed to the Connecticut Attorney General.
12.4 Other States
Residents of Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Utah (UCPA), Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, and Maryland have privacy rights under their respective comprehensive consumer privacy laws. The specific rights vary by state but generally include the right to access, delete, correct, and opt out of sale, targeted advertising, and profiling. To exercise these rights, contact [email protected].
12.5 Illinois (BIPA)
PBD does not collect biometric data (fingerprints, facial recognition data, voiceprints, retina scans, or hand/face geometry). If biometric data collection becomes part of the Service in the future, PBD will comply with the Illinois Biometric Information Privacy Act (740 ILCS 14) and obtain written informed consent before collection.
12.6 Washington (My Health My Data Act)
PBD does not collect consumer health data as defined by Washington's My Health My Data Act. If this changes, we will update this Policy and obtain the required consent.
13. Universal Opt-Out Mechanisms
13.1 Global Privacy Control (GPC)
The Platform recognizes and honors the Global Privacy Control ("GPC") browser signal. If your browser or browser extension sends a GPC opt-out preference signal, we will treat it as a valid request to opt out of the sale and sharing of personal data and targeted advertising, as applicable under the laws of your jurisdiction. To enable GPC, visit globalprivacycontrol.org.
13.2 Do Not Track (DNT)
Some browsers include a "Do Not Track" (DNT) feature. Because there is no universally accepted standard for how to interpret DNT signals, PBD does not currently respond to DNT signals. However, we do honor the GPC signal as described above, which provides equivalent functionality.
13.3 Cookie Opt-Out
You may opt out of non-essential cookies at any time through the cookie settings tool available on every page of the Platform, or through the "Your Privacy Choices" link in the Platform footer.
14. Children's Privacy
The Platform and Services are not intended for, directed to, or designed to attract children under the age of sixteen (16). We do not knowingly collect, use, sell, or disclose personal data from children under 16. In the EU/EEA, we comply with the age thresholds set by each Member State under GDPR Article 8. In the United States, we comply with the Children's Online Privacy Protection Act ("COPPA") for children under 13.
If you are a parent or legal guardian and believe that your child under 16 has provided us with personal data, please contact us immediately at [email protected] with the subject line "Children's Data Privacy Request." We will take steps to delete such data promptly upon verification.
15. Third-Party Links & Services
The Platform may contain links to third-party websites, applications, and services that are not owned or controlled by PBD. This Privacy Policy does not apply to those third-party services. When you interact with the following third-party services through the Platform, their respective privacy policies apply:
- Stripe, Inc.: Payment processing (stripe.com/privacy)
- Google (OAuth): Authentication (policies.google.com/privacy)
- Cloudflare, Inc.: CDN, security, analytics (cloudflare.com/privacypolicy)
- Twilio, Inc.: SMS notifications (twilio.com/legal/privacy)
16. Automated Decision-Making & Profiling
16.1 Current Practices
PBD may use automated processes to:
- Rank and sort search results based on relevance, location, and user preferences
- Detect and prevent fraud, spam, and fake reviews
- Identify potential animal trafficking or welfare violations based on behavioral patterns
- Deliver personalized breed recommendations based on your stated preferences
16.2 No Solely Automated Decisions with Legal Effect
PBD does not currently make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects concerning you. All decisions with potential significant impact (e.g., account termination, Breeder badge revocation, content removal) involve human review.
16.3 Your Rights
If we introduce automated decision-making that produces legal or similarly significant effects, we will: (a) inform you of the existence of such processing; (b) provide meaningful information about the logic involved; (c) explain the significance and envisaged consequences; and (d) provide a mechanism to request human review. EU/EEA users have the right under GDPR Article 22 not to be subject to such solely automated decisions.
17. Do Not Sell or Share My Personal Information
If you are a resident of California or another US state with a "right to opt out of sale" provision, you may direct PBD to stop selling or sharing your personal information by:
- Clicking the "Do Not Sell or Share My Personal Information" link in the Platform footer
- Enabling the Global Privacy Control (GPC) signal on your browser
- Emailing [email protected] with the subject line "Do Not Sell or Share"
Once we process your opt-out request, we will cease selling or sharing your personal information to third parties for targeted advertising purposes. We will not ask you to re-authorize the sale or sharing for at least twelve (12) months after we receive your opt-out request, unless you initiate a transaction that requires disclosure as an integral part of the transaction.
18. Data Breach Notification
18.1 EU/EEA (GDPR)
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, PBD will notify the CNIL within seventy-two (72) hours of becoming aware of the breach, in accordance with GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay, in accordance with GDPR Article 34.
18.2 United States
PBD will comply with all applicable US federal and state data breach notification laws, including but not limited to the California Data Breach Notification Law (Cal. Civ. Code § 1798.29 and § 1798.82), and equivalent laws in all US states where affected individuals reside.
18.3 Breach Response
Our data breach response plan includes: immediate containment and investigation; assessment of risk to affected individuals; notification to supervisory authorities and affected individuals as required by law; remediation of the vulnerability; and post-incident review and documentation.
19. Accessibility
PBD is committed to ensuring this Privacy Policy is accessible to individuals with disabilities. If you wish to access this Privacy Policy in an alternative format (e.g., large print, audio, braille, or screen-reader-compatible), please contact us at [email protected].
20. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. If we make material changes, we will provide you with prominent notice as described in the Introduction. The "Last Updated" date at the top of this document indicates when this Privacy Policy was most recently revised. If you continue to use the Platform after the effective date of a revised Privacy Policy, you are deemed to have accepted the changes.
21. How to Contact Us
- General Privacy Inquiries: [email protected]
- Data Protection Officer: [email protected]
- DMCA/Copyright: [email protected]
- Accessibility: [email protected]
Mailing Address:
SARL MACHETTO DOUGLAS
Attn: Privacy / Data Protection Officer
161 rue de la Confrérie
74500 Publier, France
EU Supervisory Authority (Lead): CNIL — www.cnil.fr
EU ODR Platform: https://ec.europa.eu/consumers/odr
Appendix A: Categories of Personal Data Collected (CCPA Table)
The following identifies the categories of personal information collected in the preceding twelve (12) months, the sources, business purposes, and categories of third parties to whom each category is disclosed, sold, or shared.
- Identifiers (name, email, IP, account name) — Sources: directly from you; SSO providers; automatically. Purposes: service delivery; security; communications; marketing. Disclosed to: hosting providers; payment processors; Breeders (upon inquiry); email services. Sold/shared to: analytics providers; advertising networks (via cookies).
- Personal info per Cal. Civ. Code § 1798.80(e) (name, address, phone, financial info) — Sources: directly from you. Purposes: service delivery; payments; legal compliance. Disclosed to: payment processors (Stripe); hosting providers. Not sold/shared.
- Commercial information (subscription records, transactions) — Sources: directly from you; payment processor. Purposes: service delivery; billing; analytics. Disclosed to: payment processors; hosting providers. Not sold/shared.
- Internet/electronic activity (browsing, search, clicks) — Sources: automatically via cookies and tracking. Purposes: analytics; Platform improvement; security. Disclosed to: analytics providers; hosting providers. Sold/shared to: analytics providers; advertising networks (via cookies).
- Geolocation data (approximate, from IP) — Sources: automatically. Purposes: location-based search; analytics. Disclosed to: hosting providers; CDN. Not sold/shared.
- Inferences (preferences, engagement, user type) — Sources: derived from collected data. Purposes: personalization; recommendations; marketing. Not disclosed, sold, or shared.
We do not knowingly collect, sell, or share the personal information of consumers under 16 years of age. We do not use sensitive personal information for purposes other than those permitted under the CCPA and its regulations.
Appendix B: Data Processing Activities Summary (GDPR Article 30)
The following is a summary of PBD's principal data processing activities as required by GDPR Article 30. A complete Record of Processing Activities (ROPA) is maintained internally and is available to supervisory authorities upon request.
- Account registration — Data subjects: Pet Owners, Breeders. Categories: name, email, password, location. Legal basis: Contract (Art. 6(1)(b)). Recipients: hosting provider; SSO provider. Transfers: US (SCCs + DPA).
- Breeder verification — Data subjects: Breeders. Categories: ID documents, licenses, facility photos. Legal basis: Consent (Art. 6(1)(a)); Legitimate interest. Recipients: internal review only. Transfers: none (processed in EU).
- Payment processing — Data subjects: subscribers. Categories: payment card data (tokenized), billing address. Legal basis: Contract (Art. 6(1)(b)). Recipients: Stripe (processor). Transfers: US (Stripe DPF + SCCs).
- Messaging — Data subjects: Pet Owners, Breeders. Categories: message content, metadata. Legal basis: Contract (Art. 6(1)(b)). Recipients: hosting provider. Transfers: US (SCCs + DPA).
- Analytics — Data subjects: all users. Categories: usage data, device data, IP. Legal basis: Consent (Art. 6(1)(a)). Recipients: Cloudflare; Google Analytics. Transfers: US (SCCs; DPF).
- Marketing emails — Data subjects: opted-in users. Categories: name, email, preferences. Legal basis: Consent (Art. 6(1)(a)). Recipients: email service provider. Transfers: per provider (SCCs).
- Fraud & safety — Data subjects: all users. Categories: IP, device, behavioral patterns. Legal basis: Legitimate interest (Art. 6(1)(f)). Recipients: internal; law enforcement (if required). Transfers: none.