This DPA governs how Groomfiy processes personal data on behalf of Groomers (data controllers) who use our platform.
This Data Processing Agreement ("DPA") applies to Groomers who use Groomfiy to manage their pet grooming business. When you use Groomfiy, your customers' personal data is processed through our platform. Under data protection laws (including GDPR), you are the data controller and Groomfiy is the data processor. This DPA defines our responsibilities for protecting that data. This DPA is incorporated into and forms part of the Terms of Use.
In this DPA, the following terms have the meanings set out below. Capitalized terms not defined here have the meanings given in the Terms of Use.
This DPA applies to all Personal Data processed by Groomfiy on behalf of the Controller in connection with the provision of the Platform services.
| Element | Details |
|---|---|
| Subject Matter | Processing of Personal Data as necessary to provide the Groomfiy platform services, including appointment scheduling, customer management, payment processing, and communications. |
| Duration | For the duration of the Controller's subscription to Groomfiy, plus 30 days for active data deletion/return after termination (backup copies purged within 90 days per Section 9). |
| Nature of Processing | Collection, storage, organization, retrieval, use, disclosure (to Controller and authorized Sub-processors), and deletion of Personal Data. |
| Purpose | To enable the Controller to manage their pet grooming business, including: customer bookings, appointment management, payment processing, SMS/email communications, and analytics. |
| Categories of Data Subjects | Customers (pet owners) of the Controller, and their pets. |
| Types of Personal Data | Contact information (name, email, phone), addresses, pet information (name, breed, weight, photos, vaccination status, groomer notes), booking history, payment references (tokenized), and communication records. |
Groomfiy, as the Processor, shall:
3.1 Processing Instructions: Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. If Groomfiy becomes aware that an instruction from the Controller infringes Data Protection Laws, it shall promptly notify the Controller.
3.2 Confidentiality: Ensure that all persons authorized to process Personal Data have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
3.3 Security Measures: Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 7 (Security Measures) of this DPA.
3.4 Sub-processor Management: Not engage another processor (Sub-processor) without the prior general written authorization of the Controller, as detailed in Section 5 (Sub-processors) of this DPA.
3.5 Data Subject Rights: Assist the Controller, by appropriate technical and organizational measures, in fulfilling the Controller's obligation to respond to Data Subject requests, as detailed in Section 6 (Data Subject Rights).
3.6 Breach Notification: Notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting Personal Data, as detailed in Section 8 (Security Incidents).
3.7 Deletion/Return: Upon termination of the agreement, at the Controller's choice, delete or return all Personal Data to the Controller and delete existing copies, unless applicable law requires retention, as detailed in Section 9 (Data Deletion & Return).
3.8 Audit Cooperation: Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, as detailed in Section 10 (Audit Rights).
The Controller (Groomer) is responsible for:
5.1 General Authorization: The Controller hereby provides general written authorization for Groomfiy to engage Sub-processors to process Personal Data. The current list of Sub-processors is provided in Annex 1 below.
5.2 Notification of Changes: Groomfiy shall notify the Controller at least 30 days in advance of any intended changes to the list of Sub-processors (additions or replacements), giving the Controller the opportunity to object to such changes.
5.3 Right to Object: If the Controller objects to a new Sub-processor within 14 days of receiving notice, Groomfiy shall make reasonable efforts to provide an alternative solution. If no alternative is available, the Controller may terminate the affected services by providing written notice within 30 days.
5.4 Sub-processor Obligations: Groomfiy shall impose on each Sub-processor data protection obligations no less protective than those set out in this DPA, by way of a written contract. Groomfiy remains fully liable to the Controller for the performance of each Sub-processor's obligations.
| Sub-processor | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Stripe, Inc. | Payment processing (customer payments, groomer payouts) | United States | EU-US DPF / SCCs |
| Creem.io | Subscription billing management | European Union (Estonia) | SCCs |
| Twilio, Inc. | SMS notifications (booking confirmations, reminders) | United States | EU-US DPF / SCCs |
| Resend | Email delivery (confirmations, receipts) | United States | EU-US DPF / SCCs |
| Sentry (Functional Software, Inc.) | Error monitoring (anonymized technical data only) | United States | SCCs |
| Vercel, Inc. | Frontend hosting (Next.js application) | United States | SCCs |
| Railway Corp. | Backend hosting (Node.js/Express API) | United States | SCCs |
| Neon, Inc. | PostgreSQL database hosting (serverless Postgres) | United States (us-east-1) | SCCs |
Last Updated: May 8, 2026. To be notified of Sub-processor changes, ensure your account email is current.
6.1 Groomfiy shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subject rights under Data Protection Laws, including:
6.2 If Groomfiy receives a request from a Data Subject directly, Groomfiy shall promptly notify the Controller and shall not respond to the request without the Controller's instructions, unless required by applicable law.
6.3 Groomfiy provides self-service tools (data export, account deletion) that Controllers can use to fulfill Data Subject requests. For requests requiring additional assistance, contact privacy@groomfiy.com. Groomfiy shall respond to Controller assistance requests within 10 business days.
Groomfiy implements the following technical and organizational security measures to protect Personal Data (GDPR Article 32):
Breach Notification Commitment
Groomfiy will notify affected Controllers within 72 hours of becoming aware of any Security Incident affecting Personal Data.
8.1 Groomfiy shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident that affects the Controller's Personal Data.
8.2 The notification shall include:
8.3 Groomfiy shall cooperate with the Controller and provide reasonable assistance in investigating the Security Incident, fulfilling notification obligations to supervisory authorities and Data Subjects, and mitigating the effects of the breach.
8.4 Notification of a Security Incident shall not be construed as an acknowledgement of fault or liability by Groomfiy.
9.1 Upon termination of the Controller's subscription or upon written request, Groomfiy shall, at the Controller's choice:
9.2 Groomfiy shall complete the deletion or return within 30 days of receiving the request or termination, except where:
9.3 Backup copies may contain Personal Data for up to 90 days after deletion, after which they are permanently purged through standard backup rotation cycles.
9.4 Upon Controller request, Groomfiy shall provide written certification confirming that Personal Data has been securely deleted.
10.1 Groomfiy shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.
10.2 The Controller may, upon at least 30 days' written notice and no more than once per year (unless a Security Incident has occurred), conduct an audit or appoint a qualified third-party auditor to verify Groomfiy's compliance with this DPA. The auditor must enter into a confidentiality agreement acceptable to Groomfiy.
10.3 Groomfiy may satisfy audit requests by providing:
10.4 The Controller shall bear the costs of any audit, unless the audit reveals a material breach by Groomfiy, in which case Groomfiy shall bear the reasonable costs.
11.1 Groomfiy is based in the United States. Personal Data from the EU/EEA and UK will be transferred to and processed in the United States.
11.2 For transfers of Personal Data from the EU/EEA to the United States, Groomfiy relies on the following transfer mechanisms:
11.3 For transfers from the UK, Groomfiy relies on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable.
11.4 Groomfiy shall inform the Controller if it becomes aware that US laws or practices materially affect its ability to comply with this DPA, and shall cooperate with the Controller to implement additional safeguards where necessary.
12.1 Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Use.
12.2 Groomfiy shall indemnify the Controller for direct damages arising from Groomfiy's breach of this DPA or its obligations under Data Protection Laws, subject to the liability cap in the Terms of Use.
12.3 The Controller shall indemnify Groomfiy for any claims or damages arising from the Controller's processing instructions that infringe Data Protection Laws or from the Controller's failure to fulfill its obligations as data controller.
13.1 This DPA commences on the date the Controller creates a Groomfiy account and continues for the duration of the Controller's use of the Platform.
13.2 This DPA automatically terminates when the Controller's subscription ends and all Personal Data has been deleted or returned in accordance with Section 9.
13.3 The following provisions survive termination: Security Incidents (Section 8), Data Deletion & Return (Section 9), Liability (Section 12), and any obligations that by their nature should survive.
14.1 Governing Law: This DPA shall be governed by the same governing law as the Terms of Use.
14.2 Conflicts: In the event of a conflict between this DPA and the Terms of Use, this DPA shall prevail with respect to data processing matters.
14.3 Amendments: Groomfiy may update this DPA from time to time to reflect changes in Data Protection Laws or our processing practices. We will notify Controllers of material changes at least 30 days in advance.
14.4 Severability: If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
14.5 Entire Agreement: This DPA, together with the Terms of Use and Privacy Policy, constitutes the entire agreement between the parties regarding data processing.
For questions about this DPA or data processing matters:
Version: 1.1
Last Updated: May 8, 2026
Effective Date: May 8, 2026
Next Review: November 8, 2026