Data Processing Agreement

This DPA governs how Groomfiy processes personal data on behalf of Groomers (data controllers) who use our platform.

Who Is This For?

This Data Processing Agreement ("DPA") applies to Groomers who use Groomfiy to manage their pet grooming business. When you use Groomfiy, your customers' personal data is processed through our platform. Under data protection laws (including GDPR), you are the data controller and Groomfiy is the data processor. This DPA defines our responsibilities for protecting that data. This DPA is incorporated into and forms part of the Terms of Use.

1. Definitions

In this DPA, the following terms have the meanings set out below. Capitalized terms not defined here have the meanings given in the Terms of Use.

  • "Controller" means the Groomer who determines the purposes and means of processing Personal Data through the Platform (i.e., you).
  • "Processor" means Hollmerz LLC, which processes Personal Data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Platform.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates (e.g., your customers and their pet information).
  • "Sub-processor" means any third party engaged by Groomfiy to process Personal Data on behalf of the Controller.
  • "Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including GDPR (EU 2016/679), UK GDPR, CCPA/CPRA, and any other applicable data protection legislation.
  • "Security Incident" or "Data Breach" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means the contractual clauses approved by the European Commission for the transfer of Personal Data to processors established in third countries (Commission Implementing Decision 2021/914).

2. Scope & Purpose of Processing

This DPA applies to all Personal Data processed by Groomfiy on behalf of the Controller in connection with the provision of the Platform services.

| Element | Details |
| Subject Matter | Processing of Personal Data as necessary to provide the Groomfiy platform services, including appointment scheduling, customer management, payment processing, and communications. |
| Duration | For the duration of the Controller's subscription to Groomfiy, plus 30 days for active data deletion/return after termination (backup copies purged within 90 days per Section 9). |
| Nature of Processing | Collection, storage, organization, retrieval, use, disclosure (to Controller and authorized Sub-processors), and deletion of Personal Data. |
| Purpose | To enable the Controller to manage their pet grooming business, including: customer bookings, appointment management, payment processing, SMS/email communications, and analytics. |
| Categories of Data Subjects | Customers (pet owners) of the Controller, and their pets. |
| Types of Personal Data | Contact information (name, email, phone), addresses, pet information (name, breed, weight, photos, vaccination status, groomer notes), booking history, payment references (tokenized), and communication records. |

3. Processor Obligations

Groomfiy, as the Processor, shall:

3.1 Processing Instructions: Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. If Groomfiy becomes aware that an instruction from the Controller infringes Data Protection Laws, it shall promptly notify the Controller.

3.2 Confidentiality: Ensure that all persons authorized to process Personal Data have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

3.3 Security Measures: Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 7 (Security Measures) of this DPA.

3.4 Sub-processor Management: Not engage another processor (Sub-processor) without the prior general written authorization of the Controller, as detailed in Section 5 (Sub-processors) of this DPA.

3.5 Data Subject Rights: Assist the Controller, by appropriate technical and organizational measures, in fulfilling the Controller's obligation to respond to Data Subject requests, as detailed in Section 6 (Data Subject Rights).

3.6 Breach Notification: Notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting Personal Data, as detailed in Section 8 (Security Incidents).

3.7 Deletion/Return: Upon termination of the agreement, at the Controller's choice, delete or return all Personal Data to the Controller and delete existing copies, unless applicable law requires retention, as detailed in Section 9 (Data Deletion & Return).

3.8 Audit Cooperation: Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, as detailed in Section 10 (Audit Rights).

4. Controller Obligations

The Controller (Groomer) is responsible for:

  • Lawful Basis: Ensuring that there is a valid legal basis for the processing of Personal Data, including obtaining any necessary consents from Data Subjects.
  • Data Accuracy: Ensuring the accuracy of Personal Data provided to Groomfiy.
  • Instructions: Providing documented processing instructions that comply with applicable Data Protection Laws.
  • Data Protection Impact Assessments: Conducting DPIAs where required by Data Protection Laws.
  • Data Subject Communication: Being the primary point of contact for Data Subjects regarding their rights and responding to their requests (with assistance from Groomfiy where needed).
  • Data Minimization: Ensuring that only necessary Personal Data is submitted to the Platform.

5. Sub-processors

5.1 General Authorization: The Controller hereby provides general written authorization for Groomfiy to engage Sub-processors to process Personal Data. The current list of Sub-processors is provided in Annex 1 below.

5.2 Notification of Changes: Groomfiy shall notify the Controller at least 30 days in advance of any intended changes to the list of Sub-processors (additions or replacements), giving the Controller the opportunity to object to such changes.

5.3 Right to Object: If the Controller objects to a new Sub-processor within 14 days of receiving notice, Groomfiy shall make reasonable efforts to provide an alternative solution. If no alternative is available, the Controller may terminate the affected services by providing written notice within 30 days.

5.4 Sub-processor Obligations: Groomfiy shall impose on each Sub-processor data protection obligations no less protective than those set out in this DPA, by way of a written contract. Groomfiy remains fully liable to the Controller for the performance of each Sub-processor's obligations.

Annex 1: Current Sub-processors

| Sub-processor | Purpose | Location | Transfer Safeguard |
| Stripe, Inc. | Payment processing (customer payments, groomer payouts) | United States | EU-US DPF / SCCs |
| Creem.io | Subscription billing management | European Union (Estonia) | SCCs |
| Twilio, Inc. | SMS notifications (booking confirmations, reminders) | United States | EU-US DPF / SCCs |
| Resend | Email delivery (confirmations, receipts) | United States | EU-US DPF / SCCs |
| Sentry (Functional Software, Inc.) | Error monitoring (anonymized technical data only) | United States | SCCs |
| Vercel, Inc. | Frontend hosting (Next.js application) | United States | SCCs |
| Railway Corp. | Backend hosting (Node.js/Express API) | United States | SCCs |
| Neon, Inc. | PostgreSQL database hosting (serverless Postgres) | United States (us-east-1) | SCCs |

Last Updated: May 8, 2026. To be notified of Sub-processor changes, ensure your account email is current.

6. Data Subject Rights

6.1 Groomfiy shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subject rights under Data Protection Laws, including:

  • Right of access (GDPR Article 15)
  • Right to rectification (GDPR Article 16)
  • Right to erasure / right to be forgotten (GDPR Article 17)
  • Right to restriction of processing (GDPR Article 18)
  • Right to data portability (GDPR Article 20)
  • Right to object (GDPR Article 21)

6.2 If Groomfiy receives a request from a Data Subject directly, Groomfiy shall promptly notify the Controller and shall not respond to the request without the Controller's instructions, unless required by applicable law.

6.3 Groomfiy provides self-service tools (data export, account deletion) that Controllers can use to fulfill Data Subject requests. For requests requiring additional assistance, contact privacy@groomfiy.com. Groomfiy shall respond to Controller assistance requests within 10 business days.

7. Security Measures

Groomfiy implements the following technical and organizational security measures to protect Personal Data (GDPR Article 32):

Technical Measures

  • Encryption in Transit: All data transmitted between clients and servers uses TLS 1.3 encryption.
  • Encryption at Rest: All databases, backups, and stored data are encrypted using AES-256.
  • Access Controls: Role-based access control (RBAC) with principle of least privilege. Multi-factor authentication for all administrative access.
  • Password Security: User passwords are hashed using bcrypt with an appropriate cost factor. No plaintext storage.
  • Network Security: Firewalls, intrusion detection, and DDoS protection on all production systems.
  • CSRF Protection: All state-changing API requests require CSRF token validation.
  • Rate Limiting: Authentication endpoints rate-limited to prevent brute-force attacks.
  • Security Headers: HSTS, Content Security Policy, X-Frame-Options, and other security headers enforced via Helmet.js.
  • PCI Compliance: Payment card data handled exclusively by Stripe (PCI-DSS Level 1 certified). Groomfiy never stores, processes, or transmits full card numbers.

Organizational Measures

  • Confidentiality: All personnel with access to Personal Data are bound by confidentiality obligations.
  • Data Minimization: Only data necessary for service delivery is collected and processed.
  • Regular Backups: Automated daily backups with geographic separation and encryption.
  • Incident Response: Documented incident response procedures with defined escalation paths.
  • Secure Development: Security-by-design principles applied throughout the software development lifecycle.

8. Security Incidents & Data Breach Notification

Breach Notification Commitment

Groomfiy will notify affected Controllers within 72 hours of becoming aware of any Security Incident affecting Personal Data.

8.1 Groomfiy shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident that affects the Controller's Personal Data.

8.2 The notification shall include:

  • A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records affected
  • The name and contact details of the point of contact for further information
  • A description of the likely consequences of the Security Incident
  • A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its adverse effects

8.3 Groomfiy shall cooperate with the Controller and provide reasonable assistance in investigating the Security Incident, fulfilling notification obligations to supervisory authorities and Data Subjects, and mitigating the effects of the breach.

8.4 Notification of a Security Incident shall not be construed as an acknowledgement of fault or liability by Groomfiy.

9. Data Deletion & Return

9.1 Upon termination of the Controller's subscription or upon written request, Groomfiy shall, at the Controller's choice:

  • Return all Personal Data to the Controller in a commonly used, machine-readable format (JSON or CSV); or
  • Delete all Personal Data and certify in writing that deletion has been completed.

9.2 Groomfiy shall complete the deletion or return within 30 days of receiving the request or termination, except where:

  • Applicable law requires continued retention (e.g., financial records for 7 years under US tax law)
  • Data is needed for the establishment, exercise, or defense of legal claims

9.3 Backup copies may contain Personal Data for up to 90 days after deletion, after which they are permanently purged through standard backup rotation cycles.

9.4 Upon Controller request, Groomfiy shall provide written certification confirming that Personal Data has been securely deleted.

10. Audit Rights

10.1 Groomfiy shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.

10.2 The Controller may, upon at least 30 days' written notice and no more than once per year (unless a Security Incident has occurred), conduct an audit or appoint a qualified third-party auditor to verify Groomfiy's compliance with this DPA. The auditor must enter into a confidentiality agreement acceptable to Groomfiy.

10.3 Groomfiy may satisfy audit requests by providing:

  • Copies of relevant security certifications or audit reports (e.g., SOC 2 Type II, ISO 27001, penetration test summaries)
  • Written responses to reasonable compliance questionnaires
  • Documentation of technical and organizational security measures

10.4 The Controller shall bear the costs of any audit, unless the audit reveals a material breach by Groomfiy, in which case Groomfiy shall bear the reasonable costs.

11. International Data Transfers

11.1 Groomfiy is based in the United States. Personal Data from the EU/EEA and UK will be transferred to and processed in the United States.

11.2 For transfers of Personal Data from the EU/EEA to the United States, Groomfiy relies on the following transfer mechanisms:

  • EU-US Data Privacy Framework (DPF): Where applicable, for Sub-processors certified under the DPF.
  • Standard Contractual Clauses (SCCs): EU Commission Implementing Decision 2021/914, Module Two (Controller to Processor), incorporated by reference into this DPA.

11.3 For transfers from the UK, Groomfiy relies on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable.

11.4 Groomfiy shall inform the Controller if it becomes aware that US laws or practices materially affect its ability to comply with this DPA, and shall cooperate with the Controller to implement additional safeguards where necessary.

12. Liability & Indemnification

12.1 Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Use.

12.2 Groomfiy shall indemnify the Controller for direct damages arising from Groomfiy's breach of this DPA or its obligations under Data Protection Laws, subject to the liability cap in the Terms of Use.

12.3 The Controller shall indemnify Groomfiy for any claims or damages arising from the Controller's processing instructions that infringe Data Protection Laws or from the Controller's failure to fulfill its obligations as data controller.

13. Term & Termination

13.1 This DPA commences on the date the Controller creates a Groomfiy account and continues for the duration of the Controller's use of the Platform.

13.2 This DPA automatically terminates when the Controller's subscription ends and all Personal Data has been deleted or returned in accordance with Section 9.

13.3 The following provisions survive termination: Security Incidents (Section 8), Data Deletion & Return (Section 9), Liability (Section 12), and any obligations that by their nature should survive.

14. General Provisions

14.1 Governing Law: This DPA shall be governed by the same governing law as the Terms of Use.

14.2 Conflicts: In the event of a conflict between this DPA and the Terms of Use, this DPA shall prevail with respect to data processing matters.

14.3 Amendments: Groomfiy may update this DPA from time to time to reflect changes in Data Protection Laws or our processing practices. We will notify Controllers of material changes at least 30 days in advance.

14.4 Severability: If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

14.5 Entire Agreement: This DPA, together with the Terms of Use and Privacy Policy, constitutes the entire agreement between the parties regarding data processing.

15. Contact

For questions about this DPA or data processing matters:

  • Privacy Email: privacy@groomfiy.com
  • Security Email: security@groomfiy.com
  • Postal Address: Hollmerz LLC, 30 N Gould St, Ste R, Sheridan, WY 82801, United States

Version: 1.1

Last Updated: May 8, 2026

Effective Date: May 8, 2026

Next Review: November 8, 2026