Privacy Policy
Effective April 22, 2026 · PawXchange LLC · Version 1.0
Applicable to members in the United States, Canada, and the European Union/EEA
Contents
1. Introduction
PawXchange LLC ("PawXchange", "we", "us", "our") is a Delaware limited liability company operating a community-based pet care exchange platform accessible via pawxchange.com and the PawXchange mobile application.
This Privacy Policy describes how we collect, use, store, share, and protect your personal data when you use our services. We act as data controller for personal information collected from our members.
For members in the EU/EEA, our representative under GDPR Article 27 is VeraSafe Ireland Ltd., Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23 AT2P, Ireland (contact details at pawxchange.com/eu-representative). For Québec members, the French-language version at pawxchange.com/fr/confidentialite prevails in the event of any conflict. For California residents, this Policy is provided in accordance with CalOPPA (Cal. Bus. & Prof. Code §§22575–22579).
By creating an account and using PawXchange, you acknowledge that you have read and understood this Privacy Policy.
2. What Data We Collect
2.1 — Identity Verification (via Stripe Identity)
To become a verified member, you must complete Stripe Identity verification. We collect, through Stripe: a live selfie (biometric liveness detection — where this constitutes biometric data under GDPR Article 9 or analogous laws, we rely on your explicit consent); a government-issued photo ID; and a proof of residence document (utility bill, bank statement, or lease less than 3 months old). Verification documents are reviewed by Stripe's automated systems and, where necessary, human reviewers.
2.2 — Address & Location Data
We collect your physical residential address, stored in a private Firebase subcollection (members/{uid}/private) — never shown publicly. It is converted to a geohash for approximate map positioning (neighborhood/distance only) and never disclosed as an exact street address to other members.
2.3 — Personal References
You provide the email addresses of 3 personal references. We collect each reference's email, their verification timestamp, and a secure token (expires after 30 days). Reference emails are not used for marketing.
2.4 — Pet Information
Species, breed, name, photographs, age, compatibility notes, and special needs. Photos are stored in Firebase Storage.
2.5 — Service History & Treats
All bookings, Treats transactions, reviews, and messages exchanged in connection with services. Retained for the duration of your membership and for 7 years thereafter for tax and regulatory compliance.
2.6 — GPS Tracking During Dog Walks
For dog walking services only, real-time GPS location is transmitted from the sitter's device to the owner during the active walk period. Captured only during an active walk, stored for 30 days in a dedicated Firestore collection, then automatically deleted. Requires your explicit consent via operating system permission prompts.
2.7 — Check-in / Check-out Photos & AI Verification
During every service, the sitter uploads a check-in photo (at service start) and a check-out photo (at service end). Each photo is stored in Firebase Storage and analyzed by Anthropic's Claude API (Haiku 4.5 model) to verify pet visibility and flag common issues. Photos are retained for the duration of the booking and deleted 90 days after service completion.
Photos sent to Anthropic are processed ephemerally via a single API call and are not retained by Anthropic beyond that request. The AI does not identify or analyze humans — it only verifies animal presence and photo quality.
2.8 — Payment Data
All payment processing is handled by Stripe. We receive transaction metadata (amount, date, membership tier, transaction ID) but never raw payment credentials.
2.9 — Device & Usage Data
Device type, operating system version, app version, session timestamps, and error logs — used for platform maintenance and stability.
3. How We Use Your Data
- Identity verification — to confirm you are who you say you are before granting verified member access
- Address verification — to confirm a genuine physical address for map positioning
- Reference verification — to build community trust before unlocking full platform access
- Service facilitation — to enable bookings, Treats transactions, GPS tracking, chat, reviews, and check-in/check-out verification
- Safety & security — to detect fraud, investigate reports, and protect members and animals
- Communications — booking confirmations, Treats balance updates, service reminders, and platform notifications
- Legal compliance — tax reporting, fiscal reporting, and responses to data subject requests
- Platform improvement — anonymized usage analytics and error diagnostics
4. Who We Share Data With
4.1 — Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing, Stripe Identity verification, security deposit authorization | USA |
| Google LLC (Firebase) | Database, authentication, file storage, serverless functions | USA (us-central1) |
| Anthropic, PBC | Photo wellbeing verification & pet bio generation (Claude Haiku 4.5) | USA |
| DeepL GmbH | In-app translation (11 languages) | Germany (EU) |
| Mapbox, Inc. | Map display and geolocation | USA |
| Resend, Inc. | Transactional email delivery | USA |
PawXchange does not sell your personal data. PawXchange does not share your data with advertisers. PawXchange does not permit any sub-processor to use your data to train AI or machine-learning models.
4.2 — Other Members
Visible to other verified members: your first name, profile photo, pet profiles, service ratings, reviews, neighborhood (not exact address), and approximate distance.
4.3 — Legal Disclosures
We may disclose personal data when required by applicable law, court order, subpoena, or when necessary to protect the rights, safety, or property of PawXchange, our members, or the general public.
5. Your Rights
5.1 — All Members
- Right of access — request a copy of the personal data we hold about you
- Right of rectification — correct inaccurate or incomplete data
- Right of deletion — request deletion of your account and data, subject to legal retention obligations
- Right to withdraw consent — for optional data processing, at any time
5.2 — EU/EEA Members (GDPR Articles 15–22)
- Right to data portability (Art. 20)
- Right to restriction of processing (Art. 18)
- Right to object to processing (Art. 21)
- Rights regarding automated decision-making (Art. 22)
- Right to lodge a complaint with your national Data Protection Authority
5.3 — California Residents
Right to know, delete, correct inaccurate personal information, opt out of sale (PawXchange does not sell personal information), and non-discrimination. Requests: tiffany@pawxchange.com — response within 45 days.
5.4 — Québec Residents (Law 25)
Right to data access, rectification, deletion, portability, and to withdraw consent. You may also request that automated decision-making be reviewed by a human.
5.5 — Canadian Residents (PIPEDA)
Right to access, correction, withdrawal of consent, and to file a complaint with the Office of the Privacy Commissioner of Canada. Privacy Officer: privacy@pawxchange.com (subject line: "Privacy Officer: Canada"). In the event of a security breach creating a real risk of significant harm, PawXchange will notify you and the OPC as soon as feasible.
5.6 — How to Exercise Your Rights
Contact privacy@pawxchange.com. We respond within 30 days (extendable once by a further 60 days under GDPR Article 12(3), with notice). Identity verification proportionate to the sensitivity of the request may be required.
6. Data Retention
| Data category | Retention period |
|---|---|
| Active account data | Duration of membership |
| Check-in/check-out photos | 90 days after service completion, then auto-deleted |
| GPS tracking data | 30 days after walk completion, then auto-deleted |
| Booking records & Treats transactions | 7 years after account closure (tax/regulatory compliance) |
| Reference verification records | Duration of membership |
| Identity verification data (Stripe) | Per Stripe's retention policy (stripe.com/privacy) |
| Marketing consent | Until withdrawn |
| Deleted account data | Purged within 30 days of request, except where legal retention applies |
7. International Data Transfers
PawXchange is a US-based company. For data transfers from the EU/EEA to the United States, we rely on:
- EU–U.S. Data Privacy Framework — where the sub-processor is self-certified (Stripe, Google LLC, Anthropic, PBC are currently certified; verifiable at dataprivacyframework.gov)
- EU Standard Contractual Clauses (Module 2 or 3) — for any sub-processor not DPF-certified, supplemented by a Transfer Impact Assessment and technical measures including TLS 1.2+ encryption in transit and at rest
DeepL GmbH is located in Germany — translation data does not leave the EEA.
8. Security
- TLS 1.2+ encryption for all data in transit
- Firebase Security Rules enforcing per-user access control
- Stripe's PCI-DSS compliant payment infrastructure
- API keys stored exclusively in Firebase Cloud Functions configuration — never in client-side code
- Role-based access controls limited to the minimum necessary
- Regular security reviews and automated vulnerability scanning
In the event of a breach posing a risk to your rights and freedoms, we will notify competent supervisory authorities within 72 hours (GDPR Article 33) and affected individuals without undue delay (GDPR Article 34).
9. Children's Privacy
PawXchange is not intended for individuals under 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we will delete it and terminate the associated account. Contact privacy@pawxchange.com if you believe a minor has created an account.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email with at least 30 days' advance notice. For material changes affecting EU residents, we will seek renewed consent where required by GDPR. The current version is always available in the app and at pawxchange.com/privacy.
11. Contact & Supervisory Authorities
Privacy inquiries: privacy@pawxchange.com
General support: tiffany@pawxchange.com
EU Digital Services Act notices: dsa-notices@pawxchange.com
EU/EEA
- France: CNIL — www.cnil.fr
- Spain: AEPD — www.aepd.es
- Germany: BfDI — www.bfdi.bund.de
- All EU/EEA authorities: edpb.europa.eu
Canada
- Federal: Office of the Privacy Commissioner — www.priv.gc.ca
- Québec: Commission d'accès à l'information — www.cai.gouv.qc.ca
United States
- California AG — oag.ca.gov/privacy
PawXchange LLC · privacy@pawxchange.com · pawxchange.com · Incorporated in Delaware, USA · Version 1.0 — April 22, 2026