1.1 Information You Provide Directly

• Account Information: Name, email address, phone number, business name, business address, GST identification number (GSTIN), and role within the organisation.
• Customer Data: Pet owner details (name, phone, email, address), pet records (name, breed, age, medical history, vaccination records, photos), booking details, invoices, payment records, staff information, and communications sent through the platform.
• Payment Information: Billing address and payment method details. Payment processing is handled by third-party payment gateways; we do not store complete credit/debit card numbers or UPI PINs on our servers.
• Communications: Emails, WhatsApp messages, support tickets, and feedback you send to us or through the Service.

1.2 Information Collected Automatically

• Device & Browser Information: IP address, browser type, operating system, device identifiers, screen resolution, and language preferences.
• Usage Data: Pages visited, features used, time spent, click patterns, search queries, and interaction logs.
• Cookies & Similar Technologies: Session cookies, authentication tokens, and analytics identifiers. See Section 7 for details.

1.3 Information from Third Parties

• WhatsApp Business API: Delivery status, read receipts, and message metadata for notifications sent on your behalf.
• Payment Gateways: Transaction status, payment confirmation, and settlement details.

We use the information we collect for the following purposes:

• Service Delivery: To provide, operate, and maintain the CuroPaw platform, including managing bookings, generating invoices, and sending notifications.
• Account Management: To create and manage your account, authenticate access, and enforce multi-tenancy isolation.
• Communication: To send transactional emails, WhatsApp notifications, booking confirmations, payment receipts, and service updates.
• Billing: To process subscriptions, generate GST-compliant invoices, and manage payment collections.
• Support: To respond to your inquiries, troubleshoot issues, and provide technical assistance.
• Improvement: To analyse usage patterns, improve features, fix bugs, and develop new functionality.
• Analytics: To generate aggregated, anonymised insights about platform usage (no individual identification).
• Legal Compliance: To comply with applicable laws, regulations, legal processes, and government requests.
• Security: To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.

We process your information based on the following legal grounds under Indian law:

• Consent: You provide consent when creating an account and agreeing to these terms.
• Contractual Necessity: Processing is necessary to perform our obligations under the Terms of Service.
• Legitimate Interest: Improving the Service, preventing fraud, and ensuring security.
• Legal Obligation: Compliance with the IT Act, GST regulations, and other applicable laws.

We do not sell, rent, or trade your personal information. We may share information with:

• Service Providers: Third-party vendors who assist in operating the Service (cloud hosting, payment processing, email delivery, WhatsApp Business API, analytics). These providers are bound by contractual obligations to protect your data.
• Within Your Organisation: Authorised Users within your Organisation can access Customer Data as permitted by the role-based access controls configured by your Organisation administrator.
• Legal Requirements: When required by law, regulation, legal process, or enforceable government request (including under the IT Act, 2000).
• Business Transfers: In connection with a merger, acquisition, reorganisation, or sale of assets, your information may be transferred to the successor entity, subject to equivalent privacy protections.
• With Your Consent: For any purpose not described here, we will seek your explicit consent before sharing.

5.1 Storage Location. Customer Data is stored on secure cloud infrastructure. Our primary database servers are hosted in data centres located in India. Backups may be stored in geographically distributed locations for disaster recovery.

5.2 Security Measures. We implement reasonable security practices and procedures as required under the SPDI Rules, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
• Role-based access controls and multi-tenant data isolation;
• Regular security assessments and vulnerability testing;
• Secure password hashing (bcrypt);
• Audit logging of administrative actions;
• Automated backups with encrypted storage.

5.3 Incident Response. In the event of a data breach that affects your personal information, we will notify you and the relevant authorities as required by applicable law, without unreasonable delay.

We retain your information for as long as necessary to fulfil the purposes described in this policy:

• Active Accounts: Customer Data is retained for the duration of your subscription.
• Post-Termination: Upon account termination, Customer Data is retained for 30 days to allow data export, after which it is permanently deleted.
• Legal Retention: Certain records (invoices, transaction records, GST-related data) may be retained for up to 8 years as required under Indian tax and accounting regulations.
• Anonymised Data: Aggregated, de-identified data may be retained indefinitely for analytics purposes.

We use the following types of cookies and similar technologies:

We do not use third-party advertising cookies. You can manage cookie preferences through your browser settings. Disabling essential cookies may impair Service functionality.

The Service integrates with or relies on the following categories of third-party services:

• Cloud Infrastructure: For hosting, storage, and content delivery.
• Payment Gateways: For processing subscription payments and business transactions.
• WhatsApp Business API: For sending booking notifications, reminders, and updates to pet owners on your behalf.
• Email Delivery: For transactional emails (receipts, password resets, notifications).
• Analytics: For understanding Service usage (anonymised data only).

Each third-party service operates under its own privacy policy. We encourage you to review their policies. We select providers who demonstrate appropriate data protection standards.

The Service is designed for use by businesses, not individual consumers. We do not knowingly collect personal information from individuals under the age of 18. If you are under 18, you may not create an account or use the Service. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.

Under the Information Technology Act, 2000, the SPDI Rules, 2011, and applicable Indian law, you have the following rights:

• Right to Access: You may request a copy of the personal information we hold about you.
• Right to Correction: You may request that we correct inaccurate or incomplete personal information.
• Right to Withdraw Consent: You may withdraw consent for processing at any time by contacting us. Withdrawal of consent may affect your ability to use the Service.
• Right to Data Portability: Upon termination, you may request your Customer Data in a structured, machine-readable format (CSV or JSON) within 30 days.
• Right to Grievance Redressal: You may raise concerns with our Grievance Officer (see Section 13).

To exercise any of these rights, please contact us at hello@curopaw.com. We will respond to your request within 30 days.

Our primary data storage is in India. However, some third-party service providers may process data outside India for purposes such as backup, content delivery, or analytics. Where data is transferred outside India, we ensure that the receiving party provides a comparable level of data protection through contractual safeguards, in compliance with the SPDI Rules.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or in-app notification at least 15 days before the changes take effect. The "Last Updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

In accordance with the Information Technology Act, 2000 and the SPDI Rules, 2011, we have appointed a Grievance Officer to address your concerns regarding data processing:

For questions or concerns about this Privacy Policy, please contact us: