Privacy Policy

This Privacy Policy explains how Lion Den SL, operating the Petme platform, collects, uses, stores, and shares your personal data when you use our services. It applies to the Petme mobile application (the "App"), the website at https://petme.social (the "Website"), our blog, and any related products or services (together, the "Platform").

This Policy applies to all users of the Platform, including pet owners and pet sitters. Where specific provisions apply only to sitters, or only to users in particular markets, this is clearly indicated.

This Policy is compliant with Regulation (EU) 2016/679 (the "GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and other applicable privacy laws referenced in Section 13.

This Privacy Policy was last updated on 15 May 2026.

1. Data Controller

The data controller for personal data processed through the Platform is:

Lion Den SL
Registered in the Commercial Register of Spain, number B23836067
Registered office: Av. Maisonnave 41, 3ºB, 03003 Alicante, Spain
Privacy contact: privacy@petme.social

References to "Petme", "we", "us", or "our" in this Policy mean Lion Den SL.

2. Data Protection Contact

We have designated a data protection contact responsible for overseeing compliance with this Policy and applicable data protection law. You may contact them for any privacy query or to exercise your rights at privacy@petme.social.

We have assessed our processing activities and determined that a formal Data Protection Officer (DPO) designation under Article 37 GDPR is not mandatory at our current scale. We keep this assessment under review. Our data protection contact fulfils the function of a point of accountability for all data protection matters.

3. What Data We Collect

3.1 Data you provide to us

When you create an account, you provide: your name, email address, mobile phone number, date of birth, gender (male, female, or prefer not to say), username, and password.

When you create a pet profile, you may optionally provide: species, breed, age, gender, weight, energy level, temperament (behaviour with children and other pets), microchip status, spayed or neutered status, feeding instructions, alone-time tolerance, general care instructions, and veterinary contact information. None of these fields are mandatory. Pet profile data is shared with your confirmed sitter as a necessary part of the pet sitting service.

When you book a pet sitting service or register as a sitter, we collect the information necessary to process and manage that booking, including booking dates, service type, and your approximate location.

When you use our in-app messaging feature, we store the messages exchanged between you and other users in connection with your bookings.

You may also provide data voluntarily when you contact our support team, respond to surveys, or submit feedback.

3.2 Data from third-party login

You may register and log in using your Google or Apple account. In that case, we receive limited profile information from those providers — specifically your name and email address — in accordance with their own privacy policies and your settings with them. We use this data solely to create and authenticate your Petme account.

3.3 Data we collect automatically

When you use the Platform, we automatically collect the following data.

Log and device data: IP address, browser type and version, operating system, pages visited, access times, and device identifiers.

Approximate location derived from IP address: We use your IP address to determine an approximate location. This is used to show you sitters in your area and to ensure compliance with local laws. This is necessary for the core service and based on our legitimate interests in providing a localised experience.

Precise GPS location: With your explicit consent, we may access your device's GPS location to refine sitter search results. You may grant or withdraw this consent at any time through your device settings. Withdrawing consent does not affect your ability to use the Platform.

App analytics data: We use Firebase Analytics in the App to understand how users interact with features such as search, booking, and messaging. Firebase Analytics collects data such as screens viewed, session duration, and in-app events using a device-level installation identifier stored in app storage. This is not active on the Website. You can disable this through the App's privacy settings or your device's privacy controls.

Profile view data: When a logged-in user views a sitter profile, we record that a view occurred, along with the profile owner's user ID, the viewer's user ID, and time spent on the profile. This data is used to display view counts to profile owners as part of the Platform service. Non-logged-in visitors are not individually identified. No cross-profile behavioural tracking is performed.

App crash and stability data: We use Firebase Crashlytics to detect and diagnose technical errors in the App. This involves collection of device type, operating system version, and crash logs. No personally identifiable data is intentionally collected for this purpose.

Security data: We use Google reCAPTCHA on the Platform to protect against automated abuse and fraudulent registrations. reCAPTCHA collects device and behavioural interaction data to assess whether you are a human user. This is based on our legitimate interest in securing the Platform.

3.4 Identity verification data — sitters only

If you apply to become a sitter on the Platform, you are required to complete an identity verification process provided by Didit Technologies ("Didit"), an identity verification service. The verification process involves the collection of your full name, home address, identity document number and scan, a selfie photograph, biometric facial recognition data, and phone number verification. Your verification session video is recorded by Didit.

Before beginning verification, you will be presented with Didit's End User Terms and Privacy Notice, which you must accept. By accepting those terms, you give your explicit consent to Didit's processing of your biometric data for identity verification purposes under Didit's own terms, accessible at didit.me/terms/consumer and didit.me/terms/verification-privacy-notice.

Didit's automated biometric systems are not infallible. For this reason, Petme's team conducts a manual review of your verification records — including your identity document scan, selfie photograph, and biometric verification output — in order to make the final decision on whether to approve or reject your sitter application. This human oversight is a safeguard against erroneous automated outcomes. Before proceeding with your sitter application, you will be asked to give your explicit consent to Petme's team reviewing your identity verification records for this purpose.

We do not independently download or store raw biometric data outside of Didit's platform. Retention of verification records on Didit's platform is described in Section 9.

3.5 Payment data

All payment processing on the Platform is handled by Stripe, Inc. Stripe is an independent data controller for all payment-related data. We do not collect, see, or store your payment card details, bank account information, or any identity documents you submit directly to Stripe as part of their own payout verification process. Payment data is entered directly into Stripe's secure interface and is never transmitted through Petme's servers. For details on how Stripe processes your personal data, please refer to Stripe's Privacy Policy at stripe.com/privacy.

3.6 Blog and website — non-authenticated users

Our blog, hosted on the Website and accessible without logging in, displays advertisements served by Google AdSense. These ads are served using cookies placed by Google on your device. Consent for these cookies is sought through our cookie consent banner when you visit the Website. Google AdSense is used exclusively on the blog; it is not used within the App or any authenticated section of the Platform.

3.7 Protection Plan claims data

If you submit a request for consideration under the Petme Protection Plan, we will collect the information necessary to assess that request, which may include a description of the incident, photographic evidence, and relevant supporting documentation such as veterinary receipts. We do not store medical records or clinical documents beyond what you voluntarily submit as part of your request. Retention of this data is described in Section 9.

4. How and Why We Use Your Data

We use your personal data only for the specific purposes and on the lawful bases set out below. We do not use your data for any purpose incompatible with those stated here without first notifying you.

4.1 Account creation and management

Lawful basis: Performance of a contract — Article 6(1)(b) GDPR.

We use your registration data to create and manage your account, authenticate your identity, and provide you with access to the Platform.

4.2 Providing the pet sitting service

Lawful basis: Performance of a contract — Article 6(1)(b) GDPR.

We use your booking data, pet profile data, approximate location, and in-app messages to match you with suitable sitters, facilitate bookings, enable communications between users, and operate the pet sitting service.

4.3 Sitter identity verification

Lawful basis: Legitimate interests — Article 6(1)(f) GDPR for the verification requirement itself. Explicit consent — Article 9(2)(a) GDPR for Petme's manual review of biometric data from Didit verification records.

We require sitters to complete identity verification before accepting bookings. Because automated verification is not always accurate, a Petme team member manually reviews each result before a final decision is made. Sitters give explicit consent to this review at the point of application.

4.4 Analytics and Platform improvement

Lawful basis: Legitimate interests — Article 6(1)(f) GDPR.

We use Firebase Analytics (App only) and Firebase Crashlytics data to understand how users interact with the App, identify and fix errors, and improve functionality. Analytics data is collected at an aggregated level and does not involve identifying individual users for profiling or decision-making purposes. Google Analytics is not currently active on the Website.

4.5 Platform security and fraud prevention

Lawful basis: Legitimate interests — Article 6(1)(f) GDPR.

We use reCAPTCHA data, log data, and device information to prevent automated abuse, fraudulent registrations, and other security threats. We also use identity verification records to prevent banned users from re-registering under a different identity.

4.6 Transactional and service communications

Lawful basis: Performance of a contract — Article 6(1)(b) GDPR.

We send booking confirmations, reminders, account notifications, password reset emails, and security alerts via email and push notification. These are service communications, not marketing. They cannot be opted out of while your account remains active.

4.7 Marketing communications

Lawful basis: Consent — Article 6(1)(a) GDPR, or legitimate interests under the soft opt-in rule — Article 6(1)(f) GDPR and Article 21(2) of Directive 2002/58/EC as implemented in Spain under Article 21(2) of the LSSI-CE.

Where you have given your separate, explicit consent, or where we are entitled to rely on the soft opt-in for existing customers in respect of similar services, we may send you newsletters, feature updates, and promotional offers by email and push notification. You may opt out at any time as described in Section 10.

4.8 Legal compliance

Lawful basis: Legal obligation — Article 6(1)(c) GDPR.

We may process and retain your data to comply with applicable Spanish and EU law, respond to lawful requests from public authorities, and meet our tax and accounting obligations.

4.9 Enforcement and protection of rights

Lawful basis: Legitimate interests — Article 6(1)(f) GDPR.

We may use your data to investigate and resolve disputes, enforce our Terms of Service, and protect the rights, safety, and property of Petme, our users, and third parties.

5. Automated Processing, Content Ranking and Profile Views

The Platform uses automated ranking to order sitter search results by proximity to your location (using your IP-derived approximate location or, with your consent, your precise GPS location). This is the only automated ranking applied to search results.

The Platform records profile views and displays aggregate view counts to profile owners. This is a service feature, not an analytics or profiling operation. Logged-in viewers are identified by their user ID for deduplication purposes only. Non-logged-in visitors are not identified. View data is not used to build behavioural profiles or influence any decision affecting any user's rights or access to the Platform.

We do not use your data for behavioural profiling, interest-based targeting, or any automated individual decision-making that produces legal or similarly significant effects. Article 22 GDPR rights do not apply to our current processing. We will update this Policy if our practices change.

6. Third-Party Processors and Independent Controllers

We share your data with third parties only as described in this Policy. Processors acting on our behalf are bound by contractual obligations that restrict their use of your data to the specified purpose.

6.1 Processors acting on our behalf

Google LLC — Firebase Analytics (App analytics), Firebase Crashlytics (App crash reporting), Firebase Cloud Messaging (push notifications), and reCAPTCHA (security). Google processes data under Google's own privacy terms and under the EU–US Data Privacy Framework adequacy arrangement. Google Analytics is not currently active on the Website.

Amazon Web Services, Inc. (AWS) — Cloud infrastructure and transactional email delivery. Some AWS services used by Petme operate in the US East region. Transfers to AWS are covered by AWS's certification under the EU–US Data Privacy Framework. See Section 7.

n8n — Self-hosted workflow automation tool operated by Petme on our own infrastructure. Used for automated transactional email and internal notification workflows. Email delivery is routed through AWS.

Listmonk — Self-hosted email list management tool operated by Petme on our own infrastructure. Used for newsletter and marketing email campaigns.

MongoDB, Inc. (Atlas) — Cloud database services, hosted on EU-region servers.

6.2 Independent controllers

Didit Technologies — Identity verification for sitters. Users interact with Didit directly and accept Didit's own end-user terms before the verification process begins. Didit acts as an independent data controller for the biometric verification process. See Section 3.4 for details of Petme's access to Didit verification records.

Stripe, Inc. — Payment processing. Stripe acts as an independent data controller for all payment data submitted through its interface. See Stripe's privacy policy at stripe.com/privacy.

Google LLC (AdSense) — Display advertising on the Petme blog only (Website, accessible without login). Google sets its own advertising cookies subject to your cookie consent. This does not apply to the App or any part of the Platform that requires login.

Apple Inc. / Google LLC — Sign In with Apple and Sign In with Google. Where you use social login, those providers act as independent data controllers for their own data processing.

7. International Data Transfers

Lion Den SL is established in Spain and processes personal data primarily within the European Economic Area. Some of our third-party providers operate infrastructure outside the EEA, including in the United States. We ensure that all such transfers are subject to appropriate safeguards in accordance with Chapter V GDPR.

Google LLC and Amazon Web Services, Inc. are certified under the EU–US Data Privacy Framework (DPF), which the European Commission recognised as providing an adequate level of data protection in its Implementing Decision of 10 July 2023. Transfers of personal data to these providers are made on the basis of that adequacy decision.

For any transfers to the United States involving providers not covered by the DPF, we rely on the European Commission's Standard Contractual Clauses (Commission Implementing Decision 2021/914).

Transfers of personal data from the EEA to the United Kingdom are made on the basis of the European Commission's adequacy decision in respect of the UK, adopted under Article 45 GDPR.

8. How We Store and Protect Your Data

We store your data on infrastructure operated by Amazon Web Services and MongoDB Atlas. Our primary storage is located within the European Union. For AWS services operating in the US East region, transfers are covered by the safeguards in Section 7.

We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, destruction, or alteration. These include encrypted connections (HTTPS and TLS), access controls, and regular security reviews.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Agencia Española de Protección de Datos (AEPD) within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with Article 34 GDPR.

We retain personal data only for as long as necessary for the purposes described in this Policy, subject to applicable legal retention obligations. The following periods apply.

Account data (name, email address, profile information): retained for the duration of your active account. Following account closure, data is moved to a restricted archive and hard-deleted within 90 days, subject to the exceptions below.

Pet profile data: hard-deleted within 90 days of account closure.

Booking and transaction records: retained for 4 years from the date of each transaction, to comply with Spanish tax and accounting law (Ley General Tributaria, Article 66; Código de Comercio, Article 30).

In-app messages: retained for 12 months after the end of the associated booking, then deleted. Messages in active accounts are retained for the life of the account.

Analytics and crash data: retained in Google's infrastructure in accordance with the retention periods configured in our Google Analytics and Firebase settings, set to the minimum available period.

Identity verification records — sitters (Didit): retained on Didit's platform for 5 years from the date your sitter account is closed, on the basis of our legitimate interest in preventing fraudulent or duplicate re-registrations. If your account was closed due to a material breach of our Terms of Service, we may retain a record of the verification outcome for a longer period proportionate to the risk. We do not retain raw biometric data independently of Didit's platform.

Suspended accounts: where an account is suspended for breach of our Terms of Service, we retain the minimum data necessary to enforce the suspension and prevent re-registration for as long as the suspension is in force.

Protection Plan assistance data: retained for 5 years from the date of Petme's decision on the request, on the basis of potential legal proceedings and our legitimate interest in maintaining accurate records of outcomes. This period runs from the date of Petme's written decision, not from the date of submission.

On account deletion, data is initially moved to a restricted archive collection that is inaccessible to active users and systems, and is not used for any active processing purpose. This archive is hard-deleted at the end of each applicable retention period above. Access to the archive is restricted internally to the data protection contact and, where required by law, competent authorities.

10. Marketing Communications

We may send you newsletters, feature updates, and promotional communications by email and push notification.

Where you have given your explicit, separate consent at registration, we rely on that consent as the basis for marketing. Where we are permitted to do so on the basis of an existing customer relationship (soft opt-in), we may send marketing communications about similar services without fresh consent, subject to your right to opt out at any time.

You may opt out of all marketing communications at any time by: clicking the unsubscribe link in any marketing email; adjusting your notification preferences in the App settings; or contacting us at privacy@petme.social. Opting out does not affect transactional communications related to your account or active bookings.

You have an unconditional right to object to direct marketing at any time. We will act on any such objection immediately.

11. Cookies

We use cookies and similar technologies on the Website and App. For a full description of every cookie in use, its purpose, legal basis, and duration, please refer to our Cookie Policy.

All cookies currently active on the Website are either strictly necessary for the Website to function or are placed on the basis of our legitimate interest in security. No analytics or advertising cookies are currently in use on the Website. No prior consent is therefore required under Article 22(2) of the LSSI-CE for any cookie we currently set.

If we introduce analytics or advertising cookies in the future, we will update the Cookie Policy and implement a consent mechanism before those cookies are activated. You will be informed and given the opportunity to accept or decline before any non-essential cookies are placed on your device.

For cookies and similar technologies used in the App (Firebase Analytics, Firebase Crashlytics, Firebase Cloud Messaging), you can manage your preferences through the App's privacy settings or your device's privacy controls.

12. Minors

The Platform is not intended for use by anyone under the age of 16. By creating an account, you confirm that you are at least 16 years old. Sitters must be at least 18 years old; this is verified through our identity verification process with Didit.

Age at registration is confirmed by self-declared date of birth entry. We do not knowingly collect personal data from anyone under 16. If we become aware that a user is under 16, we will immediately suspend and delete their account and all associated data.

If you are a parent or guardian and believe your child has created an account on the Platform, please contact us immediately at privacy@petme.social and we will take prompt action.

13. Your Data Protection Rights

13.1 Rights under GDPR — EEA users

If you are located in the European Economic Area, you have the following rights under GDPR in respect of your personal data.

Right of access (Article 15): you may request a copy of the personal data we hold about you.

Right to rectification (Article 16): you may request correction of inaccurate or incomplete personal data.

Right to erasure (Article 17): you may request deletion of your personal data where no overriding legitimate reason exists for continued processing. Certain data may be retained where we have legal obligations or legitimate grounds as described in Section 9.

Right to restriction of processing (Article 18): you may request that we limit how we use your data in certain circumstances, for example while a rectification or objection request is pending.

Right to data portability (Article 20): you may request a copy of data you have provided to us in a structured, commonly used, machine-readable format.

Right to object (Article 21): you may object to processing based on legitimate interests. Your right to object to direct marketing is unconditional — we will act on it immediately without requiring any justification.

Right not to be subject to solely automated decision-making (Article 22): you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. As described in Section 5, we do not engage in such processing.

Right to lodge a complaint (Article 77): you have the right to lodge a complaint with a supervisory authority in your EU member state of habitual residence, place of work, or place of the alleged infringement. See Section 16 for supervisory authority contacts.

Right to judicial remedy (Article 79): you have the right to an effective judicial remedy against a data controller or processor if you consider that your rights have been infringed.

To exercise any of the above rights, please contact us at privacy@petme.social from the email address associated with your Petme account. We will respond within one month of receiving your request. For complex or numerous requests, we may extend this period by a further two months. We will notify you of any extension and its reasons within the first month.

We may ask you to confirm your identity before processing your request. Requests submitted from an email address other than the one registered to your Petme account will not be processed until your identity is verified.

13.2 Rights under UK GDPR — UK users

If you are located in the United Kingdom, you have equivalent rights under the UK GDPR as retained under the Data Protection Act 2018. To exercise your rights, contact us at privacy@petme.social. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

13.3 Rights under US state privacy laws — US users

If you are a resident of California, Virginia, Colorado, Connecticut, Texas, Florida, or any other US state with applicable comprehensive privacy legislation, you may have additional rights under those laws, which may include rights to access, delete, correct, and obtain a portable copy of your personal data, and to opt out of the sale or sharing of your personal data for targeted advertising or cross-context behavioural advertising purposes.

We do not sell your personal data to third parties. We do not use your data for targeted advertising within the App. We share limited technical data with Google through Google Analytics (Website and App) and with Google AdSense (blog, Website only). If applicable law treats this sharing as "selling" or "sharing for targeted advertising" purposes, you may opt out by: declining analytics and advertising cookies through our cookie consent banner; or contacting us at privacy@petme.social to request that your data be excluded from analytics processing.

California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). These include the right to know the categories of personal information collected, the right to know the purposes for which it is used, and the right to know the categories of third parties with whom it is shared. This information is set out in Sections 3 and 6 of this Policy. You may submit a verifiable consumer request to privacy@petme.social. We will not discriminate against you for exercising your CCPA/CPRA rights and do not offer any financial incentive in exchange for personal data.

13.4 Rights under Australian privacy law — Australian users

If you are located in Australia, your personal data is processed in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) as amended by the Privacy and Other Legislation Amendment Act 2024. You have the right to access and correct your personal data and to raise privacy complaints with us before escalating to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

13.5 Rights under Canadian privacy law — Canadian users

If you are located in Canada, your personal data is processed in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. You have the right to access and correct your personal data and to withdraw consent where consent is the applicable lawful basis. To exercise these rights, contact privacy@petme.social. You may also contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.

14. Changes to This Policy

We keep this Privacy Policy under regular review. Where we make changes that materially affect your rights or how we use your data, we will notify you by email or in-app notification before those changes take effect. The date of the most recent update is stated at the top of this Policy.

Continued use of the Platform after the effective date of any update constitutes your acceptance of the revised Policy.

15. How to Contact Us

For any questions about this Privacy Policy, to exercise your data protection rights, or to raise a privacy concern, please contact us at privacy@petme.social.

Postal address: Lion Den SL, Av. Maisonnave 41, 3ºB, 03003 Alicante, Spain.

We aim to acknowledge all privacy queries within 5 business days and to resolve them within one month.

16. Supervisory Authorities

The lead supervisory authority for Lion Den SL under GDPR's one-stop-shop mechanism (Article 56) is the Agencia Española de Protección de Datos (AEPD), as Lion Den SL's main establishment is in Spain.

Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6, 28001 Madrid, Spain
Tel: +34 900 293 183
www.aepd.es

If you are resident in another EU member state, you also have the right under Article 77 GDPR to lodge a complaint with the supervisory authority in your country of habitual residence or place of work.

Comissão Nacional de Proteção de Dados (CNPD) - Portugal - www.cnpd.pt

Garante per la protezione dei dati personali - Italy - www.garanteprivacy.it

Commission Nationale de l'Informatique et des Libertés (CNIL) - France -www.cnil.fr

Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) - Germany - www.bfdi.bund.de

Information Commissioner's Office (ICO) - United Kingdom - www.ico.org.uk

Office of the Australian Information Commissioner (OAIC) - Australia - www.oaic.gov.au

Office of the Privacy Commissioner of Canada - Canada - www.priv.gc.ca