Data Processing Addendum

1. Why this document exists

This is a short, plain-English agreement about how PetBoard handles the personal data of your pet parents (and their pets) when you use PetBoard as your operations tool. It supplements — but does not replace — PetBoard's general Terms and Conditions (version 1.6 or later) which you already accepted when you signed up.

This document is designed to comply with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and to clearly define our respective responsibilities. It is written in plain English on purpose. If anything is unclear, email hello@petboard.in before accepting.

2. Consideration

The mutual consideration for this agreement is: (a) PetBoard providing you access to the platform and data processing services described in Section 6; and (b) you providing the warranties in Section 5 and paying (or committing to pay) any applicable subscription fees under PetBoard's published pricing. Both parties acknowledge that this mutual exchange constitutes sufficient and valid consideration under the Indian Contract Act, 1872.

3. Our roles under the DPDP Act

• You (the Operator) are the Data Fiduciary. You collect personal data from your pet parents for your own business purposes (boarding, sitting, training, daycare, etc.). You hold the direct relationship with the pet parent. You are accountable to them under the DPDP Act.
• PetBoard is the Data Processor. We host and process your pet parent data on your behalf and under your instructions. We do not use your data for our own purposes, do not share it with other operators, and do not sell it to anyone.

You are responsible for having a lawful basis to collect the data in the first place, for having a privacy notice that tells your pet parents how their data is used, and for responding to requests from parents about their data. PetBoard's job is to give you the tools to do that efficiently and to keep the data secure.

4. What data this covers

This agreement covers all personal data relating to your pet parents (and their pets) that is stored in PetBoard as a result of your use of the product. This includes but is not limited to:

• Parent names, phone numbers, email addresses, home addresses
• Emergency contacts, veterinarian contacts
• Pet names, breeds, ages, pet profile photos, medical history, vaccination certificates, behavioural notes, feeding instructions
• Stay records, activity logs, care notes, training session records
• Messages sent to or received from pet parents via PetBoard

What this agreement does NOT cover: care photos and videos (photos or videos of pets taken during their stay by you or your staff). As of v1.4, PetBoard does not store, process, or transmit care photos or videos. They are delivered directly to pet parents via WhatsApp from your or your staff's own device. PetBoard never receives a copy. The sole exception is a brief temporary-storage window when you have enabled the staff review workflow — see §6.9 Media non-retention below.

This agreement also covers any data bulk-imported from your previous tools (spreadsheets, Notion, other software) into PetBoard at your request. See Section 9 for import-specific terms.

5. Your warranties

By accepting this document, you confirm the following:

1. Lawful basis. You collected the personal data of your pet parents lawfully, through your existing business relationships, with their knowledge and (where required) their consent.
2. Authorization. You have the authority to share this data with PetBoard as your technology partner for the purpose of running your operations.
3. Privacy notice. Your own parent-facing privacy notice (or terms of service, waivers, intake forms) either covers the use of third-party technology service providers, or you commit to updating it within a reasonable time to do so.
4. Accuracy. To the best of your knowledge, the data you share with PetBoard is accurate. You will use PetBoard to correct it when you learn of inaccuracies.
5. Indemnity. If any of the above turns out to be materially untrue and PetBoard suffers losses, claims, or regulatory penalties as a direct result, you agree to cover the reasonable costs. For ordinary losses, this indemnity is capped at the fees you have paid PetBoard in the 12 months preceding the claim, or ₹10,000 if no fees have been paid, whichever is higher. This cap does not apply to regulatory fines or penalties levied by the Data Protection Board of India or any other competent authority where PetBoard's exposure arose directly from a breach of your warranties in this Section 5 — in those cases, you shall indemnify PetBoard for the full penalty amount attributable to your breach.

6. PetBoard's obligations

PetBoard commits to the following:

1. Process only on your instructions. We will only use your pet parent data to operate and improve the PetBoard product for you. We will not use it for our own commercial purposes, we will not sell it, and we will not share it with other operators or third parties except as listed in Section 6.
2. Security. We use industry-standard security measures: HTTPS/TLS encryption in transit, encryption at rest (via Supabase defaults), database-level access controls (Row Level Security with service-role enforcement), rate limiting, secure authentication, and security headers. The pet parent database of record is stored in AWS Mumbai (ap-south-1) and the primary data store never leaves India. Some transactional-email metadata (recipient name, email address, subject line) is processed by Resend (USA) or Brevo (EU) for delivery purposes, as disclosed in Section 7.
3. Breach notification. If we become aware of a personal data breach involving your data, we will notify you within 72 hours of discovery, including what happened, what data is affected, and what we are doing about it. This is so you can meet your own notification obligations under the DPDP Act.
4. Data subject requests. When you instruct us to delete, correct, or export specific pet parent data, we will execute the instruction within 15 working days. For urgent requests, we will move faster if notified in writing.
5. No data retention beyond necessity. We will not retain your data longer than necessary to provide the service. If you terminate your account, see Section 8.
6. Confidentiality. All PetBoard personnel, contractors, and agents (present and future) are bound by confidentiality in handling your data, under written confidentiality obligations that survive the end of their engagement with PetBoard.
7. Cooperation with regulators. If the Data Protection Board of India or any other competent authority makes a lawful inquiry about data we process on your behalf, we will cooperate and notify you (unless legally prohibited from doing so).
8. Staff access restrictions. PetBoard personnel will access your pet parent data only in the following circumstances: (a) providing support at your request; (b) executing a Data Subject Request you have instructed us to perform; (c) investigating a security incident or bug that requires access to diagnose; (d) complying with a lawful regulatory or legal obligation; (e) performing bulk imports or migrations you have requested. We do not browse, review, or process your client data for any other purpose — including product development, analytics, marketing, or quality assurance. We commit to building and maintaining an internal audit trail of all such staff access events, and to making it available to you on reasonable request. Until that audit trail is live in the product, each staff access event to your pet parent personal data is preceded by a written note in our internal runbook identifying the reason, scope, and timestamp.
9. §6.9 Media non-retention. As of v1.4 of this DPA, PetBoard does not store, process, or transmit care photos or videos of pets under your care. When you or your staff send a care update through PetBoard, the photos and videos are delivered directly to the pet parent via WhatsApp from your own device. PetBoard only records the structured activity (note text, timestamp, recipient list). The sole exception is the staff review workflow: if you enable "require review" for a staff member, photos and videos uploaded by that staff member are stored temporarily on PetBoard-controlled infrastructure so you can approve or reject them. Upon approval or rejection — whichever comes first — PetBoard automatically deletes the stored copy from its object storage and nulls the database pointer within seconds. Rejected uploads are deleted immediately. No retention beyond the review window.
10. Cross-operator isolation. PetBoard will never pre-fill, auto-complete, share, or otherwise route a pet parent's personal data from one operator account to another. Each operator's client data is logically and physically scoped by operator_id. A pet parent who has provided data to Operator A and later interacts with Operator B starts a fresh intake. This isolation is a hard product rule with no opt-out or "shared identity" mode.

7. Subprocessors

PetBoard uses a small number of trusted subprocessors to run the product. Each of these has their own privacy and security commitments. By accepting, you consent to their use:

We will notify you in writing (email or WhatsApp) at least 15 days before adding or changing a subprocessor. If you object to a new subprocessor, you may terminate this agreement and we will help you export and delete your data.

8. Data subject rights

Under the DPDP Act, your pet parents have the right to:

• Know what data you hold about them
• Correct inaccurate data
• Request deletion ("right to erasure")
• Withdraw previously given consent
• Raise grievances about data handling

How we handle these as processor:

1. Primary route: Parents should contact you (the Operator / Data Fiduciary), because you are the entity they have the direct relationship with.
2. Alternative route: If a parent contacts PetBoard directly at hello@petboard.in asking about their data, we will forward the request to you within 2 working days and ask you how to handle it. We will not independently act on the request without your instructions.
3. Execution: Once you instruct us, we will:
   • Delete: Soft-delete within 24 hours, hard-delete within 30 days (subject to any legal holds you flag). If you have active litigation or regulatory proceedings requiring preservation of specific records, email hello@petboard.in with the record IDs and we will suspend deletion until you release the hold in writing.
   • Export: Provide a JSON or CSV export of the parent's data within 15 working days
   • Correct: Update the records immediately on receipt of the corrected information
4. Response SLA: Under the DPDP Act, the Data Fiduciary (you) must respond within a reasonable time. PetBoard will enable you to meet any reasonable deadline you commit to.

9. Termination and data return

If you decide to stop using PetBoard:

1. Export window. For up to 30 days after termination, you may request a complete export of your data in JSON or CSV format. We will provide this at no cost.
2. Soft delete. On termination, your data is soft-deleted immediately (invisible in the product) but recoverable for 30 days.
3. Hard delete. After 30 days, your data is permanently deleted from our primary systems.
4. Backups. Backup copies may persist in our encrypted backup storage for up to a further 30 days before being overwritten, for disaster recovery purposes. Backups are not accessible to PetBoard staff in the normal course of business.
5. No lock-in. PetBoard commits to not hold your data hostage. If you want out, we help you leave.

10. Bulk imports

If PetBoard imported data for you from an existing tool (Notion, Excel, Google Sheets, another software product like Pettle) as part of your onboarding, this section applies.

1. Your attestation and ratification. You confirm that the imported data was originally collected by you under a lawful basis (your own existing privacy notice, consent, or legitimate business relationship), and that you are authorized to transfer it to PetBoard as your technology service provider. By accepting this DPA, you ratify and confirm your consent to the terms hereof with retrospective effect from the date of the import, as if this DPA had been in place at that time.
2. Source tracking. PetBoard will record that the data was imported, the source reference, and the date of import in our internal systems. If a pet parent ever asks "when did you get my data?", we can trace it to the import.
3. Review window. For 14 days after the import, you agree to review a sample of imported records for accuracy. If you find errors, we will correct them.
4. Prior tool cleanup. If you intend to stop using your previous tool after migration, you are responsible for ensuring that data is appropriately handled (deleted or retained) in that tool, subject to its own terms.

11. Changes to this agreement

If PetBoard needs to update this DPA (for example, because DPDP Rules get notified and we need to tighten a clause), we will notify you and show the updated version in your dashboard. You will be asked to re-accept the new version. If you do not accept within a reasonable period, we will discuss it in good faith; if we cannot agree, either party may terminate.

12. Limitation of liability

Other than the indemnity in Section 5(5), each party's total liability under this agreement is limited to the fees paid by the Operator to PetBoard in the 12 months preceding the claim, or ₹10,00,000 (ten lakh rupees) if no fees have been paid, whichever is higher. This limit does not apply to:

• Wilful breach of data protection obligations
• Gross negligence
• Fraud
• Breach of confidentiality

13. Governing law and disputes

This agreement is governed by the laws of India. Any dispute, controversy, or claim arising out of or relating to this agreement, or its breach, termination, or validity, shall be resolved as follows:

1. Negotiation. The parties will first attempt to resolve the dispute in good faith through direct discussion for at least 30 days from the date of written notice of the dispute.
2. Arbitration. If negotiation fails, the dispute shall be referred to and finally resolved by arbitration under the Arbitration and Conciliation Act, 1996 (as amended from time to time), with a sole arbitrator appointed by mutual agreement (or by the courts in Bangalore if agreement cannot be reached within 15 days). The seat of arbitration shall be Bangalore, Karnataka. The language of arbitration shall be English. The arbitral award shall be final and binding on both parties.
3. Emergency relief. Nothing in this clause prevents either party from seeking emergency injunctive or interim relief from courts in Bangalore, Karnataka before or during arbitration where delay would cause irreparable harm.

14. Term

This agreement starts on the effective date above and continues for as long as the Operator uses PetBoard. Sections 6 (Our obligations), 8 (Data subject rights), 9 (Termination and data return), and 12 (Liability) survive termination for as long as PetBoard holds any of the Operator's data.

15. Acknowledgment

By clicking "I Agree" in your PetBoard dashboard, you acknowledge:

1. You have read and understood this agreement
2. You are authorized to enter into it on behalf of your business
3. The representations in Section 5 are true and accurate
4. You will comply with the obligations described here

Your acceptance is recorded in our systems with a timestamp for audit purposes. You can request a copy of your acceptance record at any time by emailing hello@petboard.in.