Privacy Policy

Last updated: October 20, 2025

Version: 1.1 (Updated with International Law Firm recommendations)

1. DATA CONTROLLER

The Data Controller is:

PETS-HOUSE LIMITED

2nd Floor College House

17 King Edwards Road

Ruislip, London

United Kingdom

Email: ao@pets-house.co.uk

Privacy Email: privacy@pets-house.co.uk

Phone: +44 1655 887077

Privacy Officer: Pets-House Privacy Team

Designated DPO: Angelo Orlandi

Direct Privacy Email: privacy@pets-house.co.uk

Response Time: Receipt confirmation within 5 business days, complete response within 30 days

2. GENERAL INFORMATION

Pets-House ("we", "our", "the Platform") is a social network dedicated to pet lovers. This Privacy Policy describes how we collect, use, store, and protect users' personal data in accordance with:

GDPR (General Data Protection Regulation - EU Regulation 2016/679)
UK GDPR (UK General Data Protection Regulation)
Data Protection Act 2018 (UK)
ePrivacy Directive (2002/58/EC) and UK PECR

Minimum age: Pets-House is intended exclusively for users aged 18 years or older. We do not knowingly collect personal data from individuals under 18. If we become aware that we have collected data from a minor, we will proceed immediately with deletion.

3. PERSONAL DATA COLLECTED

3.1 Data Provided Directly by Users

During registration and use of the Platform, we collect:

Identification Data:

First and last name
Email address
Date of birth
Password (encrypted with bcrypt)
Profile photo and cover image

Contact Data:

Phone number (optional)
City of residence
Hometown
Social media handles (Instagram, Facebook, TikTok, WhatsApp)
Personal website (optional)

Extended Profile Data:

Occupation/job
Personal biography
Pet ownership information (pet owner since, housing type, experience level)
Veterinarian reference
Favorite pet shop
Preferred association/shelter
Volunteer availability
Hobbies with pets
Certifications
Competitions won
Favorite breeds

Pet Data:

Pet name, type, breed, gender, age, date of birth
Pet profile gallery: Up to 3 photos + 1 video per pet profile (technical gallery limit)
Unlimited photos and videos: Through posts, albums, video feed, reels/pclips (no limit)
Photos with identifiable people: If pet photos include recognizable human faces (e.g., owner + pet selfie, family + animal), reinforced legal bases Art. 9 GDPR apply (see section 3.4)
Description and notes
Health documents (vaccination records, veterinary certificates, medical reports) - Special categories Art. 9 GDPR
Memorial information (if pet deceased)

User-Generated Content:

Text posts
Photos and videos uploaded in posts (unlimited)
Photo albums (unlimited, hundreds of photos possible)
Video feed (unlimited)
Reels/PClips (short videos, unlimited)
Comments and likes
Private chat messages
Event descriptions
Lost pet announcements

Event Data:

Title, description, date, time, duration
Precise geographic location (latitude, longitude, address) - Requires separate explicit consent
Event visibility (public/private)

Privacy Preferences:

Visibility settings for each profile field (public/friends/private)
Account type (Personal, Business, Nonprofit)
Specific consents (geolocation, cookies, communications)

3.2 Automatically Collected Data

Technical Data:

IP address
Browser type and version
Operating system
Device identifiers
Pages visited and session duration
Referrer URL
Cookies and session identifiers

Usage Data:

Platform interactions (likes, comments, shares)
Video views
Searches performed
Platform browsing history
Time spent on pages
Behavioral patterns (internal analytics only, not profiling)

Geolocation Data:

Approximate location (city/region) derived from IP address
Precise location (latitude, longitude GPS) - Only if voluntarily provided with explicit consent for:

- Events (event venue location)

- Lost pet announcements (loss location)

3.3 Data from Third-Party Services

Google OAuth (Sign in with Google):

When you sign in via Google, we receive from Google:

Full name
Email address
Profile photo
Google user ID (hash)
Preferred locale/language

This data is provided by Google with your explicit consent through Google's authorization screen and in accordance with Google's Privacy Policy.

Legal basis: Consent (Art. 6(1)(a)) + Contract performance (Art. 6(1)(b))

3.4 Biometric Data and Photos with People (Art. 9 GDPR)

IMPORTANT: Photos including identifiable people

When you upload photos or videos that include recognizable human faces (selfies with animals, family + pet photos, events with friends, etc.), you are providing biometric data that falls under special categories of personal data pursuant to Art. 9 GDPR.

Reinforced legal basis for photos with people:

1. Owner/User in photo (YOU):

Art. 9(2)(e) GDPR - Data manifestly made public by the data subject

By voluntarily uploading a photo of yourself (selfie with pet, profile photo, etc.) and actively choosing to make it public or visible to friends, you make your biometric data manifestly public
This is a derogation to the general prohibition on processing special categories (Art. 9(1))
You have full privacy control: you can set each photo as:

- Private (only you)

- Friends (only confirmed friends)

- Public (everyone, including search engines)

You can modify privacy or delete photos at any time

2. Other people in photo (identifiable THIRD PARTIES):

Art. 9(2)(a) GDPR - Explicit consent required

YOU ARE LEGALLY RESPONSIBLE for obtaining explicit, prior and documented consent from all identifiable people before uploading photos that include them
Consent must be:

- Freely given: Person can refuse without consequences

- Specific: For this photo, on this platform

- Informed: Explain where it will be visible (public/friends)

- Unambiguous: Written (message, email) or recorded verbal

- Documented: Keep proof of consent

Pets-House DOES NOT verify third-party consent (technically impossible) - it is your sole responsibility
Violations: May result in:

- Immediate content removal

- Account suspension (7-30 days)

- Permanent ban (serious or repeated violations)

- Personal legal liability towards harmed third parties

3. Minors in photos (under 18 years):

ABSOLUTE PROHIBITION (except exceptions)

FORBIDDEN to upload photos of minors without being the parent/legal guardian with parental responsibility
Even if you are a parent:

- Minor photos must be always private (owner only, never public)

- Pets-House disclaims responsibility for minor photos published in violation

Violations: Result in immediate account deletion + report to competent authorities if appropriate

Best Practice Recommendations:

✅ DO:

Prefer photos of the animal only without people
If including people, always ask prior consent
Keep proof of consent (message screenshot, email)
Use "Friends" or "Private" privacy for sensitive photos

❌ DON'T:

Upload photos from private events without participant consent
Publish photos of minors
Ignore removal requests from third parties

4. PURPOSES AND LEGAL BASIS OF PROCESSING

4.1 Performance of Contract (Art. 6(1)(b) GDPR) + Special Categories (Art. 9 GDPR)

Main purposes:

Create and manage your user account
Provide access to the Platform and its services
Allow you to create pet profiles
Manage social features (posts, comments, likes, shares)
Enable chat between users
Manage events and participations
Publish lost pet announcements
Manage photo and video albums

Data processed: Identification data, contacts, profile, content, messages, pet data

Consequences of refusal: Inability to use the Platform

SPECIAL CATEGORIES PROCESSING - Pet Health Data (Art. 9 GDPR)

Data relating to animal health (health records, vaccination certificates, veterinary documents) fall under special categories of personal data pursuant to Art. 9 GDPR.

Reinforced legal basis:

1. Art. 9(2)(e) GDPR - Data manifestly made public

Applicable when you voluntarily upload and make health documents public

2. Art. 9(2)(a) GDPR - Explicit consent

Required when uploading health documents → Mandatory consent checkbox at upload time
Specific informed consent
Revocable at any time

Documents always private by default:

Health documents are always private upon creation
To share them requires explicit action with consent confirmation

4.2 Legitimate Interest (Art. 6(1)(f) GDPR)

Purposes:

Improve and optimize the Platform
Analyze usage (internal analytics, not profiling)
Ensure security and prevent fraud
Detect and prevent abuse, spam, inappropriate content
Protect rights of Pets-House and users
Manage disputes and legal claims
Technical maintenance and debugging
Backup and disaster recovery

Data processed: Usage data, technical data, access logs, IP address

Right to object: You can object by contacting privacy@pets-house.co.uk

4.3 Consent (Art. 6(1)(a) GDPR and Art. 9(2)(a) GDPR)

Purposes:

Precise geolocation for lost pet announcements
Marketing communications (future implementation)
Non-necessary cookies (analytics, marketing)
Upload pet health documents and their sharing
Upload photos with human faces

Valid consent characteristics:

✅ Freely given, specific, informed, unambiguous

✅ Separate (unbundled)

✅ Documented

✅ Easily revocable

4.4 Legal Obligation (Art. 6(1)(c) GDPR)

Purposes:

Respond to requests from competent authorities
Retain cookie consent records (12 months)
Notify data breaches to authorities (72h)
Retain logs for cybercrime investigations
Comply with court orders

5. PROCESSING METHODS

5.1 Processing Means

Personal data is processed with electronic and automated tools:

Infrastructure:

MySQL 8.0 database with encryption at rest (AES-256)
Google Cloud Storage with encryption and versioning
Laravel 11 application server on GCP
Cloudflare CDN for static content

Security protocols:

HTTPS/TLS 1.3 for all communications
OAuth 2.0 for authentication
Bcrypt hashing for passwords (cost factor 12)
CSRF tokens on all forms
Rate limiting (100 req/min per IP)

Backup:

Automatic daily at 02:00 UTC
Incremental every 6 hours
AES-256 encryption
30-day retention
Multi-region (EU + UK)

5.2 Data Access

Access limited according to need-to-know principle:

Authorized personnel:

System administrators: 2 people
Backend developers: 3 people
Customer support: 2 people
DPO/Privacy Officer: 1 person

Tracked access:

Every access logged (who, when, what data)
Logs retained 12 months
Quarterly anomaly review

Third-party data processors:

Google LLC (hosting, OAuth, email)
Cookie-Script (consent management)
All bound by DPA Art. 28 GDPR

5.3 Data Security (Art. 32 GDPR)

Technical Measures:

Encryption:

In transit: HTTPS/TLS 1.3
At rest: AES-256 for database and storage
Passwords: Irreversible bcrypt
Backup: AES-256

Application security:

Web Application Firewall (WAF) Cloudflare
24/7 Intrusion Detection
CSRF protection
SQL Injection prevention (prepared statements)
XSS prevention (HTML escaping, CSP)
Rate limiting and DDoS protection

Organizational Measures:

Annual mandatory GDPR training
Security awareness training
Password policy (min 16 characters staff, 2FA)
Incident Response Plan
72h data breach notification

Data Breach Response:

1. Detection and containment (1 hour)

2. Severity assessment (4 hours)

3. ICO/Garante notification (72 hours)

4. User notification (24-72 hours if high risk)

5. Remediation and post-mortem

6. DATA SHARING AND DISCLOSURE

6.1 Sharing with Other Users (Social Network Nature)

Pets-House is a public social network.

Public Content:

Visible to everyone (including search engines):

User profile (if set public)
Public posts
Public pet profiles
Public events
Lost pet announcements (always public)

Friends-Only Content:

Visible only to confirmed friends:

"Friends-only" posts
"Friends-only" pet profiles
Private events

Private Content:

Visible only to you:

Pet health documents (always private)
Chat messages (sender + recipient)
Profile fields set as "private"

Granular Privacy Control:

Each field has toggle: public/friends/private
Modifiable at any time
Safe defaults for sensitive content

6.2 Sharing with Third-Party Services (Data Processors)

Google LLC (USA)

Services: GCP hosting, OAuth, Gmail SMTP

Data shared: All user data, content, logs

Location: EU primary (Belgium, London), USA backup

Transfer legal basis: Standard Contractual Clauses (SCC) 2021/914

Additional safeguards:

Encryption in transit and at rest
Limited access policies
Data residency options (EU/UK primary)
Transparency reports

Privacy Policy: https://policies.google.com/privacy

DPA: https://cloud.google.com/terms/data-processing-addendum

Cookie-Script (EU/USA)

Service: Consent Management Platform (CMP)

Data: Pseudonymized IP, cookie preferences, timestamp

Location: Frankfurt (EU) primary, Virginia (USA) backup

Legal basis: SCC

Retention: 12 months

Cloudflare (Global)

Service: CDN, DDoS protection, WAF

Data: IP, HTTP headers, Cloudflare cookies

Legal basis: Legitimate interest (security)

Privacy: https://www.cloudflare.com/privacypolicy/

6.3 No Data Sale

WE EXPLICITLY DECLARE:

❌ We DO NOT sell your data

❌ We DO NOT rent email lists

❌ We DO NOT exchange data with brokers

❌ We DO NOT share for third-party marketing

6.4 Disclosures for Legal Obligations

We may disclose data if legally obligated:

✅ Valid court order

✅ Authority request with warrant

✅ Defense of rights in legal proceedings

✅ Prevention of serious harm to life/health

✅ Serious crimes (CSAM, terrorism)

Procedure:

1. Verify request legitimacy

2. Limit disclosure to minimum necessary

3. Notify user (if possible)

4. Document every disclosure

7. INTERNATIONAL DATA TRANSFERS

7.1 Extra-EU/UK Transfers

Countries involved: United States (USA)

Providers with USA servers:

Google LLC (backup/DR)
Cookie-Script (backup)
Cloudflare (global network)

Volumes: 90% EU/UK, 10% USA (backup/DR)

7.2 Adequate Safeguards (Art. 46 GDPR)

Standard Contractual Clauses (SCC)

Version: EU Decision 2021/914 (post-Schrems II)

Module: Controller → Processor

Additional safeguards:

✅ TLS 1.3 + AES-256 encryption

✅ Pseudonymization where possible

✅ Data minimization

✅ Access controls (least privilege, MFA)

✅ EU/UK primary data residency

✅ Legal challenge commitment

✅ Transparency reports

Certifications:

Google: ISO 27001, SOC 2, ISO 27017/27018
Cloudflare: ISO 27001, SOC 2, PCI DSS

SCC copy: Available on request at privacy@pets-house.co.uk

7.3 Transfer Impact Assessment (TIA) - Post-Schrems II

We have conducted TIA to assess USA transfer risks.

Methodology:

1. Data flow mapping to USA

2. USA surveillance laws analysis (FISA 702, E.O. 12333, CLOUD Act)

3. Government access risk assessment

4. Additional safeguards verification

5. Proportionality test

TIA Outcome: Transfers LAWFUL

✅ SCC validly implemented

✅ Adequate additional safeguards

✅ USA gov access risk: very low (pet social startup, no intelligence interest)

✅ Proportionate balancing

Mitigating factors:

Pets-House is not "Electronic Communication Service Provider" under FISA
Data has no "foreign intelligence value"
Google challenges over-broad requests
EU primary data residency
Robust encryption

TIA Review: Every 12 months or when circumstances change

Next review: October 2026

Full documentation: Available for authorities on request

Transparency: To date (October 2025) zero requests from USA agencies

7.4 Your Right to Information and Objection

Rights:

✅ Right to information (this policy)

✅ Right to SCC copy (request at privacy@pets-house.co.uk)

✅ Right to object (Art. 21 GDPR)

✅ Right to lodge complaint with ICO/Garante

How to object:

Email privacy@pets-house.co.uk with reasoning

Note: Objecting to USA transfers means unable to use Pets-House (Google infrastructure necessary)

8. DATA RETENTION PERIODS

8.1 General Principles (Art. 5(1)(e) GDPR)

We retain data only for the time necessary for purposes, unless longer legal obligations.

Criteria:

Processing purpose
Legal obligation
User consent
Legitimate interest
Limitation period (10 years UK)

8.2 Specific Retention Periods

Data Type	Retention	Legal Basis
Active Account	Until deletion	Contract performance
Deleted Account	30-day grace period	Security
Content (posts, photos)	Until deletion + 30 days	Contract performance
Pet Data	Until deletion + 30 days	Contract performance
Health Documents	Until deletion + 30 days	Art. 9 GDPR
Chat	Until account deletion + 30 days	Contract performance
Access Logs	12 months	Legitimate interest + Legal obligation
Cookie Consents	12 months	Legal obligation GDPR
Backups	30-day cycle	Disaster recovery
Data Breach Records	5 years	GDPR Art. 33(5) obligation

8.3 Account Deletion

Phase 1: Soft Delete (Immediate)

Account deactivated
Content hidden
Login disabled

Phase 2: Grace Period (30 days)

Data in "pending deletion" state
You can recover account
After 30 days: irreversible

Phase 3: Hard Delete (Day 31)

Permanent deletion from database
Deletion from backups
Anonymization of non-deletable content

What is deleted:

✅ Personal data, profile photos

✅ Pet data and documents

✅ Own posts

✅ Chat messages

✅ Albums and galleries

What is anonymized:

⚠️ Comments on others' posts → "Deleted User"

⚠️ Likes and event participations → Anonymized

Reason: Art. 17(3)(b) GDPR - Limitation for freedom of expression

8.4 Selective Deletion

Before deleting account, you can selectively delete:

Individual posts (immediate hard delete)
Photos/videos (hard delete)
Pet documents (secure delete with overwrite)
Pet profile (7-day grace period)

8.5 Backup and Disaster Recovery

Daily backups:

Created at 02:00 UTC
30-day cyclic retention
AES-256 encryption
Multi-region

Deletion implication:

After 30 days from account deletion: zero copies in backups

8.6 Longer Legal Retention Obligations

Exceptions:

1. Legal proceedings: Data frozen until conclusion

2. Authority requests: Retention per instructions

3. Permanent ban: Email hash retained indefinitely (prevent re-registration)

4. Data breach: Record retained 5 years (Art. 33(5) obligation)

Continue with PART 2 (Sections 9-15): Cookies, User Rights, Complaints, Minors

9. COOKIES AND TRACKING TECHNOLOGIES

9.1 What Are Cookies

Cookies are small text files (max 4KB) stored in your browser when you visit a website. They allow the site to:

Recognize you on subsequent visits
Store preferences and settings
Analyze how you use the site
Provide targeted advertising (if consent)

Types:

First-party: Set by pets-house.com
Third-party: Set by third-party domains
Session: Deleted when you close browser
Persistent: Remain until expiry

9.2 Cookies Used by Pets-House (Currently)

We currently use ONLY strictly necessary cookies:

Cookie Name	Type	Duration	Purpose	Data
XSRF-TOKEN	First-party Session	2 hours	CSRF protection (form security)	Random token
pets_house_session	First-party Session	2 hours	Session management and authentication	Encrypted session ID

GDPR legal basis: Art. 6(1)(f) - Legitimate interest / Art. 6(1)(b) - Contract necessity

ePrivacy legal basis: Exemption from consent pursuant to:

Art. 5(3) ePrivacy Directive 2002/58/EC
UK PECR Regulation 6(4) - "Strictly necessary cookies"
EDPB Guidelines 5/2020 on cookies

Why NO consent required:

These cookies are strictly necessary to:

✅ Provide service requested by user (login, navigation)

✅ Ensure security (prevent CSRF attacks)

✅ Technical functioning (without these, site doesn't work)

NOT used for:

❌ Profiling

❌ Advertising

❌ Cross-site tracking

❌ Behavioral analytics

Reference: EDPB Guidelines 05/2020, para. 41-45 (essential technical cookies exempt from consent)

Cannot be disabled:

These cookies cannot be disabled (essential). Disabling them = unable to use Pets-House.

9.3 Future Cookies (Not Yet Implemented - Consent Required)

Analytics Cookies (Performance)

Google Analytics GA4 - If implemented:

Cookie	Duration	Purpose
_ga	24 months	Distinguish users (anonymous ID)
_ga_CONTAINER_ID	24 months	Persist session state
_gid	24 hours	Distinguish users (short-term)

Purpose: Traffic analysis, UX optimization, performance

Legal basis: Consent (Art. 6(1)(a) + ePrivacy)

Privacy safeguards:

IP Anonymization enabled
Google data sharing OFF
Remarketing disabled
User-ID feature disabled
Retention: 14 months

Opt-out: Do Not Track + Google Analytics Opt-out Add-on

Marketing Cookies (Targeting/Advertising)

Facebook Pixel / Meta Pixel - If implemented:

Cookie	Duration	Purpose
_fbp	90 days	Identify browser for ads
_fbc	90 days	Store last visit from FB ad

Purpose: Remarketing, custom audiences, conversion tracking

Legal basis: Explicit consent

Safeguards:

Advanced Matching OFF
Limited Data Use enabled
Retention: 90 days

Note: Will NEVER be active without explicit consent via cookie banner

9.4 Cookie Consent Management (Cookie-Script CMP)

We use Cookie-Script as Consent Management Platform (CMP).

Compliance:

GDPR Art. 7
ePrivacy Directive Art. 5(3)
UK PECR Reg. 6
EDPB Guidelines 05/2020

Features:

✅ Consent banner before loading non-necessary cookies

✅ Cookie categories with clear description

✅ Granular consent (Necessary, Analytics, Marketing)

✅ Consent documentation (timestamp, IP, choices - 12 months)

✅ Proof of consent for ICO/Garante

✅ Easy revocation (🍪 icon always visible)

✅ Auto-blocking (cookies blocked until consent)

First-visit banner:

1. Banner covers screen with notice

2. Link to Privacy Policy and Cookie Policy

3. Buttons: "Accept All" | "Reject All" | "Customize"

4. Consent saved (12 months)

5. Cookies loaded only if accepted

Consent revocation:

Click 🍪 icon in navbar
Modify preferences
Save → Rejected cookies deleted

GDPR/ePrivacy compliant consent:

✅ Prior consent (before loading)

✅ Informed (link to detailed info)

✅ Specific (granular per category)

✅ Freely given ("Reject All" as easy)

✅ Unambiguous (positive action)

✅ Documented (saved with timestamp)

✅ Revocable (icon always visible)

Dedicated Cookie Policy: https://www.pets-house.com/cookies-en

9.5 How to Disable Cookies

Necessary Cookies:

❌ Cannot be disabled (essential)

Analytics/Marketing Cookies (future):

Via Banner:

1. Click 🍪 in navbar

2. Toggle OFF for category

3. Save

Via Browser:

Chrome: Settings > Privacy > Cookies

Firefox: Preferences > Privacy > Cookies

Safari: Preferences > Privacy > Cookies

Edge: Settings > Privacy > Cookies

Plugins: uBlock Origin, Privacy Badger, Ghostery

Do Not Track: We will respect DNT when implementing Analytics/Marketing

Consequences:

Necessary disabled = site doesn't work
Analytics disabled = no impact
Marketing disabled = no personalized ads

9.6 Third-Party Cookies (Embedded Content)

YouTube embed: Use "youtube-nocookie.com" (privacy-enhanced)

Google Maps embed: Block until consent

Facebook/Instagram embed: Block until consent

Recommendation: No third-party embed or click-to-load

9.7 Cookie Policy Link

Complete Cookie Policy:

https://www.pets-house.com/cookies (Italian)
https://www.pets-house.com/cookies-en (English)

Updated monthly with exhaustive cookie list.

10. USER RIGHTS (GDPR/UK GDPR - Art. 15-22)

10.1 Right of Access (Art. 15 GDPR)

What you can obtain:

Confirmation we are processing your data
Copy of all your personal data
Information about processing (purposes, recipients, retention)

How to exercise:

Email: privacy@pets-house.co.uk

Subject: "Data Access Request - Art. 15 GDPR"

Include:

Full name
Account email
Copy of ID document
Preferred format (PDF, JSON, CSV)

Response time: 30 days (extendable to 60-90 if complex)

Cost:

First request: Free
Subsequent (within 12 months): £10 if unfounded/excessive

Format:

PDF for structured data
JSON/CSV for massive data (machine-readable)
Download link for heavy data (valid 30 days)

What we include:

✅ Complete profile

✅ Posts, photos, videos

✅ Chat

✅ Pet data

✅ Access logs (12 months)

✅ Consents

❌ Other people's data

❌ Confidential business info

Package password protected (sent separately)

10.2 Right to Rectification (Art. 16 GDPR)

What you can do:

Correct inaccurate data
Complete incomplete data
Update outdated information

Self-service (immediate):

Settings > Edit Profile > Modify > Save

Via email:

privacy@pets-house.co.uk

Subject: "Rectification Request - Art. 16 GDPR"

Time: 30 days (self-service immediate)

Limitations:

You cannot "rectify" true data with false data

10.3 Right to Erasure - "Right to be Forgotten" (Art. 17 GDPR)

When applicable:

✅ Data no longer necessary

✅ Consent withdrawal

✅ Objection Art. 21

✅ Unlawful processing

✅ Legal obligation to erase

Limitations:

❌ Freedom of expression (public comments)

❌ Legal obligation to retain

❌ Defense of legal rights

Self-service:

Settings > Account > "Delete Account"

Process:

1. Confirm password

2. Irreversible deletion notice

3. Confirmation checkbox

4. Email with finalize link

5. 30-day grace period (recoverable)

6. Day 31: Irreversible hard delete

Via email:

privacy@pets-house.co.uk

Subject: "Erasure Request - Art. 17 GDPR"

Time: 30 days

Effect:

Immediate: Account deactivated
30 days: Recovery period
Day 31: Complete deletion

Anonymization vs Erasure:

Content with third-party interactions → Anonymized ("Deleted User")
Art. 17(3)(b) - Limitation for freedom of expression

Google de-indexing:

Request to Google: https://support.google.com/websearch/answer/9673730

10.4 Right to Restriction (Art. 18 GDPR)

When applicable:

✅ Contest data accuracy (during verification)

✅ Unlawful processing but prefer restriction

✅ We don't need but you need (legal defense)

✅ You exercised objection (during verification)

How to exercise:

privacy@pets-house.co.uk

Subject: "Restriction Request - Art. 18 GDPR"

Time: 30 days

Effect:

Data retained (no deletion)
NO active processing
Exceptions: storage, your consent, legal defense

10.5 Right to Data Portability (Art. 20 GDPR)

What you can do:

Receive data in structured, machine-readable format (JSON/CSV)

When applicable:

✅ Processing based on consent or contract

✅ Automated processing

Portable data:

✅ Profile, posts, pet data

✅ Likes, friendships, participations

✅ Media links (download)

❌ Access logs

❌ Other people's data

How to exercise:

privacy@pets-house.co.uk

Subject: "Data Portability Request - Art. 20 GDPR"

Format: JSON (default), CSV, XML

Time: 30 days

JSON output:

json
{
"user_profile": {...},
"posts": [...],
"pets": [...],
"friendships": [...]
}

Download: Link valid 30 days, password-protected ZIP

Cost: Free

10.6 Right to Object (Art. 21 GDPR)

When applicable:

✅ Processing based on legitimate interest (Art. 6(1)(f))

✅ Direct marketing (absolute objection, always granted)

Direct marketing:

Click "Unsubscribe" in emails
Settings > Notifications > Marketing OFF
Immediate effect

Legitimate interest:

privacy@pets-house.co.uk

Subject: "Objection to Processing - Art. 21 GDPR"

Reasoning required (grounds relating to your particular situation)

Time: 30 days

Assessment:

We assess compelling legitimate grounds
If our interests prevail → Continue processing (explain why)
If no grounds → Cease processing

Examples:

✅ Marketing objection: Always granted

✅ Analytics objection: Likely granted

❌ Security logs objection: Likely refused (necessary)

10.7 Right Not to Be Subject to Automated Decision-Making (Art. 22 GDPR)

Current situation:

Pets-House DOES NOT use:

❌ Decisions based solely on automated processing

❌ Profiling with legal/significant effects

Automated elements present (NOT Art. 22):

✅ Feed post ranking (no legal effect)

✅ Spam detection (human review before ban)

✅ Content moderation (human review)

In the future:

If we implement profiling:

We will request explicit consent
Notice on logic and consequences
Right to human intervention
Right to express opinion

10.8 Right to Withdraw Consent (Art. 7(3) GDPR)

You can withdraw consent at any time.

Effect:

Future: We cease processing from withdrawal moment
Past: Prior processing was lawful

How to withdraw:

Cookies: 🍪 → Toggle OFF → Save

Geolocation: Delete announcement

Marketing: Unsubscribe in emails

Health documents: Privacy "Private"

Biometric photos: Delete or privacy "Private"

Other consents: privacy@pets-house.co.uk

Time: Immediate or within 48h

10.9 How to Exercise Your Rights

Privacy/DPO Contacts:

📧 Email: privacy@pets-house.co.uk

📧 Alternative: ao@pets-house.co.uk

📞 Phone: +44 1655 887077 (Mon-Fri 9-17 GMT)

📬 Mail: Pets-House Privacy Team, 2nd Floor College House, 17 King Edwards Road, Ruislip, London, UK

DPO: Angelo Orlandi

What to include:

✅ Identification (name, account email)

✅ Identity verification (ID document)

✅ Clear request (which right Art. X)

✅ Reasoning (if applicable)

Times:

📅 30 days standard

📅 60-90 days if complex (notice within 30)

📅 5 days receipt confirmation

Costs:

💰 Free (most)

💰 £10-25 (unfounded/excessive requests)

Manifestly unfounded/excessive requests:

We may refuse if:

Manifestly unfounded
Excessive (50 identical requests/month)
Abusive

If we refuse:

Explain reason
Inform right to lodge complaint with ICO/Garante
Inform right to judicial remedy

Response form:

📧 Email (default)

📄 Mail (if requested)

💾 Download link (massive data)

Language: Italian or English (specify preference)

11. COMPLAINTS AND SUPERVISORY AUTHORITY

11.1 Right to Lodge a Complaint

If you believe GDPR/UK GDPR violation, you can complain:

UK users:

Information Commissioner's Office (ICO)

Wycliffe House

Water Lane

Wilmslow

Cheshire SK9 5AF

United Kingdom

🌐 Website: https://ico.org.uk/

📞 Phone: +44 303 123 1113

📧 Email: casework@ico.org.uk

EU/Italian users:

Garante per la Protezione dei Dati Personali

Piazza Venezia, 11

00187 Roma

Italy

🌐 Website: https://www.garanteprivacy.it/

📞 Phone: +39 06 696771

📧 Email: garante@gpdp.it

11.2 Amicable Resolution

Before complaining, we invite you to contact us:

📧 privacy@pets-house.co.uk

We will try amicable resolution within 30 days.

12. MINORS POLICY

12.1 Minimum Age

Pets-House is for users 18+ years.

GDPR Art. 8 and UK GDPR:

We DO NOT collect data from minors under 18
We DO NOT allow registration under 18

12.2 Age Verification

During registration, users declare being 18+ years.

We reserve right to request proof of age if doubts.

12.3 If We Discover a Minor

If we discover user under 18:

1. Immediate account block

2. Data deletion within 48h

3. Parent/guardian notification (if identifiable)

12.4 Reporting Minors

If you are a parent/guardian and discover your minor child registered:

📧 Contact: privacy@pets-house.co.uk

Provide:

Username
Account email
Proof of being parent/guardian

We delete account within 24h of report.

13. CHANGES TO PRIVACY POLICY

13.1 Updates

Pets-House reserves right to modify Privacy Policy to:

Comply with new regulations
Reflect service changes
Improve transparency
Correct errors

13.2 Notice of Changes

Substantial changes:

We publish new version with updated date
Email notification 30 days before effective date
Platform notice at next login

Minor changes (typos) no notification.

13.3 Acceptance of Changes

By continuing to use Pets-House after changes, you accept new Privacy Policy.

If you don't accept:

Right to delete account before effective date
Contact us: privacy@pets-house.co.uk

13.4 Version History

We maintain version history available on request.

14. PETS-HOUSE SPECIFIC SECTIONS

14.1 Pet Profiles

Default privacy: Pet profiles public by default (pet social network nature).

You can choose:

Private profile (friends only or you only)
Hide specific information
Private profiles (visible only to you)

Health documents: Always private (owner only)

Memorial Pets:

Profile can be in "Memorial" section (public)
You can choose private profile
Memorial message visible according to chosen privacy

14.2 Chat System

Private messages:

Encrypted in transit (HTTPS/TLS 1.3)
Stored in database (NOT end-to-end encrypted)
Visible only to sender and recipient
Pets-House can access only for:

- Technical support (your authorization)

- Abuse investigation (after report)

- Authority order

- Serious crime prevention (CSAM, terrorism)

Roadmap: We are evaluating end-to-end encryption for future release

Chat requests: To chat with non-friends requires accepted request

Abuse: If you receive inappropriate messages:

Use "Report"
Contact us: privacy@pets-house.co.uk
We block user and investigate

14.3 Events and Geolocation

Event location:

You can enter precise location (lat, lon)
Location visible to invitees and (if public) everyone
You can omit precise location (city only)

Private vs public events:

Private: Visible only to invitees
Public: Visible to all users

Invites: Internal notification (no automatic emails)

14.4 Lost Pets

Announcements always public (maximize finding chance).

Data included:

Pet photo
Name, type, breed, description
Loss location (lat, lon, address)
Owner contacts (email, phone optional)

Privacy: Precise geolocation is sensitive but essential. By posting announcement, you explicitly consent to data publication.

Expiry: Auto-expire after 90 days (archived)

Deletion: You can delete announcement anytime

14.5 Posts, Photos and Videos

Visibility:

Public: Visible to everyone (even non-registered via link)
Friends: Only confirmed friends
Private: Not implemented

Inappropriate content:

Offensive, violent, sexually explicit, illegal → Prohibited
Right to remove content violating TOS
Repeat offenders → Ban

Copyright:

By uploading, you guarantee having rights
Pets-House does not claim ownership of your content
You grant us limited license to provide service (display, storage)

14.6 Business and Nonprofit Accounts

Business/nonprofit accounts have additional fields:

Business name, address, registration number, tax ID
Business hours, description, country
Business verified badge (after verification)

Business verification: We may request company documents

Privacy: Business data public by nature (similar to business page)

15. USER RESPONSIBILITIES

15.1 Account Security

You are responsible for:

Keeping password secure
Not sharing credentials
Notifying us of unauthorized access

Recommendations:

Strong password (12+ characters, letters/numbers/symbols)
Don't reuse passwords from other sites
Enable 2FA (if implemented)

15.2 Data Accuracy

You are responsible for:

Providing accurate and up-to-date data
Updating changed information
Not providing false or third-party data

15.3 Uploaded Content and Third-Party Photo Responsibility

You are responsible for:

Ensuring you have rights to content
Obtaining explicit consent from identifiable people before upload
Not uploading minor photos (except parent with private privacy)
Not violating third-party rights (copyright, privacy, image)
Respecting TOS
Not uploading illegal content

Photos with people - Your Responsibility:

Before upload obtain written/verbal consent
Inform that photo will be on Pets-House
Keep proof of consent (message, email)
If contested, must provide proof or remove

Third-party rights violation:

Pets-House is not responsible for user content
We cooperate with authorities to remove illegal content
Violation reporting procedure (DMCA, image rights)
Removal within 24h of valid report
We may suspend/ban repeat offenders

Continue with PART 3 (Sections 16-22): Legal Basis Summary, DPIA, Data Breach, Contacts, Glossary, Languages, Applicable Law, Final Statement

16. LEGAL BASIS SUMMARY

Purpose	GDPR Legal Basis	Art. Reference
Account creation and management	Performance of contract	Art. 6(1)(b)
Platform service provision	Performance of contract	Art. 6(1)(b)
Chat, posts, events management	Performance of contract	Art. 6(1)(b)
Service and UX improvement	Legitimate interest	Art. 6(1)(f)
Security and fraud prevention	Legitimate interest	Art. 6(1)(f)
Usage analysis (logs, analytics)	Legitimate interest	Art. 6(1)(f)
Necessary cookies (session, CSRF)	Legitimate interest / Contract necessity	Art. 6(1)(f)/(b)
Analytics cookies (future)	Consent	Art. 6(1)(a)
Marketing cookies (future)	Consent	Art. 6(1)(a)
Direct marketing (future)	Consent	Art. 6(1)(a)
Cookie consent retention	Legal obligation	Art. 6(1)(c)
Authority request response	Legal obligation	Art. 6(1)(c)
Pet health documents	Explicit consent / Data made public	Art. 9(2)(a)/(e)
Photos with human faces (biometrics)	Explicit consent / Data made public	Art. 9(2)(a)/(e)
Precise geolocation	Explicit consent	Art. 6(1)(a) + Art. 9(2)(a)

17. DATA PROTECTION IMPACT ASSESSMENT (DPIA)

Pets-House has conducted Data Protection Impact Assessments (DPIA) for high-risk processing:

DPIAs conducted:

✅ Precise geolocation (events, lost pets)
✅ Chat messaging system
✅ User photo/video storage
✅ Pet health data (Art. 9 GDPR)
✅ Biometric data in photos with people (Art. 9 GDPR)
✅ Profiling (if implemented in future)

Risk assessment:

For each processing:

1. Processing and purpose description

2. Necessity and proportionality assessment

3. User rights risk identification

4. Risk mitigation measures

5. Implemented safeguards and guarantees

Result: All high-risk processing has adequate measures to mitigate risks.

DPIA documentation: Available on request for competent authorities (ICO, Garante).

18. DATA BREACH NOTIFICATION

In case of personal data breach:

18.1 Notification to Authority

If breach poses risk to user rights:

We notify competent authority (ICO/Garante) within 72 hours of discovery
We provide details:

- Breach nature

- Categories and number of affected

- Data categories and quantity

- Likely consequences

- Measures adopted/proposed

Art. 33 GDPR

18.2 Notification to Users

If breach poses HIGH risk to user rights:

We notify you without undue delay
Via email and/or Platform notice
We describe:

- Breach nature

- Measures adopted

- Recommendations to protect yourself

Art. 34 GDPR

High risk examples:

Password database theft (even if hashed)
Health documents leak
Unauthorized access to private chats
Financial data theft (if implemented)

No user notification examples:

Anonymous logs leak (no identification)
Content breach (measures make data incomprehensible - encryption)

18.3 Breach Register

We maintain internal register of all breaches (even non-notifiable) in compliance with Art. 33(5) GDPR.

Register contains:

Discovery date and time
Breach nature
Data involved
Number of impacted users
Consequences
Measures adopted
Notification made (yes/no, when, to whom)

Retention: 5 years

Inspections: Available for ICO/Garante audits

19. CONTACT AND INFORMATION

19.1 Privacy Contacts

For questions, requests or exercise of rights:

PETS-HOUSE LIMITED

2nd Floor College House

17 King Edwards Road

Ruislip, London

United Kingdom

📧 General Email: ao@pets-house.co.uk

📧 Privacy Email: privacy@pets-house.co.uk

📞 Phone: +44 1655 887077

Privacy Officer: Pets-House Privacy Team

Designated DPO: Angelo Orlandi

Direct Privacy Email: privacy@pets-house.co.uk

Support Hours: Monday-Friday, 9:00-17:00 GMT

Response Time:

⏱️ Receipt confirmation: 5 business days
⏱️ Complete response: 30 days (extendable to 60-90 if complex)

19.2 Data Protection Officer (DPO)

Currently: Pets-House is not required to have a DPO (Art. 37 GDPR), but Privacy Team performs similar functions.

Designated DPO: Angelo Orlandi

If we appoint formal DPO in future, we will update this section.

19.3 EU Representative (if applicable)

Art. 27 GDPR: If Pets-House offers services primarily to EU users without EU establishment, we will appoint an EU representative.

Currently: Pets-House is UK-based. If EU representative needed, we will update here.

20. GLOSSARY

Personal Data: Any information relating to an identified or identifiable natural person.

Data Controller: Entity determining purposes and means of processing (Pets-House).

Data Processor: Entity processing data on behalf of controller (e.g., Google Cloud).

Data Subject: Natural person to whom personal data relates (you, user).

Processing: Any operation on data: collection, recording, storage, modification, consultation, use, disclosure, deletion.

Consent: Freely given, specific, informed and unambiguous indication of wishes.

Profiling: Automated processing to evaluate personal aspects (preferences, behavior, interests). Pets-House currently DOES NOT profile.

Pseudonymisation: Processing making data no longer attributable without additional information.

Anonymisation: Processing making identification of data subject impossible (anonymous data is NOT personal data).

Data Breach: Security violation resulting in destruction, loss, alteration, unauthorized disclosure or access to personal data.

Special Categories of Data (Art. 9 GDPR): Sensitive data revealing racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life/sexual orientation. Require enhanced protection.

Biometric Data: Personal data resulting from specific technical processing relating to physical, physiological or behavioral characteristics enabling unique identification (e.g., facial recognition, fingerprints).

21. LANGUAGES

This Privacy Policy is available in:

Italian (primary version)
English (translation)

In case of discrepancies: Italian version prevails for Italian users, English version for UK/international users.

Version links:

🇮🇹 https://www.pets-house.com/privacy
🇬🇧 https://www.pets-house.com/privacy-en

22. APPLICABLE LAW AND JURISDICTION

22.1 Applicable Law

This Privacy Policy is governed by United Kingdom law:

UK GDPR (UK General Data Protection Regulation)
Data Protection Act 2018
UK Privacy and Electronic Communications Regulations (PECR)

For EU/Italian users: EU GDPR (Regulation 2016/679) and Italian national regulations also apply where applicable.

22.2 Jurisdiction

For disputes relating to this Privacy Policy:

Primary venue: Courts of United Kingdom (England and Wales)

EU consumer alternative: You may bring proceedings in courts of your country of residence for consumer disputes (Brussels I-bis Regulation, EU Reg. 1215/2012).

Example: Italian user can sue Pets-House in competent Italian court.

22.3 Dispute Resolution

Before proceeding legally:

1. Contact us: privacy@pets-house.co.uk - Attempt amicable resolution (30 days)

2. ICO/Garante complaint: If unsatisfied, complain to authority (free)

3. Mediation: Possible recourse to mediation/arbitration

4. Legal action: Only as last resort

Authority complaints and legal actions are independent rights: You can complain to ICO/Garante AND sue simultaneously.

23. FINAL STATEMENT

PETS-HOUSE LIMITED commits to:

✅ Process personal data lawfully, fairly and transparently

✅ Collect data only for specific, explicit and legitimate purposes

✅ Limit processing to what is necessary

✅ Ensure data accuracy and updates

✅ Retain data only for necessary time

✅ Protect data with adequate security measures

✅ Respect all user rights provided by GDPR/UK GDPR

You have read and understood this Privacy Policy.

By using Pets-House, you accept the processing of your personal data as described in this document.

You can withdraw consent or exercise your rights at any time by contacting:

📧 privacy@pets-house.co.uk

## 📋 COMPLETE PRIVACY POLICY INDEX

1. Data Controller

2. General Information

3. Personal Data Collected

- 3.1 Data provided directly

- 3.2 Automatically collected data

- 3.3 Data from third-party services

- 3.4 Biometric Data and Photos with People (Art. 9 GDPR)

4. Purposes and Legal Basis of Processing

- 4.1 Performance of Contract + Special Categories (Art. 9)

- 4.2 Legitimate Interest

- 4.3 Consent

- 4.4 Legal Obligation

5. Processing Methods

- 5.1 Processing Means

- 5.2 Data Access

- 5.3 Data Security (Art. 32 GDPR)

6. Data Sharing and Disclosure

- 6.1 Sharing with Other Users

- 6.2 Sharing with Third-Party Services (Data Processors)

- 6.3 No Data Sale

- 6.4 Disclosures for Legal Obligations

7. International Data Transfers

- 7.1 Extra-EU/UK Transfers

- 7.2 Adequate Safeguards (SCC)

- 7.3 Transfer Impact Assessment (TIA) - Post-Schrems II

- 7.4 Your Right to Information and Objection

8. Data Retention Periods

- 8.1 General Principles

- 8.2 Specific Retention Periods

- 8.3 Account Deletion

- 8.4 Selective Deletion

- 8.5 Backup and Disaster Recovery

- 8.6 Longer Legal Retention Obligations

9. Cookies and Tracking Technologies

- 9.1 What Are Cookies

- 9.2 Cookies Used (Currently)

- 9.3 Future Cookies (Consent Required)

- 9.4 Cookie Consent Management (Cookie-Script CMP)

- 9.5 How to Disable Cookies

- 9.6 Third-Party Cookies

- 9.7 Cookie Policy Link

10. User Rights (GDPR/UK GDPR - Art. 15-22)

- 10.1 Right of Access (Art. 15)

- 10.2 Right to Rectification (Art. 16)

- 10.3 Right to Erasure - "Right to be Forgotten" (Art. 17)

- 10.4 Right to Restriction (Art. 18)

- 10.5 Right to Data Portability (Art. 20)

- 10.6 Right to Object (Art. 21)

- 10.7 Right Not to Automated Decision-Making (Art. 22)

- 10.8 Right to Withdraw Consent (Art. 7(3))

- 10.9 How to Exercise Your Rights

11. Complaints and Supervisory Authority

- 11.1 Right to Lodge a Complaint (ICO/Garante)

- 11.2 Amicable Resolution

12. Minors Policy

- 12.1 Minimum Age (18+)

- 12.2 Age Verification

- 12.3 If We Discover a Minor

- 12.4 Reporting Minors

13. Changes to Privacy Policy

- 13.1 Updates

- 13.2 Notice of Changes

- 13.3 Acceptance of Changes

- 13.4 Version History

14. Pets-House Specific Sections

- 14.1 Pet Profiles

- 14.2 Chat System

- 14.3 Events and Geolocation

- 14.4 Lost Pets

- 14.5 Posts, Photos and Videos

- 14.6 Business and Nonprofit Accounts

15. User Responsibilities

- 15.1 Account Security

- 15.2 Data Accuracy

- 15.3 Uploaded Content and Third-Party Photo Responsibility

16. Legal Basis Summary

17. Data Protection Impact Assessment (DPIA)

18. Data Breach Notification

- 18.1 Notification to Authority

- 18.2 Notification to Users

- 18.3 Breach Register

19. Contact and Information

- 19.1 Privacy Contacts

- 19.2 Data Protection Officer (DPO)

- 19.3 EU Representative

20. Glossary

21. Languages

22. Applicable Law and Jurisdiction

- 22.1 Applicable Law

- 22.2 Jurisdiction

- 22.3 Dispute Resolution

23. Final Statement

Last updated: October 20, 2025

Version: 1.1 (Updated with International Law Firm recommendations)

Effective from: October 20, 2025

For questions or concerns: privacy@pets-house.co.uk

Thank you for trusting Pets-House! 🐾

END COMPLETE PRIVACY POLICY

Document composed of 3 parts:

✅ PART 1: Sections 1-8
✅ PART 2: Sections 9-15
✅ PART 3: Sections 16-23 (this part)

To create complete Blade file: Assemble the 3 parts in order.

📋 Table of Contents

1. DATA CONTROLLER

2. GENERAL INFORMATION

3. PERSONAL DATA COLLECTED

3.1 Data Provided Directly by Users

Identification Data:

Contact Data:

Extended Profile Data:

Pet Data:

User-Generated Content:

Event Data:

Privacy Preferences:

3.2 Automatically Collected Data

Technical Data:

Usage Data:

Geolocation Data:

3.3 Data from Third-Party Services

Google OAuth (Sign in with Google):

3.4 Biometric Data and Photos with People (Art. 9 GDPR)

1. Owner/User in photo (YOU):

2. Other people in photo (identifiable THIRD PARTIES):

3. Minors in photos (under 18 years):

4. PURPOSES AND LEGAL BASIS OF PROCESSING

4.1 Performance of Contract (Art. 6(1)(b) GDPR) + Special Categories (Art. 9 GDPR)

SPECIAL CATEGORIES PROCESSING - Pet Health Data (Art. 9 GDPR)

4.2 Legitimate Interest (Art. 6(1)(f) GDPR)

4.3 Consent (Art. 6(1)(a) GDPR and Art. 9(2)(a) GDPR)

4.4 Legal Obligation (Art. 6(1)(c) GDPR)

5. PROCESSING METHODS

5.1 Processing Means

5.2 Data Access

5.3 Data Security (Art. 32 GDPR)

6. DATA SHARING AND DISCLOSURE

6.1 Sharing with Other Users (Social Network Nature)

Public Content:

Friends-Only Content:

Private Content:

6.2 Sharing with Third-Party Services (Data Processors)

Google LLC (USA)

Cookie-Script (EU/USA)

Cloudflare (Global)

6.3 No Data Sale

6.4 Disclosures for Legal Obligations

7. INTERNATIONAL DATA TRANSFERS

7.1 Extra-EU/UK Transfers

7.2 Adequate Safeguards (Art. 46 GDPR)

Standard Contractual Clauses (SCC)

7.3 Transfer Impact Assessment (TIA) - Post-Schrems II

7.4 Your Right to Information and Objection

8. DATA RETENTION PERIODS

8.1 General Principles (Art. 5(1)(e) GDPR)

8.2 Specific Retention Periods

8.3 Account Deletion

8.4 Selective Deletion

8.5 Backup and Disaster Recovery

8.6 Longer Legal Retention Obligations

9. COOKIES AND TRACKING TECHNOLOGIES

9.1 What Are Cookies

9.2 Cookies Used by Pets-House (Currently)

9.3 Future Cookies (Not Yet Implemented - Consent Required)

Analytics Cookies (Performance)

Marketing Cookies (Targeting/Advertising)

9.4 Cookie Consent Management (Cookie-Script CMP)

9.5 How to Disable Cookies

Necessary Cookies:

Analytics/Marketing Cookies (future):

9.6 Third-Party Cookies (Embedded Content)

9.7 Cookie Policy Link

10. USER RIGHTS (GDPR/UK GDPR - Art. 15-22)

10.1 Right of Access (Art. 15 GDPR)

10.2 Right to Rectification (Art. 16 GDPR)

10.3 Right to Erasure - "Right to be Forgotten" (Art. 17 GDPR)

10.4 Right to Restriction (Art. 18 GDPR)

10.5 Right to Data Portability (Art. 20 GDPR)

10.6 Right to Object (Art. 21 GDPR)

10.7 Right Not to Be Subject to Automated Decision-Making (Art. 22 GDPR)

10.8 Right to Withdraw Consent (Art. 7(3) GDPR)

10.9 How to Exercise Your Rights

11. COMPLAINTS AND SUPERVISORY AUTHORITY