Data Processing Agreement
Last updated: February 27, 2026Version: 1.0
Summary
This document explains how Bubba processes personal data as a pet services marketplace — including our roles as data controller and processor, the sub-processors we engage, international data transfer safeguards, and the technical and organizational measures we use to protect your data. It supplements our Privacy Policy.
- Bubba's Role in Data Processing
Bubba acts in different data protection roles depending on the type of processing activity:
1.1 Bubba as Data Controller
Bubba is the data controller (GDPR Art. 4(7)) for the following processing activities, where we determine the purposes and means of processing:
| Processing activity | Purpose | Legal basis |
|---|---|---|
| User account management | Creating, maintaining, and authenticating user accounts | Art. 6(1)(b) — contract |
| Platform analytics | Understanding platform usage to improve features and user experience | Art. 6(1)(a) — consent |
| Search and discovery | Enabling users to find service providers | Art. 6(1)(b) — contract |
| Review management | Publishing and moderating user reviews | Art. 6(1)(f) — legitimate interest |
| Marketing communications | Sending promotional content to opted-in users | Art. 6(1)(a) — consent |
| Consent tracking | Recording and managing user consent preferences | Art. 6(1)(c) — legal obligation |
| Fraud prevention and security | Protecting users and the platform from misuse | Art. 6(1)(f) — legitimate interest |
1.2 Bubba as Processor
When a pet owner books a service through the platform, Bubba acts as a data processor (GDPR Art. 4(8)) for certain data that is transmitted to the service provider (business partner) for the purpose of service delivery. In this context, the service provider is the controller for the data necessary to deliver the booked service.
1.3 Service Providers as Separate Controllers
Service providers (business partners) on Bubba are independent data controllers for:
- Service delivery data — information they collect and process to perform the booked service.
- Client relationship management — data they manage within the Console app about their clients.
- Staff management — employment-related data about their team members.
Bubba and service providers are not joint controllers for service delivery. Each party processes data under its own controllership, with appropriate data sharing governed by contractual terms (see our Business Terms & Conditions).
- Sub-Processors
Bubba engages the following sub-processors to deliver its services. Each sub-processor processes personal data only for the specific purposes described and under contractual data protection obligations compliant with GDPR Article 28.
| Sub-processor | Purpose | Data processed | Location | Transfer safeguard | DPA status |
|---|---|---|---|---|---|
| Convex (convex.dev) | Backend database and real-time data engine | All platform data (accounts, bookings, pets, reviews, chat, consent records) | United States | EU Standard Contractual Clauses (SCCs), Module 2 (Controller-to-Processor) | Convex standard DPA signed |
| Cloudflare (cloudflare.com) | CDN, DDoS protection, DNS, edge caching | IP addresses, request metadata, cached content | Global (EU-preferred routing) | EU SCCs, Module 2 | Cloudflare standard DPA in effect |
| Adyen (adyen.com) | Payment processing (tokenization, payouts, KYC/KYB) | Payment data, transaction details, business verification data | Netherlands (EU) | No international transfer — EU-based | Adyen standard DPA signed |
| PostHog (posthog.com) | Product analytics (consent-gated) | Anonymized analytics events, device info, feature flags | EU (eu.posthog.com) | EU data residency — no international transfer | PostHog EU DPA in effect |
| Resend (resend.com) | Transactional email delivery | Email address, recipient name, email content | United States | EU SCCs, Module 2 | Resend standard DPA signed |
| Google (accounts.google.com) | OAuth authentication (Google Sign-In) | OAuth tokens, email address | United States | EU adequacy decision (Data Privacy Framework) | Google standard DPA |
| Apple (appleid.apple.com) | OAuth authentication (Sign in with Apple) | OAuth tokens, email address (may be relayed) | United States / Ireland | EU SCCs | Apple standard terms |
| OpenRouter (openrouter.ai) | AI-assisted chat (LLM routing) | Chat messages, conversation context | EU-based infrastructure | EU data residency | OpenRouter standard DPA |
2.1 Changes to Sub-Processors
We will notify users via email and/or platform notification at least 30 days before engaging a new sub-processor or making material changes to existing sub-processor arrangements. Users have the right to object to such changes; if we cannot accommodate the objection, the user may terminate their account and request data erasure (see GDPR Rights).
- International Data Transfers
Where personal data is transferred to sub-processors located outside the European Economic Area (EEA), we ensure an adequate level of protection through:
3.1 Transfer Mechanisms
| Mechanism | When used |
|---|---|
| EU adequacy decisions | Transfers to countries with adequate protection (e.g., US companies under the Data Privacy Framework) |
| Standard Contractual Clauses (SCCs) | Primary mechanism for US-based sub-processors not covered by adequacy or as supplementary safeguard. We use the European Commission's SCCs (Decision 2021/914) with the appropriate module |
| EU data residency | Used where possible — PostHog EU, OpenRouter EU, Adyen NL |
3.2 Standard Contractual Clause Modules
| SCC Module | Relationship | Sub-processors |
|---|---|---|
| Module 2 (Controller → Processor) | Bubba as controller, sub-processor as processor | Convex, Cloudflare, Resend |
| Module 3 (Processor → Processor) | Where sub-processors further sub-process on Bubba's behalf | As applicable per sub-processor chain |
3.3 Transfer Impact Assessments
We conduct Transfer Impact Assessments (TIAs) for all international data transfers to countries without an EU adequacy decision. TIAs evaluate:
- The legal framework of the recipient country, including government access to data.
- The supplementary measures applied (encryption, pseudonymization, access controls).
- The specific categories of data transferred.
- Whether the transfer mechanism provides effective protection in practice.
- Pet Health Data Processing
4.1 Classification
Pet health data (vaccination records, medications, medical events, veterinary records) relates to animals, not humans, and is therefore not classified as special category data under GDPR Article 9. However, because pet health records can be linked to identifiable pet owners, we treat this data with heightened care.
4.2 Processing Basis
Pet health data is processed under Art. 6(1)(a) GDPR — your explicit consent. You may withdraw consent for pet health data processing at any time without affecting access to other platform features.
4.3 Access Controls
| Who can access | What they can access | When |
|---|---|---|
| Pet owner | All their own pets' health records | Always |
| Authorized service providers | Health records for pets linked to an active booking | During active service engagement |
| Platform (system) | Metadata for display and reminder functionality | Automated processing for reminders and display |
| Platform administrators | Health data as part of DSR (data subject request) processing | Only when processing data export or deletion requests |
4.4 Encryption and Storage
- Pet health data is encrypted in transit (TLS 1.2+) and at rest via the database provider's encryption.
- Access is controlled via role-based permissions and authenticated API endpoints.
- No pet health data is shared with analytics or marketing systems.
4.5 Retention
Pet health data is retained for the duration of your account plus any legally mandated retention period. Upon account deletion, pet health data is anonymized as part of the standard data erasure process (see Section 5).
- Processor Obligations (Provider Data)
When a pet owner books a service through the Bubba platform, the service provider is the data controller for the personal data necessary to deliver the booked service. Bubba acts as a data processor for this data, processing it only to facilitate the booking, communication, and payment between the pet owner and the Provider.
This section governs Bubba's processing obligations in that capacity, in compliance with GDPR Article 28.
5.1 Lawful Processing
Bubba shall:
- Process personal data only on the documented instructions of the Provider, including transfers to third countries (unless required by EU or Member State law).
- Not process personal data for any purpose other than facilitating the booked service.
5.2 Confidentiality
Bubba shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3 Data Subject Requests
Bubba shall assist the Provider in fulfilling its obligation to respond to data subject requests (access, rectification, erasure, portability, restriction, objection) by:
- Providing prompt notification when a data subject request is received that relates to the Provider's data.
- Providing technical mechanisms to fulfill requests, including data export and anonymization.
- Not independently responding to data subject requests concerning the Provider's data without first informing the Provider, unless legally required.
5.4 Data Return and Deletion
Upon termination of the Provider's account:
- Bubba shall, at the Provider's choice, return all personal data processed on behalf of the Provider or delete it, and delete existing copies, unless EU or Member State law requires storage.
- Providers can export their data through the Console app before account termination.
- Data anonymization is used instead of hard deletion for records required for reporting integrity and legal compliance (e.g., tax records, per GDPR Art. 17(3)(e)).
5.5 Sub-Processor Obligations
Bubba shall:
- Impose the same data protection obligations on each sub-processor by way of a contract.
- Remain fully liable to the Provider for the performance of the sub-processor's obligations.
- Data Retention Schedule
The following table summarizes our data retention periods by category. For detailed information, see our Privacy Policy, Section 2.
| Data category | Retention period | Legal basis for retention | Post-expiry action |
|---|---|---|---|
| Account data | Duration of account + 12 months | Art. 6(1)(b) — contract | Anonymization |
| Pet data | Duration of account + 12 months | Art. 6(1)(b) — contract | Anonymization |
| Pet health data | Duration of account | Art. 6(1)(a) — consent | Anonymization |
| Booking & order data | 10 years | Art. 6(1)(c) — legal obligation (tax/accounting law) | Anonymization |
| Payment data | 10 years | Art. 6(1)(c) — legal obligation (accounting law) | Anonymization |
| Communication data | Duration of account | Art. 6(1)(b) — contract | Anonymization |
| Review data | Duration of account | Art. 6(1)(f) — legitimate interest | Anonymization |
| Analytics data | 24 months | Art. 6(1)(a) — consent | Deletion |
| Marketing data | Until consent withdrawal | Art. 6(1)(a) — consent | Deletion |
| Authentication data | Duration of session/account | Art. 6(1)(b) — contract | Deletion |
| Device tokens | Duration of account | Art. 6(1)(b) — contract | Permanent deletion |
| Consent audit trail | 5 years | Art. 6(1)(c) — legal obligation (demonstrating compliance) | Deletion |
- Data Erasure Approach
7.1 Anonymization Over Hard-Deletion
When you request data erasure (Right to Erasure, GDPR Art. 17), your data is processed through anonymization rather than hard-deletion. This approach:
- Replaces all personally identifiable information (PII) with
[REDACTED]placeholders. - Replaces user identifiers with non-reversible
DELETED_USERplaceholders. - Covers 16 entity types: user profile, pets, orders, reviews, chat sessions, form submissions, favorites, consents, device tokens, gift card balances, recurring bookings, rebooking notifications, client profiles, export requests, core user record, and consent audit log.
- Permanently deletes device tokens and export file blobs.
7.2 Why Anonymization
Anonymized records are retained to maintain:
- Reporting integrity — aggregate booking and revenue data remains accurate.
- Legal compliance — tax and accounting records must be retained for 10 years per Lithuanian commercial law (GDPR Art. 17(3)(e)).
- Review integrity — anonymized reviews preserve marketplace trust without identifying the reviewer.
Once anonymized, the data is no longer "personal data" under GDPR, as it can no longer be linked to an identifiable person.
- Technical and Organizational Measures (GDPR Art. 32)
We implement the following measures to ensure a level of security appropriate to the risk:
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ for all data transmission |
| Encryption at rest | Database-level encryption via Convex; file storage encryption via Cloudflare |
| Access control | Role-based access control (owner/manager/member); least privilege principle |
| Authentication security | Passkeys, OAuth 2.0, strong password requirements (8+ characters), session management |
| Payment security | PCI-DSS compliant via Adyen — no raw card data stored on Bubba servers |
| Audit logging | All significant actions logged for compliance and monitoring |
| Consent audit trail | Immutable log of all consent changes (grants, withdrawals, re-consents) |
| Data minimization | Only data necessary for the stated purpose is collected |
| Incident response | Breach notification within 72 hours per GDPR Art. 33-34 |
| Regular review | Periodic assessment of technical and organizational measures |
For more details, see our Security Policy.
- Data Breach Notification
In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects:
- Supervisory authority notification: We will notify the Valstybinė duomenų apsaugos inspekcija (VDAI) within 72 hours of becoming aware of the breach per GDPR Art. 33.
- Data subject notification: If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay per GDPR Art. 34.
- Sub-processor notification: Our sub-processors are contractually required to notify us without undue delay upon discovering a personal data breach.
- Provider notification: Where Bubba processes data on behalf of a service provider (as processor), we will notify the Provider without undue delay — and in any event within 48 hours — after becoming aware of a breach affecting their data.
- Data Protection Impact Assessments (DPIAs)
We conduct Data Protection Impact Assessments where required by GDPR Art. 35, particularly for:
- Processing activities involving new technologies.
- Processing that is likely to result in a high risk to data subject rights.
- Large-scale processing of special categories of data.
Currently, no processing activities conducted by Bubba have required a DPIA under the criteria of GDPR Art. 35(3), as:
- Pet health data relates to animals (not special category data under Art. 9).
- Analytics data is consent-gated and anonymized.
- We do not conduct systematic monitoring of public areas.
- Audit Rights
Bubba shall make available to service providers all information necessary to demonstrate compliance with the obligations under GDPR Article 28 and shall allow for and contribute to audits, including inspections, conducted by the Provider or an auditor mandated by the Provider.
Bubba may satisfy this obligation by:
- Providing its most recent SOC 2 report or equivalent third-party audit report (when available).
- Providing written responses to reasonable audit questionnaires.
- Facilitating on-site inspections with reasonable advance notice (at least 30 days), during business hours, and subject to confidentiality obligations.
The Provider shall bear the costs of any audit it initiates.
- Contact
For questions about our data processing practices or to request a copy of our Data Processing Agreement:
| privacy@bubba.pet | |
| Postal address | MB Bubba, Žirmūnų g. 57-50, LT-09110 Vilnius, Lithuania |
- Related Documents
- Privacy Policy — Comprehensive data protection and privacy practices.
- Cookie Policy — Information about cookies and tracking technologies.
- Security Policy — Technical and organizational security measures.
- Your Data Rights (GDPR) — How to exercise your data protection rights.
- Business Terms & Conditions — Terms governing service provider data processing obligations.
This document is provided for transparency purposes. Formal Data Processing Agreements with individual sub-processors are maintained as separate, non-public contractual documents. If you are a business partner requiring a formal DPA with Bubba, please contact legal@bubba.pet.