Privacy Policy

Last updated: February 27, 2026
Version: 1.0

Summary

This privacy policy explains how Bubba collects, uses, stores, and protects your personal data when you use our platform. We comply with the GDPR and applicable EU privacy laws, and provide you with full control over your data through in-app privacy settings.

This privacy policy explains how MB Bubba ("Bubba", "we", "us", or "our") collects, uses, stores, and protects your personal data when you use our platform, including the Bubba website, mobile applications (Client and Console), and related services.

We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the ePrivacy Directive (2002/58/EC), and applicable national data protection laws.


  1. Data Controller

Controller: MB Bubba, MB (mažoji bendrija)
Registered address: Žirmūnų g. 57-50, LT-09110 Vilnius, Lithuania
Email: privacy@bubba.pet
Phone: +37060569477

Data Protection Officer

Given the nature and scale of our data processing activities, we are not required to appoint a Data Protection Officer under GDPR Article 37. For privacy inquiries, please contact us at privacy@bubba.pet.


  2. What Data We Collect

We process the following categories of personal data, each with a specific legal basis:

2.1 Account Data

Data: Name, email address, password (hashed), profile photo, phone number
Legal basis: Art. 6(1)(b) GDPR — performance of a contract
Retention: Duration of your account plus 12 months after account closure

2.2 Pet Data

Data: Pet name, species, breed, birthdate, weight, height, photos, microchip number
Legal basis: Art. 6(1)(b) GDPR — performance of a contract
Retention: Duration of your account plus 12 months after account closure

2.3 Pet Health Data

Data: Vaccination records, medications, medical events, veterinary records, weight/height logs, health reminders
Legal basis: Art. 6(1)(a) GDPR — your explicit consent. Pet health data relates to animals and is not classified as special category data under Art. 9 GDPR; however, we treat it with heightened care given its sensitive nature and process it only with your explicit consent.
Retention: Duration of your account plus any legally mandated retention period

You can withdraw your consent for pet health data processing at any time through the Privacy Settings in your app, without affecting the lawfulness of processing performed before withdrawal.

2.4 Booking & Order Data

Data: Appointment details, service type, service variants, add-ons, staff assignment, location, pricing, order status, timestamps
Legal basis: Art. 6(1)(b) GDPR — performance of a contract
Retention: 10 years (required by tax and commercial law)

2.5 Payment Data

Data: Transaction IDs, amounts, payment method type, payout information. We do not store full card numbers — payment processing is handled by Adyen, which tokenizes payment credentials.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract; Art. 6(1)(c) GDPR — legal obligation (accounting and tax law)
Retention: 10 years (required by accounting law)

2.6 Communication Data

Data: Chat messages between pet owners and service providers, call metadata (duration, timestamps)
Legal basis: Art. 6(1)(b) GDPR — performance of a contract
Retention: Duration of your account (no automatic expiry; deleted upon account closure or erasure request)

2.7 Review Data

Data: Ratings, review text, photos attached to reviews
Legal basis: Art. 6(1)(f) GDPR — legitimate interest (marketplace trust and transparency). Our legitimate interest is maintaining a trustworthy marketplace where consumers can make informed decisions based on authentic reviews. We have balanced this against your privacy rights and concluded that the minimal privacy impact of publishing reviews (which you voluntarily submit) does not override our legitimate interest.
Retention: Duration of your account; anonymized reviews may be retained for marketplace integrity

2.8 Analytics Data

Data: Page views, clicks, feature usage, device type, browser type, IP address (anonymized)
Legal basis: Art. 6(1)(a) GDPR — your consent
Retention: 24 months

Analytics data is collected via PostHog only after you grant analytics consent through our cookie consent banner or privacy settings. Until consent is granted, PostHog operates in memory-only mode and does not store cookies or track your activity. See our Cookie Policy for details.

2.9 Marketing Data

Data: Email preferences, push notification tokens, marketing consent status
Legal basis: Art. 6(1)(a) GDPR — your consent
Retention: Until you withdraw consent

2.10 Location Data

Data: City used for service provider search, partner business locations
Legal basis: Art. 6(1)(b) GDPR — performance of a contract (finding nearby service providers); Art. 6(1)(f) GDPR — legitimate interest
Retention: Transient (session-based); not stored long-term

2.11 Authentication Data

Data: OAuth tokens (Google, Apple), passkey credentials, session tokens
Legal basis: Art. 6(1)(b) GDPR — performance of a contract
Retention: Duration of session or account

2.12 Device Data

Data: Push notification tokens (FCM), device platform, app version
Legal basis: Art. 6(1)(b) GDPR — performance of a contract (delivering push notifications)
Retention: Duration of your account

Data: Consent preferences (analytics, marketing, third-party), consent timestamps, policy version accepted, jurisdiction detection, anonymous visitor fingerprint ID (a randomly generated UUID used solely for consent tracking — not shared with analytics or any third party)
Legal basis: Art. 6(1)(c) GDPR — legal obligation (demonstrating consent compliance)
Retention: Duration of your account plus 5 years for audit trail

  3. How We Use Your Data

We use your personal data for the following purposes:

  1. Providing the Bubba platform — creating and managing your account, facilitating bookings, processing payments, enabling communication between pet owners and service providers.
  2. Pet health management — storing and displaying pet health records, generating reminders (with your consent).
  3. Search and discovery — enabling you to find service providers by service type, location, ratings, and availability.
  4. Reviews and ratings — publishing verified reviews, calculating provider ratings, maintaining marketplace trust.
  5. Analytics and improvement — understanding how the platform is used to improve features and user experience (with your consent).
  6. Communication — sending transactional emails (booking confirmations, password resets), push notifications, and marketing communications (with your consent).
  7. Legal compliance — fulfilling tax, accounting, and regulatory obligations; responding to lawful requests from authorities.
  8. Security and fraud prevention — protecting the platform and users from unauthorized access and fraudulent activity.

  4. Data Recipients and Sub-Processors

We share your data with the following third-party service providers (sub-processors), each of whom processes data only for the purposes described and under contractual data protection obligations:

| Recipient | Purpose | Data shared | Location | Safeguard |
|---|---|---|---|---|
| Convex (convex.dev) | Backend database and real-time data engine | All platform data | US | EU Standard Contractual Clauses (SCCs) |
| Cloudflare | CDN, DDoS protection, DNS | IP addresses, request metadata | Global (EU-preferred routing) | EU SCCs |
| Adyen | Payment processing | Payment data, KYC/KYB data | Netherlands (EU) | EU-based processor; no international transfer |
| PostHog | Product analytics (consent-gated) | Analytics events, device info (anonymized IP) | EU (eu.posthog.com) | EU data residency |
| Resend | Transactional email delivery | Email address, name, email content | US | EU SCCs |
| Google (OAuth) | Authentication | OAuth tokens, email address | US | EU adequacy decision / SCCs |
| Apple (Sign-In) | Authentication | OAuth tokens, email address | US/Ireland | EU SCCs |
| OpenRouter | AI-assisted chat (LLM routing) | Chat messages, context | EU (EU-based infrastructure) | EU data residency |

Table: Sub-processors and data sharing

  5. International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA). For each transfer, we ensure an adequate level of data protection through one of the following mechanisms:

  • EU adequacy decisions — for transfers to countries the European Commission has determined provide adequate data protection.
  • Standard Contractual Clauses (SCCs) — approved by the European Commission (Decision 2021/914), using the appropriate module (Controller-to-Processor or Processor-to-Processor as applicable).
  • Supplementary measures — where required by the circumstances of the transfer, including encryption in transit and at rest, data minimization, and access controls.

We conduct Transfer Impact Assessments (TIAs) for transfers to countries without an adequacy decision to ensure the effectiveness of the safeguards applied.


  6. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

6.1 Right of Access (Art. 15)

You have the right to obtain a copy of all personal data we process about you. You can exercise this right through the "Download My Data" feature in your app's Privacy Settings (Settings → Privacy), which generates a downloadable JSON export of your data.

6.2 Right to Rectification (Art. 16)

You can correct inaccurate or incomplete personal data at any time by editing your profile, pet information, or other data directly in the app.

6.3 Right to Erasure (Art. 17)

You have the right to request the deletion of your personal data. You can exercise this right through the "Erase My Account" feature in your app's Privacy Settings.

How erasure works: Upon your request and administrative approval, your personal data is anonymized across all platform records. This means:

  • All personally identifiable information (PII) is replaced with [REDACTED] placeholders.
  • Your user identifier is replaced with a non-reversible DELETED_USER placeholder.
  • This anonymization covers 16 entity types: user profile, pets, orders, reviews, chat sessions, form submissions, favorites, consents, device tokens, gift card balances, recurring bookings, rebooking notifications, client profiles, export requests, core user record, and consent audit log.
  • Device tokens and export file blobs are permanently deleted.
  • Anonymized records are retained solely for reporting integrity and legal compliance (e.g., tax records) per GDPR Art. 17(3)(e).

6.4 Right to Restrict Processing (Art. 18)

You can request that we limit how your data is processed. Contact us at privacy@bubba.pet.

6.5 Right to Data Portability (Art. 20)

You can receive your personal data in a structured, commonly used, machine-readable format (JSON) via the data export feature in Privacy Settings.

6.6 Right to Object (Art. 21)

You have the right to object to processing based on legitimate interest (e.g., review data, search ranking). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

You can withdraw consent for optional data processing at any time:

  • Analytics, marketing, and third-party data sharing: Through the cookie consent banner (website) or Privacy Settings in the app.
  • Pet health data: Through Privacy Settings in the app.
  • Withdrawal does not affect the lawfulness of processing performed before withdrawal.

6.8 Right Not to Be Subject to Automated Decisions (Art. 22)

We do not make decisions based solely on automated processing that produce legal effects or significantly affect you. Search result ranking is informational and does not constitute automated decision-making under Art. 22.

6.9 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for Bubba is:

Valstybinė duomenų apsaugos inspekcija (State Data Protection Inspectorate)
L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania
https://www.ada.lt

How to Exercise Your Rights

  • In-app: Use the Privacy Settings page (Settings → Privacy) for data export, account erasure, and consent management.
  • On the website: Use the Cookie Settings page for consent management.
  • By email: Send your request to privacy@bubba.pet.

We will respond to your request within one month. In cases of complexity or high volume, this period may be extended by up to two additional months, and we will inform you of any such extension within the first month. Exercising your rights is free of charge, except for requests that are manifestly unfounded or excessive.


  7. Automated Decision-Making and Profiling

Search Ranking

Our platform ranks service providers in search results based on factors such as service type match, location relevance, review rating, number of reviews, and availability. This ranking is informational and does not constitute automated decision-making with legal or similarly significant effects.

AI-Powered Chat

Bubba offers an AI-assisted chat feature. When you use this feature:

  • Your chat messages may be processed by a third-party large language model (LLM) routing service (OpenRouter), which routes requests to EU-based model providers.
  • AI responses are generated for informational purposes only and do not constitute professional, veterinary, or legal advice.
  • AI chat data is processed under Art. 6(1)(b) GDPR (contract performance) for registered users.
  • The LLM provider acts as a sub-processor under contractual data protection obligations. See Section 4 for details.

  8. Children's Data

Bubba's services are not directed at children. You must be at least 16 years old to create an account. We do not knowingly collect personal data from children below this age. If we become aware that we have collected data from a child, we will delete it promptly.


  9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption: Data is encrypted in transit (TLS 1.2+) and at rest.
  • Authentication: We support secure authentication methods including passkeys, OAuth, and strong password requirements.
  • Access control: Role-based access controls limit data access to authorized personnel.
  • Payment security: Payment data is processed by Adyen, which is PCI-DSS certified. We do not store raw card numbers.
  • Infrastructure security: Our hosting providers (Convex, Cloudflare) maintain industry-standard security certifications.
  • Incident response: We maintain an incident response plan and will notify affected users and the relevant supervisory authority within 72 hours of a confirmed personal data breach, as required by GDPR Articles 33-34.

For more information, see our Security Policy.


  10. Cookies and Tracking Technologies

We use cookies and similar technologies as described in our Cookie Policy. Key points:

  • Strictly necessary cookies (authentication, language preference, consent state) do not require consent and are set automatically.
  • Analytics cookies (PostHog) are set only after you grant consent through our cookie consent banner or privacy settings. Until consent is granted, analytics operates in memory-only mode with no persistent cookies.
  • Marketing and third-party cookies are currently not in use but infrastructure exists for future consent-gated deployment.
  • The bubba_consent cookie stores your consent preferences, including a randomly generated fingerprint ID used solely for anonymous consent tracking. This ID is never shared with PostHog or any other analytics/tracking system.
  • The bubba_jurisdiction cookie stores your geo-detected jurisdiction (EU/GDPR, CCPA, or other) for 24 hours to apply appropriate consent defaults.

You can manage your cookie preferences at any time through our Cookie Settings page or the Privacy Settings in your app.


  11. Changes to This Privacy Policy

We may update this privacy policy from time to time. When we do:

  • Material changes will be communicated via email and/or in-app notification.
  • The "Last updated" date and version number at the top will be revised.
  • Where changes affect processing that relies on your consent, we will request your renewed consent through our re-consent mechanism before the changes take effect.
  • You can review previous versions through our policy versioning system.

If you disagree with any changes, you may exercise your right to erasure as described in Section 6.3.


  12. Contact Us

For any questions or concerns about this privacy policy or our data processing practices:

Email: privacy@bubba.pet
Postal address: Žirmūnų g. 57-50, LT-09110 Vilnius, Lithuania
DPO: Not appointed — contact privacy@bubba.pet

This privacy policy is provided in English. Translations may be available; in case of any discrepancy, the English version prevails.