Privacy Policy
Last updated: April 7, 2026
1. Introduction
SmashTech Ltd ("Company", "we", "us", "our"), registered in Athens, Greece, operates the Tails Up platform, including the website at https://tailsup.gr and the Tails Up mobile application (iOS and Android) (collectively, the "Service").
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our Service. It also describes your rights under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Greek data protection law (Law 4624/2019).
We are committed to protecting your privacy and processing your personal data lawfully, fairly, and transparently. Please read this Privacy Policy carefully. By using the Service, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
The data controller for personal data processed through the Service is:
SmashTech Ltd
Athens, Greece
- Privacy Contact: privacy@tailsup.gr
- General Support: support@tailsup.gr
If you have any questions or concerns about how we process your personal data, please contact us at the email addresses above.
3. Personal Data We Collect
We collect and process the following categories of personal data:
3.1. Data You Provide Directly
| Category | Data Elements | Purpose |
|---|---|---|
| Account Information | Email address, password (encrypted), display name | Account creation and authentication |
| Profile Information | Phone number, location (city/address), bio, website URL, avatar/profile photo, timezone, preferred language | Profile personalisation and communication |
| Pet Information | Pet name, species, breed, date of birth, gender, colour/markings, medical notes, microchip number | Pet profile management |
| Pet Media | Pet photos, medical documents (vaccination certificates, insurance, registration, pedigree, licences) | Pet record-keeping |
| Pet Health Data | Veterinary appointment records, vaccination history, medication schedules, treatment notes, feeding plans, weight tracking | Pet health management and event scheduling |
| Business Information | Business name, description, email, phone, full address (street, city, postal code, country), geographic coordinates, business hours, business type, service tags, logo/images | Business profile and discovery |
| Review Content | Ratings, written reviews of businesses | Community trust and business evaluation |
| Payment Information | Subscription tier, billing period (monthly/yearly) | Subscription management |
| Communications | Support requests, feedback messages | Customer support |
3.2. Data Collected Automatically
| Category | Data Elements | Purpose |
|---|---|---|
| Usage Data | Pages/screens visited, features used, actions taken, timestamps, session duration | Service improvement and analytics |
| Device Information | Device type, operating system, app version, device identifier, screen resolution | Technical support and compatibility |
| Log Data | IP address, browser type, user agent, request timestamps, request identifiers | Security, debugging, and fraud prevention |
| Location Data | GPS coordinates (mobile, with your permission), approximate location from IP address | Nearby business discovery and map features |
| Analytics Events | Feature usage events, subscription events, navigation patterns | Product analytics and improvement |
3.3. Data from Third Parties
| Source | Data Elements | Purpose |
|---|---|---|
| Google OAuth | Email address, display name, Google account identifier | Account creation via Google Sign-In |
| Apple Sign-In | Email address (may be relayed), Apple account identifier | Account creation via Apple Sign-In |
| Stripe | Payment status, subscription status, invoice data (we do not receive or store full card numbers) | Payment processing and subscription management |
| RevenueCat (mobile) | Subscription status, entitlements, purchase history | Mobile subscription management |
| Apple App Store / Google Play Store | Transaction receipts, subscription status | In-app purchase verification |
3.4. Special Categories of Data
We may process data that relates to pet health (veterinary records, vaccination history, medical notes). While pet health data is not classified as a special category of personal data under the GDPR (which applies to natural persons), we treat this data with heightened care given its sensitive nature.
We do not intentionally collect special categories of personal data as defined in Article 9 of the GDPR (racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data for identification, health data of natural persons, or data concerning sex life or sexual orientation).
Biometric authentication (Face ID, Touch ID, fingerprint) is processed entirely on your device by the operating system. We never collect, receive, or store your biometric data.
4. Legal Basis for Processing
Under the GDPR, we process your personal data based on the following legal grounds:
| Legal Basis | Processing Activities |
|---|---|
| Performance of Contract (Art. 6(1)(b)) | Account creation and management, providing the Service features, processing subscriptions and payments, pet profile management, pet sharing, event scheduling, business listings |
| Consent (Art. 6(1)(a)) | Push notifications, marketing communications, analytics tracking (PostHog, Firebase Analytics), location data collection (GPS), cookies (non-essential) |
| Legitimate Interests (Art. 6(1)(f)) | Service improvement and analytics, fraud prevention and security monitoring, error tracking and debugging (Sentry), enforcing our Terms and Conditions, protecting our legal rights |
| Legal Obligation (Art. 6(1)(c)) | Tax and accounting records for financial transactions, responding to lawful requests from public authorities, data retention requirements under applicable law |
Where we rely on consent, you may withdraw your consent at any time (see Section 9). Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms.
5. How We Use Your Data
We use your personal data for the following purposes:
5.1. Service Delivery
- Creating and managing your account.
- Providing pet profile management, event scheduling, and reminder features.
- Enabling pet sharing between users with role-based permissions.
- Displaying business listings and enabling reviews.
- Processing payments and managing subscriptions.
- Providing training programs and content.
- Delivering push notifications, email notifications, and in-app notifications.
5.2. Communication
- Sending transactional emails (account verification, password resets, payment receipts).
- Sending event reminders and pet care notifications.
- Responding to support requests and feedback.
- Sending marketing communications (with your consent).
5.3. Service Improvement
- Analysing usage patterns and feature adoption.
- Identifying and fixing technical issues.
- Developing new features and improving existing ones.
- Conducting A/B testing for product improvements.
5.4. Safety and Security
- Detecting and preventing fraud, abuse, and security threats.
- Monitoring for unauthorised access and suspicious activity.
- Enforcing our Terms and Conditions.
- Maintaining audit logs for accountability and compliance.
- Rate limiting to protect service integrity.
5.5. Legal and Regulatory
- Complying with applicable laws, regulations, and legal processes.
- Establishing, exercising, or defending legal claims.
- Maintaining records required by tax and financial regulations.
6. Data Sharing and Disclosure
We do not sell your personal data. We share your data only in the following circumstances:
6.1. Third-Party Service Providers (Data Processors)
We use the following third-party service providers who process data on our behalf under data processing agreements:
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Firebase (Google) | Authentication, push notifications (FCM) | Email, user ID, device tokens, FCM tokens | EU/US (Google Cloud) |
| Stripe | Payment processing (web) | Stripe customer ID, payment status, subscription data (not full card numbers) | EU/US |
| RevenueCat | Mobile subscription management | User ID, subscription status, purchase history | US |
| Cloudflare R2 | File storage (photos, documents) | Uploaded files (pet photos, documents, business images) | Global (auto-region) |
| Resend | Transactional email delivery | Email address, email content | US |
| PostHog | Product analytics | Usage events, user ID, device info, IP address | EU (eu.i.posthog.com) |
| Sentry | Error tracking and monitoring | Error logs, device info, user context | EU/US |
| Google Maps | Map display and business locations | Location queries, map interactions | EU/US |
| AWS KMS | Data encryption key management | Encryption keys (not personal data directly) | EU |
| Google Gemini API | AI-generated content | Content prompts (not personal user data) | EU/US |
| Apple | iOS in-app purchases, Apple Sign-In | Apple ID, transaction data | US |
| Google | Android in-app purchases, Google Sign-In | Google account ID, transaction data | EU/US |
6.2. Other Users
When you use pet sharing features, the users you share with will have access to your pet's data based on the permissions you configure. Your display name and avatar may be visible to users you interact with (e.g., when leaving reviews or sharing pets).
6.3. Business Information
If you register as a business owner, your business profile information (name, address, contact details, hours, services) will be publicly visible to other users of the Service.
6.4. Legal Requirements
We may disclose your personal data if required to do so by law, or if we believe in good faith that such action is necessary to:
- Comply with a legal obligation or valid legal process.
- Protect and defend our rights or property.
- Prevent fraud or protect the safety of our users or the public.
- Respond to requests from competent public authorities.
6.5. Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any choices you may have regarding your data.
7. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), particularly the United States, where some of our third-party service providers are located.
When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
- Adequacy decisions by the European Commission, where applicable.
- EU-US Data Privacy Framework certification of the receiving entity, where applicable.
You may request a copy of the safeguards in place by contacting us at privacy@tailsup.gr.
8. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required or permitted by law.
| Data Category | Retention Period | Justification |
|---|---|---|
| Account data | Duration of account + 30 days after deletion request | Service delivery and account recovery |
| Pet profiles and media | Duration of account (deleted with account) | Service delivery |
| Payment and subscription records | 7 years after last transaction | Greek tax and accounting law (Law 4174/2013) |
| Activity/audit logs (low severity) | 30 days | Security monitoring |
| Activity/audit logs (medium severity) | 90 days | Security monitoring |
| Activity/audit logs (high severity) | 180 days | Security investigation |
| Activity/audit logs (critical severity) | 365 days | Legal compliance and fraud prevention |
| Analytics data | 24 months | Service improvement |
| Guest account data | 15 days after trial expiration (web), 7 days (mobile) | Trial period management |
| Email verification records | 24 hours after verification | Security |
| Security threat logs | 365 days | Investigation and legal compliance |
| Notification delivery logs | 90 days | Delivery tracking and debugging |
| Backup data | 30 days (rolling) | Disaster recovery |
After the retention period, data is permanently deleted or anonymised so that it can no longer be associated with you.
9. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
9.1. Right of Access (Art. 15)
You have the right to request a copy of the personal data we hold about you, along with information about how it is processed.
9.2. Right to Rectification (Art. 16)
You have the right to request correction of inaccurate personal data or completion of incomplete data. You can update most of your data directly through your account settings.
9.3. Right to Erasure ("Right to Be Forgotten") (Art. 17)
You have the right to request deletion of your personal data. You can delete your account through the Service, which will trigger deletion of your data in accordance with our retention schedule. Note that we may retain certain data where we have a legal obligation or legitimate interest to do so.
9.4. Right to Restriction of Processing (Art. 18)
You have the right to request restriction of processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
9.5. Right to Data Portability (Art. 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller, where processing is based on consent or contract and is carried out by automated means.
9.6. Right to Object (Art. 21)
You have the right to object to processing of your personal data based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your rights. You have an absolute right to object to processing for direct marketing purposes.
9.7. Right to Withdraw Consent (Art. 7(3))
Where processing is based on your consent, you may withdraw consent at any time. You can manage your consent preferences through:
- Push notifications: Device settings or in-app notification preferences.
- Marketing emails: Unsubscribe link in emails or notification preferences.
- Analytics: Contact us to opt out.
- Location data: Device settings (revoke location permission).
- Cookies: Browser settings or cookie preferences (see Cookies Policy).
9.8. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. The competent authority in Greece is:
Hellenic Data Protection Authority (HDPA)
Kifissias 1-3, 115 23, Athens, Greece
- Website: www.dpa.gr
- Email: contact@dpa.gr
- Phone: +30 210 6475600
You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence or place of work.
9.9. Exercising Your Rights
To exercise any of these rights, please contact us at privacy@tailsup.gr. We will respond to your request within 30 days, as required by the GDPR. If your request is complex, we may extend this period by a further 60 days, in which case we will inform you of the extension and the reasons for it.
We may need to verify your identity before processing your request. We will not charge a fee for exercising your rights, except in cases of manifestly unfounded or excessive requests, where we may charge a reasonable fee or refuse to act on the request.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including:
10.1. Technical Measures
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS/SSL.
- Encryption at rest: Sensitive data is encrypted using industry-standard encryption (AWS KMS).
- Secure authentication: Passwords are hashed and never stored in plain text. Authentication tokens are stored in encrypted secure storage on mobile devices.
- Access controls: Role-based access controls restrict data access to authorised personnel and systems.
- Rate limiting: Automated protection against brute-force attacks and abuse.
- Security headers: HTTP security headers (CORS, Content Security Policy, etc.) protect against common web vulnerabilities.
10.2. Organisational Measures
- Activity logging: Comprehensive audit trails for accountability.
- Security monitoring: Automated detection of suspicious activity and potential threats.
- Incident response: Procedures for handling data breaches, including notification to the supervisory authority within 72 hours and to affected individuals without undue delay where required by the GDPR (Articles 33 and 34).
- Third-party agreements: Data processing agreements with all sub-processors.
- Minimal data access: Personnel access data only on a need-to-know basis.
10.3. Payment Security
We do not store your full payment card details. All payment processing is handled by Stripe (PCI-DSS Level 1 certified) on the web and by Apple and Google on mobile. Only transaction references and subscription status are stored in our systems.
11. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18 without valid parental consent, we will take steps to delete that data promptly.
If you believe we have inadvertently collected data from a child under 18, please contact us at privacy@tailsup.gr.
12. Automated Decision-Making
We do not use your personal data for automated decision-making that produces legal effects or similarly significant effects on you, as described in Article 22 of the GDPR.
We may use automated processes for:
- Fraud detection: Automated systems may flag suspicious activity for human review.
- Feature access: Subscription tier determines available features (this is a contractual mechanism, not profiling).
- Content recommendations: AI-generated content suggestions based on pet species and general trends (not individual profiling).
13. Cookies and Similar Technologies
We use cookies and similar technologies on our website. For detailed information about the cookies we use, how we use them, and how you can manage your preferences, please refer to our Cookies Policy.
On our mobile application, we use similar technologies including local storage (AsyncStorage) and secure encrypted storage (SecureStore) for essential functionality such as authentication tokens and user preferences.
14. Push Notifications
With your consent, we send push notifications to your mobile device for event reminders, appointment notifications, pet sharing updates, and other Service-related communications. You can manage your push notification preferences through:
- In-app notification preferences: Granular control over notification categories.
- Device settings: Disable push notifications entirely through your device's operating system settings.
- Quiet hours: Configure time periods during which notifications are suppressed.
15. Third-Party Links and Services
The Service may contain links to third-party websites, services, or applications that are not operated by us. This Privacy Policy does not apply to third-party services. We encourage you to review the privacy policies of any third-party services you access through or in connection with our Service.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated Privacy Policy on the Service with a new "Last Updated" date.
- Sending a notification through the Service or to your registered email address.
For material changes, we will provide at least 30 days' notice before the changes take effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated Privacy Policy.
We encourage you to review this Privacy Policy periodically.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
SmashTech Ltd
Athens, Greece
- Privacy Inquiries: privacy@tailsup.gr
- General Support: support@tailsup.gr
- Website: https://tailsup.gr
We aim to respond to all privacy-related inquiries within 30 days.