How Puptides handles your data
Most of what you do on Puptides — your Pet Passport, your pet's logs, your cart — lives in your own browser, on your own device, not on our servers. This page explains exactly what does reach us, why, who helps us process it, and what your rights are under EU law. No legalese wall: every section says what it means.
This document is a working draft provided for the operator; have qualified legal counsel review it before relying on it. Bracketed [placeholders] mark decisions the operator still needs to make.
1 Who we are and what this covers
Puptides is an EU-facing web store for research-use peptides and compounds for dogs and cats, together with the Pet Passport (a web tool for logging your pet's plan) and our community and research pages. This policy covers the Puptides website at puptides.eu.
The data controller is [legal entity name, company number, registered address]. When we say "we" in this policy, that is who we mean.
Two things frame everything below: Puptides products are supplied for research use, and nothing on this site is veterinary medical advice or a diagnosis. The Pet Passport is an observational logging tool, not a medical device. And Puptides is for adults only — you must be 18 or older to use it.
2 The Pet Passport lives on your device
When you create a Pet Passport, your browser stores, locally:
- Your email address — used as your sign-in name.
- A scrambled form of your password. Honest caveat: the current Passport is an early version, and its password scrambling is basic obfuscation, not bank-grade protection of the kind a server-side account system would use. Please do not reuse a password you care about (like your email or banking password) for your Passport.
- Your pets and their logs — names, species, weigh-ins, doses, coat check-ins, energy scores and side-effect notes, plus the statistics the dashboard computes from them.
Because this data lives only in your browser: it does not follow you to a second device, private/incognito browsing may not keep it at all, and deleting it is entirely in your hands (clear the site's data in your browser settings, or delete pets and logs inside the Passport itself).
There is no blood-test data of any kind on Puptides. Puptides does not offer blood tests, and the Passport does not connect to wearables, vet clinics or laboratories.
3 Orders, payment and the wishlist
Your cart
Items you add to the cart are kept in your browser's local storage on your device. Browsing, comparing and filling a cart sends nothing to us.
Placing an order
When you place an order, your browser sends our order service:
- the items, quantities and prices in your order;
- your chosen delivery cadence and whether you asked for discreet packaging;
- the email address on your Pet Passport session (so we can send your receipt);
- an order reference and the time the order was placed.
We use this to send you an order receipt by email and to alert the merchant so your order can be prepared. Where live fulfilment is enabled, we also collect your shipping address, including your country, because we cannot ship a parcel without one.
Payment
Where live payment is enabled, card payments are handled by Stripe, a dedicated payment processor. Your full card details go directly to Stripe and are processed under Stripe's own security standards — we never see or store your full card number. We receive only what we need to manage the order: confirmation that payment succeeded, and payment references.
The wishlist
If you press "add to wishlist" on a product, your browser sends our mail service the item's details (name, size, price, cadence) and — if you are signed in to a Passport — your email address, so we can let you know about that item. A small flag is saved on your device so the button remembers you already added it and does not send the same item twice.
4 First-party analytics (being rolled out)
As this rolls out, the analytics will record:
- Pageviews — which pages are visited;
- Shop funnel events — add-to-cart and checkout steps, so we can see where the flow loses people;
- A per-session ID — a random identifier for one visit;
- A per-browser device ID — a random identifier stored in your browser's local storage, so we can tell returning browsers apart without knowing who you are;
- Your IP address, reduced to country only — the IP is used to work out which country a visit came from, is truncated, and is kept only briefly.
These identifiers are random values, not your name or email. Because the session and device IDs are stored on your device and are not strictly necessary to show you the site, we treat them as consent-based under EU ePrivacy rules — see legal bases and local storage below.
5 Email, and how we protect addresses (being introduced)
- Hashed at capture: the address is lowercased and passed through SHA-256, a one-way scramble. The hash lets us recognise "same person" without storing a readable address.
- Kept readable only for: your Pet Passport account (it is your sign-in name), your orders (we must be able to send you a receipt), and email updates you explicitly opted into.
- Sending: transactional email (receipts, order alerts) and any opt-in email are sent through Resend, our email delivery provider. You can withdraw an email opt-in at any time and every marketing email will include a way to do so.
6 Buddy, the voice button
Buddy uses your browser's own built-in speech recognition to turn a short phrase like "coat" or "quiz" into a page to open. We do not receive, record or store any audio. Depending on your browser, its vendor may process the audio through its own speech service (for example, Chrome uses Google's) under that vendor's privacy policy. The microphone is only active after you tap the button, and your browser will ask for microphone permission the first time.
7 · What we never do
- We do not sell personal data. To anyone. Ever.
- We do not use third-party advertising trackers — no ad pixels, no cross-site tracking, no data brokers.
- We do not collect human health data — no blood tests, no wearables, nothing about you beyond what this policy lists.
- We do not read your Pet Passport — it lives on your device; we only receive the email on your session when you place an order or use the wishlist.
- We do not send marketing email without an explicit opt-in.
8 Who helps us run Puptides
A small number of service providers process data on our behalf, under contracts that limit what they may do with it:
| Provider | What they do | What they see |
|---|---|---|
| Stripe | Payment processing (where live payment is enabled) | Your card details and payment information — sent by your browser directly to Stripe; we never store full card numbers |
| Resend | Email delivery — order receipts, merchant alerts, wishlist and opt-in email | Your email address and the contents of the emails we send you (order items, totals) |
| DigitalOcean | Hosting — the servers this website and our order service run on | Whatever passes through our servers, as infrastructure; standard server logs |
That is the whole list. Puptides does not use analytics vendors, ad networks, or social-media plugins.
9 Our legal bases under the GDPR
EU law requires a lawful basis for each use of personal data. Here are ours:
| Basis | What it covers here |
|---|---|
| Contract Art. 6(1)(b) |
Taking, confirming and fulfilling your orders — items, receipt emails, shipping address, payment references. |
| Consent Art. 6(1)(a) |
Email updates you opt into; the non-essential analytics identifiers (session ID and device ID) stored in your browser. You can withdraw consent at any time. |
| Legitimate interests Art. 6(1)(f) |
First-party measurement of how the store performs (in the privacy-reducing form described above), and keeping the site secure — preventing fraud and abuse. |
Where we rely on legitimate interests, you have the right to object — see your rights.
10 Local storage on your device
Puptides does not set third-party cookies. It uses your browser's local storage — data kept on your own device — for the following:
| What | Why | Essential? |
|---|---|---|
Pet Passport puptides-passport-v1 |
Your account, pets and logs — the Passport itself | Yes — it is the feature |
| Cart | Remembering what you put in your cart | Yes — needed to shop |
Wishlist flags pup.wish.* |
Remembering which items you already wishlisted, so we do not send duplicates | Yes — prevents duplicate sends |
| Analytics session & device IDs (being rolled out) | First-party measurement, as described in section 4 | No — used only with your consent |
You can clear all of it at any time through your browser's site-data settings. Clearing it also deletes your Pet Passport, so export or note anything you want to keep first.
11 How long we keep things
- On-device data (Passport, cart, wishlist flags): kept by your browser until you delete it. We do not hold a copy.
- Order records and receipts: kept for as long as needed to fulfil and support your order, and after that only as long as tax, accounting and consumer-law obligations require — [counsel: confirm the statutory retention period for the operating jurisdiction].
- Analytics: IP addresses are reduced to country and truncated at collection, with the raw value kept only briefly; event data is kept on a short retention schedule — [operator: state the exact retention window, e.g. 12 months, once fixed].
- Hashed email addresses: kept while relevant to the purpose they were captured for; they are one-way scrambles and cannot be turned back into readable addresses.
- Opt-in email lists: until you unsubscribe or ask us to delete you.
12 Where data goes
Puptides is hosted on DigitalOcean infrastructure. Some of our providers (see section 8) may process data outside the European Economic Area. Where that happens, we will only allow it with a recognised safeguard under the GDPR, such as an adequacy decision or the European Commission's standard contractual clauses. [Counsel: verify the transfer mechanism in place for each provider — Stripe, Resend, DigitalOcean — before publishing.]
13 Your rights
Under the GDPR you have the right to:
- Access — ask for a copy of the personal data we hold about you;
- Rectification — have inaccurate data corrected;
- Erasure — have your data deleted ("right to be forgotten"), subject to legal retention duties on order records;
- Restriction — limit how we use your data while a dispute is resolved;
- Portability — receive data you gave us in a machine-readable format;
- Objection — object to processing based on legitimate interests;
- Withdraw consent — for anything consent-based (email opt-ins, analytics identifiers), at any time, without affecting past processing;
- Complain — to your national data protection authority. You can find yours through the European Data Protection Board's list of national authorities.
To exercise any of these, email [privacy contact email — e.g. privacy@puptides.eu]. We will respond within one month, as the GDPR requires. Remember that for Passport data the fastest path is your own device — it is yours to edit or delete directly, and we cannot delete what we never received.
14 Adults only
Puptides is for adults aged 18 and over. The site is not directed at children and we do not knowingly collect data from anyone under 18. If you believe a minor has given us personal data, contact us and we will delete it.
15 Changes to this policy
If our data practices change — for example when the first-party analytics or email capture described above go live, or if a provider changes — we will update this page and its effective date. For significant changes affecting data we hold about you (such as your order email), we will tell you directly by email where we reasonably can.
16 Contact
Questions, requests or complaints about privacy on Puptides:
- Email: [privacy contact email — e.g. privacy@puptides.eu]
- Controller: [legal entity name and registered address]
If you are not happy with our answer, you can complain to your national data protection authority at any time.