Privacy Notice
Last updated: June 2026 - Version 1.1
This Privacy Notice explains how Fluffifi Ltd (“Fluffifi”, “we”, “us”, “our”) collects, uses, shares, and protects your personal data when you use our website and services at www.fluffifi.co.uk.
We are committed to protecting your privacy and handling your data in an open, transparent way. This notice is written in plain English.
1. Who We Are (Data Controller)
Fluffifi Ltd (company no. 15793565) is the data controller for personal data collected through our platform. Registered office: 128 City Road, London, EC1V 2NX. We are registered in England and Wales and are subject to UK data protection law - principally the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
If you have any questions about this notice or how we handle your data, please contact us at: support@fluffifi.co.uk or via our contact form.
2. What Personal Data We Collect
Account data
- Name, email address, and password (hashed, never stored in plain text)
- Profile information you choose to add (profile photo, bio, location)
- Pet profile data you create (pet name, species, breed, photos)
Transactional data
- Order history, booking history, and payment confirmations
- Billing details processed via Stripe (we do not store card numbers)
- Subscription plan information processed via Shopify
Usage data
- Pages visited, features used, and in-app activity logs
- Device type, browser, IP address, and approximate location (from IP)
- Cookies and similar tracking technologies (see our Cookie Policy)
Communications data
- Messages sent through our in-app inbox
- Posts, comments, forum replies, and content you publish
- Support requests, complaints, and feedback you submit
Seller, service provider, veterinary, and charity data
- Business, practice, or charity name, address, and contact details
- Identity verification documents (KYC) for sellers, service providers, veterinary practices, and charities - stored securely in AWS S3
- Bank account details for payouts (processed via Stripe Connect)
- Tax identification information where required by law
3. How We Use Your Data and Our Lawful Bases
We only process your personal data where we have a valid lawful basis under UK GDPR Article 6.
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Creating and managing your account | Contract (Art. 6(1)(b)) |
| Processing orders, bookings, and payments | Contract (Art. 6(1)(b)) |
| Providing customer support | Contract / Legitimate interests (Art. 6(1)(f)) |
| Sending transactional emails (order confirmation, booking reminders) | Contract (Art. 6(1)(b)) |
| Sending marketing emails (newsletters, promotions) | Consent (Art. 6(1)(a)) - opt-in only |
| Improving our platform (understanding which features are used, from our own server logs and aggregate first-party usage data; we do not use third-party analytics services or tracking cookies) | Legitimate interests (Art. 6(1)(f)) |
| Preventing fraud, abuse, and illegal activity | Legitimate interests / Legal obligation (Art. 6(1)(c)/(f)) |
| Complying with legal and regulatory obligations | Legal obligation (Art. 6(1)(c)) |
| KYC identity verification for sellers, service providers, veterinary practices, and charities | Legal obligation / Contract (Art. 6(1)(b)/(c)) |
4. Marketing and Communications
We will only send you marketing emails or SMS messages if you have explicitly opted in. You can withdraw consent at any time by:
- Visiting your account settings and toggling marketing preferences off
- Clicking the unsubscribe link in any marketing email
- Contacting us at support@fluffifi.co.uk
Withdrawing consent will not affect the lawfulness of processing carried out before you withdrew consent, and it will not affect transactional communications (such as order confirmations) which are sent under the contract basis.
5. Who We Share Your Data With
We do not sell your personal data. We share it only with trusted processors and partners necessary to deliver our services:
- Amazon Web Services (AWS) - cloud hosting and secure storage (S3), and automated content moderation. Processed in the EU and UK.
- Resend - delivery of our transactional emails and, if you opt in, marketing emails.
- Stripe Inc. - payment processing and seller payouts. Stripe is PCI-DSS certified. Their privacy policy applies to payment data.
- Shopify Inc. - subscription billing for our paid plans. Shopify processes billing data on our behalf.
- Shippo and Sendcloud- shipping rate calculation and label generation for physical orders. They receive the delivery recipient's name and address only when an order ships.
- Anthropic (Claude)- AI features including automated moderation of uploaded images and reels, suggested replies, listing copy assistance, and generating your pet's in-app personality text. The relevant text and images are processed to provide these features. Under our commercial terms, your content is not used to train Anthropic's models.
- postcodes.io - postcode geocoding for local results and the area directory (postcode only, not your identity).
- OpenStreetMap & OSRM - map tiles for the discovery map and route/drive-time estimates for the Service Hub route planner. When you open a map your browser requests tiles from OpenStreetMap (which receives your IP address and the area being viewed); route planning uses approximate booking coordinates.
All third-party processors are bound by Data Processing Agreements (DPAs) consistent with UK GDPR Article 28. Some processors are based outside the UK/EEA (for example Stripe and Anthropic in the United States); where personal data is transferred internationally we rely on the UK International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses) together with a transfer risk assessment. You can request details of the safeguard that applies.
We also share certain seller and service-provider data with HM Revenue & Customs (HMRC) where we are legally required to under the UK digital-platform reporting rules, and we may disclose data to law enforcement or regulators where the law requires it. These disclosures are made under a legal obligation, not for our own purposes.
6. Cookies
We use cookies and similar technologies to operate our platform, remember your preferences, and (with your consent) analyse usage. For full details, see our Cookie Policy.
7. Data Retention
We keep your personal data only for as long as necessary. When you delete your account, your data is deleted straight away - except for the narrow categories below that we are legally required to keep, which we anonymise so they can no longer identify you (UK GDPR Article 17(3)(b)) rather than keep against your name.
- Account & profile data: kept while your account is active; deleted when you delete your account.
- Content (posts, reels, comments, forums, messages): kept while your account is active; deleted when you delete your account.
- Financial / marketplace transaction records: where we are legally required to keep records of marketplace sales (UK tax and digital-platform reporting), we retain them for up to 6 years. If you delete your account within that period, these records are anonymised, not kept against your name.
- KYC identity documents: the document scans are deleted when you delete your account; only the minimal reportable identity data is retained, anonymised, where a legal obligation requires it.
- Marketing consent records: until you withdraw consent + 3 years (audit trail).
- Contact enquiries: 90 days, then deleted.
- Audit logs: 12 months rolling.
8. Your Rights
Under UK GDPR, you have the following rights:
- Right of access (Subject Access Request): request a copy of the personal data we hold about you.
- Right to rectification: request correction of inaccurate data.
- Right to erasure (“right to be forgotten”): request deletion of your data where we no longer have a lawful reason to hold it. You can delete your account and personal data yourself at any time from Privacy & Data in the app, or see how to delete your account.
- Right to restrict processing: ask us to pause processing of your data in certain circumstances.
- Right to data portability: receive your data in a structured, machine-readable format.
- Right to object: object to processing based on legitimate interests or for direct marketing.
- Rights related to automated decision-making: we use automated tools to help moderate uploaded content and to match bookings, but we do not make solely automated decisions that produce legal or similarly significant effects without human involvement. Where an automated moderation outcome affects your content or account, you can ask us to review it.
To exercise any of these rights, email us at support@fluffifi.co.uk with the subject line “Data Rights Request”. We will respond within one calendar month (extendable by two further months for complex requests, with notice).
9. Right to Complain to the ICO
If you believe we have handled your data unlawfully, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
ico.org.uk/make-a-complaint
We would, however, appreciate the opportunity to address your concerns before you approach the ICO. Please contact us first at support@fluffifi.co.uk.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include:
- Encryption in transit (TLS) and at rest (AES-256 on S3)
- Hashed passwords (bcrypt)
- Role-based access controls on all admin functions
- AWS security groups and private VPC configuration for our database
- Regular security reviews and penetration testing
11. Children
Our services are not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us immediately at support@fluffifi.co.uk.
12. Changes to This Notice
We may update this Privacy Notice from time to time. Material changes will be communicated to registered users by email or in-app notification at least 14 days before they take effect. The “Last updated” date at the top of this page will always reflect the current version.
© 2026 Fluffifi Ltd. Questions? support@fluffifi.co.uk