Privacy Notice
Last updated: May 2026 — Version 1.0
This Privacy Notice explains how Fluffifi Ltd (“Fluffifi”, “we”, “us”, “our”) collects, uses, shares, and protects your personal data when you use our website and services at www.fluffifi.co.uk.
We are committed to protecting your privacy and handling your data in an open, transparent way. This notice is written in plain English.
1. Who We Are (Data Controller)
Fluffifi Ltd is the data controller for personal data collected through our platform. We are registered in England and Wales and are subject to UK data protection law — principally the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
If you have any questions about this notice or how we handle your data, please contact us at: privacy@fluffifi.co.uk or via our contact form.
2. What Personal Data We Collect
Account data
- Name, email address, and password (hashed, never stored in plain text)
- Profile information you choose to add (profile photo, bio, location)
- Pet profile data you create (pet name, species, breed, photos)
Transactional data
- Order history, booking history, and payment confirmations
- Billing details processed via Stripe (we do not store card numbers)
- Subscription plan information processed via Shopify
Usage data
- Pages visited, features used, and in-app activity logs
- Device type, browser, IP address, and approximate location (from IP)
- Cookies and similar tracking technologies (see our Cookie Policy)
Communications data
- Messages sent through our in-app inbox
- Posts, comments, forum replies, and content you publish
- Support requests, complaints, and feedback you submit
Seller & service provider data
- Business name, trading address, and contact details
- Identity verification documents (KYC) — stored securely in AWS S3
- Bank account details for payouts (processed via Stripe Connect)
- Tax identification information where required by law
3. How We Use Your Data and Our Lawful Bases
We only process your personal data where we have a valid lawful basis under UK GDPR Article 6.
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Creating and managing your account | Contract (Art. 6(1)(b)) |
| Processing orders, bookings, and payments | Contract (Art. 6(1)(b)) |
| Providing customer support | Contract / Legitimate interests (Art. 6(1)(f)) |
| Sending transactional emails (order confirmation, booking reminders) | Contract (Art. 6(1)(b)) |
| Sending marketing emails (newsletters, promotions) | Consent (Art. 6(1)(a)) — opt-in only |
| Improving our platform through analytics | Legitimate interests (Art. 6(1)(f)) |
| Preventing fraud, abuse, and illegal activity | Legitimate interests / Legal obligation (Art. 6(1)(c)/(f)) |
| Complying with legal and regulatory obligations | Legal obligation (Art. 6(1)(c)) |
| KYC identity verification for sellers/providers | Legal obligation / Contract (Art. 6(1)(b)/(c)) |
4. Marketing and Communications
We will only send you marketing emails or SMS messages if you have explicitly opted in. You can withdraw consent at any time by:
- Visiting your account settings and toggling marketing preferences off
- Clicking the unsubscribe link in any marketing email
- Contacting us at privacy@fluffifi.co.uk
Withdrawing consent will not affect the lawfulness of processing carried out before you withdrew consent, and it will not affect transactional communications (such as order confirmations) which are sent under the contract basis.
5. Who We Share Your Data With
We do not sell your personal data. We share it only with trusted processors and partners necessary to deliver our services:
- Amazon Web Services (AWS) — cloud hosting, storage (S3), and email delivery infrastructure. Processed in the EU and UK.
- Stripe Inc. — payment processing and seller payouts. Stripe is PCI-DSS certified. Their privacy policy applies to payment data.
- Shopify Inc. — subscription billing for our paid plans. Shopify processes billing data on our behalf.
- Twilio / AWS SNS — SMS notification delivery (only if you opt in to SMS notifications).
All third-party processors are bound by Data Processing Agreements (DPAs) consistent with UK GDPR Article 28. Where data is transferred outside the UK, we ensure adequate safeguards are in place (e.g. Standard Contractual Clauses or UK adequacy decisions).
6. Cookies
We use cookies and similar technologies to operate our platform, remember your preferences, and (with your consent) analyse usage. For full details, see our Cookie Policy.
7. Data Retention
We retain your personal data only for as long as necessary:
- Account data: retained while your account is active and for 7 years after closure (legal/tax obligations).
- Transaction records: 7 years (HMRC / Companies Act requirements).
- Marketing consent records: until you withdraw consent + 3 years (audit trail).
- Contact enquiries: 90 days, then deleted.
- KYC documents: duration of seller/provider relationship + 5 years (AML obligations).
- Audit logs: 12 months rolling.
- Content (posts, comments, forums): retained while your account is active; deleted within 30 days of account closure (unless legal hold applies).
8. Your Rights
Under UK GDPR, you have the following rights:
- Right of access (Subject Access Request): request a copy of the personal data we hold about you.
- Right to rectification: request correction of inaccurate data.
- Right to erasure (“right to be forgotten”): request deletion of your data where we no longer have a lawful reason to hold it.
- Right to restrict processing: ask us to pause processing of your data in certain circumstances.
- Right to data portability: receive your data in a structured, machine-readable format.
- Right to object: object to processing based on legitimate interests or for direct marketing.
- Rights related to automated decision-making: we do not make solely automated decisions that produce legal or significant effects.
To exercise any of these rights, email us at privacy@fluffifi.co.uk with the subject line “Data Rights Request”. We will respond within one calendar month (extendable by two further months for complex requests, with notice).
9. Right to Complain to the ICO
If you believe we have handled your data unlawfully, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
ico.org.uk/make-a-complaint
We would, however, appreciate the opportunity to address your concerns before you approach the ICO. Please contact us first at privacy@fluffifi.co.uk.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include:
- Encryption in transit (TLS) and at rest (AES-256 on S3)
- Hashed passwords (bcrypt)
- Role-based access controls on all admin functions
- AWS security groups and private VPC configuration for our database
- Regular security reviews and penetration testing
11. Children
Our services are not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us immediately at privacy@fluffifi.co.uk.
12. Changes to This Notice
We may update this Privacy Notice from time to time. Material changes will be communicated to registered users by email or in-app notification at least 14 days before they take effect. The “Last updated” date at the top of this page will always reflect the current version.
© 2026 Fluffifi Ltd. Questions? privacy@fluffifi.co.uk