Privacy Policy
Last updated: 14 May 2025 · Effective: 14 May 2025
This Privacy Policy explains how Plan for Paw ("we", "us", "our") collects, uses, stores and shares your personal data when you visit planforpaw.com (the "Site") or purchase our products. We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), and the California Consumer Privacy Act (CCPA / CPRA).
1. Who We Are
Plan for Paw is an online store selling printable and fillable digital PDF templates for pet owners. Our products are delivered as instant downloads — we do not ship physical goods.
Data Controller: Plan for Paw
Contact: planforpaw@proton.me
Website: planforpaw.com
For the purposes of the GDPR and UK GDPR, Plan for Paw is the data controller of the personal data described in this policy.
2. Data We Collect
2.1 Data you provide directly
- Email address & first name — when you subscribe to our newsletter or download a free resource via the lead magnet form.
- Email address & name — provided to Stripe during checkout, used to deliver your order confirmation and download link.
- Review content — if you submit a product review, we store your name, star rating and review text.
2.2 Payment data
All payments are processed by Stripe, Inc. Stripe collects your card details directly. We never see, receive or store your card number, expiry date, CVV or bank account information. We only receive a confirmation that payment was successful, along with your name, email and the order amount.
2.3 Data collected automatically
- IP address — collected with every order for fraud prevention and legal compliance, and also collected as part of our internal analytics system.
- Country and city — derived from your IP address using an offline geolocation database. This approximate location data is used solely for aggregate analytics (e.g. "30% of visitors are from the UK") and is never shared with third parties for targeting purposes.
- Device type — mobile, tablet, or desktop — derived from your browser's User-Agent string, used for analytics.
- Page views and interaction events — we record which pages you visit, when you add a product to your cart, and when you begin checkout. These events are stored in our own database and are not sent to any third-party analytics provider.
- Referrer URL — the URL of the page that referred you to our site, where provided by your browser.
- Browser and operating system — inferred from the User-Agent header for device analytics.
2.4 Data we do NOT collect
- We do not collect data through Google Analytics or any third-party analytics platform.
- We do not use Facebook Pixel, TikTok Pixel, or any advertising tracking technology.
- We do not collect biometric or sensitive personal data.
- We do not build advertising profiles or sell your data to any third party.
3. Legal Bases for Processing (GDPR / UK GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we rely on the following legal bases under Article 6 of the GDPR / UK GDPR:
| Processing activity | Legal basis | GDPR Article |
|---|---|---|
| Processing your order and delivering your download | Performance of a contract | Art. 6(1)(b) |
| Sending order confirmation and download link | Performance of a contract | Art. 6(1)(b) |
| Sending marketing emails (newsletter) | Consent | Art. 6(1)(a) |
| Internal analytics (page views, cart events, device type, location) | Legitimate interests — understanding how our site is used and improving it | Art. 6(1)(f) |
| Fraud prevention and IP logging with orders | Legitimate interests / Legal obligation | Art. 6(1)(c) / (f) |
| Retaining tax and order records | Legal obligation | Art. 6(1)(c) |
| Publishing approved product reviews | Legitimate interests — social proof for potential customers | Art. 6(1)(f) |
Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interests at any time (see Section 9).
4. How We Use Your Data
- To process and fulfil your purchase, including sending a download link to your email.
- To send you transactional emails (order confirmation, download access).
- To send you marketing emails about pet care tips, new products and offers — only if you have subscribed. You may unsubscribe at any time using the link in any email.
- To operate and improve our internal analytics so we can understand which products and pages are popular.
- To detect and prevent fraud.
- To comply with tax, accounting and legal obligations.
- To display product reviews on product pages (only approved reviews are published).
We will never use your data for automated profiling or decision-making that has a significant legal or similar effect on you.
6. Third-Party Services & Data Processors
We share your personal data only with the service providers listed below, strictly to the extent necessary to operate our business. We do not sell, rent or trade your personal data with any third party.
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Name, email, payment card details (collected directly by Stripe), order amount | USA / EU (DPF certified) |
| Resend | Transactional email delivery (order confirmations, download links) | Email address, name, order details | USA / EU |
| Google LLC | Font delivery (Google Fonts) | IP address (on font load) | USA (DPF certified) |
All processors listed above are bound by data processing agreements and/or standard contractual clauses in accordance with GDPR Article 28. Stripe and Google are certified under the EU–US and UK–US Data Privacy Framework.
7. International Data Transfers
Some of our service providers (Stripe, Resend, Google) are based in the United States. Where we transfer personal data from the EEA or UK to a country that does not benefit from an adequacy decision, we rely on one or more of the following safeguards:
- EU–US Data Privacy Framework (DPF) — for transfers to DPF-certified US companies (Stripe, Google).
- Standard Contractual Clauses (SCCs) — where the DPF does not apply, we execute the European Commission's approved standard contractual clauses.
- UK International Data Transfer Agreements (IDTAs) — for transfers from the UK where required.
You may request a copy of the relevant transfer mechanisms by contacting us at planforpaw@proton.me.
8. Data Retention
| Data type | Retention period | Reason |
|---|---|---|
| Order records (name, email, items, amount) | 7 years from purchase date | UK / EU tax and accounting legal obligations |
| Download tokens | 7 days from order | Security — short-lived access |
| Newsletter subscribers | Until unsubscribed or deletion requested | Consent-based; revocable at any time |
| Analytics events (IP, page, device) | 13 months from collection | Year-over-year trend comparison |
| Product reviews | Until the product is removed or deletion is requested | Legitimate interest in accurate product information |
| Coupon usage records | 3 years | Fraud prevention and accounting |
After the applicable retention period, data is securely deleted or anonymised so it can no longer be linked to an individual.
9. Your Rights (EU & UK)
If you are located in the European Economic Area or United Kingdom, you have the following rights under the GDPR / UK GDPR:
- Right of access (Art. 15) — you may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — you may request correction of inaccurate or incomplete personal data.
- Right to erasure ("right to be forgotten", Art. 17) — you may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent. This right does not apply where we are required to retain data by law (e.g. tax records).
- Right to restriction of processing (Art. 18) — you may request that we restrict how we use your data in certain circumstances.
- Right to data portability (Art. 20) — where processing is based on consent or contract, you may request your data in a structured, machine-readable format.
- Right to object (Art. 21) — you may object to processing based on legitimate interests (including our internal analytics). We will then cease processing unless we can demonstrate compelling legitimate grounds.
- Right to withdraw consent (Art. 7(3)) — where processing is based on your consent (e.g. newsletter), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Right not to be subject to automated decision-making (Art. 22) — we do not make automated decisions that produce legal or similarly significant effects about you.
To exercise any of these rights, email us at planforpaw@proton.me. We will respond within 30 days (or within 72 hours for data breach notifications where required). If we cannot comply, we will explain why.
You also have the right to lodge a complaint with your supervisory authority:
- EU residents: your national data protection authority (e.g. CNIL in France, BfDI in Germany, AEPD in Spain).
- UK residents: the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, SK9 5AF.
10. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
Categories of personal information we collect
In the past 12 months, we have collected the following categories as defined by the CCPA:
- Identifiers — name, email address, IP address.
- Commercial information — products purchased, order amounts.
- Internet or other electronic network activity — page views, browser type, device type, referrer URL.
- Geolocation data — approximate city/country derived from IP address (not precise GPS location).
We do not sell or share your personal information
We do not sell your personal information to third parties. We do not share your personal information with third parties for cross-context behavioural advertising. You therefore do not need to submit a "Do Not Sell or Share My Personal Information" request, but we honour any such request received.
Your California rights
- Right to know — you may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete — you may request deletion of your personal information, subject to certain exceptions (e.g. completing a transaction, legal compliance).
- Right to correct — you may request correction of inaccurate personal information.
- Right to opt out of sale/sharing — not applicable, as we do not sell or share personal information for advertising.
- Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined by the CPRA.
- Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA rights.
To submit a CCPA request, email planforpaw@proton.me with the subject line "California Privacy Request". We will respond within 45 days, or notify you if an extension is needed.
Other US state privacy rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon (OCPA) and other US states with applicable privacy laws have similar rights to those described above. Contact us at planforpaw@proton.me to exercise any applicable rights.
11. Children's Privacy
Our Site is intended for adults aged 16 and over. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at planforpaw@proton.me and we will delete it promptly.
For EEA users, we will not send marketing communications to individuals under 16 without verifiable parental consent.
12. Security
We implement appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration or destruction. These measures include:
- HTTPS / TLS encryption for all data transmitted between your browser and our servers.
- Payment data handled exclusively by Stripe — we never handle raw card data.
- Download tokens are single-use with a 7-day expiry.
- Admin access is password-protected with non-guessable credentials.
- Our analytics data is stored on our own server and not accessible to third parties.
No transmission of data over the internet can be guaranteed to be 100% secure. In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR Articles 33–34.
13. Affiliate Links
Some pages on our Site contain affiliate links (e.g. Amazon Associates). If you click an affiliate link and make a purchase, we may earn a small commission at no extra cost to you. Clicking affiliate links may allow third-party sites to set their own cookies on your device, subject to their respective privacy policies. We only recommend products we genuinely believe are useful for pet owners.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements or services. The "Last updated" date at the top of this page will always reflect the most recent revision.
For material changes that significantly affect how we process your data, we will notify newsletter subscribers by email and display a notice on our Site. Your continued use of the Site after any changes constitutes acceptance of the updated policy.
15. Contact & Complaints
If you have any questions, concerns or requests regarding this Privacy Policy or our data practices, please contact us:
Plan for Paw — Privacy Team
Email: planforpaw@proton.me
Subject line: "Privacy Request"
We aim to respond to all privacy-related enquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority (see Section 9 for contact details).
For CCPA requests, please include "California Privacy Request" in the subject line. For urgent data breach concerns, please mark your email as "URGENT".