Privacy Policy

Last updated: 18 April 2026 · Effective immediately

PetExchange is committed to protecting your personal information and your right to privacy. This policy explains what information we collect, how we use it, and your rights under applicable UAE and international data-protection frameworks.

1. Overview

PetExchange (“PetExchange”, “we”, “us”, “our”) operates the digital marketplace at petexchange.ae — a regulated platform for buying and selling pets, pet products, and pet services across the UAE and GCC, incorporating escrow-protected payments, live auctions, veterinary services, and seller verification.

This Privacy Policy applies to all users of our website, mobile applications, APIs, and related services (collectively, the “Platform”). It should be read alongside our Terms of Service and Cookie Policy.

By creating an account or using the Platform, you acknowledge that you have read, understood, and agreed to this Privacy Policy.

2. Data Controller

The data controller responsible for your personal data is:

PetExchange FZ-LLC

Registered in the UAE Free Zone

Email: privacy@petexchange.ae

Data Protection Officer: dpo@petexchange.ae

3. Data We Collect

We collect data you provide directly, data generated by your use of the Platform, and data from third parties. Categories include:

3.1 Identity & Account Data

  • Full name, display name, and profile photograph
  • Email address and mobile phone number
  • Government-issued ID documents (for Verified Seller verification only)
  • Date of birth (age verification for restricted listings)
  • Seller trade licence or commercial registration number (businesses only)

3.2 Financial & Transaction Data

  • Payment card details (tokenised by Stripe — we do not store raw card numbers)
  • Stripe Customer ID and Subscription ID
  • Bank account details for Stripe Connect payouts (sellers)
  • Transaction history: amounts, currencies, statuses, escrow release dates
  • Platform fee amounts, payout records, invoice data
  • Subscription tier and billing cycle

3.3 Listing & Pet Data

  • Pet species, breed, age, health records, vaccination status
  • Listing title, description, images, price, and location (emirate)
  • CITES permit numbers (where required for protected species)
  • Auction bid history and final sale prices
  • Listing view counts and save (wishlist) data

3.4 Communications Data

  • Messages sent between buyers and sellers on the Platform
  • Dispute messages and attached evidence files
  • Email correspondence with our support team
  • Review and rating content you submit
  • Newsletter subscription preferences

3.5 Technical & Usage Data

  • IP address, browser type, operating system, device identifiers
  • Pages visited, search queries, filter selections, time on page
  • Core Web Vitals (LCP, CLS, INP) for performance monitoring
  • Error logs and crash reports
  • Referral source and UTM parameters
  • Cookie and local storage data (see Section 9)

3.6 Verification Data

  • Emirates ID or passport scans (processed by our KYC partner; not stored on PetExchange servers)
  • OTP verification logs
  • Seller document upload metadata (document type, upload timestamp)

4. Legal Bases for Processing

We process your personal data on the following legal bases under UAE Federal Law No. 45 of 2021 on Personal Data Protection and, where applicable, the EU General Data Protection Regulation (GDPR):

  • Contract performance — processing necessary to provide the marketplace, execute transactions, and manage your account
  • Legitimate interests — fraud prevention, platform security, product improvement, marketing to existing customers (where not overridden by your rights)
  • Legal obligation — compliance with UAE financial regulations, anti-money laundering (AML) obligations, and CITES permit verification
  • Consent — analytics cookies, marketing emails, and AI-generated content features (you may withdraw consent at any time)

5. How We Use Your Data

5.1 Platform Operation

  • Create and manage your buyer or seller account
  • Process listings, purchases, escrow payments, and payout transfers
  • Operate live auctions and manage bid history
  • Send transactional emails (order confirmation, escrow release, dispute updates)
  • Provide in-platform messaging between buyers and sellers
  • Display your listings and profile to other users

5.2 Safety, Trust & Compliance

  • Verify seller identity and business credentials
  • Screen listings for prohibited species (CITES Appendix I & II), illegal content, and scam phrases using automated moderation
  • Detect and prevent fraud, money laundering, and account takeover
  • Investigate and resolve disputes between buyers and sellers
  • Comply with UAE federal law, CITES obligations, and Stripe's financial regulations
  • Respond to lawful requests from UAE government authorities

5.3 Platform Improvement

  • Analyse usage patterns to improve search, recommendations, and UX
  • Monitor Core Web Vitals to optimise page performance
  • A/B test new features
  • Generate anonymised marketplace analytics (GMV, category trends, etc.)

5.4 Marketing & Communications

  • Send the weekly PetExchange digest newsletter (opt-in only)
  • Notify you of price drops on saved listings (opt-in)
  • Inform you of new features, promotions, and platform updates
  • Personalise homepage content and featured listings
  • You may unsubscribe from marketing emails at any time using the link in any email or via Account Settings

5.5 AI-Assisted Features

  • Generate listing descriptions using OpenAI GPT — your listing data (title, species, breed, price) is sent to OpenAI's API under their data processing agreement; it is not used to train OpenAI models
  • Detect duplicate listings using semantic similarity
  • Automated content moderation scoring

6. Data Sharing & Third Parties

We do not sell your personal data. We share data only where necessary:

  • Stripe Inc. — payment processing, subscriptions, Connect payouts, and the Stripe Billing Portal. Governed by Stripe's Privacy Policy.
  • Resend — transactional and marketing email delivery. Governed by Resend's Privacy Policy.
  • Vercel Inc. — hosting, edge infrastructure, and Vercel Blob image storage. Data may be processed in the US under standard contractual clauses.
  • Neon / PostgreSQL — managed database hosting for platform data.
  • OpenAI — AI listing description generation (listing metadata only; see 5.5).
  • Plausible Analytics — privacy-friendly, cookieless web analytics (no personal data shared).
  • UAE Government Authorities — in response to lawful legal process or regulatory requirements.
  • Dispute Arbitrators — where a dispute requires third-party review, relevant transaction and message data may be shared.
  • Business Transfers — in the event of a merger, acquisition, or asset sale, your data may be transferred subject to the same privacy protections.

7. Data Retention

  • Account data: retained for the lifetime of your account plus 5 years after closure (UAE commercial record-keeping requirements)
  • Transaction records: 7 years (UAE VAT and AML regulations)
  • Dispute records: 3 years after resolution
  • Marketing preferences: until you unsubscribe or request deletion
  • Technical logs: 90 days rolling window
  • Anonymised analytics: indefinitely (no personal data retained)
  • KYC documents: deleted from third-party processor within 30 days of verification; metadata retained 5 years

8. International Data Transfers

Your data is primarily stored and processed within the UAE and European Economic Area (Vercel infrastructure). When data is transferred to countries without equivalent data-protection laws (e.g., the United States for Stripe, OpenAI, and Vercel), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and the UAE PDPL adequacy framework.

9. Cookies & Tracking Technologies

9.1 What We Use

  • Strictly Necessary Cookies — NextAuth.js session cookies (HttpOnly, Secure, SameSite=Lax), CSRF tokens, locale preference cookie. Cannot be disabled.
  • Analytics Cookies — Plausible Analytics (cookieless, privacy-first). Only activated with your consent.
  • Marketing Cookies — currently not deployed. Will be disclosed and require consent before activation.
  • Local Storage — PWA install prompt dismissal, cookie consent preferences (key: pe_consent_v1), locale setting.

9.2 Your Choices

You may manage cookie preferences at any time via the Cookie Consent banner or your browser settings. Disabling strictly necessary cookies will prevent you from logging in.

10. AI & Automated Decision-Making

We use automated systems for:

  • Content moderation — listings are automatically scored for policy violations. A flagged listing may be withheld pending human review. You have the right to request human review of any automated moderation decision.
  • Duplicate detection — automated semantic comparison to identify duplicate listings. No legal or similarly significant effects; human review applies on appeal.
  • AI description generation — optional, user-initiated, no automated decisions made.

We do not use automated decision-making for account suspension, credit decisions, or pricing without human oversight.

11. Children's Privacy

The Platform is not directed at children under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has created an account, please contact us at privacy@petexchange.ae and we will promptly delete the account.

12. Security

  • All data transmitted over TLS 1.2+ (HTTPS enforced; HSTS enabled)
  • Session cookies set with HttpOnly, Secure, and SameSite=Lax flags; __Secure- and __Host- cookie prefixes applied in production
  • Payment data handled exclusively by Stripe (PCI DSS Level 1 certified) — raw card numbers never touch our servers
  • Database access restricted to authenticated Prisma ORM connections; no direct public database exposure
  • Rate limiting applied to all API endpoints to prevent brute-force and credential-stuffing attacks
  • Content Security Policy (CSP) headers deployed to mitigate XSS
  • Regular dependency audits via npm audit in CI/CD pipeline
  • Staff access to production data is role-restricted and logged
  • In the event of a data breach, we will notify affected users within 72 hours of discovery as required by UAE PDPL

13. Your Rights

Under UAE Federal Law No. 45 of 2021 (PDPL) and, where applicable, GDPR, you have the following rights:

  • Right of Access — request a copy of all personal data we hold about you
  • Right to Rectification — correct inaccurate or incomplete data
  • Right to Erasure ('Right to be Forgotten') — request deletion of your data subject to legal retention requirements
  • Right to Data Portability — receive your data in a structured, machine-readable format
  • Right to Object — object to processing based on legitimate interests or for direct marketing
  • Right to Restrict Processing — request that we limit how we use your data pending a dispute
  • Right to Withdraw Consent — withdraw consent for analytics or marketing at any time without affecting prior processing
  • Right to Human Review — request human review of any automated moderation decision affecting your account or listings

To exercise any right, email privacy@petexchange.ae with the subject line “Data Rights Request”. We will respond within 30 days. Identity verification is required for access and deletion requests.

14. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be notified by email (to verified accounts) and via a prominent banner on the Platform at least 14 days before the change takes effect. Continued use of the Platform after the effective date constitutes acceptance of the revised policy. The “Last updated” date at the top of this page always reflects the current version.

15. Contact Us

For any privacy questions, data rights requests, or to report a concern:

📧 privacy@petexchange.ae

📧 DPO: dpo@petexchange.ae

📮 PetExchange FZ-LLC, UAE

You also have the right to lodge a complaint with the UAE Telecommunications and Digital Government Regulatory Authority (TDRA) if you believe your data rights have been violated.