Privacy Policy
Effective May 4, 2026
This Privacy Policy describes how PatMate (“we”) processes personal data on the patmate.app platform. We comply with the EU General Data Protection Regulation (GDPR) and similar laws.
1. Controller
Nikola Ristić
Belgrade, Serbia
Email: [email protected]
PatMate is currently operated by a private individual (no registered business entity, no VAT identification number, no Data Protection Officer designated). See our Imprint for the full operator disclosure.
2. What we collect
| Category | Examples | Source |
|---|---|---|
| Account | Email, password (hashed), display name, country, role | You |
| Profile | Avatar, bio, location (city/country), languages | You |
| Pet records | Species, breed, sex, photos, health docs, lineage | You |
| Verification | Documents you upload to prove identity / breeder status | You |
| Communications | Messages, reviews, reports, feedback | You and other users |
| Technical | IP address, user agent, request logs, error traces | Automated |
| Analytics | Pages visited, search terms, feature usage | Automated (PostHog — only after you accept analytics cookies) |
3. Why we process it (legal bases)
- Contract — to operate the Service you signed up for: account creation, listings, messaging, search.
- Legitimate interest — fraud prevention, abuse detection, audit logging, basic product analytics. You can object to these where applicable.
- Consent — non-essential cookies, marketing emails, optional analytics. You can withdraw at any time.
- Legal obligation — tax records, responding to court orders.
4. Cookies and similar tech
See our dedicated Cookies page.
5. Sharing & subprocessors
We share data with the third parties listed in our Subprocessors register. We do not sell personal data. We do not share data with advertisers. We do not currently process any payment data — PatMate is offered free of charge during the closed-beta period.
6. International transfers
Most of our processing happens inside the European Economic Area: hosting and Redis (Hetzner Cloud, Germany — Redis is self-hosted on the same VPS), Postgres (Neon, eu-central-1 Frankfurt), object storage (Cloudflare R2, EU region), product analytics (PostHog Cloud-EU, Frankfurt), error tracking (Sentry, EU region), and email delivery (Resend, EU region). Some auxiliary services (Cloudflare DNS/CDN, Better Stack) operate globally; transfers outside the EEA are protected by Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.
7. Retention
- Account & pet data — kept until you delete the account, then a 30-day grace period, then hard-deleted.
- Messages — retained for the conversation lifetime; on account deletion the sender ID is anonymised so other participants keep history.
- Audit logs — 90 days, then IP/user-agent are truncated.
- Backups — encrypted snapshots are kept for 35 days, then destroyed.
8. Your rights
You can exercise the following rights under the GDPR:
- Access — download your data from Profile → Privacy.
- Rectification — edit your profile, or email [email protected].
- Erasure — “Delete my account” on the same page.
- Restriction / Objection — email us; we’ll restrict processing.
- Portability — the export above is a machine-readable JSON bundle.
- Complaint — you can lodge a complaint with your local Data Protection Authority at any time.
9. Security
Passwords are hashed with argon2id. Two-factor secrets are encrypted at rest with AES-256-GCM. All traffic is HTTPS only (the .app TLD is HSTS-preloaded). Backups are encrypted. We log access to sensitive operations.
10. Children
PatMate is not directed at children. If you believe a minor has created an account, contact us and we will delete it.
11. Changes
We will notify you by email and/or in-app banner of any material change at least 14 days before it takes effect.
12. Contact & supervisory authority
Privacy / GDPR requests: [email protected]
Legal: [email protected]
Security / vulnerability disclosure: [email protected] (see also /.well-known/security.txt)
Supervisory authority (operator’s country): Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti, Republic of Serbia (poverenik.rs). You may also lodge a complaint with the data protection authority of your country of residence.