Privacy

Privacy Policy

This Privacy Policy describes how EBOX3 (hereinafter referred to as "the Company", "we", "us", or "our"), a company duly incorporated and registered under the laws of the Principality of Andorra, operates and manages the WoofPlan platform and services (hereinafter "the Service"). This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal data when you access or use the Service.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this Privacy Policy, you must not access or use the Service.

1. Data Controller

The data controller responsible for your personal data is:

  • Company: EBOX3
  • Jurisdiction: Principality of Andorra
  • Email: privacy@woofplan.com

As a company established in the Principality of Andorra, we are subject to Llei 29/2021, del 28 d'octubre, qualificada de protecció de dades personals (the Andorran Qualified Law on Personal Data Protection, hereinafter "LQPDP"), as well as applicable European Union data protection regulations including the General Data Protection Regulation (EU) 2016/679 ("GDPR") where applicable to our processing activities.

2. Information We Collect

2.1 Information You Provide Directly

When you register for, access, or use the Service, we may collect the following personal data:

  • Account Information: Full name, email address, telephone number, username, and encrypted password.
  • Business Information: Business or salon name, business address, business telephone number, tax identification number (NRT in Andorra or equivalent), business registration details, and operating hours.
  • Payment Information: Billing address, payment card details (processed and stored exclusively by our PCI DSS-compliant third-party payment processors — we do not store full card numbers), bank account details for direct debits, transaction history, and invoicing data.
  • Client and Pet Data: Information about your customers and their pets that you input into the Service, including customer names, contact details, pet names, breed, age, weight, health notes, grooming preferences, appointment history, and photographs.
  • Communication Data: Messages sent through WhatsApp integrations, AI phone call transcripts, chat logs, customer support correspondence, and feedback you provide.

2.2 Information Collected Automatically

When you access or use the Service, we automatically collect:

  • Device and Technical Data: IP address, browser type and version, operating system, device type, device identifiers, screen resolution, and language settings.
  • Usage Data: Pages visited, features used, clickstream data, time spent on pages, navigation paths, referring/exit URLs, and interaction patterns within the Service.
  • Log Data: Server logs including access times, error logs, API call records, and system performance data.
  • Location Data: Approximate geographic location derived from your IP address.
  • Cookie and Tracking Data: Data collected through cookies, web beacons, pixels, and similar tracking technologies as described in our Cookie Policy.

2.3 Information from Third Parties

We may receive information about you from third-party sources, including:

  • Payment processors (transaction confirmations and fraud prevention data).
  • WhatsApp Business API and other messaging platform integrations.
  • Telephony service providers (call metadata).
  • Analytics providers (aggregated usage insights).
  • Publicly available business directories and registries.

3. Legal Basis for Processing

We process your personal data on the following legal bases, in accordance with the LQPDP and, where applicable, Article 6 of the GDPR:

  • Performance of a Contract (Art. 6(1)(b) GDPR): Processing necessary to provide the Service, manage your account, process payments, and fulfill our contractual obligations to you.
  • Legitimate Interests (Art. 6(1)(f) GDPR): Processing necessary for the purposes of our legitimate interests, including improving and optimizing the Service, ensuring security, preventing fraud, conducting analytics, and direct marketing to existing customers (subject to your right to opt out).
  • Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent for specific processing activities, such as receiving marketing communications, enabling optional analytics cookies, or processing special categories of data.
  • Legal Obligation (Art. 6(1)(c) GDPR): Processing necessary to comply with applicable legal and regulatory requirements under Andorran law or other applicable jurisdictions.

4. How We Use Your Information

We use the information we collect for the following purposes:

4.1 Service Delivery and Operations

  • Providing, operating, maintaining, and improving the Service.
  • Processing appointments, bookings, and scheduling through AI-powered systems.
  • Facilitating AI phone answering, WhatsApp messaging, and customer communication features.
  • Managing customer and pet records on your behalf.
  • Processing payments, subscriptions, invoices, and refunds.
  • Sending transactional notifications, appointment reminders, and service-related communications.

4.2 Service Improvement and Analytics

  • Analyzing usage patterns to improve functionality, user experience, and performance.
  • Training and improving our AI models using aggregated and anonymized data (individual conversations are not used for AI training without your explicit consent).
  • Conducting research and development for new features.
  • Generating aggregated statistical reports and business insights.

4.3 Security and Fraud Prevention

  • Detecting, investigating, and preventing fraudulent activities, security breaches, and unauthorized access.
  • Monitoring and enforcing compliance with our Terms of Service.
  • Protecting the rights, property, and safety of the Company, our users, and third parties.

4.4 Marketing and Communications

  • Sending promotional materials, newsletters, and product updates (only with your consent or under legitimate interest for existing customers, and always with the option to unsubscribe).
  • Personalizing content and recommendations based on your usage of the Service.

4.5 Legal and Compliance

  • Complying with applicable laws, regulations, legal processes, or enforceable governmental requests.
  • Establishing, exercising, or defending legal claims.
  • Maintaining records required under Andorran tax and commercial law.

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data to third parties. We may share your personal data only under the following circumstances:

5.1 Service Providers and Processors

We engage trusted third-party service providers who process data on our behalf under strict contractual obligations of confidentiality and data protection. These include:

  • Cloud hosting and infrastructure providers (Microsoft Azure).
  • Payment processors and billing platforms.
  • Telephony and WhatsApp Business API providers.
  • Email and communication service providers.
  • Analytics and monitoring tools.

5.2 Legal Requirements

We may disclose your personal data if required to do so by law or in response to valid requests by public authorities, including:

  • Andorran courts, the Agència Andorrana de Protecció de Dades (APDA), or other competent Andorran authorities.
  • Law enforcement agencies pursuant to a lawful order or subpoena.
  • Regulatory bodies in jurisdictions where we operate.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of such transaction. We will notify you of any such transfer and any choices you may have regarding your data.

5.4 With Your Consent

We may share your data with third parties when you have given us explicit consent to do so.

6. International Data Transfers

Your personal data may be transferred to, stored in, and processed in countries outside the Principality of Andorra and/or the European Economic Area (EEA). The Principality of Andorra benefits from an adequacy decision by the European Commission (Decision 2010/625/EU), recognizing Andorra as providing an adequate level of data protection.

Where we transfer data to countries that do not have an adequacy decision, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Binding Corporate Rules where applicable.
  • Other legally recognized transfer mechanisms.

You may request a copy of the applicable safeguards by contacting us at the email address listed in Section 1.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. Our retention criteria include:

  • Active Account Data: Retained for the duration of your account's active status, plus 30 days after account deletion to allow for reactivation requests.
  • Payment and Transaction Data: Retained for a minimum of 10 years from the date of the transaction, in accordance with Andorran tax and commercial record-keeping obligations.
  • Communication Records: AI phone transcripts and WhatsApp message logs are retained for 3 years from creation, unless you request earlier deletion.
  • Usage and Analytics Data: Retained in identifiable form for up to 26 months; thereafter anonymized and retained indefinitely for aggregate statistical purposes.
  • Legal Hold Data: Data subject to legal proceedings or regulatory investigations is retained until the matter is fully resolved.
  • Marketing Consent Records: Retained for as long as the consent is valid, plus 5 years thereafter as evidence of compliance.

When personal data is no longer required, it is securely deleted or irreversibly anonymized.

8. Data Security

We implement robust technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, destruction, or accidental loss. These measures include, but are not limited to:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
  • Secure authentication mechanisms including password hashing with modern algorithms.
  • Role-based access controls and the principle of least privilege.
  • Regular security assessments, vulnerability scanning, and penetration testing.
  • Incident response and data breach notification procedures in compliance with the LQPDP.
  • Employee training on data protection and security best practices.
  • Physical security measures at data center facilities.

While we strive to protect your personal data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any data breach in accordance with applicable law.

9. Your Rights

Under the LQPDP and, where applicable, the GDPR, you have the following rights regarding your personal data:

  • Right of Access (Art. 15 GDPR): You may request confirmation of whether we process your personal data and obtain a copy of such data.
  • Right to Rectification (Art. 16 GDPR): You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure (Art. 17 GDPR): You may request deletion of your personal data where there is no compelling reason for its continued processing, subject to legal retention obligations.
  • Right to Restriction of Processing (Art. 18 GDPR): You may request that we restrict the processing of your personal data under certain circumstances.
  • Right to Data Portability (Art. 20 GDPR): You may request to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to Object (Art. 21 GDPR): You may object to processing based on legitimate interests or for direct marketing purposes at any time.
  • Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
  • Right Not to Be Subject to Automated Decision-Making (Art. 22 GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

To exercise any of these rights, please contact us at privacy@woofplan.com. We will respond to your request within 30 days. We may require verification of your identity before processing your request.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Agència Andorrana de Protecció de Dades (APDA) or, where applicable, any competent supervisory authority in your jurisdiction.

10. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us immediately.

11. Third-Party Links and Services

The Service may contain links to third-party websites, applications, or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service you access through the Service.

12. AI-Specific Data Processing

The Service utilizes artificial intelligence technologies for phone answering, messaging, and scheduling features. In connection with these AI features:

  • AI-processed conversations are recorded and stored for service delivery and quality assurance purposes.
  • We do not use your individual business conversations to train general-purpose AI models without your explicit, informed consent.
  • Aggregated and anonymized data derived from Service usage may be used to improve the AI's general performance.
  • You may request human review of any AI-generated decision that significantly affects you or your business.
  • Transcripts of AI-processed calls and messages are accessible through your account dashboard.

13. Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time. We will notify you of material changes by posting the updated Privacy Policy on this page with a revised "Last Updated" date and, where appropriate, by sending you an email notification or displaying a prominent notice within the Service. Your continued use of the Service after such modifications constitutes your acceptance of the updated Privacy Policy.

We encourage you to review this Privacy Policy periodically for any changes.

14. Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of the Principality of Andorra. Any disputes arising from or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of the Principality of Andorra, without prejudice to any mandatory consumer protection provisions that may apply in your jurisdiction.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

  • Company: EBOX3
  • Privacy Inquiries: privacy@woofplan.com
  • General Inquiries: info@woofplan.com
  • Jurisdiction: Principality of Andorra