1. Who we are
Appet.tosa is a management software for pet grooming (bath and trim) services and petshop routines, available via website and apps.
Data Controller: WLTS Inovações Ltda, CNPJ 49.608.263/0001-77, headquartered in Barretos, São Paulo, Brazil (“Appet.tosa”, “we”, “us”).
Privacy channel / DPO: [email protected]

2. Scope and audiences
This Policy applies to:
• website visitors and app users;
• Appet.tosa users (groomers, petshop owners/managers, and authorized staff);
• petshop customers/pet owners whose data is entered into Appet.tosa by the petshop/groomer (where applicable).

3. Roles and responsibilities (Controller vs. Petshop Users)
In general, Appet.tosa acts as the Controller for Appet.tosa users’ data and for operating the platform. The petshop/groomer who enters pet owners’ and pets’ data may act as the Controller for that data for purposes of providing its services.
When a petshop/groomer enters pet owners’ and pets’ data into the system, it must do so in compliance with applicable law (e.g., appropriate legal basis, transparency to pet owners, and use of the minimum necessary data).

4. What data we process

4.1. Account and registration data (Appet.tosa users)
• name, email, phone/mobile number;
• petshop/company data (e.g., trade name, CNPJ when applicable, address, responsible persons);
• authentication and security data (e.g., password stored in a protected/irreversible form, tokens, access logs).

4.2. Operational data entered by users
• schedule, services, sessions, confirmations, internal records, preferences and service notes;
• pet owners/customers data entered by the petshop (e.g., name and phone number);
• pet data (e.g., name, breed, service-related notes).

4.3. Payments and billing data (subscriptions/contracting)
• data related to plans, charges, payment status, dates and amounts;
• full card details are not stored by Appet.tosa; they are processed by the payment provider (gateway) under its terms and policies.

4.4. Technical and usage data (logs)
• IP address, date/time, browser, operating system and device identifiers;
• system usage events (logs) for security, auditing, fraud prevention and service improvement.

5. Purposes and legal bases (Europe, U.S. and LATAM)
We process personal data to:
• provide the service and perform the contract (registration, authentication, system use, support, operations);
• comply with legal and regulatory obligations (e.g., tax/accounting, authority orders);
• ensure security, prevent fraud and perform audits (logs, access control, abuse detection);
• exercise or defend legal claims (respond to complaints, legal defense);
• send necessary operational communications (reminders, confirmations, system notices).
In the EEA and the UK, where applicable, typical legal bases include contract performance, legal obligation, legitimate interests and/or consent. In Latin America, equivalent legal bases apply under local laws (e.g., Brazil’s LGPD). In the U.S., legal frameworks vary by state; we aim to provide transparency and user controls where applicable.

6. WhatsApp and SMS notifications
Appet.tosa uses WhatsApp and/or SMS to send notifications related to pet grooming services, depending on petshop/groomer settings, technical availability, provider rules and delivery requirements.

6.1. Notifications to Appet.tosa users (groomers/petshops)
We may send operational communications via WhatsApp and/or SMS (e.g., reminders, confirmations, subscription status and service information). Message content is limited to what is necessary for operational purposes.

6.2. Notifications to pet owners/customers (petshop end customers)
Appet.tosa may notify pet owners about sessions, confirmations and information exclusively related to pet grooming services via WhatsApp and/or SMS, depending on petshop/groomer settings.

6.2.1. When the petshop uses its own WhatsApp Business (QR Code scan)
Appet.tosa allows the petshop/groomer to use the petshop’s own WhatsApp Business account by scanning a QR Code to send such notifications to pet owners.
In this model:
• the petshop/groomer is responsible for using the number, the message content and compliance with WhatsApp/Meta policies and applicable rules (including consent and opt-out where required);
• Appet.tosa is not responsible for blocks, restrictions or penalties imposed by Meta/WhatsApp due to misuse, inappropriate content, reports, or policy violations by the petshop/groomer.
We are not affiliated with Meta/WhatsApp. WhatsApp use is subject to the service’s own terms and policies.

6.3. Preferences and opt-out
Where applicable, individuals may request to stop receiving non-essential communications, while we may continue sending operational communications necessary for service delivery, security and legal compliance.

7. Who we share data with
We share personal data only when necessary to operate Appet.tosa and fulfill the purposes described in this Policy.

7.1. Payment providers
• Pagar.me S/A (credit card in Brazil);
• Banco Cooperativo Sicredi (PIX in Brazil);
• Stripe Brasil (international collections).
These providers process data to enable payments, financial processing and fraud prevention under their own terms and policies.

7.2. Communication providers (SMS and delivery infrastructure)
We use Twilio as a communications infrastructure provider to enable SMS delivery and related technical activities (delivery, routing and reporting). For this purpose, we may share with Twilio only the data necessary, such as:
• recipient phone number;
• message content (limited to what is necessary for the purpose);
• technical/delivery metadata (e.g., timestamp, status, message identifiers).
Twilio processes data under its own terms and policies, in addition to contractual and security measures.

7.3. Infrastructure, support and operations
We may use hosting, storage, monitoring, support and technical tools to keep Appet.tosa running securely and reliably. In such cases, we seek to apply access controls, confidentiality and data minimization.

7.4. Legal obligations and protection of rights
We may share data to comply with legal/regulatory obligations or valid orders from competent authorities, and to protect Appet.tosa’s rights in disputes/legal actions when necessary.

8. International transfers
We may store or process data in Brazil or in other countries, especially when using global providers and/or infrastructure outside Brazil (for example, Twilio and services related to international collections).
Where applicable (especially for EEA/UK/Switzerland data), we use appropriate safeguards for international transfers, such as Standard Contractual Clauses (SCCs), UK addenda/IDTA and/or equivalent mechanisms, plus technical and organizational security measures.

9. Cookies and similar technologies
We may use cookies and similar technologies for:
(i) functionality and security (necessary cookies),
(ii) analytics/performance and
(iii) personalization.
You can manage cookies in your browser/device settings. Some necessary cookies cannot be disabled without affecting service functionality.

10. Storage and retention
We retain personal data:
• while the account is active and the data is necessary to provide the service;
• for as long as required to comply with legal/regulatory obligations;
• for as long as necessary to exercise or defend legal claims (e.g., preserving logs and evidence).
Where possible and applicable, we delete or anonymize data when it is no longer necessary, subject to legal retention requirements.

11. Information security
We adopt technical and organizational measures to protect data against unauthorized access, loss, alteration and improper disclosure, such as access controls, audit logs, backups and secure development/update practices.
However, no system is completely immune. In the event of a relevant incident, we will take mitigation and communication measures as applicable.

12. Privacy rights and how to exercise them
Depending on the laws applicable in your region, you may request:
• access/confirmation of processing;
• correction;
• deletion/anonymization where applicable;
• portability where applicable;
• information about sharing;
• objection/restriction in applicable cases;
• withdraw consent where consent is the legal basis;
• opt-out of sale/sharing for targeted advertising (where applicable in your jurisdiction).
Privacy channel: [email protected]. For security, we may request identity verification.

13. Children and teens
Appet.tosa is not directed to children. If users enter minors’ data (e.g., registering a pet owner), it must be limited to what is necessary and handled in accordance with applicable law.

14. Region-specific information (Addenda)

14.1 Europe/EEA and the UK (GDPR/UK GDPR)
If you are in the EEA/UK, you may have additional rights (e.g., to lodge a complaint with your local supervisory authority). Where required, we will also provide: identity of any EU/UK representatives, detailed categories of recipients, and retention criteria by category.

14.2 United States (e.g., California — CCPA/CPRA, where applicable)
Where applicable, California residents may have rights to: know/receive a copy of categories and pieces of personal information collected; request deletion/correction; limit use of sensitive personal information; and opt out of “sale” or “sharing” for targeted advertising. If applicable to Appet.tosa, we will provide an opt-out mechanism and honor privacy control signals where required.

14.3 Latin America (e.g., Brazil — LGPD and local laws)
In Latin America, rights and legal bases follow local laws. In Brazil, the channel [email protected] can be used to exercise LGPD rights.

15. Changes to this Policy
We may update this Policy to reflect improvements, legal changes and operational changes. The current version will be available on our website with the updated date.

16. Contact
For privacy questions and requests: [email protected].