
Privacy Policy

Last updated · 5 May 2026

Short version: we only collect what we need to build your dog's program and keep your account working. We don't sell your data. You can export it or delete it at any time.

On this page

  1. Who we are
  2. What we collect
  3. Why we collect it
  4. Sub-processors
  5. Retention
  6. Your rights (GDPR & CCPA)
  7. Security
  8. Children
  9. Changes to this policy
  10. Contact

1. Who we are

This Privacy Policy explains how TailorPup ("we", "us") processes personal data when you use the TailorPup mobile app, the website at tailorpup.com, and any related services (the "Service").

Data controller: TailorPup is operated by an independent founder based in Europe. Full company details (registered name, address, registration number, VAT) are published on the Legal Notices page and updated as the legal entity is finalized for launch.

2. What we collect

Data you give us directly

  • Dog profile — name, breed, age range, sex/neutered status, behaviour issues, training goals, daily time available, household type. Provided through the 10-step onboarding.
  • Account — email address, password (hashed, never stored in clear), and optional dog photos you upload.
  • Training feedback — after each session you tap clean / almost / not yet, plus optional free-text notes. These tune the next week's plan.
  • Payment metadata — when you subscribe, Stripe sends us your subscription status, plan, renewal date. We never see, store, or have access to your card number.

Data we collect automatically

  • Usage analytics — anonymized session recordings (no personal identifiers) and aggregated heatmaps via Microsoft Clarity. Helps us understand which screens are confusing.
  • Device information — operating system, app version, device model. Required for crash diagnosis and platform-specific features.
  • Approximate location — derived from your IP address (country/region only). We do not track precise GPS location.

3. Why we collect it

Each piece of data has a specific purpose:

  • Build your dog's 12-week program — the AI needs the breed, age, behaviours, and goals to generate something specific to your dog.
  • Save your progress — without an account, your sessions and program would reset every install.
  • Process payments — Stripe needs your email and country to issue receipts and comply with VAT rules.
  • Improve the product — anonymized usage analytics tell us where users drop off.
  • Customer support — when you contact us, we read your message.

Legal basis (GDPR Art. 6): contract performance for the program generation, your consent for analytics, our legitimate interest for fraud prevention and security, and legal obligations for tax records.

4. Sub-processors

We use these companies to deliver the Service. Each one is GDPR-compliant and bound by a Data Processing Agreement.

  • Supabase Inc. — authentication and database hosting (EU region: Frankfurt).
  • Vercel Inc. — website and Edge Function hosting.
  • Stripe, Inc. — payment processing. We send your email and plan; Stripe handles your card data directly.
  • OpenAI OpCo, LLC — AI program generation. Your dog profile (no personal identifiers) is sent to OpenAI's API to generate the 12-week plan. OpenAI does not train on API requests by default.
  • Microsoft Clarity — anonymized session analytics.
  • RevenueCat, Inc. — in-app purchase entitlement (mobile only).
  • Apple Inc. / Google LLC — App Store and Play Store payments (mobile).

5. Retention

  • Account & dog profile — kept as long as your account is active. Deleted within 30 days of account deletion.
  • Training sessions and notes — same as account.
  • Payment records — kept for 10 years to comply with French/EU accounting law.
  • Analytics — Clarity recordings expire after 90 days; aggregated metrics are retained indefinitely.
  • Backups — Supabase rolling 7-day backups. Deleted data leaves the backups within 7 days.

6. Your rights (GDPR & CCPA)

If you live in the EU, EEA, UK, or California, you have the following rights — and we honour them everywhere because it's easier and the right thing to do.

  • Access — request a copy of every piece of data we hold about you.
  • Rectification — fix anything that's wrong directly in the app, or ask us to.
  • Deletion — delete your account from Settings → Privacy → Delete my account in the app, or use our web deletion form.
  • Portability — export your data as JSON. Email privacy@tailorpup.com.
  • Restriction / Objection — pause or restrict our processing.
  • Withdraw consent — for analytics, you can opt out via your browser's Do-Not-Track or by clearing cookies.
  • Lodge a complaint — in France, with the CNIL. In other EU countries, with your local DPA.

7. Security

  • All data in transit is encrypted (HTTPS / TLS 1.3).
  • Supabase encrypts data at rest with AES-256.
  • Authentication uses bcrypt-hashed passwords and short-lived JWTs.
  • Row-level security policies prevent users from accessing other users' data.
  • The OpenAI API key, Stripe secret key, and Supabase service role key never leave the server.

8. Children

TailorPup is intended for users aged 16 and over. We don't knowingly collect data from children under 16. If you believe a child has created an account, contact us and we'll delete it.

9. Changes to this policy

We may update this policy from time to time. We'll notify you in-app or by email if the change is material (new data collected, new sub-processor added). The "Last updated" date at the top of this page always reflects the current version.

10. Contact

  • Privacy questions / GDPR requests: privacy@tailorpup.com
  • Customer support: support@tailorpup.com
  • Legal: legal@tailorpup.com

We aim to respond to all privacy requests within 30 days, as required by GDPR Art. 12.
