Last Updated: February 12, 2026
This Data Processing Agreement ("DPA") describes how SOBS Pets ("Controller") processes personal information in connection with the operation of our website, products, and services.
This DPA applies to all personal information processed by SOBS Pets, including information collected from:
SOBS Pets acts as a Controller for the personal information we collect directly from you. We determine the purposes and means of processing your personal information. When we engage third-party service providers, they act as Processors on our behalf and under our instructions.
This DPA is incorporated into and forms part of our Privacy Policy and Terms of Service. Capitalized terms not defined herein shall have the meanings assigned in those documents.
The following terms have the meanings set forth below when used in this DPA:
SOBS Pets processes personal information for the following specific, explicit, and legitimate purposes:
Purpose: Process payments, ship products, manage orders, handle returns and refunds.
Categories: Identifiers, Customer Records, Commercial Information
Lawful Basis: Contract performance
Purpose: Create and manage user accounts, authenticate users, maintain account preferences.
Categories: Identifiers, Customer Records, Inferences
Lawful Basis: Contract performance, Legitimate interests
Purpose: Generate personalized pet health recommendations, track assessment history, improve algorithms.
Categories: Identifiers, Commercial Information, Inferences
Lawful Basis: Contract performance, Consent
Purpose: Analyze website usage, improve products and services, conduct market research, measure customer satisfaction.
Categories: Identifiers, Internet Activity, Geolocation Data
Lawful Basis: Legitimate interests, Consent (cookies)
Purpose: Send promotional emails, product recommendations, newsletters, and special offers.
Categories: Identifiers, Commercial Information, Inferences
Lawful Basis: Consent, Legitimate interests (existing customers)
Purpose: Respond to inquiries, resolve issues, provide technical support, handle complaints.
Categories: Identifiers, Customer Records, Commercial Information
Lawful Basis: Contract performance, Legitimate interests
Purpose: Detect and prevent fraud, maintain website security, protect against unauthorized access.
Categories: Identifiers, Internet Activity, Geolocation Data
Lawful Basis: Legitimate interests, Legal obligation
Purpose: Comply with applicable laws, regulations, court orders, and legal processes.
Categories: All relevant categories
Lawful Basis: Legal obligation
SOBS Pets processes personal information of the following categories of data subjects:
Individuals who have purchased products, created accounts, or otherwise engaged in commercial transactions with SOBS Pets.
~50,000+ active customers
Individuals who browse our website, interact with our content, or use our free tools (Health Assessment) without creating an account.
~500,000+ annual visitors
Individuals who have opted in to receive promotional communications, newsletters, or product updates.
~125,000+ subscribers
Individuals who have contacted our customer support team via email, phone, chat, or other channels.
~15,000+ annual contacts
Licensed veterinarians and veterinary staff who interact with our professional services or partner programs.
~500+ professionals
Individuals who receive products as gifts or shipments from our customers.
~10,000+ annual recipients
SOBS Pets processes the following categories of personal information, mapped to CCPA/CPRA categories and including specific data elements:
| Category | CCPA/CPRA Category | Specific Data Elements | Purpose | Retention |
|---|---|---|---|---|
| Identity Information | A. Identifiers | Full name, username, date of birth (optional), profile photo | Account creation, personalization | Account + 2 yrs |
| Contact Information | A. Identifiers, B. Customer Records | Email address, phone number, shipping address, billing address | Order fulfillment, communication | Account + 2 yrs |
| Payment Information | B. Customer Records, L. Sensitive | Credit card details, PayPal account, billing information | Transaction processing | Not stored by SOBS Pets |
| Account Credentials | L. Sensitive Personal Information | Password (hashed), security questions, authentication tokens | Account security, authentication | Account deletion |
| Pet Information | D. Commercial Information, K. Inferences | Pet name, species, breed, age, weight, health conditions, symptoms, medications | Health assessment, recommendations | 3 years |
| Transaction History | D. Commercial Information | Order history, purchase amount, products purchased, subscription status | Order management, recommendations | 7 years |
| Website Activity | F. Internet Activity | Pages visited, time spent, clicks, navigation path, search queries | Analytics, optimization | 26 months |
| Device Information | F. Internet Activity | IP address, browser type, operating system, device type | Analytics, security | 30 days (logs) |
| Location Information | G. Geolocation Data | IP-based location (city/region), shipping address | Regional compliance, fraud prevention | 30 days (IP logs) |
| Communication Content | B. Customer Records | Emails to support, chat transcripts, call recordings (with notice) | Customer service, quality assurance | 3 years |
| Marketing Preferences | D. Commercial Information | Email opt-in status, subscription preferences, communication history | Consent management | Until consent withdrawn |
| Inferences | K. Inferences | Pet health profile, predicted needs, product recommendations, customer lifetime value | Personalization, improvement | 3 years |
SOBS Pets relies on the following lawful bases for processing personal information:
CCPA/CPRA: Performance of Services
Processing necessary to fulfill our contractual obligations to you, including:
CCPA/CPRA: Explicit Consent
Processing based on your freely given, specific, informed, and unambiguous consent:
You may withdraw consent at any time.
CCPA/CPRA: Business Purpose
Processing necessary for our legitimate interests, provided such interests are not overridden by your rights:
CCPA/CPRA: Legal Compliance
Processing necessary to comply with applicable legal obligations:
CCPA/CPRA: Emergency Situations
Processing necessary to protect someone's life. In rare circumstances, we may process information to address an imminent threat to an individual's health or safety.
This basis is rarely invoked and only in genuine emergencies.
Not currently relied upon
SOBS Pets does not currently process personal information for the performance of a task carried out in the public interest.
For processing based on legitimate interests, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. Our legitimate interests are:
We have determined that these interests are necessary and proportionate, and we implement safeguards to minimize privacy impacts.
SOBS Pets collects limited categories of sensitive personal information as defined under CPRA and other applicable laws. We apply additional safeguards and strictly limit the use of sensitive information.
| Sensitive Data Category | Collected | Purpose | Disclosure | Retention |
|---|---|---|---|---|
| Social Security, Driver's License, State ID | NO | — | — | — |
| Account Login Credentials | YES | Authentication, account security | Not disclosed (hashed) | Until account deletion |
| Financial Account, Debit/Credit Card Number | YES* | Payment processing | PCI-compliant processors | Not stored by SOBS Pets |
| Precise Geolocation | NO | — | — | — |
| Racial or Ethnic Origin | NO | — | — | — |
| Religious or Philosophical Beliefs | NO | — | — | — |
| Union Membership | NO | — | — | — |
| Genetic Data | NO | — | — | — |
| Health Information (Human) | NO | — | — | — |
| Sex Life or Sexual Orientation | NO | — | — | — |
*Note on Payment Information: Credit card numbers are processed directly by our PCI DSS Level 1 compliant payment processors (Stripe, PayPal). SOBS Pets does not store full credit card numbers on our servers. We store only the last four digits and card type for reference.
Under CPRA, California residents have the right to limit the use of their sensitive personal information to that which is necessary to perform the services requested. Because SOBS Pets ONLY uses sensitive information for the purposes of providing the requested services (authentication and payment processing), there is no additional use to limit. We do not use sensitive information for any secondary purpose.
SOBS Pets engages trusted third-party processors to assist in providing our services. All processors are contractually bound to:
| Processor | Service Provided | Data Categories | Location | Security Certification |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing | Payment information, billing contact | USA | PCI DSS Level 1, SOC 2 |
| PayPal, Inc. | Payment processing | Payment information, billing contact | USA | PCI DSS Level 1, SOC 2 |
| Shopify, Inc. | E-commerce platform | Customer information, order history | USA/CAN | PCI DSS Level 1, SOC 2 |
| Google LLC | Analytics, email (G Suite) | Website activity, email communications | USA | SOC 2, ISO 27001 |
| Microsoft Corporation | Analytics (Clarity), cloud services | Website activity, usage data | USA | ISO 27001, SOC 2 |
| Amazon Web Services | Cloud hosting, data storage | All data categories | USA | ISO 27001, SOC 2, FedRAMP |
| Mailchimp (Intuit) | Email marketing | Email address, preferences | USA | SOC 2, ISO 27001 |
| Zendesk, Inc. | Customer support platform | Support tickets, customer communications | USA | SOC 2, ISO 27001 |
| ShipStation | Shipping & fulfillment | Name, address, phone, order details | USA | SOC 2, PCI DSS |
| Twilio Inc. | SMS notifications | Phone number, opt-in status | USA | SOC 2, ISO 27001 |
All processors are subject to written data processing agreements that comply with applicable privacy laws. These agreements include obligations regarding data security, confidentiality, sub-processing, audit rights, and assistance with data subject requests.
SOBS Pets is based in the United States and primarily processes personal information within the United States. However, we may transfer personal information to processors located in other countries as necessary to provide our services.
When we transfer personal information outside the United States, we rely on the following safeguards:
For transfers to countries recognized by applicable law as providing adequate data protection (where applicable).
We utilize European Commission approved Standard Contractual Clauses for transfers from the EU/EEA.
Not currently applicable (we are a single entity).
With your explicit consent for specific transfers.
Our processors are primarily located in:
If you are located in the European Economic Area, the United Kingdom, or Switzerland, your personal information may be transferred to the United States and other jurisdictions that may not provide the same level of data protection as your home country. We provide appropriate safeguards through Standard Contractual Clauses and other transfer mechanisms.
We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, including for the satisfaction of legal, accounting, or reporting requirements.
| Data Category | Retention Period | Rationale | Deletion Method |
|---|---|---|---|
| Account Information | Duration of account + 2 years | Service continuity, potential reactivation | Secure deletion, anonymization |
| Order History | 7 years | Tax, warranty, legal compliance | Archival, secure deletion |
| Payment Information | Not stored by SOBS Pets | PCI DSS compliance | N/A (processed by payment processors) |
| Health Assessment Data | 3 years from submission | Service improvement, customer support | Anonymization, secure deletion |
| Marketing Preferences | Until consent withdrawn + 30 days | Consent management, audit trail | Secure deletion |
| Website Analytics | 26 months | Google Analytics retention policy | Aggregation, anonymization |
| Server Logs | 30 days | Security monitoring, troubleshooting | Overwrite, secure deletion |
| Customer Support Communications | 3 years | Quality assurance, dispute resolution | Secure deletion |
| Abandoned Cart Data | 30 days | Recovery marketing (with consent) | Secure deletion |
When personal information reaches the end of its retention period, or when we receive a verified deletion request, we implement one of the following:
SOBS Pets implements comprehensive technical and organizational security measures to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
If you have discovered a security vulnerability in our systems, please contact our security team at security@sobspets.com. We follow responsible disclosure practices.
SOBS Pets respects and facilitates the exercise of data subject rights under applicable privacy laws, including CCPA/CPRA, GDPR, and other US state privacy laws.
Data subjects have the right to confirm whether we process their personal information and to access that information, along with details about our processing activities.
CCPA §1798.110, §1798.115 • GDPR Art. 15
Data subjects have the right to request deletion of their personal information, subject to certain exceptions.
CCPA §1798.105 • GDPR Art. 17
Data subjects have the right to request correction of inaccurate personal information.
CPRA §1798.106 • GDPR Art. 16
Data subjects have the right to opt out of the sale or sharing of personal information. SOBS Pets does not sell personal information.
CCPA §1798.120 • CPRA
Data subjects have the right to limit the use of sensitive personal information. No limitation is necessary as we do not use sensitive information for secondary purposes.
CPRA §1798.121
Data subjects have the right not to receive discriminatory treatment for exercising their privacy rights.
CCPA §1798.125 • CPRA
Data subjects have the right to receive their personal information in a structured, commonly used, machine-readable format.
GDPR Art. 20 • CPRA
Data subjects have the right to appeal any denial of their privacy rights requests.
CPRA §1798.130
To exercise your data subject rights, please submit a verifiable request through one of our designated methods:
We will respond to verifiable requests within 45 days (extendable by an additional 45 days with notice).
In the event of a personal data breach, SOBS Pets has implemented the following procedures:
Immediately upon discovery, our security team initiates containment procedures to stop the breach and prevent further unauthorized access.
We assess the scope, nature, and impact of the breach, including categories of affected individuals, types of data involved, and probable consequences.
We notify affected individuals, relevant supervisory authorities, and other stakeholders as required by applicable law, without undue delay.
We implement measures to address the breach and prevent future occurrences, including updates to policies, procedures, and technical controls.
If you suspect a data breach involving your personal information, please contact our security team immediately at security@sobspets.com.
SOBS Pets maintains accountability for its data processing activities through the following measures:
Quarterly internal audits of our data processing activities, security controls, and compliance with privacy policies.
Annual independent third-party security assessments and penetration testing. SOC 2 Type II audit in progress.
Maintenance of records of processing activities, data protection impact assessments, and lawful basis documentation.
Continuous monitoring of legal and regulatory developments to ensure ongoing compliance.
SOBS Pets does not currently offer individual customer audit rights due to the multi-tenant nature of our services and the confidentiality of our security practices. However, we provide:
For enterprise customers requiring additional audit rights, please contact our legal department to discuss specific arrangements.
Our authorized processors may engage sub-processors to assist in providing services. All sub-processors are subject to:
We maintain a current list of sub-processors on this page. If you are a customer, you may subscribe to notifications of sub-processor changes by emailing privacy@sobspets.com. You have the right to object to new sub-processors on reasonable grounds relating to data protection. If you object and we cannot provide a reasonable alternative, you may terminate your contract.
All SOBS Pets personnel with access to personal information are subject to strict confidentiality obligations:
SOBS Pets accepts liability for our processing of personal information in accordance with applicable privacy laws. Our liability for data protection claims is subject to the limitation of liability provisions in our Terms of Service.
To the extent permitted by applicable law, you agree to indemnify and hold SOBS Pets harmless from any claims, damages, losses, liabilities, costs, and expenses arising out of or related to your violation of these terms or applicable law regarding your use of our services.
SOBS Pets is committed to processing personal information lawfully, fairly, and transparently. This Data Processing Agreement demonstrates our accountability and dedication to protecting your privacy rights.