Privacy Policy

1. Introduction

Goodstay, Inc. ("Goodstay", "we", "us", or "our") respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our pet boarding management platform (the "Service").

1.1 Who This Policy Applies To

This Privacy Policy applies to three categories of people who interact with the Service:

• Facility Customers: Pet boarding businesses (and their staff) who subscribe to Goodstay to manage their facility.
• Pet Owners: Individuals whose contact information, pet profiles, and reservation history are entered into the Service by a Facility Customer or by the pet owner through a facility's customer portal.
• Website Visitors: Anyone who visits goodstay.pet or the marketing website without signing in.

1.2 Goodstay's Role: Controller and Processor

Goodstay plays two distinct roles depending on whose data is involved:

• Goodstay as data controller. When a Facility Customer creates an account, signs in, pays a subscription, contacts support, or visits the marketing website, Goodstay is the data controller for the personal information collected directly from that person and decides how it is used to provide and improve the Service.
• Goodstay as data processor. When a Facility Customer uploads or enters pet owner information, pet profiles, reservations, vaccination records, or other operational data into the Service, Goodstay acts as the data processor on behalf of the Facility Customer. The Facility Customer is the controller of that data and is responsible for the lawful basis on which it is collected, the notices given to pet owners, and the rights exercised by those pet owners.

When acting as a processor, Goodstay only processes pet owner data on the documented instructions of the Facility Customer (including via the configurable settings exposed in the Service) and as required by applicable law. Our processor obligations — including security, sub-processor management, breach notification, and assistance with data-subject requests — are described in our Data Processing Addendum, which is incorporated into your subscription agreement.

2. Information We Collect

2.1 Information You Provide

When you register for and use the Service, we may collect:

• Account information: Name, email address, password, phone number
• Facility information: Business name, address, phone number, email, timezone
• Customer data: Pet owner names, contact details (including phone numbers for SMS notifications), addresses, and notes that you enter into the system
• Pet data: Pet names, species, breeds, dates of birth, weight, medical conditions, behavioral notes, vaccination records, and photos
• Reservation and billing data: Booking dates, space assignments, invoice details, payment records
• Uploaded files: Pet photos, vaccination proof documents, report card images

2.2 Information Collected Automatically

When you access the Service, we may automatically collect:

• Usage data: Pages visited, features used, actions taken, timestamps
• Device information: Browser type, operating system, screen resolution
• Log data: IP address, access times, referring URLs
• Cookies: Session cookies necessary for authentication and Service functionality

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service
• Process transactions and send related information (invoices, confirmations)
• Send transactional emails (password resets, reservation notifications, report cards, vaccination reminders)
• Send SMS text message notifications (booking confirmations, check-in reminders, report card alerts, daycare and grooming appointment reminders) when enabled by the facility
• Respond to your requests, comments, and questions
• Monitor and analyze usage trends to improve the Service
• Detect, prevent, and address technical issues and security incidents
• Comply with legal obligations

3.1 AI and Machine Learning

We do not use Customer Data, pet owner records, or any personal information you or your pet owners enter into the Service to train generative AI or machine learning models. We do not sell, license, or otherwise share Customer Data with any third party for the purpose of training such models. If we introduce optional AI-assisted features in the future, we will update this Privacy Policy and provide controls so that Facility Customers can decide whether to use them.

4. How We Share Your Information

We do not sell your personal information. We may share your information in the following limited circumstances:

• Service providers: We use third-party providers for hosting (DigitalOcean), email delivery (Postmark), SMS messaging (Twilio), payment processing (Stripe), and error monitoring (Sentry). These providers only access data necessary to perform their services and are contractually obligated to protect it.
• Within your facility: Staff members you invite to your facility account can access facility data (reservations, pet profiles, etc.) based on their assigned role.
• Pet owner portal: Pet owners accessing the customer portal can view their own pets, reservations, invoices, and report cards associated with your facility.
• Legal requirements: We may disclose information if required by law, regulation, legal process, or government request.

5. Data Security

We implement industry-standard security measures to protect your data, including:

• Encryption of data in transit using TLS/SSL
• Encryption of passwords using bcrypt hashing
• Access controls and role-based permissions
• Regular security updates and monitoring
• Secure cloud infrastructure with managed database services

While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

5.1 Breach Notification

If we confirm a personal data breach affecting your account or the personal information you have entrusted to us, we will notify you without undue delay and, in any event, within 72 hours of confirmation. Notification will be sent to the primary email address on file for the affected facility account and will describe the nature of the breach, the categories of data involved (to the extent then known), the steps we are taking in response, and recommended actions you should consider. We will also cooperate with you in meeting any further notification obligations you may have to your customers or to regulators under applicable law.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. If you cancel your subscription:

• You may request, or self-serve through the Service, a data export within 30 days of cancellation. Exports are provided in a machine-readable format (CSV for tabular records and JSON for structured records, with uploaded files such as pet photos and vaccination documents bundled in their original format).
• We will delete your facility data within 90 days of account closure
• SMS message logs (recipient phone number, message content, delivery status) are retained for 12 months for compliance and troubleshooting, then automatically deleted
• Phone numbers used for SMS are not shared with any third party for marketing purposes
• We may retain anonymized, aggregated data for analytics purposes
• We will retain data as required by law (e.g., billing records for tax purposes)

7. Your Rights

7.1 General Rights

Depending on your location, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of any inaccurate or incomplete information
• Deletion: Request deletion of your personal information, subject to legal retention requirements
• Data portability: Request an export of your data in a machine-readable format
• Objection: Object to certain processing of your personal information

To exercise any of these rights, please contact us at the address below. We will respond within 30 days. If a request relates to data uploaded by a Facility Customer (where we act as processor), we will refer the request to that Facility Customer and assist them in responding.

7.2 U.S. State-Specific Rights

Residents of California, Virginia, Colorado, Connecticut, Utah, Texas, Florida, Oregon, Montana, Delaware, Iowa, Indiana, Tennessee, New Hampshire, New Jersey, Maryland, Kentucky, Minnesota, Rhode Island, and other U.S. states with comprehensive privacy laws have the rights described in Section 7.1, plus any additional rights granted by their state's law (such as the right to appeal a denied request, the right to limit the use of sensitive personal information, and the right to opt out of profiling that produces legal or similarly significant effects).

Categories of personal information

Using the categories defined by the California Consumer Privacy Act ("CCPA"), in the past 12 months we have collected the following categories of personal information for the purposes described in Section 3:

• Identifiers (name, email address, phone number, IP address, account identifiers)
• Customer records (billing address, payment card last four digits, facility business details)
• Commercial information (subscription plan, billing history, transaction records)
• Internet or network activity (login timestamps, pages visited within the Service, device and browser information)
• Geolocation (approximate location derived from IP address; we do not collect precise GPS location)
• Inferences drawn from the above to operate and improve the Service

We do not knowingly collect or process "sensitive personal information" as that term is defined under the CCPA, except to the extent that account credentials and similar authentication information qualify.

Sale and sharing of personal information

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. We have not done so in the past 12 months and have no plans to do so. Because we do not sell or share personal information in the senses defined by these state laws, no "Do Not Sell or Share My Personal Information" link is required, but you may always contact us using the channels below to confirm or request additional information.

Universal opt-out signals (Global Privacy Control)

Where required by state law (including in California, Colorado, Connecticut, and Oregon), we honor the Global Privacy Control ("GPC") browser signal as a valid opt-out request from the browser sending it. Because we do not sell or share personal information for cross-context behavioral advertising, in practice the GPC signal does not change how we process your information; we record it for compliance purposes.

How to exercise state-specific rights

To submit a state-specific privacy rights request, email privacy@goodstay.pet from the email address on file for your account. We will verify your identity, respond within the time required by your state's law (typically 45 days, with an extension where permitted), and will not discriminate against you for exercising any privacy right. If we deny a request, you may appeal by replying to that decision; we will respond to appeals within 60 days. You may also contact your state attorney general if you believe we have violated applicable law.

Authorized agents

Where state law permits, you may designate an authorized agent to submit a request on your behalf. The agent must provide written authorization, and we may still need to verify your identity directly before completing the request.

8. Cookies

We use essential cookies required for the Service to function (authentication sessions, CSRF protection). We do not use advertising or third-party tracking cookies. You can configure your browser to refuse cookies, but this may prevent you from using the Service.

9. Children's Privacy

The Service is intended for use by pet boarding businesses and the adult pet owners they serve. The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act ("COPPA"). If we become aware that we have inadvertently collected personal information from a child under 13, we will delete that information promptly.

Account holders must be at least 18 years of age to enter into a contract for the Service, as described in our Terms of Service. If you believe a child has provided personal information through the Service, please contact us at privacy@goodstay.pet.

10. Geographic Scope and International Data Transfers

United States only. The Service is hosted in the United States and is offered to U.S. pet boarding facilities and the U.S.-based pet owners they serve. Goodstay does not market, target, or intentionally make the Service available to residents of the European Economic Area, the United Kingdom, Switzerland, or other jurisdictions whose data protection laws would impose cross-border transfer obligations on Goodstay (such as the EU and UK General Data Protection Regulations).

Goodstay does not currently provide the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or other cross-border transfer mechanisms, and does not undertake the obligations of an EU/UK "processor" under those laws. Facility Customers agree not to use the Service to process personal data of EU, UK, or Swiss data subjects whose processing would require those mechanisms or that Customer commitment, except where the Facility Customer is itself responsible for any such transfer mechanism and has obtained Goodstay's written agreement.

If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. By accessing the Service from outside the United States, you acknowledge that the Service is not designed to satisfy the data protection requirements of your jurisdiction and may not be appropriate for processing personal information governed by those laws.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy on the Service with a revised "Last updated" date. We encourage you to review this Privacy Policy periodically.