Vuelve a Casa

Privacy Policy

Last updated: 2026-05-24

This page explains what information Vuelve a Casa collects, why, who else sees it, how long we keep it, and what you can do about it. We have tried to write it in plain language. Legal references (GDPR articles, etc.) are kept so a lawyer or regulator can map our wording to the law.

Who is responsible for your data

The data controller is the entity behind vuelveacasa.pet. You can reach us at privacy@vuelveacasa.pet.

What we collect and where it comes from

  • Account: your email, a hashed password, your name and the country and language you choose. If you sign in with Google, Facebook, Instagram or X, we receive your email, name and a unique ID from that provider.
  • Pets and searches: photos, name, description, approximate place where the pet was last seen, dates and any contact details you decide to publish. While a search is open this information appears on a public page that search engines can index — that is the whole point of the platform.
  • Wall messages: the text and photo you submit as a tip, plus any contact you choose to leave. Every message is screened by an automated moderation system before it appears in public.
  • Activity log: when you sign in, change your password or perform other security-sensitive actions, we store a truncated IP address (the last octet is removed for IPv4, the last 80 bits for IPv6) and a coarse browser/device label (for example android|chrome|mobile) so we can investigate fraud or abuse. We do not store the full IP or the full user-agent string.
  • QR scans and visits: city, country, a coarse device label, the timestamp and where the link came from. We do not store the raw IP or user-agent of these scans.
  • Donations and payments: handled by Stripe, Mercado Pago, PayPal or Cafecito. We never receive your card number — only the result of the transaction (amount, currency, status and a reference token).
  • Transactional email: confirmation, password reset and account notifications, sent through Scaleway TEM from an EU region (France).

Why we use your data and on what legal basis

GDPR Art. 6 requires us to identify the legal basis for each purpose. The table below maps them.

PurposeLegal basis (GDPR Art. 6)
Run your account and provide the lost-pet search servicePerformance of a contract (6(1)(b))
Publish your pet, search and any contact details you choose to shareConsent (6(1)(a)) — you choose what to publish
Moderate messages, prevent fraud, rate-limit abuseLegitimate interest (6(1)(f))
Advertising and analyticsConsent (6(1)(a)) — only if you accept the cookie banner
Keep accounting records for donations and paymentsLegal obligation (6(1)(c))

Who else processes your data

The following providers help us run the service. They act under written data-processing agreements and we do not sell or rent your personal data to anyone.

  • Scaleway SAS (France) — transactional email through Scaleway TEM, hosted in the EU.
  • Hetzner Online GmbH (Germany) — hosting and S3-compatible object storage in EU data centres (currently Falkenstein, Nuremberg and Helsinki). We may use any combination of these locations depending on capacity and demand; all are within the EU/EEA.
  • Cloudflare Inc. — DNS, CDN and the Turnstile captcha that protects sensitive forms.
  • OpenAI L.L.C. (United States) — automated moderation of wall messages and uploaded photos. The text and image you submit is sent to OpenAI servers in the US for this check.
  • Mapbox Inc. — frontend maps.
  • Google LLC — AdSense, Google Analytics and Google sign-in. Loaded only after you accept the cookie banner (sign-in only if you choose to use it).
  • Meta Platforms — Facebook and Instagram sign-in, only if you use them.
  • X Corp. — X sign-in, only if you use it.
  • Stripe, Mercado Pago, PayPal and Cafecito — donations and payments.

Transfers outside the EU

Some providers above (OpenAI, Cloudflare, Google, Stripe, PayPal) are based in the United States. Transfers rely on the EU-US Data Privacy Framework where the provider is certified, and on the European Commission Standard Contractual Clauses (SCCs) as a fallback. You can request a copy of the safeguards in place by writing to the privacy email.

How long we keep your data

  • Account and pets: while your account is active. See “What happens when you delete your account” below.
  • Closed searches: they stay visible until you delete them.
  • Messages rejected by moderation: kept up to 90 days for audit (legitimate interest), then deleted.
  • Security activity log: truncated IP and device-family label kept for up to 12 months, then deleted.
  • QR scan statistics: kept up to 24 months in aggregated form (no raw IP or user-agent).
  • Donation and payment records: kept as long as accounting and tax law in our country of establishment require (typically 5 to 10 years).

Your rights

You have the right to access your data, correct it, delete it, export it, restrict or object to certain uses, and withdraw any consent you have given. You can also complain to your local data-protection authority.

  • EU / UK (GDPR): access, rectification, erasure, restriction, objection, portability and withdrawal of consent.
  • California (CCPA / CPRA): right to know, delete, correct and opt out of sale or sharing. We do not sell personal information. If we ever cross the CPRA thresholds we will publish a “Do Not Sell or Share” link.
  • Argentina (Law 25.326), Brazil (LGPD), Mexico (LFPDPPP): access, rectification and erasure.

To exercise any of these rights, write from your registered email to privacy@vuelveacasa.pet.

Supervisory authorities you can complain to: AEPD (Spain), AAIP (Argentina), ANPD (Brazil), INAI (Mexico), CNIL (France), Garante (Italy), BfDI (Germany), CNPD (Portugal), ICO (United Kingdom).

Automated moderation and your right to a human review

When you submit a wall message or a photo, our system sends it to OpenAI for a content-safety check before showing it in public. The decision is automated. If your message is rejected and you believe the decision is wrong, you can request a human review by writing to us at the privacy email — we will look at it ourselves and let you know the outcome.

Children and minors

The service is not directed at children. We do not knowingly process personal data from anyone below the digital-consent age in their country (between 13 and 16 in the EU — for example 14 in Spain, 15 in France, 16 in Germany, 13 in the UK and Portugal). If we learn that a minor has signed up without the consent of a parent or guardian, we will delete the account.

What happens when you delete your account

When you delete your account we delete your profile, your pets and any open searches. Messages you posted on someone else's wall are kept without your name if removing them would break the moderation history of that thread. Payment and donation records are kept as long as accounting law requires.

Cookies and similar technologies

We load only the cookies strictly needed for the site to work by default. Advertising and analytics cookies are loaded only after you accept them in the cookie banner. You can change your choice at any time using the buttons below.

  • vac_session — HttpOnly cookie that holds your session if you are logged in. Strictly necessary. Expires when you log out or after one hour of inactivity.
  • vac_csrf — small cookie used to protect forms against cross-site request forgery. Strictly necessary.
  • vac_consent_v1 (localStorage) — remembers your cookie choice. Strictly necessary. Persistent until you clear it.
  • Google AdSense cookies — used by Google and third-party vendors to serve ads, including based on previous visits to this and other websites. Only loaded if you accept the cookie banner.
  • _ga, _ga_* — Google Analytics. Only loaded if you accept the cookie banner.

Independent opt-out tools: Google ad personalisation at adssettings.google.com and the industry-wide opt-out at aboutads.info/choices.

How we protect your data

We use appropriate technical and organisational measures to protect your data, including encrypted transport (HTTPS), hashed passwords, access controls, automated moderation of public content and regular encrypted backups. No system is 100% secure, but we keep our setup current and review it regularly.

What we do if there is a data breach

If we suffer a personal-data breach, we will notify the competent supervisory authority within 72 hours of becoming aware of it, as required by GDPR Art. 33. If the breach is likely to result in a high risk to your rights, we will also notify you directly without undue delay (GDPR Art. 34).

Changes to this policy

We will publish any change here and update the date at the top. If the change is substantial, we will email active accounts. Continuing to use the service after a change means you accept the updated policy.

How to contact us

For privacy questions or to exercise your rights, write to: privacy@vuelveacasa.pet