Legal · GDPR · Data Processing

Data Processing Agreement

Version: March 2026

Introduction

This Data Processing Agreement (DPA) describes how Happy Puppies, as data controller, processes personal data and works with its data processors. It sets out the technical and organisational measures in place to protect personal data processed in connection with our dog care services.

This agreement is intended for clients and website visitors whose data we process and meets the requirements of Art. 28 GDPR.

🏒

1. General Information

  • Controller: Camila de Diago — Happy Puppies
  • Address: Loosduinseweg 65H, 2571 AA The Hague, Netherlands
  • KvK number: 93920881
  • Data Protection Officer: dpo@happypuppies.nl
  • Phone: +31 6 34698983
  • Website: happypuppies.nl
  • Valid from: March 2026

We regularly review and update our security measures. Changes to this agreement will be communicated via our website.

2. Which Services Does This Cover?

This agreement applies to the following services offered by Happy Puppies:

  • Dog boarding — overnight stays at our home in The Hague
  • Dog daycare — day supervision during working hours
  • Dog walking — structured walks in and around The Hague Centre
  • Puppy care — support and socialisation for young dogs

3. What Do We Process Exactly?

In connection with our services, we process the following personal data:

  • Owner contact details (name, email, phone number)
  • Dog information (name, breed, age, vaccination status, health notes)
  • Booking information (dates, service type, special instructions)
  • Payment information (processed via our bank and invoicing tools — we do not store full card details)
  • Website usage data (via functional cookies and server logs)
ℹ️
We only process the data strictly necessary to deliver our services safely and correctly. We do not process special categories of personal data (Art. 9 GDPR) unless a dog’s health needs make this necessary for their care.

🌍

4. Where Is Your Data Stored?

All data processing takes place within the EU/EEA, with the following exceptions:

| Processing | Location | Legal basis for transfer |
|---|---|---|
| Website backups | Switzerland (pCloud) | EU adequacy decision |
| Website security & CDN | United States (Cloudflare) | Standard Contractual Clauses (SCCs, Art. 46 GDPR) |

For transfers to Switzerland, the European Commission has issued an adequacy decision, meaning Switzerland provides a level of data protection equivalent to the GDPR.

5. Who Do We Work With? (Sub-processors)

We work with the following parties for our operations:

| Provider | Service | Location |
|---|---|---|
| Hostinger | Web hosting & server infrastructure | Netherlands (EU) |
| Yuvo | WordPress maintenance (Wordfence + UpdraftPlus) | Netherlands |
| pCloud | Encrypted backup storage | Switzerland |
| Knab | Banking services | Netherlands |
| MoneyMonk | Financial administration & invoicing | Netherlands |
| Complianz | Cookie consent management | Netherlands |
| Cloudflare | Website security & CDN | United States (SCCs) |

All parties have committed to processing data only within the EU/EEA or in countries with adequate protection. For transfers to the United States (Cloudflare), Standard Contractual Clauses (SCCs) apply in accordance with Art. 46 GDPR.

6. How Do We Secure Your Data?

  • Transit encryption: TLS/SSL for all data in transit
  • Backup encryption: Encrypted storage on Swiss servers via pCloud
  • Website security: Wordfence firewall and malware scanning (via Yuvo)
  • Email security: DKIM, SPF and DMARC against phishing and spoofing
  • Access control: Two-factor authentication where possible, strict access rights
  • Monitoring: Regular security scans of the WordPress site
  • Updates: Regular patches for WordPress core, themes and plugins
  • Physical security: Dog data and booking records stored on password-protected, encrypted devices

We have no structural access to data beyond what is necessary to deliver our services. We only access client data when explicitly required for service delivery or support.

7. Rights of Data Subjects

We honour all GDPR data subject rights. Requests for access, correction, or deletion of personal data can be submitted as described in our Privacy Policy.

8. Retention & Deletion

When the relationship with a client ends:

| Timeline | Action |
|---|---|
| Immediately | Booking access and login credentials are revoked |
| Within 6 months | All personal data is irreversibly deleted, unless longer retention is required by law |
| Financial records | Retained for 7 years to comply with Dutch tax law (legal obligation) |

🚨

9. What Do We Do in Case of a Data Breach?

ℹ️
What is a data breach? A security incident in which personal data is accidentally or unlawfully destroyed, lost, altered, or accessed without authorisation.

| Aspect | Description |
|---|---|
| Notification | In the event of a breach affecting client data, we notify the affected party within 24 hours of discovery. |
| Regulatory reporting | Where required under GDPR, we report to the Dutch Data Protection Authority within 72 hours. |
| Our response | We document the incident, contain it immediately (e.g. restore from backup, apply security patch), and inform affected parties of the scope and actions taken. |