Privacy Policy

1. Who We Are

ADA Service Dog
Website: adaservicedog.com
Contact: info@adaservicedog.com

ADA Service Dog is operated by NS Design ID Cards, a company based in the United Kingdom, serving customers in the United States. For US residents, your privacy rights are governed primarily by US state privacy laws such as the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), under which we act as the "business". Because our operator is UK-based, the UK GDPR also applies to our processing, and we act as the data controller under that law. Where we engage third-party services to process data on our behalf, those parties act as service providers / data processors under our instruction and under written data processing agreements.

2. What Personal Data We Collect and Why

2a. Registration Data

When you register a Service Dog with ADA Service Dog, we collect:

• Your information: full name, email address, telephone number, home address
• Animal information: animal name, species, breed, date of birth, Service Dog category
• Photographs: handler photo and animal photo — used on your NFC ID card and verification profile
• Health & wellbeing information (Special Category Data) — completely optional: you may choose to include a brief note (e.g. anxiety disorder, PTSD, depression) to help others understand your need for a Service Dog. This is entirely voluntary — your registration is fully valid without it. If provided, it is stored securely and never shown publicly without your consent
• Emergency contact information: name and telephone number of a nominated contact
• Subscription & payment data: plan type and billing cycle. Card details are never stored by us — they are processed directly by Stripe (PCI-DSS Level 1 compliant) under their own privacy policy

Why we are allowed to process this: we need this data to provide the service you signed up for. Where UK GDPR applies, the lawful basis is performance of a contract (Article 6(1)(b)); for health/wellbeing information, the lawful basis is explicit consent (Article 9(2)(a)) given at point of registration.

2b. Your Public Verification Profile

When your QR code or NFC card is scanned, a limited verification profile is displayed publicly. This shows only:

• Animal name, species and Service Dog category
• Handler's first name only
• Handler and animal photographs
• Registration status (Active / Expired / Suspended)
• Emergency contact QR (behind a confirmation barrier — for genuine emergency use only)

Emergency contact details, wellbeing information, home address and full handler name are not publicly visible. All Service Dog profile pages carry a noindex, nofollow directive and an X-Robots-Tag HTTP header — your profile cannot be indexed by Google, Bing or any major search engine.

Why we are allowed to process this: enabling third parties to verify Service Dog status is the core purpose of the service and is reasonably expected by registrants. Only the minimum data necessary is displayed. Where UK GDPR applies, the lawful basis is legitimate interests (Article 6(1)(f)).

2c. Website Usage Data

We collect standard server logs (IP address, browser type, pages visited, timestamps) for security monitoring and to diagnose technical issues. Retained for 30 days and not linked to your registration data.

Why we are allowed to process this: security and fraud prevention. Where UK GDPR applies, the lawful basis is legitimate interests (Article 6(1)(f)).

2d. Marketing Communications

If you opt in, we may send you service updates, renewal reminders, and information about new features. We use Mailchimp as our email processor. You can unsubscribe at any time via any email or by contacting us.

Why we are allowed to process this: your consent, which you may withdraw at any time. Where UK GDPR applies, the lawful basis is consent (Article 6(1)(a)).

3. Sensitive Personal Information

Any health or wellbeing information you provide is sensitive personal information under US state privacy laws (CCPA/CPRA) and special category data under UK GDPR (Article 9). We apply the highest level of protection:

• Never displayed publicly on your verification profile
• Accessible only behind an explicit confirmation step for emergency use
• Stored encrypted at rest in our database
• Retained only for the duration of your active registration, plus a maximum of 12 months after expiry
• Deleted immediately upon request — see Section 7 (Your Rights)

4. How Long We Keep Your Data

5. Who We Share Your Data With

We do not sell, rent, or trade your personal data, and we do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA. We share data only with the following service providers, all bound by data processing agreements:

• Stripe — payment processing (PCI-DSS Level 1). Data shared: billing name, email, transaction amount
• IONOS / 1&1 — web hosting and server infrastructure (UK/EU data centers)
• Mailchimp (Intuit) — email marketing. Data: name, email, subscription status. Data stored in USA under Standard Contractual Clauses
• Cloudflare — DNS, CDN and DDoS protection. Data: IP addresses in transit only; no registration data shared

We may disclose personal data to law enforcement or regulatory authorities if legally required.

6. International Data Transfers

We are operated by a UK-based company, so your data may be stored and processed in the United Kingdom, the European Union, and the United States. Our hosting provider (IONOS) uses UK/EU data centers, and Mailchimp stores marketing email data in the USA. Where data is transferred out of the UK, we ensure an appropriate transfer mechanism is in place, specifically Standard Contractual Clauses (SCCs) approved under UK GDPR.

7. Your Privacy Rights

To exercise any right, email us at info@adaservicedog.com with proof of identity. We will respond within 30 days.

7a. US State Privacy Rights (CCPA/CPRA and similar laws)

If you are a resident of California or another US state with a comprehensive privacy law, you have the following rights:

• Right to know / access — request a copy of the personal information we have collected about you, including what categories we collect, why, and who we disclose it to
• Right to delete — request deletion of your personal information. Note: we may retain certain data where required by law (e.g. financial records for 7 years)
• Right to correct — request correction of inaccurate personal information
• Right to opt out of sale or sharing — we do not sell or share your personal information as defined under the CCPA/CPRA, so there is nothing to opt out of
• Right to limit use of sensitive personal information — we only use health/wellbeing information to provide the service you requested, and never display it publicly without your consent
• Right to non-discrimination — we will never penalize you, deny you service, or charge you a different price for exercising any of your privacy rights

7b. Additional Rights Under UK GDPR

Because our operator is UK-based, you can also exercise the rights provided by UK GDPR, whichever set of rights is more favorable to you:

• Right of access — request a copy of all personal data we hold about you (Subject Access Request)
• Right to rectification — request correction of inaccurate or incomplete data
• Right to erasure ("right to be forgotten") — request deletion of your data
• Right to restriction — request that we limit processing while a dispute is resolved
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests or for direct marketing
• Right to withdraw consent — where processing is consent-based (marketing, health data), you may withdraw at any time
• Rights related to automated decision-making — we do not use automated decision-making or profiling that produces legal or significant effects

8. Cookies

We use cookies to operate the website. See our full Cookie Policy for details. Strictly necessary cookies (session, CSRF security token) cannot be disabled as they are essential to the service. With your consent, we may also use functional and analytics cookies.

9. Security

We implement appropriate technical and organizational measures to protect your data:

• TLS encryption in transit (HTTPS) across the entire site
• Encryption at rest for special category (health/wellbeing) data
• Access controls limiting data access to those with a legitimate operational need
• All Service Dog profile pages carry noindex, nofollow directives — search engines cannot index your profile
• Regular security reviews and dependency updates

In the event of a personal data breach likely to result in risk to you, we will notify affected individuals and the relevant regulators as required by applicable law, including US state data breach notification laws and, where UK GDPR applies, the ICO within 72 hours (UK GDPR Articles 33–34).

10. Children's Data

Our registration service is intended for individuals aged 18 and over. We do not knowingly collect personal data from children under 13. If a registration is submitted for a handler under 18, a parent or guardian must provide consent. Contact us immediately if you believe we have inadvertently collected data relating to a child.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be notified to registered users by email at least 14 days before taking effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

12. Contact Us