Cara← Back to home

Privacy Policy

Effective date: 7 May 2025 · Version 1.0

Contact: carashelters@gmail.com

1. Who We Are

Cara Shelters (“Cara”, “we”, “us”, “our”) operates the shelter management SaaS platform available at carashelters.ie. Cara Shelters is incorporated and operates in the Republic of Ireland.

For the purposes of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), Cara Shelters is the data controller for:

  • Personal data of shelter staff and administrators who hold accounts on the platform.
  • Visitor data collected via the carashelters.ie marketing website.

Animal shelters that use the Cara platform (“Shelters”) are independent data controllers of the adopter, donor, and volunteer data they collect through their own public portals. Cara acts as a data processor for that data. See Section 9 for details.

2. Data We Collect

2.1 Shelter Staff Accounts

  • Full name and email address.
  • Password (stored as a bcrypt hash; never stored in plain text).
  • Organisation membership, role (Admin / Staff / Volunteer / Foster), and join date.
  • Activity log entries recording actions taken within the platform (e.g. application status changes, contract sending).

2.2 Adopter & Donor Data (Processed on Behalf of Shelters)

When members of the public submit adoption or fostering applications through a shelter’s public portal, the following data is collected and stored on behalf of the shelter:

  • Full name, email address, phone number, home address, and county.
  • Household details (type, garden, children, other pets).
  • Previous pet experience and reason for adopting or fostering.
  • GDPR consent records, including timestamp and IP address at time of consent.
  • E-signature data (typed name) and IP address at time of contract signing.
  • Donor data: name, email, donation amount, frequency, and Stripe payment reference.

2.3 Website Visitor Data

  • IP address and browser user agent (collected automatically by our hosting infrastructure).
  • Pages visited and time on site (collected via session cookies only — see Section 8).

3. Lawful Basis for Processing

Processing activityLawful basis (GDPR Article 6)
Shelter staff account managementArticle 6(1)(b) — performance of contract
Billing and subscription managementArticle 6(1)(b) — performance of contract
Platform security and fraud preventionArticle 6(1)(f) — legitimate interests
Adopter application data (processed for shelters)Article 6(1)(a) — consent (obtained by shelter)
Donor payment recordsArticle 6(1)(c) — legal obligation (financial records)
Marketing emails to shelter administratorsArticle 6(1)(a) — consent

4. Data Processors We Use

We engage the following sub-processors to operate the platform. All are subject to appropriate data processing agreements:

Supabase (Supabase Inc.)

Purpose: PostgreSQL database hosting and file storage.

Location: European Union (eu-west-1 region, Ireland/Europe).

Data transferred: All platform data including adopter records, contracts, and photos.

Stripe (Stripe Payments Europe, Limited)

Purpose: Payment processing for subscriptions, donation checkouts, and adoption fees.

Location: European Economic Area (regulated entity incorporated in Ireland).

Data transferred: Donor name, email, payment card data (handled directly by Stripe; Cara never sees raw card data).

Vercel (Vercel Inc.)

Purpose: Application hosting and serverless function execution.

Location: Global CDN; server-side processing in EU regions where possible.

Data transferred: HTTP request logs including IP addresses (retained 30 days).

5. Retention Periods

  • Shelter staff account data: retained for the duration of the shelter’s active subscription, plus 12 months after cancellation.
  • Adopter and donor data (processed on behalf of shelters): subject to each shelter’s own retention policy. Cara will delete or return all such data within 30 days of subscription termination on request.
  • Financial and billing records: retained for 7 years in accordance with Irish Revenue Commissioners requirements under the Taxes Consolidation Act 1997.
  • Activity logs: retained for 24 months, then permanently deleted.
  • Website visitor logs: retained for 30 days (Vercel infrastructure default).

6. Your Data Subject Rights

Under GDPR Articles 15–22, you have the following rights regarding personal data we hold about you as a platform user (shelter staff):

  • Right of access (Article 15): You may request a copy of the personal data we hold about you. Use the ‘Download my data’ function in your account settings, or email carashelters@gmail.com.
  • Right to erasure (Article 17): You may request deletion of your account. Note: financial records required by law cannot be erased.
  • Right to rectification (Article 16): You may correct inaccurate personal data via your account settings or by contacting us.
  • Right to data portability (Article 20): You may download your data in JSON format from your account settings.
  • Right to object (Article 21): You may object to processing based on legitimate interests by contacting carashelters@gmail.com.

For rights requests relating to adopter or donor data collected through a shelter’s portal, please contact the relevant shelter directly — they are the data controller for that data.

7. Controller vs. Processor Distinction

Cara Shelters is the DATA CONTROLLER for: shelter staff account data, platform usage logs, and billing data.

Cara Shelters is the DATA PROCESSOR for: adopter applications, donor records, volunteer data, adoption contracts, and all other data that shelters collect through their public-facing portals.

Each shelter is an independent DATA CONTROLLER for the data their adopters and donors submit. The Cara–Shelter Data Processing Agreement governs this relationship.

8. Cookie Policy

Carashelters.ie uses the following cookies:

  • Session cookies (strictly necessary): Used to maintain your login session after authentication. Deleted when you close your browser.
  • CSRF token cookie (strictly necessary): Protects form submissions against cross-site request forgery attacks.

We do not use advertising cookies, tracking pixels, or any third-party analytics cookies. No personal data is shared with advertising networks.

9. International Transfers

All data is stored on Supabase infrastructure located within the European Union. Vercel may process request logs on servers outside the EU/EEA; this is covered by Vercel’s Standard Contractual Clauses (SCCs) as adopted by the European Commission. No other international transfers are made.

10. Contact & Complaints

For any data protection queries or to exercise your rights, email carashelters@gmail.com.

If you are not satisfied with our response, you have the right to lodge a complaint with the Irish Data Protection Commission: dataprotection.ie · +353 (0)57 868 4800 · 21 Fitzwilliam Square South, Dublin 2, D02 RD28.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify shelter administrators by email of any material changes at least 30 days before they take effect. Continued use of the platform after the effective date constitutes acceptance of the revised policy.