Privacy Policy
This is our Privacy Policy. Mimos’s Terms of Use (EULA) are on a separate page. View the Terms of Use →
1. About this policy and who it is for
Mimos is a multi-tenant software-as-a-service (SaaS) platform that grooming businesses use to manage clients, pets, appointments, messaging and an online booking storefront. The platform is operated by Mimos Technology Inc. ("Mimos", "we", "us"), 108 W 39th St, STE1006 PMB2057 New York City, 10018 NY, USA.
This policy explains what personal data we process, why, on what legal basis, who we share it with, how long we keep it, and what rights you have. It applies to:
- Grooming businesses that subscribe to Mimos (our direct customers) and the staff users within those businesses who hold an account.
- Pet owners ("clients") whose details a grooming business stores in Mimos or who book through a business's online storefront.
- Visitors to our application and booking pages.
2. Our role: controller and processor
Mimos plays two distinct data-protection roles. It is important to understand which applies to you.
We are the controller for personal data where we decide the purposes and means of processing — principally:
- Account and staff-user data (registration, authentication, billing administration, support, security).
- Technical and usage data we collect to run, secure and improve the platform.
- Communications between us and our business customers.
We are a processor (and the grooming business is the controller) for the personal data a business enters or generates about its own clients and their pets — for example client contact details, pet records, appointment history, photos, vaccination records and message logs. We process that data only on the documented instructions of the business for the purpose of providing the service. Each business is responsible for having a lawful basis to collect this data and for responding to its own clients' privacy requests; our processing is governed by a Data Processing Agreement (DPA) that forms part of our terms.
If you are a pet owner and want to access, correct or delete the information a grooming salon holds about you, please contact that salon directly — they control your record. We will assist them as their processor.
3. Personal data we process
The exact data present depends on how a business configures Mimos and what it chooses to record. The categories below reflect what the platform is capable of storing.
3.1 Business and staff-user accounts (Mimos as controller)
- Identity & contact: first and last name, email address, phone number.
- Authentication & security: hashed password, email-confirmation and password-reset tokens, "remember me" token, failed-login counters and lockout state, and sign-in metadata (timestamps and IP addresses of current/last sign-in).
- Profile: optional avatar photo, and — for staff who are bookable groomers — biography, specialties, calendar colour, hire date and commission percentage.
- Working data: working hours, time-off (including any reason recorded), location assignments, and the business's configuration/settings.
- Role & membership: which business(es) the user belongs to and their role (admin or member).
3.2 Client and pet data (Mimos as processor, on behalf of the business)
- Pet owner ("client") details: name, email address(es), phone number(s), postal/billing address(es), free-text notes, acquisition source, household relationships, and tags/labels.
- Messaging preferences and consent: whether the client consented to automated reminders/marketing messages, when consent was given or withdrawn, and the preferred channel (SMS, email or none).
- Pet records: name, species, breed, date of birth, sex, size, weight, coat/temperament, allergies and medical notes, and pet photos (profile photo and grooming before/after photos).
- Vaccination records: vaccine name/type, dates administered and expiring, verification and any override reason/notes, and an uploaded proof document (photo or PDF of a certificate).
- Appointments & service history: bookings, times, status, price snapshots, appointment notes/special instructions, and which staff member performed the service.
- Consents & signatures: waiver/consent documents captured at check-in, including photo-consent flags, the signer's name and a digital signature payload, plus the document version/locale and timestamp.
- Reviews & testimonials: ratings and free-text comments submitted by clients (some via tokenised links), and any testimonial author name/photo a business chooses to publish.
- Communications: a log of messages sent to or received from clients, including the recipient phone/email, channel (SMS, WhatsApp, email), message body, direction, delivery status and any error.
Sensitive data note. Allergies and medical notes about pets are animal health information, not special-category personal data about a human. However, free-text fields (client notes, appointment notes, review comments) could contain whatever a user types. Businesses should avoid recording special categories of personal data about people in these fields.
3.3 Data collected automatically
- Session and authentication cookies (see §6).
- Server and security logs including IP address, request metadata and user-agent, used for operating, securing and debugging the service. Passwords, tokens, OTP codes and similar secrets are filtered out of our logs.
- Performance and tracing telemetry via our application-performance-monitoring provider (see §7), consisting of request and tracing metadata.
- Product analytics events (e.g. funnel/usage events with a session identifier and the authenticated user, where applicable).
- Mobile push tokens for staff who use the companion iOS or Android app (device token, platform, environment, last-seen time). Push is delivered via Apple Push Notification service (APNs) on iOS and Firebase Cloud Messaging (FCM) on Android; the token data collected is the same on both platforms.
- Subscription and purchase data for Mimos Pro (our paid plan). When you subscribe through the App Store or Google Play, we process the store transaction identifier, the product identifier (e.g. the monthly or yearly plan), a pseudonymous per-account identifier the app sends to the store (Apple
appAccountToken/ GoogleobfuscatedAccountId, derived from your account ID) and the resulting entitlement/subscription status. If you subscribe on the web through Stripe, we process your Stripe customer and subscription identifiers, the product identifier and the subscription status. We process this solely to grant and manage access to Mimos Pro.
We do not store payment-card numbers or bank-account details; Mimos is not a payment processor.
4. Why we process data and our legal bases
Where the GDPR (EU/EEA), Brazil's LGPD, or other applicable data protection laws apply, we rely on the following bases:
| Purpose | Examples | Legal basis |
|---|---|---|
| Provide the service to businesses | Create/maintain accounts, store client & pet records, run bookings | Performance of a contract |
| Process client/pet data for a business | Hosting and operating the business's CRM data | Processor acting on the business's instructions (the business relies on its own basis) |
| Authentication & account security | Login, password reset, lockout, rate limiting | Legitimate interests / contract |
| Service communications | Confirmations, password resets, invitations, appointment reminders/notifications | Contract / legitimate interests; consent for client marketing/reminder messages where required |
| Reliability & security monitoring | Error tracking, performance monitoring, abuse prevention | Legitimate interests |
| Comply with legal obligations | Tax/accounting records, responding to lawful requests | Legal obligation |
| Improve the product | Aggregated/usage analytics | Legitimate interests |
For our own marketing to businesses, or where consent is otherwise required, we rely on consent, which you may withdraw at any time.
5. Client messaging and consent
Mimos can send SMS and email messages to a business's clients (for example appointment reminders and confirmations), with WhatsApp messaging available where enabled. The platform records and enforces messaging consent: a client's consent status and timestamp are stored, and automated client messages are gated on that consent. Clients can withdraw consent at any time by contacting the business or following opt-out instructions where provided. Message logs are retained as part of the business's records (see §9).
6. Cookies and similar technologies
Mimos uses a small number of strictly necessary cookies to operate; it does not use advertising cookies. These include:
- A session cookie (e.g.
_pet_crm_session) to keep you signed in and protect against cross-site request forgery. It is HttpOnly, SameSite=Lax and (in production) Secure (HTTPS-only). - A "remember me" cookie set only if you choose that option at sign-in, so you stay logged in across browser sessions; it is cleared on logout.
Because these cookies are essential to providing a service you request, they do not require consent under the ePrivacy rules. If we later add non-essential cookies or third-party analytics that set cookies, we will present a consent banner and update this section.
7. Service providers and sub-processors
We share personal data with the third parties below strictly to provide the service. Each is bound by data-protection terms. This list may change; we will keep it current.
| Provider | Role | Data involved |
|---|---|---|
| Render | Application hosting, managed PostgreSQL database, backups, logs | All application data |
| Cloudflare R2 | Object storage for uploaded files | Photos (avatars, pet, grooming, testimonials), logos, vaccination proofs |
| Redis (managed) | Background-job queue / cache | Transient job data referencing records |
| Resend | Transactional email delivery | Recipient name & email, message content (confirmations, resets, invitations, reminders) |
| Sweego | Transactional SMS delivery (appointment reminders, confirmations) | Recipient phone number (E.164), message content |
| Apple Push Notification service (APNs) | iOS push notifications to staff app | Device push token, notification content |
| Google — Firebase Cloud Messaging (FCM) | Android push notifications to the staff app | Device push token, notification content |
| Apple — App Store / StoreKit | Processing the Mimos Pro subscription and sending us transaction and entitlement data | Transaction identifier, product identifier, pseudonymous per-account identifier (appAccountToken), subscription status |
| Google — Google Play Billing | Processing the Mimos Pro subscription and sending us transaction and entitlement data | Purchase/transaction identifier, product identifier, pseudonymous per-account identifier (obfuscatedAccountId), subscription status |
| Stripe | Processing the Mimos Pro subscription on the web (Stripe Checkout) and sending us subscription and entitlement data | Stripe customer and subscription identifiers, product/price identifier, subscription status (no card details) |
| Datadog | Application performance monitoring (production) | Request/tracing metadata |
| Slack | Internal operational alerts to Mimos (e.g. new sign-ups/bookings) | Limited account/booking metadata |
| Companion mobile backend webhook | Notifying our mobile app of data changes | Account ID, event type, timestamp (signed) |
| Fontshare (Indian Type Foundry) | Serves the web font used in the interface | The browser's IP/user-agent when loading the font |
Planned (not yet active): error tracking via Sentry is integrated in our codebase but is not enabled in production, so it is not processing personal data today. If we turn it on, we will update this section; error reports may then include IP address, request headers and the identifiers of the affected user.
We do not sell personal data, and we do not share it for third-party advertising.
8. International data transfers
Our providers may process data outside the country where you are located, including in the United States. Where data is transferred out of the EEA/UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum where relevant), or a provider's adequacy/Data Privacy Framework certification. Details of the safeguards for a specific transfer are available on request at hello@joinmimos.com.
9. Data retention
- Account and staff-user data is retained for as long as the business's subscription is active and for a reasonable period afterwards, then deleted or anonymised, subject to legal retention obligations (e.g. tax/accounting).
- Client, pet, appointment, photo and vaccination records are retained for the business (the controller) for as long as it keeps them. Some records use soft deletion (marked deleted and hidden but retained) so history and appointment records stay consistent; they are not automatically purged.
- Change history / audit trail. For integrity and accountability, changes to key records are versioned in an audit log and retained for the life of the account unless purged.
- Message logs are retained as part of the business's communication records.
- Account closure / deletion. When a business account is deleted, its associated data (memberships, clients, pets, appointments, services, invitations, etc.) is removed. On request we will delete or return a business's data in line with our DPA and applicable law.
- Backups are retained for a limited rolling window and then overwritten; deletion requests are honoured in active systems immediately and propagate as backups cycle out.
If you would like a specific retention schedule documented, contact us at hello@joinmimos.com.
10. How we protect data
- Encryption in transit: HTTPS/TLS is enforced across the application (HSTS/force_ssl in production); cookies are Secure and HttpOnly.
- Password protection: passwords are hashed with bcrypt (work factor 12) and never stored or logged in plain text.
- API access: programmatic access uses bearer tokens stored only as a salted HMAC-SHA256 digest (the raw token is never persisted); tokens can be revoked and expired.
- Abuse prevention: rate limiting on sign-in, sign-up, password-reset and OTP endpoints, and account lockout after repeated failed logins.
- Log hygiene: passwords, tokens, OTPs and other secrets are filtered from application logs.
- Tenant isolation: each business's data is logically segregated per account.
- Access control: role-based permissions (admin/member) and policy checks gate access within an account.
- Mobile session security: the mobile app stores its session token in the device's secure storage (iOS Keychain / Android Keystore), optionally protected by device biometrics where you enable them; biometric data never leaves your device and is handled entirely by the operating system.
No system is perfectly secure, but we take reasonable and appropriate technical and organisational measures to protect personal data and will notify affected parties and regulators of a personal-data breach where the law requires.
11. Your rights
Subject to applicable law (such as the GDPR and the LGPD), you may have the right to:
- Access the personal data we hold about you and receive a copy.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten") in certain circumstances.
- Restrict or object to certain processing, including processing based on legitimate interests and direct marketing.
- Data portability — receive your data in a structured, machine-readable format.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with your local data protection or supervisory authority.
How to exercise your rights:
- If Mimos is the controller (your account/staff-user data), contact us at hello@joinmimos.com. We will respond within the timeframe the law requires (one month under the GDPR, extendable). We may need to verify your identity.
- If your data was entered by a grooming business (i.e. you are that business's client), contact that business — it is the controller. We will support it in fulfilling your request.
12. Children
Mimos is intended for businesses and adults. It is not directed at children, and we do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will delete it.
13. Automated decision-making
We do not use the personal data described here to make decisions producing legal or similarly significant effects about you solely by automated means.
14. Changes to this policy
We may update this policy to reflect changes in the product, our providers or the law. We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice (e.g. in-app or by email). Continued use after the effective date constitutes acceptance where permitted by law.
15. Contact us
Questions, requests or complaints about privacy:
Email: hello@joinmimos.com
Postal: Mimos Technology Inc., 108 W 39th St, STE1006 PMB2057 New York City, 10018 NY, USA
This English version is the reference text. Translations into other languages may be provided for convenience; in case of conflict, the English version prevails.