Privacy Policy
HonestDog GmbH operates the platform honestdog.de, which connects people looking for a puppy with vetted breeders and animal-welfare organisations. Protecting your personal data matters to us. This policy explains what data we process, for which purposes and on which legal basis.
This English translation is provided for convenience. Only the German version is legally binding.
1. Overview
When you visit or use honestdog.de, we process personal data. The scope depends on how you use our platform: for simply browsing we need only a little technical data. If you create an account, send an application to a breeder or a shelter, or use our tools (such as the breed finder), we process the information required for that purpose. Analytics and marketing processing that requires consent only takes place after you have agreed via our cookie banner.
You have extensive rights: access, rectification, erasure, restriction, data portability, withdrawal of consent given, and objection. Details and the applicable legal bases can be found in the sections below.
2. Controller & Contact
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
HonestDog GmbH
Am Hauptbahnhof 6
53111 Bonn
Germany
Email: info@honestdog.de
Represented by the Managing Director Sufyan Osamah.
Data Protection Officer: We have not appointed a data protection officer. We are not legally required to do so, as the thresholds of Section 38 BDSG (German Federal Data Protection Act) and Art. 37 GDPR are not met in our case. For questions about data protection and to exercise your rights, please contact info@honestdog.de.
3. Hosting & Infrastructure
This website is hosted with Amazon Web Services (AWS). The provider is Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg. The primary processing region is Frankfurt am Main (eu-central-1); the database of our content management system runs in Stockholm (eu-north-1) — both regions are located in the European Union.
Content is delivered via the content delivery network Amazon CloudFront, which may process requests at edge locations worldwide in order to serve content quickly. A Web Application Firewall (AWS WAF) protects the platform against attacks and abuse: it processes IP addresses and request metadata, applies per-IP rate limits, and blocks or challenges suspicious traffic. For the purposes of security, abuse prevention and error analysis, server access logs (IP address, timestamp, requested URL, user agent, referrer) are stored.
The legal bases are Art. 6(1)(f) GDPR (our legitimate interest in a secure, efficient and professional provision of our online offering) and — for account holders — Art. 6(1)(b) GDPR. A data processing agreement (DPA) is in place with AWS. Insofar as data reaches the US parent company, the transfer is protected by the EU-US Data Privacy Framework and/or standard contractual clauses.
4. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Access (Art. 15 GDPR) to the data we process;
- Rectification (Art. 16 GDPR) of inaccurate data;
- Erasure (Art. 17 GDPR) of your data, insofar as no statutory retention obligations apply;
- Restriction of processing (Art. 18 GDPR);
- Data portability (Art. 20 GDPR) in a common, machine-readable format;
- Withdrawal of consent given (Art. 7(3) GDPR) with effect for the future; the lawfulness of processing carried out before the withdrawal remains unaffected.
Right to object (Art. 21 GDPR)
Where processing is based on Art. 6(1)(e) or (f) GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data; this also applies to profiling based on those provisions. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims (objection under Art. 21(1) GDPR).
Where your personal data is processed for direct-marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing. If you object, your personal data will no longer be processed for direct-marketing purposes (objection under Art. 21(2) GDPR).
Right to lodge a complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data. The authority responsible for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2–4
40213 Düsseldorf, Germany
www.ldi.nrw.de
Irrespective of this, you may lodge a complaint with the supervisory authority of your habitual residence.
5. Legal Bases & Third-Country Transfers
Depending on the context, we process personal data on the basis of consent (Art. 6(1)(a) GDPR), for the performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR), to comply with a legal obligation (Art. 6(1)(c) GDPR), or on the basis of our legitimate interests (Art. 6(1)(f) GDPR). Insofar as we store information on your device or access such information, this is based on Section 25 TDDDG — for operations that are not strictly technically necessary, only after your consent under Section 25(1) TDDDG. We state the applicable legal basis in the sections below.
Some of the processors we use are US companies or process data outside the EU. We base such transfers on the adequacy decision of the EU-US Data Privacy Framework and/or on EU standard contractual clauses (Art. 46 GDPR). We point out that a residual risk remains in third countries — in particular the USA: authorities could, under certain conditions, access data stored there without effective legal remedies always being available against this. We have no influence over such processing activities.
6. Cookies & Local Storage (Section 25 TDDDG)
Strictly necessary cookies (Section 25(2) TDDDG)
To operate signed-in areas, we use strictly necessary cookies that do not require consent: a session cookie for login (NextAuth session, valid for up to 60 days) and an access-token cookie ("token"). When signing in via a social network (OAuth), short-lived cookies are set that hold the sign-up context for a maximum of 5 minutes.
Functional storage in the browser (localStorage)
In your browser's local storage we place first-party data only, which we do not share: your consent choice ("cookie-consent"), UI state (e.g. dismissed banners, a favorites cache), and draft application data so that your input is not lost.
Advertising attribution
If you arrive via a Google Ads advertisement, we store the click IDs (gclid/gbraid/wbraid) and UTM parameters for up to 90 days in your browser's local storage in order to measure the success of the ad (conversion attribution). This is done on the basis of your consent (see section 8).
Consent
Our cookie banner offers the options "Accept all" and "Decline" with equal prominence. Your consent can be withdrawn at any time — for example by deleting the "cookie-consent" entry or reopening the choice. Analytics and marketing storage only take place after your consent.
7. Web Analytics (PostHog)
To analyse the use of our platform, we use PostHog (hosted in the EU cloud, eu.posthog.com).
For visitors without an account, analytics runs "cookieless": no cookies are set and no information is stored on your device. Events are held only in memory during your visit, so Section 25 TDDDG is not triggered. We collect the pages viewed, interactions, technical metadata (browser, operating system) and an approximate location derived from the IP address. The legal basis is Art. 6(1)(f) GDPR (our interest in understanding and improving the product). You may object to the processing under Art. 21 GDPR.
For logged-in users, we link events to the account (user ID, email address, role) in order to understand and improve product usage. The legal basis is Art. 6(1)(f) GDPR.
Session recordings (the replay of individual sessions, as a 10% sample, with all text inputs masked) are carried out only after your consent via the cookie banner (Art. 6(1)(a) GDPR, Section 25(1) TDDDG). A data processing agreement (DPA) is in place with PostHog; hosting takes place in the EU.
8. Google Services (Tag Manager, Analytics, Ads)
We integrate Google services via Google Tag Manager with Consent Mode v2. By default, all storage categories are set to "denied"; only after your consent via the cookie banner do the Google tags (Google Analytics 4, Google Ads conversion tracking) become active. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
To measure advertising success (Google Ads), we transmit conversion events server-side to Google, including the click IDs and — for "enhanced conversions" — the email address in SHA-256 hashed form. The legal basis is your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time. We base the transfer to the USA on the EU-US Data Privacy Framework and/or standard contractual clauses.
9. User Account & Profiles
For registration (by email and password or via Google or Facebook sign-in), we process your name, email address, password (stored encrypted / hashed), optionally your phone number (with verification), and your role (buyer or breeder).
For matching, buyers create a profile. The following information may be processed: address or location (including coordinates for proximity search and search alerts), the household situation (e.g. whether children live in the household — including whether there are children under the age of 8 —, whether there are other pets, and the living situation), your experience with dogs, and your preferences from the breed-finder quiz.
The purpose is to match buyers with suitable breeders or animal-welfare organisations and to operate your account. The legal basis is Art. 6(1)(b) GDPR. We store this data until your account is deleted, and beyond that within the scope of any statutory retention obligations.
10. Enquiries, Applications & Messages
Applications to breeders or shelters are represented in our system as conversations. Message content, sender and recipient, and read status are stored so that both sides can communicate. The legal basis is Art. 6(1)(b) GDPR (provision of the platform function).
Automatic translation:Incoming messages are automatically detected by language and machine-translated into the recipient's language; we use Google Gemini for this (see section 11). The translation is stored alongside the original.
If you contact us by email at info@honestdog.de, we process your details to handle your request (Art. 6(1)(b) or (f) GDPR). To speed up handling, incoming emails to info@ are pre-sorted and classified with AI assistance (Google Gemini); the substantive response is handled by a human. Automated replies are only sent for routine matters.
11. AI Features
We use Google Gemini (Google Ireland Limited / Google LLC) as a processor for the following features:
- translation and linguistic improvement of messages;
- the breed-finder recommendation (based on your quiz answers);
- the "Nikki" assistant chat (your chat messages, up to the last conversation turns);
- transcription of voice input (audio recordings you actively make);
- analysis of documents you upload.
Inputs are processed in order to provide the respective function and, in accordance with Google's API terms, are not used to train Google's models. Some AI processing takes place on servers in the USA (transfer under the EU-US Data Privacy Framework and/or on the basis of standard contractual clauses). The legal basis is Art. 6(1)(b) GDPR (a function you actively invoke).
12. Breeder Verification & Automated Decisions (Art. 22 GDPR)
Breeders undergo a verification procedure. Uploaded documents (identity document, permit under Section 11 of the German Animal Welfare Act (§ 11 TierSchG), club or association proof, a selfie, and photos of the breeding environment) are checked with AI assistance (Google Gemini) for authenticity and consistency; in addition, publicly available sources (e.g. the VDH registry or the breeder's own website) may be cross-checked.
Automated approval occurs only when all checks are clearly passed ("fail-closed"); in all other cases a human reviews. There is no automated rejection — negative or unclear results always go to manual review.
Under Art. 22(3) GDPR, breeders can request human intervention in any automated approval decision, express their point of view, and contest the decision — by email to info@honestdog.de. We keep full logs of the decisions. The legal basis is Art. 6(1)(b) GDPR and Art. 22(2)(a) GDPR (necessary for entering into the contract).
13. Email Communication & Newsletter
To send emails, we use Amazon SES (AWS, region eu-central-1; a DPA is in place). We send transactional emails (relating to your account, applications, messages, password reset) on the basis of Art. 6(1)(b) GDPR.
We send marketing and drip emails (e.g. welcome series, buyer guides, reactivation) only with your consent, using a double opt-in procedure: the subscription is confirmed via a confirmation link. For accountability, we log the time, source, IP address and browser at the time of consent (Art. 7(1) GDPR).
Open and click measurement: Our emails contain a tracking pixel and measured links with which we record delivery, opens and clicks in order to assess the relevance of our messages. We also evaluate these events in PostHog. Every marketing email contains a one-click unsubscribe link (no login required); more granular settings can be made via the preferences link.
We maintain a suppression list (bounces, complaints, unsubscribes) permanently so that we do not email you again. The legal basis for this is Art. 6(1)(f) or (c) GDPR.
14. Payments (Breeders Only)
For breeders' paid services (e.g. credits, highlighted placements), we process payments via Stripe (Stripe Payments Europe, Ltd., Dublin, Ireland). Stripe receives your name, email address and payment data; processing is carried out in accordance with the PCI-DSS standard. Stripe acts partly as its own controller; for details please see Stripe's privacy policy (https://stripe.com/privacy).
The legal basis is Art. 6(1)(b) GDPR. We retain billing records in accordance with Sections 147 AO and 257 HGB (6 or 10 years). Buyers never pay on the platform.
15. Maps & Geocoding
We render maps using the Leaflet library and obtain the map tiles from CARTO (CARTO, based on OpenStreetMap data). When a map loads, your browser requests the tiles from CARTO's CDN, transmitting your IP address.
Address searches and geocoding are carried out via OpenStreetMap Nominatim, with the requests routed through our own server — your browser therefore does not contact Nominatim directly; the address text is transmitted server-side. The legal basis is Art. 6(1)(f) GDPR (displaying locations).
16. Futtercheck (checkforpet.de)
On individual pages we offer a "Futtercheck", an interactive questionnaire for determining a suitable food recommendation for your dog. It is technically provided by our partner: CHECK FOR PET, operated via www.checkforpet.de. The Futtercheck is loaded only when you actively call it up by clicking the "Futtercheck starten" button — no data is transmitted to the partner when you merely view the page. Only when you click is a script loaded from www.checkforpet.de that displays the questionnaire and processes the information you enter (e.g. your dog's age, weight, breed); cookies or comparable technologies may also be used. The legal basis for the loading triggered by your click is your consent or the performance of the service you requested (Art. 6(1)(a) and (b) GDPR and Section 25(1) TDDDG). Consent can be withdrawn at any time with effect for the future. The partner is responsible for the data processing that takes place within the Futtercheck; for details please see the privacy policy at https://www.checkforpet.de.
17. Partner Offers (Affiliate Links)
If you click on a partner offer, the click is routed through our server, which logs it before redirecting to the partner (pseudonymous visitor ID, placement, campaign parameters) for billing and statistics. The legal basis is Art. 6(1)(f) GDPR.
18. Breeder Recommendations from Publicly Available Sources (VDH)
Nature and origin of the data
In order to make responsible breeding operations accessible to people looking for a puppy, we publish on so-called breeder-recommendation pages information about dog breeders that we did not collect from the data subjects themselves (information pursuant to Art. 14 GDPR). The source of this data is the publicly accessible breeder directory of the Verband für das Deutsche Hundewesen (VDH) at welpen.vdh.de; on each recommendation page the respective original entry is linked as the source. Categories of data processed: name and kennel name, town/region, club membership, breeds bred, publicly available descriptive texts and photos, as well as — without publication — the contact details given in the directory.
Purpose and legal basis
The processing is carried out on the basis of our legitimate interest (Art. 6(1)(f) GDPR) in making it easier for buyers to find reputable breeding operations organised in VDH member clubs, and thereby to counteract disreputable online puppy trading. The recommendation pages are free of charge for the listed breeders; there is no business relationship, and HonestDog earns no revenue from the listed breeders through these pages. Email addresses that are only shown in obfuscated form in the VDH directory are neither published nor passed on by us.
Objection and removal
Listed breeders can object to the processing at any time (Art. 21 GDPR). To do so, send a short email to info@honestdog.de — ideally from the address given in your VDH entry or on your website, so that we can assign the request without further queries (details at https://www.honestdog.de/de/vdh-opt-out). We usually remove entries within 1–2 business days, at the latest within 7 days, and keep removed entries on an internal block list so that they are not republished during future updates from public sources. The data is stored for as long as the entry is listed in the public VDH directory or until your objection.
19. Social Media & Meta Pixel
On our website we link to our profiles on social networks (ordinary links, no embedded plugins). Processing of data by the respective platform only takes place once you click the link and visit the platform.
Meta Pixel:After your consent via the cookie banner, we use the Meta Pixel of Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland. The pixel records page views and may set cookies or access information on your device; Meta may link this data to your account if you are logged in to Meta and use it for its own advertising purposes. We are jointly responsible with Meta for the collection and transmission of the data (Art. 26 GDPR); the subsequent processing is Meta's sole responsibility. The legal basis is your consent (Art. 6(1)(a) GDPR, Section 25(1) TDDDG), which you can withdraw at any time. Transfers to the USA are based on the EU-US Data Privacy Framework and/or standard contractual clauses. More information: https://www.facebook.com/privacy/policy
20. Storage Duration & Final Provisions
Unless a more specific storage duration is stated in this policy, we process personal data only for as long as this is necessary for the respective purposes. The data is then deleted, unless statutory retention obligations (in particular under tax and commercial law) preclude deletion; in that case, deletion takes place after the respective period has expired.
For security reasons this website uses SSL / TLS encryption, recognisable by the "https://" in the address bar and the padlock symbol in your browser.
We reserve the right to amend this privacy policy in order to adapt it to changes in the legal situation or to changes in our services. The version published on this page at the time applies.
Last updated: July 2026