Data Sharing Agreement
1. Scope of Data Shared
This agreement covers the following categories of data shared between Shelter Partners and WaitingTheLongest.com ("WTL"):
- Dog Profiles: Name, breed, age, size, weight, sex, color, medical status, temperament, special needs, adoption fee, photos, videos, and descriptions.
- Shelter Information: Organization name, address, phone, email, website, hours of operation, and type classification.
- Contact Information: Names, titles, email addresses, and phone numbers of shelter staff designated as points of contact.
- Status Data: Availability status, intake dates, euthanasia dates, adoption dates, and urgency classifications.
- Integration Data: API keys (hashed), webhook endpoints, and usage logs.
2. Permitted Uses
WTL may use shared data for the following purposes:
- Public Display: Displaying dog profiles and shelter information on the WTL website to facilitate adoptions.
- Search Indexing: Making listings discoverable through on-site search and external search engines.
- Social Media Promotion: Featuring dogs and shelters on WTL's social media accounts to increase adoption visibility.
- Aggregate Analytics: Generating anonymized, aggregate statistics about shelter dog populations, wait times, and adoption trends.
- API Distribution: Making listings available through WTL's API to approved partners and integrators.
- Platform Improvement: Analyzing usage patterns to improve the Platform's features and user experience.
3. Prohibited Uses
WTL will NOT:
- Sell raw shelter data or contact information to third parties.
- Share shelter staff personal contact information with commercial marketers, advertisers, or data brokers.
- Use shelter data to build competing products or services without consent.
- Share individual shelter performance data with other shelters without consent.
- Use shelter logos or branding in paid advertising without express permission.
4. Data Retention
- Active Listings: Retained and displayed for as long as the dog is marked available or the shelter partnership is active.
- Removed/Adopted Listings: Archived for 1 year for historical analytics and "Happy Tails" features, then permanently deleted.
- Shelter Profile Data: Retained for the duration of the partnership plus 90 days post-termination.
- Communication Logs: Retained for 2 years for dispute resolution and service improvement purposes.
- API Usage Logs: Retained for 90 days for security and debugging, then aggregated and anonymized.
- Full Deletion: Upon written request, all shelter data will be permanently deleted within 30 days. This action is irreversible.
5. Security Measures
WTL implements the following security measures to protect shared data:
- Encryption in Transit: All data transmitted between shelters and the Platform uses TLS 1.2 or higher encryption.
- Encryption at Rest: All data stored in our database (Supabase/PostgreSQL) is encrypted at rest using AES-256.
- Access Controls: Database access is restricted to authorized systems and personnel. Row-Level Security (RLS) policies enforce data isolation.
- API Key Security: API keys are stored as SHA-256 hashes. Raw keys are never stored and cannot be retrieved after initial generation.
- Webhook Signing: All webhook deliveries are signed with HMAC-SHA256 to ensure integrity and authenticity.
- Regular Audits: We conduct regular security reviews and maintain audit logs of data access.
6. Breach Notification
In the event of a data breach that affects shelter partner data, WTL will:
- Notify affected Shelter Partners within 72 hours of discovering the breach.
- Provide details of the breach, including what data was affected and what remediation steps are being taken.
- Cooperate fully with any investigations and implement measures to prevent future breaches.
- Notify relevant regulatory authorities as required by applicable law.
7. Data Subject Rights
WTL supports data subject rights in compliance with applicable privacy laws:
- Right to Access: Shelter Partners may request a complete export of all their data at any time.
- Right to Correction: Inaccurate data will be corrected upon notification.
- Right to Deletion: Data will be permanently deleted within 30 days of written request.
- Right to Portability: Data exports are provided in machine-readable formats (JSON, CSV).
- Annual Report: An annual data processing report is available upon request, detailing what data is held and how it is used.
8. Cross-Border Transfers
All data is processed and stored in the United States (specifically, the Supabase East US — North Virginia region). No personal data is transferred internationally without prior written consent from the Shelter Partner.
9. Sub-Processors
WTL uses the following sub-processors to provide its services:
- Supabase — Database hosting and authentication (Privacy Policy)
- Vercel — Website hosting and serverless functions (Privacy Policy)
- SendGrid (Twilio) — Email delivery (Privacy Policy)
WTL will notify Shelter Partners of any material changes to sub-processors with at least 30 days' notice.
10. Contact
For questions about this Data Sharing Agreement, data requests, or breach notifications: privacy@waitingthelongest.com