LostPaws.

Overview

LostPaws is a UK pet microchip registry. Pet owners register their animals; if a pet is found, scanning the QR tag fires emergency notifications with geolocation back to the owner. The platform supports five different user roles (Free, Premium, POA, Vet, Implanter), each with different access patterns. I was the sole engineer on the platform for ten months.

Problem

The product was running on WordPress with several features that had grown faster than the security or data model could handle. The QR tag scan flow had a subtle exploit that gave anyone scanning a tag full account access. The GBGB greyhound API the platform relied on for breed verification was deprecated with a hard October 20 cutoff. Personal pet-owner data was appearing in Google Search results. And the role system was being maintained as a tangle of conditionals across the codebase instead of one source of truth.

Constraints

• Live users with real pets registered. No rebuild from scratch.
• WordPress as the platform, with all the discipline issues that involves at scale.
• One developer (me). Stewart on the product side.
• The GBGB API replacement had a hard external deadline (October 20). Miss it and breed verification breaks for every Premium user.
• Pricing was fixed-fee on Upwork. Scope clarity per milestone mattered more than hours.

Decisions

• Treat the QR tag flow as a security-first redesign, not a feature tweak. The full-account-access exploit was the visible symptom; the data model behind it needed rethinking.
• Replace the deprecated GBGB API ahead of the October 20 deadline, with the new integration tested against the old data shape so nothing downstream breaks. Pre-commit to the cutover rather than chasing the deadline.
• Map the 5-tier role system into explicit role definitions instead of conditional sprawl. Free, Premium, POA, Vet, Implanter as named roles, each with declarative access rules.
• Build custom PHP modules for the platform-specific concerns (pets, mail, SMS, microchips API) so generic WordPress upgrades stay safe and the platform-specific logic stays inspectable.

What I built

• 5-tier user role system: Free, Premium (PU), POA, Vet, Implanter
• Multi-step pet registration flows
• QR tag scan authentication with a full security overhaul, closing the full-account-access exploit
• Pet ownership transfer system (transfers the pet record, removes from sender)
• Lost-and-Found feature with conditional access by role
• GBGB greyhound database API integration, replacing the deprecated Microdogid API before the October 20 deadline
• SMS notification bridge and custom email system
• Google Search privacy fix (personal pet-owner data was leaking into search results)
• Custom premium product ID mapping for 10+ subscription product IDs
• Custom PHP modules: pets, mail functions, SMS, microchips API
• Left Hand Seat (sister product): UK aviation directory with Supabase backend, Revolut payments, Cloudflare Pages, GitHub Actions, GA4 integration

Result

• $4,525 total earned over 10 months ($3,570 fixed-price + $955 hourly)
• 5.0 Upwork rating across the engagement
• Longest single Upwork client relationship to date
• Security exploit closed. New API integration shipped before the external deadline. Personal data removed from Google Search.
• Sister product (Left Hand Seat) shipped in parallel, ongoing maintenance retainer

Reflection

The most important work here was not novel. It was finding the next exploit before a user did. WordPress at scale punishes magical thinking. Every “this works for now” eventually becomes “this leaks user data” or “this gives strangers full account access.” Stewart valued the engagement enough that we extended into a sister product and stayed in contact past the original scope. The lesson I took: a 5.0 rating across ten months is the result of caring about the parts of a product that users never see, not the parts they do.

What the client said