Privacy Policy
1. Data Controller
The controller of your personal data is:
TAM LABS SP. Z O.O.
ul. Twarda 18, 00-105 Warsaw, Poland
KRS: 0001070536
NIP (Tax ID): 5252981359
REGON: 527013380
The Controller is not required to appoint a Data Protection Officer pursuant to Article 37 GDPR, because the processing of data does not constitute a core activity involving operations that require regular and systematic monitoring of data subjects on a large scale, nor large-scale processing of special categories of data.
For matters relating to the protection of personal data, you may contact us at: hello@pupsy.app.
2. Categories of Personal Data
In connection with your use of the Pupsy app, we process the following categories of data:
| Category | Scope of Data |
|---|---|
| User account | Email address, password (stored in Supabase Auth in hashed form), first name, preferred language. In the case of Google OAuth sign-in: email address and Google profile data (name, profile photo). |
| Pet data | Pet's name, species, breed, date of birth, sex, weight, microchip number, allergies, chronic illnesses, diet, profile photo. |
| Pet health data | Veterinary visits, vaccinations, medications, procedures and surgeries, treatment costs, medical documents (photos, PDF files), owner's notes. |
| AI data (symptom analysis) | Symptom descriptions (up to 2,000 characters), health issue category, photo, AI-generated responses, chat logs. |
| Document scanner | Photos of scanned documents, OCR-recognized text, extracted data (medications, test results, diagnoses). |
| Location | GPS coordinates (used solely for searching for nearby veterinarians; "while in use" mode; data is NOT stored on the server). |
| Photos | Pet photo gallery with tags and descriptions. |
| Notifications | FCM token (Firebase Cloud Messaging), reminder data (type, date, content). |
| Subscription | Subscription status, purchase history (processed by RevenueCat; Pupsy does not store payment details such as card numbers). |
3. Purposes and Legal Bases of Processing
a) Performance of a contract (Art. 6(1)(b) GDPR)
- Creating and maintaining the user account
- Storing pet profiles and their health data
- Providing the AI symptom analysis and AI chat features
- Scanning and extracting data from veterinary documents
- Handling subscriptions and processing purchases
- Sending transactional notifications (reminders for vaccinations, medications, appointments)
b) Consent (Art. 6(1)(a) GDPR)
- Access to GPS location for searching for veterinarians
- Receiving marketing push notifications
- Firebase Analytics — collection of analytics data (on the basis of Article 5(3) of the ePrivacy Directive, which as lex specialis requires consent for access to information stored on a terminal device)
- Marketing communications
c) Legitimate interests of the Controller (Art. 6(1)(f) GDPR)
- Ensuring the security of services and protecting against abuse
- Crash reporting in order to improve the quality of the application
- Protection against unauthorized access and fraud
4. Data Recipients
Your personal data may be shared with the following processors, with whom we have entered into appropriate Data Processing Agreements (DPAs):
| Service | Scope of Data | Server Location | Transfer Mechanism |
|---|---|---|---|
| Supabase (+ AWS) | All account, pet, health, AI, document and photo data | EU West (Ireland) | EEA — data processed within the EEA. Supabase Inc. (USA) has DPA + SCC in place to cover any remote service access from the USA. |
| OpenAI (GPT-4o) | Symptom descriptions, photos, scanned documents, chat logs | USA | SCC + DPA + TIA |
| Google Maps / Places | GPS coordinates | USA | EU-US DPF (certification no. 5780) + SCC as an additional safeguard |
| Firebase (Google) | FCM token, device identifier, analytics data | USA | EU-US DPF (certification no. 5780) + SCC as an additional safeguard |
| RevenueCat | User identifier, subscription status | USA | SCC + DPA |
| Google Sign-In | Email address, name, profile photo | USA | EU-US DPF (certification no. 5780) |
| Apple Sign-In | Email address (including relay address), name | USA | SCC + Apple Data Processing Addendum |
We do not sell your personal data to third parties. We do not share it for advertising purposes.
5. Data Transfers Outside the EEA
Some of our subprocessors process data outside the European Economic Area (EEA). In every case we apply the appropriate safeguards required by Chapter V of the GDPR:
OpenAI (USA)
- Standard Contractual Clauses (SCCs) — in line with Commission Implementing Decision (EU) 2021/914
- Data Processing Agreement (DPA) with OpenAI
- Transfer Impact Assessment (TIA) — carried out in accordance with EDPB Recommendations 01/2020
Google (Maps, Firebase, Sign-In) (USA)
- EU-US Data Privacy Framework (DPF) — Google LLC holds an active certification (no. 5780) on the basis of the European Commission's Implementing Decision of 10 July 2023 (C(2023) 4745)
- SCCs as an additional safeguard in case the adequacy decision is invalidated
RevenueCat (USA)
- Standard Contractual Clauses (SCCs)
- Data Processing Agreement (DPA) with RevenueCat Inc.
Copies of the SCCs and DPAs are available upon request — please contact us at hello@pupsy.app.
6. Data Retention Periods
| Data Category | Retention Period |
|---|---|
| Account data | For as long as the account is held + 30 days after deletion (in case of accidental deletion). |
| Subscription and purchase data | 5 years from the end of the calendar year in which the transaction was carried out — in accordance with Article 70 of the Polish Tax Ordinance (tax law obligation). |
| AI and chat logs | For as long as the account is held, and no longer than 3 years from the last activity in the application. |
| Photos and documents | Deleted when the account is deleted. OpenAI may retain submitted data for up to 30 days for security monitoring (abuse monitoring) purposes. |
| FCM token | Until sign-out or account deletion. |
| Location data | Processed transiently — not stored on the server or locally on the device. No retention. |
| Analytics data (Firebase) | A maximum of 26 months from the date of collection. |
Once the retention periods expire, the data is permanently deleted or effectively anonymized.
7. Data Security
We apply appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit — all communication between the application and our servers takes place over HTTPS/TLS.
- Encryption at rest — data stored on Supabase (AWS) servers is encrypted at rest.
- Row Level Security (RLS) — row-level security policies in the database ensure that each user can only access their own data.
- Signed URLs — files (photos, documents) are made available via signed URLs with a limited validity (TTL: 7 days).
- Secure token storage — authentication tokens are stored in the device's secure storage (Secure Storage / Keychain).
- Password hashing — user passwords are stored only in hashed form (bcrypt) and are never stored in plain text.
8. User Rights (GDPR)
Under the General Data Protection Regulation (GDPR), you have the following rights:
1. Right of access (Art. 15 GDPR): You have the right to obtain confirmation from us as to whether we are processing your personal data, and to access that data and information about how it is processed.
2. Right to rectification (Art. 16 GDPR): You have the right to obtain, without undue delay, the rectification of inaccurate personal data and to have incomplete data completed.
3. Right to erasure, the "right to be forgotten" (Art. 17 GDPR): You have the right to request the deletion of your personal data, and we are required to delete it where one of the grounds set out in Article 17(1) GDPR applies.
4. Right to restriction of processing (Art. 18 GDPR): You have the right to request the restriction of processing in the cases set out in Article 18 GDPR (e.g., where you contest the accuracy of the data).
5. Right to data portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON). You also have the right to transmit that data to another controller.
6. Right to object (Art. 21 GDPR): You have the right, at any time, to object to processing based on the legitimate interests of the controller (Article 6(1)(f) GDPR).
7. Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you have the right to withdraw it at any time. The withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.
8. Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.
To exercise the rights set out above, please contact us at: hello@pupsy.app.
9. Automated Decision-Making and Profiling
The Pupsy app uses artificial intelligence (OpenAI GPT-4o models) to analyze pet health symptoms, scan documents and provide an advisory chat.
Responses generated by AI are for informational and educational purposes only. The AI does not make decisions producing legal effects or similarly significantly affecting the user within the meaning of Article 22 GDPR.
In particular:
- The AI does not replace a veterinary consultation and does not constitute a medical diagnosis.
- The user always makes the final decision regarding the health of their pet.
- We do not engage in profiling that produces legal effects or similarly significantly affects the user.
10. Children's Data
The Pupsy app is intended for individuals who are at least 16 years old (in accordance with Article 8 GDPR in conjunction with Article 7(2) of the Polish Personal Data Protection Act of 10 May 2018).
We do not knowingly collect personal data from individuals under 16 without the consent of a parent or legal guardian. Age verification is based on the user's declaration during registration.
11. Location Data
The Pupsy app uses location data solely to search for veterinary clinics near the user.
- Access mode: "while in use" (only when the application is active).
- Storage: location data is NOT saved on the server or stored locally. It is used transiently at the moment of the search and is not logged.
- Sharing: GPS coordinates are sent to the Google Maps/Places API solely in order to display the map and the search results.
- Withdrawal of consent: you may disable location access at any time in your operating system settings. The application will continue to work normally, but the "find a vet near me" feature will not be available.
12. Push Notifications
Transactional (service) notifications
Notifications directly related to the provision of the service — such as reminders for vaccinations, medication doses or upcoming veterinary appointments — are sent on the basis of the contract for the provision of services (Article 6(1)(b) GDPR) and do not require separate marketing consent.
Marketing notifications
Marketing notifications (e.g., information about new features or promotions) are sent only after obtaining the user's separate, explicit consent, in accordance with Article 398 of the Polish Electronic Communications Act (PKE).
Managing notifications
You can disable push notifications at any time:
- In the Pupsy app settings
- In your device's operating system settings (iOS: Settings → Notifications → Pupsy; Android: Settings → Apps → Pupsy → Notifications)
13. Photos and Camera
The Pupsy app may request access to the camera or photo library in the following situations:
- Pet profile photo — adding and updating the profile photo.
- Health gallery — documenting health changes through photos.
- AI analysis — attaching a photo to a symptom description for AI analysis.
- Document scanner — photographing veterinary documents to extract data.
Access principles
- On-demand access — the application requests access to the camera/library only when the user initiates the relevant action. We do not access these in the background.
- System photo picker — for one-off scanning we use the operating system's photo picker, which does not require broad access to the entire library (in line with the Google Play Photo Permission Policy).
- Storage — photos are stored in Supabase Storage on servers in the European Union (Ireland).
14. AI Data Processing
Pupsy uses artificial intelligence models (OpenAI GPT-4o) in three main contexts:
- AI Analysis — analysis of described symptoms and photos for the purpose of an initial summary of the information.
- Document scanner — extraction of data (medications, test results, diagnoses) from photos/scans of veterinary documents.
- AI Chat — an interactive conversation with an AI assistant on pet health.
What data is sent to OpenAI?
- Symptom descriptions entered by the user (up to 2,000 characters)
- Photos attached to queries (symptoms, documents)
- Contextual pet data (species, breed, age, weight, known allergies and conditions) — to the extent necessary to provide an adequate response
- Message history within the active chat session
How OpenAI processes the data
- Under OpenAI's API terms, data submitted via the API is not used to train or fine-tune OpenAI's models.
- Data retention: OpenAI may retain data submitted via the API for up to 30 days solely for security monitoring and abuse detection purposes, after which it is automatically deleted.
- Server location: data is processed on OpenAI servers in the United States.
- Transfer safeguards: Standard Contractual Clauses (SCCs), a Data Processing Agreement (DPA), and a completed Transfer Impact Assessment (TIA).
Compliance with the EU Artificial Intelligence Act (EU AI Act)
In accordance with the requirements of Regulation (EU) 2024/1689 of the European Parliament and of the Council (the Artificial Intelligence Act), we inform you that:
- The user is aware that they are interacting with artificial intelligence and not with a human.
- The content generated is for informational purposes only and does not constitute veterinary advice.
- The AI system used in Pupsy is not classified as a high-risk system within the meaning of Annex III of the AI Act.
Photo processing
Photos sent for AI analysis are not processed biometrically. We do not use facial recognition or any other biometric identification technologies. Photo analysis is limited to pet health symptoms or the contents of veterinary documents.
15. Tracking Technologies and SDKs
The Pupsy app is a native mobile application (Flutter) and does not use cookies in the traditional (browser cookie) sense. We do, however, use the following SDKs:
| SDK / Technology | Purpose | Legal Basis |
|---|---|---|
| Firebase Analytics | App usage analytics (anonymous statistics, events) | User consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy) |
| Firebase Cloud Messaging | Delivery of push notifications | Performance of a contract (Art. 6(1)(b) GDPR) |
| Google Maps SDK | Displaying the map and the location of veterinarians | Consent to location (Art. 6(1)(a) GDPR) |
| RevenueCat SDK | Management of subscriptions and in-app purchases | Performance of a contract (Art. 6(1)(b) GDPR) |
Our principles
- No advertising — we do not display ads and do not use advertising tracking networks.
- No third-party trackers — we do not share data with advertising networks or data brokers.
- Analytics off by default — Firebase Analytics is disabled by default and is only activated after the user has given consent.
16. Changes to the Privacy Policy
We reserve the right to update this Privacy Policy to reflect changes in our data processing practices, as well as legal or technological changes.
We will inform you of any material change:
- Through an in-app notification — we will display a message about the updated policy the next time you open the app.
- By email — to the email address associated with your account.
The current version of the Privacy Policy is always available within the app (Settings → Privacy Policy) and at pupsy.app/privacy.
| Version | Date | Description of Changes |
|---|---|---|
| 1.0 | February 21, 2026 | First version of the Privacy Policy. |
| 1.1 | February 22, 2026 | Added §18 (personal data breaches). Corrected Supabase server location. Added Apple Sign-In to data recipients. Added location data to the retention table. Clarified information on mandatory/optional data and the source of data. Corrected the policy URL. |
17. Contact
For matters relating to this Privacy Policy and the protection of personal data, please contact us at:
TAM LABS SP. Z O.O.
ul. Twarda 18
00-105 Warsaw
Poland
Email: hello@pupsy.app
We will make every effort to respond to your inquiry as quickly as possible, and no later than 14 business days after receiving it. For requests concerning rights under the GDPR (Section 8), the applicable response time is 1 month from receipt of the request (Article 12(3) GDPR).
18. Personal Data Breaches
In the event of a personal data breach within the meaning of Article 4(12) GDPR:
- Notification to the UODO — The Controller will report the breach to the President of the Personal Data Protection Office without undue delay, and no later than 72 hours after becoming aware of the breach, in accordance with Article 33 GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- Notification to users — Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller will, without undue delay, notify the data subjects in accordance with Article 34 GDPR, describing the nature of the breach, its likely consequences and the measures taken to address it.
- Breach register — The Controller maintains an internal register of all personal data breaches, including the circumstances of the breach, its effects and the remedial action taken, in accordance with Article 33(5) GDPR.