Privacy Policy — Whispet
1. Data Controller
The controller of personal data processed in connection with the use of the Whispet mobile application (hereinafter: the "App") is:
CRE8EVE Sp. z o.o.
Address: Tulipanowa 4, 72-003
Dobra, Poland
KRS (National Court Register): 0000912669 | NIP (Tax
ID): 8513262229 | REGON: 389506637
Contact e-mail:
whispet@cre8eve.eu
(hereinafter: the "Controller")
2. Definitions
- App — the Whispet mobile application available for iOS and macOS devices (Android version planned).
- User — a natural person using the App.
- Personal data — any information relating to an identified or identifiable natural person, within the meaning of Art. 4(1) of the GDPR.
- GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
- Processing — an operation or set of operations performed on personal data, within the meaning of Art. 4(2) of the GDPR.
- Free Plan — the free subscription plan with basic functionality.
- Premium Plan — the paid subscription plan (monthly or annual) with extended functionality.
3. Scope of data collected
3.1. No user accounts
The App operates entirely locally — it does not require registration, login, or account creation. We do not collect email addresses, passwords, or any authentication data. All data is stored exclusively on the User's device.
3.2. Pet data
| Data | Purpose | Legal basis |
|---|---|---|
| Pet name | Identification within the App | Art. 6(1)(b) GDPR (contract) |
| Species (dog, cat, other) | Feature customisation | Art. 6(1)(b) GDPR (contract) |
| Breed | Ideal weight calculation, recommendations | Art. 6(1)(b) GDPR (contract) |
| Sex | Pet information | Art. 6(1)(b) GDPR (contract) |
| Date of birth | Age calculation | Art. 6(1)(b) GDPR (contract) |
| Microchip number | Pet identification | Art. 6(1)(b) GDPR (contract) |
| Veterinarian address | Vet contact information | Art. 6(1)(b) GDPR (contract) |
| Neutering/spaying status | Health information | Art. 6(1)(b) GDPR (contract) |
3.3. Photos
| Data | Purpose | Legal basis |
|---|---|---|
| Photo path (local) | Timeline display | Art. 6(1)(b) GDPR (contract) |
| Photo description | Gallery organisation | Art. 6(1)(b) GDPR (contract) |
| Date taken | Chronological sorting | Art. 6(1)(b) GDPR (contract) |
| Favourite status | Favourites feature | Art. 6(1)(b) GDPR (contract) |
| Tags (automatic labels) | Photo categorisation | Art. 6(1)(b) GDPR (contract) |
Note on auto-tagging: Automatic photo labelling is performed using Google ML Kit Image Labeling entirely on the User's device. No image data is transmitted to external servers.
3.4. Pet medical data
| Data | Purpose | Legal basis |
|---|---|---|
| Vaccinations (name, date, expiry date, dose) | Vaccination history tracking | Art. 6(1)(b) GDPR (contract) |
| Medications (name, dose, administration schedule) | Medication reminders | Art. 6(1)(b) GDPR (contract) |
| Weight (value, date, unit) | Weight monitoring | Art. 6(1)(b) GDPR (contract) |
| Allergies/allergens (name, type, symptoms) | Allergy tracking | Art. 6(1)(b) GDPR (contract) |
| Nutrition/food (name, type, rating, supplements) | Diet management | Art. 6(1)(b) GDPR (contract) |
| Veterinary visits (date, clinic, notes) | Visit history | Art. 6(1)(b) GDPR (contract) |
| Medical documents (name, photos/scans) | Document storage | Art. 6(1)(b) GDPR (contract) |
3.5. Event journals
| Data | Purpose | Legal basis |
|---|---|---|
| Journal definition (name, icon, colour, fields) | Event journal structure | Art. 6(1)(b) GDPR (contract) |
| Journal entries (field values, notes, dates) | Health/behavioural event tracking | Art. 6(1)(b) GDPR (contract) |
| Photos attached to entries (local paths) | Visual documentation of events | Art. 6(1)(b) GDPR (contract) |
Event journals allow the User to track recurring events (e.g. epileptic seizures, digestive issues) using user-defined fields (chips/tags, sliders, toggles, numeric fields, time pickers). All data is stored exclusively on the device.
Disclaimer: Medical data and event journal data pertains to animals, not natural persons. The processing of such data under the GDPR relates to it as an element of the service provided to the User.
3.6. QR Pet Card — optional owner contact data
The QR Pet Card feature allows the User to optionally enter their name and phone number to include on the card. This data is not stored in the App or on the device — it is entered temporarily and embedded directly into the generated QR code image. Once the QR Card screen is closed, the entered contact data is discarded. The QR code is generated entirely on the device; no data is transmitted to any server.
3.7. Sharing Moments (Share Cards)
This feature allows the User to create personalised cards with pet photos. The User may choose a template (Photo of the Day, Event, Note), add text (up to 120 characters), a decorative emoji, and a card colour. The card is generated exclusively on the device as a PNG image. The note text and data displayed on the card (pet name, date) are not stored separately — they are used solely for the one-time generation of the image. Sharing is performed via the system share sheet. No data is transmitted to the Controller's servers.
3.8. Technical data
| Data | Purpose | Legal basis |
|---|---|---|
| App version | GDPR consent audit trail | Art. 6(1)(c) GDPR (legal obligation) |
| Consent timestamps | Consent documentation | Art. 6(1)(c) GDPR (legal obligation) |
4. Purposes of processing and legal bases
The Controller processes personal data for the following purposes:
4.1. Performance of a contract (Art. 6(1)(b) GDPR)
- Provision of App services (timeline, gallery, medical data, event journals, reminders)
- Fulfilment of paid subscription plans
4.2. Legal obligation (Art. 6(1)(c) GDPR)
- Maintaining a consent audit trail (timestamp, app version)
- Fulfilment of User rights (Art. 15–22 GDPR)
4.3. Legitimate interest of the Controller (Art. 6(1)(f) GDPR)
- Ensuring the security and stability of the App
- Diagnosing technical issues
5. Data recipients
The App operates on a fully local architecture. The User's personal data is not transmitted to any servers of the Controller. To a limited extent, data may be shared with the following categories of recipients:
| Recipient | Scope of data | Purpose |
|---|---|---|
| Google LLC (ML Kit Image Labeling) | None — processing on device | Automatic photo labelling (AI runs locally, no data is transmitted) |
| Apple Inc. | Transaction data (payments) | In-App Purchase payment processing |
| Google Fonts | Device IP address | Font downloading |
Note on Google ML Kit Image Labeling: Image recognition is performed entirely on the User's device. No image data or analysis results are transmitted to external servers.
Note on payments: The Controller does not have access to the User's payment data (e.g. credit card number). Payments are handled entirely by the Apple App Store.
6. Data transfers outside the European Economic Area (EEA)
In connection with the use of the Google Fonts service, the User's device IP address may be transferred to Google LLC servers in the United States of America for the purpose of downloading fonts.
In the event of a Premium subscription purchase, transaction data is processed by Apple Inc. (USA).
The aforementioned entities ensure an adequate level of data protection based on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-US Data Privacy Framework (to the extent currently in force)
Note: The App does not use any cloud services to store User data. All pet data, photos, medical data, and settings are stored exclusively on the User's device.
7. Data retention period
| Data category | Retention period |
|---|---|
| Pet data | Until deleted by the User |
| Photos | Until deleted by the User from the App |
| Pet medical data | Until deleted by the User |
| Event journals and entries | Until deleted by the User |
| Consent audit trail | 5 years from the date of the last consent change (legal obligation) |
| Technical data | 12 months |
All data is stored exclusively on the User's device. Uninstalling the App permanently deletes all data.
8. User rights
Under the GDPR (Art. 15–22), the User has the following rights:
8.1. Right of access (Art. 15 GDPR)
The User has the right to obtain confirmation as to whether their personal data is being processed, and if so — to access such data and information about the purposes of processing.
8.2. Right to rectification (Art. 16 GDPR)
The User has the right to request the prompt rectification of inaccurate personal data concerning them.
8.3. Right to erasure — "right to be forgotten" (Art. 17 GDPR)
The User has the right to request the erasure of their personal data when:
- the data is no longer necessary for the purposes for which it was collected,
- the User has withdrawn consent and there is no other legal basis for processing,
- the User has objected to processing.
Note: Since the App stores data exclusively on the device, the User can independently delete all data directly in the App or by uninstalling it.
8.4. Right to restriction of processing (Art. 18 GDPR)
The User has the right to request the restriction of data processing in certain cases.
8.5. Right to data portability (Art. 20 GDPR)
The User has the right to receive their data in a structured, commonly used, machine-readable format. The App enables data export in ZIP format containing JSON files (pet profiles, medical records, reminders, settings). The ZIP export does not include photo files — photos are synced separately via iCloud.
8.6. Right to object (Art. 21 GDPR)
The User has the right to object at any time to the processing of data based on the Controller's legitimate interest.
8.7. Right to withdraw consent (Art. 7(3) GDPR)
The User has the right to withdraw consent to data processing at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal.
8.8. Right to lodge a complaint with a supervisory authority
The User has the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO):
- Address: ul. Stawki 2, 00-193 Warsaw, Poland
- Website: https://uodo.gov.pl
How to exercise your rights?
To exercise the above rights, the User may:
- Contact the Controller at the e-mail address: whispet@cre8eve.eu
- Use the data export/deletion features available in the App
The Controller will process the request without undue delay, no later than within 30 days of receiving the request.
9. Profiling and automated decision-making
The App does not engage in profiling or automated decision-making within the meaning of Art. 22 GDPR.
Note on AI: Automatic photo labelling (Google ML Kit Image Labeling) is used solely for photo categorisation and does not constitute User profiling. The analysis is performed entirely on the device.
10. Age requirement
The App is intended for persons aged 16 years or older (Art. 8 GDPR). Persons under 16 may use the App only with the consent of a parent or legal guardian.
The Controller does not knowingly collect personal data from persons under 16 without the consent of their parent/guardian.
11. Data security
The Controller applies appropriate technical and organisational measures to ensure the security of personal data, including:
11.1. Fully local architecture
- All data is stored exclusively on the User's device (local Hive database).
- The App offers optional backup via iCloud Drive — data is stored on the User's personal iCloud account, not on the Controller's servers. The App does not use any Firebase services.
- No user accounts — there is no risk of login credential leakage.
11.2. Encryption
- Data on the device is protected by the operating system's encryption mechanisms (iOS Keychain, macOS Keychain).
11.3. Data minimisation
- The App collects only the data necessary to provide its services.
- Photo analysis (auto-tagging) is performed on the device — data does not leave the device.
11.4. Data integrity protection
- Before each iCloud synchronisation, the App verifies data integrity (corruption guard). Corrupted data is blocked and is not pushed to iCloud, preventing error propagation between devices.
11.5. Local notifications
- The App uses exclusively local notifications (reminders for vaccinations, medications, etc.). It does not use external push notification services.
12. Changes to the Privacy Policy
The Controller reserves the right to make changes to this Privacy Policy.
- The User will be informed of material changes via the App (in-app notification) at least 14 days before they take effect.
- Continued use of the App after changes take effect constitutes acceptance of the new Privacy Policy.
- The current version of the Policy is always available in the App settings.
13. Contact
For matters concerning personal data protection, please contact:
- E-mail: whispet@cre8eve.eu
- Postal address: CRE8EVE Sp. z o.o., Tulipanowa 4, 72-003 Dobra, Poland
14. Legal bases
This Privacy Policy has been prepared in accordance with:
- Regulation (EU) 2016/679 (GDPR) — General Data Protection Regulation
- Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws 2018, item 1000, as amended)
- Act of 18 July 2002 on the Provision of Electronic Services (Journal of Laws 2002, No. 144, item 1204, as amended)
- Act of 16 July 2004 — Telecommunications Law (Journal of Laws 2004, No. 171, item 1800, as amended)
Document generated for Whispet app v1.2