Privacy Policy
Effective date: 13 July 2025
Thank you for choosing Pet2Human (the “App”). Protecting your privacy is fundamental to us. This Privacy Policy explains how Codium App Ideas OG (“we”, “our”, or “us”) collects, uses, discloses and stores your information when you use the App, visit our website (pet2human.app), or otherwise interact with us.
1. Who we are
Controller: Codium App Ideas OG.
Address: Seidlgasse 21, 1030 Vienna, Austria.
Email: office@codium.at.
If you are in the EEA/UK, you may also contact our Data Protection Officer (DPO) at the same address.
2. Scope of this Policy
This Policy applies to all personal data processed in connection with:
- The Pet2Human iOS / Android application
- The Pet2Human website and support channels
- Any related services described herein
3. Data we collect, purposes & lawful bases
| Category | Examples | Purpose | Lawful basis (GDPR Art. 6) |
|---|---|---|---|
| User Content | Original pet photo, AI-generated image | Perform requested image transformation; display history; allow download/share | Performance of contract (b) |
| Identifiers | Anonymous Supabase user ID, App Instance ID, RevenueCat User ID | Account management, entitlement tracking, syncing purchases across devices | Performance of contract (b) |
| Purchase Data | App Store / Play Store receipt, token balance, SKU, price, currency | Fulfil in-app purchases, tax & accounting | Legal obligation (c); Performance of contract (b) |
| Usage Data | Timestamps, features used, error logs (if you opt-in to diagnostics) | Improve and secure the service | Legitimate interest (f) |
| Support Data | Emails or chats with our support team | Investigate issues, respond to requests | Legitimate interest (f) |
We do not purposefully collect or process special categories of personal data (Art. 9 GDPR).
4. How we share your data
We do not sell or rent personal data. We disclose it only to service providers (processors) that help us run the App:
| Provider | Role | Data shared | Location / Safeguard |
|---|---|---|---|
| OpenAI, LLC | AI image generation | Original photo, transformation prompt | USA – Standard Contractual Clauses & OpenAI DPA. Input data retained ≤ 30 days for abuse control, not used for model training. |
| Supabase, Inc. | Database & file storage | All images, metadata, anonymous UID | EU region (Frankfurt) – Standard Contractual Clauses & Supabase DPA |
| RevenueCat, Inc. | Purchase validation & tokens | Transaction receipts, anonymous UID, token entitlements | USA – Standard Contractual Clauses & RevenueCat DPA |
We may also disclose data if required by law, to defend legal claims, or to enforce our Terms.
5. International transfers
Where personal data is transferred outside the EEA/UK, we rely on Standard Contractual Clauses (Art. 46 GDPR) and supplementary measures as recommended by the EDPB.
6. Retention
- Images (original + generated) are kept 30 days by default. If you press “Save” in the gallery, the generated image remains until you delete it manually.
- Account & purchase records are retained for 10 years in accordance with tax laws.
- Back-ups are automatically deleted after 35 days.
When retention periods expire or you request deletion, data is deleted or anonymised within 30 days.
7. Your rights (EEA/UK residents)
You may, at any time:
- Request access to your personal data.
- Request correction of inaccurate data.
- Request erasure (“right to be forgotten”).
- Request restriction of processing.
- Object to processing carried out under legitimate interests.
- Request portability of data you provided.
You can exercise most rights by emailing us. If you believe we have infringed your rights, you can lodge a complaint with your local supervisory authority.
8. Automated decision-making & AI transparency
The App uses AI to generate a stylised human version of your pet. No fully automated decision produces legal or similarly significant effects on you (Art. 22 GDPR). Generated images might differ in accuracy; please verify before sharing.
9. Security measures
- TLS 1.2+ encryption in transit, AES-256 encryption at rest.
- Supabase Storage buckets are private and protected by Row-Level Security.
- Access control based on least privilege.
- Annual third-party penetration testing.
- Incident response plan with 72-hour breach notification window (Art. 33 GDPR).
10. Children’s privacy
The App is not directed to children under 13. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, contact us and we will delete it.
11. Changes to this Policy
We may update this Policy from time to time. We will notify you via an in-app banner or email (if we have your email) at least 14 days before changes take effect. Your continued use of the App after the effective date constitutes acceptance.
12. Contact us
For questions about privacy, please email office@codium.at or write to Codium App Ideas OG, Seidlgasse 21, 1030 Vienna, Austria.
© 2025 Codium App Ideas OG. All rights reserved.