Privacy Policy
Floofy ("the app", "we", "our") is an iOS app that helps owners of cats with chronic conditions log daily health data and share reports with a veterinarian. This policy describes what data we collect, how we use it, who we share it with, and the choices you have.
This policy applies only to the Floofy iOS app and the back-end services that support it. It does not cover the practices of third parties (e.g., Apple, your veterinarian) that you separately interact with.
1. Short version
- Floofy works as a guest, with no account, by default. Nothing you type leaves your device until you choose to sign in.
- If you sign in (Sign in with Apple), we store your pet records on a Supabase database in the United States so you can read them on another device.
- A few features send data off your device to an AI service (Google Gemini, via a Cloudflare Worker proxy we control). Each one is opt-in — it only runs when you actively tap a button. Floofy never sends anything to an AI in the background.
- Auto-Recognize Lab Values sends the image or PDF of a lab report you tap "Auto-Recognize" on. Pro only.
- AI Medical Report Analysis & Follow-up Questions sends the medical record(s) you choose to analyze — including any photos or PDFs you attached, the lab values, your pet's basic profile, and any free-text question you type in the follow-up chat. Every user gets one free analysis; after that it is part of Floofy Pro. The AI's answers are shown on screen only and are never saved to your device or our servers.
- Bilingual vet report translation (EN ↔ Chinese) sends the report text you choose to export when your target language differs from the language your records are in. Available to all users.
- We do not train AI models on your data, and Google does not use this content to train its general models (enterprise API terms).
- We use PostHog to count anonymous product-usage events (taps, screen views). We do not sell data, run ads, or track you across other apps or websites.
- You can sign out at any time. You can also permanently delete your account and all cloud data from Settings → Account → Delete Account.
2. Who we are and how to reach us
Floofy is built and operated by a sole developer. For privacy questions, data-access requests, or deletion requests outside of the in-app flow, contact ccccccara@outlook.com. We aim to respond within 14 days.
3. Data we collect
3.1 Data you give us directly
When you use Floofy as a guest, the following stays only on your device (Apple SwiftData, encrypted by iOS at rest as part of normal iOS data protection):
- Pet profile: name, optional photo, optional birthdate, optional breed, conditions (e.g., CKD, HCM, Senior, Diabetes, Pancreatitis, IBD), optional stage, optional medications, optional intake goals (water ml/day, food g/day) and clinical-threshold overrides.
- Log entries you create: weight, food and water intake, toilet observations, vomiting, breath rate, symptoms, medication completions. Each can include free-text notes and optional photos.
- Medical records you attach: a title, visit date, clinic, free-text notes, lab values (name, value, unit), and optional photos or PDF.
- Reminders: title, time(s), frequency, optional notes.
- App preferences: language preference, units of measurement, quick-log customization, dashboard layout.
When you sign in with Apple at the end of onboarding (or any time later), the same data is also written to our Supabase project so you can use it on another device. We also store:
- Your Supabase user ID (a UUID).
- The email address Apple shares with us. If you chose "Hide My Email," this is an @privaterelay.appleid.com relay address Apple controls.
- Receipts for any Floofy Pro subscription you start (handled by Apple's StoreKit — Floofy does not see your payment-card details).
3.2 Data created automatically
- Photos and PDFs you upload (pet photos, log photos, medical record files) are stored in Supabase Storage buckets (pet-photos, log-photos, vet-docs). Each file lives under a folder named after your Supabase user ID so per-user RLS policies enforce isolation.
- Anonymous product analytics via PostHog (US cloud): events such as "screen viewed: home," "log entry created (type: weight)," approximate iOS version, device model class, app version. Events are tied to a randomly generated install ID. We do not send your pet's name, weight, lab values, photos, or notes to PostHog.
- Crash and diagnostic logs Apple may share with us if you opted in through iOS Settings → Privacy & Security → Analytics & Improvements → Share with App Developers. These are processed under Apple's privacy terms.
3.3 Data we do not collect
- We do not access your contacts, calendar, microphone, or precise location.
- We do not use the iOS Advertising Identifier (IDFA) and do not ask for App Tracking Transparency permission. Floofy does not track you across other apps or websites.
- We do not use Apple HealthKit. Floofy is for cat health, not human health, and so is outside HealthKit's scope.
- We do not use third-party advertising SDKs.
4. How we use your data
We use the data above only for the purposes listed below. We do not repurpose it for advertising, profiling, or sale.
| Purpose | Data used |
|---|---|
| Show your pet's history, trends, and dashboards | Pet profile, log entries, medical records (on your device) |
| Sync your data across your iOS devices when you are signed in | Pet profile, log entries, medical records, reminders, photos, PDFs, app preferences (Supabase) |
| Run the Auto-Recognize Lab Values feature (Pro) | The specific photo or PDF of a lab report you tap "Auto-Recognize" on |
| Run AI Medical Report Analysis & answer your follow-up questions (1 free, then Pro) | The medical record(s) you choose to analyze — attached photos/PDFs, lab values, record title/date/clinic, your pet's basic profile (name, conditions, breed, sex, approximate age/CKD stage), and the free-text questions you type in the follow-up chat. Sent to Google Gemini via our Cloudflare Worker. See §5c. |
| Generate a bilingual vet report you can save to Photos or copy as text | Whatever you select in the report-setup screen. If you choose a target language different from the language your records are in, the selected text is sent to Google Gemini via our Cloudflare Worker for translation. See §5b. |
| Send local push reminders | Your reminder titles and times (sent to iOS, not to our servers) |
| Authenticate you and back up your data when you sign in | Apple ID identifier, Apple-relayed email, Supabase JWT |
| Bill the Floofy Pro subscription | Apple StoreKit transaction (Apple, not Floofy, handles the charge) |
| Detect crashes and product issues, prioritise fixes | PostHog anonymous events, iOS analytics opt-in (if granted) |
| Comply with applicable law (e.g., respond to lawful requests) | Whatever is strictly necessary for the request |
We do not:
- Train AI models on your data.
- Sell, rent, or share your data with data brokers.
- Build a profile of you for advertising.
5. Auto-Recognize Lab Values — what happens to the image you send
This feature is part of the Floofy Pro subscription. It is opt-in: you must explicitly tap "Auto-Recognize Lab Values" on a medical record. When you do:
- Floofy reads the photo(s) or PDF you attached and sends the bytes over HTTPS to a Cloudflare Worker we control (gemini-vision-proxy.<workers-subdomain>.workers.dev). The Worker uses your Supabase access token to confirm you are an authenticated Floofy user and that you have an active Pro subscription.
- The Worker forwards the image to Google Gemini 2.5 Flash with a prompt asking it to extract structured lab values (lab name, value, unit, date, clinic).
- Google returns a JSON response. The Worker passes it back to your device. Floofy parses it and shows you the extracted values so you can confirm or edit them before saving.
Where Google's role ends. Google processes the request under its enterprise API terms. Per those terms, Google does not use Gemini API content to train its general models. We do not retain a copy of the image on our Worker (the Worker is stateless and does not log image bytes), and we do not store the raw Gemini response after the user closes the medical-record editor without saving.
You can use the manual lab-row editor at any time and never use Auto-Recognize. Floofy does not require this feature to function.
5b. Bilingual Vet Report Translation — what happens to the text you send
This feature is available to all users (free and Pro) but only runs when you actively initiate it. When you open the Export Vet Report flow and choose a target language different from the language your records are entered in (e.g., your records are in Chinese and you choose to export in English), the following happens:
- Floofy gathers only the report content you have opted to include in the export (you pick the date range and which sections — pet profile, log entries, medical records, etc.) and sends those strings over HTTPS to a Cloudflare Worker we control (llm-proxy.<workers-subdomain>.workers.dev). The Worker uses your Supabase access token to confirm you are an authenticated Floofy user — translation is gated behind sign-in to prevent abuse.
- The Worker forwards the text to Google Gemini (currently gemini-3.1-flash-lite) with a fixed system prompt instructing it to act as a medical translation assistant, preserve terminology and units, and return only the translated text in a structured JSON array.
- Google returns the translated text. The Worker passes it back to your device. Floofy renders the translated report — either as an image you can save to Photos or as text you can copy.
What is sent: only the report content you selected for export. This may include pet name, dates, lab values, free-text notes, and medical record contents if those sections are included. What is NOT sent: any record you did not include in the export, your photos, your PDFs, your reminders, your app preferences, or any other in-app data.
Where Google's role ends. Same enterprise API terms as §5 above — Google does not use Gemini API content to train its general models. Our Worker is stateless and does not log request bodies. The translated output is held only in memory on your device for the lifetime of the export view; closing the export view discards it.
You can always export the report in its original language to skip translation entirely. The "no translation" path never sends data to Google.
5c. AI Medical Report Analysis & Follow-up Questions — what happens to what you send
Floofy can read one or more of your medical records and produce a plain-language summary ("AI Medical Report Analysis"), and you can then ask free-text follow-up questions about that report in a chat. Every user gets one free analysis; after that the feature is part of the Floofy Pro subscription. It is opt-in — nothing is analyzed until you explicitly tap "Analyze" on a record (or a set of records), and no question is sent until you type it and tap send.
When you run an analysis or ask a follow-up question:
- Floofy gathers the record(s) you selected and sends them over HTTPS to the same Cloudflare Worker that handles translation (llm-proxy.<workers-subdomain>.workers.dev). The Worker uses your Supabase access token to confirm you are an authenticated Floofy user — the feature is gated behind sign-in to prevent abuse and to enforce daily limits.
- The request includes: the photos and/or PDF you attached to the record(s) (images are downscaled before sending); the lab values Floofy holds for those records; the record title, visit date, and clinic; your pet's basic profile (name, conditions such as CKD/HCM, optional breed, sex, neuter status, and approximate age or CKD stage); the vet's own narrative if you entered one; and any owner notes on the record. For a follow-up question, the request also includes your typed question, the prior analysis the question is about, and up to the last few question/answer turns from the current chat so the assistant can follow the thread.
- The Worker forwards this to Google Gemini (currently gemini-3.1-flash-lite) with a fixed system prompt instructing it to explain the report in plain language and not to give its own diagnosis, treatment, medication, dose, or diet advice. Google returns the answer; the Worker passes it back to your device.
What is NOT sent: any record you did not select for analysis, your other pets, your reminders, your daily log entries, your app preferences, your account email, or your payment details.
Storage. This is the strictest part of the feature: the AI's analysis cards and follow-up answers are session-only. They live in memory while the app is open and are never written to disk and never uploaded to Supabase. Close the app and they are gone; the next analysis starts fresh from your stored records. Our Worker is stateless and does not log request bodies.
Where Google's role ends. Same enterprise API terms as §5 and §5b — Google does not use Gemini API content to train its general models. The assistant is informational only; the app shows a standing reminder in the analysis and chat that, for diagnosis or treatment, you should check with your veterinarian.
You never have to use this feature. Your records, summaries, and trends remain fully available without it.
6. Who we share data with
We share data only with the service providers listed below, each of which is bound by its own privacy and security commitments. We do not sell or rent your data.
| Provider | Role | What they receive | Location |
|---|---|---|---|
| Apple | Sign in with Apple, push notifications, App Store / StoreKit billing | Apple ID identifier (per-app, opaque), relayed email, subscription receipts, push notification tokens | Per Apple's privacy policy |
| Supabase (Supabase, Inc.) | Database, file storage, authentication backend | Encrypted record contents you create when signed in; uploaded files; user ID; email | United States (West region) |
| Cloudflare | Worker proxies for (a) Auto-Recognize Lab Values OCR, (b) AI Medical Report Analysis & follow-up Q&A, (c) bilingual vet report translation, (d) anonymous PostHog analytics forwarding, (e) account deletion (Apple revoke + Postgres cascade) | Authorization header; the specific image you submit for OCR; the record contents, pet profile, and free-text questions you submit for analysis; the specific report text you submit for translation; the PostHog event payload; the account-deletion request | United States edge (request-local, not stored) |
| Google (Google LLC) | Gemini API in two roles — Vision (gemini-2.5-flash) for Auto-Recognize Lab Values OCR, and text/vision (gemini-3.1-flash-lite) for AI Medical Report Analysis, follow-up Q&A, and bilingual vet report translation | The image you submit for Auto-Recognize; the record contents (including attached photos/PDFs), pet profile, and follow-up questions you submit for analysis; the report text you submit for translation; and the corresponding prompts | Per Google's Gemini API terms |
| PostHog (PostHog Inc.) | Anonymous product analytics | Anonymous install ID, anonymous event names, app version, device model class, iOS version | US cloud (us.i.posthog.com) |
We will share your data outside these providers only if a law enforcement agency or court order in a jurisdiction we operate in compels us to, and only to the extent required.
7. International transfers
Your data is processed in the United States (Supabase West US region and PostHog US cloud). If you use Floofy from outside the United States, by signing in you understand that your data is transferred to and processed in the U.S. We rely on the lawful transfer mechanisms each sub-processor provides (e.g., Standard Contractual Clauses for users in the EEA, UK IDTA for the UK).
8. How long we keep your data
| Type | Retention |
|---|---|
| Guest-mode data on your device | Until you delete the app or wipe iOS. Floofy never uploads it. |
| AI Medical Report Analysis cards & follow-up answers | Session-only — held in memory while the app is open; never written to disk or uploaded. Gone when you close the app. |
| Signed-in data in Supabase | Until you delete your account (Settings → Account → Delete Account). |
| Photos and PDFs in Supabase Storage | Same lifetime as the row that references them; orphaned files are purged within 30 days. |
| PostHog anonymous events | Up to 7 years (PostHog default), but they are not linked to your identity. |
| Apple sign-in audit logs in Supabase Auth | Up to 90 days, then purged by Supabase. |
| Cloudflare request logs | Up to 30 days of metadata (timestamp, status code) — no image bytes. |
When you delete your account, we mark all of your rows for deletion immediately and purge them from primary and backup storage within 30 days. Anonymized analytics that cannot be tied back to you are not deleted because they cannot be located.
9. Your choices and rights
You can exercise the following choices directly from Floofy:
- Stay a guest forever. Don't sign in. Nothing leaves your device.
- Sign out. Settings → Account → Sign out. Your cloud copy is preserved; the device returns to guest mode.
- Delete your account. Settings → Account → Delete Account. This permanently deletes all your cloud data within 30 days, signs you out, and wipes the local copy on the current device. The action cannot be undone.
- Manage your Pro subscription. Settings → Manage Subscription deep-links to iOS Settings → Apple ID → Subscriptions. Cancelling stops future charges; current data is unaffected.
- Revoke camera or photo permissions. iOS Settings → Floofy → Camera / Photos. The app continues to work without them; photo features are simply unavailable.
- Turn off iOS analytics sharing. iOS Settings → Privacy & Security → Analytics & Improvements.
- Opt out of product analytics. Floofy is configured so PostHog events do not include identifiers that map back to you. If you would like PostHog disabled entirely on your install, email ccccccara@outlook.com and we will provide a debug build with telemetry compiled out.
Depending on where you live, you may have additional rights:
- EU/EEA, UK, Switzerland (GDPR/UK GDPR): access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with your supervisory authority. Our lawful basis is your consent for analytics, and the necessity of performing the service you asked us for (the app itself) for everything else. Floofy has no establishment in the EU/UK and no EU representative; for the moment please contact ccccccara@outlook.com.
- California (CCPA/CPRA): right to know, delete, correct, and not be discriminated against for exercising rights. Floofy does not sell or share personal information as defined by CCPA.
- Mainland China (PIPL): access, correction, deletion, copy, and withdrawal of consent. Cross-border transfer of your data outside mainland China is necessary to provide cloud backup. By choosing to sign in, you consent to that transfer. You may continue to use Floofy entirely in guest mode without it.
To exercise any right, contact ccccccara@outlook.com. We may ask you to verify control of your Apple ID before acting on requests that involve cloud data.
10. Children
Floofy is not directed to children under 13 (or the equivalent minimum age in your country, e.g., 16 in some EU member states). The App Store age rating is 4+ because the content is benign, but the data-entry workflow is intended for adult caregivers of cats. We do not knowingly collect personal information from children. If you believe a child has provided data to Floofy, contact ccccccara@outlook.com and we will delete it.
11. Security
- All network traffic uses HTTPS (TLS 1.2+). iOS App Transport Security is left at the default; we do not exempt any domain.
- Database access is gated by Supabase Row Level Security policies that scope every row to its owner's user ID.
- Files are stored in Supabase Storage buckets whose RLS policies require the first path segment to equal your Supabase user ID; uploads to other paths are rejected by the server.
- Sign in with Apple identifiers (auth.users.id) are stored as opaque UUIDs. Apple-relayed email aliases are stored as you provide them.
- We do not store passwords. Floofy does not use any password-based auth.
- The Floofy app uses Apple Keychain for session storage via the official Supabase Swift SDK.
No system is perfectly secure. We commit to telling affected users without undue delay if we become aware of a breach that affects their data, as required by applicable law.
12. Data-breach notification
If we discover a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority where required and notify you directly, by email or in-app, within 72 hours of becoming aware.
13. Changes to this policy
We will revise this policy when the app changes in a way that affects what we collect or how we use it. Material changes will be announced in-app and on this page at least 14 days before they take effect. The "Last updated" date at the top is the source of truth for the current version.
14. Disclaimer
Floofy is informational only. It does not diagnose, treat, or replace veterinary advice. Always consult your veterinarian before changing your cat's diet, medication, or care plan. See the in-app Medical Disclaimers screen for the full text.