Privacy Policy
Floofy ("the app", "we", "our") is an iOS app that helps owners of cats with chronic conditions log daily health data and share reports with a veterinarian. This policy describes what data we collect, how we use it, who we share it with, and the choices you have.
This policy applies only to the Floofy iOS app and the back-end services that support it. It does not cover the practices of third parties (e.g., Apple, your veterinarian) that you separately interact with.
1. Short version
- Floofy works as a guest, with no account, by default. Nothing you type leaves your device until you choose to sign in.
- If you sign in (Sign in with Apple), we store your pet records on a Supabase database in the United States so you can read them on another device.
- The only feature that sends an image off your device to an AI service is Auto-Recognize Lab Values. It is opt-in, available only to Pro subscribers, and runs on Google Gemini via a Cloudflare Worker proxy.
- We use PostHog to count anonymous product-usage events (taps, screen views). We do not sell data, run ads, or track you across other apps or websites.
- You can sign out at any time. You can also permanently delete your account and all cloud data from Settings → Account → Delete Account.
2. Who we are and how to reach us
Floofy is built and operated by a sole developer. For privacy questions, data-access requests, or deletion requests outside of the in-app flow, contact ccccccara@outlook.com. We aim to respond within 14 days.
3. Data we collect
3.1 Data you give us directly
When you use Floofy as a guest, the following stays only on your device (Apple SwiftData, encrypted by iOS at rest as part of normal iOS data protection):
- Pet profile: name, optional photo, optional birthdate, optional breed, conditions (e.g., CKD, HCM, Senior, Diabetes, Pancreatitis, IBD), optional stage, optional medications, optional intake goals (water ml/day, food g/day) and clinical-threshold overrides.
- Log entries you create: weight, food and water intake, toilet observations, vomiting, breath rate, symptoms, medication completions. Each can include free-text notes and optional photos.
- Medical records you attach: a title, visit date, clinic, free-text notes, lab values (name, value, unit), and optional photos or PDF.
- Reminders: title, time(s), frequency, optional notes.
- App preferences: language preference, units of measurement, quick-log customization, dashboard layout.
When you sign in with Apple at the end of onboarding (or any time later), the same data is also written to our Supabase project so you can use it on another device. We also store:
- Your Supabase user ID (a UUID).
- The email address Apple shares with us. If you chose "Hide My Email," this is an @privaterelay.appleid.com relay address Apple controls.
- Receipts for any Floofy Pro subscription you start (handled by Apple's StoreKit; Floofy does not see your payment-card details).
3.2 Data created automatically
- Photos and PDFs you upload (pet photos, log photos, medical record files) are stored in Supabase Storage buckets (pet-photos, log-photos, vet-docs). Each file lives under a folder named after your Supabase user ID so per-user RLS policies enforce isolation.
- Anonymous product analytics via PostHog (US cloud): events such as "screen viewed: home," "log entry created (type: weight)," approximate iOS version, device model class, app version. Events are tied to a randomly generated install ID. We do not send your pet's name, weight, lab values, photos, or notes to PostHog.
- Crash and diagnostic logs Apple may share with us if you opted in through iOS Settings → Privacy & Security → Analytics & Improvements → Share with App Developers. These are processed under Apple's privacy terms.
3.3 Data we do not collect
- We do not access your contacts, calendar, microphone, or precise location.
- We do not use the iOS Advertising Identifier (IDFA) and do not ask for App Tracking Transparency permission. Floofy does not track you across other apps or websites.
- We do not use Apple HealthKit. Floofy is for cat health, not human health, and so is outside HealthKit's scope.
- We do not use third-party advertising SDKs.
4. How we use your data
We use the data above only for the purposes listed below. We do not repurpose it for advertising, profiling, or sale.
| Purpose | Data used |
|---|---|
| Show your pet's history, trends, and dashboards | Pet profile, log entries, medical records (on your device) |
| Sync your data across your iOS devices when you are signed in | Pet profile, log entries, medical records, reminders, photos, PDFs, app preferences (Supabase) |
| Run the Auto-Recognize Lab Values feature (Pro) | The specific photo or PDF of a lab report you tap "Auto-Recognize" on |
| Generate a bilingual vet report you can save to Photos or copy as text | Whatever you select in the report-setup screen |
| Send local push reminders | Your reminder titles and times (sent to iOS, not to our servers) |
| Authenticate you and back up your data when you sign in | Apple ID identifier, Apple-relayed email, Supabase JWT |
| Bill the Floofy Pro subscription | Apple StoreKit transaction (Apple, not Floofy, handles the charge) |
| Detect crashes and product issues, prioritise fixes | PostHog anonymous events, iOS analytics opt-in (if granted) |
| Comply with applicable law (e.g., respond to lawful requests) | Whatever is strictly necessary for the request |
We do not:
- Train AI models on your data.
- Sell, rent, or share your data with data brokers.
- Build a profile of you for advertising.
5. Auto-Recognize Lab Values — what happens to the image you send
This feature is part of the Floofy Pro subscription. It is opt-in: you must explicitly tap "Auto-Recognize Lab Values" on a medical record. When you do:
- Floofy reads the photo(s) or PDF you attached and sends the bytes over HTTPS to a Cloudflare Worker we control (gemini-vision-proxy.<workers-subdomain>.workers.dev). The Worker uses your Supabase access token to confirm you are an authenticated Floofy user and that you have an active Pro subscription.
- The Worker forwards the image to Google Gemini 2.5 Flash with a prompt asking it to extract structured lab values (lab name, value, unit, date, clinic).
- Google returns a JSON response. The Worker passes it back to your device. Floofy parses it and shows you the extracted values so you can confirm or edit them before saving.
Where Google's role ends. Google processes the request under its enterprise API terms. Per those terms, Google does not use Gemini API content to train its general models. We do not retain a copy of the image on our Worker (the Worker is stateless and does not log image bytes), and we do not store the raw Gemini response after the user closes the medical-record editor without saving.
You can use the manual lab-row editor at any time and never use Auto-Recognize. Floofy does not require this feature to function.
6. Who we share data with
We share data only with the service providers listed below, each of which is bound by its own privacy and security commitments. We do not sell or rent your data.
| Provider | Role | What they receive | Location |
|---|---|---|---|
| Apple | Sign in with Apple, push notifications, App Store / StoreKit billing | Apple ID identifier (per-app, opaque), relayed email, subscription receipts, push notification tokens | Per Apple's privacy policy |
| Supabase (Supabase, Inc.) | Database, file storage, authentication backend | Encrypted record contents you create when signed in; uploaded files; user ID; email | United States (West region) |
| Cloudflare | Worker proxy for the Auto-Recognize Lab Values feature | Authorization header, the specific image you submit for OCR, the prompt | United States edge (request-local, not stored) |
| Google (Google LLC) | Gemini Vision API for OCR | The image you submit for Auto-Recognize, the prompt | Per Google's Gemini API terms |
| PostHog (PostHog Inc.) | Anonymous product analytics | Anonymous install ID, anonymous event names, app version, device model class, iOS version | US cloud (us.i.posthog.com) |
We will share your data outside these providers only if a law enforcement agency or court order in a jurisdiction we operate in compels us to, and only to the extent required.
7. International transfers
Your data is processed in the United States (Supabase West US region and PostHog US cloud). If you use Floofy from outside the United States, by signing in you understand that your data is transferred to and processed in the U.S. We rely on the lawful transfer mechanisms each sub-processor provides (e.g., Standard Contractual Clauses for users in the EEA, UK IDTA for the UK).
8. How long we keep your data
| Type | Retention |
|---|---|
| Guest-mode data on your device | Until you delete the app or wipe iOS. Floofy never uploads it. |
| Signed-in data in Supabase | Until you delete your account (Settings → Account → Delete Account). |
| Photos and PDFs in Supabase Storage | Same lifetime as the row that references them; orphaned files are purged within 30 days. |
| PostHog anonymous events | Up to 7 years (PostHog default), but they are not linked to your identity. |
| Apple sign-in audit logs in Supabase Auth | Up to 90 days, then purged by Supabase. |
| Cloudflare request logs | Up to 30 days of metadata (timestamp, status code) — no image bytes. |
When you delete your account, we mark all of your rows for deletion immediately and purge them from primary and backup storage within 30 days. Anonymized analytics that cannot be tied back to you are not deleted because they cannot be located.
9. Your choices and rights
You can exercise the following choices directly from Floofy:
- Stay a guest forever. Don't sign in. Nothing leaves your device.
- Sign out. Settings → Account → Sign out. Your cloud copy is preserved; the device returns to guest mode.
- Delete your account. Settings → Account → Delete Account. This permanently deletes all your cloud data within 30 days, signs you out, and wipes the local copy on the current device. The action cannot be undone.
- Manage your Pro subscription. Settings → Manage Subscription deep-links to iOS Settings → Apple ID → Subscriptions. Cancelling stops future charges; current data is unaffected.
- Revoke camera or photo permissions. iOS Settings → Floofy → Camera / Photos. The app continues to work without them; photo features are simply unavailable.
- Turn off iOS analytics sharing. iOS Settings → Privacy & Security → Analytics & Improvements.
- Opt out of product analytics. Floofy is configured so PostHog events do not include identifiers that map back to you. If you would like PostHog disabled entirely on your install, email ccccccara@outlook.com and we will provide a debug build with telemetry compiled out.
Depending on where you live, you may have additional rights:
- EU/EEA, UK, Switzerland (GDPR/UK GDPR): access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with your supervisory authority. Our lawful basis is your consent for analytics, and the necessity of performing the service you asked us for (the app itself) for everything else. Floofy has no establishment in the EU/UK and no EU representative; for the moment please contact ccccccara@outlook.com.
- California (CCPA/CPRA): right to know, delete, correct, and not be discriminated against for exercising rights. Floofy does not sell or share personal information as defined by CCPA.
- Mainland China (PIPL): access, correction, deletion, copy, and withdrawal of consent. Cross-border transfer of your data outside mainland China is necessary to provide cloud backup. By choosing to sign in, you consent to that transfer. You may continue to use Floofy entirely in guest mode without it.
To exercise any right, contact ccccccara@outlook.com. We may ask you to verify control of your Apple ID before acting on requests that involve cloud data.
10. Children
Floofy is not directed to children under 13 (or the equivalent minimum age in your country, e.g., 16 in some EU member states). The App Store age rating is 4+ because the content is benign, but the data-entry workflow is intended for adult caregivers of cats. We do not knowingly collect personal information from children. If you believe a child has provided data to Floofy, contact ccccccara@outlook.com and we will delete it.
11. Security
- All network traffic uses HTTPS (TLS 1.2+). iOS App Transport Security is left at the default; we do not exempt any domain.
- Database access is gated by Supabase Row Level Security policies that scope every row to its owner's user ID.
- Files are stored in Supabase Storage buckets whose RLS policies require the first path segment to equal your Supabase user ID; uploads to other paths are rejected by the server.
- Sign in with Apple identifiers (auth.users.id) are stored as opaque UUIDs. Apple-relayed email aliases are stored as you provide them.
- We do not store passwords. Floofy does not use any password-based auth.
- The Floofy app uses Apple Keychain for session storage via the official Supabase Swift SDK.
No system is perfectly secure. We commit to telling affected users without undue delay if we become aware of a breach that affects their data, as required by applicable law.
12. Data-breach notification
If we discover a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority where required and notify you directly, by email or in-app, within 72 hours of becoming aware.
13. Changes to this policy
We will revise this policy when the app changes in a way that affects what we collect or how we use it. Material changes will be announced in-app and on this page at least 14 days before they take effect. The "Last updated" date at the top is the source of truth for the current version.
14. Disclaimer
Floofy is informational only. It does not diagnose, treat, or replace veterinary advice. Always consult your veterinarian before changing your cat's diet, medication, or care plan. See the in-app Medical Disclaimers screen for the full text.