Privacy Policy – PetiFit
Data Controller: PetiFit Sp. z o.o., ul. Dworcowa 6H, 12-140 Świętajno, Poland. Contact: contact@petifit.com.
Effective as of October 15, 2025 (version: 3.0).
1. What is this policy?
This explains how PetiFit Sp. z o.o. processes personal data of users of the PetiFit mobile application and the petifit.com website, in line with the GDPR (EU Regulation 2016/679).
2. Data we collect
a) Account & sign-in
- E-mail address and password (stored as a hash).
- Apple / Google Sign-In (enabled): external ID and e-mail. We do not receive your Apple/Google passwords.
b) Pet data
- Species, breed (including “unknown/mixed”), name, gender, birth/adoption date, weight, allergies, diseases, microchip/tattoo, color and all other information added by a user.
- Photos you upload.
c) Health & nutrition
- Visits, vaccinations, medications, symptoms, measurements (e.g., weight, temperature), notes.
- Meals, pet food, calorie & macro targets, food photos, goals (e.g., steps).
d) Media (photos)
You may upload specifically selected photos from your gallery or take a picture directly within the App. PetiFit only accesses the camera while taking a photo – it does not have continuous access to your camera or the entire photo library.
e) Technical data & location
- Logs and diagnostics (app version, OS, error timestamps).
- Push notification token.
- Location—only after permission (e.g., route maps, “find a clinic”).
- Cookies and similar technologies on the Website (see “Cookies”).
f) Health integrations (future)
Apple Health (HealthKit) sync is planned. Before enabling, a consent screen will specify the exact scope. HealthKit data are used solely to provide app features and not for marketing.
3. Why we process data
| Purpose | Legal basis (GDPR) |
|---|---|
| Create and manage your account | Art. 6(1)(b) – contract |
| Apple/Google Sign-In | Art. 6(1)(b) |
| Store pet and health records | Art. 6(1)(b) |
| Send push notifications | Art. 6(1)(f) – legitimate interest (service notifications) |
| Analyze photos (OCR/AI), e.g., document scans | Art. 6(1)(b); if an external AI provider is involved – Art. 6(1)(a) (consent) |
| Location features (routes, clinics) | Art. 6(1)(a) – consent |
| Planned Apple Health (HealthKit) sync | Art. 6(1)(a) – consent |
| Improve the app and debug issues | Art. 6(1)(f) |
| Legal obligations (e.g., accounting) | Art. 6(1)(c) |
AI data processing
Some features (e.g., recognizing text from health booklet photos, symptom analysis, nutrition recommendations) use AI models, including OpenAI services. Data sent for analysis (e.g., photos, text) are processed solely to perform the requested function and transmitted over encrypted channels (TLS).
4. How long we keep data
- Account data—while your account is active and up to 6 months after deletion.
- Pet & health records—until you delete them or together with the account.
- Technical logs—typically up to 12 months.
- Consent records—until withdrawn (and up to 12 months for evidential purposes).
- Accounting records—as required by law (typically up to 5 years).
- AI training data — selected and encrypted pet-related data may be stored and processed to improve our AI models. These data remain protected and are not accessible in a form that allows direct identification of the User. Datasets are securely stored within infrastructure controlled by PetiFit Sp. z o.o. and are periodically reviewed to remove outdated or unnecessary information.
5. Where and how we store data
- Currently: a secure local server controlled by PetiFit Sp. z o.o.
- Planned: migration to a company-owned EU/EEA cloud (we will notify users and update this policy).
- Security: HTTPS/TLS, password hashing, access control, admin event logging.
6. Who we share data with
We share data only when necessary and only with:
- IT providers (hosting/cloud) under data processing agreements (Art. 28 GDPR),
- Apple/Google for authentication according to their policies,
- OpenAI or other AI providers — when using features that rely on external AI technology (e.g., image or text analysis). Data are shared automatically and only to the extent necessary for that function. By accepting these Terms, you consent to such processing, as described herein,
- Public authorities — when required by law.
We do not sell personal data. If data are transferred outside the EEA, we apply appropriate safeguards (such as Standard Contractual Clauses under Art. 46 GDPR).
Note: Data shared with external AI providers are encrypted, processed securely, and used only for the requested function. They are not stored or reused by those providers for their own purposes.
7. Your rights
You have the right to access, rectify, erase, restrict processing, data portability, object, and withdraw consent (without affecting prior lawful processing). Contact: contact@petifit.com. We reply within 30 days.
You may lodge a complaint with a supervisory authority. In Poland: President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.
8. Children
The app is intended for users aged 16+. We do not knowingly collect data from children without parental consent.
9. Cookies and similar technologies (Website)
We use essential cookies. Analytics/marketing cookies operate only with your consent via a cookie banner. If we embed Apple/Google sign-in elements, those providers may use their own identification mechanisms under their policies.
10. Policy updates
As features evolve (e.g., cloud, Apple Health), we may update this policy. The version and date appear at the top. Material changes will be notified in the app and/or on the Website.
11. AI Model Training
To improve the accuracy of analysis and the quality of health and nutrition recommendations, PetiFit may use data generated in the app to train its own AI models. Data used for training are encrypted. Training is performed solely within infrastructure controlled by PetiFit Sp. z o.o. and aims to enhance app features (e.g., symptom detection, food recommendations, behavior analysis).
The legal basis is user consent (Art. 6(1)(a) GDPR). You can withdraw consent anytime in the app settings; this does not affect the lawfulness of processing before withdrawal.