Privacy Policy

Effective date: March 28, 2026 · Last updated: March 28, 2026

1. Introduction

Pet Medly ("we," "us," or "our") operates the Petmedly mobile application (the "App") and related backend services (collectively, the "Service"). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Service.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws worldwide.

Please read this policy carefully. By using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

The data controller responsible for your personal data is:

Pet Medly

Email: privacy@petmedly.app

3. Data We Collect

Petmedly is designed with a local-first architecture. You can use the App fully without creating an account, in which case all data stays exclusively on your device. We only collect personal data on our servers when you voluntarily create an account and enable cloud synchronisation.

3.1 Data Stored Locally on Your Device Only

The following data is stored on your device and is never sent to our servers unless you explicitly enable cloud sync:

  • Pet profiles: name, species, breed, weight, and photos.
  • Medication records: medication name, dosage, frequency, times of day, start and end dates, and notes.
  • Dose logs: scheduled time, administration status, logged time, and notes.
  • App preferences: sync toggle state and last synchronisation timestamp.

Pet photos are stored as image files in the app's private storage directory. They are not uploaded to our servers even when cloud sync is enabled.

3.2 Data Collected When You Create an Account

If you choose to create an account, we collect:

  • Email address: used as your unique account identifier and for important account-related communications.
  • Password: we never store your password in plain text. It is hashed using Argon2id (a memory-hard hashing algorithm) before storage.

3.3 Data Synced When Cloud Sync Is Enabled

If you create an account and enable the "Sync Data to Cloud" toggle, the following data is transmitted to and stored on our servers:

  • Pet profiles (name, species, breed, weight — excluding photos).
  • Medication records (name, dosage, frequency, schedule, notes).
  • Dose logs (times, status, notes).

3.4 Data Collected Automatically (Server-Side)

When you interact with our servers (logging in, syncing data), we automatically collect:

  • IP address: for security monitoring, rate limiting, and abuse prevention.
  • User-Agent string: information about your device and app version, for security logging.
  • Timestamps: of authentication events and sync operations.

This data is recorded in server-side security logs and is used exclusively for security and operational purposes.

3.5 Data We Do NOT Collect

We want to be explicit about what we do not collect:

  • Real names, phone numbers, or physical addresses.
  • Location or GPS data.
  • Device identifiers, advertising IDs, or fingerprints.
  • Usage analytics or behavioural tracking data.
  • Cookies (the App does not use a web browser or cookies).
  • Payment or financial information.
  • Contacts, calendar, or other data from your device.

4. Legal Bases for Processing (GDPR)

Under the General Data Protection Regulation, we process your personal data based on the following legal grounds:

Processing Activity | Legal Basis
Account creation and authentication | Consent (Art. 6(1)(a)) — you voluntarily choose to create an account
Cloud data synchronisation | Consent (Art. 6(1)(a)) — you explicitly enable the sync toggle
Security logging (IP, User-Agent) | Legitimate interest (Art. 6(1)(f)) — protecting the Service and users from abuse, fraud, and unauthorised access
Providing and maintaining the Service | Contract performance (Art. 6(1)(b)) — necessary to deliver the Service you requested

You may withdraw your consent at any time by disabling cloud sync or deleting your account. Withdrawal of consent does not affect the lawfulness of processing performed before the withdrawal.

5. How We Use Your Data

We use your personal data for the following purposes only:

  • Account management: to create and manage your user account, authenticate you, and issue secure session tokens.
  • Cloud synchronisation: to store your pet, medication, and dose log data on our servers so you can access it across devices.
  • Security and abuse prevention: to detect and prevent unauthorised access, brute-force attacks, and other malicious activity through rate limiting, account lockout, and security logging.
  • Service operation: to monitor server health, diagnose technical issues, and ensure the Service functions reliably.

We do not use your data for advertising, profiling, automated decision-making, or any purpose other than those listed above.

6. Data Storage and Security

6.1 Where Your Data Is Stored

  • On your device: all app data is stored in a private SQLite database and secure storage within the app's sandboxed directory.
  • On our servers: if you enable cloud sync, your data is stored in a PostgreSQL database on servers located in the European Union.

6.2 Security Measures

We implement the following technical and organisational measures to protect your data:

  • Password hashing: Argon2id with memory-hard parameters, ensuring passwords cannot be reversed even if the database is compromised.
  • Encrypted connections: all data in transit is protected by TLS/HTTPS encryption.
  • Token security: short-lived JWT access tokens with rotating refresh tokens. Refresh tokens are stored as SHA-256 hashes on the server.
  • Rate limiting: configurable rate limits on authentication and API endpoints to prevent brute-force and denial-of-service attacks.
  • Account lockout: automatic temporary lockout after repeated failed login attempts.
  • Encrypted server statistics: aggregate operational data is encrypted with AES-256-GCM at rest.
  • Secure headers: HTTP security headers (Helmet) to mitigate common web vulnerabilities.
  • Database access: the PostgreSQL database is not exposed to the public internet; only the application server can connect to it.

6.3 Data Retention

  • Account data: retained for as long as your account exists. When you delete your account, all associated data is permanently removed from our servers.
  • Security logs: retained for up to 90 days for security analysis and incident response, then automatically purged.
  • Local data: remains on your device until you delete it within the app or uninstall the app. We have no access to or control over locally stored data.

7. Data Sharing and Third Parties

We do not sell, rent, trade, or share your personal data with any third parties.

Specifically:

  • We do not use third-party analytics services.
  • We do not use third-party advertising networks.
  • We do not use third-party crash reporting tools.
  • We do not integrate with social media platforms.
  • We do not use third-party data processors for your personal data.

The only scenario in which we may disclose your data is if we are legally compelled to do so by a court order or law enforcement request under applicable law. In such cases, we will notify you to the extent legally permitted.

8. International Data Transfers

Our servers are located in the European Union. If you access the Service from outside the EU, your data will be transferred to and stored in the EU.

The EU provides a high level of data protection under the GDPR. For users in countries with adequacy decisions from the European Commission, this transfer is fully compliant. For users in other jurisdictions, the transfer is based on your explicit consent when you create an account and enable sync.

9. Your Rights Under the GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights regarding your personal data:

  • Right of access (Art. 15): you have the right to obtain confirmation of whether we process your personal data and to request a copy of that data.
  • Right to rectification (Art. 16): you have the right to request correction of inaccurate personal data. You can also update your pet and medication records directly in the app.
  • Right to erasure (Art. 17): you have the right to request deletion of your personal data. You can delete your account at any time, which permanently removes all server-side data.
  • Right to restriction of processing (Art. 18): you have the right to request that we restrict the processing of your personal data in certain circumstances.
  • Right to data portability (Art. 20): you have the right to receive your personal data in a structured, commonly used, and machine-readable format. The cloud sync feature effectively provides this through its data pull functionality.
  • Right to object (Art. 21): you have the right to object to processing based on legitimate interests. You can disable cloud sync at any time.
  • Right to withdraw consent (Art. 7): where processing is based on consent, you can withdraw consent at any time by disabling cloud sync or deleting your account.
  • Right to lodge a complaint: you have the right to lodge a complaint with your local data protection supervisory authority if you believe your rights have been violated.

To exercise any of these rights, please contact us at privacy@petmedly.app. We will respond within 30 days of receiving your request, as required by the GDPR.

10. Your Rights Under the CCPA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:

  • Right to know: you have the right to request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to delete: you have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to non-discrimination: we will not discriminate against you for exercising your CCPA rights. Since the Service is free, there is no pricing differential.
  • Right to opt out of sale: we do not sell your personal information to any third party. This right is automatically satisfied.

Categories of personal information collected (as defined by the CCPA):

  • Identifiers: email address, IP address.
  • Internet or electronic network activity: User-Agent string, authentication timestamps.

We do not collect categories such as commercial information, biometric data, geolocation data, sensory data, professional information, education information, or inferences drawn from the above.

To exercise your CCPA rights, contact us at privacy@petmedly.app. We will verify your identity before processing requests and respond within 45 days.

11. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. This age threshold is set in compliance with GDPR Article 8, which establishes 16 as the default age of digital consent.

If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal data, please contact us at privacy@petmedly.app.

12. Cookies and Tracking Technologies

Petmedly does not use cookies, web beacons, pixels, or any other tracking technologies.

The App is a native mobile application that communicates with our API server using JSON over HTTPS with bearer token authentication. There is no web browser component, no embedded webviews for tracking, and no third-party SDKs that place cookies or collect device identifiers.

This website (petmedly.app) is a static informational site and does not use cookies or analytics trackers.

13. Notifications

Petmedly uses local device notifications only to remind you of scheduled medication doses. These notifications:

  • Are generated entirely on your device by the app.
  • Are not sent from our servers (no push notification services like Firebase Cloud Messaging or Apple Push Notifications are used).
  • May contain the pet's name and medication details for your convenience.
  • Can be disabled at any time through your device's system notification settings.

We do not send marketing emails, promotional notifications, or newsletters. The only communications from us would be critical account-related notices (e.g., security alerts), delivered via the email address associated with your account.

14. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
  • Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms, as required by GDPR Article 34.
  • Document the breach, its effects, and the remedial actions taken.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

  • The "Last updated" date at the top of this page will be revised.
  • For material changes, we will provide notice through the App or via email to your registered email address at least 30 days before the changes take effect.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Pet Medly — Data Protection Inquiries

Email: privacy@petmedly.app

We aim to respond to all inquiries within 30 days. For GDPR-related requests, we are legally required to respond within one month and will do so.