
Privacy Policy

Effective: 2026-05-15
Last updated: 2026-05-15

This Privacy Policy explains how LLC Nest Engineering ("we", "us", "our") collects, uses, shares, and protects personal data when you use Pethls Application (the "Service"), including any related websites, mobile apps, and paid subscriptions.

Service availability. The Service is currently offered only through the Apple App Store and Google Play storefronts for the United States and Ukraine. We do not currently offer the Service to users in the European Economic Area (EEA), the United Kingdom, or other regions. We may expand availability in the future and will update this Policy accordingly, including by appointing a representative under Article 27 of the EU GDPR and the UK GDPR before any rollout in those jurisdictions.

This Policy is written to comply with the laws applicable to where the Service is offered today, including the California Consumer Privacy Act as amended by the CPRA ("CCPA") and other US state privacy laws, and the Ukrainian Law on Personal Data Protection. It also reflects standards from the EU GDPR and UK GDPR so that the same protections apply if you happen to access the Service from those regions and so that the Policy remains accurate when we expand.

If anything here is unclear, contact us at privacy@pethls.com.

01 Who is the data controller

The controller of your personal data is:

LLC Nest Engineering

Registered in: Ukraine

Tax ID: 45335814

Privacy contact: privacy@pethls.com

02 What personal data we collect

2.1 Data you provide

  • Account data: full name, email address, username, password (stored as a salted hash).
  • Pet records data: information about pets under your care, including breed, name, age (or date of birth), sex, weight, photographs, diseases and diagnoses, allergies, vaccination history, prescriptions and treatments, food and feeding habits, and any other notes you choose to add. To the extent this information is linked to your account, we treat it as your personal data. Please avoid uploading photographs that contain identifiable third parties.
  • Subscription data: subscription plan, purchase status, renewal status. Payments are processed by Apple App Store and Google Play Billing, and managed through RevenueCat. We do not receive your card details, full billing address, or App Store / Google account credentials.
  • Communications: messages, feedback, support requests, survey answers, prompts and inputs you submit to AI features (see Section 11).
  • User-generated content: saved progress, settings, uploaded files.

2.2 Data we collect automatically

  • Device and technical data: device model, operating system and version, app version, language, time zone, IP address, push notification tokens (APNs / FCM), crash logs, performance diagnostics.
  • Usage data: features used, screens viewed, session length, in-app events.
  • Cookies and similar technologies on our website — see Section 9.

2.3 Data from third parties

  • Apple App Store and Google Play: receipt data, transaction status, country of purchase, subscription renewal events. Provided via RevenueCat, which acts as our subscription infrastructure provider.
  • Sign-in providers (if you sign in with Apple, Google, or similar): name, email, profile picture, provider user ID.
  • Analytics providers: see Section 4.

The special-category list above refers to your own (human) data. Pet health information (vaccinations, treatments, medications, diagnoses, allergies) is user-generated content that you choose to store about your pet and is described in Section 2.1 as "Pet records data"; under the GDPR / UK GDPR this is not "data concerning health" of a data subject, because the GDPR protects natural persons rather than animals. We do not intentionally collect human special-category data (racial or ethnic origin, political opinions, religious beliefs, your own health, sex life or sexual orientation, biometric data, genetic data, trade union membership) or precise geolocation. Please don't send us such data through support or other channels.

03 Why we use your data and our legal bases

| Purpose | Data used | Legal basis (GDPR / UK GDPR) |
|---|---|---|
| Create and operate your account | Account data | Contract — Art. 6(1)(b) |
| Provide the Service and its core features | Account, usage, technical | Contract |
| Validate purchases and manage subscriptions | Account, subscription, store receipts | Contract; legal obligation (tax/accounting) |
| Customer support | Account, communications | Contract; legitimate interest |
| Security, abuse and fraud prevention | Technical, usage | Legitimate interest — Art. 6(1)(f); legal obligation |
| Service analytics and product improvement | Usage, technical, device | Consent (where required); otherwise legitimate interest |
| Crash and performance monitoring | Technical, crash logs | Legitimate interest |
| AI features (analyzing pet records and your inputs to highlight information, surface care/health/allergen considerations, identify breed from photos, and prepare questions for your veterinarian — see Section 11) | Account, pet records, communications | Contract — Art. 6(1)(b) |
| Transactional communications about the Service (e.g., service updates, security alerts, billing notices, password resets) | Account, subscription, technical | Contract — Art. 6(1)(b); legal obligation |
| Marketing communications (newsletters, offers, in-app promotions) | Account, usage | Consent — Art. 6(1)(a); for existing customers, legitimate interest under the ePrivacy "soft opt-in" where permitted |
| Legal compliance and dispute defense | As needed | Legal obligation; legitimate interest |

Where we rely on consent, you can withdraw it at any time in the app's privacy settings or your device settings, without affecting the lawfulness of processing before withdrawal. Where we rely on legitimate interest, you can object on grounds relating to your particular situation (Section 7).

04 Who we share your data with

We share personal data only with the categories of recipients below, under contracts that restrict their use of your data to providing services to us:

  • Cloud hosting: Amazon Web Services, Inc. Production data is stored in the AWS us-east-1 (N. Virginia) region in the United States.
  • App stores and payment processing: Apple Inc. (App Store), Google LLC (Google Play Billing). They process your payment and provide us with transaction confirmation.
  • Subscription infrastructure: RevenueCat, Inc. — manages subscription state, receipts, and entitlements.
  • Analytics: Google LLC (Firebase Analytics).
  • Crash reporting: Functional Software, Inc. (Sentry).
  • AI infrastructure: OpenAI, L.L.C. (United States) — powers our AI features. When you use AI features, the relevant inputs (text and, where applicable, photographs of your pet) are sent to OpenAI through its API solely to generate outputs for you. Inputs and outputs are not used to train OpenAI's models. See Section 11.
  • Authentication providers: Apple, Google — only when you sign in through them.
  • Email notifications: delivered through Amazon Simple Email Service (Amazon SES), operated by Amazon Web Services, Inc. in the same United States region.
  • Push notifications: delivered through Firebase Cloud Messaging (FCM) provided by Google LLC; on iOS, FCM forwards messages to Apple Push Notification service (APNs) using credentials we have uploaded to Firebase.
  • Customer support tools: by email.
  • Professional advisors: lawyers, accountants, auditors, where strictly necessary.
  • Authorities: when required by law, court order, or to protect rights, property, or safety.

If we are involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify you and any applicable safeguards will continue to apply.

Sale and sharing of personal information. We do not sell your personal data for money and we do not share it for cross-context behavioral advertising as defined under California and other US state privacy laws. The Service does not run advertising or use advertising/attribution SDKs.

05 International data transfers

Your personal data is primarily stored and processed on AWS servers in the United States (us-east-1, N. Virginia). The United States is not the subject of a general European Commission adequacy decision; however, the EU-US Data Privacy Framework provides an adequacy mechanism for organisations that have certified to it (see below).

We are established in Ukraine, which is not part of the EEA or the UK and is not subject to a European Commission adequacy decision. When we access personal data of EEA or UK users from Ukraine, this constitutes an international transfer.

In addition to our hosting infrastructure, several of our service providers — including Apple (APNs), Google (Firebase Analytics, FCM), RevenueCat, Sentry, and OpenAI — are located in the United States and may process your personal data outside the EEA and UK.

For all transfers of personal data outside the EEA or UK — including transfers to ourselves in Ukraine and to our US-based providers and hosting infrastructure — we rely on one or more of the following safeguards:

  • The EU-US Data Privacy Framework, the UK Extension to the EU-US DPF, and the Swiss-US DPF where the recipient is certified (Amazon Web Services, Inc. is certified to the DPF and its UK and Swiss extensions);
  • Standard Contractual Clauses (SCCs) approved by the European Commission, with the UK International Data Transfer Addendum where applicable;
  • Supplementary technical and organisational measures (including encryption in transit and at rest, access controls, and contractual protections) where required following a transfer impact assessment;
  • Other lawful transfer mechanisms recognised under GDPR / UK GDPR.

You can request a copy of the safeguards in place by writing to privacy@pethls.com.

06 How long we keep your data

We keep personal data only as long as necessary for the purposes set out in this Policy:

| Category | Retention |
|---|---|
| Account data | While the account is active, plus up to 24 months after deletion for security and legal claims |
| Pet records data | While the account is active; you can delete individual records at any time through the app |
| AI feature inputs and outputs | Held on our servers for up to 12 months to maintain your interaction history within the app, unless you delete them sooner; processed by OpenAI under its API retention terms (typically up to 30 days for abuse-monitoring) |
| Subscription and purchase records | Up to 5 years as required by applicable tax and accounting laws |
| Support communications | Up to 1 year from last contact |
| Server, security, and access logs | Typically 30 days |
| Crash and diagnostic data | Up to 30 days |
| Backups | Rolling deletion, normally within 30 days |

After these periods, data is deleted or irreversibly anonymized.

07 Your rights

7.1 EEA and UK users (GDPR / UK GDPR)

You have the right to:

  • Access the personal data we hold about you and obtain a copy;
  • Rectify inaccurate or incomplete data;
  • Erase your data ("right to be forgotten") in certain cases;
  • Restrict processing in certain cases;
  • Data portability — receive your data in a structured, commonly used, machine-readable format;
  • Object to processing based on legitimate interest, including profiling;
  • Withdraw consent at any time, where processing is based on consent;
  • Not be subject to a decision based solely on automated processing that produces legal effects on you — we do not make such decisions; see Section 11 for details on our AI features.

To exercise these rights, write to privacy@pethls.com. We respond within one month and may ask for information to verify your identity.

You also have the right to lodge a complaint with your local supervisory authority:

We'd appreciate the chance to address your concerns first.

7.2 Consent for non-essential analytics

The Service does not run advertising and does not use advertising or attribution SDKs. We use Firebase Analytics for product analytics; where consent is required, we will ask for it in the app before any non-essential analytics begin. You can withdraw consent at any time in Settings → Privacy inside the app. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

7.3 US users — state privacy rights

Depending on your state of residence (including California, Colorado, Connecticut, Virginia, Utah, Oregon, Texas, Montana, Iowa, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Tennessee, Indiana, Kentucky, and Rhode Island), you may have the right to:

  • Know / access the personal information we collect, use, and disclose about you;
  • Delete personal information we collected from you;
  • Correct inaccurate personal information;
  • Data portability — obtain a copy of your data;
  • Opt out of sale or sharing of personal information for targeted advertising or profiling (the Service does not currently engage in either; if this changes, we will update this Policy and provide the opt-out before any such processing begins);
  • Limit the use of sensitive personal information;
  • Non-discrimination for exercising your rights;
  • Appeal a denial of your request.

To submit a request, email privacy@pethls.com. We will verify your identity before responding. You may use an authorized agent with written permission and proof of identity.

We honor Global Privacy Control (GPC) signals received through our website. The Service does not currently sell or share personal information for targeted advertising; if this changes, GPC signals will be treated as a valid opt-out.

7.4 California — additional CCPA / CPRA disclosures

In the past 12 months, we have collected the following categories of personal information:

| CCPA category | Examples | Collected? |
|---|---|---|
| Identifiers | Full name, email, username, IP address, device IDs, push notification tokens | Yes |
| Customer records | Subscription status, purchase history | Yes |
| Commercial information | Subscription plan, purchases | Yes |
| Internet / network activity | Usage events, app interactions | Yes |
| Geolocation | | No |
| Audio / visual | Photographs of pets that you upload | Yes |
| Professional / employment | | No |
| Education | | No |
| Inferences | Preferences derived from usage | Yes |
| Sensitive personal information | | No |

Sources: directly from you; automatically through your use of the Service; from Apple App Store, Google Play, RevenueCat, and sign-in providers.

Business purposes: providing and securing the Service, validating purchases and managing subscriptions, customer support, analytics and product improvement, legal compliance, fraud prevention.

Disclosed to service providers / contractors: identifiers, customer records, commercial information, internet activity, inferences, and (for AI features) pet records and photographs — to AWS, RevenueCat, Firebase, Sentry, OpenAI, and others listed in Section 4, under contracts that restrict their use to providing services to us.

Shared for cross-context behavioral advertising: none.

Sold for monetary consideration: none.

Sensitive personal information used or disclosed for purposes that trigger the right to limit: none.

Retention: see Section 6.

We do not discriminate against you for exercising your rights.

08 Age requirement and children

The Service is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18.

We do not ask for or store your date of birth. Instead, the age restriction is enforced through the age rating set in the Apple App Store and Google Play, which prevents the app from being installed by accounts that do not meet the rating, and through the eligibility requirement in our Terms of Service.

If we learn that we have collected personal data from a user under 18, we will delete the account and the associated data without undue delay. If you believe a minor has provided us personal data, please contact privacy@pethls.com.

09 Cookies and similar technologies

Website. We use cookies and similar technologies to operate the website, remember your preferences, and — with your consent where required — measure performance and analytics. You can manage cookies through our cookie banner and your browser settings. For details, see our Cookie Policy.

Mobile apps. Our apps use device identifiers and SDKs (Firebase Analytics, Sentry, RevenueCat) for the purposes described in this Policy. The Service does not use advertising or attribution SDKs and does not collect advertising identifiers. You can manage in-app consent under Settings → Privacy.

10 Security

We apply technical and organizational measures designed to protect personal data, including:

  • TLS encryption in transit;
  • Encryption at rest on AWS where appropriate;
  • Role-based access controls and least-privilege access for staff;
  • Logging, monitoring, and periodic security reviews;
  • Vendor due diligence and data processing agreements.

No system is 100% secure. If a personal data breach affects you, we will notify the relevant supervisory authority and, where required, you, in accordance with applicable law.

11 Automated decisions and AI features

11.1 Automated decision-making (Article 22)

We do not make decisions producing legal or similarly significant effects on you based solely on automated processing within the meaning of Article 22 GDPR / UK GDPR. Veterinary and care decisions concerning your pet are made by you in consultation with a licensed veterinarian.

11.2 What AI features do

The Service includes features powered by artificial intelligence ("AI features"). AI features process the information you provide about your pet — including pet records data (breed, age, vaccinations, diagnoses, allergies, prescriptions, food habits, photographs) and your inputs — to:

  • highlight when it may be timely to consult a veterinarian about specific vaccinations;
  • surface general informational considerations about pet health, allergens, and day-to-day care;
  • identify the breed and assess external appearance from photographs you upload;
  • suggest questions and topics you may want to raise with a licensed veterinarian.

AI features are an assistive tool only. They do not provide veterinary advice, do not issue diagnoses or prescriptions, and do not make autonomous decisions about your pet. Outputs are probabilistic and may be incomplete, outdated, or factually inaccurate. Please see Section 1 of our Terms of Service for the full description of the Service and its limitations.

11.3 AI infrastructure provider — OpenAI

AI features are powered by infrastructure provided by OpenAI, L.L.C. ("OpenAI"), based in the United States. When you use AI features, the relevant inputs — including text you submit and, where applicable, photographs of your pet — are sent to OpenAI through its API solely to generate outputs for you. OpenAI acts as our processor under written terms compliant with Article 28 GDPR / UK GDPR.

No training on your data. Inputs and outputs from our use of the OpenAI API are not used to train or improve OpenAI's models. OpenAI retains them only for the limited period necessary to deliver the service and for abuse-monitoring purposes set out in its API terms.

International transfer. Inputs sent to OpenAI are processed in the United States. We rely on OpenAI's certification under the EU-US Data Privacy Framework (including the UK Extension and the Swiss-US DPF where applicable) and, in the alternative, on the Standard Contractual Clauses — see Section 5.

11.4 Your choices

You can choose not to use AI features. Doing so does not affect your access to the rest of the Service. You can also write to privacy@pethls.com to request information about how a specific AI output was produced (to the extent technically feasible), to contest an output, or to request human review by our team.

12 Changes to this Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top shows when it was last revised. For material changes, we will notify you in-app or by email a reasonable time before they take effect.

13 Contact

LLC Nest Engineering

General: support@pethls.com

Privacy: privacy@pethls.com

© 2026 LLC Nest Engineering. All rights reserved.