GDPR Information Clause — Whispet

Version: 2.4 | Effective date: 1 March 2026 | Last updated: June 4, 2026

Information clause pursuant to Art. 13 of Regulation (EU) 2016/679 (GDPR)

Data Controller

The controller of your personal data is:

CRE8EVE Sp. z o.o.
Address: Tulipanowa 4, 72-003 Dobra, Poland
KRS (National Court Register): 0000912669 | NIP (Tax ID): 8513262229 | REGON: 389506637
E-mail: hello@whispet.app

What data does the App process?

Pet data: name, species, breed, date of birth, microchip number, veterinarian address
Photos: file paths, descriptions, dates, automatic labels (tags), sourceAssetId (PHAsset.localIdentifier — technical iOS identifier for duplicate detection), EXIF date (DateTimeOriginal)
Pet medical data: vaccinations, medications, weight, allergies/allergens, nutrition/food, veterinary visits, medical documents
Event journals: journal definitions (name, fields), entries with field values, notes, photos attached to entries
Technical data: app version, consent timestamps (audit trail)

The App operates locally. CRE8EVE does NOT collect data on its own servers, does NOT store it centrally, and has NO technical access to its content. All data remains exclusively on your device and — optionally — in the private iCloud database of your Apple ID (E2E encrypted with iCloud Advanced Data Protection enabled). The App does not require a Whispet account (no registration, login, e-mail, or password). The list below describes the categories of data that the App enables to be collected in the sense of Art. 13 GDPR.

For what purposes and on what basis?

Purpose	Legal basis
Provision of App services (timeline, photos, medical data, event journals, reminders, photo history import, pet photo detection, EXIF date reading, Shared Care, on-device speech dictation)	Art. 6(1)(b) GDPR — performance of a contract
Speech dictation — fallback to Apple Speech Recognition Service when on-device unavailable for the selected system language (rare locales, older hardware)	Art. 6(1)(a) GDPR — consent (iOS permission dialog)
Fulfilment of paid subscription plans	Art. 6(1)(b) GDPR — performance of a contract
Consent audit trail	Art. 6(1)(c) GDPR — legal obligation
App security	Art. 6(1)(f) GDPR — legitimate interest

Who may have access to your data?

Apple Inc. (CloudKit — private database) — synchronisation of your data between your devices via your iCloud account (pets, photos, medical data, journal entries). Apple declares no access to data content (privacy by design; with iCloud Advanced Data Protection enabled — end-to-end encryption).
Apple Inc. (CloudKit — sharing, Shared Care) — optional sharing of selected pets with people you specify (family members, close ones, temporary caregivers). The feature requires activation by you and a Premium subscription. Each shared pet has its own isolated sharing area within your iCloud database. Maximum 10 unique people per Owner total (the same person with access to multiple pets counts as one). Every invitation is sent with the default mode "photos only" (privacy by design — GDPR Art. 25 + data minimization — Art. 5(1)(c)) — medical data is protected against unintended disclosure should an invitation be mis-addressed. The "full access" mode (photos + medical data, read-only) is granted only after the Participant accepts the invitation, separately per pet, as a result of a conscious decision by the Owner. Revocation of access (per pet per person / per person all pets / per pet all people) is immediate on the Apple iCloud server side; the push notification about revocation on the Participant's device may be delayed by up to 15 minutes (known Apple infrastructure behavior — see Privacy Policy §6a.3 for the full description).
Apple Inc. (APNS — Apple Push Notification Service) — delivery of push notifications (reminders for vaccinations/medications/visits; silent notifications for Shared Care synchronisation). Apple receives the device token and encrypted notification content.
Apple Inc. (Apple Speech Recognition Service — fallback only) — speech-to-text transcription for the speech dictation feature. Used only when on-device speech recognition is not available for the selected system language. In the default path audio does NOT leave the device. Subprocessor disclosure: DATA_SUBPROCESSORS §4a.
Apple Inc. (Vision framework — on-device) — automatic photo labelling and smart pet photo detection in the gallery. Processing is performed entirely on the device — no image data is transmitted to Apple servers.
Apple Inc. (StoreKit / In-App Purchase) — Premium subscription payment processing. The Controller has no access to card data.

CRE8EVE does not use Google Fonts, Firebase, or any external analytics/advertising services. The Nunito font is bundled directly within the application package.

CRE8EVE does not mediate the transfer of Shared Care data — all data flows directly between Participants' devices via the Apple infrastructure. The Controller has no access to the shared content.

Data transfers outside the EEA

To a limited extent, data may be transferred outside the European Economic Area (mainly to the USA, where part of the Apple infrastructure is located):

Apple iCloud / CloudKit — private database synchronisation and Shared Care
Apple Push Notification Service (APNS) — delivery of push notifications (device token)
Apple StoreKit / App Store — transaction data for Premium subscription purchases

Legal basis for transfer: Standard Contractual Clauses (SCCs) approved by the European Commission and the EU-US Data Privacy Framework (to the extent currently in force).

Apple Inc. ensures data protection under its own DPA (Data Processing Agreement) and the Apple Developer Program License Agreement.

How long do we retain data?

Pet data, photos, medical data, and event journals — until deleted by you (from the device and from iCloud via the "Delete all my data" feature in Settings → Your account)
Medications: additionally 180 days after archiving before permanent deletion is allowed
Consent audit trail — 5 years (legal obligation)
Technical data — 12 months
Shared Care — until sharing is revoked by the Owner; after Premium subscription loss, sharing is immediately disabled (instant revokeAllShares). Apple Billing Grace Period (3–28 days, configurable) protects against accidental subscription loss due to a failed payment
Audio (speech dictation) — audio is NOT stored by the App. In the default path (on-device) audio does not leave the device. In the fallback path (Apple Speech Recognition Service) retention is on Apple's side; if "Improve Siri & Dictation" is disabled in iOS Settings, Apple does not retain audio

Uninstalling the App removes local data. iCloud-synced data remains in your private iCloud database until you delete it via the "Delete all my data" feature in the App (Settings → Your account). The feature removes all Whispet data zones from your private iCloud database.

Note: "iOS Settings → Apple ID → iCloud → Manage Account Storage → Whispet" only manages iCloud Drive files — it does not remove data from Whispet's CloudKit container (iCloud.com.cre8eve.dailypawsapp). Effective deletion therefore happens from inside the Whispet app.

Your rights

Under the GDPR, you have the right to:

Access your data (Art. 15)
Rectify inaccurate data (Art. 16)
Erase data — "right to be forgotten" (Art. 17)
Restrict processing (Art. 18)
Port your data (Art. 20) — the App enables export of medical records and journals to PDF/CSV from the pet's profile. You can obtain a full copy of your iCloud-stored data via Apple at privacy.apple.com ("Request a copy of your data")
Object to processing (Art. 21)
Withdraw consent at any time (Art. 7(3))
Lodge a complaint with the President of PUODO (ul. Stawki 2, 00-193 Warsaw, Poland, https://uodo.gov.pl)

You can exercise most of these rights directly in the App (PDF/CSV export from a pet's profile, deletion of individual records, or full account deletion via Settings → Your account → "Delete all my data") or via Apple (full iCloud data copy at privacy.apple.com). If needed — contact: hello@whispet.app (response within one month per Art. 12(3) GDPR).

Do we use profiling?

No. We do not engage in profiling or automated decision-making within the meaning of Art. 22 GDPR. Automatic photo labelling and pet photo detection (Apple Vision framework) are used solely for categorisation and gallery filtering. Analysis is performed entirely on the device.

Age requirement

The App is intended for persons aged 16 years or older (Art. 8 GDPR). Younger persons may use the App with the consent of a parent or legal guardian.

Contact

For personal data matters: hello@whispet.app

The full Privacy Policy is available in the App settings (Menu > Privacy Policy) and in the Privacy Policy document.
Subprocessors list: Data Subprocessors.

Authoritative Language Version

This English translation is provided for informational purposes only. In case of discrepancies or interpretation questions, the Polish version of this document is the legally binding version. In case of contradiction between language versions, the following priority order applies: Polish (binding) → English (reference) → other available translations (informational).