Privacy Policy — Whispet

Version: 2.5  |  Effective date: 1 March 2026  |  Last updated: June 4, 2026

1. Data Controller

The controller of personal data processed in connection with the use of the Whispet mobile application (hereinafter: the "App") is:

CRE8EVE Sp. z o.o.
Address: Tulipanowa 4, 72-003 Dobra, Poland
KRS (National Court Register): 0000912669 | NIP (Tax ID): 8513262229 | REGON: 389506637
Contact e-mail: hello@whispet.app
(hereinafter: the "Controller")

2. Definitions

• App — the Whispet mobile application available for iOS and macOS devices (Android version planned).

• User — a natural person using the App.

• Personal data — any information relating to an identified or identifiable natural person, within the meaning of Art. 4(1) of the GDPR.

• GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

• Processing — an operation or set of operations performed on personal data, within the meaning of Art. 4(2) of the GDPR.

• Free Plan — the free subscription plan with basic functionality.

• Premium Plan — the paid subscription plan (monthly or annual) with extended functionality.

3. Scope of data processed by the App

3.1. No user accounts

The App operates entirely locally — it does not require registration, login, or account creation. We do not collect email addresses, passwords, or any authentication data. All data is stored exclusively on the User's device.

3.2. Pet data

3.3. Photos

Note on sourceAssetId: The sourceAssetId identifier (PHAsset.localIdentifier) is a technical asset identifier from the iOS gallery (PhotoKit). It is used solely for duplicate detection during repeated photo imports. It is a technical operating system identifier and does not constitute personal data.

Note on cloudIdentifier (photo sync between User's own devices): The Application stores an optional cloudIdentifier (PHCloudIdentifier from Apple PhotoKit, available since iOS 16). This is an opaque technical pointer generated by Apple that references the same photo in the Apple Photos library on every User device signed into the same iCloud account. The Application does not transmit the actual photo bytes through Whispet or CRE8EVE servers — full-image synchronisation occurs exclusively through Apple iCloud Photo Library infrastructure controlled by the User via iOS Settings → [Apple ID] → iCloud → Photos. Requires: (1) User consent for Application access to Apple Photos, (2) iCloud Photo Library enabled on the devices. Without these conditions the sync feature is inactive, but the Application functions normally (the photo saved on the source device remains accessible locally; on other devices a thumbnail is visible). The identifier contains no personal data — it is a technical pointer generated by Apple. The mechanism is analogous to the native Apple Photos application.

Note on Photo History Import (Premium): This feature enables batch import of photos from the device gallery using the native PhotosUI framework (iOS PhotoKit API). Photos are processed in chunks with resizing to 1920x1920 resolution. The import utilises iOS Background Task for additional processing time (~30 s) and supports resume after app termination. All operations are performed exclusively on the device.

Note on Smart Pet Photo Detection (Premium): The "Find Pet Photos" feature uses Apple Vision framework to scan the device gallery to detect animal photos (cats, dogs, birds, etc.). Analysis is performed on 800x800 thumbnails entirely on the device — no image data is transmitted to external servers. An optional "Search deeper" mode re-scans undetected photos at 1600x1600 resolution with a lower confidence threshold for improved accuracy — this is also performed entirely on-device. The feature allows filtering by animal type, favourites, and automatically excludes screenshots, selfies, and panoramas.

Note on EXIF date reading: The App reads only the EXIF DateTimeOriginal date from photo files on the device in order to place photos on the timeline at the correct date. The App does not read or store GPS coordinates from EXIF metadata. Furthermore, location metadata (GPS) is explicitly stripped from photo files when saving to the App's local storage. EXIF data reading is performed exclusively locally, without network access. The User may manually correct the date using a date picker.

Note on Apple Vision Framework: Code supporting the Apple Vision Framework (VNGenerateImageFeaturePrintRequest) is present in the App but is currently disabled and is not invoked. No data is processed or transmitted by this functionality. If activated in the future, processing will be performed exclusively on the device (on-device), without any data transfer.

3.4. Pet medical data

3.5. Event journals

Event journals allow the User to track recurring events (e.g. epileptic seizures, digestive issues) using user-defined fields (chips/tags, sliders, toggles, numeric fields, time pickers). All data is stored exclusively on the device.

Disclaimer: Medical data and event journal data pertains to animals, not natural persons. The processing of such data under the GDPR relates to it as an element of the service provided to the User.

3.6. QR Pet Card — optional owner contact data

The QR Pet Card feature allows the User to optionally enter their name and phone number to include on the card. This data is not stored in the App or on the device — it is entered temporarily and embedded directly into the generated QR code image. Once the QR Card screen is closed, the entered contact data is discarded. The QR code is generated entirely on the device; no data is transmitted to any server.

3.7. Technical data

3.8. Speech dictation (Speech-to-Text)

The App provides an optional speech dictation feature for medical form fields (veterinary notes) and photo descriptions. The feature is activated only on explicit User action (microphone button within a text field).

Privacy-by-default principle:

• By default the App routes the audio stream to Apple Speech framework on-device (processing entirely on the User's device) — request.requiresOnDeviceRecognition is set from recognizer.supportsOnDeviceRecognition. For supported system languages (most common locales on iPhone with iOS 13+) audio does not leave the device.
• Fallback to Apple Speech Recognition Service (cloud) occurs only when on-device speech recognition is NOT available for the selected system language (rare locales, older hardware). In fallback mode the audio stream is transmitted to Apple Inc. servers (USA) only for the duration of the dictation session. Apple acts as a data sub-processor under Standard Contractual Clauses (SCCs). Apple's policy: https://www.apple.com/legal/privacy/.

Nature of processing:

• No biometrics. The feature performs only speech-to-text transcription. It does NOT identify the speaker, does NOT use audio for authentication, does NOT perform profiling or emotion recognition.
• EU AI Act classification: minimal risk (Annex III does not cover STT; specialized transcription models are explicitly excluded from the FLOPs threshold per the EU AI Act Guidelines for GPAI Providers 2025; Art. 50 transparency obligations apply to chatbots / deepfakes / emotion recognition / biometric categorization — not STT).
• Audio is not stored by the App. Only the textual transcription result is saved into the selected form field.
• Apple may use audio fragments (fallback path) to improve its ASR models if "Improve Siri & Dictation" is enabled in iOS Settings → Siri & Search. The User may disable this at any time (per EDPB "Guidelines on Virtual Voice Assistants" 2021 — consent under Art. 6(1)(a) is the only valid legal basis for audio improvement).

User control:

• Consent required — on first use iOS prompts for permission to recognize speech (NSSpeechRecognitionUsageDescription) and access the microphone (NSMicrophoneUsageDescription).
• Revoke consent at any time: iOS Settings → Whispet → Speech Recognition / Microphone → Off.
• Disabling "Improve Siri & Dictation" in iOS Settings → Siri & Search prevents Apple from retaining audio from the dictation feature (in fallback mode).

4. Purposes of processing and legal bases

The Controller processes personal data for the following purposes:

4.1. Performance of a contract (Art. 6(1)(b) GDPR)

• Provision of App services (timeline, gallery, medical data, event journals, reminders, photo history import, smart pet photo detection, EXIF date reading)
• Fulfilment of paid subscription plans

4.2. Legal obligation (Art. 6(1)(c) GDPR)

• Maintaining a consent audit trail (timestamp, app version)
• Fulfilment of User rights (Art. 15–22 GDPR)

4.3. Legitimate interest of the Controller (Art. 6(1)(f) GDPR)

• Ensuring the security and stability of the App
• Diagnosing technical issues

5. Data recipients

The User's personal data is not transmitted to any servers of the Controller. The App does not use any analytics, advertising, or third-party tracking services. To a limited extent, data may be shared with the following categories of recipients:

Note on iCloud synchronisation: Data is synced exclusively to the User's private iCloud database, to which Apple has no access (end-to-end encryption with iCloud Advanced Data Protection enabled). The Controller has no access to data stored in iCloud.

Note on Shared Care: Data is shared with other users only at the explicit request of the User (owner). The User may revoke access at any time from within the App.

Note on speech dictation: The App by default processes audio entirely on the User's device (Apple Speech framework on-device). Fallback to Apple servers occurs only when on-device speech recognition is not available for the selected system language. See §3.8 for full description.

Note on Apple Vision framework: Smart pet photo detection is performed entirely on the User's device. No image data or analysis results are transmitted to external servers.

Note on payments: The Controller does not have access to the User's payment data (e.g. credit card number). Payments are handled entirely by the Apple App Store.

6. Data transfers outside the European Economic Area (EEA)

User data may be transferred outside the EEA in the following circumstances:

• iCloud synchronisation (CloudKit): Data is stored on Apple Inc. servers (USA) in the User's private iCloud database. Apple ensures data protection under its DPA (Data Processing Agreement) and Standard Contractual Clauses (SCCs).
• Shared Care: When the User activates Shared Care, data is stored in a dedicated Apple CloudKit sharing area on Apple Inc. servers (USA). Legal basis for transfer: as above.
• Speech dictation (Apple Speech, fallback): In fallback mode (when on-device speech recognition is not available for the selected system language) the audio stream is transmitted to Apple Speech Recognition Service (USA) only for the duration of the dictation session. See §3.8.
• Premium subscription purchase: Transaction data is processed by Apple Inc. (USA) via the StoreKit/App Store system.

The aforementioned entities ensure an adequate level of data protection based on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• EU-US Data Privacy Framework (to the extent currently in force)

Note: The App does not use Google Fonts, Firebase, or any analytics/advertising services. The Nunito font is bundled directly within the App and is not downloaded from external servers.

6a. Shared Care feature (sharing a pet profile)

The App allows the account Owner (hereinafter the "Owner") to share selected pet profiles with other Users — family members or close ones (hereinafter "Participants"). The feature is implemented exclusively via Apple CloudKit sharing. Each shared pet has its own isolated sharing area within the Owner's iCloud database — all data flows directly between participants' devices through the Apple infrastructure. CRE8EVE does NOT mediate the transfer of Shared Care data and has no access to the shared content.

The maximum number of people to whom the Owner may share their pets is 10 unique Participants in total (the same person across multiple pet zones counts as one).

6a.1. Scope of Participants' access

After accepting an invitation, the Participant receives access to the following data of the shared pet:

• Basic profile: name, species, breed, date of birth, avatar (read-only — the Participant cannot edit the profile).
• Photos: full read + write access (the Participant may add their own photos but may delete only their own, NOT photos of other participants).
• Medical data: read-only. The Participant sees vaccinations, medications, vet visits, allergens, nutrition, documents, and the event journal, BUT cannot edit or delete them. The Owner retains full control.

6a.2. Sharing modes (per-participant) — narrowest access by default

The Owner may select a sharing mode per participant:

• Photos only (default): The Participant sees only the pet's photos; no access to medical data. Without an explicit switch to "Full access" the Participant never gains access to medical data.
• Full access: The Participant sees all data (profile + photos + medical data — medical data remains read-only).

Default-deny invite (privacy by design and by default — GDPR Art. 25 + Art. 5(1)(c)):

Every invitation sent by the App is configured by default with the "Photos only" mode, regardless of the Owner's preference in the invitation form. This stems from two GDPR principles and from a technical constraint of Apple CloudKit Sharing API:

• Art. 5(1)(c) GDPR (data minimization) — at the moment an invitation is sent the Participant is not yet uniquely identified by Apple. The invitation is addressed to a lookupInfo value (iCloud email or phone number), and Apple verifies the Participant's userRecordID only at acceptance time. The default narrowest access scope eliminates the risk of disclosing the pet's medical data should the invitation be sent to the wrong address by mistake.
• Art. 25 GDPR (privacy by design and by default) — the App defaults the feature to the narrowest possible processing scope (photos), and any expansion of scope (medical data) requires an additional, conscious action by the Owner taken after the recipient has been positively identified.

Switching to "Full access" mode (post-accept):

After the Participant accepts the invitation, the Owner may at any time change the mode to "Full access" separately per pet. The operation is performed in Settings → Shared Care → tap the person's card. The change takes effect after a brief synchronization (typically a few seconds), without notification to the Participant.

6a.3. Revoking access — three paths

The App offers the Owner three separate, independent paths for revoking access, tailored to different real-life situations:

1. Per pet per person (trash icon next to the pet on the person's card) — revokes the given person's access to one, specific pet only. Other pets shared by the Owner with that person remain accessible. The person remains on the trusted list.
2. Per person — all pets ("Remove completely" on the person's card) — revokes that person's access to all of the Owner's pets and removes them from the trusted list.
3. Per pet — all people (sharing toggle for the pet switched OFF) — stops sharing that pet with all Participants simultaneously. The trusted list stays unchanged.

In all three paths the Participant's permissions are revoked immediately on the Apple iCloud server side (removeParticipant or removeAllParticipants operation at the CKShare level). The push notification about revocation on the Participant's device may be delayed by up to 15 minutes — this is known, intentional behavior of the Apple iCloud infrastructure (revocation notifications are deprioritized compared to invitation acceptances, which are typically delivered within 1–2 seconds). During this delay window the Participant may visually still see the pet in the local app cache, but all attempts to download new data from iCloud are rejected by Apple servers. The Participant's app removes the pet from the view on the next successful sync.

• The Participant may at any time: leave the share ("Leave") from their side. The effect on the Participant's device is immediate; notification of the Owner may be similarly delayed.
• Premium loss by the Owner: If the Owner loses their Premium subscription, Shared Care is immediately disabled for all of the Owner's pets (instant revokeAllShares). Participants are not notified in advance (a product decision preserving the privacy of the Owner's subscription status). Apple Billing Grace Period (3–28 days, configurable in App Store Connect) protects against accidental payment-fail — during the grace period the subscription remains active server-side and Shared Care continues to function.

6a.4. Photos after losing access

At the moment of access revocation, the Participant is offered the option to export their own photos (photos they themselves added) to the iOS system gallery before they are removed from the App. Photos of other participants (including the Owner) are not available to the Participant after access is revoked.

6a.5. Legal basis and processing scope

The Shared Care feature uses exclusively the Apple CloudKit infrastructure (see: https://whispet.app/legal/en/subprocessors). CRE8EVE as the Data Controller:

• does NOT mediate the transfer of Shared Care data,
• has NO access to the shared content (end-to-end encrypted by Apple),
• does NOT store the list of sharing participants on its own servers,
• does NOT use Shared Care data for any purpose other than enabling the feature to operate within the App.

Legal basis for processing: Art. 6(1)(b) GDPR (performance of a contract — feature offered as part of the Premium subscription).

Terminology note: In the App's UI and internal project documentation the feature appears under the name "Shared Care". It should not be confused with the Apple iCloud Family Sharing platform service — Shared Care in Whispet is an independent feature implemented via the CloudKit Sharing API and does NOT require or use Apple Family group membership.

7. Data retention period

Data is stored locally on the User's device and — if iCloud synchronisation is enabled — also in the User's private iCloud database. Uninstalling the App removes local data; iCloud data persists until removed by the User via the "Delete all my data" feature available in the App (Settings → Your account), which deletes all Whispet data zones from the User's private iCloud database.

8. User rights

Under the GDPR (Art. 15–22), the User has the following rights:

8.1. Right of access (Art. 15 GDPR)

The User has the right to obtain confirmation as to whether their personal data is being processed, and if so — to access such data and information about the purposes of processing.

8.2. Right to rectification (Art. 16 GDPR)

The User has the right to request the prompt rectification of inaccurate personal data concerning them.

8.3. Right to erasure — "right to be forgotten" (Art. 17 GDPR)

The User has the right to request the erasure of their personal data when:

• the data is no longer necessary for the purposes for which it was collected,
• the User has withdrawn consent and there is no other legal basis for processing,
• the User has objected to processing.

Note: The User can at any time delete all of their data (from the device and from the private iCloud database) using the "Delete all my data" feature available in Settings → Your account in the App. The feature deletes all Whispet data zones (pet_*) from the User's private iCloud database via the CloudKit API, clears the on-device photo cache, and empties the local database. The Premium subscription remains active — Apple manages it independently of App data.

Why not via iOS Settings? The standard iOS path "Settings → Apple ID → iCloud → Manage Account Storage → Whispet → Delete Data from iCloud" only manages iCloud Drive files and the containers of Apple's first-party apps. It does not remove data from the custom CloudKit container (iCloud.com.cre8eve.dailypawsapp) used by Whispet. For this reason, the in-app feature is the only reliable path for exercising the right to erasure under Art. 17 GDPR.

Alternative: The User may contact the Controller (hello@whispet.app) requesting help with the process or filing a formal Art. 17 GDPR request. We respond within one month per Art. 12(3) GDPR. The Controller, however, has no programmatic access to the User's private iCloud database — Apple deliberately designed CloudKit so that developers cannot read or modify a user's data. The physical deletion is performed by the App on the User's device.

8.4. Right to restriction of processing (Art. 18 GDPR)

The User has the right to request the restriction of data processing in certain cases.

8.5. Right to data portability (Art. 20 GDPR)

The User has the right to receive their data in a structured, commonly used, machine-readable format. The App fulfils this right through two paths:

• In-app medical and journal export — from the pet's profile, the User can export full medical documentation and journal entries to PDF (readable summary) or CSV (tabular data, openable in Excel/Numbers). Files are generated locally on the device and shared via the system share sheet.
• Full iCloud data copy via Apple — all data synchronised with the private iCloud database (profiles, photos, medical records) can be downloaded by the User directly from privacy.apple.com ("Request a copy of your data"). This is the official procedure managed by Apple as the iCloud account controller and covers all data stored in Apple's infrastructure.

8.6. Right to object (Art. 21 GDPR)

The User has the right to object at any time to the processing of data based on the Controller's legitimate interest.

8.7. Right to withdraw consent (Art. 7(3) GDPR)

The User has the right to withdraw consent to data processing at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal.

8.8. Right to lodge a complaint with a supervisory authority

The User has the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO):

• Address: ul. Stawki 2, 00-193 Warsaw, Poland
• Website: https://uodo.gov.pl

How to exercise your rights?

To exercise the above rights, the User may:

1. Contact the Controller at the e-mail address: hello@whispet.app
2. Use the data export feature available in the App (PDF/CSV export from a pet's profile)
3. Use the "Delete all my data" feature available in the App (Settings → Your account) — the feature deletes all Whispet data zones from the User's private iCloud database and erases local data on the device

The Controller will process the request without undue delay, no later than within one month of receiving the request (per Art. 12(3) GDPR).

9. Profiling and automated decision-making

The App does not engage in profiling or automated decision-making within the meaning of Art. 22 GDPR.

Note on AI: Automatic photo labelling and smart pet photo detection (Apple Vision framework — VNRecognizeAnimalsRequest) are used solely for photo categorisation and gallery filtering. They do not constitute User profiling. The analysis is performed entirely on the device. The App additionally uses VNDetectHumanRectanglesRequest (bounding-rectangle detection of human silhouettes) solely to exclude photos dominated by humans from the animal recognition process — without identifying persons, without facial recognition, and without processing biometric data within the meaning of Art. 4(14) and Art. 9 GDPR (a geometric bounding rectangle is not a biometric characteristic enabling unique identification of a natural person).

EU AI Act (Regulation EU 2024/1689): The App's AI functions (animal recognition + human-rectangle detection + speech dictation — see §3.8) are classified as minimal risk. They do not fall under the transparency obligations of Article 50 of the EU AI Act (applicable from 2 August 2026), because:

• they are not chatbots interacting with a natural person (Art. 50(1)),
• they do not perform emotion recognition or biometric categorisation of persons (Art. 50(3)),
• they do not generate or manipulate content (Art. 50(2) and (4) — deepfake / AI-generated content),
• the AI nature of the features is obvious to a reasonably well-informed user (exemption under Art. 50(1), final sentence).

10. Age requirement

The App is intended for persons aged 16 years or older (Art. 8 GDPR). Persons under 16 may use the App only with the consent of a parent or legal guardian.

The Controller does not knowingly collect personal data from persons under 16 without the consent of their parent/guardian.

11. Data security

The Controller applies appropriate technical and organisational measures to ensure the security of personal data, including:

11.1. Local architecture with iCloud synchronisation

• Data is stored locally on the User's device in the App's local database.
• The App synchronises data with the User's private iCloud database (Apple CloudKit) — data is held exclusively on the User's iCloud account, not on the Controller's servers. Apple has no access to content when iCloud Advanced Data Protection is enabled.
• The App does not use Firebase, Google, Amplitude, or any other external analytics or advertising services.
• No user accounts on the Controller's systems — there is no risk of login credential leakage on the Controller's side.

11.2. Encryption

• Data on the device is protected by the operating system's encryption mechanisms (iOS Keychain, macOS Keychain).

11.3. Data minimisation

• The App collects only the data necessary to provide its services.
• Photo analysis (pet photo detection, EXIF date reading) is performed on the device — data does not leave the device.
• Photo history import processes photos in chunks with resizing — all operations are performed locally on the device.

11.4. Data integrity protection

• Before each iCloud synchronisation, the App verifies data integrity (corruption guard). Corrupted data is blocked and is not pushed to iCloud, preventing error propagation between devices.

11.5. Local notifications

• The App uses exclusively local notifications (reminders for vaccinations, medications, etc.). It does not use external push notification services.

12. Changes to the Privacy Policy

The Controller reserves the right to make changes to this Privacy Policy.

• The User will be informed of material changes via the App (in-app notification) at least 14 days before they take effect.
• Continued use of the App after changes take effect constitutes acceptance of the new Privacy Policy.
• The current version of the Policy is always available in the App settings.

13. Contact

For matters concerning personal data protection, please contact:

• E-mail: hello@whispet.app
• Postal address: CRE8EVE Sp. z o.o., Tulipanowa 4, 72-003 Dobra, Poland

14. Legal bases

This Privacy Policy has been prepared in accordance with:

• Regulation (EU) 2016/679 (GDPR) — General Data Protection Regulation
• Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws 2018, item 1000, as amended)
• Act of 18 July 2002 on the Provision of Electronic Services (Journal of Laws 2002, No. 144, item 1204, as amended)
• Act of 16 July 2004 — Telecommunications Law (Journal of Laws 2004, No. 171, item 1800, as amended)

Document generated for Whispet app v1.3

Authoritative Language Version

This English translation is provided for informational purposes only. In case of discrepancies or interpretation questions, the Polish version of this document is the legally binding version. In case of contradiction between language versions, the following priority order applies: Polish (binding) → English (reference) → other available translations (informational).