Privacy Policy
Who We Are
Remewdy is operated by Povilas Konopackas, operating under individuali veikla registration No. 1503311, Akacijų g. 14-2, Raudondvario k., LT-14258, Lithuania ("we", "us", "Developer").
For GDPR purposes, we are the data controller for any personal data processed through the App.
Contact: support@remewdy.com
Our Privacy Philosophy
1. What We Collect
1.1 Data Stored ONLY on Your Device (We Never See This)
For users who do not use sharing features, the following data is stored exclusively on your device using Apple's local storage. We have no access to this data, cannot read it, and never transmit it to any server:
- Pet profiles (name, species, breed, date of birth, weight, photo, microchip number, insurance info, allergies, conditions)
- Medication records (name, dosage, frequency, schedule, administration notes, missed-dose instructions)
- Dose logs (timestamps, given/skipped/partial status, caregiver attribution)
- Vaccination records
- Prevention schedules (flea/tick/heartworm)
- Weight entries
- Vet contact information
- Vet visit logs
- Daily care check-in entries
- Seizure/event logs
- Subcutaneous fluid tracking records
- Photos attached to pet profiles or records
- App preferences and settings
1.2 Data We Process on Our Servers
Only if you use sharing features (sitter sharing or shared care with family). Shared care data is encrypted end-to-end with a key only your family possesses - we cannot read it:
| Data | Purpose | Legal Basis (GDPR) | Retention |
|---|---|---|---|
| SHA-256 hash of your Apple ID | Verify share ownership when you revoke a sitter share or delete your account. We never store your actual email address - only a one-way cryptographic hash that cannot be reversed. | Contract performance (Art. 6(1)(b)) | Until account deletion |
| Shared medication schedule snapshots | Enable sitter/caregiver to view care schedule | Contract performance (Art. 6(1)(b)) | Sitter links: auto-deleted 30 days after expiry. Shared care data: auto-deleted within 72 hours of last sync; removed immediately on group deletion |
| Dose logs from shared caregivers | Sync dose status between household members | Contract performance (Art. 6(1)(b)) | Until account deletion |
| Phone number (optional) | Displayed on sitter share page so your sitter can reach you in emergencies | Consent (Art. 6(1)(a)) | Deleted with the sitter share link (auto-deleted 30 days after expiry) |
1.3 Analytics Data (Anonymous)
We plan to use TelemetryDeck (TelemetryDeck GmbH, Germany - EU-based) for anonymous usage analytics in a future update. When enabled, it will collect:
| Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Screen views (which screens you visit) | Understand which features are used | Legitimate interest (Art. 6(1)(f)) |
| Feature adoption (which features you try) | Improve the app | Legitimate interest (Art. 6(1)(f)) |
| App crashes and errors | Fix bugs | Legitimate interest (Art. 6(1)(f)) |
| Device type and OS version | Ensure compatibility | Legitimate interest (Art. 6(1)(f)) |
TelemetryDeck does not use cookies, does not collect IP addresses, and does not create user profiles. All analytics data is aggregated and cannot be traced back to individual users. TelemetryDeck is fully GDPR-compliant and processes data within the EU.
We NEVER include pet care data, medication names, health information, or any personal identifiers in analytics.
1.3.5 Diagnostic Data (Linked to Your Support ID)
The app sends a small amount of diagnostic data to our backend so we can support you when you report bugs and help us understand which versions of iOS need fixes:
| Data | Purpose | Legal Basis (GDPR) | Retention |
|---|---|---|---|
| Support ID (a per-install random identifier shown to you in Settings → About) | Allows us to look up your specific install when you contact support | Legitimate interest (Art. 6(1)(f)) | Until account deletion |
| App version, OS version, device model | Reproduce bugs you report and prioritize fixes for affected devices | Legitimate interest (Art. 6(1)(f)) | Until account deletion |
| Last-seen timestamp and request count | Detect inactive installs for cleanup and capacity planning | Legitimate interest (Art. 6(1)(f)) | Until account deletion |
| Crash and error events (when an action fails) | Diagnose problems and ship fixes | Legitimate interest (Art. 6(1)(f)) | Auto-deleted after 90 days |
This data is linked to your Support ID, which we treat as a pseudonymous identifier. It is not linked to your name, email address, or any advertising identifier. You can delete all of it at any time via Settings → Delete Account, which removes every server-side record associated with your Support ID.
We never include pet names, medication names, health data, or any content from your records in this diagnostic data.
1.4 Purchase Data
Subscription and purchase information is processed entirely by Apple. We store the Apple-issued transaction identifier (linked to your Support ID) so we can verify your subscription status when the app starts. We do not receive or store your payment method, billing address, or Apple ID email.
When you purchase or restore a Remewdy subscription, the app sends your per-install device identifier and the Apple-issued transaction identifier to our backend so we can verify the purchase with Apple's App Store Server API and unlock the premium features you paid for. This happens automatically whenever the app detects a new or renewing StoreKit entitlement. The device identifier is the same per-install UUID stored in your device's Keychain and is used purely for linking your device to the subscription you bought. It is not linked to your name, Apple ID email, or any advertising identifier. Legal basis: performance of a contract (GDPR Art. 6(1)(b)). We need to verify your subscription to deliver what you paid for. Retention: subscription verification logs are auto-deleted after 30 days; the underlying subscription row is kept until you delete your account.
To protect this verification endpoint from abuse, we also temporarily store the IP address of the request for rate-limiting purposes. The IP address is stored in a short-lived key that auto-expires within approximately two hours and is never joined to any other data. Legal basis: legitimate interest in network and information security (GDPR Recital 49).
2. What We Never Collect
We want to be explicit about what we do not do:
- We never collect or transmit your pet's care data to our servers (unless you explicitly use sharing features)
- We never sell, rent, trade, or provide your data to advertisers, data brokers, or any third party for marketing purposes
- We never use pet care data for analytics, machine learning, or any purpose other than displaying it to you
- We never track you across other apps or websites
- We never collect location data
- We never access your contacts, calendar, or other apps
- We never use advertising identifiers (IDFA)
- We never create advertising profiles based on your usage
- We do not participate in the App Tracking Transparency framework because we do not track you across other apps. Note that we do store basic diagnostic data linked to your per-install Support ID (see section 1.3.5) - this is not cross-app tracking and is never shared with advertisers or third parties.
3. Where Your Data Is Processed
| Data Type | Location | Provider |
|---|---|---|
| Local pet care data | Your device only | Apple (iOS) |
| Sharing feature data | EU (Cloudflare EU jurisdiction) | Cloudflare, Inc. (with EU Data Processing Agreement) |
| Anonymous analytics | EU | TelemetryDeck GmbH, Germany |
| Purchase processing | Apple infrastructure | Apple Inc. |
For sharing feature data: Cloudflare processes data under their Data Processing Agreement (DPA), which includes Standard Contractual Clauses (SCCs) for any transfers outside the EU. We have configured our sharing infrastructure to use EU-jurisdiction storage where available.
4. How Long We Keep Data
| Data Type | Retention Period |
|---|---|
| Local device data | Until you delete it or uninstall the App |
| Sitter share links | Auto-deleted 30 days after link expiry date |
| Household/account data | Until you delete your account |
| Anonymous analytics | Aggregated, no individual records; TelemetryDeck retains for up to 24 months |
| Emergency screen logs | Stored locally on device only; never transmitted |
| Subscription verification logs (device ID + Apple transaction ID) | Auto-deleted after 30 days |
| IP addresses used for rate limiting subscription verification | Auto-deleted within ~2 hours |
When you delete your account, we delete all your server-side data within 30 days. Some data may persist in encrypted backups for up to 90 days, after which it is permanently deleted.
5. Your Rights
5.1 Rights for All Users
Regardless of where you live, you can:
- Export all your data at any time: Settings > Export Data (available in CSV, JSON, and PDF formats)
- Delete individual records within the App
- Delete all local data by uninstalling the App
- Delete your account (if you have one): Settings > Delete Account
- Contact us at support@remewdy.com with any privacy questions
5.2 Additional Rights for EU/EEA Residents (GDPR)
Under the General Data Protection Regulation, you have the right to:
| Right | How to Exercise |
|---|---|
| Access (Art. 15) | Request a copy of all personal data we hold about you. Email support@remewdy.com. |
| Rectification (Art. 16) | Correct inaccurate data directly in the App, or email support@remewdy.com. |
| Erasure (Art. 17) | Delete your account (Settings > Delete Account) or email support@remewdy.com. |
| Data portability (Art. 20) | Use the in-app export feature (CSV/JSON). This fulfills the portability requirement. |
| Restriction of processing (Art. 18) | Email support@remewdy.com to request restriction. |
| Object to processing (Art. 21) | Email support@remewdy.com to object to processing based on legitimate interest (analytics). |
| Withdraw consent (Art. 7(3)) | Where processing is based on consent, withdraw at any time without affecting the lawfulness of prior processing. |
We will respond to all GDPR requests within 30 days. If we need additional time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.
5.3 Right to Lodge a Complaint
If you believe we have violated your data protection rights, you have the right to lodge a complaint with:
Lithuanian Data Protection Authority (VDAI)
Valstybine duomenu apsaugos inspekcija
L. Sapiegos g. 17, 10312 Vilnius, Lithuania
Email: ada@ada.lt
Or your local EU/EEA data protection authority if you reside in another member state.
5.4 Additional Rights for California Residents (CCPA)
If you are a California resident:
- Right to Know: You can request what personal information we collect, use, and disclose. Email support@remewdy.com.
- Right to Delete: Request deletion of your personal information. Use Settings > Delete Account or email support@remewdy.com.
- Right to Opt-Out of Sale: We do not sell your personal information. We have never sold personal information and have no plans to do so.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
6. Children's Privacy
Remewdy is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child under 13 has provided personal information through the App, contact us at support@remewdy.com and we will delete it promptly.
7. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Local data: Protected by iOS file protection (encrypted at rest when device is locked) and the iOS application sandbox
- Data in transit: All network communications use TLS 1.2 or higher encryption
- Server-side data (sharing features): Sitter sharing data stored in Cloudflare's infrastructure with encryption at rest. Shared care data is additionally encrypted end-to-end with a symmetric key held only by household members - we cannot decrypt it
- No plain-text storage of authentication tokens or sensitive data
- Minimal data collection: Our primary security measure is not collecting data in the first place
8. Data Breach Notification
In the unlikely event of a data breach affecting your personal data, we will:
- Notify the relevant supervisory authority (VDAI) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
- Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms, as required by GDPR Article 34
- Provide clear information about: what happened, what data was affected, what we are doing about it, and what you can do
Note: For solo users (no sharing features), a server breach cannot affect your data because it was never on our servers.
9. Third-Party Services
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Apple (App Store, Sign in with Apple, StoreKit) | App distribution, authentication, payments | Purchase confirmations, Apple ID token (for Sign in with Apple) | apple.com/legal/privacy |
| TelemetryDeck | Anonymous usage analytics | Anonymous usage events (no personal data) | telemetrydeck.com/privacy |
| Cloudflare | Sharing feature infrastructure | Shared schedule data, email (for account users only) | cloudflare.com/privacypolicy |
| Sentry | Crash reporting and error tracking | Anonymous crash reports, app version, device model, OS version. No pet names, medications, or health data. Screenshots are never captured. | sentry.io/privacy |
We also collect basic diagnostic data (app version, device model, OS version) through our own backend to help us identify and fix issues. This data is anonymous and does not include any pet or health information.
We do not use any advertising SDKs, social media SDKs, or third-party tracking services.
10. International Data Transfers
Our analytics provider (TelemetryDeck) and our primary infrastructure (Cloudflare EU) process data within the EU/EEA. For Cloudflare services that may involve transfers outside the EU/EEA, Cloudflare's Data Processing Agreement includes Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring adequate data protection.
Apple processes purchase data under their own privacy policy and data transfer mechanisms.
Sentry processes crash reports in the United States under their Data Processing Agreement, which includes Standard Contractual Clauses (SCCs). Crash reports contain no pet health data, medication names, or personal care information - only technical details needed to fix bugs (app version, device model, error stack traces).
11. Do Not Track
We do not respond to "Do Not Track" browser signals because we do not track you in the first place. Our analytics (TelemetryDeck) are anonymous and aggregate by design.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes through:
- An in-app notification
- Email (if you have an account)
We will provide at least 30 days' notice before material changes take effect. The "Last updated" date at the top of this policy indicates when it was most recently revised.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data:
Developer: Povilas Konopackas
Business registration: Individuali veikla, registration No. 1503311
Address: Akacijų g. 14-2, Raudondvario k., LT-14258, Lithuania
Email: support@remewdy.com
We will respond to all inquiries within 14 days, as required by Lithuanian consumer protection law. For GDPR-specific requests, we will respond within 30 days.
This Privacy Policy is available in the App (Settings > Privacy Policy) and at https://remewdy.com/privacy.