Privacy Notice
This is a working draft. Before public launch it will be reviewed by a UK solicitor specialising in data protection. The substance below reflects our intended approach but should not be relied on as final legal wording.
1. Who we are
This notice describes how [ChonkPal Ltd] ("ChonkPal," "we," "us," "our") handles personal data. ChonkPal Ltd will be a company registered in England and Wales. Company number and registered office will be published here before public launch.
For any data-protection matter you can contact our Data Protection Lead at privacy@chonkpal.example.
2. Scope of this notice
This notice covers personal data processed through the ChonkPal mobile application (iOS and Android) and website (the "Service").
Pet data on its own (your dog's or cat's weight, breed, body-condition score) is not personal data about a human. But because every pet record is linked to the owner's account, the combination is personal data about the owner, and we treat it accordingly.
3. International users
ChonkPal is operated from the United Kingdom and is designed for users anywhere in the world. Our privacy practices are designed to comply with UK law by default and to honour equivalent rights for users in other jurisdictions.
- United Kingdom: we comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The Information Commissioner's Office (ICO) is our supervisory authority.
- European Economic Area and Switzerland: where the EU GDPR or Swiss FADP applies to your use, we extend equivalent protections. The UK has an active adequacy decision from the EU (renewed in December 2024), so no additional transfer mechanism is required for data flowing to our UK hosting from the EEA.
- California, United States: residents of California have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA. We honour these rights — including the right to know, the right to delete, the right to correct, and the right to opt out of sale/sharing — to the same standard as our UK users. We do not sell your personal data and do not share it for cross-context behavioural advertising.
- Other jurisdictions: we apply UK GDPR standards as our global baseline. Where local laws grant you stronger rights we will of course honour those; where local laws permit weaker standards we do not lower ours.
Regardless of where you live, your personal data is stored on servers in the United Kingdom (see "International transfers" below).
4. What personal data we collect
- Account data: your email address, a hashed copy of your password, account creation date, and your marketing-consent flag.
- Profile data: optional display name, locale, country, preferred weight unit.
- Pet profile data: your pet's name, species, breed (or free-text), approximate date of birth, sex, neuter status, size category, scale type, optional photograph.
- Weigh-in data: weight, date, scale type used, free-text notes you add.
- Body-condition data: scores you record (BCS, MCS), optional photographs.
- Notification preferences: which reminders and tips you've opted into, reminder time, sensitivity level.
- Technical data: crash logs, device model, operating system version, app version, install identifier.
- Analytics data (only if you consent): anonymised usage events, feature engagement.
- Support data: messages you send us, your email address and any information you choose to include.
- Waitlist data (website only): your email address, locale, UTM source parameters if you arrived via a campaign link.
We do not ask for, and ask that you do not enter, information about other identifiable humans into free-text fields.
5. Why we use your data — lawful bases
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Creating and operating your account | Contract (6(1)(b)) |
| Storing your weigh-ins and producing trend displays | Contract (6(1)(b)) |
| Keeping the Service reliable (crash logs, essential telemetry) | Legitimate interests (6(1)(f)) |
| Product analytics (non-essential) | Consent (6(1)(a)) |
| Marketing emails | Consent (6(1)(a)) |
| Complying with tax, accounting, and other legal duties | Legal obligation (6(1)(c)) |
| Answering support queries | Contract / legitimate interests |
| Investigating fraud or misuse | Legitimate interests |
Pet health data is not "special category" data under UK GDPR (which applies to human health). We nonetheless treat it conservatively.
7. International transfers
Your personal data is stored in the United Kingdom. Some processors may access it from other jurisdictions. Where data leaves the UK, we rely on:
- an adequacy regulation (e.g. one covering the EEA); or
- the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum; or
- another lawful transfer mechanism under Chapter V of the UK GDPR.
We complete a Transfer Risk Assessment for each onward transfer.
8. How long we keep data
- While your account is active, we keep your data in support of the Service.
- If you delete your account, we delete your personal data within 30 days, except where we must keep records for legal reasons (for example, HMRC records for six years).
- We mark accounts as dormant after 24 months of inactivity. Unless you reactivate, we delete them at 36 months.
- Support correspondence is retained for three years.
- Backups are purged on a 30-day rolling cycle.
9. Your rights
You can exercise all of the following from within the Service (Settings → Privacy) or by emailing our Data Protection Lead. We respond within one month.
- Access — a copy of the personal data we hold about you (UK GDPR Art. 15).
- Rectification — correct inaccurate data (Art. 16).
- Erasure — delete your account and the data we hold (Art. 17).
- Restriction — pause processing while a concern is investigated (Art. 18).
- Portability — receive your data in a machine-readable format (Art. 20).
- Objection — object to processing based on legitimate interests (Art. 21).
- Not be subject to solely-automated decisions that have legal or similarly significant effects (Art. 22). Our alerts are algorithmic but do not have such effects; you can request a human review.
- Withdraw consent at any time for activities where consent is the lawful basis.
California residents additionally have the right to opt out of sale and sharing (we do neither), and the right to know the categories of data collected. European users enjoy the same catalogue of rights under the EU GDPR.
10. Children
The Service is not directed at children. You must be at least 13 years old to create an account. We apply high-privacy defaults for users aged 13–17, consistent with the UK Children's code (the Age Appropriate Design Code).
If you are a parent or guardian and believe a child in your care has provided data without permission, please contact us and we will act promptly.
12. Security
We encrypt data in transit (TLS 1.2 or higher) and at rest. Access to production systems is restricted and audit-logged. We patch systems regularly and run vulnerability scans. No online service is perfectly secure; we continually improve our controls.
13. Complaints
If you have a concern, please first contact us at privacy@chonkpal.example. We will acknowledge within two working days and aim to respond substantively within ten working days.
You also have the right to complain to the Information Commissioner's Office (ICO), the UK's data-protection regulator, at ico.org.uk/make-a-complaint/ or 0303 123 1113. Users in other jurisdictions may complain to their local supervisory authority.
14. Changes to this notice
We may update this notice to reflect changes to our processing or legal changes. Material updates will be notified to you in-app and by email where we have your email address. The "Last updated" date at the top records the most recent change.
15. Contact
Data Protection Lead, ChonkPal Ltd, [registered office to be inserted], United Kingdom. Email: privacy@chonkpal.example.