PawM8 Privacy Policy
Effective date: April 26, 2026
This policy explains what personal data PawM8 collects, why we collect it, who we share it with, and the rights you have. It applies to the PawM8 iOS app and the pawm8.com website.
PawM8 is provided by Idekini, registered at Van Houtenstraat 60, 7331 SZ Apeldoorn, the Netherlands (KVK 98732951). For data-protection purposes, Idekini is the controller of your personal data.
If you have a question or want to exercise a right described below, email [email protected].
Quick summary
- We process the personal data you give us (profile, photos, messages) and data your device produces (location if you allow it, push token, app diagnostics).
- We use it to run the matching service, deliver the app, keep the community safe, and improve the product. We do not sell your data and do not use it to train third-party AI models.
- We share it with a small set of vetted processors (Supabase, Apple) and not otherwise — except where the law requires.
- You have rights to access, correct, delete, restrict, and port your data. Section 9 explains how to use them.
- If you live in the Netherlands, the rest of the EU/EEA, the UK, or Turkey, you have additional protections — see section 10.
1. Information we collect
1.1 Information you provide
| Category | Examples |
|---|---|
| Account | Email address, password (stored hashed), Apple/Google user ID if you sign in with those |
| Profile | Name, date of birth, bio, photos, prompt answers, match-mode preferences, optional emergency-contact name and phone number |
| Pet profiles | Name, species, breed, age, gender, photos, personality tags, voice notes, vaccination/neuter status |
| Content you send | Messages, images, voice notes, playdate proposals, RSVPs, reports about other users |
1.2 Information collected automatically
| Category | Examples |
|---|---|
| Precise location | If you grant iOS permission — used to surface nearby pet owners and venues. Revocable any time in iOS Settings. |
| Device | Apple Push Notification Service (APNs) device token, iOS version, app version |
| Usage | Screen views, swipe outcomes, aggregated feature counters used to improve the product. We do not run third-party analytics. |
1.3 Information from third parties
If you use Sign in with Apple or Google, we receive the user ID returned by that provider, and (for Google) the email address you authorize.
2. Why we use your data, and on what legal basis
EU and UK GDPR require us to have a lawful basis for each kind of processing. Here is ours:
| What we do | Lawful basis |
|---|---|
| Create and operate your account; provide matching and messaging | Contract (GDPR Art 6(1)(b)) — necessary to deliver the service you signed up for |
| Send transactional pushes (new match, new message, playdate reminder) | Contract (Art 6(1)(b)) |
| Use precise location to find nearby users and places | Consent (Art 6(1)(a)), granted via iOS permission prompt; revocable any time |
| Use voice notes and photos uploaded to your profile | Consent (Art 9(2)(a)) — these may be considered “special category” data when they reveal biometric or health information |
| Run automated image/text moderation to block prohibited content before it reaches other users | Legitimate interest (Art 6(1)(f)) — community safety; balances against your right to send content freely |
| Investigate reports of abuse and enforce the Terms | Legitimate interest (Art 6(1)(f)); occasionally legal obligation (Art 6(1)(c)) when authorities require |
| Aggregate usage analytics to improve the product | Legitimate interest (Art 6(1)(f)) — limited, no cross-app tracking, no third-party analytics |
| Marketing emails about new features (only if you opt in) | Consent (Art 6(1)(a)) |
For users in Turkey, the same processing operations are carried out under either the user’s explicit consent (açık rıza) as defined in Article 5(1) of KVKK, or the relevant non-consent grounds in Article 5(2) (performance of a contract, legitimate interest, legal obligation).
Special-category data (Art 9 GDPR / Art 6 KVKK)
PawM8 does not require or ask for sensitive personal data (race, religion, political opinion, sexual orientation, health, biometrics, genetic data, criminal records). However, content you choose to upload — photos and voice notes — may contain such information. By uploading, you give explicit consent to its storage and display under GDPR Art 9(2)(a) and KVKK Art 6(2). You can remove this content any time by deleting the photo, voice note, or your account.
3. Automated decisions and profiling
Our matching algorithm shows you potential pet/owner matches based on preferences and location. This is not “automated decision-making producing legal effects” under GDPR Art 22 — it does not refuse you a service, process payment, or make a binding decision. Image and text moderation rules block content but do not result in automatic permanent bans without human review of repeat or severe cases.
4. How we share your data
4.1 With other PawM8 users
The profile content you publish — name, photos, bio, prompts, pet profile — is visible to other users as part of the discovery experience. Messages and playdate details are visible only to you and the match participants.
4.2 With service providers (data processors)
We use a small set of processors who handle data on our behalf under a data-processing agreement (Art 28 GDPR):
| Processor | What they do | Where data is stored |
|---|---|---|
| Supabase, Inc. | Backend host (Postgres database, file storage, auth, edge functions) | EU region (Frankfurt) |
| Apple, Inc. | Apple Push Notification Service — delivers an encrypted payload + your device token | USA (Apple’s APNs infrastructure) |
| Cloudflare, Inc. | DNS, email forwarding for *@pawm8.com, hosting of pawm8.com static site | Global edge / EU |
We do not share your personal data with advertising networks, data brokers, or any third party for their own purposes.
4.3 For legal reasons
We may disclose data if required by valid legal process (court order, warrant) or to protect the safety of users or the public, in accordance with applicable law.
4.4 Corporate transactions
If Idekini is acquired, merged, or undergoes another corporate transaction, your data may transfer as part of that transaction. You will be notified beforehand and given the opportunity to delete your account.
5. International transfers
Your data is primarily stored in the European Union (Supabase EU region). Some processors are based outside the EU/UK/Turkey:
- Transfers to the United States (Apple APNs, Cloudflare’s global network for email forwarding) are protected by Standard Contractual Clauses (SCCs) under EU Commission Decision 2021/914 and, for UK data, the UK International Data Transfer Addendum issued by the ICO.
- For users in Turkey: any transfer of personal data outside Turkey is made under either your explicit consent or, where the destination country provides adequate protection or sufficient guarantees as defined in Article 9 of KVKK and the resolutions of the KVK Authority.
You can request copies of the safeguards in place by emailing [email protected].
6. How long we keep data
| Data | Retention |
|---|---|
| Active account data | While your account is active |
| Account marked deleted | Soft-deleted immediately (hidden from other users); permanently purged within 30 days |
| Reports of abuse and moderation logs | Up to 24 months after the report, even if your account is deleted, for safety and legal-defence purposes |
| Backups | Up to 30 days rolling — deleted accounts disappear from backups within that window |
| Aggregated/anonymised analytics | Indefinite — no longer personal data once anonymised |
7. Security
We use industry-standard encryption in transit (HTTPS / TLS 1.2+) and at rest (Supabase-managed Postgres with disk-level encryption). Passwords are hashed with bcrypt before storage. Photos and voice notes are stored in Supabase Storage with access-controlled URLs.
No system is perfectly secure. If we become aware of a personal-data breach affecting you, we will notify the competent supervisory authority within 72 hours where required (GDPR Art 33) and notify you without undue delay where the breach is likely to result in a high risk to your rights (Art 34).
8. Children
PawM8 is not directed at and not available to anyone under 18. We verify age at sign-up. If we learn we have inadvertently collected data from a person under 18, we delete it. Parents or guardians who believe a child has registered should email [email protected].
9. Your rights — general
You have the right to:
- Access the personal data we hold about you and receive a copy
- Correct inaccurate or incomplete data — most fields you can update yourself in the app
- Delete your account and personal data (“right to be forgotten”)
- Restrict or object to certain processing
- Port your data — receive it in a structured, commonly-used format
- Withdraw consent for processing based on consent, at any time, without affecting the lawfulness of past processing
To use any of these rights, you can:
- Use Settings → Account → Delete Account in the app for deletion
- Email [email protected] for any other request
We will respond within one month (extendable by two months for complex or numerous requests, with notice). The service is free unless your request is manifestly unfounded or excessive (Art 12 GDPR / KVKK Art 13).
10. Your rights — by jurisdiction
10.1 Netherlands and rest of EU/EEA (GDPR + AVG)
Your rights under section 9 are derived from the General Data Protection Regulation (Regulation (EU) 2016/679) and, in the Netherlands, the Uitvoeringswet AVG.
If you believe we are not handling your data lawfully, you can lodge a complaint with the Dutch supervisory authority:
Autoriteit Persoonsgegevens (AP) Bezuidenhoutseweg 30, 2594 AV Den Haag, Netherlands https://autoriteitpersoonsgegevens.nl
If you live in another EU/EEA country, you can complain to your local DPA — the European Data Protection Board lists them at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
10.2 United Kingdom (UK GDPR + DPA 2018)
UK residents have rights under the UK GDPR and the Data Protection Act 2018. They mirror the EU rights in section 9. You can lodge a complaint with the UK supervisory authority:
Information Commissioner’s Office (ICO) Wycliffe House, Water Lane, Wilmslow SK9 5AF, United Kingdom https://ico.org.uk
10.3 Turkey (KVKK)
Turkish residents have the rights granted by Article 11 of the Personal Data Protection Law (Kişisel Verilerin Korunması Kanunu, Law No. 6698):
- Learn whether your personal data is being processed
- Request information about the processing
- Learn the purpose and whether the data is used for that purpose
- Know the third parties (in Turkey or abroad) who receive the data
- Request correction of incomplete or inaccurate data
- Request deletion or destruction
- Object to processing that produces unfavourable outcomes
- Claim compensation for damage from unlawful processing
To use any of these rights, write to [email protected] with sufficient information to identify you. Under Article 13 of KVKK, we will respond within 30 days.
If you are not satisfied with our response, you can apply to the Turkish Personal Data Protection Authority:
Kişisel Verileri Koruma Kurumu (KVKK Authority) Nasuh Akar Mah. Ziyabey Cad. 1407. Sok. No:4, 06520 Çankaya / Ankara https://www.kvkk.gov.tr
11. Cookies and similar technologies
The pawm8.com website does not set cookies and does not run third-party analytics, advertising, or social-media trackers. The site loads no Google Fonts or other third-party assets.
The PawM8 app stores data on your device (auth tokens, cached profile data, preference settings) using iOS-standard mechanisms (Keychain, UserDefaults). This is necessary for the app to work and is not used for tracking across other apps or services.
12. Marketing communications
We may send transactional emails (account verification, password reset, TestFlight invitations) on the basis of contract performance. We will only send marketing emails (announcements of new features) if you have explicitly opted in. You can opt out at any time by clicking “unsubscribe” in any marketing email or emailing [email protected].
13. Changes to this policy
We may update this policy from time to time. The “Effective date” at the top reflects the current version. Material changes (changes to the legal basis, recipients, or your rights) will be announced in the app and by email at least 30 days before they take effect.
14. Contact
For privacy questions or requests:
Email: [email protected] Postal: Idekini, Van Houtenstraat 60, 7331 SZ Apeldoorn, the Netherlands
If you have a question that doesn’t fit a privacy request, email [email protected].
15. App-Privacy summary (App Store)
The following is what PawM8 declares in App Store Connect, derived from
the app’s PrivacyInfo.xcprivacy manifest:
| Data collected | Linked to you | Used for tracking |
|---|---|---|
| Email address | Yes | No |
| Name | Yes | No |
| Phone number (emergency contact, optional) | Yes | No |
| Precise location | Yes | No |
| Photos and videos | Yes | No |
| Audio data (voice notes) | Yes | No |
| Other user content (bios, messages, prompts) | Yes | No |
| Device identifier (APNs token) | Yes | No |
We do not track users across apps or websites owned by other
companies (NSPrivacyTracking = false).