Privacy Policy

Last updated: June 20, 2026

1. Who we are

KibblKibbl (“we”, “us”, “our”) is a worldwide platform that connects pet owners, rescuers, veterinarians, and pet care businesses. We are committed to protecting your personal data and complying with applicable privacy laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), and similar legislation worldwide.

For privacy inquiries or to exercise your rights, contact us at: [email protected]

2. Data we collect

We collect the following categories of personal data:

Account and profile data

  • Username, display name, email address, phone number (if you use phone sign-in), and hashed password.
  • Profile photo, cover image, bio, location field (city or text you enter), and role on the platform.

Authentication and security data

  • IP address, collected on sign-up and on requests, used for security, fraud prevention, and rate limiting.
  • User agent (browser or device type), login timestamps, and session or token metadata.
  • Server access logs (IP, URL, status code, timestamp). Log retention depends on our hosting provider’s configuration.

Content you create

  • Feed posts, comments, reactions, and articles.
  • Pet listings — name, species, breed, age, health notes, adoption status, photos, and QR tag data.
  • Rescue posts and lost-and-found reports, including any location or photos you attach.
  • Private messages, including text and any media you send.
  • Adoption applications (contact details, residence information, and lifestyle answers you submit).
  • Blood donor registrations (pet health information you provide).
  • Business profiles, branches, team listings, service provider profiles, and reviews.
  • QR pet tag scan records: when a pet’s QR tag is scanned, we record the time, the scan source, and — if location permission was granted at the time — the GPS coordinates of the scan.

Uploaded media and documents

  • Photos and videos attached to posts, listings, or profiles.
  • Voice messages (audio files) sent in chat.
  • PDFs and images (JPEG, PNG, WebP) uploaded as documentation — such as vaccination records and expense invoices — to adoption forms or pet profiles.
  • All uploaded files are stored in our cloud media storage (Google Firebase Storage). Some older files from a prior storage migration may remain at their original URLs.

Location data

  • Optional device GPS (mobile app): if you grant location permission, your coordinates are used in-session for nearby search and map features. Coordinates used only for real-time search are not persistently stored on our servers for that purpose.
  • User-submitted locations: addresses or coordinates you choose to attach to pet listings, rescue posts, lost-and-found reports, businesses, or branches are stored as part of that record and may be visible to other users.
  • QR scan GPS: if you grant location permission when scanning a QR pet tag, the coordinates are stored in the scan record linked to that pet.
  • Approximate IP-based location: when you first open the map feature, your IP address is resolved to an approximate city using a self-hosted geolocation database to set an initial map position. Your IP address is not sent to any third party for this purpose and is not stored against your account.

Push notification and device identifiers

  • If you enable notifications, we store a push token associated with your account to deliver alerts via Apple Push Notification service (APNs), Google Firebase Cloud Messaging (FCM), or Expo Push Service.
  • Firebase authentication identifiers (where applicable) are stored in your account record to link your phone auth session.

Diagnostics and platform logs

  • We use Sentry to collect crash reports and performance diagnostics, which may include device type, OS version, and app state at the time of an error. We do not intentionally send message content or passwords to Sentry.
  • Cloudflare security logs — including IP address, request metadata, and bot-detection signals — are generated automatically as part of DDoS and security protection.

We do not collect payment card data, government-issued ID, or biometric data.

3. How we use your data

  • To operate and improve the platform (legal basis: contract performance / legitimate interest).
  • To send transactional notifications — adoption updates, new messages, and rescue alerts (legal basis: contract performance).
  • To detect and prevent fraud, abuse, and spam (legal basis: legitimate interest).
  • To respond to support requests and exercise or defend legal rights (legal basis: legitimate interest / legal obligation).
  • To comply with applicable law, regulatory requirements, or lawful requests (legal basis: legal obligation).
  • To maintain safety and platform integrity, including review of reported content (legal basis: legitimate interest).

We do not sell your personal data to third parties. We do not use your data for behavioural advertising or share it with advertisers.

4. Data sharing

We share data only in the following circumstances:

  • With other users: profile data (username, display name, avatar, bio, location field, and role) is visible to other users as part of the platform’s social features. Content you post publicly — pet listings, rescue posts, articles, reviews, and business profiles — is visible to other users. Private messages are visible only to the conversation participants.
  • Service providers (data processors): the following third parties process data on our behalf and may not use it for their own purposes:
    • DigitalOcean — cloud hosting for the API and web containers, managed PostgreSQL database, and Valkey/Redis cache.
    • Cloudflare — reverse proxy, DDoS protection, and bot mitigation. Cloudflare may set security cookies (__cf_bm, cf_clearance) required for platform security; these are not used for advertising or cross-site tracking.
    • Google Firebase — phone number authentication (OTP via SMS), push notification infrastructure (FCM), and cloud object storage (Firebase Storage) for all user-uploaded media, documents, and voice messages. Your phone number is sent to Firebase only when you use phone-based sign-in.
    • Expo / EAS — over-the-air app updates and push notification relay to APNs and FCM on our behalf.
    • Google Maps Platform — interactive maps, geocoding, reverse geocoding, and location search. Map requests include coordinates or search queries.
    • Sentry — error and crash monitoring for the web and mobile applications.
    • Mandrill (Mailchimp) — transactional email delivery (verification emails, adoption alerts, password resets).
    • Apple App Store / Google Play Store — distribution of the mobile application. Each store’s own privacy policy governs data collected through store interactions.
  • Legal requirements: when required by law, court order, or to protect the safety of users or the public.
  • Business transfers: in the event of a merger, acquisition, or asset sale, your data may be transferred. We will provide notice before this occurs where required by applicable law.

5. Data retention

We retain your account data for as long as your account is active. If you delete your account (via the in-app Settings option or by contacting [email protected]), we will delete or anonymise your personal data as promptly as reasonably practicable, subject to the following:

  • Certain records may be retained as long as necessary for safety, fraud prevention, moderation history, or to satisfy legal or regulatory obligations.
  • Backup snapshots, server access logs, and infrastructure logs may persist for the retention periods configured by our hosting providers before being purged.
  • Uploaded media files stored on our cloud infrastructure are deleted when the associated records are removed; timing may depend on background cleanup processes.
  • Content already received by another user (for example, a message already read) may remain in that recipient’s thread until cleared on their end.
  • Anonymised or aggregated data derived from your activity may be retained indefinitely for platform analytics and safety purposes.

6. Cookies and authentication storage

When you sign in on the web, KibblKibbl stores your authentication token in an httpOnly cookie (named kk_token). This cookie is strictly necessary for the platform to function. It is not accessible by JavaScript and is not used for advertising or analytics.

On the mobile app, your authentication token is stored in the device’s secure storage (Expo SecureStore, backed by iOS Keychain or Android Keystore). This data is not shared with third parties.

We do not use third-party advertising cookies or cross-site tracking pixels. We do not use cookies for analytics.

Our infrastructure provider Cloudflare may set security cookies (__cf_bm and cf_clearance) to distinguish human visitors from automated bots and to support DDoS protection. These are operational security measures and are not used for advertising or cross-site tracking.

7. Your rights

Depending on your location, you have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Correction: update inaccurate or incomplete data (most fields can be edited directly in your profile settings).
  • Deletion: request deletion of your account and associated personal data, subject to retention exceptions described in §5.
  • Portability: receive a copy of your data in a structured, commonly used format.
  • Restriction: ask us to limit processing of your data in certain circumstances.
  • Objection: object to processing based on legitimate interest.
  • Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, email [email protected]. We will respond within 30 days. We may ask you to verify your identity before acting on a request.

If you are in the EU or UK, you have the right to lodge a complaint with your local data protection authority (such as the Irish Data Protection Commission, the UK ICO, or the relevant supervisory authority in your country).

8. California residents (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what personal data we collect, use, disclose, and share.
  • Delete personal data we have collected from you, subject to certain exceptions.
  • Correct inaccurate personal data we hold about you.
  • Opt out of the “sale” or “sharing” of personal data for cross-context behavioural advertising — we do not sell or share personal data for this purpose.
  • Limit use and disclosure of sensitive personal information — we collect phone numbers and precise location (when you grant permission) only as described in this policy, and we do not use them for purposes beyond what is stated here.
  • Non-discrimination for exercising your CCPA/CPRA rights.

Categories of personal data we collect include: identifiers (name, email, phone number, IP address, device identifiers); commercial or transaction information (adoption inquiry records); internet or electronic network activity (usage and access logs); geolocation data (optional GPS and IP-based location); audio, visual, or similar data (photos, videos, voice messages); and user-generated content (posts, messages, listings). We do not use these for cross-context behavioural advertising.

To submit a CCPA/CPRA request, contact [email protected]. We may need to verify your identity and California residency. You may also authorise an agent to submit a request on your behalf, subject to verification.

9. International data transfers

KibblKibbl serves users globally. Your data may be stored and processed in data centres outside your country of residence, including in the United States. Where we transfer personal data from the EEA, UK, or Switzerland to third countries that do not provide an equivalent level of protection, we put appropriate safeguards in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission. For third-party processors, we rely on their own applicable transfer mechanisms where these exist (for example, Google’s and Cloudflare’s Data Processing Addenda and EU SCCs).

10. Children

KibblKibbl is not directed to children under the age of 13 (or 16 in the EEA where applicable). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact [email protected] and we will delete it promptly.

11. Security

We implement industry-standard security measures including encrypted data transmission (HTTPS/TLS), bcrypt-hashed passwords, httpOnly authentication cookies, CSRF protection on state-changing web requests, input validation and sanitisation, rate limiting, and access controls. No system is completely secure. If you discover a security vulnerability, please report it responsibly to [email protected].

12. App store disclosures

The KibblKibbl mobile app is distributed through the Apple App Store and Google Play Store. Our Apple Privacy Nutrition Label and Google Play Data Safety disclosures are based on the data categories described in this policy. We update store disclosures when this policy changes in a material way. If there is any inconsistency between store-submitted disclosures and this policy, this policy reflects the intended practice.

13. Changes to this policy

We may update this policy from time to time. Material changes will be notified via an in-app notification or email at least 14 days before taking effect. The “last updated” date at the top of this page reflects the most recent revision. Continued use of the platform after a material change takes effect constitutes acceptance of the updated policy.