Privacy Policy
Last updated: 20 April 2026 · Effective: 20 April 2026
This Privacy Policy (the "Privacy Policy") sets out how Rahul Singh, an individual sole proprietor resident in India ("Company", "we", "us", or "our"), collects, uses, stores, shares, and otherwise processes your Personal Data in connection with your use of:
- the Catwise mobile application for iOS and Android (the "App");
- the Catwise website at www.catwise.pro (the "Website"); and
- all related features, materials, and content we make available to you, including CatGPT, vet‑record OCR, health records, life entries, and routine reminders (together with the App and Website, the "Service").
"Personal Data" means any information that identifies you as an individual or that relates to an identifiable individual. In this Privacy Policy we sometimes also refer to "Cat Data" — information about your cat, such as photos, health records, and CatGPT conversations. Cat Data is not itself Personal Data, but we treat it with the same care because it is yours and may indirectly relate to you.
Under India's Digital Personal Data Protection Act, 2023 ("DPDPA"), the Company acts as the Data Fiduciary for Personal Data processed through the Service. The Company is also the "data controller" under the EU General Data Protection Regulation ("GDPR") and the UK GDPR, and the "business" under the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA").
If you do not agree with this Privacy Policy, please do not use the Service. If you have questions, contact us at support@supalabs.dev.
Summary of key points
- We collect only the Personal Data we need to deliver the Service and to personalise care suggestions for your cat.
- We do not sell or rent your Personal Data. We do not process it for cross-context behavioural advertising. We do not use your data (or your Cat Data) to train AI models.
- We use Supabase as our hosting, authentication, and storage provider, and Supagen as an AI template router that forwards requests to established model providers (currently including OpenAI, Anthropic, and Google; the list may change over time).
- You have rights of access, correction, erasure, portability, objection, and — where applicable — withdrawal of consent. You can exercise them from inside the App or by emailing support@supalabs.dev.
- The Service is intended for users aged 13 and over.
1. What Personal Data we collect
In short: we collect the Personal Data you provide to us when you use the Service, together with limited technical data that our servers, the App, and PostHog collect automatically.
1.1 Personal Data you provide to us
Account Information. When you create an account, we collect your email address and a password (handled and hashed by our authentication provider, Supabase Auth), and the display name you choose to show inside your household.
Cat Profile Information. We collect information about your cat that you enter in the App, such as name, photo, birthdate, adoption date, sex, breed, coat type, and life stage. We use this information to personalise routines and responses.
Care-Area Configuration. We collect the answers you give during setup of the App's care areas (including feeding, grooming, health, socialisation, play, litter, sleep, environment, safety, and training). These answers are used to generate recurring tasks and recommendations tailored to your cat.
Health Records. We collect the health records you enter in the App or that are extracted for you, including vet visits, vaccinations, preventives, weight, body length, and related notes. You may also upload photos of vet documents to the in-App Vault for OCR extraction; we process those images solely to convert their content into structured, editable health records.
Life Entries. We process the photos, videos, captions, activity tags, fun tags, and sleep ranges you voluntarily log as life entries. Within your household, these entries are visible to the other members of your household. Outside your household, life entries are not publicly visible unless we introduce an explicit sharing feature that you opt into in the future.
Social Interactions. When you react to, or comment on, a life entry within your household, we store your reaction or comment associated with your User account.
CatGPT Conversations. We collect the messages you send to CatGPT, any images you attach, and the responses CatGPT returns, so that CatGPT can reference your previous context and so that you can re-read your chat history.
Support Communications. If you contact us by email or via any in-App feedback mechanism, we process the content of your communication and any information you voluntarily provide.
1.2 Personal Data collected automatically
Product Analytics. When you use the Service, we collect limited product-analytics data through PostHog. This includes the screens you open, the in-App events you trigger (for example, completing a task), App crashes, your device type, operating system, App version, and a randomly generated installation identifier. This data helps us understand which features help cat parents, prioritise fixes, and identify bugs.
Log and Technical Data. When the App or Website communicates with our servers, we automatically collect the IP address, timestamps, and request metadata of that communication. This is used for security, abuse prevention, and debugging.
Cookies (Website only). Our Website uses first-party session cookies that are strictly necessary to provide the Website, and, on the landing page only, the Meta Pixel to measure the effectiveness of our landing page. The App does not use cookies and does not participate in cross-App advertising tracking; where iOS requires App Tracking Transparency, the App declines tracking by default.
1.3 Device permissions we may request
The App requests only the following device permissions, and only at the point you use the feature that needs them:
- Photos / Gallery — to let you upload a specific photo or video you select for a cat profile photo, life entry, or vet record. The App reads only the files you pick; we do not scan your gallery.
- Camera — to let you take a photo or video within the App (for example, to capture a vet record or a life moment).
- Microphone — to let you dictate a CatGPT message by voice. Speech is transcribed to text on your device, and only the resulting text is sent to our servers. We do not store raw audio.
- Notifications — to send routine reminders, if you opt in.
1.4 What we do not collect
We do not collect precise location, device contacts, calendar data, financial or payment information (the App does not take payments at present), or health information about humans.
2. How we use your Personal Data
In short: we use Personal Data to run the Service, to personalise care suggestions, to secure and improve the Service, and to comply with law. We do not use it for behavioural advertising or to train AI models.
We process Personal Data for the following purposes:
- To provide the Service. Creating and authenticating your account, syncing your household's data across devices, showing your cat's routine, saving your life entries, and delivering push notifications you opted into.
- To personalise the Service. Tailoring recommended tasks, CatGPT responses, and health-record suggestions based on your cat's profile and the configuration answers you gave us.
- To power AI-assisted features. Processing the minimum context required to answer a CatGPT message or to extract text from a vet-record image (see Section 4.2).
- To analyse and improve the Service. Aggregating usage patterns, diagnosing crashes, and informing product decisions.
- To maintain security and prevent abuse. Detecting and investigating security incidents, bots, and misuse.
- To communicate with you. Sending transactional emails (for example, password reset and account notices) and responding to your support requests. We do not send marketing emails through the Service.
- To comply with legal obligations. Responding to lawful requests from authorities, enforcing our Terms, and establishing, exercising, or defending legal claims.
We do not sell or rent your Personal Data. We do not process it for cross-context behavioural advertising. We do not use your Personal Data or Cat Data to train AI models, whether ours or any third party's.
3. Legal bases for processing (EU / UK)
In short: if you are in the EU, EEA, or UK, we rely on one or more of the legal bases listed below for each processing purpose.
| Purpose | Legal basis (GDPR / UK GDPR) | Data categories |
|---|---|---|
| Providing the Service (account creation, authentication, sync, core features) | Performance of a contract (Art. 6(1)(b)) | Account Information, Cat Profile Information, Care-Area Configuration, Routine completions, Life Entries, Social Interactions |
| AI-assisted features (CatGPT, OCR) | Performance of a contract (Art. 6(1)(b)) | CatGPT Conversations, Cat Profile Information, Health Records, vet-record images |
| Product analytics and Service improvement | Legitimate interests (Art. 6(1)(f)) — interest: understanding how the Service is used so we can improve it | Product Analytics, Log and Technical Data |
| Security and abuse prevention | Legitimate interests (Art. 6(1)(f)) | Log and Technical Data, Account Information |
| Transactional communications and support | Performance of a contract (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)) | Account Information, Support Communications |
| Push notifications (optional) | Consent (Art. 6(1)(a)) | Device token, notification preferences |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) | As required by the applicable law |
Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Where we rely on legitimate interests, you may object to the processing as described in Section 10.
4. When and with whom we share Personal Data
In short: we share Personal Data only with the service providers we need to run the Service, with authorities where legally required, and in the event of a business transfer.
4.1 Service providers
We rely on a small set of third-party service providers who process Personal Data on our behalf under written data processing terms. These are:
- Supabase — our authentication, database, and file-storage provider. Hosted on AWS in the United States (us-east-1). Supabase's privacy policy is available at supabase.com/privacy.
- Supagen — our AI template router. When you use CatGPT or upload a vet record for OCR, Supagen forwards your request and the minimum context required (for example, your cat's profile and relevant prior messages) to the underlying AI model provider and returns the response to the App.
- PostHog — our product-analytics provider. Hosted in the United States. Its privacy policy is available at posthog.com/privacy.
- App store and operating-system providers — Apple Inc. and Google LLC, for App distribution, push-notification delivery, and any crash logs you opt to share. Their processing is governed by their own privacy policies.
- Email delivery provider — used to send transactional emails from support@supalabs.dev.
4.2 AI model providers
CatGPT and the vet-record OCR pipeline are powered by third-party AI model providers accessed through Supagen. The set of AI model providers we rely on evolves as model capabilities change. At the time of this version of the Privacy Policy, our AI model providers include OpenAI, Anthropic, and Google (accessed through their business / enterprise APIs). We may add or replace AI model providers in the future — including other established providers — as our model routing changes.
We only work with AI model providers whose API terms prohibit training their models on data submitted through the API. If our AI model provider stack materially changes, we will update this Privacy Policy accordingly.
4.3 Legal compliance and protection of rights
We may disclose Personal Data where we have a good-faith belief that disclosure is required to (a) comply with law, a court order, or a lawful request from a public authority; (b) enforce our Terms or protect the rights, property, or safety of the Company, our users, or the public; or (c) prevent or investigate fraud, abuse, or security incidents.
4.4 Business transfers
If the Service is transferred in the context of a merger, acquisition, reorganisation, or sale of assets, Personal Data may be transferred as part of that transaction. We will notify affected users of any such transfer and of any resulting change to this Privacy Policy before it takes effect.
5. Where your Personal Data is stored and transferred
In short: Personal Data is stored in the United States. If you are outside the United States, your data will be transferred there, subject to appropriate safeguards.
Personal Data is stored on Supabase infrastructure hosted on AWS in the United States (us-east-1). If you access the Service from India, the EU, the EEA, the United Kingdom, or elsewhere, your Personal Data will be transferred to, and processed in, the United States and other jurisdictions in which our service providers operate.
For transfers from the EU / EEA and the United Kingdom, we rely on Standard Contractual Clauses approved by the European Commission and the UK authorities (Art. 46 GDPR / Art. 46 UK GDPR) with our processors as the applicable safeguard. Where an adequacy decision is unavailable, we apply additional safeguards such as encryption in transit and at rest, and access controls, to protect cross-border transfers.
6. How long we keep your Personal Data
In short: we keep Personal Data for as long as you have an account with us, and delete it shortly after you delete your account, subject to limited exceptions for legal compliance.
- Account Information, Cat Profile Information, Care-Area Configuration, Routine completions, Health Records, Life Entries, Social Interactions, CatGPT Conversations, and uploaded media — retained for as long as you have an active account with us.
- After account deletion — removed from our live systems within 30 days, and from routine backups within a further 90 days.
- Product-analytics data not linked to your identity — retained for up to 24 months in aggregated form.
- Support Communications and transactional email records — retained for up to 2 years for abuse-prevention and compliance.
- Records we are legally required to keep — retained for the duration required by the applicable law, and only for that purpose.
7. How we protect your Personal Data
In short: we use commercially reasonable technical and organisational measures, including encryption in transit, encryption at rest, and row-level access controls.
- Traffic between the App, the Website, and our servers is protected in transit using TLS 1.2 or higher.
- Supabase encrypts data at rest.
- Access to your account is gated by the authentication method you have configured.
- Row-level security rules ensure that only members of your household can access your cat's data.
- Internally, access to production systems is limited to the Company and is subject to credentials and least-privilege principles.
No security system is impenetrable. If we discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, as required by the DPDPA, the GDPR / UK GDPR, and applicable US state laws.
8. What we avoid doing with your Personal Data
- We do not sell, license, or rent Personal Data.
- We do not share Personal Data for cross-context behavioural advertising.
- We do not use Personal Data or Cat Data to train AI models.
- We do not knowingly collect Personal Data from children under 13.
- We do not request or store sensitive personal information (as defined under the GDPR or the CCPA) except the minimum technical information, such as an authentication credential, that is strictly necessary to operate the Service.
9. Your rights — overview
In short: depending on where you are located, you have the right to access, correct, delete, port, restrict, or object to our processing of your Personal Data, and to withdraw consent where we rely on it.
You can exercise any of these rights, regardless of jurisdiction, by emailing support@supalabs.dev from the email address associated with your account, or from inside the App (Settings → Delete account). We will respond within the timeframes required by the applicable law, and in any event within 30 days of a verified request, subject to a one-time extension where the request is complex.
We may need to verify your identity before acting on a request. We will only use the information you provide for verification to verify your identity, and we will delete it once the verification is complete. We may decline requests that are manifestly unfounded, excessive, or repetitive, or where an exception provided for under the applicable law applies.
10. Your rights if you are in the EU, EEA, or UK
In short: under the GDPR and the UK GDPR you have the rights listed below.
- Right of access (Art. 15) — to confirm whether we process your Personal Data and to receive a copy.
- Right to rectification (Art. 16) — to correct inaccurate or incomplete Personal Data.
- Right to erasure (Art. 17) — to have your Personal Data deleted, subject to the exceptions set out in Art. 17(3).
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — to receive your Personal Data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21) — to object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)) — where we rely on consent.
- Right to lodge a complaint (Art. 77) with your local supervisory authority.
11. Your rights if you are in California
In short: under the CCPA / CPRA you have rights to know, delete, correct, and limit the sharing of your Personal Data. We do not sell your Personal Data and do not share it for cross-context behavioural advertising.
You have the following rights under the CCPA (Cal. Civ. Code §§ 1798.100–1798.150) and the CPRA:
- Right to know the categories and specific pieces of Personal Data we have collected about you in the preceding twelve (12) months (§ 1798.100).
- Right to delete your Personal Data, subject to statutory exceptions (§ 1798.105).
- Right to correct inaccurate Personal Data (§ 1798.106).
- Right to opt out of the "sale" or "sharing" of Personal Data for cross-context behavioural advertising (§ 1798.120). We do not sell or share Personal Data in this sense, so there is nothing to opt out of.
- Right to limit the use and disclosure of sensitive Personal Data (§ 1798.121). We do not process sensitive Personal Data for purposes other than those permitted under § 1798.121(d).
- Right of non-discrimination for exercising your privacy rights (§ 1798.125).
- Under California Civil Code § 1798.83 ("Shine the Light"), California residents may request information about our disclosure of Personal Data to third parties for direct-marketing purposes. We do not disclose Personal Data for third-party direct-marketing purposes.
You may use an authorised agent to exercise these rights on your behalf, in accordance with the CCPA.
Categories of Personal Data collected and disclosed in the preceding 12 months.
| CCPA Category | Examples | Collected | Disclosed for a business purpose |
|---|---|---|---|
| A. Identifiers | Email address, account ID, IP address, device identifier | YES | YES — to Supabase, PostHog, App store providers |
| B. California Customer Records | Signature, phone number, education, employment | NO | — |
| C. Protected classification characteristics | Race, religion, sexual orientation, marital status | NO | — |
| D. Commercial information | Transaction history, purchase records | NO | — |
| E. Biometric information | Fingerprints, voiceprints | NO | — |
| F. Internet or similar network activity | Screen views, in-App events, session metadata | YES | YES — to PostHog (product analytics) |
| G. Geolocation data | Precise location | NO | — |
| H. Audio, visual, or similar information | Photos and videos you upload; CatGPT attachments; vet-record images | YES | YES — to Supabase (storage); to AI model providers when you use CatGPT or OCR |
| I. Professional or employment-related information | Job title, employer | NO | — |
| J. Education information | Student records | NO | — |
| K. Inferences drawn from other Personal Data | Inferences about user preferences derived from in-App behaviour | YES | NO |
| L. Sensitive Personal Information (as defined under the CPRA) | Account credentials (username + password) sufficient to access an account | YES — only to authenticate you; not used for any purpose other than those permitted under § 1798.121(d) | YES — to Supabase (authentication) |
12. Your rights if you are in another US state (Virginia, Colorado, Connecticut, Utah, and similar)
In short: residents of Virginia, Colorado, Connecticut, Utah, and other US states with comprehensive privacy laws have rights similar to, but not identical to, those of California residents. We extend the rights below to all such residents.
If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), or another US state with a comprehensive consumer privacy law, you have the following rights in relation to your Personal Data, subject to jurisdiction-specific exceptions:
- Right to confirm whether we process your Personal Data and to access it.
- Right to correct inaccuracies.
- Right to deletion.
- Right to a portable copy.
- Right to opt out of (i) targeted advertising, (ii) the sale of Personal Data, and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in any of these activities, so there is nothing to opt out of.
- Right to appeal our decision on a privacy request.
To exercise any of these rights, see Section 15.
13. Your rights if you are in India
In short: under the DPDPA you have rights of access, correction, erasure, grievance redressal, and nomination in respect of your Personal Data.
If you are a Data Principal in India (i.e., an individual to whom Personal Data relates), you have the following rights under the Digital Personal Data Protection Act, 2023:
- Right to access information about your Personal Data processed by the Company (Section 11 DPDPA).
- Right to correction, completion, updating, and erasure of Personal Data (Section 12 DPDPA).
- Right to grievance redressal — you may raise a grievance about any act or omission of the Company in processing your Personal Data (Section 13 DPDPA). If your grievance is not resolved to your satisfaction, you may approach the Data Protection Board of India.
- Right to nominate another person who may exercise these rights in the event of your death or incapacity (Section 14 DPDPA).
- Right to withdraw consent at any time where we rely on consent, with effect going forward.
14. Do Not Track signals
In short: there is no universally accepted "Do Not Track" standard, so we do not currently respond to DNT signals.
Some web browsers transmit "Do Not Track" signals. As no uniform standard for interpreting those signals has been adopted, we do not currently respond to them. Where a widely adopted standard emerges, we will update this Privacy Policy accordingly. The App itself does not track you across third-party apps or websites for advertising purposes.
15. How to exercise your rights
To exercise any right described above, contact us by email at support@supalabs.dev from the email address associated with your account, or delete your account directly from the App (Settings → Delete account). Please include sufficient information for us to identify you and respond, such as the email on your account and a description of your request.
We will respond within 30 days of receiving a verified request. Where a request is complex or we receive a high volume of requests, we may extend the response period by a further 30 days and will notify you of the extension within the initial period. We may decline requests that are manifestly unfounded, excessive, or repetitive, or that fall within an exception provided by the applicable law.
16. AI features and automated decision-making
In short: Catwise uses AI to make suggestions. It does not make decisions that produce legal or similarly significant effects on you, and it is not a substitute for professional veterinary advice.
CatGPT, the vet-record OCR pipeline, and certain personalisation features rely on third-party AI models. Output from these features is advisory in nature: it is intended to help you think through options and to digitise paperwork, not to make decisions about you. None of the Service constitutes veterinary, medical, or legal advice. If your cat is unwell, please consult a qualified veterinarian.
17. Children's privacy
In short: the Service is intended for users aged 13 and older. We do not knowingly collect Personal Data from children under 13.
The Service is not directed at children under the age of 13, and we do not knowingly collect Personal Data from children under 13. If you believe a child under 13 has created an account, email us at support@supalabs.dev and we will delete the account and associated Personal Data promptly. If you are in the EU / EEA or the United Kingdom and are below the age of digital consent in your country (between 13 and 16 depending on the jurisdiction), you must use the Service only with the involvement of a parent or guardian.
18. Changes to this Privacy Policy
In short: if we make material changes we will notify you in-App or by email before the changes take effect.
We may revise this Privacy Policy from time to time to reflect changes in applicable law, our data practices, or the features of the Service. The "Last updated" date at the top of this page indicates when the most recent changes were made. Where the changes are material, we will notify you in-App or by email at least 14 days before they take effect. Your continued use of the Service after the effective date of an updated Privacy Policy constitutes your acknowledgment of the updated terms.
19. How to contact us
Rahul Singh, sole proprietor and operator of Catwise
Email: support@supalabs.dev
If you have concerns we have not resolved, you may also lodge a complaint with the data-protection authority in your jurisdiction — for example, the Data Protection Board of India, your EU supervisory authority, or the UK Information Commissioner's Office (ico.org.uk).