Privacy Policy
This Privacy Policy explains how What Cat? ("we", "our", or "the app") collects, stores, and uses your information. We designed this app with privacy in mind: you can use most features without creating an account, and the cat data you enter stays on your device unless you choose to sign in.
This policy is written to comply with the Apple App Store Review Guidelines (including the App Privacy "Nutrition Label" disclosure requirements and Guideline 5.1.1(v) on account deletion), the Google Play Developer Program Policies (including the Data Safety section and User Data policy), the EU/UK General Data Protection Regulation (GDPR / UK GDPR), and the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA).
1. Who We Are
What Cat? is published by the What Cat? team ("we"). For the purposes of GDPR / UK GDPR we act as the data controller for the limited account data described below. We do not have a designated Data Protection Officer or EU/UK representative, as the volume and nature of personal data we process do not require one. You can reach us about any privacy matter at privacy@whatcat.app.
2. What We Collect and Why
2.1 Data stored only on your device (no account required)
- Cat profiles — name, breed, age, weight history, ideal weight, diet, health notes, vaccinations, and other care details you enter about your cats.
- Health logs — food, water, litter, weight, medication, vomiting, grooming, play, sleep, mood, vet visit, and expense entries you create.
- Favorites and quiz results — breeds you save and your quiz answers.
- Luna care companion memories — facts about your cats that the care companion remembers across sessions (up to 10 per cat).
- App preferences — onboarding completion status, theme, language, and other local settings.
On iOS and Android this data is stored in a local SQLite database and the operating system's secure local storage (Keychain on iOS, Keystore on Android). On the web it is stored in your browser's local storage. It is not transmitted to our servers unless you sign in and use a feature that requires it (see below). Uninstalling the app or clearing browser storage permanently deletes this data from your device.
2.2 Data stored in our cloud (only if you sign in)
Signing in is optional. If you choose to sign in with Apple or Google, the following is stored in our backend (Supabase, hosted in the United States):
- Account identity — your email address and display name from your Apple or Google account, plus the opaque user ID our backend assigns you.
- Premium subscription status — whether you have an active premium subscription, so your access is restored when you reinstall or switch devices.
- AI usage counters — how many AI messages you have sent (used to enforce free-tier limits and prevent abuse).
- Cat Chat history — when you chat with Luna in Cat Chat, your messages are saved to your account so you can see your conversation across devices. We keep up to the most recent 200 messages per cat.
- Health alert preferences — your settings for which proactive health alerts (e.g., weight, vomiting) you want to receive.
- Push notification token — if you enable notifications, the device-specific token issued by Apple or Google (via the Expo push service) is stored so we can deliver your reminders and alerts.
Your cat profiles, health logs, favorites, quiz results, and Luna memories are not uploaded to our cloud. They remain on your device.
2.3 Data transmitted when using AI features (sign-in required)
Cat Chat and the Luna care companion require you to be signed in. When you send a message, the following is transmitted to our secure backend (a Supabase Edge Function) to generate a response:
- Cat Chat: your message text, your active cat's profile (name, breed, age, weight, conditions, medications, diet), a summary of that cat's health logs from the last 14 days, and a recent portion of the conversation for context.
- Luna care companion (Premium): your message text, your active cat's basic profile, and any "memories" you or Luna have noted about that cat.
Our backend performs security checks (topic filtering, emergency detection) before forwarding the relevant content to OpenAI to generate a response. OpenAI's use of this data is governed by OpenAI's API Privacy Policy; per OpenAI's API terms, content sent through the API is not used to train OpenAI's models. Cat Chat conversations are stored in your account (as described above) so they persist across your devices; Luna care companion conversations are not stored on our servers.
If you are not signed in, no data is transmitted to our backend or to OpenAI. The Luna companion may return a local canned response for a small set of common questions without any network call.
2.4 Data sent to Apple / Google for purchases
If you subscribe to What Cat? Premium, your purchase is processed by the App Store (Apple) or Google Play (Google). We receive a subscription status notification from RevenueCat (our subscription management platform) but we never see your payment card details. RevenueCat's privacy policy is available at revenuecat.com/privacy.
2.5 Device permissions
Some features ask for system permissions on your device:
- Notifications — to deliver care reminders and health alerts you set up. You can decline or revoke this in your device settings.
- Calendar (iOS) — when you create a care reminder, the app can add it to your device calendar. The app does not read your existing calendar events.
- Photo library (when adding a cat photo) — only the photos you explicitly pick are read. We do not browse, index, or upload your library.
Permissions are only requested when you use the relevant feature, and the data accessed stays on your device unless this policy says otherwise.
3. Data We Do Not Collect
- We do not collect precise or coarse location data.
- We do not track your activity across other apps or websites. We do not show the App Tracking Transparency prompt because we do not track you.
- We do not show third-party advertisements.
- We do not use analytics, telemetry, or crash-reporting SDKs.
- We do not sell or "share" (as defined by the CCPA/CPRA) your personal information to any third party.
- We do not use your personal information for any automated decision-making that produces legal or similarly significant effects about you.
- We do not share your data with anyone except the service providers listed in this policy, and only to the minimum extent needed to provide the app's features.
4. App Store & Google Play Disclosure Summary
This section summarizes what we report on Apple's App Privacy "Nutrition Label" and Google Play's Data Safety form. The detailed treatment is in Section 2.
| Data type | Collected? | Linked to you? | Used to track you? | Purpose |
|---|---|---|---|---|
| Email address | Only if you sign in | Yes | No | Account, customer support |
| Name (display name) | Only if you sign in | Yes | No | Personalization in-app |
| Purchase history (subscription status) | Only if you subscribe | Yes | No | Restore Premium across devices |
| User content (Cat Chat messages) | Only if you sign in & use Cat Chat | Yes | No | Provide AI feature, history across devices |
| User content (cat profile excerpts sent for AI) | Only when you send an AI message | Yes (in transit) | No | Provide AI feature |
| Identifiers (account user ID, push token) | Only if you sign in / enable push | Yes | No | Auth, push delivery |
| Diagnostics, crash data, performance, location, contacts, browsing, advertising data | No | — | — | — |
Security practices: Data in transit is encrypted with HTTPS/TLS. Data at rest in our backend is encrypted by the cloud provider. You can request deletion of your data (Section 7).
5. How We Protect Your Data
- All communication between the app and our backend uses HTTPS/TLS (encrypted in transit).
- Data stored in our backend (Supabase / Postgres) is encrypted at rest by the hosting provider.
- Database access is restricted by Postgres Row-Level Security so each signed-in user can only read and write their own rows.
- Your account is authenticated with industry-standard OAuth (Sign in with Apple / Google). We never handle your password.
- The Supabase session token is stored in the operating system's secure storage (Keychain on iOS, Keystore on Android) and in localStorage on the web.
- User-provided text fields are sanitized before being sent to AI services to reduce prompt-injection risks.
- We do not store sensitive API keys in the app binary. AI requests are proxied through our backend.
No method of transmission or storage is 100% secure, so we cannot guarantee absolute security.
6. Shared (Non-Personal) Data
To save cost and improve quality, the app caches AI-generated descriptions of common breed-mix combinations (e.g., "Maine Coon × Ragdoll") in a shared cloud table. These cache entries are not tied to any user and contain no personal data.
7. Data Retention and Account Deletion
Retention
- On-device data: retained until you uninstall the app or clear app data.
- Account data (if signed in): retained while your account is active. Deleted within 30 days of an account deletion request.
- Cat Chat history: retained while your account is active. The most recent 200 messages per cat are kept; older messages are pruned automatically.
- Push notification tokens: retained while your device is active. Deleted when you sign out or revoke notifications.
- AI usage counters: retained while your account is active and for up to 90 days after deletion for audit and abuse-prevention purposes.
Account Deletion (in-app and web)
Per Apple App Store Guideline 5.1.1(v) and the Google Play User Data policy, you can permanently delete your account and the associated cloud-stored data without leaving the app:
- Open Settings → Account → Delete account inside the app.
- Confirm the prompt. Your account, Cat Chat history, alert preferences, push tokens, AI usage counters, and subscription record in our backend are removed within 30 days.
If you cannot access the in-app option (for example, you've already uninstalled the app), email privacy@whatcat.app with the subject line "Delete my data" from the address associated with your account. We will process the request within 30 days and confirm completion.
Active subscriptions managed by Apple or Google are not cancelled by deleting your account. Cancel those in your App Store or Google Play subscription settings.
8. Your Rights and Choices
Everyone
- Access: All cat data and health logs are visible and editable directly in the app.
- Delete on-device data: Uninstall the app (or clear browser storage on web). This deletes all locally stored data permanently.
- Delete account data: Use the in-app option described in Section 7, or email us.
- Opt out of cloud features: Simply do not sign in. The breed encyclopedia, quiz, local cat profiles, and on-device features work without an account.
- Opt out of notifications: Disable notifications for What Cat? in your device settings at any time.
Users in the EEA, UK, and Switzerland (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights regarding your personal data:
- Right of access to a copy of your personal data.
- Right to rectification of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten").
- Right to restrict processing.
- Right to data portability in a structured, machine-readable format.
- Right to object to processing based on our legitimate interests.
- Right to withdraw consent where processing is based on consent (e.g., notifications), at any time.
- Right to lodge a complaint with your local data protection supervisory authority.
Lawful bases: We rely on (a) performance of a contract to provide the account, subscription, and AI features you ask for; (b) legitimate interests in keeping the service secure, preventing abuse, and improving quality; and (c) consent for optional permissions such as notifications.
To exercise any of these rights, email privacy@whatcat.app. We will respond within 30 days.
Users in California (CCPA / CPRA)
California residents have the right to know what personal information we collect, the right to delete it, the right to correct inaccurate information, and the right to limit the use of sensitive personal information. We do not sell or share personal information as those terms are defined by the CCPA/CPRA, and we do not use personal information for cross-context behavioural advertising. To exercise these rights, email privacy@whatcat.app. We will not discriminate against you for exercising any of these rights.
International data transfers
Our backend is hosted in the United States. If you access the app from outside the United States, your account data is transferred to and processed in the United States. Where required, we rely on the European Commission's Standard Contractual Clauses or equivalent UK addenda for transfers from the EEA, UK, or Switzerland.
9. Children's Privacy
What Cat? is not directed at children under 13 (or under 16 in the EEA / UK, where applicable). We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, contact privacy@whatcat.app and we will delete it promptly. We comply with the United States Children's Online Privacy Protection Act (COPPA) and Apple's Kids Category requirements (which we do not opt into).
10. Third-Party Services
We share the minimum data necessary with the following processors / sub-processors. Each acts on our instructions and is bound by appropriate data-processing terms.
| Service | Purpose | Data shared | Privacy Policy |
|---|---|---|---|
| Supabase | Authentication, cloud database, AI proxy, push fan-out | Account identity, subscription status, Cat Chat history, alert preferences, push token, AI prompts | supabase.com/privacy |
| OpenAI (API) | AI responses for Cat Chat & Luna companion | Sanitized prompt text; no account identifiers | openai.com/policies/privacy-policy |
| RevenueCat | Subscription receipt validation & entitlement sync | Anonymous user ID, App Store / Google Play subscription receipts | revenuecat.com/privacy |
| Expo Application Services (EAS) | Push notification delivery | Device push token, notification payload | expo.dev/privacy |
| Apple | Sign in with Apple, App Store payment processing | Authentication tokens, purchase receipts | apple.com/legal/privacy |
| Google | Sign in with Google, Google Play payment processing | Authentication tokens, purchase receipts | policies.google.com/privacy |
| Wikimedia Commons | Breed photos fetched on demand | Standard HTTP request metadata only | foundation.wikimedia.org/wiki/Privacy_policy |
| TheCatAPI | Curated breed photos & metadata (fetched server-side, never client-side) | None — we cache the assets ourselves | thecatapi.com/privacy |
| Resend | Transactional email delivery (waitlist verification, launch announcement) | Recipient email address and message content | resend.com/legal/privacy-policy |
11. Marketing Website (whatcat.app)
The What Cat? marketing website at whatcat.app is separate from the mobile app. It operates a pre-launch waitlist and does not use any analytics, telemetry, or advertising scripts.
Waitlist email collection
- What we collect: your email address when you join the waitlist; the timestamp and verification status of your signup; and a partial IP address (first three octets only, e.g. 192.168.1.x) logged at signup time for spam prevention. The partial IP is stored alongside your email in our database and deleted with it.
- Why: to send you a one-time confirmation email, notify you when the app launches, and send a single reminder if you have not confirmed within a few days.
- Legal basis (GDPR): your consent, given when you submit the form. You can withdraw consent at any time via the unsubscribe link in any email we send.
- Who sees it: your email is shared only with Resend (our email delivery provider) for the purpose of sending the emails above. It is never sold or shared for marketing by any third party.
- Retention: waitlist email addresses are deleted within 90 days after the app's public launch, or sooner upon request.
- Removal: click the unsubscribe link in any waitlist email, or email privacy@whatcat.app with the subject "Remove from waitlist".
The website does not set tracking cookies, does not use third-party analytics, and does not load any advertising scripts.
12. Changes to This Policy
We may update this policy to reflect changes in the app or applicable law. When we do, we will revise the "Last updated" date at the top of this page and, for material changes, surface an in-app notice on next launch. Continued use of the app after changes are posted means you accept the updated policy.
13. Contact
Questions, data requests, or complaints: privacy@whatcat.app