Privacy Policy
This Privacy Policy explains how personal data is processed in connection with felineStudio.
1. Who is responsible for data processing?
felineStudio has two GDPR roles depending on the context:
- As a processor: felineStudio processes personal data on behalf of a cattery (the cattery is the controller).
- As an independent controller: felineStudio processes certain data for its own legal and operational purposes (for example account administration, platform security, abuse prevention, and support handling).
1.1 Controller details (for felineStudio-controlled processing)
- Legal entity: [TODO: legal entity name]
- Address: [TODO: full legal address]
- Privacy email: [TODO: privacy@...]
- Data protection contact / DPO (if applicable): [TODO: contact details]
- EU/UK representative (if applicable): [TODO: representative details]
1.2 Cattery as controller
For data that a cattery enters and manages in the app (for example buyer contacts, waiting list records, contracts, and cat records), the cattery is generally the controller under Article 4(7) GDPR. felineStudio acts as processor under Article 4(8) GDPR for that processing.
2. Categories of personal data
Depending on feature usage and configuration, the following categories may be processed:
- Account and profile data: owner name, cattery name, email, phone, address, login/account identifiers.
- Contact and inquiry data: first/last name, email, phone, inquiry preferences, inquiry notes, consent timestamp.
- Business records entered by catteries: contacts, waiting list entries, contracts, transactions, and related notes.
- Media and document data: cat images, uploaded documents/images for OCR features, and extracted content.
- Technical and security data: IP-derived request metadata, throttling/security logs, session/auth state, and system event logs.
- Communication data: operational emails and reminder notifications.
3. Purposes and legal bases
Where felineStudio acts as controller, processing is based on one or more of the following legal bases:
- Article 6(1)(b) GDPR (contract): providing and operating the service, account access, and core functionality.
- Article 6(1)(c) GDPR (legal obligation): retention and compliance obligations where required by applicable law.
- Article 6(1)(f) GDPR (legitimate interests): service security, fraud/abuse prevention, reliability, and platform defense.
- Article 6(1)(a) GDPR (consent): processing that is explicitly consent-based where implemented.
Where felineStudio acts as processor, processing is carried out on documented instructions from the relevant cattery controller.
4. Recipients and processors/sub-processors
felineStudio uses service providers to deliver the platform. Depending on configuration, these include:
- Supabase: database, storage, and authentication services.
- Vercel: hosting, infrastructure, and deployment/runtime services.
- Brevo (optional): transactional email delivery.
- OCR/AI provider (optional): Cortecs (routing gateway).
felineStudio maintains contractual safeguards (including data processing terms) with providers used for personal data processing.
5. International data transfers
Some providers or their sub-processors may process data outside the EEA/UK/Switzerland. Where required, transfers rely on an appropriate transfer mechanism, such as:
- an adequacy decision, and/or
- EU Standard Contractual Clauses (SCCs), and/or
- UK transfer addendum/IDTA or equivalent legal mechanism.
You may request more information on applicable safeguards via the privacy contact listed above.
5.1 Hosting location transparency
felineStudio is intended to be operated with EU hosting/processing locations. Where data is processed in the EU, this is configured through selected provider settings and regions. If a provider or sub-processor processes data outside the EU/EEA, the safeguards listed above apply.
6. Retention periods
felineStudio applies data minimization and storage limitation principles. Retention depends on context and legal requirements.
Baseline operational retention currently includes:
- Scheduled account deletion: account marked for deletion, then permanently purged after a 30-day grace period.
- Data export packages: generated portability files include signed media links that expire (currently 24 hours).
- Security and abuse-prevention records: retained only as long as necessary for protection and incident handling, subject to legal obligations.
Controller catteries remain responsible for defining lawful retention periods for the records they control and for meeting local legal retention obligations.
7. Data subject rights
Under GDPR, data subjects may have the right to:
- access personal data (Art. 15),
- rectify inaccurate data (Art. 16),
- erase data (Art. 17),
- restrict processing (Art. 18),
- data portability (Art. 20),
- object to processing (Art. 21),
- withdraw consent at any time (where processing is consent-based).
7.1 How to exercise rights
- For data controlled by a cattery: requests should first be directed to that cattery as controller.
- For data controlled directly by felineStudio: contact [TODO: privacy email].
felineStudio supports controller catteries in handling valid rights requests where felineStudio acts as processor.
8. Automated decision-making
felineStudio does not perform solely automated decision-making that produces legal effects or similarly significant effects within the meaning of Article 22 GDPR.
9. Security measures
felineStudio implements technical and organizational measures appropriate to the risk, such as encryption in transit, access controls, role separation, logging/monitoring, and incident response processes.
No system can be guaranteed 100% secure, but controls are designed to reduce risk and protect confidentiality, integrity, and availability.
10. Children
The service is not directed to children. Catteries using the platform remain responsible for ensuring they have a valid legal basis for any personal data they enter into the service.
11. Complaints to supervisory authorities
Data subjects have the right to lodge a complaint with a competent supervisory authority in their habitual residence, place of work, or place of alleged infringement.
Primary supervisory authority (if applicable): [TODO: authority name and contact].
12. Changes to this Privacy Policy
We may update this Privacy Policy to reflect legal, technical, or operational changes. The current version and effective date are shown at the top of this document.
If you have questions about this policy, contact: [TODO: privacy contact details].