yes.pet

Privacy Policy

Last updated: 2026-06-15 (v2026-06-15)

yes.pet (“we”, “us”) is a pet-care tracker operated by the kakai studio team. This policy explains what personal data we process, why, the legal basis for it, who we share it with, and the rights you have under the EU GDPR and the UK GDPR. If you have any question or want to exercise a right, contact us at [email protected].

1. Two zones: public site vs. account

yes.pet runs in two distinct zones. The public site (yes.pet: potty schedule, walk calculator, guides) is used anonymously — we do not ask who you are. The account (my.yes.pet) requires a login, so within it you are an identified user. We keep the two zones separate: public-site analytics never receive your account identity.

2. What we collect, why, and our legal basis

  • Account email & password — to create and secure your account. Legal basis: performance of a contract (Art. 6(1)(b) GDPR). Passwords are stored only as a salted hash, never in plain text.
  • Tracker entries & pet profiles (walks, potty, feeds, and the pets you add) — to provide the service to you and people you share a household with. Legal basis: performance of a contract (Art. 6(1)(b)).
  • Public-site analytics (Google Analytics 4) — to understand which tools and pages are useful. Legal basis: your consent (Art. 6(1)(a)), requested via the banner described in §5. No analytics run before you accept.
  • Product analytics (Amplitude) — pseudonymous usage events tied to a random id, not to your email, used to improve the app. Legal basis: your consent (Art. 6(1)(a)), given via an optional checkbox at sign-up — you can use your account without it. We do not send your email, password, or pet-health details to Amplitude.
  • Aggregate first-party counts — we keep simple, non-identifying counts of how often a tool is used, on our own infrastructure. Legal basis: legitimate interest (Art. 6(1)(f)) in measuring demand. These contain no personal data and continue even if you decline analytics.

3. Processors / sub-processors

We use the following processors to operate the service. We do not sell your personal data.

  • Google LLC (Google Analytics 4) — Public-site analytics (acquisition / traffic source). Location: United States. Transfer basis: EU-US Data Privacy Framework (DPF).
  • Amplitude, Inc. — Product analytics in the account (pseudonymous events). Location: United States. Transfer basis: EU-US + UK + Swiss Data Privacy Framework (DPF).
  • Novu, Inc. (Novu Cloud) — Notification orchestration (managed service). Location: EU — Frankfurt. Transfer basis: Data Processing Agreement (DPA).
  • Oracle (OCI Email Delivery) — Transactional email delivery. Location: Dubai (UAE). Transfer basis: DPA / Standard Contractual Clauses (SCC).
  • Cloudflare, Inc. — CDN, site hosting, and consent / tag management (Zaraz, edge). Location: Global edge network. Transfer basis: DPA / SCC.
  • Application backend + PostgreSQL database — Core tracker data storage and processing. Location: Dubai (UAE) — outside the EU. Transfer basis: Appropriate safeguards (see §4).

4. International transfers & data residency

We are honest about where your data goes: our application backend and database run in Dubai (UAE), outside the EU/EEA; public-site and product analytics (Google, Amplitude) are processed in the United States; notification orchestration runs in the EU (Frankfurt); and transactional email runs via Oracle OCI in Dubai. We do not claim that your data stays only within the EU.

  • For transfers to the United States we rely on the EU-US Data Privacy Framework (and its UK and Swiss extensions), under which Google LLC and Amplitude, Inc. are self-certified.
  • For transfers outside the EU/EEA that the DPF does not cover (e.g. the Dubai backend and email), and as a fallback should the DPF cease to apply, we rely on Standard Contractual Clauses and data-processing agreements with each provider.
  • Google Analytics 4 does not store IP addresses.

5. Consent & cookies

For visitors in the EEA and the UK we show a consent banner before any analytics load. Until you accept, analytics cookies and tags are not set (“Basic” consent mode). If you decline, the site keeps working — every tool and guide is fully usable without analytics. The only cookie we set without asking is a small strictly-necessary cookie that remembers your consent choice.

You can change or withdraw your consent at any time through the cookie settings on the site (or by clearing the consent cookie). Withdrawing consent does not affect processing that already took place.

6. Linking pre-login and post-login activity

If you create an account, we may connect the anonymous activity you had on the public site before signing up with your new account, so your experience is continuous (for example, a calculator result you started before logging in). Legal basis: your consent, given via the same optional analytics checkbox at sign-up (off by default). You can object to this linking by contacting [email protected].

7. Your data-subject rights, retention & contact

  • Your rights as a data subject (GDPR / UK GDPR): the right of access, rectification, erasure, restriction of processing, data portability, and objection. You can withdraw consent at any time. You also have the right to lodge a complaint with your local data-protection supervisory authority.
  • Retention: account and tracker data are kept while your account is active. When you request deletion, your account is deactivated immediately and permanently erased after a 30-day recovery window (during which logging back in restores it). Analytics data is retained for the shortest period each provider allows.
  • Exercising a right or contacting us: [email protected].

We may update this policy as the service evolves; material changes increase the version number shown above. yes.pet provides general information only and is not a substitute for professional veterinary advice, diagnosis or treatment. Always consult your veterinarian.