GDPR Compliance
General Data Protection Regulation (EU) 2016/679
Last updated: 11.02.2026
This policy is effective as of February 11, 2026.
1. Introduction
PetNexa is committed to protecting the privacy and security of personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This document outlines how we process and protect the personal data of users in the European Economic Area (EEA), and describes your rights as a data subject.
For users in Turkey, see also our KVKK Information Notice.
2. Data Controller
Furkan Hidayet Alkan acts as the data controller for personal data collected through the PetNexa mobile application and website.
Data Controller: Furkan Hidayet Alkan
Contact: furkan.alkan.1293@gmail.com
Address: Mehmet Akif Ersoy Mah. Arnavutoğlu Cad. 12_1 A/20 Merkez / Kastamonu
As a Turkey-based controller processing data of EEA residents, we are committed to ensuring GDPR compliance. For GDPR-related inquiries, please contact us at: furkan.alkan.1293@gmail.com
3. Legal Basis for Processing
We process personal data under the following legal bases as defined in Article 6 of GDPR:
- Consent (Art. 6(1)(a)): AI Veterinarian feature usage, marketing communications, optional analytics (PostHog), advertising personalization (AdMob)
- Performance of a Contract (Art. 6(1)(b)): Account creation and management, pet health tracking services, family sharing features, subscription management, push notification delivery
- Legal Obligation (Art. 6(1)(c)): Tax record keeping, compliance with data retention laws, responding to lawful authority requests
- Legitimate Interest (Art. 6(1)(f)): Service improvement and analytics, application security and fraud prevention, error tracking and crash reporting (Sentry), session management for account security
4. Your Rights Under GDPR
As an EEA resident, you have the following rights under GDPR:
Right of Access (Art. 15)
You can request a copy of all personal data we hold about you, including the purposes of processing, categories of data, recipients, and retention periods.
Right to Rectification (Art. 16)
You can request correction of inaccurate personal data or completion of incomplete data. You can also update most data directly through the app settings.
Right to Erasure (Art. 17)
You can request deletion of your personal data ("right to be forgotten"). Account deletion is available directly in the app under Account Settings. Upon deletion, all personal data is removed within 30 days.
Right to Restriction of Processing (Art. 18)
You can request limitation of processing while we verify accuracy of data, if processing is unlawful, or if you have objected to processing pending verification of legitimate grounds.
Right to Data Portability (Art. 20)
You can request your data in a structured, commonly used, machine-readable format (JSON). Data export is available through the app's Account Settings > My Data section.
Right to Object (Art. 21)
You can object to processing based on legitimate interests (Art. 6(1)(f)) or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to Withdraw Consent (Art. 7(3))
Where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. You can manage consent through the app settings.
Right Related to Automated Decision-Making (Art. 22)
You have the right not to be subject to a decision based solely on automated processing that produces legal effects. Our AI Veterinarian feature does not produce legally binding decisions.
5. Data Processing Activities
The following table details our data processing activities in accordance with Article 30 of GDPR:
| Purpose | Data Categories | Legal Basis | Retention Period |
|---|---|---|---|
| Account Creation & Management | Name, email, profile photo, auth provider | Contract (Art. 6(1)(b)) | Account lifetime + 30 days |
| Authentication | OAuth tokens, session ID, device ID | Contract (Art. 6(1)(b)) | Session duration |
| Pet Health Tracking | Pet details, health records, vaccinations, medications | Contract (Art. 6(1)(b)) | Account lifetime + 30 days |
| Appointment Reminders | Appointment dates, push notification tokens | Contract (Art. 6(1)(b)) | Until appointment date + 7 days |
| Vaccine Reminders | Vaccination schedule, notification preferences | Contract (Art. 6(1)(b)) | Account lifetime |
| AI Veterinarian | Questions, AI responses, pet context data | Consent (Art. 6(1)(a)) | 90 days |
| Family Sharing | Family group data, member roles, task assignments | Contract (Art. 6(1)(b)) | Account lifetime |
| Push Notifications | Device tokens, notification preferences, OneSignal external ID | Contract (Art. 6(1)(b)) | Until token invalidation |
| Subscription Management | Subscription tier, purchase history, RevenueCat customer ID | Contract (Art. 6(1)(b)) | 5 years (tax obligations) |
| Analytics | Usage events, screen views, feature interactions | Consent / Legitimate Interest (Art. 6(1)(f)) | 24 months |
| Error Tracking | Crash reports, error logs, device info | Legitimate Interest (Art. 6(1)(f)) | 90 days |
| Advertising | AdMob device identifiers, ad interaction data | Consent (Art. 6(1)(a)) | Per Google's retention policy |
| Session Security | Session ID, device fingerprint, login timestamps | Legitimate Interest (Art. 6(1)(f)) | 6 months |
| Email Communications | Email address, email interaction data | Contract / Consent | Account lifetime / until withdrawal |
6. International Data Transfers
Your data may be transferred to and processed in countries outside the EEA. We ensure adequate protection through the following mechanisms in accordance with Chapter V of GDPR:
| Service Provider | Country | Purpose | Transfer Safeguard |
|---|---|---|---|
| Neon (PostgreSQL) | USA | Primary database | Standard Contractual Clauses (SCCs) |
| Google Cloud | USA | OAuth authentication | EU-US Data Privacy Framework |
| Apple | USA | Sign in with Apple | Standard Contractual Clauses |
| OneSignal | USA | Push notifications | Standard Contractual Clauses |
| Expo (EAS) | USA | Push notifications (fallback) | Standard Contractual Clauses |
| RevenueCat | USA | Subscription management | Standard Contractual Clauses |
| PostHog | EU/USA | Product analytics | EU hosting option / SCCs |
| Sentry | USA | Error monitoring | Standard Contractual Clauses |
| Google AdMob | USA | Advertising | EU-US Data Privacy Framework |
| OpenAI | USA | AI Veterinarian | Standard Contractual Clauses |
| Resend | USA | Email delivery | Standard Contractual Clauses |
In addition to contractual safeguards, we implement supplementary technical measures including encryption in transit (TLS 1.3) and at rest, pseudonymization where possible, and access controls to minimize risks associated with international transfers.
7. Data Security
We implement appropriate technical and organizational measures in accordance with Article 32 of GDPR, including:
- Encryption of data in transit (TLS/SSL) and at rest
- OAuth 2.0 secure authentication (no passwords stored)
- Single-device session enforcement with cryptographic session IDs
- JWT token authentication with session validation
- Database access controls and parameterized queries
- Regular dependency updates and security monitoring
- Incident response procedures with defined escalation paths
- Data minimization in collection and processing
8. Data Breach Notification
In accordance with Articles 33 and 34 of GDPR:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals
- We will notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms
- We maintain an internal breach register documenting all breaches, their effects, and remedial actions taken
- Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
9. Automated Decision-Making and AI
Our AI Veterinarian feature uses automated processing powered by AI language models (OpenAI) to provide pet health information and guidance.
- The AI feature does not produce decisions with legal or similarly significant effects on users
- AI responses are for informational purposes only and do not constitute veterinary medical advice
- No profiling is performed that produces legal effects
- Pet data sent to the AI is limited to what is necessary for the query and is not used for model training
- You have the right to request human review of any AI-generated output
- You can choose not to use the AI Veterinarian feature; it is entirely optional and consent-based
10. Cookies and Tracking Technologies
For detailed information about our use of cookies and similar tracking technologies, including how to manage your preferences, please see our Cookie Policy.
In accordance with GDPR and the ePrivacy Directive, we obtain your consent before setting non-essential cookies. Essential cookies required for the operation of the website are placed without consent as permitted by law.
11. Children's Data
Our services are not intended for children under 16 years of age (in accordance with Article 8 of GDPR). We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take immediate steps to delete such data. If you believe that a child under 16 has provided us with personal data, please contact us immediately.
12. Exercising Your Rights
To exercise your GDPR rights, you can use the following methods:
- In-app: Account Settings > My Data (for data export, deletion, and preference management)
- Email: furkan.alkan.1293@gmail.com (Subject: GDPR Request)
- Include your full name, email associated with your account, and specific right(s) you wish to exercise
We will respond to your request within 30 days. This period may be extended by an additional 60 days for complex or numerous requests, in which case we will inform you of the extension within the initial 30-day period. We will verify your identity before processing your request.
13. Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority in your EU/EEA member state if you believe your data protection rights have been violated. You may also lodge a complaint with the Turkish Personal Data Protection Authority (KVKK) as the authority of the controller's jurisdiction.
14. Changes to This Policy
We may update this GDPR compliance policy from time to time to reflect changes in our practices, services, or legal requirements. We will notify you of significant changes through the application or via email. The 'last updated' date at the top of this page indicates when this policy was last revised. Continued use of our services after changes constitutes acceptance of the updated policy.
15. Contact Information
Data Controller: Furkan Hidayet Alkan
Email: furkan.alkan.1293@gmail.com
Address: Mehmet Akif Ersoy Mah. Arnavutoğlu Cad. 12_1 A/20 Merkez / Kastamonu
GDPR Requests: furkan.alkan.1293@gmail.com (Subject: GDPR Request)