Last Updated: November 6, 2025
Effective Date: November 6, 2025
Version: 1.0

This Privacy Policy is specifically tailored for users in the European Union (EU) and European Economic Area (EEA) and complies with the General Data Protection Regulation (GDPR).

We determine the purposes and means of processing your personal data.

Email: official@supercatai.com
Subject Line: "DPO - [Your Matter]"

We process your personal data based on:

1. Your Consent (Article 6(1)(a) GDPR)
    
   • When you explicitly agree to data processing
   • You can withdraw consent at any time

1. Performance of a Contract (Article 6(1)(b) GDPR)
    
   • To provide services you requested
   • To fulfill our obligations to you

1. Legitimate Interests (Article 6(1)(f) GDPR)
    
   • To improve our services
   • To prevent fraud and ensure security
   • For analytics and research (with anonymized data)

1. Legal Obligation (Article 6(1)(c) GDPR)
    
   • To comply with EU laws and regulations

1. What Personal Data We Collect
2. How We Use Your Personal Data
3. Data Retention Periods
4. Who We Share Your Data With
5. International Data Transfers
6. Your Rights Under GDPR
7. Special Categories of Personal Data
8. Automated Decision-Making and Profiling
9. Data Security Measures
10. Data Breach Notification
11. Children's Privacy
12. Changes to This Privacy Policy
13. How to Exercise Your Rights
14. Complaints to Supervisory Authority

• Category: Identity Data• Data Items: Email address, password (encrypted), user ID • Legal Basis: Contract & Consent • Purpose: Account management

• Category: Pet Profile Data• Data Items: Cat's name, breed, date of birth, photo • Legal Basis: Contract • Purpose: Service provision

• Category: Audio Data• Data Items: Cat meow recordings (1-5 seconds, AAC/WAV format) • Legal Basis: Consent • Purpose: AI emotion analysis

• Category: Communication Data• Data Items: AI chatbot messages, survey responses • Legal Basis: Consent • Purpose: Customer support & service improvement

• Category: Technical Data• Data Items: IP address, device type, OS version, app version • Legal Basis: Legitimate Interest • Purpose: Service operation & security

• Category: Usage Data• Data Items: App interactions, features used, timestamps • Legal Basis: Legitimate Interest • Purpose: Analytics & improvement

• Category: Location Data• Data Items: City-level location (optional, with consent) • Legal Basis: Consent • Purpose: Contextual features

We do NOT collect special categories of personal data as defined in Article 9 GDPR (e.g., health data, biometric data for identification, racial/ethnic origin).

Note: While audio recordings contain voice data, we:

• Only collect cat meow sounds (not human voice, except for translation feature)
• Do not use biometric identification
• Process data solely for emotion analysis, not identification

We process your personal data for the following purposes, based on specific legal grounds:

• Create and manage your account
• Analyze cat meow emotions using AI
• Provide personalized AI models
• Generate daily/weekly/monthly reports
• Offer AI chatbot support
• Enable human-to-cat translation

• Improve AI model accuracy
• Enhance user experience
• Fix bugs and technical issues
• Develop new features
• Conduct anonymized analytics

Legitimate Interest Assessment:

• Purpose: Improve service quality and user experience
• Necessity: Essential for maintaining competitive service
• Balancing Test: Minimal privacy impact as data is aggregated/anonymized
• User Rights: You can object to this processing

• Use completely anonymized cat voice data for AI training
• Advance AI technology and research
• All personal identifiers removed
• You can withdraw consent at any time

• Send promotional offers and updates
• Personalized content recommendations
• You can opt out at any time
• Separate consent required

• Comply with EU laws and regulations
• Respond to lawful requests from authorities
• Maintain records as required by law

We retain personal data only for as long as necessary for the purposes outlined in this policy.

• Data Category: Account Data • Retention Period: Until account deletion + 30 days • Justification: Contract fulfillment & legal compliance

• Data Category: Cat Profile • Retention Period: Until account deletion • Justification: Service provision

• Data Category: Audio Recordings• Retention Period: 90 days (then archived) • Justification: Service provision & cost optimization

• Data Category: Emotion Analysis Results • Retention Period: Until account deletion or 3 years • Justification: Service provision & analytics

• Data Category: Chat Messages • Retention Period: 90 days • Justification: Customer support

• Data Category: Technical Logs • Retention Period: 6 months • Justification: Security & troubleshooting

• Data Category: Marketing Data • Retention Period: Until consent withdrawn + 30 days • Justification: Legal compliance

After the retention period expires:

• Data is automatically and securely erased
• Backups are deleted within 90 days
• Anonymized data may be retained for research (cannot identify you)

You can request erasure of your data at any time (see Section 6: Your Rights Under GDPR).

We do not sell your personal data. We share data only with:

All processors are bound by Data Processing Agreements (DPAs):

• Processor: Google Cloud Platform• Location: USA • Purpose: Cloud hosting & storage • Safeguards: Standard Contractual Clauses (SCCs), SOC 2, ISO 27001

• Processor: Amazon Web Services• Location: USA • Purpose: Backup storage • Safeguards: SCCs, SOC 2, ISO 27001

• Processor: OpenAI, LLC• Location: USA • Purpose: AI processing (anonymized data only) • Safeguards: SCCs, Data minimization

• Processor: Firebase (Google)• Location: USA • Purpose: Push notifications • Safeguards: SCCs, Google Cloud DPA

For transfers to the USA (non-adequate country), we use:

• EU Standard Contractual Clauses (Decision 2021/914)
• Supplementary measures: Encryption, pseudonymization, access controls
• Transfer Impact Assessment conducted and documented

You can request a copy of SCCs: official@supercatai.com

We may disclose data to:

• Law enforcement (only with valid legal basis under EU law)
• Regulatory authorities (if legally required)
• Courts (in legal proceedings)

We will challenge overly broad or unlawful requests.

Your data is transferred to and processed in the United States, which is not recognized by the European Commission as providing adequate data protection.

Standard Contractual Clauses (SCCs):

• We use EU-approved SCCs (Commission Decision 2021/914)
• SCCs provide contractual guarantees for data protection
• Available upon request

Supplementary Measures:

• Encryption: TLS 1.3 in transit, AES-256 at rest
• Pseudonymization: Where possible, we replace identifying fields
• Access Controls: Strict authorization and authentication
• Data Minimization: Only necessary data is transferred
• Security Certifications: SOC 2 Type II, ISO 27001

We have conducted a TIA assessing:

• Nature of data transferred: Audio files, profile data (no sensitive data)
• Laws in destination country: US CLOUD Act, surveillance laws
• Effectiveness of safeguards: Encryption and contractual protections deemed sufficient
• Residual risks: Low, given anonymization and encryption

• You can request information about transfers
• You can object to transfers (may limit service availability)
• You can file a complaint with your supervisory authority

What: Obtain confirmation of processing and a copy of your data
How: Settings > Privacy > Download My Data, or email official@supercatai.com
Timeline: Within 1 month (extendable by 2 months if complex)

What: Correct inaccurate or incomplete data
How: Settings > Profile, or email official@supercatai.com
Timeline: Within 1 month

What: Request deletion of your data
Grounds:

• Data no longer necessary
• You withdraw consent
• You object to processing
• Data processed unlawfully

Exceptions: We may refuse if needed for:

• Legal compliance
• Legal claims
• Public interest

How: Settings > Account > Delete Account, or email official@supercatai.com
Timeline: Within 1 month

What: Limit how we use your data
Grounds:

• Accuracy of data is contested
• Processing is unlawful
• Data no longer needed but you need it for legal claims
• You objected to processing (pending verification)

How: Email official@supercatai.com
Timeline: Within 1 month

What: Receive your data in structured, commonly used, machine-readable format (CSV, JSON)
Applies to: Data provided by you, processed by automated means, based on consent or contract
How: Settings > Privacy > Export Data
Timeline: Within 1 month

What: Object to processing based on legitimate interests or for direct marketing
How: Settings > Privacy > Object to Processing, or email official@supercatai.com
Effect: We will stop processing unless we demonstrate compelling legitimate grounds

What: Withdraw consent at any time
How: Settings > Privacy > Manage Consent
Effect: Does not affect lawfulness of processing before withdrawal
Timeline: Immediate

What: Not be subject to decisions based solely on automated processing with legal/significant effects
Status: We do not engage in such automated decision-making (see Section 8)

In-App:

• Settings > Privacy & Data Rights

By Email:

• Email: official@supercatai.com
• Subject: "GDPR Right Request - [Right Name]"
• Include: Name, email, account details, specific request

Response:

• We respond within 1 month (extendable by 2 months if complex)
• Free of charge (unless excessive or unfounded)
• We may request identification verification

We do NOT intentionally collect or process special categories of personal data under Article 9 GDPR, which include:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data for identification
• Health data
• Sex life or sexual orientation

Note on Audio Data:

• Cat meow recordings are not considered biometric data for identification purposes
• We do not extract or process biometric identifiers from audio
• Processing is solely for emotion analysis, not identification

Process: We use AI to classify cat meow emotions
Nature: Automated processing, but NOT automated decision-making under Article 22
Reason: Decisions do not produce legal effects or significantly affect you

We do NOT engage in profiling that produces legal effects or similarly significantly affects you.

Emotion analysis is for:

• Informational purposes only
• Helping you understand your cat better
• No legal, financial, or significant personal consequences

If our practices change to include Article 22 automated decision-making:

• We will inform you explicitly
• Obtain your explicit consent (if required)
• Provide meaningful information about the logic involved
• Give you the right to human intervention
• Allow you to challenge the decision

We implement appropriate technical and organizational measures as required by Article 32 GDPR.

Encryption:

• TLS 1.3 for data in transit
• AES-256 for data at rest
• End-to-end encryption where possible

Access Controls:

• Role-Based Access Control (RBAC)
• Multi-Factor Authentication (MFA)
• Principle of least privilege
• Regular access reviews

Security Monitoring:

• 24/7 intrusion detection
• Real-time alerting
• Security Information and Event Management (SIEM)
• Regular penetration testing

Staff Training:

• Mandatory GDPR training for all staff
• Regular security awareness programs
• Confidentiality agreements

Data Protection by Design & Default (Article 25):

• Privacy integrated into system design
• Default settings maximize privacy
• Data minimization principles applied

Vendor Management:

• Due diligence on all processors
• Data Processing Agreements (Article 28)
• Regular audits of processors

• SOC 2 Type II (security, availability, confidentiality)
• ISO/IEC 27001 (information security management)
• GDPR Compliance audited annually

Timeline: Within 72 hours of becoming aware
Content:

• Nature of the breach
• Categories and approximate number of data subjects affected
• Categories and approximate number of records affected
• Contact point for information
• Likely consequences
• Measures taken or proposed

When Required: If breach likely to result in high risk to your rights and freedoms
Timeline: Without undue delay
Content:

• Nature of the breach
• Contact point
• Likely consequences
• Measures taken or proposed to address the breach
• Measures you can take to mitigate risks

We may not notify you if:

• We implemented appropriate technical and organizational protections (e.g., encryption)
• We took subsequent measures ensuring high risk no longer likely
• Notification would involve disproportionate effort (we will make public announcement instead)

Under 16 years old (or lower age set by Member State):

• Parental consent required for processing
• We verify parental consent

16 years and older:

• May consent to processing themselves

For children below the age of consent:

Step 1: Child provides parent/guardian email
Step 2: We send verification request to parent
Step 3: Parent reviews data processing and consents
Step 4: We verify parental authority
Step 5: Account activated

Parents/guardians can:

• Access their child's data
• Rectify inaccurate data
• Erase their child's data
• Restrict processing
• Object to processing
• Withdraw consent

Contact: official@supercatai.com with "Parental Rights - [Child's Name]"

Minor Changes:

• Posted in-app with 7 days' notice
• Email notification

Material Changes:

• Posted in-app with 30 days' notice
• Email notification with summary of changes
• May require re-consent for affected processing

If you disagree with changes:

• Withdraw consent
• Exercise your right to erasure
• Object to processing

Continued use after notice period constitutes acceptance.

Primary Contact:

• Email: official@supercatai.com
• Subject: "GDPR Request - [Right Name]"

Data Protection Officer:

• Email: official@supercatai.com
• Subject: "DPO - [Your Matter]"

• Full name
• Email address
• Account details
• Specific right(s) you wish to exercise
• Proof of identity (if requested)

Timeline:

• Within 1 month of receipt
• Extendable by 2 months if complex (we will inform you)

Format:

• Electronic format (unless you request otherwise)
• Concise, transparent, intelligible language

Cost:

• Free of charge (unless excessive or unfounded)

If we refuse your request, we will:

• Explain why (within 1 month)
• Inform you of your right to complain to supervisory authority
• Inform you of your right to judicial remedy

You have the right to lodge a complaint with a supervisory authority, particularly in your EU Member State of:

• Habitual residence
• Place of work
• Place of alleged infringement

Find your supervisory authority:

• EU Data Protection Authorities: https://edpb.europa.eu/about-edpb/board/members_en

You also have the right to an effective judicial remedy if you believe your rights under GDPR have been infringed:

• Against a supervisory authority decision (Article 78)
• Against a controller or processor (Article 79)

Data Controller:
SuperCat.AI
Email: official@supercatai.com

Data Protection Officer:
Email: official@supercatai.com
Subject Line: "DPO - [Your Matter]"

EU Representative (if applicable):
[To be appointed if needed under Article 27]

This Privacy Policy complies with:

• Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR)
• Directive 2002/58/EC (ePrivacy Directive)
• National implementations of GDPR in EU Member States

Last Updated: November 6, 2025
Version: 1.0
Effective Date: November 6, 2025

© 2025 SuperCat.AI. All rights reserved.

Questions? Concerns?
We're committed to protecting your privacy.
Email us at: official@supercatai.com
Response time: Within 5 business days for general inquiries, 1 month for rights requests.