Privacy Policy
At a glance
- Who: flok sp. z o.o., Warsaw, Poland. The company behind the Flok pet care app.
- What we collect: account details you give us, the pet info you log, and some technical data about how you use the app.
- What we do with it: run the service you signed up for, help you keep your pet’s records in order, keep the app working.
- Who we share it with: a short list of named service providers. We do not sell your personal data.
- Where it lives: primarily on EU servers; some service providers are in the US and other countries, under safeguards described below.
- Your rights: access, correction, deletion, portability, objection, withdrawal of consent. Region-specific rights for people in the EU/EEA, UK, Switzerland, the US, Canada, Brazil, and Australia are detailed below.
- Contact: info@flokpetapp.com (routed internally to privacy requests).
1. Who we are
flok sp. z o.o. (“Flok”, “we”, “us”) is the data controller for the personal data processed through the Flok mobile application and the Flok website.
- Registered office: ul. Domaniewska 17/19, lok. 133, 02-672 Warszawa, Poland.
- Contact: info@flokpetapp.com. Privacy and data-subject requests reach the same inbox and are routed to the team handling privacy.
Flok is not required to appoint a Data Protection Officer under Art. 37 GDPR, but you can reach our privacy contact at the address above.
2. Where Flok is available
Flok is available worldwide except Russia and Afghanistan, and except any country or region where provision of the app would violate applicable law, including US (OFAC), EU, or UN sanctions. If you attempt to use the app from an excluded country, we may block access.
3. The data we process
3.1 Data you give us
- Account: name, email, and (optionally) phone number.
- Authentication: password (stored as a salted hash, never in clear text) or Apple / Google sign-in identifier.
- Pet profile: species, breed, date of birth, sex, weight, notes, photos you upload.
- Health & care records: vaccinations, treatments, medications, vet visits, feeding, routines, and any documents you choose to scan or upload.
- Reviews: text and rating you post about pet-service providers (if you choose to post).
3.2 Data collected automatically
- Device & usage: device model, OS version, app version, IP address, crash reports, feature-usage events.
- Location (only when you grant permission): used to find nearby pet services and, in emergencies you trigger, to help services locate you. Background location is never collected.
- Cookies (website only): see §13.
3.3 Special-category data
Pet medical records are not GDPR “special category” data by the letter of Art. 9 (which covers humans). We treat them with equivalent care anyway and rely on your explicit opt-in before storing them.
3.4 Children
Flok is intended for users 13 years of age or older. In the European Economic Area and the United Kingdom, users under 16 (or the lower age set by their member state; Poland: 13) need verifiable parental consent. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has given us personal data, contact info@flokpetapp.com and we will delete it.
4. Why we process your data and on what legal basis
| Purpose | Data categories | EU/UK legal basis (GDPR Art. 6) |
|---|---|---|
| Provide the core Flok service (store records, sync across devices, send reminders) | Account, pet profile, health records | Contract (6(1)(b)) |
| Process your document scans via the Gemini API to extract structured data | Uploaded document images | Consent (6(1)(a)) at the time you use the feature |
| Locate nearby services and emergency vets | Device location | Consent (6(1)(a)) |
| Keep the app secure, prevent abuse, investigate incidents | Device data, usage events, IP | Legitimate interest (6(1)(f)) |
| Fix bugs and improve the app | Crash reports, usage events | Legitimate interest (6(1)(f)) |
| Send essential service emails (password reset, policy updates) | Email address | Contract (6(1)(b)) |
| Send marketing emails | Email address | Consent (6(1)(a)), opt-in only |
| Meet tax and accounting obligations | Billing metadata | Legal obligation (6(1)(c)) |
You can withdraw any consent at any time; withdrawal doesn’t affect processing that already happened.
5. How we share your data
5.1 Service providers (subprocessors)
We use the following service providers to run the app. Each acts as a processor under a written data-processing agreement that includes confidentiality, security, and, where applicable, EU Standard Contractual Clauses.
| Provider | Purpose | Location of processing |
|---|---|---|
| Apple Inc. | App Store distribution, in-app purchases, push notifications via APNs | United States (EU-US Data Privacy Framework certified) |
| Amazon Web Services, Inc. | Application hosting and compute, database, photo and document storage, authentication, transactional email, push delivery | EU region |
| Google LLC | Gemini API for the Document Scanner; Firebase services for analytics, crash reporting, and related telemetry | United States (EU-US Data Privacy Framework certified) |
If we add or replace a material subprocessor, we will update this list and, where required, notify account-holders by email before the change takes effect.
5.2 Veterinarians and third parties you choose
When you export a record or share it from the app, we transmit the data to the recipient you pick. We do not forward data to any third party without your action.
5.3 Legal and safety disclosures
We may disclose personal data when we believe in good faith that it is required to comply with a binding legal order, to protect the vital interests of a person or animal, or to investigate fraud or abuse of the service. We resist overbroad government requests.
5.4 Corporate transactions
If Flok is acquired, merged, or sold, your data may transfer to the successor entity under the same commitments made in this policy. We will notify you before any such transfer changes how your data is used.
5.5 We do not sell your personal data
We do not sell your personal data. We do not share it for cross-context behavioural advertising. This applies equally in California, Virginia, Colorado, Connecticut, Utah, and every other jurisdiction where “sale” or “share” has a defined meaning in the local privacy law.
6. International data transfers
Your data may be processed outside your country.
- EU/EEA / UK / Switzerland → United States transfers (Apple, Google) rely on the EU-US Data Privacy Framework where the recipient is certified, and on EU Standard Contractual Clauses (Module Two or Three as applicable) supplemented by a transfer impact assessment for any non-DPF US transfer.
- Other cross-border transfers rely on Standard Contractual Clauses or the recipient country’s adequacy status as recognised by the European Commission.
- You can request a copy of the relevant safeguards by emailing info@flokpetapp.com.
7. How long we keep your data
| Category | Retention |
|---|---|
| Account (email, name, auth identifier) | For the life of the account plus 60 days, then deleted |
| Pet profile and health records | For the life of the account; on account deletion, deleted within 60 days unless you requested longer retention |
| Uploaded documents and photos | Deleted within 60 days of account deletion |
| Crash reports and diagnostic logs | Up to 90 days |
| Aggregated analytics (non-identifiable) | Up to 26 months |
| Billing records | 5 years from the end of the tax year in which the transaction occurred (Polish Accounting Act, Art. 74) |
| Content needed for legal claims or compliance | For the statutory limitation period, then deleted |
Where the law lets you, you can ask us to delete earlier (see §8).
8. Your rights
Wherever you live, you can ask us to:
- Access the personal data we hold about you and receive a copy.
- Correct inaccurate or incomplete data.
- Delete your data.
- Restrict or object to specific processing.
- Port your data to another service (structured, commonly used, machine-readable format).
- Withdraw consent at any time.
Email info@flokpetapp.com. We respond within 30 days (extendable by two months for complex requests, with notice). We may ask for proof of identity before acting on a request.
If we reject a request, you can complain to a supervisory authority (see your region below).
9. Region-specific rights
9.1 European Economic Area, United Kingdom, Switzerland (GDPR / UK GDPR / nFADP)
You have all the rights in §8, plus the right to lodge a complaint with:
- Poland (primary): Urząd Ochrony Danych Osobowych (UODO), uodo.gov.pl.
- UK: Information Commissioner’s Office, ico.org.uk.
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC), edoeb.admin.ch.
- Any EEA member state: your local data protection authority.
9.2 United States
Residents of the following states have additional rights under their state privacy laws: California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Oregon (OCPA), Texas (TDPSA), and other states as these laws take effect.
You can:
- Know what personal information we have collected about you, the sources, the purposes, and the categories of recipients.
- Delete personal information we collected from you.
- Correct inaccurate personal information.
- Opt out of the “sale” or “share” of personal information. We do not sell or share personal information as those terms are defined; the opt-out is still available.
- Limit the use of Sensitive Personal Information (e.g., precise geolocation). We only use Sensitive Personal Information to deliver features you asked for.
- Non-discrimination: exercising a privacy right does not change the price or level of service.
California “Shine the Light”: California residents may request a list of third parties to whom we disclosed personal information for the third party’s direct marketing purposes in the previous calendar year. We do not do this; the answer is always “none”.
Do Not Sell or Share My Personal Information: we don’t sell or share personal information. To confirm this or exercise any CCPA/CPRA right, email info@flokpetapp.com with the subject line “California Privacy Request” and we will respond within 45 days (extendable once by 45 days with notice).
Authorised agents can submit requests on your behalf with a signed permission. We verify before acting.
Children under 16: we do not sell or share the personal information of minors under 16.
9.3 Canada (PIPEDA + Quebec Law 25)
You have access and correction rights and the right to withdraw consent (subject to legal or contractual requirements). In Quebec, you additionally have a right to data portability and the right to be informed of automated decisions having significant effects; we do not make such decisions.
Complaints: Office of the Privacy Commissioner of Canada, priv.gc.ca. Quebec: Commission d’accès à l’information, cai.gouv.qc.ca.
9.4 Brazil (LGPD)
You have rights to confirmation, access, correction, anonymisation, portability, deletion, information about sharing, information about the consequences of refusing consent, and revocation of consent. Complaints go to the Autoridade Nacional de Proteção de Dados (ANPD), gov.br/anpd.
9.5 Australia (Privacy Act 1988)
You have access and correction rights under the Australian Privacy Principles. Complaints: Office of the Australian Information Commissioner, oaic.gov.au.
9.6 Other jurisdictions
If your local law grants you rights not listed above, we honour them to the extent required. Email info@flokpetapp.com.
10. Automated decision-making
The Document Scanner uses the Google Gemini API to extract text and structured fields from images you upload. The output is suggested back to you for confirmation; no decision producing legal or similarly significant effects is made automatically. You can opt out of using the scanner and enter records manually.
11. Security
We use industry-standard controls: TLS in transit, at-rest encryption for stored data, role-based access limited to staff who need it, audit logging, and ongoing vulnerability management. No system is perfectly secure; we aim for reasonable defence-in-depth.
12. Breach notification
If a personal data breach is likely to result in a high risk to your rights and freedoms, we notify affected users without undue delay. We notify the Polish supervisory authority (UODO) within 72 hours of becoming aware of a notifiable breach, and other authorities as required by local law (UK ICO, California AG, Brazilian ANPD, etc.).
13. Cookies on the website
The Flok website (flokpetapp.com) uses:
- Strictly necessary cookies for basic site function (no consent needed, no tracking).
- Analytics cookies: only set after you accept via the cookie banner on first visit.
You can change your choice at any time via the “Cookie preferences” link in the website footer.
The Flok app does not use browser cookies; it uses native iOS storage for session and preference data.
14. Changes to this policy
We publish material changes here at least 30 days before they take effect and notify you in-app and (for account-holders) by email. Continued use of the service after the effective date means you accept the updated policy. Previous versions are available on request at info@flokpetapp.com.
15. Contact
- Email: info@flokpetapp.com (privacy team routes from here)
- Post: flok sp. z o.o., ul. Domaniewska 17/19, lok. 133, 02-672 Warszawa, Poland