Last updated: May 22, 2026

This Privacy Notice for MoaTails ("we," "us," or "our"), describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:

Download and use our mobile application (MoaTails), or any other application of ours that links to this Privacy Notice.
Use MoaTails. MoaTails is a mobile pet care app that helps pet owners track their pets' health, schedules, and documents, and collaborate with family members or caregivers. Users can manage multi-pet profiles, log feedings, medications, vaccines, weight, and appointments, store documents, receive reminders, and share access with a care team.
Engage with us in other related ways, including any marketing or events.

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at privacy@moatails.com.

SUMMARY OF KEY POINTS

This summary provides key points from our Privacy Notice, but you can find out more details about any of these topics by using our table of contents below to find the section you are looking for.

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use.
Do we process any sensitive personal information? No. Most privacy laws define sensitive personal information as data about natural persons (humans). Pet health data and similar care information are not legally classified as sensitive under those frameworks, though we apply heightened care and security to such data as described in Section 15.
Do we collect any information from third parties? We do not collect any information from third parties.
How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.
In what situations and with which parties do we share personal information? We may share information in specific situations and with specific third parties (such as cloud storage or payment processors).
How do we keep your information safe? We have organizational and technical processes in place to protect your personal information, though no electronic transmission is 100% secure.
What are your rights? Depending on where you are located, you may have certain rights regarding your personal information.
How do you exercise your rights? The easiest way to exercise your rights is by contacting us at privacy@moatails.com.

WHAT INFORMATION DO WE COLLECT?
HOW DO WE PROCESS YOUR INFORMATION?
WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?
WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
HOW DO WE HANDLE YOUR SOCIAL LOGINS?
IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?
HOW LONG DO WE KEEP YOUR INFORMATION?
HOW DO WE KEEP YOUR INFORMATION SAFE?
DO WE COLLECT INFORMATION FROM MINORS?
WHAT ARE YOUR PRIVACY RIGHTS?
CONTROLS FOR DO-NOT-TRACK FEATURES
DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
DO OTHER REGIONS HAVE SPECIFIC PRIVACY RIGHTS?
PET INFORMATION AND USER-GENERATED CONTENT
CARE TEAM COLLABORATION AND SHARED ACCESS
EXTERNAL SHARING AND STORY CARDS
REFERRAL PROGRAM
OFFLINE-FIRST DATA HANDLING
NO SALE OF PERSONAL INFORMATION
DEVICE PERMISSIONS AND SENSOR DATA
DO WE MAKE UPDATES TO THIS NOTICE?
HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?
MARKETING COMMUNICATIONS

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You. The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:

Names
Email addresses

Pet health data. We collect pet health-related information you enter (vaccinations, weight, medications, conditions, treatment notes). While most privacy laws do not technically classify pet health data as "sensitive personal information" — those frameworks apply to natural persons — we apply the same heightened care and security measures to this data as we would to genuinely sensitive information. See Section 15 for details.

Payment Data. We may collect data necessary to process your payment if you choose to make purchases. MoaTails does not collect, process, or store any payment card information. All payments for subscription purchases are processed through Apple App Store, Google Play Store, and our subscription management partner RevenueCat. Payment card details are provided directly to these payment processors and are subject to their respective privacy policies. We receive transaction confirmations and subscription status information from these processors and associate them with your account in order to grant the corresponding subscription entitlements. You may find their privacy notices here:

Social Media Login Data. We may provide you with the option to register with us using your existing social media account details, like your Apple, Google, or other social media account. If you choose to register in this way, we will collect certain profile information about you from the social media provider, as described in the section called "HOW DO WE HANDLE YOUR SOCIAL LOGINS?" below.

Application Data. If you use our application(s), we also may collect the following information if you choose to provide us with access or permission:

Mobile Device Access. We may request access or permission to certain features from your mobile device, including your mobile device's camera, photo library, storage, calendar, and notifications. If you wish to change our access or permissions, you may do so in your device's settings.
Mobile Device Data. We automatically collect device information (such as your mobile device ID, model, and manufacturer), operating system, version information and system configuration information, device and application identification numbers, browser type and version, hardware model, internet service provider and/or mobile carrier, and Internet Protocol (IP) address (or proxy server). If you are using our application(s), we may also collect information about the phone network associated with your mobile device, your mobile device's operating system or platform, the type of mobile device you use, your mobile device's unique device ID, and information about the features of our application(s) you accessed.
Push Notifications. We may request to send you push notifications regarding your account or certain features of the application(s). If you wish to opt out from receiving these types of communications, you may turn them off in your device's settings.

This information is primarily needed to maintain the security and operation of our application(s), for troubleshooting, and for our internal analytics and reporting purposes.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Information automatically collected

In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

Our website (moatails.com) also sets a small number of strictly necessary cookies for language preference and bot protection — no tracking, advertising, or analytics. See Section 5 for the full inventory.

The information we collect includes:

Log and Usage Data. Service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type and settings, information about your activity in the Services (such as date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take such as which features you use), and device event information (such as system activity, error reports — sometimes called "crash dumps" — and hardware settings).
Device Data. Information about your computer, phone, tablet, or other device you use to access the Services. Depending on the device used, this device data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, internet service provider and/or mobile carrier, operating system, and system configuration information.
Location Data. Information about your device's location, which can be either precise or imprecise. How much information we collect depends on the type and settings of the device you use to access the Services. For example, we may use IP-based geolocation to determine your approximate country/region. You can opt out of allowing us to collect this information either by refusing access to the information or by disabling your Location setting on your device. However, if you choose to opt out, you may not be able to use certain aspects of the Services.
Crash and Diagnostic Data. Stack traces, exception details, device state, application breadcrumbs, and release information collected by our error monitoring service (Sentry) for the purpose of diagnosing and fixing application errors.
Analytics Events (with your separate consent). When you opt in to analytics in Settings → Privacy, we use PostHog to capture session and engagement data — including session identifiers, app version, locale, subscription tier, and similar product properties — associated with your account so we can understand how features are used across sessions and devices. We do not transmit your name, email, pet names, pet photos, health entries, or any user-generated content to PostHog. You can withdraw consent at any time from the same screen.

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes only with your prior explicit consent.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

To facilitate account creation and authentication and otherwise manage user accounts. We may process your information so you can create and log in to your account, as well as keep your account in working order.
To deliver and facilitate delivery of services to the user. We may process your information to provide you with the requested service, including pet profile management, calendar entries, reminders, document storage, and Care Team collaboration.
To respond to user inquiries and offer support. We may process your information to respond to your inquiries and solve any potential issues you might have with the requested service.
To send administrative information to you. We may process your information to send you details about our products and services, changes to our terms and policies, and other similar information.
To fulfill and manage subscription orders. We may process your information to fulfill and manage your subscription orders, payments, renewals, and cancellations made through Apple App Store or Google Play Store.
To enable Care Team communications and collaboration. We may process your information to allow you to invite, share data with, and collaborate with Care Team members on your pets' care.
To request feedback. We may process your information when necessary to request feedback and to contact you about your use of our Services.
To protect our Services. We may process your information as part of our efforts to keep our Services safe and secure, including fraud monitoring and prevention.
To deliver targeted communications about our Services. We may process your information to better understand how to provide service-related communications most relevant to you. We do not use your information for third-party advertising.
To save or protect an individual's vital interest. We may process your information when necessary to save or protect an individual's vital interest, such as to prevent harm.

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law.

If you are located in the EU or UK

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on:

Consent: We may process your information if you have given us permission for a specific purpose. You can withdraw your consent at any time.
Performance of a Contract: To fulfill our contractual obligations to you, including providing the Services.
Legitimate Interests: When reasonably necessary to achieve our legitimate business interests, provided those interests do not outweigh your rights and freedoms (e.g., diagnosing problems, preventing fraud, improving user experience).
Legal Obligations: To comply with law enforcement or regulatory requirements, exercise or defend our legal rights, or respond to legal process.
Vital Interests: To protect your vital interests or the vital interests of a third party (e.g., situations involving potential threats to safety).

If you are located in Canada

We may process your information with your express consent or, in some situations, your implied consent. You can withdraw your consent at any time. In limited exceptional cases permitted by applicable law (PIPEDA), we may process information without consent — for example, for fraud detection, witness statements in insurance claims, situations where consent cannot be obtained in a timely way, or where required by subpoena, warrant, or court order.

In Short: We may share information in specific situations described in this section and/or with the following third parties.

Vendors, Consultants, and Other Third-Party Service Providers. We may share your data with third-party vendors, service providers, contractors, or agents ("third parties") who perform services for us or on our behalf and require access to such information to do that work. We have contracts in place with our third parties, which are designed to help safeguard your personal information. This means that they cannot do anything with your personal information unless we have instructed them to do it, and they will not share your personal information with any organization apart from us. They also commit to protect the data they hold on our behalf and to retain it for the period we instruct.

The categories of third parties with which we share personal information are as follows:

Category	Service provider	Purpose
Allow users to connect to third-party accounts	Apple, Google	OAuth authentication / sign-in
Cloud computing services	Supabase, Inc., Journey Mobile (PowerSync)	Database hosting, authentication, offline data synchronization
Functionality and infrastructure optimization	Google LLC (Firebase Cloud Messaging)	Push notification delivery
Subscription and billing	RevenueCat, Inc., Apple App Store, Google Play Billing	Subscription management and payment processing
Web and mobile analytics	PostHog, Inc.	Product analytics associated with your account (with your consent)
Website hosting	Cloudflare, Inc.	Website hosting and content delivery
Performance and error monitoring	Functional Software, Inc. (Sentry)	Crash and error monitoring
Transactional email	Resend, Inc.	Transactional email delivery (e.g., account verification, password reset)
Newsletter signup intake	Formspree, Inc.	Receiving newsletter email-address submissions from the website footer

We may also share information in the following situations:

Business Transfers: In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
Other Users (Care Team): When you invite Care Team members to access your pet's information, those members can view the data you have shared with them based on the permissions you assign. We are not responsible for how Care Team members handle data after you have shared it with them. You can change permissions or remove Care Team members at any time.
Legal Obligations: To comply with applicable law, governmental requests, judicial proceedings, court orders, or legal process.

5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

In Short: Our website uses two strictly necessary cookies (functional + security). We do not use tracking, advertising, or analytics cookies. The mobile application uses no cookies at all.

The MoaTails website (moatails.com) sets the following cookies. These are strictly necessary for the site to function and are exempt from consent requirements under GDPR Art. 5(3), the UK PECR, PIPA Art. 22, and equivalent regimes.

Cookie	Set by	Purpose	Type	Expiry
`NEXT_LOCALE`	next-intl (our framework)	Remembers your selected language so the site doesn't revert to the default on every visit. Set only when you change language from the toggle.	First-party, functional	1 year
`__cf_bm`	Cloudflare (our hosting CDN)	Bot management — distinguishes humans from automated traffic to protect against abuse. Set automatically on every visit at the edge before the site code runs.	First-party (set on our domain), security	30 minutes after last request

We do not set or permit any:

Analytics cookies (no Google Analytics, PostHog, Plausible, or equivalent)
Advertising or retargeting cookies (no Meta Pixel, Google Ads, DoubleClick, or equivalent)
Third-party tracking cookies for any purpose
"Web beacons," tracking pixels, or fingerprinting scripts

We do not use cookies or similar technologies for targeted advertising or to "sell" or "share" personal information as defined under applicable US state privacy laws.

To the extent any tracking technology used on our website is deemed to be a "sale" or "sharing" under applicable US state laws, you can opt out by submitting a request as described under section "DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?".

The MoaTails mobile application itself does not use browser cookies. Our app uses only the device storage required to operate (e.g., the local SQLite database described in Section 19).

You can clear or refuse the cookies above through your browser's settings. Doing so will not prevent the site from working — language preference will fall back to your browser's Accept-Language header, and Cloudflare protection may revalidate on subsequent requests.

In Short: If you choose to register or log in to our Services using a social media account, we may have access to certain information about you.

Our Services offer you the ability to register and log in using your third-party social media account details (such as your Apple ID or Google account). Where you choose to do this, we will receive certain profile information about you from your social media provider. The profile information we receive may vary depending on the social media provider concerned, but will often include your name, email address, and (where applicable) profile picture.

We will use the information we receive only for the purposes that are described in this Privacy Notice or that are otherwise made clear to you on the relevant Services. Please note that we do not control, and are not responsible for, other uses of your personal information by your third-party social media provider. We recommend that you review their privacy notice to understand how they collect, use, and share your personal information, and how you can set your privacy preferences on their sites and apps.

7. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?

In Short: We may transfer, store, and process your information in countries other than your own.

Our servers are located in Japan and the United States, and the Services are operated and administered from India. Regardless of your location, please be aware that your information may be transferred to, stored by, and processed by us in our facilities and in the facilities of the third parties with whom we may share your personal information (see "WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?" above), including facilities in Japan, the United States, India, and other countries.

If you are a resident in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, then these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. However, we will take all necessary measures to protect your personal information in accordance with this Privacy Notice and applicable law.

European Commission's Standard Contractual Clauses. We have implemented measures to protect your personal information, including by using the European Commission's Standard Contractual Clauses for transfers of personal information between us and our third-party service providers. These clauses require all recipients to protect personal information they process originating from the EEA or UK in accordance with European data protection laws and regulations. Our Standard Contractual Clauses can be provided upon request by emailing privacy@moatails.com. We have implemented similar appropriate safeguards with our third-party service providers and partners, with further details available upon request.

For users located in Japan, Korea, India, the United Kingdom, Canada (including Quebec), Switzerland, Brazil, Australia, and New Zealand, we apply additional safeguards specific to those jurisdictions as described in Section 14.

8. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this Privacy Notice unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). No purpose in this notice will require us keeping your personal information for longer than the period of time in which users have an account with us, except as expressly noted below.

Specific retention periods include:

Account and service data: Until account deletion.
Subscription transaction records: 5 years after the transaction (for tax and commercial-record obligations under applicable law, including in India and Korea).
Customer support correspondence: 3 years (for consumer protection record-keeping obligations).
Crash and diagnostic data: 30 days.
Analytics data: Up to 12 months from collection, or until consent is withdrawn — whichever is earlier.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information. If this is not possible (for example, because your personal information has been stored in encrypted backup archives), we will securely store your personal information and isolate it from any further processing until deletion is possible — typically within 30 days as part of our regular backup-rotation cycle.

9. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. Our measures include:

Encryption in transit: All communication between the App and our servers uses TLS encryption.
Encryption at rest (server side): Personal data stored in our managed cloud databases is encrypted at rest by the database provider.
Local device storage: Offline data resides in the application's sandboxed storage on your device, isolated by the operating system. The local SQLite database itself is not separately encrypted; we rely on your device's OS-level protections (passcode/PIN, full-disk encryption on iOS and Android) for at-rest security and delete the local database when you sign out.
Access controls: Database access is restricted to authorized personnel using least-privilege principles. Production and development environments are separated.
Access logging: Access to personal information is logged for audit purposes.
Designated Privacy Officer: A specific individual is responsible for personal information protection (see Section 23 and, for Korean residents, Section 14.7.9).
Periodic review: We periodically review our security measures and update them as needed.

However, despite our safeguards and efforts to secure your information, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

10. DO WE COLLECT INFORMATION FROM MINORS?

In Short: We do not knowingly collect data from or market to anyone under 13 years of age (or under 14 in the Republic of Korea without parental consent).

We do not knowingly collect, solicit data from, or market to anyone under 13 years of age, nor do we knowingly sell such personal information. For Korean residents, Section 14.7.8 describes the additional under-14 child-data protections we apply under PIPA; users under 14 in the Republic of Korea must confirm parental consent at signup as a condition of using the Services.

By using the Services, you represent that you are at least 13 years old, or that you are the parent or guardian of such a minor and consent to that minor's use of the Services. If we learn that personal information from users under 13 has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records.

If you become aware of any data we may have collected from anyone under 13, please contact us at privacy@moatails.com.

11. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: Depending on your region, you have rights that allow you greater access to and control over your personal information.

You may have the right to:

Request access and obtain a copy of your personal information.
Request rectification or erasure.
Restrict or object to processing.
Data portability.
Not be subject to solely automated decision-making that produces legal or similarly significant effects.

To exercise these rights, contact us at privacy@moatails.com.

If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you have the right to lodge a complaint with your Member State's data protection authority or the UK Information Commissioner's Office. If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.

If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time by contacting us at privacy@moatails.com or by updating your preferences in the app. Withdrawing consent will not affect the lawfulness of processing carried out before the withdrawal, nor processing carried out on other lawful grounds.

Opting out of marketing communications

You can unsubscribe from our marketing emails at any time by clicking the unsubscribe link in any marketing email or by emailing privacy@moatails.com. You will then be removed from marketing lists, but we may still send you service-related messages necessary for the administration and use of your account.

For our full marketing consent disclosure — including the personal information we use, the purpose, retention period, and your right to refuse — see Section 25.

Account information and deletion

You can review or update your account information at any time through the in-app Settings menu. To delete your account, use Settings → Account → Delete Account in the app, or email privacy@moatails.com. Upon account deletion, we will deactivate or delete your account and personal information from our active databases. We may retain limited information to prevent fraud, troubleshoot problems, assist with investigations, enforce our Legal Terms, or comply with applicable legal obligations.

12. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers include a Do-Not-Track ("DNT") feature. We do not currently respond to DNT browser signals as no uniform technology standard has been finalized.

13. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

In Short: If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have specific rights regarding your personal information.

Categories of Personal Information We Collect

We have collected the following categories of personal information in the past twelve (12) months:

Category	Examples	Collected
A. Identifiers	Name, email address, IP address, account name, device identifiers	YES
B. Customer Records (Cal. Civ. Code §1798.80(e))	Name, contact information	YES
C. Protected classifications	Age, race, gender, demographic data	NO
D. Commercial information	Subscription transaction identifiers, purchase history	YES
E. Biometric information	Fingerprints, voiceprints	NO
F. Internet/network activity	Usage data, app interactions, feature usage	YES
G. Geolocation data	Device location (coarse, IP-based)	YES
H. Audio, electronic, sensory information	Pet photos, uploaded documents	YES
I. Professional/employment information	—	NO
J. Education information	—	NO
K. Inferences	—	NO
L. Sensitive personal information	—	NO

Your Rights

You have the following rights, subject to applicable law:

Right to know what personal information we collect, use, disclose, and (if applicable) sell
Right to access a copy of your personal information
Right to correct inaccuracies in your personal information
Right to delete your personal information
Right to opt out of the sale or sharing of your personal information for targeted advertising (we do not sell or share)
Right to limit the use of sensitive personal information
Right to non-discrimination for exercising these rights

How to Exercise Your Rights

Email us at privacy@moatails.com, or use the in-app Settings → Privacy menu. We will respond within the timeframes required by applicable law (generally 45 days, with one possible 45-day extension where reasonably necessary).

Request Verification

Upon receiving your request, we will need to verify your identity to confirm you are the person about whom we hold information. We will only use information provided in your request to verify your identity or authority to make the request. If we cannot verify your identity from information already on file, we may request additional information for verification or fraud-prevention purposes.

Authorized Agent

You may designate an authorized agent to submit a request on your behalf. We may require:

Proof that you have provided the agent with signed permission to act on your behalf, and
Verification of your own identity directly with us.

We may deny requests from agents who do not provide sufficient proof of authorization.

Appeals

If we decline to act on your request, you may appeal our decision by emailing privacy@moatails.com with "Privacy Appeal" in the subject line. We will respond in writing with our action taken or the reasons for declining. If your appeal is denied, you may submit a complaint to your state attorney general or applicable regulator.

California "Shine The Light" Law

California Civil Code Section 1798.83 ("Shine The Light") permits California residents to request, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for those third parties' direct marketing purposes during the immediately preceding calendar year, and the names and addresses of those third parties. We do not disclose personal information to third parties for their direct marketing purposes. California residents may submit such a request by emailing privacy@moatails.com.

We do not sell or share your personal information for targeted advertising, and we have not done so in the preceding twelve (12) months.

14. DO OTHER REGIONS HAVE SPECIFIC PRIVACY RIGHTS?

In Short: You may have additional rights based on the country you reside in.

14.1 Australia and New Zealand

We collect and process your personal information under the obligations and conditions set by Australia's Privacy Act 1988 (as amended by the Privacy and Other Legislation Amendment Act 2024) and New Zealand's Privacy Act 2020. This Privacy Notice satisfies the notice requirements defined in both Acts: what personal information we collect, from which sources, for which purposes, and other recipients.

Australian Privacy Principles (APPs). We handle personal information in accordance with the 13 Australian Privacy Principles, including the requirements for open and transparent management (APP 1), notice of collection (APP 5), use and disclosure (APP 6), data quality (APP 10), data security (APP 11), access and correction (APPs 12–13), and cross-border disclosure (APP 8).

Cross-border disclosure (APP 8). Your personal information may be disclosed to recipients located outside Australia, including Japan (Supabase, PowerSync), the United States (PostHog, Sentry, RevenueCat, Cloudflare, Google, Resend, Formspree), and India (MoaTails operations). We take reasonable steps to ensure these recipients comply with the Australian Privacy Principles by entering into Data Processing Agreements with each.

Automated decision-making. We do not use solely automated decision-making (with legal or similarly significant effects) to process Australian users' personal information. If we introduce such processing in the future, we will update this Privacy Notice in compliance with the disclosure requirements that come into effect on 10 December 2026.

Statutory tort. From 10 June 2025, Australian residents may have a statutory cause of action for serious invasions of privacy under the Privacy and Other Legislation Amendment Act 2024.

You have the right to request access to or correction of your personal information by emailing privacy@moatails.com. If you believe we are unlawfully processing your personal information, you may submit a complaint to:

Office of the Australian Information Commissioner (OAIC) — oaic.gov.au · 1300 363 992
Office of the New Zealand Privacy Commissioner — privacy.org.nz · 0800 803 909

If you are located in the United Kingdom, we process your personal information in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025.

The legal bases on which we process your personal information are the same as those described in Section 3 for EU residents. UK residents enjoy substantively the same rights described in Section 11, including access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making.

International transfers from the UK. Personal information transferred from the UK to recipients in third countries (Japan, United States, India) is protected by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, with additional safeguards as required.

Complaints process. From 26 June 2026, you have the right to make a complaint to us about our handling of your personal information. We will acknowledge complaints within seven (7) calendar days and resolve them within thirty (30) days, unless additional time is necessary, in which case we will inform you. To submit a complaint, email privacy@moatails.com with subject "UK Privacy Complaint."

If your complaint is not resolved to your satisfaction, you may escalate it to the Information Commissioner's Office (ICO) — ico.org.uk · 0303 123 1113.

We currently rely on Article 27(2) of the UK GDPR exemptions for non-occasional, low-risk processing and have not appointed a UK representative. If our processing scale or risk profile changes such that a UK representative is required, we will update this Privacy Notice.

14.3 Canada (PIPEDA) and Quebec (Law 25)

In addition to the legal bases set out in Section 3, the following provisions apply to Canadian residents:

PIPEDA. We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) for personal information of Canadian residents. You have rights of access, correction, and withdrawal of consent. Complaints unresolved by us may be submitted to the Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca · 1-800-282-1376.

Quebec residents — Law 25 (Act respecting the protection of personal information in the private sector). If you reside in Quebec, the following apply in addition:

Right to data portability. You may request a copy of your personal information in a structured, commonly used technological format, where the information was collected from you (and not created or inferred by us).
Right to information about automated decision-making. We do not currently make decisions concerning you based exclusively on automated processing. If we introduce such processing in the future, we will inform you and explain the principal factors and parameters leading to the decision.
Confidentiality incident reporting. In the event of a confidentiality incident presenting a risk of serious injury, we will notify the Commission d'accès à l'information du Québec (CAI) and the affected persons without delay.
Cross-border transfer. Personal information of Quebec residents may be communicated outside Quebec to Japan, the United States, and India, as described in Section 7. Before transferring, we have conducted a privacy impact assessment to confirm that the receiving jurisdictions provide a level of protection equivalent to that applicable in Quebec, supported by Data Processing Agreements with each recipient.
Person in charge of personal information. Bhagwat Garg acts as our Person in Charge of the Protection of Personal Information for Quebec purposes and may be contacted at privacy@moatails.com.

You may submit complaints regarding our handling of your personal information to the Commission d'accès à l'information du Québec (CAI) — cai.gouv.qc.ca.

14.4 Switzerland (Federal Act on Data Protection — FADP)

If you are a resident of Switzerland, we process your personal data in accordance with the revised Federal Act on Data Protection (FADP / nFADP) in force since 1 September 2023. You have rights of access, correction, deletion, restriction, objection, and data portability substantively similar to those under the EU GDPR. You may contact us at privacy@moatails.com to exercise these rights, or submit complaints to the Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch.

14.5 Brazil (Lei Geral de Proteção de Dados — LGPD, Law No. 13.709/2018)

If you are a resident of Brazil, we process your personal data in accordance with the Lei Geral de Proteção de Dados (LGPD).

Lawful basis. We process Brazilian residents' personal data on the bases of consent, performance of a contract, legitimate interest (subject to your rights), and compliance with legal obligations, as set out in Article 7 of the LGPD.

Data Subject Rights. Under Article 18 of the LGPD, you have the right to:

Confirmation of processing
Access to your personal data
Correction of incomplete, inaccurate, or outdated data
Anonymization, blocking, or deletion of unnecessary or excessive data
Portability of your data
Deletion of personal data processed with your consent
Information about public and private entities with which we have shared your data
Information about the possibility of denying consent and the consequences of doing so
Withdrawal of consent

To exercise these rights, email privacy@moatails.com with subject "LGPD Request." We will respond in Portuguese where requested.

International transfer. Personal data of Brazilian residents may be transferred to Japan, the United States, and India, as described in Section 7. Such transfers are made under Data Processing Agreements that provide a level of protection at least equivalent to that required by the LGPD.

Data Protection Officer (Encarregado). As a small processing agent (microenterprise / startup with limited-risk processing) under Resolution CD/ANPD No. 2/2022, we are exempt from the mandatory appointment of an encarregado. However, you may contact our designated privacy contact for all LGPD matters at privacy@moatails.com. If we cease to qualify for this exemption, we will appoint a formal encarregado and update this Privacy Notice.

Children and adolescents (ECA Digital, Law 15.211/2025). Where applicable, we comply with Brazil's Digital Statute for Children and Adolescents (effective March 2026), including not knowingly processing the personal data of users under 18 without parental consent.

Complaints. You may submit complaints to the Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd.

14.6 India — Digital Personal Data Protection Act, 2023 (DPDP Act)

In Short: MoaTails is operated from India. As a Data Fiduciary under the DPDP Act, 2023, we apply DPDP protections to all users.

We are based in India and act as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Digital Personal Data Protection Rules, 2025.

Your rights as a Data Principal

Under the DPDP Act, you have the right to:

Obtain a summary of the personal data we process, the processing activities undertaken, and the identities of other Data Fiduciaries or Data Processors with whom we have shared your personal data
Request correction, completion, updating, or erasure of your personal data
Lodge a grievance with our designated Grievance Officer (see below)
Nominate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity

We process your personal data on the basis of your free, specific, informed, unconditional, and unambiguous consent, given through clear affirmative action. You may withdraw your consent at any time by the same means through which it was given (in-app Settings → Privacy or by emailing privacy@moatails.com). Withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal.

We do not rely on a "legitimate interests" basis for processing the personal data of Data Principals located in India, except as permitted under Section 7 of the DPDP Act for "legitimate uses" specifically enumerated by law.

Children and persons with disability

We do not knowingly process the personal data of children under 18 years of age without verifiable consent from their parent or lawful guardian. We do not track, profile, or target advertising at children. Where a Data Principal is a person with disability with a lawful guardian, we obtain the guardian's consent in accordance with applicable law.

Grievance Officer

If you have a grievance regarding the processing of your personal data, you may contact our Grievance Officer:

Name: Bhagwat Garg
Email: privacy@moatails.com (subject line: "DPDP Grievance")
Address: Noida, Uttar Pradesh, India

We will acknowledge your grievance within a reasonable time and respond within 90 days as required by the DPDP Rules, 2025.

Notification of personal data breach

In the event of a personal data breach affecting your personal data, we will notify the Data Protection Board of India and you without undue delay, in the manner and form prescribed by applicable law.

Cross-border transfer

Your personal data may be transferred to and processed in countries outside India, including Japan and the United States, as described in Section 7 of this Privacy Notice. We implement appropriate safeguards in accordance with the DPDP Act for such transfers. If the Central Government of India notifies any restriction on the transfer of personal data to specified countries or territories, we will comply with such restrictions.

14.7 Republic of Korea — Personal Information Protection Act ("PIPA")

In Short: If you reside in the Republic of Korea, these additional provisions apply and, together with the rest of this Privacy Notice, constitute our Personal Information Processing Policy (개인정보처리방침).

If you are a resident of the Republic of Korea, the following provisions apply to you in addition to — and, where inconsistent, in precedence over — the other provisions of this Privacy Notice.

14.7.1 Personal Information We Collect and Purposes of Processing (개인정보의 처리 목적)

We collect and process the following categories of personal information for the stated purposes and retention periods:

Purpose	Items collected	Retention period
Account creation and authentication	Name, email address, OAuth identifiers (Google / Apple)	Until account deletion
Service provision (pet profiles, calendar, documents, notifications)	Pet profiles, calendar entries, uploaded documents, photos, device push tokens	Until account deletion
Subscription and payment processing	Transaction identifier, subscription status (received from RevenueCat / Apple / Google)	5 years (Commercial Act; tax records)
Customer support and grievance handling	Email correspondence, in-app feedback	3 years (Act on the Consumer Protection in Electronic Commerce)
Crash and diagnostic reporting	Crash logs, device information, OS version, application state	30 days
Product analytics (with your separate consent)	Event data and session identifiers associated with your account	Until consent is withdrawn or 12 months, whichever is earlier

You may refuse consent to the collection and processing of personal information. Refusal of consent to required items will limit or prevent your use of the Services. Refusal of consent to optional items (such as product analytics) will not affect your use of the Services.

14.7.3 Provision to Third Parties (제3자 제공)

We do not provide your personal information to third parties for their own purposes, except where required by law or with your separate prior consent.

14.7.4 Outsourcing of Processing (처리 위탁)

We outsource the processing of personal information to the following entrustees. Each entrustee processes personal information only as necessary for the outsourced task and under a data processing agreement:

Entrustee	Outsourced tasks	Items processed
Supabase, Inc.	Database and authentication hosting	All account and service data
Journey Mobile, Inc. (PowerSync)	Offline data synchronization	Service data
PostHog, Inc.	Product analytics (with consent)	Event data associated with your account
Functional Software, Inc. (Sentry)	Crash and error monitoring	Crash diagnostic data
RevenueCat, Inc.	Subscription management	Transaction identifiers
Cloudflare, Inc.	Website hosting and content delivery	Request metadata
Google LLC (Firebase Cloud Messaging)	Push notification delivery	Device tokens
Resend, Inc.	Transactional email delivery	Email address, message content
Formspree, Inc.	Newsletter email-address intake from the website footer	Email address

14.7.5 Cross-Border Transfer of Personal Information (국외이전)

Your personal information is transferred outside the Republic of Korea as follows:

Destination	Recipient	Items	Purpose	Method and timing	Retention
Japan	Supabase, Inc.; Journey Mobile, Inc. (PowerSync)	All service data	Database hosting; offline data synchronization	Network transmission at the time of use	Until account deletion
United States	PostHog, Sentry, RevenueCat, Cloudflare, Google, Resend, Formspree	Varies by service (see 14.7.4)	As specified in 14.7.4	Network transmission at the time of use	As specified in 14.7.4
India	MoaTails (Bhagwat Garg)	Account and service data for administration and support	Service operation	Network transmission at the time of use	Until account deletion

By using the Services, you consent to these transfers. You may withdraw consent at any time by deleting your account; note that withdrawal may prevent continued use of the Services.

14.7.6 Rights of Data Subjects (정보주체의 권리)

You have the right to:

Request access to your personal information (열람)
Request correction of your personal information (정정)
Request deletion of your personal information (삭제)
Request suspension of processing of your personal information (처리정지)

You may exercise these rights directly within the app (Settings → Privacy), by emailing privacy@moatails.com, or by contacting our Personal Information Protection Manager (see 14.7.9). We will respond within 10 days of receiving your request, as required by PIPA.

14.7.7 Destruction of Personal Information (개인정보 파기)

When the retention period for personal information expires or the purpose of processing is otherwise fulfilled, we destroy the personal information without delay using the following methods:

Electronic files: permanent deletion from active databases. Data in encrypted backups is overwritten during the next backup rotation cycle, within 30 days of deletion.
Paper documents: shredding or incineration. We do not currently retain personal information in paper form.

14.7.8 Children Under 14 (만 14세 미만 아동)

We do not knowingly collect personal information from children under 14 years of age. If a child under 14 wishes to use the Services, the verifiable consent of a legal guardian is required. If we become aware that we have collected personal information from a child under 14 without such consent, we will delete the information without delay.

14.7.9 Personal Information Protection Manager (개인정보 보호책임자)

Role	Name	Contact
Personal Information Protection Manager	Bhagwat Garg	privacy@moatails.com
Grievance Contact	Bhagwat Garg	privacy@moatails.com

14.7.10 Domestic Agent (국내대리인)

MoaTails currently does not meet the thresholds requiring designation of a Domestic Agent under Article 31-2 of PIPA (annual global revenue ≥ KRW 1 trillion or processing personal information of more than 1 million Korean Data Subjects). If we meet those thresholds in the future, we will designate a Domestic Agent and update this Privacy Notice with the agent's contact details.

14.7.11 Remedies for Rights Violations (권익침해 구제방법)

If you believe your rights have been violated, you may seek remedies through the following Korean authorities:

Personal Information Protection Commission (개인정보보호위원회) — pipc.go.kr · 국번없이 182
Personal Information Dispute Mediation Committee (개인정보분쟁조정위원회) — kopico.go.kr · 1833-6972
Korea Internet & Security Agency Privacy Infringement Reporting Center (개인정보침해신고센터) — privacy.kisa.or.kr · 국번없이 118
Cyber Investigation Bureau, Supreme Prosecutors' Office (대검찰청 사이버수사과) — 국번없이 1301
Cyber Bureau, National Police Agency (경찰청 사이버수사국) — 국번없이 182

14.7.12 Security Measures (안전성 확보조치)

We implement the following measures to protect personal information, as required by PIPA:

Administrative: designated Personal Information Protection Manager, documented internal access controls, periodic training
Technical: encryption of personal information in transit (TLS) and at rest, access control to databases, separation of production and development environments, logging of access to personal information
Physical: not applicable — we do not maintain on-premises servers or paper records

14.7.13 Automatic Collection Devices (자동 수집 장치)

The MoaTails mobile application does not use cookies. Our website (moatails.com) uses only the two strictly necessary cookies inventoried in Section 5 — one for language preference and one for bot protection. We do not use cookies for tracking, advertising, or analytics. You may refuse or clear these cookies through your browser settings.

14.7.14 Changes to This Korean Privacy Notice (개인정보 처리방침 변경)

If we make material changes to this Korean-specific section, we will notify you by in-app notification at least 7 days before the changes take effect. For changes that are disadvantageous to your rights, we will notify you at least 30 days in advance and, where required by law, obtain your renewed consent.

14.8 Japan — Act on the Protection of Personal Information ("APPI")

In Short: If you reside in Japan, the following additional provisions apply under the Act on the Protection of Personal Information (個人情報保護法).

If you are a resident of Japan, the following provisions apply to you in addition to the other provisions of this Privacy Notice. As a foreign business operator that supplies services to data subjects located in Japan, MoaTails is subject to the extraterritorial application of the APPI.

14.8.1 Business Operator Information

Personal Information Handling Business Operator: Bhagwat Garg, doing business as MoaTails
Address: Noida, Uttar Pradesh, India
Contact: privacy@moatails.com

14.8.2 Purpose of Use (利用目的)

We use personal information of Japanese residents only for the purposes set out in Section 2 of this Privacy Notice (account management, service provision, support, security, communications, and product improvement). We will not use personal information beyond these stated purposes without obtaining your separate consent.

14.8.3 Provision to Third Parties (第三者提供)

We do not provide personal information of Japanese residents to third parties for their own independent purposes, except (a) where you have given consent, (b) where required by law, or (c) where the recipient is a service provider acting under our instruction (entrusted processing under APPI Article 27, paragraph 5).

14.8.4 Cross-Border Transfer of Personal Information (外国にある第三者への提供)

Your personal information is transferred to and processed in Japan, the United States, and India. We provide the following information about the recipient countries' personal information protection systems, in compliance with APPI Article 28:

Japan: APPI applies; Personal Information Protection Commission (PPC) is the supervisory authority. Hosted with Supabase, Inc. (Tokyo region).
United States: Federal sectoral laws and state-level laws (CCPA/CPRA, etc.) apply. The United States is not designated as having an adequate level of protection equivalent to Japan, and we therefore implement contractual safeguards (Data Processing Agreements with our service providers).
India: The Digital Personal Data Protection Act, 2023 applies; MoaTails operates from India under DPDP requirements.

By using the Services, you consent to these transfers. We have implemented appropriate safeguards through Data Processing Agreements with each recipient.

14.8.5 Disclosure, Correction, Suspension Procedures (開示・訂正・利用停止手続)

You have the right to request disclosure, correction, addition, deletion, suspension of use, suspension of provision to third parties, or disclosure of records of provision to third parties of your retained personal data. To make a request:

In-app: Settings → Privacy
Email: privacy@moatails.com (subject line: "APPI Disclosure Request")

We will respond without delay, generally within 30 days. We may request information necessary to verify your identity before processing your request.

14.8.6 Safety Management Measures (安全管理措置)

We implement organizational, personnel, physical, and technical safety management measures for personal information, as described in Section 9 of this Privacy Notice. Information regarding our specific safety management measures is available upon request to privacy@moatails.com.

14.8.7 Notification of Personal Data Breach

In the event of a personal data breach that meets the thresholds set by the APPI (including breaches involving sensitive personal information, breaches creating a risk of property damage, breaches resulting from improper use such as cyberattack, or breaches involving more than 1,000 data subjects), we will report to the Personal Information Protection Commission (PPC) and notify affected individuals as required by law.

14.8.8 Complaints

You may submit complaints regarding the handling of your personal information by emailing privacy@moatails.com. You may also contact the Personal Information Protection Commission (個人情報保護委員会) at ppc.go.jp.

15. PET INFORMATION AND USER-GENERATED CONTENT

In Short: Information about your pets — including health records, photos, and care notes — is content you create and control.

When you use MoaTails, you create and upload content about your pets, including:

Pet profiles (name, photo, species, breed, color, date of birth, gender, microchip number, health tags, and notes such as allergies)
Calendar entries (feedings, water intake, medications, vaccines, weight, appointments, activities, tasks, and free-form notes)
Health metrics and tracked values (weight history, computed trends)
Documents such as veterinary records, receipts, and prescriptions
Photos attached to pets, calendar entries, or story cards

This pet information is your content. We store and process it solely to provide the Services to you — for example, to display your pets' information across your devices, to sync data with Care Team members you have authorized, to send reminders, and to generate health insights. We do not use your pet information to train artificial intelligence models, sell it to third parties, or for any purpose unrelated to delivering the Services.

While pet health data is not technically considered "sensitive personal information" under most applicable privacy laws (which apply to natural persons), we treat it with the same care and security measures as other personal information you provide.

16. CARE TEAM COLLABORATION AND SHARED ACCESS

In Short: When you invite others to help care for your pet, they can see and edit information you have shared with them.

MoaTails allows you to invite family members, caregivers, veterinarians, pet sitters, or other individuals ("Care Team members") to collaborate on your pets' care. When you invite someone to your Care Team:

We share their email address and/or a generated invitation code or link so they can join.
Once they accept, they gain access to the pet(s) and data you have granted them permission to view or edit, based on the role you assign (Owner or Caregiver) and the per-entity-type permissions you configure.
Care Team members may see your name, profile photo, and activity within the shared pet(s).
Care Team members may add, modify, or delete data within the permissions you have granted them.

You can change permissions or remove Care Team members at any time through the app. When you remove a Care Team member, they lose access to your pets' information going forward, but may retain copies of information they previously viewed (for example, in their device's cache or local memory).

If you are invited to a Care Team by another user, your participation is governed by the permissions that user grants you. You are responsible for using that access appropriately.

In Short: You control what you share outside the app. Once shared, we cannot control how others use that content.

MoaTails includes features that allow you to share content outside the Services:

Story Cards: Shareable images you create to celebrate milestones (e.g., adoption anniversaries, birthdays), which may include your pet's photo, name, selected statistics, and a personal message.
iCal Feeds (available on Premium plan): Auto-generated calendar feed URLs that export your pets' scheduled events to external calendar applications such as Google Calendar or Apple Calendar. (MoaTails offers two paid tiers: Plus and Premium, each available as monthly or annual subscriptions through Apple App Store and Google Play Store.)
Shared Documents or Content: Any content you choose to export, screenshot, or share via your device's share sheet.

When you share content externally, that content leaves our Services and becomes subject to the privacy practices of the platform or recipient you share it with. We cannot control or be responsible for how third parties use content you voluntarily share with them. We recommend reviewing what is included in a Story Card or shared feed before sharing it, particularly if it contains information you consider private.

For iCal feeds, the feed URL functions as an access token — anyone with the URL can subscribe to and view the feed. You can regenerate the token at any time to invalidate a previously shared URL.

18. REFERRAL PROGRAM

In Short: When you apply a referral code or share yours, we track the connection for reward purposes only.

MoaTails offers a referral program that allows users to invite others using a 6-character invite code. When:

You share your referral code: We track when your code is applied by new users so we can credit you with any applicable rewards.
You apply someone else's referral code: We associate your account with the referrer's account solely for attribution and reward purposes.

Referral activity is not shared with third-party advertising networks and is not used to build advertising profiles about you. Referral data is retained for as long as your account is active.

19. OFFLINE-FIRST DATA HANDLING

In Short: MoaTails works offline. Your data lives on your device and syncs with our servers when you're connected.

MoaTails is designed to work offline. This means:

Your pets' data is stored locally on your device in a SQLite database managed by PowerSync, residing in the application's sandboxed storage. The local database itself is not separately encrypted; we rely on your device's OS-level protections (passcode/PIN, full-disk encryption) for at-rest security, and the local database is deleted when you sign out.
You can view, create, and modify entries without an internet connection.
When your device reconnects to the internet, local changes are synchronized with our servers (Supabase) so that your data is backed up and available across your devices and to your Care Team.

If you uninstall the MoaTails app from your device, the local copy of your data is removed from that device, but a copy remains on our servers as long as your account is active. To permanently delete your data from our servers, you must delete your account from within the app (Settings → Account → Delete Account) or contact us at privacy@moatails.com.

20. NO SALE OF PERSONAL INFORMATION

In Short: We do not sell your personal information. We never have.

MoaTails does not sell your personal information, and has never sold personal information, within the meaning of the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), or any other applicable US state privacy law. We do not share personal information with third parties for their own advertising, marketing, or data-broker purposes.

We do disclose personal information to service providers (listed in Section 4) who process it on our behalf under contracts that restrict their use of that information to providing services to us. These disclosures are not "sales" under applicable law.

If we ever change this practice, we will update this Privacy Notice and provide you with the opportunity to opt out before any sale occurs.

21. DEVICE PERMISSIONS AND SENSOR DATA

In Short: We only request device permissions you opt into, and we explain why before asking.

MoaTails may request access to certain features of your mobile device to provide specific functionality:

Camera: To capture pet photos or scan documents (only when you tap to take a photo).
Photo Library and Storage: To select existing photos or attach document files to your pets or calendar entries.
Microphone (iOS only, optional): If you choose to record a video clip of your pet using the in-app camera, the microphone is used solely to capture audio in that video. Audio is never recorded outside of an active video-capture action you initiate, and we do not transmit audio to our servers separately from the video file you save to your pet's profile.
Notifications: To send reminders for pet care tasks, medications, appointments, and Care Team activity.
Calendar (optional): For iCal feed integration, if you choose to subscribe to your MoaTails calendar in an external calendar application.

We do not request access to your location (precise GPS), contacts, motion sensors, Bluetooth, or health/fitness data from Apple Health or Google Fit. If a future feature requires new permissions, we will explain why at the point we request access, and you can always decline.

You can change or revoke any device permission at any time through your device's system settings. Revoking permissions may prevent the related feature from working but will not otherwise affect your account.

22. DO WE MAKE UPDATES TO THIS NOTICE?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Notice from time to time. The updated version will be indicated by a revised "Last updated" date. If we make material changes, we will notify you by prominent in-app notification or email. We encourage you to review this Privacy Notice periodically.

23. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, you may contact our Data Protection Officer (DPO) by:

Email: privacy@moatails.com
Post: Bhagwat Garg (DPO), Noida, Uttar Pradesh, India

24. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

You have several ways to review, update, or delete your data:

In-app review and update. Open Settings → Privacy to review your consent status and toggle your analytics and marketing preferences. Pet profiles, calendar entries, documents, and other content can be edited or deleted directly from the relevant screens.
In-app data export. Open Settings → Privacy → Export Data to download a copy of your data in a structured, machine-readable format (JSON), satisfying portability rights under GDPR Article 20, LGPD Article 18, PIPA Article 35-2, and Quebec's Law 25.
In-app account deletion. Open Settings → Account → Delete Account to permanently delete your account and all associated personal data. Deletion is irreversible. Server-side data is purged immediately on submission; encrypted backups are overwritten in the next rotation cycle, typically within 30 days.
By email. Contact us at privacy@moatails.com for assistance with any of the above, or to exercise rights described in Section 11, Section 13, or Section 14.

25. MARKETING COMMUNICATIONS

In Short: We collect explicit, separate consent before sending you marketing emails. Marketing is the only optional consent we collect at this layer, and refusing has no effect on your use of the app.

This Section describes how we obtain and handle consent for marketing communications. It is structured to satisfy the explicit-consent requirements of GDPR Art. 6(1)(a) (EU/UK), PIPA Art. 22(4) and Network Act Art. 50 (Korea), CASL (Canada), LGPD (Brazil), and equivalent regimes worldwide.

25.1 What we collect, why, and for how long

Item	Detail
Personal information used	Email address
Purpose of use	Sending pet care tips, app updates, and seasonal advice
Retention period	Until you withdraw consent
Your right to refuse	You have the right to refuse this consent. Refusing has no effect on your access to any core feature of the MoaTails app.
Channels	Email only. We do not use SMS, push notifications, or in-app interstitials for marketing communications.
Third parties	Marketing emails are sent by us directly via our transactional email processor (Resend, Inc.). For website-footer newsletter signups, the email address is first received by Formspree, Inc. (United States) acting as our processor for form intake, then stored in our subscriber list. Your email address is not shared with any third party for their own marketing purposes.

Marketing consent is collected separately from account signup and is never bundled with any required consent. There are two opt-in surfaces:

Inside the app, via a deferred prompt that fires after you've used the app for a while. You may also opt in or out at any time via Settings → Privacy → Marketing.
On our website footer, via the newsletter signup widget. The 4-item disclosure above is shown directly above the Subscribe button so your click constitutes an informed affirmative action under GDPR/PIPA standards.

We do not pre-tick consent boxes, do not use asymmetric button styling between accept and decline, and do not use master "agree-to-all" toggles that bundle marketing with required consents.

You may withdraw at any time, by any of the following methods:

Tap the unsubscribe link in any marketing email
Toggle Settings → Privacy → Marketing off in the app
Email privacy@moatails.com

Withdrawal is processed immediately. You will be removed from marketing lists but may still receive service-related messages necessary for account administration (e.g., billing notices, security alerts, policy update prompts).

25.4 Frequency

We do not commit to a specific sending frequency. We aim for substantive over frequent and reserve the right to adjust cadence over time. If we ever introduce a fixed cadence commitment, we will update this Section first.

25.5 Korea Network Act Art. 50-8 — biennial renewal

For users who consent to marketing communications and whose locale at consent time was Korean (ko), we will re-ask for consent every 2 years as required by the Korean Network Act. If you decline at the renewal prompt or fail to respond, you will be removed from marketing lists automatically.

25.6 Audit log

Every consent grant and withdrawal is recorded in our audit table (user_consents) with the timestamp, source (signup vs. settings vs. marketing prompt vs. auto-expiry), locale at acceptance, and app version. You can request your full consent history via the data export at Settings → Privacy → Export Data in the app.