Privacy Policy
Last updated: 15 May 2026
Effective from: 15 May 2026
1. Who we are
Superkin is a service operated by Superwild Ltd, a company registered in England and Wales (company number 17138850), registered office: Moy Road Industrial Estate, Taffs Well, Cardiff, Wales, CF15 7QR.
In this policy, "we", "us" and "our" mean Superwild Ltd. "You" means anyone who uses Superkin — whether you're the owner of an account, a team member someone invited, a dog walker, a vet, or a visitor to our website.
We are the data controller for the personal data we process about you.
If you have any questions about this policy or your data, email us at hello@superkin.app.
2. What this policy covers
This policy explains what personal data we collect from you, why we collect it, what we do with it, who we share it with, and what rights you have under UK data protection law (the UK GDPR and the Data Protection Act 2018).
It applies to:
- Our website at superkin.app
- The Superkin mobile apps for iOS and Android
- Our customer support communications
If you're a vet practice signing up to Superkin's veterinary tier in the future, a separate addendum will apply — we'll send you that when the time comes.
3. What we collect, why, and our legal basis
We try to collect only what we need. Here's the full picture.
3.1 Account data
| What | Why | Legal basis |
|---|---|---|
| Your email address | To sign you in via magic links and contact you about your account | Contract |
| Your display name | To show in your dog's feed so your team knows who logged what | Contract |
| Authentication tokens (managed by Supabase) | To keep you signed in | Contract |
3.2 Your dog's data
| What | Why | Legal basis |
|---|---|---|
| Dog's name, breed, date of birth, life stage | To personalise the service and generate plans | Contract |
| Hero photo (if you add one) | To show on your dog's profile | Contract |
| Weight, medications, vet practice (if you add them) | To power the Money Tab and Vet Brief features | Contract |
3.3 What your team logs
| What | Why | Legal basis |
|---|---|---|
| Notes — text observations about your dog (health, behaviour, mood, training) | To build the dog's record and inform the weekly plan | Contract |
| Tasks — feeding, walking, medications | Same | Contract |
| Voice recordings (audio files) | To transcribe via OpenAI Whisper so you don't have to type | Contract |
| Transcripts of voice recordings | To populate notes and tasks | Contract |
| Photos you attach to notes | To preserve visual context (lumps, gait, conditions) | Contract |
| Reactions and comments on weekly plans | To improve future plans | Contract |
3.4 Technical and usage data
| What | Why | Legal basis |
|---|---|---|
| IP address, device type, OS, app version | Operational security and debugging | Legitimate interest |
| In-app events (which screens you opened, which features you used) | Product analytics so we can improve the service | Legitimate interest (UK GDPR Art 6(1)(f)) |
| Crash reports (stack traces, device state) | To find and fix bugs | Legitimate interest |
| Approximate location (country/region) from IP | To deliver region-appropriate content | Legitimate interest |
We don't collect precise location, contact lists, or browsing history.
3.5 What we do NOT collect
- We do not access your camera roll outside what you explicitly attach to a note
- We do not record audio in the background or while the app is closed
- We do not collect data about people who are not on a team you're part of
- We do not buy, sell, or share data with advertising networks
- We do not collect special category data (race, religion, sexual orientation, etc.) — we ask you not to put any in notes either
4. How we use your data
In plain terms:
- To run the service — sign you in, store your dog's information, deliver weekly plans, generate vet briefs, etc.
- To improve the service — see which features work, find bugs, prioritise improvements
- To contact you — about your account (transactional emails), occasionally about Superkin updates (you can opt out)
- To comply with the law — for example, responding to lawful requests from authorities
We do not use your data:
- To train AI models (see Section 5 for what our AI subprocessors do)
- For advertising
- To make automated decisions that significantly affect you legally
5. Who we share your data with — our subprocessors
Superkin is built on a small number of trusted services. Each one processes a specific kind of data on our instructions. We have a Data Processing Agreement (DPA) in place with each.
| Service | What they process | Where |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Frankfurt region) |
| Vercel | Hosting for the website and APIs | EU and US edge network |
| OpenAI | Voice transcription via the Whisper API | US |
| Anthropic | Plan generation via the Claude API | US |
| PostHog (EU) | Product analytics | EU (Frankfurt region) |
| Sentry | Error monitoring | US |
| Resend | Transactional email (welcome, magic link, notifications) | US |
| Inngest | Background jobs (Sunday plan generation) | US |
| Apple / Google | App distribution and push notifications | Global |
Important note about AI subprocessors (OpenAI and Anthropic): voice recordings sent to OpenAI for transcription, and text sent to Anthropic for plan generation, are processed on our behalf and not retained for model training under their commercial API terms. Both companies retain the data for a short period (typically 30 days) for abuse monitoring, then delete it.
We don't share your data with anyone else for any other purpose unless we're legally required to (for example, a court order) or you ask us to (for example, when you share a vet brief PDF).
If we engage a new subprocessor, we'll update this list before the change takes effect.
6. International data transfers
Some of our subprocessors (OpenAI, Anthropic, Sentry, Resend, Vercel for edge functions, Apple, Google) are based in the United States or process data globally. When your data goes there, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (SCCs) or equivalent UK-approved mechanisms, plus our own technical safeguards (encryption in transit and at rest).
You can request the specific mechanism used for any subprocessor by emailing hello@superkin.app.
7. How long we keep your data
| Data | Retention |
|---|---|
| Account data | While your account is active, plus 30 days after deletion |
| Your dog's data and team logs | While the household is active, plus 30 days after the last member leaves |
| Voice recordings | 30 days after transcription, then deleted from our storage |
| Voice transcripts | Same as the notes they belong to |
| Photos | While the note exists; deleted with the note |
| Crash reports and analytics events | 90 days for crashes, 24 months for analytics |
| Customer support emails | 2 years |
| Billing records (once paid tier ships) | 7 years (UK accounting rules) |
If you delete your account, we delete or anonymise your personal data within 30 days, except where we're legally required to keep it longer (for example, billing records).
8. Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you (right of access)
- Get a copy in a portable format like CSV (right to data portability)
- Correct anything inaccurate (right to rectification)
- Delete your account and personal data (right to erasure / "right to be forgotten")
- Restrict how we process your data in certain situations
- Object to processing based on legitimate interest (including analytics)
- Withdraw consent at any time where we rely on consent
- Complain to the ICO if you think we've mishandled your data (https://ico.org.uk/concerns/)
To exercise any of these rights, email hello@superkin.app. We respond within 30 days. We won't charge you unless requests are excessive or repeated.
9. How we keep your data secure
- All data in transit is encrypted with TLS 1.2 or higher
- All data at rest is encrypted (Supabase, Vercel, our storage buckets)
- Authentication is by email magic link only — no passwords for you to lose
- Access to user data by the Superkin team is restricted, logged, and limited to support and engineering needs
- We use Row-Level Security in Postgres so role boundaries (Owner vs Helper vs Walker vs Vet) are enforced at the database level, not just in app code
- Voice recordings are stored in a separate bucket with stricter access controls
- We do not use third-party SDKs that share data with advertising networks
- We run penetration tests at least annually once we have meaningful user numbers
- If we discover a personal data breach that's likely to result in risk to your rights, we notify the ICO within 72 hours and you without undue delay
No system is ever fully secure. But these are the standards we hold ourselves to.
10. Cookies and similar technologies
We use a small number of cookies, all functional or analytical:
| Cookie / storage | Purpose | Type |
|---|---|---|
| Supabase auth session | Keep you signed in | Strictly necessary |
| superkin_consent | Remember your cookie preferences | Strictly necessary |
| PostHog analytics ID | Aggregated product analytics | Analytics (opt-out available) |
We do not use marketing or advertising cookies.
EU and UK visitors see a cookie banner on first visit asking for analytics consent. You can change your preferences any time in Settings → Privacy in the app.
11. Children's data
Superkin is for people aged 18 or over. We don't knowingly collect personal data from anyone under 18 as an account holder.
We know children may use the app on a parent's account — for example, helping log walks or feedings. That's the parent's responsibility to supervise. Kid Mode (a simplified, restricted UI for children) is planned for a future release; until then, parents should not give children access to features they shouldn't see (medications, vet briefs, payment info).
If you believe we've collected personal data from a child without their parent's consent, contact us at hello@superkin.app and we'll delete it.
12. Changes to this policy
We may update this policy as the service evolves. Material changes (for example, a new subprocessor, a new category of data, a change to how we use it) will be communicated to active users by email at least 14 days before they take effect. Minor or clarifying changes will be published here with the "Last updated" date refreshed.
13. How to contact us
For anything — privacy questions, rights requests, general support: hello@superkin.app
Postal address: Superwild Ltd, Moy Road Industrial Estate, Taffs Well, Cardiff, Wales, CF15 7QR
Information Commissioner's Office (ICO): You have the right to complain to the ICO if you're unhappy with how we've handled your data. Their contact details are at https://ico.org.uk/concerns/.
This policy is written in plain English on purpose. If anything's unclear, ask us — we'd rather rewrite it than have you worry.