🐰BunnyNotes

Privacy Policy

How we collect, use, and protect your data.

Last updated: 29 April 2026

Your privacy matters. This policy explains what personal data BunnyNotes collects, why we collect it, how it is stored, and the rights you hold under applicable data protection law, including the EU General Data Protection Regulation (GDPR). BunnyNotes is operated by Dávid Kromka, Bratislava, Slovakia. Questions? Email us at [email protected].

1. Data We Collect

We collect only what is necessary to provide and improve the service.

Account data — When you register with email and password we store your name (optional), email address, and a bcrypt hash of your password — never the password itself.

OAuth accounts — When you sign in with Google or GitHub we receive your name, email address, and profile photo URL from that provider. We do not receive your password.

Pet health data — All health records you create — daily logs, vet visit notes, weight entries, medications, and health notes — are stored and linked to your account. This data is voluntary and fully under your control.

Technical data — We may log IP addresses, browser user-agents, and request timestamps for security and debugging. Server logs are automatically purged after 30 days.

2. How We Use Your Data

Your data is used exclusively to operate BunnyNotes:

  • Authenticate you and maintain your signed-in session.
  • Store and display the health records you create.
  • Send transactional emails (password reset, account confirmation).
  • Detect and prevent abuse or fraudulent use of the service.
  • Improve and debug the application based on error logs.

3. Legal Basis for Processing

Under GDPR we process your personal data on the following legal bases: (a) Contract performance — processing your account data is necessary to provide the service you signed up for; (b) Legitimate interests — server logs and security monitoring protect both you and the service; (c) Consent — where you have explicitly agreed (for example, optional analytics if introduced in future). You may withdraw consent at any time without affecting the lawfulness of prior processing.

4. Data Sharing

We do not sell, rent, or trade your personal data. We share data only with the following sub-processors, under binding data processing agreements:

  • Cloud infrastructure provider (hosting, database) — to run the service.
  • Transactional email provider — to send password-reset and confirmation emails.
  • OAuth providers (Google, GitHub) — only the data they return during sign-in; we do not send your data back to them.

We will disclose personal data if required by law or to protect the rights, property, or safety of BunnyNotes or its users.

5. Data Retention

We keep your account and health data for as long as your account is active. You may permanently delete your account and all associated data at any time from Settings → Delete Account. After deletion your data is removed from our primary database within 24 hours and from backups within 30 days. Server logs containing IP addresses are automatically deleted after 30 days.

6. Your Rights

Under GDPR you have the following rights:

  • Access — request a copy of all personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your account and data ('right to be forgotten').
  • Portability — receive your data in a machine-readable format (JSON export available in Settings).
  • Restriction — request that we limit processing of your data in certain circumstances.
  • Objection — object to processing based on legitimate interests.

You also have the right to lodge a complaint with a supervisory authority, such as the Slovak Data Protection Authority (Úrad na ochranu osobných údajov SR) at dataprotection.gov.sk.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

7. Cookies & Local Storage

BunnyNotes uses a single session cookie to keep you signed in (HttpOnly, Secure, SameSite=Lax). We also use browser localStorage to remember your UI preferences (theme and language). We do not use advertising or third-party tracking cookies. See our Cookie Policy for full details.

8. Security

All data is transmitted over HTTPS (TLS 1.2+). Passwords are hashed with bcrypt (work factor 12). Database backups are encrypted at rest. We conduct periodic security reviews. Despite these measures no system can guarantee absolute security; in the event of a breach affecting your rights we will notify you within 72 hours as required by GDPR.

9. International Transfers

BunnyNotes is hosted on infrastructure within the European Economic Area (EEA). If any sub-processor transfers data outside the EEA we ensure appropriate safeguards are in place (such as EU Standard Contractual Clauses) before such transfers occur.

10. Children's Privacy

BunnyNotes is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy when our practices change or applicable law requires it. We will notify you of material changes by email and by posting a notice in the app at least 14 days before the change takes effect. The 'Last updated' date at the top reflects the most recent revision.

12. Contact

Data controller: Dávid Kromka, Bratislava, Slovakia. Email: [email protected]. We will respond to all privacy-related enquiries within 30 days.