Privacy Policy
Last updated: 07/14/2026
The protection of your privacy and your walk data is our absolute priority. This policy explains, simply and in full, what we collect, why, and how you stay in control.
1. Data Controller
The data controller is Kotchi Studio, trade name of Sullivan Floricourt, sole trader (entrepreneur individuel), 6 rue du Progrès, 27100 Val-de-Reuil, France. For any question about your personal data, you can contact us at privacy@haiko.app.
2. Data We Collect
Haiko only collects the data necessary for the app and its community features to function:
- Account: e-mail address, display name, avatar, and your Google or Apple sign-in identity (see "Security" below — there is no Haiko password).
- Public profile (if you choose to create one): public handle, bio, banner.
- Dogs: name, breed, date of birth, weight, photo.
- Walks: GPS traces (geometry and timestamped points), duration, distance, notes, title, photos (with their coordinates when taken during the walk), and the locality (city, region) derived from the trace.
- Community content (if you publish): published routes and places (free-text name and description), photos, likes and saves.
- Co-walkers: invitations (QR code or code), links between accounts sharing a dog.
- Reports & moderation: free-text report content, a capture of the reported content, and any resulting sanctions on your account.
- Subscription: premium status, RevenueCat identifier, purchase platform — we never receive your banking details, which are handled exclusively by Apple or Google.
- Technical data: usage events (statistics), crash diagnostics, device information.
- Location: GPS position used at your request to center Explorer, show nearby places, prepare an offline area, or provide local weather; when you explicitly start a walk, it is also used in the foreground and background for the duration of the active walk.
3. Purposes and Legal Bases
In accordance with Article 6 of the GDPR, each processing activity relies on a specific legal basis:
- Performance of the contract: providing the service (account, dog, and walk history management).
- Consent: geolocation requested for map, weather, and offline-area features, as well as during a walk; camera and photo access; and push notifications — all of these permissions are requested at the operating-system level and remain revocable at any time.
- Legitimate interest and legal obligation: content moderation, abuse and fraud prevention, service security, removal of unlawful content.
- Legitimate interest: aggregated, pseudonymized usage statistics, to understand and improve the app; you can turn them off at any time in the app's Settings ("Usage statistics"), or object to this (see "Your Rights" below).
- Performance of the contract and legal (accounting) obligation: management of premium subscriptions.
4. Public Content Moderation
When you publish community content (a route or a place), its text (name, description) is automatically analyzed to detect hateful, sexual, violent, or unlawful content. This text analysis is performed by OpenAI (OpenAI, LLC / OpenAI Ireland Ltd), acting as a processor within the meaning of Article 28 of the GDPR, which does not use it to train its models and retains it only temporarily, for abuse-detection purposes. Published photos (route and place photos, public profile avatar and banner) are also automatically analyzed by OpenAI to detect sexual, violent, or self-harm content; route and place photos are additionally reviewed by a human moderator. Content that is manifestly contrary to our rules may be hidden automatically, without prior human review; in that case, you are notified that your content has been hidden, and you can contact us to obtain the reason and request a human re-examination by writing to support@haiko.app. In accordance with Article 22 of the GDPR, you have the right to human intervention, to express your point of view, and to contest this decision.
5. Recipients and Sub-processors
We rely on the following providers to operate Haiko. Each one only accesses the data strictly necessary for its role:
- Supabase, Inc. — database, authentication, file storage, and server functions (all account, walk, and content data). Hosted in the European Union (Frankfurt, Germany).
- Sentry (Functional Software, Inc.) — technical crash diagnostics (technical identifier only, without directly identifying data such as your e-mail). Hosted in the European Union (Germany).
- PostHog — anonymized or pseudonymized usage statistics. Hosted in the European Union.
- OpenAI (OpenAI, LLC / OpenAI Ireland Ltd) — automated moderation of the text and photos of published content (see section 4 above). Processed in the United States, covered by the safeguards in section 6.
- RevenueCat, Inc. — premium subscription management (purchase identifier). United States.
- Mapbox, Inc. — map display and base maps; your device shares your position or visible area with Mapbox to render the map. United States.
- Google (Sign-In) and Apple (Sign in with Apple) — identity providers for sign-in (e-mail and provider identifier). United States / international.
- OpenWeatherMap — weather by coordinates, coordinates being sent via our server. International.
- Apple App Store / Google Play — processing of subscription payments; we never receive your banking details. International.
- Push notifications (Expo, Apple APNs, Google FCM) — a technical device identifier (notification token) to send you notifications. International.
6. Transfers Outside the European Union
Our primary storage (Supabase), our statistics tool (PostHog), and our diagnostics tool (Sentry) remain hosted within the European Union. However, some of the providers listed above (OpenAI, RevenueCat, Mapbox, Google, Apple, OpenWeatherMap, payment platforms) process data outside the EU, notably in the United States. These transfers are governed by safeguards recognized by the European Commission: Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework (DPF), depending on the provider.
7. Retention Periods
Your account and content are kept for as long as your account exists, and are deleted when your account is deleted (see our dedicated data deletion page). Statistics and diagnostics data are kept for a limited period of 12 months. Moderation and sanction data are kept for as long as necessary for community safety and to meet our legal obligations.
8. Your Rights
In accordance with Articles 15 to 22 of the GDPR, you have the right to access, rectify, erase, and port your data, to object to and restrict its processing, and to withdraw your consent at any time. You can exercise most of these rights directly from the app (deleting your account or your walks), or by contacting us at privacy@haiko.app. You also have the right to lodge a complaint with the French data protection authority, the CNIL (www.cnil.fr). We respond to your requests within one month. You may also set directives regarding what happens to your data after your death (Article 85 of the French Data Protection Act).
9. Security
Signing in to Haiko is done exclusively via Google or Apple (OAuth): we do not store any password. Traffic between the app and our servers is encrypted in transit (TLS), and access to data in our database is restricted at the row level through Row Level Security rules.
10. Minimum Age
Haiko is intended for people aged 15 and over, the digital age of consent set by Article 8 of the GDPR in France.
11. Changes
We may update this privacy policy from time to time, in particular to reflect changes to the service or to applicable regulations. The update date is shown at the top of this page.
12. Contact
For any question about this policy or your personal data, write to us at privacy@haiko.app.