This Privacy Policy explains what personal data we process, for what purpose and on what legal basis when you use the Lapa mobile application for pet owners (the «App»).

Data controller. Sole proprietor (Natural Person-Entrepreneur, ФОП) Serhii Halych, taxpayer registration number (РНОКПП) 3607108612, registered at: 70 Starokozatska Street, apartment 70, Dnipro, 49000, Ukraine. Email: legal@lapahub.com. Referred to below as «we», «us», or «our».

What Lapa is. Lapa is a mobile application for pet owners. You keep a profile of your pet — vaccinations, preventive care, weight, photos — and (with your separate consent) connect with veterinary clinics that use our clinic system. Lapa is not a veterinary service and does not replace an in-person consultation with a veterinarian.

Why this matters. We process the minimum personal data necessary. Health data relate to the animal, not to you, and therefore do not constitute special categories of personal data of a natural person under Article 7 of the Law of Ukraine «On Personal Data Protection».

Applicable law. Personal-data processing is carried out in accordance with the Law of Ukraine «On Personal Data Protection» of 1 June 2010, No. 2297-VI (the «Law») and other Ukrainian legislation. This document is also drafted with regard to the principles of the EU General Data Protection Regulation (GDPR) where you interact with the App from the European Economic Area.

Questions about this Policy: legal@lapahub.com or support@lapahub.com.

We collect only the data needed to operate the App and provide the features you use. The categories are as follows.

1.1. Account data

• Email address (received from your chosen identity provider — Apple ID or Google).
• First name and last name (optional; you can fill in or edit them in the «Profile» section).
• An internal technical user identifier.
• Avatar (profile photo) — optional.
• Mobile phone number — optional; only sent to our servers after you complete a separate verification step initiated by you.

1.2. Pet data

• Pet name, species (dog, cat, etc.), sex, date of birth, breed.
• Microchip number (if you choose to enter it).
• Sterilisation status (yes / no / unknown).
• Current weight and weight history.
• Photographs of the pet that you upload.
• Vaccination records: vaccine name, manufacturer, batch, administration date, next-due reminder date.
• Preventive-care records (parasite prevention, hygiene, etc.): product name, dose, administration date, next-due reminder date.

1.3. Veterinary clinic data (with your consent)

If you grant a specific veterinary clinic access to your pet's medical record, that clinic can view and update the pet profile within the scope of access you granted. Records that the clinic itself creates during visits belong to the clinic; we display them in the App so that you can see them in one place.

1.4. Technical and diagnostic data

• Device type and model, OS version, interface language.
• Device push token used to deliver notifications.
• A technical device identifier provided by the operating system, used to map the push token to your account correctly.
• IP address (recorded by servers for the duration of request handling), request timestamps, server-side error logs.

We do not collect: special categories of personal data of a natural person (human health, race or ethnicity, religious belief, biometric or genetic data); geolocation (the location permission is used only on-device — see section 9); contents of your address book; data from other apps.

We obtain data from three sources.

2.1. Directly from you

When you create an account, add a pet profile, upload photos, record vaccinations or care events, or change settings.

2.2. From your identity provider

Authorisation in the App is performed via Sign in with Apple or Sign in with Google. We do not handle your password directly — verification is performed by your chosen identity provider. From that provider we receive: your email address (or the Apple Private Relay alias if you chose it), your name (if you allowed it to be passed), and a technical user identifier.

2.3. Automatically — from your device and our servers

Technical data (device model, OS version, push token, IP address, request logs) are produced automatically while the App operates so that we can deliver push notifications and diagnose technical issues.

2.4. From veterinary clinics — only with your consent

If a partner clinic already holds a record of your pet in its system (for example, you visited the clinic earlier and the clinic recorded your contact details), the App will surface that clinic to you as «discovered». You decide whether to link such a record to your pet's profile and whether to grant the clinic access to view and update the profile. Without your consent, the clinic does not receive any additional data from your account.

We process your personal data only for purposes defined in advance and on one of the bases set out in Article 11 of the Law. The full list is below.

3.1. Performance of a contract with you (Article 11(1)(3) of the Law)

• Creating and maintaining your account.
• Storing the pet profile, vaccination history, care records, and photos.
• Calculating reminders for upcoming vaccinations and preventive care.
• Delivering push notifications about events in the App (reminders, clinic access requests).

3.2. Consent (Article 11(1)(1) and Article 6(6) of the Law)

• Granting a specific veterinary clinic access to your pet's medical record.
• Linking pet records held by partner clinics to your account.
• Associating the optional phone number with your account.

You give consent through actions in the App. You can withdraw it at any time in the settings; withdrawal does not affect the lawfulness of processing performed before withdrawal.

3.3. Legitimate interest of the controller (Article 11(1)(5) of the Law)

• Information security of the App, abuse detection, and fraud prevention.
• Technical diagnostics of server-side errors and stability monitoring.
• Internal Service improvement based on de-identified statistics (without identifying an individual user).

3.4. Compliance with legal obligations (Article 11(1)(2) of the Law)

• Responses to written requests from authorised public authorities within the limits and procedures set by law.
• Compliance with tax, accounting, and other mandatory laws.

We do not make automated decisions that produce legal effects concerning you or similarly significantly affect you (Article 8(13) of the Law). No profiling for advertising or marketing purposes is performed.

One of Lapa's core features is the ability to see, in a single app, the medical history of your pet recorded across different veterinary clinics. This mechanism is fully under your control.

4.1. How it works

• After you create an account, the App checks whether partner clinics have records of pets where the listed owner contact matches yours.
• If such records exist, the App shows you a list of «discovered pets» and clinics. You decide whether to link each pet to your account.
• Separately, a clinic can send you a request for access to view or update a pet's medical record. You see such a request in the App and can «Approve» or «Deny» it.
• Access can be revoked at any time in the pet profile settings.

4.2. What the clinic sees if you approve access

If you have granted a clinic access, the clinic sees only the profile of the pets for which you confirmed access: basic pet data, vaccination and care history, weight, photographs. The clinic does not see your other pets, does not gain access to other clinics with which you interact, and does not receive any information about you beyond what is needed to contact you as the owner.

4.3. What you see

You see the medical records that the clinic enters into your pet's chart. You do not get access to the clinic's internal systems, financial data, data about other clients, or veterinarians' private notes.

4.4. Who is the controller of clinic medical records

Records that the clinic creates during visits (diagnoses, prescriptions, lab results, doctor's notes) form part of the clinic's medical documentation. The clinic itself acts as the controller of such personal data within the meaning of the Law; we merely display them to you as the pet owner. Requests to amend such records should be addressed directly to the clinic.

We do not sell your personal data, do not share them with advertising networks, do not use them to build advertising profiles, and do not use them for third-party marketing. We engage only reputable service providers, who act as processors of personal data on the basis of agreements with us and process data solely on our instructions.

5.1. Categories of processors (sub-processors)

• Cloud infrastructure: hosting of server components, databases, and file storage.
• Authentication services: sign-in verification through external identity providers (Apple ID, Google).
• Push notification delivery: platform push services for iOS and Android.
• Network protection and DNS: traffic routing and protection against network attacks.
• Auxiliary observability and diagnostics: error monitoring, stability and performance metrics — where used.
• User-communication tools: delivery of essential service messages by email — where required.
• Operational content-processing services: providers that process content you actively submit through the App (for example, images you upload through an in-App feature) to perform a specific operation you initiated and return the result. These providers act as processors on the basis of agreements with us, process data solely on our instructions, and do not retain the content for any other purpose.

A current list of specific providers is available upon request at legal@lapahub.com.

5.2. Veterinary clinics — only with your consent

Veterinary clinics to which you have granted access (see section 4) act as independent controllers of personal data with respect to records they create in your pet's medical chart. Transfer to them takes place only within the scope of access you granted and only until you revoke it.

5.3. Authorised public authorities

We may disclose your personal data in response to a binding request from a court, law-enforcement body, or other authorised public authority of Ukraine, received in the manner set by law and only to the extent necessary to comply with such a request.

5.4. Reorganisation

If the business is sold or reorganised, personal data may be transferred to the successor on the condition that it assumes obligations no less stringent than those set out in this Policy. We will notify you of such a change in advance.

Your personal data are primarily stored and processed within the European Economic Area (EEA). Transfers to EEA countries are permitted by Article 29 of the Law without additional protective measures, because these states ensure an adequate level of personal-data protection and are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108).

Certain auxiliary and operational services (in particular push notification delivery, observability and diagnostics, and processing of content you submit through in-App features) may transmit data to infrastructure in other jurisdictions, including the United States. In such cases the transfer takes place on an adequate legal basis: your consent (the relevant features are optional and you can decline or use manual alternatives at any time) and contractual safeguards with the respective provider that meet the requirements of Article 29 of the Law.

If you would like additional information about specific processing routes, write to legal@lapahub.com.

We retain personal data only as long as necessary to achieve the purposes listed in section 3 or to comply with applicable law. In practice this means:

• Account data and pet profiles: for the lifetime of your account.
• After you delete the account: data are removed from primary systems without an additional «cooling-off» period; backup copies are overwritten as part of the regular backup cycle.
• Server technical logs: for as long as needed for security, incident detection, and diagnostics.
• Push tokens: until you sign out, reinstall the App, or a delivery error occurs.
• Records owned by Partner Clinics: retained by the clinics under their own policies. Once you revoke access or delete your account, we stop displaying these records in the App.
• Some data may be retained longer where this is required by law (in particular tax, accounting, and consumer-protection legislation).

You can delete individual data (a pet, a vaccination record, a photo) in the App at any time.

We apply technical and organisational measures to protect personal data in accordance with Article 24 of the Law:

• All network connections between the App and our servers are protected by TLS encryption.
• Server-side databases and file storage are encrypted at rest by the infrastructure provider.
• Access to server systems is granted only to authorised persons on a least-privilege basis.
• We do not handle your password directly — sign-in is performed by your identity provider (Apple ID or Google).
• The on-device authentication token is stored in the hardware-protected storage of the operating system (Apple Keychain / Android Keystore).
• We monitor vulnerabilities in dependencies and apply security updates within reasonable timeframes.

Data on your device. For offline use, the App may keep a copy of the pet profile and medical records in a local database on the device. This local copy is accessible only to the Lapa app within OS sandboxing. If you sign out or uninstall the App, the local copy is fully erased from the device.

No system is absolutely invulnerable. In the event of a security incident posing a risk to your rights and freedoms, we will notify you and the Ukrainian Parliament Commissioner for Human Rights within the time and procedure set by law.

Before using a permission, the App always asks for it. You can grant or revoke each permission in the operating system settings at any time. Below is the full list of permissions the App may request and how we use them.

• Camera — so that you can take a photo of your pet directly from the App. The image is uploaded to server storage only if you explicitly attach it to the profile.
• Photo library — so that you can pick an existing photo of your pet. The file is copied to server storage only if you explicitly attach it to the profile.
• Location (while in use) — used to sort the list of nearby clinics by distance. In the App's current implementation, precise location is processed on the device and is not transmitted to our servers as part of regular requests.
• Push notifications — for vaccination and preventive-care reminders and App events. If you decline this permission, the push token is not registered and notifications are not sent.

The Lapa mobile app does not use cookies. Brand websites (such as lapahub.com) use only strictly necessary cookies. Details — in the Cookies Policy.

Within the App we may use limited analytics, error monitoring, and stability diagnostics tools that are needed to operate the Service reliably, detect issues, and gradually improve the product. The legal basis for such processing is our legitimate interest (Article 11(1)(5) of the Law).

Such tools are not used to:

• profile you for advertising or marketing purposes;
• sell or transfer your personal data to advertising networks or data brokers;
• make automated decisions that produce legal effects concerning you;
• track your activity across other apps or websites.

Where individual tools collect information that may identify you personally, we minimise the scope of such processing. If the overall character of this processing changes, we will reflect it in the next revision of this Policy and notify you in an appropriate manner.

Article 8 of the Law guarantees you the following rights as a data subject. We respect them in full.

• To know about the sources of collection, the location of your personal data, the purpose of their processing, and the location of the controller.
• To receive information about the conditions for granting access to personal data, including about third parties to whom they are transferred.
• To access your personal data.
• To receive a response about the processing of your personal data within 30 calendar days of submitting a request.
• To submit a reasoned request for amendment or destruction of your personal data.
• To protection of personal data against unlawful processing and accidental loss, destruction, or damage.
• To protection against the provision of information that is unreliable or that disgraces honour, dignity, or business reputation.
• To submit complaints regarding the processing of personal data to the Ukrainian Parliament Commissioner for Human Rights or to a court.
• To apply legal remedies in the event of a breach of personal-data legislation.
• To make reservations limiting the right to process your personal data when granting consent.
• To withdraw consent to the processing of personal data.
• To know about the mechanism of automated processing of personal data (no automated decisions are made in the Lapa App).
• To protection against an automated decision that produces legal effects concerning the individual.

If you interact with the App from the EEA, GDPR rights additionally apply — including the rights of access, rectification, erasure, restriction, objection, and data portability. We handle such requests on a case-by-case basis and provide data in a commonly used structured format.

To exercise any of these rights, send a request to legal@lapahub.com from the email address associated with your account. We may ask you to verify your identity to prevent disclosure to a third party. We respond within the timeframes set by Article 8 of the Law.

Complaint to the regulator. If you believe we have violated your rights, you may contact the Ukrainian Parliament Commissioner for Human Rights: 21/8 Instytutska Street, Kyiv, 01008; hotline 0 800 50 17 20; email hotline@ombudsman.gov.ua; website ombudsman.gov.ua.

Lapa is intended for adult pet owners. The App may be used by persons aged 16 and older. We do not knowingly collect personal data of persons under 16.

If you are a parent, guardian, or other legal representative and become aware that your child has created an account without proper consent, please notify us at legal@lapahub.com. We will delete such an account and the related data without undue delay.

We may update this Policy to reflect changes in the App's features, the categories of processors, or legal requirements. The current version is always available at this link, and the update date is shown at the top of the document.

If the changes are material (new categories of data, new processing purposes, significant changes to processing routes), we will notify you in advance — by push notification in the App and/or to the email address associated with your account.

Data controller:
Sole proprietor (ФОП) Serhii Halych
Taxpayer registration number (РНОКПП): 3607108612
Address: 70 Starokozatska Street, apartment 70, Dnipro, 49000, Ukraine
Email (general): support@lapahub.com
Email (data protection): legal@lapahub.com
Website: lapahub.com

Regulator: Ukrainian Parliament Commissioner for Human Rights, Department of Personal Data Protection. Address: 21/8 Instytutska Street, Kyiv, 01008. Hotline: 0 800 50 17 20. Email: hotline@ombudsman.gov.ua. Website: ombudsman.gov.ua.

We respond to requests and complaints within the timeframes set by law.