PawScene

GDPR & Your Data Rights

Last updated: March 2026

This page supplements our Privacy Policy and describes how Denovate, LTD. d/b/a PawScene complies with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR, EU 2016/679), the Swiss Federal Act on Data Protection (nFADP), and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA). As a UK-registered company, the UK GDPR and the oversight of the Information Commissioner's Office (ICO) apply directly to our processing activities.

1. Data Controller

The data controller responsible for your personal data is:

Denovate, LTD. d/b/a PawScene
71-75 Shelton Street, Covent Garden
London, United Kingdom, WC2H 9JQ
Email: gdpr@denovate.app
Phone: +44 7349 580908 / +90 537 581 36 36

As a UK-based company processing personal data of EEA residents, we are required to designate an EU Article 27 representative. We are in the process of appointing one and will update this page when the appointment is made.

2. Categories of Personal Data Processed

  • Identifiers: Apple or Google provider user ID, email address, device identifier (IDFV on iOS / Android ID on Android)
  • Authentication metadata: IP address and User-Agent string recorded at registration and login (stored in consent logs)
  • Session data: JWT token identifiers, device platform, app version, last session timestamps
  • Push tokens: Firebase Cloud Messaging (FCM) token stored for notification delivery
  • Photos (Input Content): Pet photos uploaded for generation — transmitted to AI providers and deleted from our systems upon pipeline completion; not persistently stored by PawScene
  • Prompts and chat history: Text instructions submitted for generation or chat sessions, stored in our database until you delete them
  • Generated Content (Output Content): AI-generated images stored in secure cloud storage until you delete them
  • Generation metadata: Model used, provider, credits charged, output URL, job status
  • Usage data: Events tracked via Firebase Analytics (login, purchases, feature usage); crash data via Firebase Crashlytics
  • Subscription and commercial data: Subscription tier, credit balance, transaction tokens (via RevenueCat, Apple, and Google); your user ID and email are passed to RevenueCat for entitlement management
  • Referral data: Referee IP address and device identifier (for fraud prevention, recorded at referral use only)
  • Support communications: Messages and correspondence you send to us

3. Legal Bases for Processing (UK/EU GDPR Art. 6)

  • Performance of contract (Art. 6(1)(b)): Authentication, processing generation requests, managing credits, storing chat history and outputs, sending notifications about your jobs. Photo processing for generation is conducted on this basis — no separate consent is required for the generation pipeline.
  • Legitimate interests (Art. 6(1)(f)): Fraud prevention (including referral abuse detection), security monitoring, crash diagnostics via Firebase Crashlytics, and usage analytics via Firebase Analytics to improve the Service. We conduct balancing tests to ensure our interests do not override your rights.
  • Legal obligation (Art. 6(1)(c)): Tax and financial record-keeping, responding to lawful requests from law enforcement, and compliance with applicable regulations.
  • Consent (Art. 6(1)(a)): Optional marketing communications. Consent is freely given, specific, and withdrawable at any time without detriment. Consent flags are recorded in our consent log at registration.

4. Sub-Processors

We share personal data with the following sub-processors, each bound by a Data Processing Agreement (DPA) or equivalent contractual safeguards:

  • OpenAI — AI image generation — USA — UK IDTA / EU SCCs
  • Anthropic — Language model assistance — USA — UK IDTA / EU SCCs
  • Google LLC (Gemini) — AI image understanding and generation — USA — UK IDTA / EU SCCs
  • Replicate — Open-source AI model hosting — USA — UK IDTA / EU SCCs
  • RevenueCat — Subscription entitlement management (receives user ID and email) — USA — UK IDTA / EU SCCs
  • Apple Inc. — Authentication (Apple Sign In) and billing (App Store IAP) — USA — UK IDTA / EU SCCs
  • Google LLC (Firebase) — Push notifications (FCM), crash reporting (Crashlytics), usage analytics (Firebase Analytics) — USA — UK IDTA / EU SCCs
  • Google LLC (Sign In) — Authentication (Google Sign In) — USA — UK IDTA / EU SCCs
  • Cloudflare — CDN and object storage (generated output images) — Global — UK IDTA / EU SCCs + BCRs

5. International Data Transfers

We are based in the United Kingdom. When we transfer personal data to sub-processors located outside the UK or EEA, we rely on:

  • UK → third countries (e.g., USA): International Data Transfer Agreement (IDTA) approved by the UK ICO, or EU SCCs with a UK Addendum
  • EEA → third countries: EU Standard Contractual Clauses pursuant to EU Commission Implementing Decision 2021/914
  • Switzerland → third countries: Adapted SCCs under the Swiss nFADP
  • EEA → UK: The EU has granted the UK an adequacy decision; no additional mechanism required

Copies of the applicable transfer agreements are available on request at gdpr@denovate.app.

6. Your Rights Under UK/EU GDPR (Art. 15–22)

If you are in the EEA, UK, or Switzerland, you have the following rights. We will respond within one calendar month of a valid, verified request (extendable by two further months for complex requests, with prior notice).

Art. 15 — Right of Access

You may request a copy of all personal data we hold about you, along with information about how it is processed, who it is shared with, and the legal basis for processing.

Art. 16 — Right to Rectification

You may request correction of inaccurate or incomplete personal data. Email address and display name changes are managed through your Apple or Google account.

Art. 17 — Right to Erasure ("Right to Be Forgotten")

You may request deletion of your personal data where: (a) the data is no longer necessary for the purpose it was collected; (b) you withdraw consent and there is no other legal basis; (c) you object under Art. 21 and no overriding interests exist; or (d) the data was unlawfully processed. Delete your account directly in the app (Settings → Delete Account) or email gdpr@denovate.app. We will process requests within one month.

Art. 18 — Right to Restriction of Processing

You may request that we restrict processing of your data while accuracy is contested, while an objection is assessed, or where processing is unlawful but you prefer restriction to erasure.

Art. 20 — Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, you may request your personal data in a structured, machine-readable format (JSON or CSV).

Art. 21 — Right to Object

You may object at any time to processing based on legitimate interests (Art. 6(1)(f)). We will cease processing unless we can demonstrate compelling legitimate grounds. You have an absolute right to object to processing for direct marketing purposes.

Art. 22 — Automated Decision-Making

We do not make solely automated decisions that produce legal or similarly significant effects on you.

Art. 7(3) — Right to Withdraw Consent

Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing. Contact gdpr@denovate.app or use the unsubscribe link in our emails.

7. Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the CCPA as amended by the CPRA:

  • Right to Know: Request disclosure of categories and specific pieces of personal information collected, sources, business purposes, and categories of third parties with whom data is shared.
  • Right to Delete: Request deletion of personal information, subject to exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: Not applicable — we do not sell or share personal information for cross-context behavioral advertising.
  • Right to Limit Use of Sensitive Personal Information: We process sensitive PI (such as your email) only as necessary to provide the Service.
  • Right to Non-Discrimination: We will not deny, charge different prices for, or provide a different quality of service because you exercised your CCPA rights.

Authorized agents may submit requests with written proof of authorization. We verify identity via your registered Apple or Google account.

8. Retention Periods

  • Account data (email, profile, credits): Active period plus 90 days after deletion, then permanently purged.
  • Uploaded photos (Input Content): Zero retention — deleted upon generation pipeline completion.
  • Prompts and chat history: Retained until you delete the session or your account.
  • Generated outputs (Output Content): Retained until you delete them, plus a 30-day backup window.
  • Consent logs (IP, User-Agent, consent timestamps): Retained for the duration of legal compliance obligations.
  • Support communications: Up to 3 years.
  • Legal and financial records: Up to 7 years as required by applicable law.
  • Analytics data (Firebase): Retained as per Google's Firebase data retention settings; aggregated/anonymized data may be retained indefinitely.

9. How to Exercise Your Rights

You can exercise your rights in two ways:

  • In-app: Settings → Delete Account (erasure) or Settings → Export Data (portability), where available.
  • By email: gdpr@denovate.app — include your name, registered email address, and a description of your request.

We acknowledge requests within 1 business day and provide a substantive response within 1 calendar month. Identity verification is required. There is no fee for one request per 12-month period.

10. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with applicable data protection law, you have the right to lodge a complaint with the relevant supervisory authority:

  • UK (lead authority): Information Commissioner's Office (ICO) at ico.org.uk
  • EEA: Your local Data Protection Authority — directory at edpb.europa.eu
  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC) at fdpic.ch

We ask that you contact us first at gdpr@denovate.app so we have the opportunity to address your concern before you escalate to a supervisory authority.

11. Cookies and Tracking

Mobile app: The PawScene iOS and Android apps do not use browser cookies. The app uses Firebase Analytics (usage events) and Firebase Crashlytics (crash reports). You can limit analytics data collection via your device's privacy settings (iOS: Settings → Privacy & Security → Tracking; Android: Settings → Privacy → Ads). Analytics and Crashlytics are disabled in debug builds.

Website (pawscene.com): We use only functional cookies necessary for the website to operate. We do not use advertising cookies or cross-site tracking cookies.

12. Contact

For all data protection and privacy matters:

  • Email: gdpr@denovate.app
  • Phone: +44 7349 580908 / +90 537 581 36 36
  • Post: Denovate, LTD., 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

We acknowledge all data protection inquiries within 1 business day and provide a substantive response within 1 calendar month.