Privacy Policy

1. Who is responsible

Norbo is built and operated as a personal project by an individual indie developer. There is no company behind it — just one person who cares about pets and wants to build a useful tool.

For the purposes of the EU General Data Protection Regulation (GDPR) and the Italian Privacy Code, the Data Controller is:

• Name: Marius Trica
• Status: Individual indie developer (no business entity)
• Country: Italy
• Contact email: tricabit@gmail.com

A postal address is available on request for legitimate privacy-related inquiries.

2. Data I collect

I only collect the personal data strictly necessary to provide the service. Here's the full list, grouped by category.

Account data

• Email address and password (stored exclusively as an Argon2 hash, never in plain text);
• Name or nickname (optional), profile photo (optional);
• Preferred language, light/dark theme preference, notification preferences;
• If you sign in with Google or Apple: the unique identifier provided by the provider and the associated email address.

Pet data

• Name, photo, date of birth (which can be approximate), sex, weight, breed or species, optional notes;
• Health and life events recorded on the timeline: vaccinations, vet visits, antiparasitics, weight entries, water parameters for aquatic animals, photos, and free-text notes;
• Attachments to those events: certificates, photos, receipts;
• Reminders and their due dates.

Tool data

Some of the tools and calculators available in the Services section (water intake, caloric calculator, ideal weight estimator, etc.) may save the last calculated result to give you continuity between sessions. In that case, only the inputs you provided (e.g. animal weight, activity level) and the corresponding result are stored, linked to your account and the relevant animal. This data is not shared with third parties or used for any purpose other than the Tool's functionality.

Financial data

• Amounts and categories of the expenses you choose to record in the app;
• Photos of receipts (which may contain tax-related information about the merchant).

Technical and usage data

• Push notification tokens (FCM), device identifier, operating system;
• Technical access and error logs (IP address, timestamps, request type);
• Anonymous product events (e.g. "screen opened", "pet added") used solely for aggregate analytics.

What I don't collect

I do not collect your geographic location, biometric data, your address book contacts, browsing behaviour outside the app, your social graph, or any payment data (the app has no in-app purchases).

3. Purposes and legal bases

Your personal data is processed on the following legal bases under Article 6 of the GDPR.

Performance of a contract — Art. 6(1)(b) GDPR

• Providing the core features of the app: pet records, health timeline, reminders, photos, expenses, tools and calculators;
• Managing your account, authentication, and password recovery;
• Service communications that are strictly necessary (e.g. email confirmation, security alerts).

Legitimate interest — Art. 6(1)(f) GDPR

• Technical security: preventing abuse, fraud, and intrusion attempts;
• Application logging and error diagnostics to keep the service stable;
• Aggregate product analytics to improve features (anonymous events, no individual profiling).

Explicit consent — Art. 6(1)(a) GDPR

• Sending push notifications (opt-in at the operating system level and within the app settings);
• Any future marketing or promotional communications, always subject to separate opt-in.

Legal obligation — Art. 6(1)(c) GDPR

• Retaining security logs for the time required by applicable law;
• Responding to legitimate requests from judicial or supervisory authorities.

4. Data retention

I keep your personal data only as long as needed for the purposes it was collected for.

• Account and pet data: for the entire lifetime of your account.
• Tool results: for the entire lifetime of your account; automatically deleted when the relevant animal or account is deleted.
• After account deletion: permanent deletion (hard delete) within 30 days.
• Database backups: retained for 30 days on a rolling basis, then deleted.
• Application logs: retained for 90 days, then deleted.
• Security logs: retained for the time required by applicable law.

Some legal obligations (for example tax-related, where applicable) may require longer retention of specific records. In that case, data is kept solely for the purpose required by law.

5. Security

I take reasonable technical and organisational measures to protect your personal data from unauthorised access, disclosure, alteration, or destruction. In particular:

• All communication between the app and the server runs over HTTPS with up-to-date TLS;
• Passwords are stored exclusively as Argon2 hashes, never in plain text;
• Sessions use secure cookies (HttpOnly, SameSite Strict) and refresh tokens with rotation;
• Rate limiting is enforced on sensitive endpoints (login, signup, password reset);
• Database backups are encrypted at rest;
• Infrastructure credentials are kept in a dedicated secrets vault, never in the source code;
• Dependencies are scanned automatically to catch known vulnerabilities.

No system is 100% secure. In the event of a breach that involves risks to your rights, I will notify you within the timeframes set by Article 34 GDPR.

6. Third-party processors

To run the service, I rely on a small number of trusted external providers. They act as Data Processors under Article 28 GDPR. The main ones are:

• Cloud infrastructure provider for hosting servers and databases (e.g. Hetzner, Supabase, Neon, Fly.io, or equivalent) — with EU data residency whenever available;
• Object storage provider for storing photos and attachments (e.g. Cloudflare R2 or Backblaze B2);
• Google Firebase Cloud Messaging for sending push notifications;
• Apple Push Notification Service for push notifications to iOS devices;
• Sentry for application error monitoring;
• PostHog for aggregate product analytics.

I do not sell, rent, or otherwise transfer your personal data to third parties for commercial purposes. Ever, under any circumstances.

7. International transfers

Some of the providers I use (such as Google, Apple, Cloudflare) are headquartered or operate in non-EU countries, primarily the United States. In those cases, data transfers happen on the basis of appropriate safeguards under the GDPR, including:

• European Commission adequacy decisions where applicable (e.g. the EU–US Data Privacy Framework);
• Standard Contractual Clauses (SCCs);
• Supplementary technical and organisational measures where required.

You can request detailed information about transfers by writing to the contact address at the bottom of this page.

8. Your rights

As the data subject, you can exercise the following rights under Articles 15–22 GDPR at any time:

• Access: get confirmation that I'm processing your data and obtain a copy of it. All of your data is already visible inside the app;
• Rectification: update or correct your data. Everything is editable directly from the app;
• Erasure (right to be forgotten): request deletion of your data. You can do this yourself from "Delete account" — I will permanently delete it within 30 days;
• Restriction of processing in the cases listed in Article 18 GDPR;
• Data portability: receive your data in a structured, machine-readable format. The in-app "Export my data" function generates a complete JSON archive;
• Object to processing based on legitimate interest, in particular for product analytics;
• Withdraw consent at any time for processing based on consent (e.g. push notifications), without affecting the lawfulness of processing carried out beforehand.

You also have the right to lodge a complaint with a supervisory authority — for Italy, that's the Garante per la Protezione dei Dati Personali (garanteprivacy.it) — if you believe the processing of your data infringes applicable law.

To exercise your rights, write to tricabit@gmail.com. I will reply within 30 days of receiving your request.

9. Push notifications

Norbo uses push notifications to deliver reminders for the events and due dates you set up (vaccinations, vet visits, maintenance tasks, pet birthdays, etc.). Notifications are sent only with your explicit consent, which you give:

• Initially, through the operating system's permission prompt on your device;
• Granularly, through the notification settings inside the app, where you can choose which categories of reminder to receive (health, admin, maintenance, milestones).

You can disable notifications at any time from your device settings or from the app preferences. Disabling them does not affect any other functionality.

10. Cookies and similar technologies

The Norbo mobile app does not use cookies in the traditional sense. For service functionality, it relies on equivalent technologies:

• Session tokens stored locally on your device to keep you signed in between sessions;
• Local cache to improve speed and offline experience;
• Technical identifiers for push notifications.

These elements are strictly necessary to operate the app and are not used to profile you or for marketing purposes.

11. Minors

Norbo is not intended for users under 16 years of age. I do not knowingly collect personal data from minors without the consent of the holder of parental responsibility, as required by Article 8 GDPR and the Italian Privacy Code.

If you are a parent or guardian and believe a minor has provided personal data through the app without your authorisation, please contact me: I will promptly remove the data.

12. Changes to this policy

I may update this policy when the app changes substantially, when I add or change providers, or when applicable law evolves. The current version is always published at this address, with the date of the last update clearly shown.

For material changes, I will notify you in advance through an in-app notification or by email to the address linked to your account, giving reasonable notice before the changes take effect.

13. Contact

For any question about this policy or about how your data is handled, write to:

• Privacy: tricabit@gmail.com
• General support: tricabit@gmail.com

I'll do my best to reply quickly, and in any case within the timeframes set by applicable law.