Privacy Policy

1. Introduction

Everkin ("we," "our," or "us") is operated by Ghost Labs LLC, a New York limited liability company. This Privacy Policy explains how we collect, use, disclose, store, and protect your information when you use the Everkin mobile application, the everkin.io website, and all related services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.

This Privacy Policy should be read together with our Terms of Service.

2. Information We Collect

2.1 Information You Provide Directly

Account Information:

• Email address
• Display name
• Password (stored as a salted hash; we never store plaintext passwords)
• Profile photo/avatar (optional)

Pet Health Data:

• Pet profiles (name, species, breed, date of birth, sex, microchip number)
• Weight measurements and history
• Glucose readings
• Symptom logs (type, severity, notes)
• Medication records (name, dosage, frequency, start/end dates)
• Allergy and medical condition records
• Seizure logs
• Bathroom/elimination logs
• Feeding records (food type, amount, schedule)
• Grooming records
• Activity logs and notes
• Veterinary visit records
• Pet photos and note-attached images

Images uploaded as part of your pet data (photos, note attachments, document scans) are subject to automated safety scanning. See Section 2.3 below.

Household and Social Data:

• Household membership and roles
• Household invitations (inviter, invitee email, status)
• Caregiver access grants and permissions

Veterinary Clinic Data:

• Clinic name, address, phone number, and website (when you manually add a clinic)

2.2 Information Collected Automatically

Device and Usage Information:

• IP address (logged during authentication events and email verification)
• User-Agent string (browser/device identifier, logged during authentication events)
• App version and operating system version

Authentication Audit Logs:

• Timestamps of login events
• IP address and User-Agent string at time of authentication
• Authentication method used (email/password, Google, Apple)

2.3 Automated Image Safety Scanning

Images you upload to the Service (pet photos, note attachments, profile avatars, food and medication images, and scanned veterinary documents) are automatically screened for prohibited content using Google Cloud Vision API before being stored. This process is fully automated. No Ghost Labs employee and no Google employee reviews your images as part of this scan. Google does not retain your images after the scan completes and does not use them to train its own models, consistent with Google Cloud's data processing terms.

We perform this scanning to comply with our obligations under 18 U.S.C. 2258A (U.S. reporting of child sexual abuse material) and Canada's Mandatory Reporting Act (S.C. 2011, c. 4), and to maintain a safe Service. Apparent CSAM is reported to the National Center for Missing & Exploited Children (NCMEC) in the U.S. and to the Canadian Centre for Child Protection (Cybertip.ca) for incidents involving Canadian users.

2.4 Information from Third-Party Authentication

If you sign in using Google or Apple Sign-In, we receive your name (as configured in your Google or Apple account), your email address, and a unique account identifier from the provider. We do not receive or store your Google or Apple password.

Apple Hide My Email: If you choose Apple's "Hide My Email" option during Sign in with Apple, we receive only a private relay email address ending in @privaterelay.appleid.com. We never see your real email address. All emails we send you (account verification, password resets, Household invitations, security notices, and, if you opt in, product updates) are routed through Apple's relay service. If you disable the relay from your Apple ID settings, we may lose the ability to contact you by email, and your account may become unrecoverable if you also lose access to your Apple ID.

2.5 Information We Do NOT Collect Server-Side

Voice and Microphone Data: The Service offers optional voice input for notes using Apple's speech recognition frameworks (SpeechTranscriber and DictationTranscriber on iOS 26+). Everkin configures speech recognition to run on-device only. Audio is processed on your device and is never transmitted to Ghost Labs' servers or to Apple's servers. Only the resulting transcribed text is stored if you choose to save it. If your device or iOS version does not support on-device recognition, voice input is disabled.

Precise Location Data: The Service may request "when in use" location access solely to help you search for nearby veterinary clinics (via Apple Maps). We do not transmit, store, or log your location on our servers. Location processing occurs on-device through Apple's MapKit framework.

2.6 Subscription and Payment Information

Everkin offers optional premium subscriptions purchased through Apple's In-App Purchase system. Apple processes all payments. Ghost Labs does not receive, process, or store your credit card number, billing address, CVV, or any other payment credential.

From Apple we receive a transaction identifier, an anonymized app-account identifier, the product purchased, the purchase and expiration dates, and the subscription status (active, in grace period, expired, refunded, etc.). We use this data solely to unlock premium features on your account, restore purchases across devices, detect fraudulent subscription activity, and comply with tax and accounting obligations.

Refunds, billing disputes, payment method updates, and subscription cancellation are handled entirely by Apple. You can manage your subscription at any time in Settings > Apple ID > Subscriptions on your device. See Apple's Privacy Policy for information about how Apple handles your payment data.

3. How We Collect Information

• Direct Input: Information you enter into the app (pet records, account details, notes).
• Automatic Collection: Technical data collected automatically when you interact with the Service (IP addresses, User-Agent strings during authentication).
• Third-Party Authentication: Profile data provided by Google or Apple when you use their sign-in services.
• Marketing Site: The everkin.io website may collect analytics data through cookies and similar technologies (see Section 15).

4. How We Use Your Information

We use the information we collect to:

• Operate the Service: Create and manage your account, store and display your pet health data, enable Household sharing and Caregiver access.
• Provide Features: Generate health timelines, track weight trends, display medication schedules, and support all core app functionality.
• Communicate with You: Send transactional emails (account verification, password resets, Household invitations), and optional product updates or newsletters (which you can unsubscribe from at any time).
• Ensure Safety and Security: Detect and prevent fraud, abuse, and unauthorized access; enforce our Terms of Service; comply with legal obligations.
• Improve the Service: Analyze aggregated usage patterns to fix bugs, improve features, and develop new functionality.
• AI/ML Improvement: Use anonymized, aggregated data to train and improve machine learning models (see Section 5 for details and opt-out).

5. AI and Machine Learning Data Usage

5.1 Anonymization Process

Before any data is used for AI/ML purposes, we apply an irreversible anonymization process that removes all personally identifiable information (names, email addresses, account IDs) and all pet-identifying information (pet names, microchip numbers). The resulting anonymized dataset cannot be linked back to any individual user or pet.

5.2 Aggregated Data Use

We may use anonymized, aggregated data to:

• Train machine learning models that improve algorithmic correlation features;
• Identify general patterns in aggregated pet data (for example, common symptom patterns across breeds);
• Develop new features and improve existing ones;
• Conduct internal research.

5.3 No Individual Personal Data in Model Outputs

We design our anonymization process so that no personal data or individually identifiable pet data can be recovered from trained models. If you prefer that your data not be included in the anonymization and training process at all, you can opt out at any time as described in Section 5.4.

5.4 Opt-Out

You may opt out of having your anonymized data used for AI/ML training at any time through your account settings in the app or by emailing privacy@everkin.io. If you opt out, we will exclude your data from future anonymization and model training processes within 30 days. Data that has already been anonymized and incorporated into trained models cannot be retroactively removed (because it is no longer identifiable).

6. How We Share Your Information

6.1 We Never Sell Your Data

We do not sell, rent, or trade your personal information or pet data to third parties. Period.

6.2 Household Members and Caregivers

Your pet data is shared with other members of your Household and any Caregivers you authorize, in accordance with the permissions you set.

6.3 Third-Party Service Providers (Processors)

We share information with third-party service providers who process data on our behalf to operate the Service. These providers are contractually obligated to use your data only as directed by us and to maintain appropriate security measures. See Section 14 for a complete list of processors.

6.4 Law Enforcement and Legal Obligations

We may disclose your information if required by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to:

• Comply with applicable law or legal obligations;
• Protect the rights, property, or safety of Ghost Labs, our Users, or the public;
• Detect, prevent, or address fraud, security, or technical issues;
• Report child sexual abuse material (CSAM) to NCMEC as required by 18 U.S.C. 2258A (United States) and to Cybertip.ca as required by Canada's Mandatory Reporting Act (S.C. 2011, c. 4).

We review each legal request for validity and scope, produce only the specific data lawfully required, and challenge requests we believe are overbroad, vague, or not supported by law. Where legally permitted, we will notify you before producing your data so you have an opportunity to object.

6.5 Business Transfers

If Ghost Labs is involved in a merger, acquisition, bankruptcy, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email or prominent in-app notice before your information becomes subject to a different privacy policy.

6.6 How Caregiver Access Works

When you grant Caregiver access to another user (for example, a pet sitter or dog walker), that person can view the pet data you authorize for the duration you specify and within the permission scope you select. Caregivers see pet records, medication schedules, and notes that are in scope for their grant. Caregivers do not see your email address, your household's billing information, your payment history, or pet records outside the scope of their grant.

You can revoke a Caregiver's access at any time from the Household settings. Revocation is effective immediately for new requests; the Caregiver's device may retain locally cached data until the app next synchronizes, at which point cached pet data for your household is removed.

You are responsible for ensuring that you have the right to share your pets' information with a Caregiver.

7. Data Storage and Security

7.1 Where We Store Your Data

• Application Database: Google Cloud Platform (GCP) Cloud SQL (PostgreSQL), located in the United States.
• Primary File Storage: Google Cloud Storage (GCS), located in the United States. Used for pet photos, note images, user avatars, food and medication images, and scanned documents.
• Legacy File Storage: Amazon Web Services (AWS) S3, located in the United States. Used for files uploaded prior to our migration to GCS; no new uploads are written to S3.
• Cache Layer: Upstash Redis, located in the United States. Used for short-lived session data and rate-limiting counters; TLS required.
• Message Queue: GCP Pub/Sub, located in the United States. Used to dispatch image processing jobs between services.
• Application Hosting: GCP Cloud Run, located in the United States.

7.2 Security Measures

We implement industry-standard security measures, including:

• Encryption in transit: All data transmitted between your device and our servers uses TLS 1.2 or higher.
• Encryption at rest: Database and file storage are encrypted at rest using AES-256 or equivalent.
• Password security: User passwords are salted and hashed using bcrypt; we never store plaintext passwords.
• Access controls: Role-based access controls limit employee access to user data on a need-to-know basis.
• Authentication audit logging: We log authentication events to detect unauthorized access attempts.

7.3 No Guarantee

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

7.4 Breach Notification

In the event of a personal data breach likely to result in a risk to your rights, we will:

• Notify affected users and competent authorities within the timeframes required by applicable law, including the New York SHIELD Act (N.Y. Gen. Bus. L. 899-aa), other U.S. state breach notification statutes, PIPEDA, and Quebec Law 25;
• Notify affected users by email and in-app notice without undue delay where the breach is likely to result in a significant risk to you;
• Provide affected users with a description of the nature of the breach, the categories and approximate number of records involved, the likely consequences, the measures taken to address it, and the contact point for further information.

We maintain an internal incident response plan and require our processors to notify us of suspected breaches without undue delay.

8. Data Retention

8.1 Active Accounts

We retain your data for as long as your account is active and as needed to provide the Service. Specific retention windows include:

• Account and pet health data: retained for the life of your account.
• Authentication audit logs: 12 months (see 8.3).
• Transactional email delivery records: 24 months for deliverability and anti-abuse purposes.
• Crash and error diagnostics (Sentry): 90 days.
• Application performance metrics (Grafana Cloud): 30 days.
• Financial and subscription records: 7 years to meet tax and accounting obligations.
• Backup snapshots: up to 90 days after the underlying record is deleted.

8.2 After Account Deletion

When you delete your account:

• Your personal data and pet data are marked for deletion and removed from active systems within 30 days.
• Backup copies may persist for up to 90 days before being permanently purged.
• Anonymized, aggregated data that has already been processed is retained indefinitely (because it is no longer identifiable).
• Data we are required to retain by law (e.g., financial records, legal compliance) will be retained for the legally required period.

8.3 Authentication Logs

Authentication audit logs (IP addresses, User-Agent strings) are retained for 12 months for security purposes, then permanently deleted.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

9.1 Access

You can access your pet health data at any time through the app. You may request a copy of all personal data we hold about you by emailing privacy@everkin.io.

9.2 Correction

You can update or correct your information directly in the app. For corrections you cannot make yourself, contact privacy@everkin.io.

9.3 Deletion

You can delete your account through the app settings or by contacting support@everkin.io. See Section 8.2 for retention details after deletion.

9.4 Data Export

You can export your pet health records from the app in CSV and PDF formats.

9.5 Opt-Out of AI/ML Training

You can opt out of having your anonymized data used for AI/ML model training. See Section 5.4.

9.6 Opt-Out of Marketing Communications

At launch, Ghost Labs sends only transactional emails (account verification, password reset, Household invitations, security notices, and service updates). We are not sending marketing or newsletter emails. If we later introduce marketing communications, they will be sent only with your express opt-in consent, consistent with Canada's Anti-Spam Legislation (CASL) for Canadian recipients and applicable U.S. law. You will be able to unsubscribe from marketing emails using the link in any such email or by updating your notification preferences in the app. Transactional emails are not affected by marketing opt-outs.

9.7 Withdrawal of Consent

Where we rely on your consent to process your data, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal. For jurisdiction-specific rights, see Sections 11 (California), 12 (EU website visitors), and 13 (Canada).

10. Children's Privacy

The Service is intended for adult pet owners and is not directed to children. You must be at least 13 years old to create an Everkin account. The Service is currently available only in the United States and Canadian App Stores.

Age verification. Age verification is based on your attestation at signup. We do not collect date of birth. If we later determine an account holder is below the applicable minimum age, the account and associated data will be deleted within 30 days. We do not knowingly collect personal information from children below the applicable minimum age. We do not use the Service to market to children and we do not design features to appeal to children.

If you are a parent or guardian and believe your child has provided us with personal information, please contact privacy@everkin.io so we can delete the information. We comply with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. 6501 et seq.) and analogous children's privacy requirements in the jurisdictions where the Service is available.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

11.1 Right to Know

You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.

11.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions permitted by law.

11.3 Right to Correct

You have the right to request correction of inaccurate personal information.

11.4 Right to Opt-Out of Sale or Sharing

We do not sell or share (as defined by CCPA/CPRA) your personal information. Therefore, there is no need to opt out. If our practices change, we will provide a "Do Not Sell or Share My Personal Information" link.

11.5 Right to Limit Use of Sensitive Personal Information

Pet health data may be considered sensitive personal information under CPRA. We use this data only to provide the Service as described in this Privacy Policy. You may request that we limit our use of sensitive personal information.

11.6 Non-Discrimination

We will not discriminate against you for exercising your CCPA/CPRA rights.

11.7 How to Exercise Your Rights

To submit a CCPA/CPRA request, email privacy@everkin.io with the subject line "CCPA Request" and include: (a) the email address associated with your Everkin account, (b) the specific right you wish to exercise (know, delete, correct, limit), and (c) enough detail for us to locate your account.

Verification: For requests to know specific pieces of personal information, or to delete or correct data, we verify your identity to a reasonable degree of certainty by (i) sending a confirmation email to the address on your Everkin account, (ii) asking you to confirm recent account activity such as the approximate account creation date or the name of a pet in your Household, and, where risk warrants, (iii) asking you to sign in to the app and confirm the request in-session. We will never ask you for your password or for a government-issued ID to process a standard request.

Response time: We will confirm receipt within 10 business days and respond substantively within 45 calendar days. We may extend by an additional 45 days where reasonably necessary, with written notice of the reason for the extension. If we deny a request in whole or in part, we will explain why.

11.8 Authorized Agent

You may designate an authorized agent to submit requests on your behalf. The agent must provide written authorization signed by you.

11.9 Opt-Out Preference Signals (Global Privacy Control)

When you visit the everkin.io website using a browser that transmits a Global Privacy Control (GPC) signal or similar universal opt-out preference signal, we treat that signal as a valid request to opt out of the "sale" or "sharing" of personal information for the browser and device on which it is received, consistent with 11 CCR §7025 and comparable rules in Colorado, Connecticut, Oregon, Texas, Delaware, Minnesota, New Jersey, and other states that recognize universal opt-out mechanisms. Because Everkin does not sell or share personal information as those terms are defined under applicable law, honoring the signal does not change how we handle your data. If our practices change in the future, we will continue to honor GPC signals.

11A. Other U.S. State Privacy Rights

Residents of other U.S. states with comprehensive consumer privacy laws, including (without limitation) Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Tennessee, Iowa, Delaware, New Hampshire, New Jersey, Maryland, Nebraska, Rhode Island, Minnesota, Indiana, and Kentucky, may have rights to access, correct, delete, or port their personal information, and to opt out of targeted advertising, the sale of personal information, or certain profiling activities.

Ghost Labs does not sell personal information, does not share it for cross-context behavioral advertising, and does not engage in profiling that produces legal or similarly significant effects about you. To exercise any applicable state privacy right, email privacy@everkin.io with the subject line "Privacy Request" and include your state of residence, the email associated with your account, and the specific right you wish to exercise. We will respond within the timeframes required by the applicable state statute.

Sensitive data. Pet health data may be considered sensitive under some state laws. We use it only to provide the Service. We do not use it for targeted advertising, for inferring characteristics about you, or for any purpose that would trigger a right-to-limit mechanism under state regulations.

Washington My Health My Data Act. Everkin does not collect human health data. We do not process data that would qualify as "consumer health data" about a natural person under the Washington My Health My Data Act (RCW 19.373) or analogous state laws. If we ever begin collecting such data, this Privacy Policy will be updated before any such processing begins.

12. EU/UK Website Visitors (Marketing Site Only)

The Everkin mobile application is not available in the European Union, European Economic Area, or United Kingdom App Stores. The everkin.io marketing website, however, is globally accessible. This Section 12 applies solely to the limited personal data we may process through the marketing website (such as analytics cookies and any form submissions) when a visitor is in the EU, EEA, or UK. It does not describe or provide rights regarding the mobile application, which is not offered in those jurisdictions.

12.1 Data Controller

Ghost Labs LLC is the data controller for information collected through everkin.io.

12.2 Legal Basis

For analytics cookies and marketing communications we rely on your consent. For essential site functionality, security, and fraud prevention we rely on our legitimate interest in operating a secure website.

12.3 Your Rights

For website-collected data, you may request access, correction, deletion, restriction, objection, portability, or withdrawal of consent at any time by emailing privacy@everkin.io. You may also lodge a complaint with your local data protection supervisory authority.

12.4 International Data Transfers

Website data is processed in the United States. Where transfers from the EU/EEA/UK occur, we rely on appropriate safeguards such as Standard Contractual Clauses.

13. Canadian Users

13.1 Privacy Officer

Ghost Labs has designated the following individual as its Privacy Officer, responsible for compliance with Canadian privacy laws including Quebec's Law 25:

Corey Schaf, Founder, Ghost Labs LLC
Email: privacy@everkin.io
Mail: 418 Broadway, Suite R, Albany, NY 12207, USA

13.2 PIPEDA (Federal)

If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA). You may access, correct, or delete your personal information, or withdraw consent to our collection and use of it, by contacting our Privacy Officer at privacy@everkin.io. We obtain meaningful consent for the collection, use, and disclosure of personal information, limit collection to what is reasonably necessary to provide the Service, and safeguard personal information with appropriate security measures. You may file a complaint with the Office of the Privacy Commissioner of Canada (30 Victoria Street, Gatineau, QC K1A 1H3) if you believe we have not handled your personal information in accordance with PIPEDA.

13.3 Quebec Residents (Law 25)

If you are a resident of Quebec, you have additional rights under Quebec's Act respecting the protection of personal information in the private sector, as modernized by Law 25. In addition to the PIPEDA rights described above:

• Consent: We seek your clear, free, informed, and specific consent for each purpose for which your personal information is collected. Consent is granular and not bundled.
• Data portability: You may request a copy of your personal information in a structured, commonly used, technology-neutral format (for example, JSON or CSV) to the extent technologically feasible.
• Automated decision-making: We use automated systems in two contexts: (a) content safety scanning of uploaded images via Google Cloud Vision API, and (b) automated enforcement actions such as rate limiting and temporary account quarantine. You have the right to be informed about these systems and to request human review of decisions that result in account suspension or termination by emailing legal@everkin.io.
• Cross-border transfer. Your personal information is stored and processed in the United States. Ghost Labs has assessed that the combination of U.S. legal protections, contractual safeguards with our U.S.-based processors, encryption in transit and at rest, and role-based access controls provides adequate protection for the processing activities involved. A summary of our Privacy Impact Assessment for Quebec residents is available on request.
• Complaints. Complaints may be directed to the Commission d'accès à l'information du Québec (CAI).

French version available. A Canadian French translation of this Privacy Policy is available at everkin.io/fr/privacy, and a Canadian French translation of our Terms of Service is available at everkin.io/fr/terms. The French and English versions are equally binding; Quebec consumers may rely on whichever interpretation is most favourable to them, consistent with the Civil Code of Québec and the Consumer Protection Act.

13.4 British Columbia and Alberta

Residents of British Columbia and Alberta are covered by provincial Personal Information Protection Acts (BC PIPA and Alberta PIPA) that are substantially similar to PIPEDA. Complaints may be directed to the Office of the Information and Privacy Commissioner for British Columbia or the Office of the Information and Privacy Commissioner of Alberta, in addition to or in lieu of the federal OPC.

14. Third-Party Service Providers (Processor Inventory)

We use the following third-party service providers to operate the Service:

All processors are contractually bound to process data only on our instructions and to implement appropriate technical and organizational security measures.

15. Cookies and Tracking Technologies

15.1 Marketing Site (everkin.io)

The everkin.io marketing website may use:

• Essential cookies: Required for basic site functionality (e.g., form submission).
• Analytics cookies: To understand how visitors interact with the site (e.g., page views, referral sources).

15.2 Mobile Application

The Everkin mobile application does not use cookies or third-party tracking SDKs for advertising purposes.

15.3 Managing Cookies

You can control cookies through your browser settings. Disabling cookies may affect the functionality of the marketing website but will not affect the mobile application.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by sending an email to the address associated with your account and/or displaying a prominent notice within the app.

We will provide at least 30 days' notice before material changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy. The "Last Updated" date at the top of this policy indicates when it was most recently revised.

17. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Ghost Labs LLC
418 Broadway, STE R
Albany, NY 12207
United States
Email: privacy@everkin.io
General inquiries: support@everkin.io

For CCPA/CPRA requests, email privacy@everkin.io with the subject line "CCPA Request."

For PIPEDA (Canadian privacy) inquiries, use the same email address above.

Copyright 2026 Ghost Labs LLC. All rights reserved.