Privacy Policy

Last updated: April 10, 2026

1. Who we are

LeashUp ("we", "our", "the app") is a hyper-local community for dog owners. The service is provided by an individual based in the Czech Republic acting as the data controller for the purposes of the EU General Data Protection Regulation (GDPR).

For any privacy-related questions, contact us at [email protected].

2. What we collect

We collect only the data needed to make LeashUp work:

• Account & profile — first name, last name (optional), profile picture (optional), district (optional), and a single contact handle of your choice (Telegram, WhatsApp, Instagram, or phone number) used to let other owners reach you.
• Authentication identifiers — depending on which method you use to sign in: an Apple user ID (from Sign in with Apple), a Telegram user ID and username (from the Telegram Login Widget), or an email address and a hashed password.
• Dogs — name, breed, photo (up to 4 photos), age, energy level, play style, social temperament, sex, neutered status, purebred status, and — if you opt into the breeding feature — breeding availability, breeding bio, pedigree number, and titles for each dog you add.
• Location — your approximate or precise GPS coordinates while you use the map, while a walk is in progress (including in the background if you grant the permission), and the coordinates you attach to listings, events, help requests, and danger zones you create.
• User-generated content — marketplace listings, events, help requests, danger zone reports, photos uploaded with them, walks you log, waves (mutual interest signals) you send to other owners, breeding interactions (like/pass decisions and mutual matches between dogs), and 1-to-1 chat messages exchanged with other owners.
• Block and report data — a list of users you have blocked and reports you have submitted about other users or messages. Used solely for moderation and to prevent contact between parties.
• Push notification token — an Apple Push Notification Service (APNs) device token, used only to deliver notifications you have opted into (nearby danger, nearby events, waves, weather reminders).
• Device language and timezone — used to localize the app and pick a sensible default for daily reminders.
• Diagnostic data — minimal server-side error logs without personally identifying content.

We do not collect contacts from your address book, access your photo library beyond the picture you explicitly choose to upload, sell data to advertisers, or run third-party tracking SDKs.

3. Why we use it (and our legal basis)

• To provide the service — show nearby dogs, listings, events, and danger zones; track walks; facilitate breeding matches between dogs; let you communicate via the contact you publish. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).
• To send notifications you opted into — wave received, wave matched, breeding matched, danger nearby, event nearby, weather reminders, and new chat messages. Legal basis: your consent (GDPR Art. 6(1)(a)), withdrawable at any time in iOS Settings or in the in-app Notifications settings.
• Anti-abuse and moderation — rate limits, content checks, and the reports system that lets users flag inappropriate posts. Legal basis: legitimate interest in keeping the community safe (GDPR Art. 6(1)(f)).
• Account security — password hashing, JWT authentication, contact reveal rate limits to prevent scraping. Legal basis: legitimate interest.

4. Who we share it with

LeashUp does not sell your personal data and does not share it with advertisers. We use the following processors strictly to operate the service:

• Cloudflare, Inc. — hosts our backend (Workers), database (D1), object storage for images (R2), and key-value store. Data is stored in Cloudflare's global edge network.
• Apple Inc. — Sign in with Apple identity verification and Apple Push Notification service.
• Telegram FZ-LLC — only if you sign in with Telegram or use Telegram as your published contact.
• Open-Meteo — weather data provider. We send your approximate coordinates to fetch local forecasts; we do not send any account identifier.

We may disclose data if compelled by a valid legal request from a competent authority.

5. Where your data lives

Cloudflare hosts data on its global edge network. Some processing may take place outside the European Economic Area. Cloudflare maintains GDPR-compliant Standard Contractual Clauses for such transfers.

6. How long we keep it

• Account & profile — kept until you delete your account.
• Walks, achievements, paws (in-app currency) — kept while your account exists.
• Listings, events, help requests, danger zones — kept until you delete them or until they expire (each type has its own TTL ranging from 48 hours to 30 days).
• Breeding interactions — like/pass decisions and matches are kept while both dogs exist in the system. Deleting your dog removes all associated breeding data.
• Notifications — read notifications older than 30 days are automatically removed.
• Chat messages — automatically deleted 60 days after they were sent. Conversations themselves persist (so you can resume) but the message bodies are removed on the daily cleanup pass.
• Blocks and reports — blocks persist until you unblock. Reports are retained for at least 12 months for moderation review and audit purposes.
• Active walk records — kept only while a walk is in progress and removed shortly after the walk ends.

7. Your rights under GDPR

As a user located in the European Economic Area you have the right to:

• access the personal data we hold about you;
• request correction of inaccurate data;
• request erasure of your data ("right to be forgotten");
• request a copy of your data in a portable format;
• object to processing or restrict it;
• withdraw consent at any time;
• lodge a complaint with the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ) or the supervisory authority of your country of residence.

To exercise any of these rights, write to us at [email protected]. We respond within one month.

8. Account deletion

You can delete your account directly from the app's Settings screen, or by emailing [email protected] from the address linked to the account. Once verified, we delete your profile, dogs, photos, walks, and all user-generated content within 30 days. Aggregated and anonymized data (e.g. total walk count for leaderboards) is retained but cannot be linked back to you.

9. Children

LeashUp is not directed to children under 13 (or under 16 where applicable under local law). We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

10. Security

We use HTTPS for all network traffic, store passwords hashed with PBKDF2, and authenticate API requests with short-lived JWT tokens. Profile contacts are never returned in browse endpoints — they are only revealed to a logged-in user via a rate-limited reveal endpoint (max 30 reveals per user per day).

11. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the latest revision. Material changes will be announced inside the app.

12. Contact

Questions, requests, or complaints related to this Privacy Policy: [email protected]