Koiru
FI EN SV
Join the waitlist

Privacy Policy

Last updated: April 30, 2026

Short version: Koiru only stores what you log yourself — your dog's daily entries, photos, and basic info. Data is kept in the EU, never sold to advertisers, and never used to train AI models. You can delete your account at any time.

1. Who We Are

Koiru is operated by Tohmoco Oy, a company registered in Finland (business ID 3387948-8). We are the data controller for the personal data you provide when using the Koiru app.

Contact: info@tohmoco.fi

2. What Data We Collect

Data you provide directly

  • Diary entries: Feedings, walks, medications, symptoms, vet visits, weights and other entries from the ten entry types you choose to log. Includes any free-text notes and details you add.
  • Photos: Images you attach to entries (e.g. medication boxes, photos of symptoms, vet documents).
  • Tassutulkki consultations: The text description of your concern and any photos you submit for analysis.
  • Dog details: Name, breed, birth date, sex, weight and other basic information you provide about your dog.
  • Account information: Email address and display name, provided directly or through Google Sign-In or Apple Sign-In.
  • Profile preferences: Language, timezone, notification settings.
  • Family / household invites: 8-character invite codes you share with family members, plus member roles.

Data collected automatically

  • Push notification tokens: Device identifiers used to deliver reminders you have configured.
  • Crash reports: Device model, OS version and crash stack traces (Firebase Crashlytics) for stability monitoring. No behavioural analytics are collected.
  • Subscription lifecycle: An anonymous subscription identifier and events (via RevenueCat) for managing your Premium subscription.

Data derived by AI

  • Photo-AI classification results: category (e.g. medication), reasoning details and confidence level.
  • Tassutulkki recommendation results: summary, recommendation enum (likely normal / monitor / consider vet / urgent vet) and references to your dog's similar past episodes.
  • Smart-reminder anomaly results (e.g. walk pattern change), based on your own dog's history.

What we do NOT collect

  • We do not use advertising trackers or collect advertising identifiers.
  • We do not collect behavioural analytics or usage events.
  • We do not access your contacts, calendar or photo library beyond the specific items you share with Koiru.
  • We do not collect location data.

3. How We Use Your Data

To provide the service (contract performance — Art. 6(1)(b) GDPR)

  • Providing the diary and the family's shared real-time view.
  • Providing Photo-AI classification for your photos (Premium).
  • Generating Tassutulkki recommendations based on your dog's history (Premium).
  • Delivering reminders and gentle nudges.
  • Managing your account and subscription.

To improve the service (legitimate interest — Art. 6(1)(f) GDPR)

  • Logging AI processing metadata (operation type, token count, success/failure) for quality monitoring. No actual content is stored in these logs.
  • Diagnosing crashes and technical errors.
  • Recording metadata about user corrections to Photo-AI results to improve accuracy (only the type of correction, not the content).

With your consent (Art. 6(1)(a) GDPR)

  • Sending push notifications for reminders you have configured and for entries by other family members.

4. AI Processing

Koiru uses Google Vertex AI (Gemini models) for Photo-AI recognition and Tassutulkki analysis. This processing occurs on servers located in the EU (Belgium, europe-west1). Your content is processed solely to provide the service to you.

Your data is never used to train AI models. This is explicitly guaranteed under Google Cloud's Data Processing Addendum.

Tassutulkki does not replace a vet's assessment. The recommendations it produces are tools to help you understand the situation. They are not diagnoses and do not replace a veterinary examination. In an emergency, always contact a vet.

5. Data Sharing and Third Parties

We do not sell your personal data. We do not display advertisements. We do not share data with advertisers or data brokers.

We share data only with the following service providers, operating under strict data processing agreements:

  • Supabase (EU — Ireland): Database, authentication and file storage. All user data is stored here with row-level security ensuring data isolation between users and households.
  • Google Vertex AI (EU — Belgium): Photo-AI recognition and Tassutulkki analysis. Receives content (images, text, dog history) for processing. Customer data is not used for model training.
  • Firebase Cloud Messaging (Google): Push notification delivery. Receives device tokens and notification payloads.
  • Firebase Crashlytics (Google): Crash reporting in production builds. Receives crash traces and device info.
  • RevenueCat: Subscription management. Receives an anonymous user identifier and subscription lifecycle events. Does not receive email, name or diary content.
  • Apple App Store / Google Play Store: Handle all payment processing. We never see or store payment card details.

We may also disclose data if required by Finnish or EU law, or to protect the rights and safety of our users.

6. Family Sharing

When you join a household with other users, you automatically share access to the household's dogs and their diary entries. Household members see all entries, photos and reminders. You cannot restrict data from individual members — household membership is whole-household.

You can leave a household at any time from Settings. Your view is then cleared, but the entries you logged remain with the household for the dog's continuing diary. You can also request deletion of your own entry history — your entries are then re-attributed as "former member".

7. International Data Transfers

Core data processing occurs within the EU:

  • Database and storage: Supabase, EU (Ireland)
  • AI processing: Google Vertex AI, EU (Belgium)

Some supporting services involve transfers to the United States:

  • Push notification delivery (Firebase Cloud Messaging)
  • Crash reporting (Firebase Crashlytics)
  • Subscription management (RevenueCat)
  • Authentication (Google/Apple OAuth)

All US transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission.

8. Data Retention

We retain your diary entries, photos and account data for as long as your account is active. You can delete individual entries, photos, dogs or your entire account at any time from the app settings.

When you delete your account, all data is permanently removed: diary, photos, Tassutulkki consultations, reminders, household membership and your authentication record. This is irreversible.

Individual entries are first moved to a trash bin from which they can be restored for 7 days. After that they are permanently removed by an automated cleanup.

9. Data Security

  • Encryption at rest (AES-256) and in transit (TLS/HTTPS) for all data.
  • Row-Level Security ensuring each user can only access their own household's data.
  • Media files stored in private buckets with short-lived signed URLs.
  • JWT-based authentication required for all API access.

No system is completely secure. If a data breach occurs that poses a risk to your rights, we will notify you and the Finnish Data Protection Ombudsman within 72 hours as required by GDPR.

10. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights:

  • Right of access: View all your data in-app or request a copy.
  • Right to rectification: Correct inaccurate personal data.
  • Right to erasure: Delete your account and all associated data.
  • Right to restriction: Ask us to pause processing of your data.
  • Right to portability: Export your data in a machine-readable format.
  • Right to object: Object to processing based on legitimate interests.
  • Right to withdraw consent: Withdraw consent at any time for things like push notifications.

To exercise any of these rights, email us at info@tohmoco.fi. We will respond within 30 days.

You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).

11. Children's Privacy

Koiru is not directed at children under the age of 16 (EU) or 13 (US). We do not knowingly collect personal data from children. If we discover that a minor's data has been collected, it will be deleted promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes through the app or by email. The date at the top of this page reflects when the policy was last updated.

13. Contact

For any privacy-related questions, requests, or concerns: