Animal welfare | Civic technology | Greece

Animal welfare, on the record.
Anonymous by design.

Platforms

iOS · Android

Privacy posture

Zero data retention

Legal frame

Law 4830/2021

Status

In active development

§ 01

Strong laws.
No reporting infrastructure.

Greece has some of the strongest animal welfare laws in Europe, yet official counts of millions of stray animals remain non-existent.

The legal framework exists, but the reporting mechanism for a safe path from witness to prosecutor does not. Filing a report today often means walking into a police station and identifying yourself.

For many witnesses, that identifying step is a bridge too far. Our goal is narrow: lower the friction, route the report to the right desk, and refuse to become a privacy liability for the people who help.

3-4M

SOURCE: NGO + ACADEMIC ESTIMATES

Estimated stray cats and dogs in Greece, among Europe's highest rates.

10 yrs

SOURCE: LAW 4830/2021, ART. 21

The maximum prison sentence for animal cruelty under current Greek Law.

SOURCE: MINISTRY OF INTERIOR

Official national count of strays. All current figures are unofficial.

§ 02

Report. Route.
Record in 90 seconds.

How a welfare report moves from witness to prosecutor.

STEP 01 →

Report.

A witness sees an animal in distress, snaps a photo, and confirms the location. No accounts, no logins, no personal details.

CAPTURED ON DEVICE

+photo (EXIF-stripped)

+gps coordinates

+incident_type · severity

+description (optional)

STEP 02 →

Route.

The report is relayed in-memory directly to the authorities. Photos are stripped of digital fingerprints twice, on the phone and on the server.

RELAYED IN MEMORY · NEVER PERSISTED

−photo bytes

−gps coordinates

−description text

−reporter identifiers

STEP 03 ∎

Record.

Once sent, the report is gone from our system. We only store coarsened data like a general region and the month to help the community.

WRITTEN TO POSTGRES · 4 FIELDS

·ref_hash · one-way

·grid_cell · ~9 km

·incident_type

·year_month

§ 03

The privacy contract is the schema.

Witness fear is the rate-limiter on cruelty reporting. So we made the privacy contract impossible to break by design.

Most apps protect data with policies. We protect it by not having a database table that could hold it. Below is the exact line between what we store and what we discard immediately.

reports_aggregate

4 fields · stored

ref_hash

A one-way hash given to the witness. It cannot be reversed to identify the original report.

grid_cell

A 9km grid square. Enough to show community trends, impossible to pin down a house.

incident_type

Basic categorization only: poisoning, neglect, physical abuse, or other.

year_month

YYYY-MM format only. We intentionally discard the day, hour, and second.

reports_full

no such table

photo_blob

Relayed instantly in memory. Never touches a hard drive or storage bucket.

gps_lat / lng

Exact coordinates are discarded before the server relay returns a response.

description

Text is passed through the relay to authorities but is never saved in our database.

device_id / ip

These are stripped at the edge. They never reach our application code.

COMMITMENT 01

In-memory relay.

Reports are processed inside an Edge Function, sent out, then vanished. Photos and IDs never touch persistent storage.

COMMITMENT 02

Anonymous aggregates.

We only keep four fields. Enough for a public heatmap, not enough to identify anyone or anything.

COMMITMENT 03

External audit.

A written privacy audit and an automated test suite verify that the schema and the relay keep their promises. The audit is the contract; the tests catch drift.

§ 04

What the public sees
is the only thing we store.

Illustrative · pre-pilot data

A map of cruelty trends in Greece. No individual reports exist.

The public heatmap uses only our four-field aggregate. Each cell represents a 9km square and a single month. Cells brighten as report frequency increases. No individual report is recoverable from this data because the individual data simply doesn't exist below it.

0 reports

nominal

1–3 reports

moderate

4–9 reports

elevated

10+ reports

cluster

§ 05

Mainstream, reliable, verifiable.

Boring is better. We choose audit-friendly tools.

Every layer is mainstream and replaceable. The privacy properties live in the architecture itself, not in a single vendor. If we change a tool, the contract we have with our users still holds.

Mobile

React Native | Expo SDK 52

CLIENT

Routing

Expo Router | file-based

CLIENT

Styling

NativeWind | Tailwind for RN

CLIENT

State

Zustand | TanStack Query

CLIENT

Backend

Supabase | Postgres + Edge Functions

EDGE

Relay

Resend | transactional only

EDGE

Language

TypeScript | end-to-end

ALL

§ 06

Privacy audited.
App in active development.

Zero-retention backend

The Edge relay and enforced Postgres schema are finished.

Done

Privacy architecture audit

Written audit and automated RLS tests are fully implemented.

Done

EXIF stripping

Scrubbing tools are live on both the phone and the server.

Done

Mobile application

Scaffolded; in active development for iOS and Android.

Now

End-to-end app testing

Ensuring the photo-to-prosecutor relay is seamless.

GDPR review

A final review by external counsel to ensure we are ironclad.

Beta distribution

Closed beta for a limited audience in Greece.

Planned

Direct line

thorsten.wilm@gmx.eu

Built by

Dimitrios Tsiakmakis

Welfare infrastructure should be unable to harm the witnesses who use it.

Strong laws.No reporting infrastructure.

Report. Route.Record in 90 seconds.

Report.

Route.

Record.

The privacy contract is the schema.

In-memory relay.

Anonymous aggregates.

External audit.

What the public seesis the only thing we store.

Mainstream, reliable, verifiable.

Privacy audited.App in active development.

Strong laws.
No reporting infrastructure.

Report. Route.
Record in 90 seconds.

What the public sees
is the only thing we store.

Privacy audited.
App in active development.