Privacy Policy

Welcome to VetNote. We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, and protect your information when you use our pet health booklet service.

The data controller is: Tupek Kamil Nowak, ul. Józefa Poniatowskiego 17, 63-200 Jarocin, Poland. NIP: 6172197279, REGON: 384712929. Contact: [email protected].

The controller has not appointed a Data Protection Officer, as the processing does not constitute core activity involving regular and systematic monitoring of data subjects on a large scale, nor large-scale processing of special categories of data (Art. 37 GDPR).

We process your data in accordance with the General Data Protection Regulation (GDPR) and Polish data protection laws.

We collect and process the following categories of personal data:

• Account information (required): email address, name, password (hashed with bcrypt). Providing an email address is necessary to create an account. Without it, we cannot provide the service.
• Login data from third-party providers: If you sign in via Google or Apple OAuth, we receive your email address and name from Google LLC or Apple Inc. with your consent during sign-in.
• Pet health data (optional): pet names, species, breeds, vaccination records, medical history, veterinary visits, medications. Refusing to provide this data prevents using pet health management features.
• Documents (optional): uploaded medical documents, photos, scan files. Uploaded photos may contain metadata (EXIF data such as location, timestamp, device info). We recommend avoiding uploads that contain personal photos.
• Usage data: login times, features used, device information
• Communication data: support requests, feedback
• Mobile app data: device identifiers, push notification tokens (FCM), app version
• Biometric data: Face ID/Touch ID enrollment status (the actual biometric data never leaves your device and is processed solely by Apple/Google in the Secure Enclave/TEE)
• AI-processed data (optional): when you enable AI features, your pet's medical record excerpts, chat messages, and document summaries are processed by AI services (only with your explicit consent). Refusing to consent prevents using AI-powered features only; all other app features remain available.

We process your personal data for the following purposes, each paired with its legal basis:

• Providing and maintaining the VetNote service, managing your account, storing pet health records, and handling subscriptions — Legal basis: contract performance (Art. 6(1)(b) GDPR)
• Sending transactional notifications: appointment reminders, medication alerts, vaccination due dates — Legal basis: contract performance (Art. 6(1)(b) GDPR), no separate consent required
• Sending marketing notifications: product updates, tips, new features — Legal basis: consent (Art. 6(1)(a) GDPR). Sent only with your separate, explicit consent
• Product analytics (PostHog): understanding usage patterns to improve the service — Legal basis: consent (Art. 6(1)(a) GDPR), also required under ePrivacy Directive Art. 5(3) as lex specialis for terminal device access
• AI-powered medical record analysis, document search, and health Q&A — Legal basis: explicit consent (Art. 6(1)(a) GDPR). Only active after you opt in
• Ensuring service security, protecting against abuse, and unauthorized access prevention — Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Our specific interest: protecting service integrity and user accounts from unauthorized access and fraud
• Error reporting and crash monitoring (Sentry) — Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Our specific interest: maintaining service stability and quickly resolving technical issues
• Responding to your support requests — Legal basis: contract performance (Art. 6(1)(b) GDPR)
• Retaining billing and tax records — Legal basis: legal obligation (Art. 6(1)(c) GDPR), specifically Art. 70 of the Polish Tax Ordinance and the Accounting Act

All your data is stored and processed within the European Economic Area (EEA). Our infrastructure providers (Vercel, Supabase, Sentry, PostHog, Google Cloud, Qdrant) all operate in EU data centers (Frankfurt and europe-west1 regions).

Some of our service providers are headquartered in the United States (Vercel Inc., Supabase Inc., Sentry Inc., Qdrant). Although data physically remains within the EU, these providers may have limited access to data for support and maintenance purposes. Such access is governed by Standard Contractual Clauses (SCC) pursuant to Commission Implementing Decision (EU) 2021/914 and Data Processing Agreements (DPA).

We do not sell your personal data. We may share your data with the following recipients:

• Veterinarians: Only when you explicitly share access via secure link
• Hosting: Vercel — Frankfurt, Germany (eu-central-1). Serves the web application and serverless functions.
• Database and authentication: Supabase (on AWS) — Frankfurt, Germany (eu-central-1). Stores all user data, pet records, and authentication.
• Error tracking: Sentry — Frankfurt, Germany (ingest.de). Crash reporting and error monitoring.
• Analytics: PostHog — Frankfurt, Germany (eu-central-1). Product analytics, only with your consent.
• AI language model: Google Vertex AI (Anthropic Claude) — EU region (europe-west1). Processes chat messages and medical record text for AI-powered analysis. Data is processed under Google Cloud's Data Processing Agreement, within the EU, and is not used for model training. Only active with your explicit consent.
• AI embeddings: Google Vertex AI — EU region (europe-west1). Converts medical record text into searchable numerical representations. Data is processed within the EU and is not used for training.
• Vector search: Qdrant (on AWS) — Frankfurt, Germany (eu-central-1). Stores searchable numerical representations of your pet's medical records. Data is encrypted at rest.
• Authentication providers: Google LLC and Apple Inc. — when you use Google or Apple Sign-In. Only authentication data (email, name) is exchanged.
• Legal authorities: When required by law

In accordance with Art. 50 of the EU AI Act (Regulation 2024/1689), we inform you that VetNote offers optional AI-powered features including a health assistant and intelligent document search. You are interacting with an AI system when using these features, and responses are AI-generated.

AI features are entirely opt-in — you must give explicit consent before any data is sent to AI services. When AI features are enabled, the following data may be sent to AI services: chat messages you send to the health assistant, excerpts from your pet's medical records (visit summaries, medications, lab results), and your pet's name and species. This data is used solely to generate responses and search results within VetNote.

All AI processing takes place within the European Union (Google Cloud europe-west1 region). AI service providers process data under data processing agreements and do not use your data to train or improve their models.

You can enable or disable AI data processing at any time in Settings > Privacy. When you disable AI features, no further data will be sent to AI services. Previously processed data (such as search embeddings) may be retained until you request its deletion.

VetNote uses AI (Google Vertex AI with Anthropic Claude) to analyze pet health symptoms, scan veterinary documents, and provide advisory chat responses.

AI responses are for informational and educational purposes only. The AI does not make decisions producing legal effects or similarly significantly affecting you (Art. 22 GDPR). In accordance with Polish law (Ustawa o zawodzie lekarza weterynarii), only a licensed veterinarian may diagnose and prescribe treatment for animals. AI does not replace veterinary consultation, does not constitute a medical diagnosis, and you always make the final decision. There is no profiling that produces legal effects.

We implement appropriate technical and organizational measures to protect your data:

• Encryption in transit: HTTPS/TLS for all communications
• Encryption at rest: All data encrypted on Supabase (AWS) servers
• Row Level Security (RLS): Database policies ensure you can only access your own data
• Signed URLs: Files accessible via signed URLs with limited time-to-live
• Secure token storage: Secure Storage/Keychain for sensitive tokens
• Password hashing: Bcrypt, never stored in plaintext
• Regular backups: Your data is backed up regularly

We retain your data according to the following schedule:

• Account data: For the duration of your account plus 30 days after deletion
• Pet health data (profiles, visits, vaccinations, medications): Deleted upon account deletion
• Photos and documents: Deleted upon account deletion
• Vector embeddings (Qdrant): Deleted upon account deletion or individual pet deletion
• AI chat logs: For the duration of your account, maximum 3 years from last activity
• Subscription and purchase history: 5 years from the end of the fiscal year (Art. 70 of the Polish Tax Ordinance)
• Push notification tokens (FCM): Until logout or account deletion
• Analytics data (PostHog): Maximum 26 months from collection

Under GDPR, you have the following rights:

• Access (Art. 15): Request a copy of your personal data
• Rectification (Art. 16): Correct inaccurate data
• Erasure (Art. 17): Request deletion of your data ('right to be forgotten')
• Restriction (Art. 18): Limit how we process your data in specific cases
• Portability (Art. 20): Receive your data in JSON format or request transfer to another controller
• Withdraw consent (Art. 7(3)): Withdraw previously given consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. Withdrawal is as easy as giving consent — you can do it in the same settings where you gave it.
• Lodge a complaint: You have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland

VetNote uses browser local storage (not traditional cookies) to provide and improve our service. When you first visit VetNote, you will be asked to choose your preferences via a consent banner.

• vetcare_cookie_consent (essential): Stores your consent choice (essential/analytics preference and timestamp). Provider: VetNote. Persistent until cleared.
• Supabase auth tokens (essential): Authentication session data required for secure login. Provider: Supabase. Cleared on logout.
• PostHog analytics (optional, consent required): Usage analytics data including session recording with full text/attribute masking for GDPR compliance. Provider: PostHog, Frankfurt (eu-central-1). Only active with your consent (Art. 5(3) ePrivacy Directive).

When you use the VetNote mobile app (iOS or Android), we collect and process additional data specific to mobile devices:

• Transactional push notifications: Vaccination reminders, medication alerts, appointment reminders — sent based on contract performance (Art. 6(1)(b) GDPR), no separate consent required.
• Marketing push notifications: Product updates, tips, new features — sent only with your separate, explicit consent.
• Biometric authentication: VetNote supports Face ID, Touch ID, and fingerprint authentication for secure app access. Your biometric data is processed entirely on your device by Apple/Google in the Secure Enclave/TEE and never transmitted to our servers. We only store whether biometric login is enabled.
• Camera and photo library: Used only when you initiate an action (capturing pet photos, scanning documents). Photos are stored securely in your account on Supabase Storage (EU, Frankfurt). Uploaded photos may contain EXIF metadata (GPS location, timestamp, device information). We recommend not uploading personal photos unrelated to your pet's health.
• App Tracking Transparency (iOS): On iOS 14.5+, we request permission before collecting analytics data. You can change this in Settings > Privacy > Tracking. If you deny permission, we will not collect analytics data for product improvement, but error tracking for app stability will remain active.
• Device identifiers: We collect anonymous device information for crash reporting and analytics. This helps us identify and fix issues.

VetNote is not intended for children under 16 (Art. 8 GDPR). We do not knowingly collect data from children under 16 without parental or legal guardian consent. Age verification is based on the user's declaration. If we discover such data, we will promptly delete it along with the account.

In the event of a personal data breach:

• Notification to UODO: Without undue delay, no later than 72 hours after becoming aware of the breach (Art. 33 GDPR), unless the breach is unlikely to result in a risk to rights and freedoms
• Notification to users: If the breach results in a high risk to your rights and freedoms, you will be notified without undue delay (Art. 34 GDPR)
• Breach register: We maintain an internal record of all breaches including circumstances, effects, and remedial actions taken (Art. 33(5) GDPR)

We may update this Privacy Policy only for important reasons, including: changes in applicable law, changes in data processing activities, introduction of new features or services, changes necessary for security reasons, or changes in third-party service providers.

You will be notified of any changes at least 14 days before they take effect, via email and in-app notification. The notification will include the content of the changes and the date they take effect.

If you do not agree with the changes, you have the right to terminate your account before the changes take effect. To terminate, contact [email protected] or delete your account before the effective date.

The current version is always available in the app (Settings > Privacy Policy) and at vetnote.pl.