Privacy Policy

Last updated: March 2026

1. Introduction

Vetta BV ("we," "our," or "us") operates the Vetta application and website (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service, including during our waitlist and early-access phases.

2. Data Controller

Data Controller: Vetta BV, registered in Belgium

Privacy Contact: privacy@vetta.health

3. Types of Data Collected

We collect the following categories of personal data, depending on how you interact with the Service:

  • Waitlist Data: Email address and submission timestamp when you join our waitlist.
  • Activation Data: Activation code usage records, including code, timestamp, and associated email.
  • Account Data: Name, email address, profile information provided via email/password registration or social sign-in (Google, Apple), subscription status, and payment history.
  • Social Sign-In Data: When you register or log in via Google or Apple, we receive your name, email address, and profile identifier from the provider. We do not receive or store your social account password.
  • Dog Profiles: Dog name, breed, age, weight, photo, medical history, vaccination records, and health conditions.
  • Chat Conversations: All messages you send to the AI, including health-related questions and information about your dog.
  • Health Records: User-generated health notes, quick-log entries, uploaded documents, medication logs, and veterinary visit summaries.
  • Payment Data: Payment method information (handled by Stripe; we do not store full card details).
  • Analytics Data: Usage patterns, feature interactions, session duration, and device information (collected via Matomo, only with your consent). We link your analytics sessions using a pseudonymized account identifier to understand how our Service is used across sessions. This identifier is derived from your account ID but cannot be used to identify you personally; it is hashed before storage.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Consent (Article 6(1)(a) GDPR): For analytics cookies, optional features, and waitlist registration.
  • Contract Performance (Article 6(1)(b) GDPR): To provide the Service, manage your account, process payments, and fulfill your requests.
  • Legitimate Interest (Article 6(1)(f) GDPR): To improve our Service, detect fraud, ensure security, and comply with legal obligations.

5. AI Processing and Conversations

Vetta uses artificial intelligence (Anthropic Claude API) to provide educational responses about dog health. Please note:

  • API Processing: Your chat messages are sent to Anthropic's Claude API servers (located in the United States) for processing and generating responses. This transfer is protected by EU Standard Contractual Clauses (SCCs) and a Data Processing Agreement. See Section 6 for details.
  • Data Retention by AI Provider: Anthropic retains API request logs for up to 30 days for safety and abuse monitoring purposes, after which they are automatically deleted. Anthropic does not use your data to train its AI models.
  • Internal Storage: Conversations are stored in our database (hosted in the EU) for the purpose of maintaining your health records and improving our Service. This storage allows you to review your chat history and maintain continuity in your dog's health tracking.
  • Educational Only: Responses are educational in nature and never provide veterinary diagnosis or treatment recommendations. Vetta does not make medical decisions; it provides information to support informed discussions with your veterinarian.
  • Never Shown to Users: Internal analysis and processing data are never displayed to users and are used only for Service improvement and record-keeping.

6. Data Processors and International Transfers

We share your data with the following processors:

  • Supabase (EU): Database, authentication, and social sign-in services. Data stored in EU data centers.
  • Anthropic (US): AI model processing. Transfers subject to Standard Contractual Clauses (SCCs) and Data Processing Agreement (DPA).
  • Stripe (US): Payment processing. Transfers subject to SCCs and DPA.
  • Vercel (US): Hosting and CDN services. Transfers subject to SCCs and DPA.
  • Matomo Cloud (EU): Analytics (only with your consent). Data stored in EU data centers.
  • Brevo (EU): Email and notifications service. Data stored in EU data centers.
  • Sentry (US): Error tracking and monitoring. Transfers subject to SCCs and DPA.
  • Google (US): OAuth authentication provider (when you choose to sign in with Google). Transfers subject to SCCs.
  • Apple (US): OAuth authentication provider (when you choose to sign in with Apple). Transfers subject to SCCs.

All transfers to processors outside the EU/EEA are protected by Standard Contractual Clauses and appropriate Data Processing Agreements in accordance with GDPR Article 44-49.

7. Data Retention

We retain your personal data as follows:

  • Waitlist Data: Retained until you are activated or request removal, and no longer than 12 months after submission if not activated.
  • Activation Codes: Code usage records are retained for 12 months after use for audit purposes.
  • Account Data: Retained for the duration of your account and 30 days after account deletion for compliance purposes.
  • Chat Data and Health Records: Retained while your account is active to maintain continuity of your dog's health records. Deleted upon your request or 90 days after account deletion.
  • Payment Data: Retained as required by tax and accounting regulations (typically 7 years).
  • Analytics Data: Retained for up to 26 months.

8. Your Rights Under GDPR

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of Access (Article 15): Request a copy of your personal data.
  • Right to Rectification (Article 16): Request correction of inaccurate data.
  • Right to Erasure (Article 17): Request deletion of your data (subject to legal obligations).
  • Right to Data Portability (Article 20): Request your data in a portable format.
  • Right to Restrict Processing (Article 18): Request limitation of data processing.
  • Right to Object (Article 21): Object to processing based on legitimate interest.
  • Right to Withdraw Consent: Withdraw consent for optional processing at any time.

To exercise any of these rights, please contact us at privacy@vetta.health.

9. Cookies and Tracking Technologies

We use cookies to enhance your experience. Our use of cookies is governed by your consent choices:

Essential Cookies (always active)

These cookies are required for the Service to function and cannot be disabled.

  • cookie-consent — Stores your cookie consent preference. Duration: 1 year. Provider: Vetta.
  • sb-*-auth-token — Authentication session token. Duration: session / 7 days. Provider: Supabase.

Analytics Cookies (opt-in only)

These cookies are set only when you click "Accept All" on the cookie banner.

  • _pk_id.* — Unique visitor identifier. Duration: 13 months. Provider: Matomo.
  • _pk_ses.* — Session tracking. Duration: 30 minutes. Provider: Matomo.

You can manage cookie preferences through the cookie consent banner on our website or by clearing cookies in your browser settings.

10. Children's Privacy

Vetta is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such information and terminate the child's account.

11. Supervisory Authority

You have the right to lodge a complaint with the Belgian Data Protection Authority:

Gegevensbeschermingsautoriteit (GBA)
Drukpersstraat 35
1000 Brussels
Belgium
Website: www.gegevensbeschermingsautoriteit.be

12. Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit and at rest, access controls, and regular security reviews. However, no security measure is completely secure, and we cannot guarantee absolute security.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date above. For material changes, we will notify registered users by email. Your continued use of the Service following the posting of changes constitutes your acceptance of such changes.

14. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us at:

Email: privacy@vetta.health
Company: Vetta BV, Belgium