Privacy Policy

1. Data Controller Information

The data controller for information collected through this platform is the company operating the VetClinic SaaS service. Contact details are provided in Section 12.

For clinic-specific patient and pet owner data: the veterinary clinic using this platform is the primary data controller for its patient records. We act as a data processor on behalf of clinics, handling their data solely as instructed and as necessary to operate the Service.

2. Personal Information We Collect

From clinic administrators and staff:

• Full name and email address (for account registration)
• Professional role within the clinic
• Login activity and session data
• Billing and payment information (processed via PayMongo)

From pet owners (via clinic intake or owner portal):

• Full name and contact information (phone number, email)
• Home address (for records and reminders)
• Pet information (name, species, breed, age, medical history)
• Vaccination and treatment records
• Appointment history and visit notes
• Payment and invoice records

Automatically collected:

• IP address and browser/device type
• Pages visited, time spent, and feature usage within the platform
• Error logs and performance data (PII is stripped before logging)
• Session cookies necessary for authentication

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service
• Facilitate clinic workflows: appointments, patient records, billing, inventory management
• Send appointment reminders and notifications via SMS (Semaphore) on behalf of your clinic
• Process payments through PayMongo (GCash, Maya, card)
• Authenticate users and maintain account security
• Respond to support requests and resolve technical issues
• Monitor platform performance and fix errors (using anonymized data only)
• Comply with legal obligations under Philippine law

We do not use patient data for advertising, marketing analytics, or any purpose unrelated to operating the Service for your clinic.

4. Legal Basis for Processing

Under RA 10173, we process personal information on the following bases:

• Consent — Pet owners who register for the owner portal provide explicit consent for processing their personal information.
• Contract performance — Processing clinic staff information is necessary to fulfill our subscription agreement with your clinic.
• Legitimate interest — We process usage and performance data to maintain and improve the Service in ways that do not override your fundamental rights.
• Legal obligation — We may process information as required to comply with applicable Philippine laws and regulatory requirements.

5. Information Sharing and Disclosure

We do not sell your personal information to third parties. We share information only in these limited circumstances:

• Service providers — We use trusted third-party services to operate the platform: Supabase (database and authentication), PayMongo (payment processing), and Semaphore (SMS notifications). Each processes only the data necessary for their service and is contractually bound to protect it.
• Legal requirements — We may disclose information if required by Philippine law, court order, or government authority, and only to the extent required.
• Business transfers — In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before such a transfer and provide options to export or delete your data.

6. Data Retention

We retain your data for as long as your clinic account is active or as needed to provide the Service. Specifically:

• Active accounts: Data is retained for the duration of your subscription plus a 30-day grace period after cancellation.
• Medical records: Veterinary records may be subject to retention requirements under Philippine veterinary regulations. Clinic administrators are responsible for complying with applicable retention obligations.
• Billing records: Payment and invoice records are retained as required by Philippine tax regulations (BIR).
• Deleted accounts: Upon account deletion, personal data is removed within 30 days, except where required to be retained by law.

7. Data Security

We implement industry-standard technical and organizational measures to protect your personal information:

• All data in transit is encrypted via HTTPS/TLS
• Data at rest is encrypted using Supabase's built-in encryption features
• Row-Level Security (RLS) ensures clinic data is isolated and inaccessible to other clinics
• Authentication is handled via Supabase Auth with secure session management
• Access to production data is restricted to authorized personnel only
• Error monitoring strips personally identifiable information before reporting

While we take security seriously, no system is completely impenetrable. In the event of a data breach affecting your personal information, we will notify you and the National Privacy Commission (NPC) as required under RA 10173 within 72 hours of discovery.

8. Your Rights Under RA 10173

The Philippine Data Privacy Act grants you the following rights regarding your personal information:

To exercise any of these rights, contact our Data Privacy Officer at privacy@vetclinic.ph. We will respond within 15 business days as required by NPC regulations.

9. Cookies and Tracking

We use cookies and similar technologies strictly for the following purposes:

• Session cookies — Required to maintain your authenticated session. These are necessary for the Service to function and cannot be disabled.
• Preference cookies — Store your UI preferences (e.g., dark mode setting). These expire after 1 year.

We do not use advertising cookies, cross-site tracking, or third-party analytics cookies that profile your behavior across other websites.

10. Children's Privacy

The Service is intended for use by adults (18 years and above) in a professional veterinary context. We do not knowingly collect personal information directly from individuals under 18 years of age.

Pet owner accounts for minors should be managed by a parent or legal guardian who accepts responsibility for the account.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will notify you of material changes by:

• Posting the updated policy with a new “Last Updated” date
• Sending a notice to the email address associated with your clinic account at least 14 days before the changes take effect

Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes.

12. Contact and DPO Information

For questions, concerns, or requests regarding this Privacy Policy or your personal information, contact our Data Privacy Officer:

Note: This Privacy Policy is provided for informational purposes. We recommend having it reviewed by a Philippine-licensed attorney familiar with RA 10173 before going live with a production service.