Privacy Policy

1.1. Who We Are

VetAI Diagnostics is a web service for veterinary physicians and veterinary clinics that helps interpret the results of animal laboratory tests using artificial intelligence, deterministic clinical rules, reference values, and an internal knowledge base.

The service is intended for use in veterinary practice as a supplementary informational tool. It does not replace the professional clinical judgment of a veterinary physician and does not make final diagnoses.

Owner / controller of personal data with respect to service users' data:

• Name: ФОП Разін Анатолій Вікторович
• Registration number: 3133106337
• Registered address: Запорізька обл. Запорізький р-н с Розумівка вул. Мельнична 16
• Email for personal data inquiries: tech@vetaidiagnostics.pro
• Contact email: tech@vetaidiagnostics.pro
• Website: https://vetaidiagnostics.pro

1.2. What This Policy Governs

This Privacy Policy explains:

• what personal data we collect;
• for what purposes we process it;
• what legal bases we rely on;
• to whom data may be transferred;
• how processing through artificial intelligence works;
• how long we retain data;
• what rights users and other data subjects have;
• what security measures are applied.

1.3. Regulatory Framework

This Policy has been prepared in accordance with:

• the Law of Ukraine "On Personal Data Protection";
• the Law of Ukraine "On Information";
• the Civil Code of Ukraine;
• the Law of Ukraine "On Electronic Commerce";
• the EU General Data Protection Regulation — GDPR, where applicable;
• Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data.

1.4. Who This Policy Applies To

This Policy applies to:

• Service users — veterinary physicians, veterinary clinic staff, clinic administrators, and other individuals who have an account with VetAI Diagnostics.
• Veterinary clinics — legal entities or sole proprietors that use the service in their operations.
• Animal owners — natural persons whose data may be entered by service users in connection with the provision of veterinary services.
• Website visitors — individuals who browse the vetaidiagnostics.pro website without creating an account.

1.5. Acceptance of This Policy

By using VetAI Diagnostics, the user confirms that they:

• have read this Policy;
• understand its content;
• agree to the processing of their personal data on the terms set out in this Policy;
• have an appropriate legal basis for entering animal owners' data into the service, where such data is entered.

2.1. VetAI Diagnostics Is Not a Medical Device

VetAI Diagnostics is not:

• a registered medical device;
• a veterinary medical device, should such a category be expressly regulated by law;
• a means of making a final diagnosis;
• a means of prescribing treatment;
• a substitute for consultation with a veterinary physician;
• a service for independent use by animal owners without the involvement of a veterinary specialist.

2.2. VetAI Diagnostics Is a Supplementary Tool

The service may:

• recognise data from laboratory forms using OCR;
• structure laboratory parameters;
• compare parameters against reference values;
• take into account the species, age, sex, breed, and other clinically relevant parameters of the animal;
• generate a preliminary interpretation of laboratory data;
• compile a list of possible differential diagnoses for consideration by the veterinary physician;
• suggest possible next diagnostic steps.

2.3. Responsibility for Clinical Decisions

All clinical decisions are made exclusively by the veterinary physician. Such decisions include:

• making a diagnosis;
• selecting a treatment;
• prescribing medications;
• determining a prognosis;
• decisions regarding hospitalisation;
• decisions regarding additional investigations;
• decisions regarding euthanasia;
• any other medical or veterinary actions.

VetAI Diagnostics provides informational support but does not make clinical decisions on behalf of the physician.

2.4. Limitations of Artificial Intelligence Accuracy

Artificial intelligence algorithms may make errors. Possible risks include:

• incorrect recognition of text or numbers on a test report form;
• errors due to low quality of a photo, scan, or PDF;
• incorrect identification of units of measurement;
• incomplete or inaccurate interpretation;
• failure to detect rare or atypical conditions;
• generation of differential diagnoses that do not correspond to the specific clinical case;
• errors due to incomplete or incorrectly entered data.

The user is obliged to verify the results produced by the service before applying them in clinical practice.

3.1. Service User Data

When registering and using the service, we may process the following data of veterinary physicians, clinic staff, and other users:

• full name;
• email address;
• hashed password;
• Google OAuth data, if the user chose to sign in with Google;
• clinic name;
• role in the system: administrator, veterinary physician, clinic staff, or another role;
• clinic ID;
• registration date and time;
• login date and time;
• IP address;
• browser type;
• device type;
• technical activity logs;
• interface preferences, such as language or display theme.

3.2. Veterinary Clinic Data

We may process the following data relating to clinics:

• clinic name;
• technical clinic identifier in the system;
• users associated with the clinic;
• user roles within the clinic;
• service usage history;
• technical data for invoicing or usage accounting, if the service is used on a paid basis.

3.3. Animal Owner Data

A service user may enter animal owner data. Such data may include:

• animal owner's full name;
• phone number;
• email address;
• veterinary physician's notes;
• other information that the user voluntarily enters in the relevant service fields.

An animal owner does not typically interact with VetAI Diagnostics directly. Their data is entered by the veterinary physician or clinic staff in the course of providing veterinary services. The clinic or veterinary physician is responsible for having a legal basis for entering such data into the service.

3.4. Patient Data — Animals

The service processes data about animals, including:

• name;
• species: dog, cat, or other;
• breed;
• sex;
• age or date of birth;
• weight, if entered;
• diet, if entered;
• medical history, if entered;
• clinical notes;
• laboratory parameters;
• complete blood count results;
• biochemistry panel results;
• urinalysis results, if this feature is used;
• OCR recognition results;
• AI interpretations;
• differential diagnoses generated for consideration by the physician;
• recommended next diagnostic steps.

Animal data is not personal data in itself, as an animal is not a natural person. However, such data may be associated with the personal data of the animal's owner. We therefore treat it with heightened care.

3.5. Files Uploaded to the Service

A user may upload photos of laboratory forms, scanned copies, PDF files, and other document formats. Such files may contain the animal's laboratory parameters, reference values, the laboratory name, the date of the test, the animal's name, and other data, including personal data of the animal's owner if it is printed on the form.

Important: if a user uploads a form that already contains the animal owner's personal data, such data may be technically processed together with the file during OCR recognition. Users should, where possible, avoid uploading unnecessary personal data or redact it beforehand.

3.6. Technical Data

When using the website or service, we may automatically process:

• IP address;
• date and time of request;
• request URL;
• browser type;
• operating system type;
• device type;
• browser language;
• session data;
• technical error logs;
• security logs;
• logs of AI feature usage, without the content of the medical query.

3.7. Data We Do Not Collect

We do not request and do not intend to collect:

• passport details of animal owners;
• tax identification numbers of animal owners;
• bank card details;
• biometric data;
• precise geolocation coordinates;
• data on political views;
• data on religious beliefs;
• data on the health status of human users;
• data on sexual life or sexual orientation;
• other sensitive personal data of individuals, unless it is necessary for the operation of the service.

Users are prohibited from entering into the service any unnecessary personal or sensitive data of individuals that is not required for veterinary work.

4.1. User Data

With respect to service user data, we may act as the personal data controller. We process such data on the basis of:

• performance of a contract or steps taken prior to entering into a contract;
• the user's consent, where required;
• legitimate interest, in particular for service security, prevention of misuse, and product maintenance;
• compliance with legal obligations, where such obligations arise.

4.2. Animal Owner Data

With respect to animal owner data entered by a veterinary clinic or physician, the basic model is as follows:

• the clinic or veterinary physician is the controller of the animal owner's personal data;
• VetAI Diagnostics is the processor acting on behalf of the clinic or veterinary physician.

The user confirms that they have a legal basis for entering such data into the service. Such basis may be:

• the animal owner's consent;
• a contract for the provision of veterinary services;
• the legitimate interest of the clinic or physician;
• another legal basis provided for by law.

4.3. Technical Data

Technical data may be processed on the basis of legitimate interest for the purpose of:

• ensuring security;
• preventing unauthorised access;
• maintaining the stable operation of the service;
• diagnosing technical errors;
• protecting the rights and interests of VetAI Diagnostics, users, and clinics.

4.4. AI Processing

AI processing is used exclusively to provide the service's features:

• OCR recognition;
• normalisation of laboratory data;
• generation of a preliminary interpretation;
• creation of differential diagnoses for consideration by the physician;
• generation of recommendations regarding possible next diagnostic steps.

AI processing is not used for making legally significant decisions about individuals.

We process data for the following purposes:

• Providing access to the service — registration, authentication, account management, and user role configuration.
• Creating and maintaining clinical records — creating profiles for animal owners, patients, clinical cases, and laboratory investigations.
• OCR recognition of laboratory forms — automatic reading of data from photos, scans, or PDF files.
• Interpretation of laboratory data — comparison with reference values, clinical rules, and age- and species-specific characteristics.
• AI-generated conclusions — generation of structured interpretations, differential diagnoses, and possible next steps.
• Storing case history — providing the physician with the ability to review previous tests and interpretations.
• Technical support — assisting users, correcting errors, and diagnosing incidents.
• Security — protection against unauthorised access, spam, misuse, and technical attacks.
• Invoicing and usage accounting, if the service is used on a paid basis.
• Service improvement — analysis of feature usage in anonymised or aggregated form.
• Compliance with legal obligations — responding to lawful requests from public authorities or court orders.
• Protection of the rights of VetAI Diagnostics, users, clinics, or third parties in the event of disputes.

We do not sell personal data to third parties.

6.1. General Architecture

VetAI Diagnostics operates as a web application. The main components are:

• web interface: Next.js / React;
• application hosting: Vercel;
• database: Supabase PostgreSQL;
• file storage: Supabase Storage;
• authentication: Supabase Auth, Google OAuth at the user's choice;
• AI processing: Google Cloud Vertex AI / Google Gemini;
• internal clinical rules and knowledge base;
• RAG / retrieval-augmented generation, if this feature is enabled.

6.2. User Registration

The user creates an account, enters the required data, and is linked to a clinic. The system stores the user's full name, email address, hashed password or OAuth data, clinic ID, user role, and technical session data.

6.3. Creating an Animal Owner Profile

The user may create an animal owner profile. The data is entered by the user — the veterinary physician or clinic staff. VetAI Diagnostics does not obtain the animal owner's consent directly. Responsibility for the legal basis for entering such data lies with the clinic or the user entering the data.

6.4. Uploading a Laboratory Form

The user may upload a photo or PDF, or enter laboratory values manually. Files are stored in Supabase Storage with access restricted by technical policies.

6.5. OCR Recognition

For text recognition from files, the service may transmit the file or its technical representation to Google Cloud Vertex AI / Google Gemini. The data typically transmitted to the AI service includes laboratory parameters, units of measurement, reference ranges, and animal parameters (species, breed, age, sex). The animal owner's personal data is not transmitted as separate fields; however, it may technically be included in OCR processing if it is already printed on the form.

6.6. Normalisation of Laboratory Data

After OCR or manual entry, the system normalises the data: it identifies parameters, verifies units of measurement, compares values against reference intervals, and identifies deviations.

6.7. AI Interpretation

To generate a conclusion, the service may transmit to Google Gemini / Vertex AI the animal's species, breed, age, and sex, laboratory parameters, deviation markers, clinical context, and excerpts from the internal knowledge base. The service must not transmit to the AI model the owner's full name, the owner's contact details, or the physician's full name as separate prompt fields.

6.8. RAG and the Internal Knowledge Base

VetAI Diagnostics may use RAG — retrieval-augmented generation. This means that before generating an AI conclusion, the system may retrieve relevant excerpts from the internal knowledge base and add them to the AI request context. The internal knowledge base may contain clinical rules, excerpts from veterinary guidelines, reference materials, and vector representations of text excerpts. RAG does not change the list of personal data collected by the service.

6.9. Saving Results and Logging

Results are stored in the database: recognised and normalised parameters, AI interpretation, differential diagnoses, suggested next steps, technical processing metadata, date and time, and the IDs of the user, clinic, patient, and case.

For technical monitoring purposes, AI request logs may be stored: clinical case ID, model name, date and time, processing duration, token count, and technical status. As a general rule, such logs should not contain the full text of the prompt or the full text of the AI response.

7.1. To Whom Data May Be Transferred

For the operation of the service, we may use the following providers:

• Supabase — database, file storage, authentication. User, clinic, animal owner, patient, and test data and files are transferred.
• Vercel — web application hosting. Technical processing of HTTP requests.
• Google Cloud Vertex AI / Gemini — OCR, AI interpretation, embeddings. Laboratory data, files for OCR, and the animal's clinical context are transferred.
• Google OAuth — sign-in via Google. User's email address and technical authorisation data.

7.2. Supabase

Supabase is used for database storage, file storage, user authentication, and access management. Under the current architecture, the primary storage region is eu-west-1, Ireland, EU.

7.3. Vercel

Vercel is used for web application hosting. The user's HTTP requests, technical headers, IP address, and session data may pass through the Vercel infrastructure.

7.4. Google Cloud Vertex AI / Gemini

Google Cloud Vertex AI / Gemini is used for OCR recognition, AI interpretation of laboratory results, and generation of structured conclusions. As a general rule, Google Cloud customer data is not used by Google to train general models without separate consent or an appropriate contractual basis.

7.5. Google OAuth

If a user chooses to sign in with Google, Google processes the relevant authorisation data in accordance with its own terms and privacy policies.

7.6. To Whom We Do Not Transfer Data

We do not transfer personal data to:

• advertising networks;
• data brokers;
• insurance companies;
• pharmaceutical companies;
• pet food manufacturers;
• other clinics;
• third-party veterinary physicians without a legal basis;
• other third parties for their own marketing purposes.

We do not sell personal data.

8.1. Where Data May Be Processed

Data may be processed in Ukraine, the European Union, the United States, or other countries, depending on the infrastructure of the providers. The main processing locations are:

• Supabase — primary region eu-west-1, Ireland;
• Vercel — global infrastructure, including the EU and the US;
• Google Cloud — Google's infrastructure, including the EU and the US.

8.2. Safeguards

The following may be applied for cross-border transfers: Data Processing Agreements, Standard Contractual Clauses, technical and organisational security measures, encryption in transit, access controls, and contractual obligations of providers.

8.3. Consent to Cross-Border Transfer

By using the service, the user understands that, for the technical operation of VetAI Diagnostics, data may be transferred to or processed outside Ukraine. If the user acts on behalf of a clinic, they confirm that the clinic has an appropriate legal basis for such transfer of animal owner data.

9.1. Current Status

At the time of preparing this Policy, VetAI Diagnostics does not use Google Analytics, Vercel Analytics, Mixpanel, PostHog, Hotjar, Amplitude, Plausible, Facebook Pixel, Google Ads Pixel, or any other advertising or marketing trackers.

9.2. Which Cookies Are Used

The service may use only technically necessary cookies and similar technologies:

• Supabase Auth session cookies — required for user login and session maintenance.
• Language preference cookies or local storage — required to save the user's selected interface language.
• Theme preference cookies or local storage — required to save the light or dark theme setting.

These cookies are first-party and are not used for advertising profiling.

9.3. Future Analytics

In the future, the service may introduce product analytics (self-hosted PostHog, Vercel Analytics, or another privacy-friendly tool). This Policy will be updated before any such analytics are introduced. If consent is required by law, an appropriate consent banner will be added.

9.4. How to Manage Cookies

Users may restrict or delete cookies through their browser settings. However, disabling technically necessary cookies may result in the user being unable to log in to their account or use the service fully.

10.1. Transactional Emails

At the current stage, the service may send only technical or transactional emails:

• email confirmation upon registration;
• password reset;
• magic link for sign-in;
• notification of email or password change;
• other service notifications for account security.

10.2. Service Notifications

In the future, we may send service notifications regarding: changes to the terms of use or this Policy, scheduled maintenance, security incidents, and important feature updates.

10.3. Educational and Product Notifications

In the future, VetAI Diagnostics may send educational materials, information about new features, and product updates. If such notifications are considered marketing communications under applicable law, we will ensure an appropriate legal basis.

10.4. Promotional Mailings

Advertising or promotional messages may only be sent where there is an appropriate legal basis, including the user's consent. All non-transactional emails will include an unsubscribe mechanism.

11.1. General Principle

Access to data is limited by the principle of necessity. Access to production data may only be granted to those individuals who require it for service maintenance, error correction, database migrations, incident investigation, security assurance, or compliance with legal obligations.

11.2. Current MVP Stage

At the MVP stage, the team may be small. Administrative access to Supabase or other infrastructure may be held by the founder and technical developer. Such access is used only for technical purposes. Individuals with access to data are required to maintain confidentiality.

11.3. Engaged Developers and Technical Contractors

Engaged developers, technical contractors, or other specialists may have limited access to the service's technical infrastructure. Such access is granted only to the extent necessary for the relevant technical tasks. Engaged specialists are obliged to maintain confidentiality and must not use access for their own purposes.

11.4. Access Restrictions

We aim to implement: a role-based access model, minimum necessary permissions, logging of administrative actions, a separate staging environment, the use of synthetic or anonymised data for testing, and restrictions on local copying of production data.

12.1. Technical Measures

We apply or plan to apply the following measures:

• HTTPS / TLS for data transmission;
• encryption of data in transit and at rest;
• password hashing;
• OAuth authentication at the user's choice;
• Row-Level Security in Supabase;
• access separation by clinic and role;
• secured environment variables;
• backup copies;
• error monitoring and technical logging.

12.2. Organisational Measures

We apply or plan to apply: data access restrictions, confidentiality agreements with engaged specialists, internal rules for working with production data, a prohibition on using real data in tests without necessity, controls over the transfer of data to third parties, and documentation of incidents.

12.3. User Obligations

The user is obliged to:

• use a strong password;
• not share account access with third parties;
• log out of their account on shared devices;
• not upload unnecessary personal data;
• notify VetAI Diagnostics of any suspected unauthorised access.

13.1. User Data

Account data is retained for the duration of service use. Following account deletion, some data may be retained for up to 3 years to comply with legal obligations, resolve disputes, and protect rights.

13.2. Clinic Data

Clinic data is retained for the duration of the contract or service use. Upon termination of cooperation, data may be exported, deleted, or anonymised.

13.3. Animal Owner and Patient Data

Animal owner, patient, and laboratory investigation data is retained for the duration of active service use and for up to 3 years following the termination of cooperation, unless a different period is required by law or contract.

13.4. Logs and Backups

Technical logs may be retained for up to 12 months. Backups — for up to 90 days or for the period established by the infrastructure provider.

13.5. Accounting Documents

Data related to payments, invoices, and other accounting documents may be retained for the periods prescribed by Ukrainian law.

14.1. General Rights

A personal data subject may have the following rights:

• the right to know about the processing of their personal data;
• the right to access their data;
• the right to rectification of inaccurate data;
• the right to erasure of data;
• the right to restriction of processing;
• the right to object to processing;
• the right to data portability, where GDPR applies;
• the right to withdraw consent, where processing is based on consent;
• the right to lodge a complaint with a supervisory authority.

14.2. Exercising Rights

Users may contact VetAI Diagnostics to exercise their rights with respect to their own personal data. A request may be sent to: tech@vetaidiagnostics.pro. The request should ideally include the user's full name, account email address, and the nature of the request.

14.3. Response Timeframe

We aim to respond to requests within 30 calendar days. If a request is complex or requires additional verification, the timeframe may be extended in accordance with law.

14.4. Limitations on Rights

Some rights may be limited where data retention is required by law, the data is needed to protect rights in a dispute, the request is manifestly unfounded, or the clinic has a legal obligation to retain veterinary records.

VetAI Diagnostics does not make automated decisions that have legal consequences for, or significantly affect, any individual. The AI conclusions generated by the service are not a final diagnosis, are not a prescription for treatment, are not binding, and must be verified by a veterinary physician. Clinical decisions are always made by the veterinary physician.

The service is not intended for use by persons under 18 years of age. We do not knowingly collect personal data of children as service users. If it becomes known that a child has provided their personal data as a service user, we will take steps to delete such data.

17.1. B2B Model

VetAI Diagnostics is oriented towards B2B use. In the typical model, an animal owner contacts a veterinary clinic, the clinic provides veterinary services, the veterinary physician or clinic staff enters data into VetAI Diagnostics, and the service processes this data as a technical provider.

17.2. Roles of the Parties

With respect to animal owner data, the clinic is generally the personal data controller and VetAI Diagnostics is the processor. With respect to VetAI Diagnostics user data, VetAI Diagnostics is the personal data controller.

17.3. DPA

A separate Data Processing Agreement may be concluded with clinics, setting out the subject matter, categories of data, purpose and duration of processing, the rights and obligations of the parties, technical security measures, and the procedure for responding to incidents.

17.4. Clinic Obligations

The clinic or veterinary physician using the service undertakes to:

• have a legal basis for processing animal owner data;
• inform animal owners about the use of digital services, where required;
• not enter unnecessary personal data into the service;
• control its staff's access to the service;
• delete or deactivate accounts of staff members who are no longer employed by the clinic;
• use VetAI Diagnostics results only as supplementary information.

18.1. What Constitutes an Incident

A security incident may include: unauthorised access to data, loss of data, accidental or unlawful destruction of data, unauthorised modification of data, disclosure of data to unauthorised persons, compromise of an account, leakage of access keys, or a configuration error.

18.2. Our Actions in the Event of an Incident

In the event of an incident, we aim to: promptly identify and contain the issue, limit potential harm, restore system security, document the incident, and notify the relevant users or clinics and supervisory authorities in accordance with law.

18.3. Notification

Where GDPR applies, notification of the competent authority may be made within 72 hours of becoming aware of the incident, where such notification is required by law.

19.1. Data and Technical Processing

We are responsible for the processing of personal data within the limits defined by law and contracts. We are not responsible for unlawful entry of data by a user, entry of unnecessary or sensitive data, uploading of documents containing excessive personal data, use of the service for purposes other than those intended, or transfer of access to third parties.

19.2. Clinical Decisions

VetAI Diagnostics is not responsible for the clinical decisions of the veterinary physician. The service does not substitute for professional judgment, clinical examination, medical history, additional investigations, or consultation with a specialist.

We may periodically update this Policy. Changes may be required due to changes in service functionality, changes in infrastructure providers, the launch of new AI features, the introduction of analytics, changes to the legal model, or changes in legislation.

The current version of the Policy will be available on the website https://vetaidiagnostics.pro. If the changes are material, we may notify users via email, through the service interface, or via a notice on the website. Continued use of the service after the updated Policy comes into effect constitutes acceptance of its new version.

For questions regarding privacy and the processing of personal data, please contact:

• VetAI Diagnostics / ФОП Разін Анатолій Вікторович
• Address: Запорізька обл. Запорізький р-н с Розумівка вул. Мельнична 16
• Email for personal data inquiries: tech@vetaidiagnostics.pro
• General email: tech@vetaidiagnostics.pro
• Phone: +380503624413
• Website: https://vetaidiagnostics.pro

Person responsible for personal data processing: Razin Anatolii Viktorovych.

In Ukraine, a personal data subject has the right to contact the Ukrainian Parliament Commissioner for Human Rights.

• Ukrainian Parliament Commissioner for Human Rights
• Address: 01008, Kyiv, 21/8 Instytutska Street
• Website: https://ombudsman.gov.ua

Where GDPR applies to the processing, the personal data subject may also have the right to contact the relevant supervisory authority in an EU member state.