Privacy Policy

Vetorya, S.L.
Registered address: [Street Address], [City], Spain
CIF: [Tax ID]
Email: contact@vetorya.com

For any data protection questions, contact our Data Protection Officer at the email above.

• Identity data: Name, email address, phone number.
• Pet data: Pet name, species, breed, age, weight, medical history, vaccination records, and photos you upload.
• Booking data: Appointment dates, times, services requested, preferred veterinarian, and visit notes.
• Payment data: Billing information processed by our PCI-DSS compliant payment provider. We do not store full card numbers.
• Technical data: IP address, browser type, device information, and cookies for platform security and functionality.
• Communications: Messages between you and the clinic via our platform.

We process your personal data based on the following legal grounds under GDPR Article 6:

• Contractual necessity: To provide booking services and manage your appointments.
• Legal obligation: To comply with veterinary record-keeping requirements under Spanish law.
• Consent: For marketing communications and optional cookies. You can withdraw consent at any time.
• Legitimate interests: Fraud prevention, platform security, and service improvement.

• Process and manage veterinary appointments on behalf of the clinic you choose.
• Send appointment confirmations, reminders, and follow-up care instructions.
• Enable communication between you and your veterinary clinic.
• Maintain pet health records as required by veterinary practice regulations.
• Process payments for services and issue invoices.
• Improve our platform and detect security threats.
• Send marketing communications only with your explicit consent.

We retain your personal data for as long as necessary for the purposes stated:

• Active accounts: While you maintain an active account or have upcoming appointments.
• Pet health records: Minimum 5 years after the last veterinary visit, as required by Spanish veterinary regulations.
• Inactive accounts: After 3 years of inactivity, we anonymise or delete personal data, retaining only anonymised statistics.
• Payment records: 6 years for tax and accounting compliance.
• Marketing data: Until you withdraw consent or unsubscribe.

Your data is shared only when necessary:

• Veterinary clinics: The clinic you book with receives your contact details, pet information, and appointment data to provide services.
• Payment processors: Stripe Payments Europe, Ltd. processes card payments under PCI-DSS standards.
• Cloud infrastructure: Our hosting and database providers (within the EEA or under Standard Contractual Clauses).
• Legal authorities: When required by law or court order.

We never sell your personal data to third parties for marketing purposes.

We use cookies and similar technologies for:

• Essential cookies: Required for the platform to function (e.g., authentication, session management).
• Analytics cookies: To understand how users interact with our platform (optional, with consent).
• Preference cookies: To remember your language and display preferences.

You can manage cookie preferences via your browser settings or our cookie banner.

Under GDPR, you have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Correct inaccurate or incomplete data.
• Erasure ("right to be forgotten"): Request deletion of your data when there is no overriding legal basis for retention.
• Restriction: Limit how we process your data in certain circumstances.
• Data portability: Receive your data in a structured, machine-readable format or transfer it to another controller.
• Objection: Object to processing based on legitimate interests or for direct marketing.
• Withdraw consent: At any time for processing based on consent, without affecting prior lawful processing.

To exercise any of these rights, email us at contact@vetorya.com. We respond within 30 days. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).

We implement appropriate technical and organisational measures to protect your data:

• Encryption in transit (TLS 1.3) and at rest (AES-256).
• Role-based access controls and regular security audits.
• Penetration testing and vulnerability scanning.
• Employee training on data protection and confidentiality.
• Incident response procedures and breach notification protocols (within 72 hours to the AEPD and without undue delay to affected users).

We primarily store and process data within the European Economic Area (EEA). Where we use service providers outside the EEA (e.g., US-based cloud services), we ensure adequate protection through Standard Contractual Clauses (SCCs) approved by the European Commission and additional safeguards.

For privacy-related questions, exercising your rights, or raising concerns: