1. Introduction
MyPeterinarian ApS ("we", "us", "our") operates the website www.mypeterinarian.com and the MyPeterinarian web application (collectively, the "Service"). This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our Service.
We are committed to protecting your privacy and ensuring transparency about our data practices. By using our Service, you agree to the collection and use of information in accordance with this policy.
Data Controller:
MyPeterinarian ApS
Peder Hvitfeldts Stræde 16
1173 Copenhagen, Denmark
CVR: 39029804
Email: hej@mypeterinarian.com
Phone: +45 61 66 76 11
2. Data We Collect
We collect different types of information depending on how you interact with our Service:
Account & Profile Data
- Name, email address, and phone number — provided when you create an account or book an appointment.
- Postal address — if you provide it for pet-related services or deliveries.
- Password — stored in hashed (bcrypt) form; we never store plaintext passwords.
Pet Information
- Pet name, species, breed, age, weight, and medical history — provided when you register your pet or use our veterinary services.
- Vaccination records, health notes, and treatment history — entered by you or our veterinary staff during appointments.
Booking & Transaction Data
- Appointment dates, times, service type, and assigned staff member.
- Payment information — processed by Stripe. We do not store full credit card numbers. We store only Stripe customer IDs, payment intent IDs, and transaction amounts for invoicing purposes.
- Invoices and receipts — generated and stored within our system.
Communication Data
- Direct messages between you and our staff through the in-app messaging system.
- Email correspondence — booking confirmations, reminders, and support communications sent via Resend.
Technical & Usage Data
- IP address, browser type, device information, and operating system — collected automatically via Google Analytics 4.
- Pages visited, session duration, and interaction patterns — used to improve our Service.
- Cookies and similar technologies — see our Cookie Policy for details.
Google User Data (Staff & Admin Only)
When staff or administrators connect their Google account to our Service, we may access the following Google user data:
- Google profile information (name, email) — via OpenID Connect, to identify the connected account.
- Google Calendar events — to sync pet-care appointments to staff/sitter personal calendars and to manage company scheduling.
- Google Drive files — specifically, files within designated HR folders used for staff document management. We do not access personal Drive files outside these designated folders.
3. How We Use Your Data
We use the data we collect for the following purposes:
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Providing our services (bookings, veterinary care, grooming) | Account data, pet data, booking data | Performance of contract |
| Processing payments and generating invoices | Transaction data, Stripe customer ID | Performance of contract |
| Sending booking confirmations and reminders | Email, name, appointment details | Performance of contract |
| In-app messaging between customers and staff | Message content, sender identity | Performance of contract |
| Improving our Service and user experience | Technical/usage data, analytics | Legitimate interest |
| Syncing appointments to Google Calendar (staff only) | Appointment times, service type, customer name | Consent |
| Managing staff HR documents via Google Drive (admin only) | Staff documents in designated Drive folders | Consent |
| Marketing analytics and advertising performance | Aggregated usage data, Google Ads metrics | Legitimate interest |
| Complying with legal obligations (tax, accounting) | Transaction records, invoices | Legal obligation |
How We Use Google User Data Specifically
We use Google user data strictly for the following purposes:
- Google Calendar: To create, read, and manage appointment events on connected staff and sitter calendars. This ensures staff members have their work schedule visible alongside personal commitments. Calendar data is only accessed for users who have explicitly authorized the connection.
- Google Drive: To synchronize staff HR documents (employment contracts, certifications) between our platform and designated Google Drive folders. We only access folders explicitly created and managed by our application — we do not browse or access personal files.
- Google Profile (OpenID): To identify the connected Google account (name and email) so we can display which account is linked in the integration settings.
We do not use Google user data for advertising, profiling, or any purpose unrelated to the specific functionality described above.
We do not use Google user data to train artificial intelligence or machine learning models.
4. Data Sharing & Third Parties
We may share your data with the following third-party service providers, solely for the purposes described in this policy:
| Service Provider | Purpose | Data Shared |
|---|---|---|
| Supabase (Database hosting) | Storing all application data | All user and pet data (encrypted at rest) |
| Stripe (Payment processing) | Processing payments securely | Customer email, payment amounts |
| Resend (Email delivery) | Sending transactional emails | Email address, name, appointment details |
| Google (Calendar, Drive, Analytics) | Calendar sync, document management, analytics | See "Google User Data" section above |
| Vercel (Hosting) | Hosting and serving our web application | Technical request data (IP, headers) |
| Anthropic (AI assistant) | AI-powered features within the admin dashboard | Anonymized queries (no personal customer data is sent) |
Google User Data Sharing
We do not share Google user data with any third parties beyond what is necessary for the Google integration itself (i.e., communicating with Google's APIs). Specifically:
- Google Calendar data is not shared with anyone other than the user who connected their calendar.
- Google Drive data (HR documents) is only accessible to authorized administrators within MyPeterinarian.
- Google profile information is not sold, rented, or shared with advertisers or data brokers.
We will never sell, rent, or trade your personal information or Google user data to third parties for marketing purposes.
5. Data Storage & Security
We take the security of your data seriously and implement the following measures:
Where Your Data Is Stored
- Database: Hosted on Supabase (AWS Frankfurt, EU region) with Row-Level Security (RLS) enabled, ensuring users can only access their own data.
- Application: Hosted on Vercel's edge network with automatic HTTPS/TLS encryption for all connections.
- Payments: Payment data is processed and stored by Stripe (PCI DSS Level 1 certified). We never store credit card numbers.
Security Measures
- Encryption in transit: All data is transmitted over HTTPS/TLS.
- Encryption at rest: Database data is encrypted at rest using AES-256.
- Password hashing: User passwords are hashed using bcrypt with salt rounds; plaintext passwords are never stored.
- Access control: Role-based access control (USER, SITTER, ADMIN, SUPER_ADMIN) ensures users only see data appropriate to their role.
- API authentication: All API endpoints require authentication via secure session tokens (NextAuth).
- OAuth token security: Google OAuth tokens (access tokens and refresh tokens) are stored encrypted in our database and are only used to communicate with Google APIs on behalf of the authorized user.
Google User Data Storage
Google OAuth access tokens and refresh tokens are stored in our secure database (Supabase, EU region). These tokens are:
- Only used to access the specific Google services the user has authorized.
- Automatically refreshed when they expire (with a 5-minute buffer).
- Deleted when a user disconnects their Google integration.
- Never shared with third parties or used for any purpose other than the authorized integration.
6. Data Retention & Deletion
We retain your data only as long as necessary for the purposes described in this policy:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Until you request deletion | Needed to provide the Service |
| Pet and medical records | 5 years after last visit | Veterinary record-keeping obligations |
| Booking and appointment history | 5 years | Tax/accounting requirements (Danish law) |
| Payment/invoice records | 5 years | Danish Bookkeeping Act (Bogføringsloven) |
| Communication/messages | 2 years | Customer support and dispute resolution |
| Analytics data | 26 months | Google Analytics default retention |
| Google OAuth tokens | Until disconnected by user | Needed for active Google integration |
| Google Calendar/Drive data | Not stored permanently — accessed in real-time via API | Data stays in Google's systems |
How to Request Data Deletion
You have the right to request deletion of your personal data at any time. To do so:
- Email us at hej@mypeterinarian.com with the subject line "Data Deletion Request".
- We will verify your identity and process your request within 30 days.
- We will delete all personal data except what we are legally required to retain (e.g., tax records for 5 years under Danish law).
Google Data Deletion
To revoke our access to your Google data:
- Go to Settings > Integrations in our app and click "Disconnect" next to Google.
- This immediately deletes your Google OAuth tokens from our system.
- You can also revoke access from Google Account Permissions.
7. Your Rights Under GDPR
As a resident of the EU/EEA, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of Access — You can request a copy of all personal data we hold about you.
- Right to Rectification — You can ask us to correct inaccurate or incomplete data.
- Right to Erasure ("Right to be Forgotten") — You can request deletion of your personal data, subject to legal retention requirements.
- Right to Restrict Processing — You can ask us to limit how we use your data.
- Right to Data Portability — You can request your data in a structured, machine-readable format.
- Right to Object — You can object to processing based on legitimate interests.
- Right to Withdraw Consent — Where processing is based on consent (e.g., Google integrations), you can withdraw consent at any time by disconnecting the integration.
To exercise any of these rights, contact us at hej@mypeterinarian.com. We will respond within 30 days.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet):
Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
Website: www.datatilsynet.dk
8. Cookies & Tracking
We use cookies and similar technologies to provide and improve our Service. For complete details about the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.
In summary:
- Essential cookies — Required for the website to function (authentication, session management). Cannot be disabled.
- Analytics cookies — Google Analytics 4 to understand how visitors use our site. Only activated with your consent.
- Marketing cookies — Google Ads conversion tracking. Only activated with your consent.
You can manage your cookie preferences at any time using the cookie consent banner or by contacting us.
9. Children's Privacy
Our Service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at hej@mypeterinarian.com, and we will take steps to delete such information.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will update the "Last updated" date at the top of this page.
- For significant changes, we will notify registered users via email.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
MyPeterinarian ApS
Peder Hvitfeldts Stræde 16
1173 Copenhagen, Denmark
Email: hej@mypeterinarian.com
Phone: +45 61 66 76 11
Website: www.mypeterinarian.com
Last updated: 25 February 2026
