Privacy Policy

Vetware ("Vetware", "we", "our", or "us") builds software for veterinary practices. This Privacy Policy explains how we collect, use, share, and protect information across our products: VetPACS (cloud backup and full-resolution sharing for veterinary imaging), VetAI (AI radiology screening, currently in beta), Keepsake (custom engraved keepsakes), and Insights (clinical retrieval for licensed veterinarians). It applies to visitors of our marketing sites, veterinary practices that subscribe to our products, and the staff users they invite.

Most of this policy describes practices common to all of our products. Where a product differs — for example, in the third-party processors it relies on, or in how it uses data to improve our AI — those differences are called out in the per-product sections below.

Information We Collect

Account information. When you create an account, we collect your name, email address, practice (or clinic) name, practice location, your role, and a password (stored only as a salted, slow-hashed digest, never in plaintext). Additional staff users invited to your practice provide the same identifying information.

Billing information. Payment card details are collected and stored by our payment processor and are never transmitted to or stored on our servers. We retain only the customer and subscription identifiers, the billing email address, and usage counts needed to invoice your practice.

Product content. Depending on the product, we process veterinary radiographs and associated metadata (VetPACS and VetAI), pet photographs and the keepsakes generated from them (Keepsake), or anonymized clinical signals extracted from a connected practice-management system (Insights). The handling of this content is described per product below.

Usage and server logs. Our servers automatically log request metadata (IP address, user agent, timestamp, request path, response status) for security monitoring, abuse prevention, and debugging. We also collect information about how you interact with our products, such as features used and requests made. Server logs are retained for up to 90 days.

How We Use Information

• To create and administer your practice's account and authenticate users.
• To deliver the core product you subscribe to.
• To process subscription and usage-based payments.
• To send transactional email such as account verification, password resets, billing receipts, and service notifications.
• To provide customer support and respond to inquiries.
• To monitor service health, prevent abuse, and investigate security incidents.
• To improve our products and AI models, subject to the product-specific rules described below.
• To comply with legal obligations, enforce our Terms of Service, and protect our rights and the rights of our users.

How We Share Information (Third-Party Sub-processors)

We do not sell or rent your information, and we do not engage in cross-context behavioral advertising. We share data only with service providers that are contractually required to use it solely to provide services to us. The specific processors differ by product (see the per-product sections). Across products we commonly rely on:

• DigitalOcean, LLC — cloud hosting (compute, managed PostgreSQL) and object storage.
• Stripe, Inc. — payment processing and subscription billing.
• Resend, Inc. — transactional email delivery.

We may also disclose information when we believe in good faith that disclosure is required by law (for example, a valid subpoena), is necessary to enforce our Terms, or is necessary to protect the safety of our users or the public. In the event of a merger, acquisition, or asset sale, your information may be transferred as part of that transaction; we will notify you, and any successor will be bound by this Policy.

Information is transmitted to third parties only by authenticated, server-to-server API calls over TLS-encrypted HTTPS. Payment card data is sent directly from your browser to Stripe via Stripe's hosted fields and does not traverse our servers.

How We Protect Your Data

• TLS encryption in transit for all web, API, and device traffic.
• Encryption at rest for our managed databases and object storage.
• Passwords stored only as salted, slow-hashed digests; never in plaintext.
• Stateless session tokens, scoped per product and revocable on signout.
• Isolation between practices: one practice's data is segregated from another's.
• Principle-of-least-privilege access controls; production access is limited to the small number of personnel who require it for operations and support.
• Network firewalls and VPC isolation between application, database, and broker tiers.
• Routine application of security updates to operating systems and dependencies.

No system is perfectly secure. If we become aware of a security incident affecting your information, we will notify affected practices without undue delay and as required by applicable law.

VetPACS (Veterinary Imaging Backup & Sharing)

VetPACS keeps a secure cloud copy of the studies synced from your existing PACS and lets you share them at full resolution with clients and other clinics. We store your radiographs and their associated metadata so you can back them up, retrieve them, and share them.

Sharing happens at your direction. A study leaves your practice only when someone on your team chooses to share it (for example, emailing a study to a client or a referral practice). We do not make your imaging accessible to anyone outside your practice except as you direct.

We do not train AI on VetPACS data. VetPACS is a backup and sharing service. Running AI screening on your studies is a separate, optional product (VetAI), which has its own data terms described below. Using VetPACS does not enroll your imaging in AI training.

A note on DICOM and data in transit. DICOM, the standard protocol used to transmit medical images, has no built-in encryption. This is an industry-wide limitation, not a Vetware choice, and it already exists in the workflow your practice uses today to communicate with your PACS. For practices that require encrypted transmission, we offer VPN-based connectivity as an add-on at additional cost.

VetAI (AI Radiology Screening, Beta)

VetAI is an optional product, currently in beta, that runs AI screening on the radiographs in your VetPACS backup. Please read the following carefully, because the data model is central to how it works.

Images contribute to our AI. After personally identifiable information is removed, anonymized image data and the associated findings are used to train and improve our diagnostic models. The AI learns generic diagnostic patterns ("this image shows a fracture in this location"), not the identity of any specific animal, owner, or practice. Patient names, owner information, and practice-specific identifiers are stripped before any training occurs. If a usage model in which images train our AI does not work for your practice, VetAI is not the right fit.

Retention. We retain anonymized images indefinitely. AI models improve continuously by re-testing new model weights against prior training data, so the original anonymized data is needed to verify that improvements actually perform better. Anonymized data that has already been incorporated into our models cannot be extracted or deleted, because it no longer contains identifiable information.

What is never shared. Patient names, owner information, your practice name or location in connection with specific cases, any data that could identify a specific animal or client, your billing or financial information, and raw unprocessed images with embedded metadata are never sold, shared, or made accessible to anyone outside your practice.

Keepsake (Custom Keepsakes)

To generate a keepsake (such as a paw print, nose print, or pet ID tag), your clinic uploads one or more photographs of a pet (and, optionally, a pet name or text your clinic supplies). We store the source photos and the generated output images in our cloud object storage so that you can retrieve and re-engrave them. Photos and outputs are linked to the clinic account that uploaded them; we do not collect pet-owner identifying information.

We do not use customer photos or generated images to train AI models by default. We will do so only with your clinic's explicit, opt-in consent.

Engraver telemetry. If your clinic uses a Keepsake-connected engraver, the device communicates with our cloud over an authenticated, TLS-encrypted MQTT connection using per-device credentials. We collect job status, firmware version, device identifier, error messages, and operational telemetry (for example, temperature, USB and Wi-Fi state) needed to operate, support, and update the device. We do not collect audio, video, or images from the engraver beyond the artwork files queued for jobs.

Keepsake sub-processors: Stripe (subscription billing and per-keepsake overage charges), OpenAI, L.L.C. (AI image generation — receives the uploaded paw photographs and returns the line-art output; per OpenAI's API data-usage policy, API inputs and outputs are not used to train OpenAI's models by default), DigitalOcean (hosting and Spaces object storage for account data, photos, and generated images), and Resend (transactional email). Source photos and generated images are retained while your account is active; you may request deletion of specific images or your entire account at any time, and we will action verified deletion requests within 30 days, subject to limited records (such as invoices) we must retain by law.

Insights (Clinical Retrieval)

Insights exists to make veterinary medicine smarter through collective clinical intelligence, and to do that we need clinical data, not personal data. We have designed the system so that personally identifiable information never enters our AI pipeline.

What we extract from a connected PIMS. When your practice connects its practice-management system, we extract only anonymized clinical signals: species and breed, weight and age, presenting symptoms, diagnoses and conditions, medications and dosages, treatment protocols, and follow-up outcomes.

What we never access. Patient names, owner names or contact information, addresses or phone numbers, email addresses, billing or payment data, appointment scheduling, or any other personally identifiable information. PII is stripped before data ever leaves the PIMS integration layer; our models never see identifying information because it is never collected in the first place.

Your account and choices. To use Insights you create an account with your name, email, and DVM license number, which we use to verify your credentials and manage your subscription. Your conversation history with Insights is private to your account and is not used for training or shared with other users. If your practice disconnects its PIMS, we stop collecting new data immediately, and you can request deletion of previously contributed data at any time.

Data Retention

We retain account information for as long as your practice maintains an active subscription, and for a reasonable period afterward to support reactivation, billing reconciliation, and legal record-keeping. Product content is retained according to the per-product rules above. Server logs are retained for up to 90 days.

Your Rights

You have the right to access, correct, or delete the personal account information we hold about you, to request a copy of your data, or to close your account at any time. Depending on your jurisdiction (for example, California or the EEA/UK), you may have additional rights such as data portability, the right to object to or restrict processing, and the right to lodge a complaint with a supervisory authority. We do not sell personal information. Note that, for VetAI, anonymized data already incorporated into our AI models cannot be extracted or deleted, as it no longer contains identifiable information.

Children's Privacy

Vetware products are business-to-business services offered to veterinary practices. They are not directed to children under 13, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can delete it.

International Users

Our services are operated from, and information is processed in, the United States. If you access our products from outside the United States, you consent to the transfer and processing of your information in the United States, where data-protection laws may differ from those in your jurisdiction.

Cookies

Our applications use a small number of cookies, primarily an authentication token that keeps you signed in. For details, see our Cookie Policy.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the date above. Material changes will be communicated by email to the address on your practice's account or by an in-product notice before the change takes effect.

Contact

For questions about this Policy, to exercise your rights, or to report a privacy concern, contact us at privacy@vetware.io.