Privacy Policy

CaptiVet, LLC (“CaptiVet,” “we,” “us,” or “our”) operates the CaptiVet mobile application, web platform, and related services (collectively, the “Service”) — an AI-powered veterinary documentation platform that helps licensed veterinary professionals generate clinical SOAP notes.

This Privacy Policy describes how we collect, use, share, and protect your personal information when you use the Service. It also explains your rights and choices regarding your data.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

For questions about this Privacy Policy, contact us at legal@captivet.com.

CaptiVet does NOT use your recordings, transcriptions, SOAP notes, or any clinical content to train, fine-tune, or improve AI models. Your clinical data is processed solely to provide the Service to you. This is a core commitment of our privacy-first architecture.

3a. Information You Provide

• Account Information: Name, email address, and password (passwords are cryptographically hashed via Supabase and never stored in plaintext).
• Professional Information: Veterinary license details, practice name, role, and practice type.
• Billing Information: Payment method details are collected and processed by our third-party payment processor. CaptiVet does not store full credit card numbers on its systems.
• Clinical Data: Audio recordings of veterinary appointments, AI-generated transcriptions, and AI-generated SOAP notes.
• Support Communications: Emails, chat messages, and feedback you send to our support team.

3b. Information Collected Automatically

CaptiVet collects NO usage analytics, NO tracking cookies, NO advertising pixels, and runs NO third-party tracking scripts.

We collect only:

• Minimal Server Logs: IP address, request timestamp, and HTTP method — retained for security purposes and automatically deleted after 30 days.
• Anonymized Crash Reports: Diagnostic data to maintain service reliability. These reports contain no personally identifiable information or clinical content.

3c. Information from Third Parties

We receive authentication session data from Supabase (our authentication provider). We do not receive data from social media platforms, advertising networks, or data brokers.

We use your personal information for the following purposes:

• Provide the Service: Process recordings, generate transcriptions and SOAP notes, and deliver clinical documentation to you.
• Account Management: Authenticate your identity, manage your subscription, and process billing.
• Security: Detect and prevent unauthorized access, fraud, abuse, and security threats.
• Service Reliability: Monitor system health using aggregated, de-identified data. We never use individual clinical data for this purpose.
• Communication: Send service announcements, security alerts, and billing notices. We do not send marketing emails without your explicit opt-in consent.
• Legal Compliance: Respond to lawful legal requests and enforce our Terms of Use.

We do not sell your personal information. Ever.

We do not share your clinical data for advertising or marketing purposes. Ever.

We share information only in the following limited circumstances:

Service Processors

The following third-party services process data as necessary to provide the Service:

• Deepgram — Audio transcription (or your own key via BYOK)
• Google Gemini — SOAP note generation (or your own key via BYOK)
• Supabase — Authentication and user management
• Cloudflare R2 — Encrypted audio file storage
• Payment Processor — Subscription billing

Legal Requirements

We may disclose information if required by law, court order, subpoena, or government request.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your personal information becomes subject to a different privacy policy.

With Your Consent

We will not share your information in any other manner without your explicit consent.

CaptiVet’s BYOK option provides the highest level of data privacy available:

• Direct Data Flow: When you provide your own Deepgram and Google Gemini API keys, audio data flows directly from your device to Deepgram for transcription, and transcription data flows directly to Google Gemini for SOAP note generation. This data does not transit CaptiVet servers at any point.
• No Server-Side Access: CaptiVet has no access to the content of your recordings, transcriptions, or SOAP notes when BYOK is enabled.
• Key Encryption: Your API keys are encrypted with AES-256 on your device. CaptiVet never receives or stores your plaintext API keys.
• Third-Party Policies: When using BYOK, your data is subject to Deepgram’s and Google’s respective privacy policies for data processed via your own keys.

BYOK effectively makes CaptiVet an application shell — your clinical data remains entirely within your control and the third-party services you directly authorize.

We implement robust security measures to protect your data:

• Encryption at Rest: All stored data is encrypted using AES-256 encryption.
• Encryption in Transit: All network communications use TLS 1.3.
• Authentication: Secure token-based authentication via Supabase with cryptographically hashed passwords.
• Audio Storage: Audio files are encrypted on Cloudflare R2 with strict access controls.
• Clipboard Security: SOAP notes copied to your clipboard are automatically cleared after 30 seconds.
• Access Controls: Role-based access with the principle of least privilege.
• Security Assessments: Regular security reviews and vulnerability assessments.

While we implement industry-standard security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using commercially reasonable safeguards.

• Account Data: Retained for the duration of your active subscription plus thirty (30) days after account closure.
• Audio Recordings: Retention period is configurable by you within the application. You may delete individual recordings at any time.
• Transcriptions & SOAP Notes: Retained until you delete them or your account is closed.
• Server Logs: Automatically deleted after 30 days.
• Billing Records: Minimal billing records retained as required by applicable tax law (typically up to 7 years), with personal details minimized.
• BYOK Data: Data processed via your own API keys is subject to Deepgram’s and Google’s respective retention policies — CaptiVet does not control this data.

Deletion Process

You may delete individual recordings and notes at any time within the application. For full account deletion, contact legal@captivet.com. Upon account termination, all User Data is permanently deleted within thirty (30) days using cryptographic deletion (encryption keys are destroyed) for audio files and database purging for metadata.

Regardless of your location, we provide the following rights to all Users:

• Access: Request a copy of the personal data we hold about you.
• Correction: Update or correct inaccurate personal information.
• Deletion: Request deletion of your account and all associated data.
• Data Export: Download your data in a machine-readable format.
• Opt-Out of Communications: Unsubscribe from non-essential emails at any time.
• No Cookie Management Needed: Because we do not use tracking cookies, there is no cookie consent to configure.

To exercise any of these rights, contact legal@captivet.com. We will respond to your request within thirty (30) days.

CaptiVet does not use cookies for tracking, analytics, or advertising.

The only cookie-like technology we use is an essential session authentication token required for the application to function. This token:

• Is strictly necessary for you to log in and use the Service;
• Contains no tracking or behavioral data;
• Is not shared with any third party; and
• Expires when your session ends or after a defined timeout period.

We do not use:

• Third-party cookies
• Advertising or retargeting cookies
• Analytics cookies (no Google Analytics, no Mixpanel, no Amplitude)
• Tracking pixels or web beacons
• Browser fingerprinting technologies

Because we do not track you, the Do Not Track (DNT) browser signal is not applicable — we respect your privacy regardless of your browser settings.

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.

Categories of Information Collected

• Identifiers: Name, email address, IP address
• Professional Information: Veterinary license details, practice name
• Commercial Information: Subscription and billing records
• Audio/Electronic Data: Recordings, transcriptions, SOAP notes

Your California Privacy Rights

• Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, and share.
• Right to Delete: Request deletion of your personal information, subject to certain exceptions.
• Right to Opt-Out of Sale: We do not sell personal information, so no opt-out is necessary.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Limit Use of Sensitive Personal Information: We use sensitive personal information (clinical audio) only to provide the Service.

To exercise your rights, contact legal@captivet.com. We will verify your identity before processing your request and respond within 45 days.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) provides you with additional rights.

Data Controller

CaptiVet, LLC is the data controller for personal information processed through the Service. Contact our Data Protection Officer at legal@captivet.com.

Legal Bases for Processing

• Contract Performance: Processing necessary to provide the Service you subscribed to (account management, clinical data processing, billing).
• Legitimate Interests: Security monitoring, fraud prevention, and service reliability.
• Legal Obligation: Compliance with applicable laws and regulations.
• Consent: Marketing communications (only if you opt in).

Your GDPR Rights

• Right of Access (Article 15)
• Right to Rectification (Article 16)
• Right to Erasure / “Right to Be Forgotten” (Article 17)
• Right to Restriction of Processing (Article 18)
• Right to Data Portability (Article 20)
• Right to Object (Article 21)
• Right to Withdraw Consent (Article 7)
• Right to Lodge a Complaint with a supervisory authority

International Data Transfers

Your data may be processed in the United States. For transfers outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate data protection.

Data Processing Agreement

A Data Processing Agreement (DPA) is available upon request for business customers. Contact legal@captivet.com.

If you are located in Canada, CaptiVet complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

• Consent: By using the Service, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy.
• Access & Correction: You may request access to or correction of your personal information by contacting legal@captivet.com.
• Withdrawal of Consent: You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting us.
• Complaints: If you are not satisfied with our response to your privacy inquiry, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

If you are located in Australia or New Zealand, CaptiVet complies with the Australian Privacy Act 1988 (including the Australian Privacy Principles) and the New Zealand Privacy Act 2020 (including the Information Privacy Principles).

• Cross-Border Disclosure: Your personal information may be processed in the United States. We take reasonable steps to ensure overseas recipients handle your information in accordance with applicable privacy principles.
• Access & Correction: You may request access to or correction of your personal information by contacting legal@captivet.com.
• Complaints (Australia): If you believe your privacy has been breached, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
• Complaints (New Zealand): You may lodge a complaint with the Office of the Privacy Commissioner at www.privacy.org.nz.

The Service is not intended for use by individuals under the age of 18. CaptiVet does not knowingly collect personal information from children.

If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information promptly in compliance with the Children’s Online Privacy Protection Act (COPPA) and equivalent international regulations.

If you believe a child has provided personal information to CaptiVet, please contact us immediately at legal@captivet.com.

In the event of a data breach affecting your personal information, CaptiVet will:

• Notify affected users within 72 hours of discovering the breach;
• Provide details including: the nature of the breach, categories of data affected, remedial measures taken, and contact information for further inquiries;
• Notify applicable regulatory authorities as required by law (including GDPR’s 72-hour notification requirement and applicable U.S. state breach notification laws); and
• Take immediate steps to contain the breach, mitigate potential harm, and prevent recurrence.

CaptiVet may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days’ advance notice via the email address associated with your account before the changes take effect.

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes acceptance of the updated terms. Previous versions of this policy are available upon request.

Contact Information

CaptiVet, LLC
Email: legal@captivet.com
Data Protection Inquiries: legal@captivet.com
Privacy Rights Requests: legal@captivet.com

We aim to respond to all inquiries within thirty (30) days.