Privacy Policy

Account information: When you create an account, we collect your name, email address, and optionally your phone number. For professional accounts (vets, clinics, shelters), we also collect license numbers, practice addresses, and professional credentials.

Pet information: Pet name, species, breed, date of birth, microchip number, photos, and health records. Health records include vaccination history, medical records, documents, and notes entered by you or your veterinarian.

Usage data: Standard web analytics — pages visited, features used, browser type. We do not use third-party tracking cookies or advertising networks.

Contact form submissions: Name, email, subject, and message content. Used solely to respond to your inquiry.

Database: All structured data is stored in Neon PostgreSQL, a SOC 2 compliant database provider. Personal identifiers (names, emails, phone numbers) are encrypted at rest using AES-256-GCM.

Files & Documents: Uploaded documents (health certificates, lab results, license proofs) are stored in Cloudflare R2 object storage. Files are accessed via presigned URLs that expire in 15 minutes. There are no permanent public links to any stored file.

Authentication: We use Clerk for authentication. Your password is never stored on our servers. Clerk manages all credential storage, hashing, and multi-factor authentication.

Encryption at rest: All personally identifiable information (PII) is encrypted with AES-256-GCM before being written to the database. Encryption keys are stored in environment variables and never logged or exposed.

You: Full access to your account, pets, and records at all times. You can download your data, correct it, or delete it.

Your vet or clinic: Access is granted by you on a per-visit basis. When you scan your clinic's QR code, you grant temporary access to your pet's records. Access expires automatically after the visit. You can revoke access at any time.

Family and caretakers: You can share access to specific pets with trusted people. You control what they can see and for how long.

Emergency lookup: Anyone who scans your pet's QR tag or looks up their microchip number sees only the information you have chosen to make public — typically your pet's name, photo, and your emergency contact preferences. You control what is visible on the public scan page.

PeTrace staff: Access is strictly limited to what is necessary for support and operations. We never browse your records without cause. All staff access is logged and audited.

Third parties: We never sell your data. We never share your data with advertisers, data brokers, insurance companies, or any other third party. The only exceptions are when required by law or with your explicit consent.

Your data is retained for as long as your account is active. If you delete your account, all personal data is permanently deleted within 30 days. Pet records linked to a microchip may be retained in anonymized form for lookup purposes (e.g., "this microchip has been registered") unless you request full deletion.

Rate limit records and IP hash logs are automatically purged after 24 hours. Application documents from rejected applications are deleted after 90 days.

You have the right to:

• Access: Request a copy of all data we hold about you and your pets.
• Correction: Correct any inaccurate or incomplete data.
• Deletion: Request deletion of your account and all associated data.
• Export: Receive your data in a machine-readable format.
• Restriction: Limit how your data is processed in certain circumstances.
• Objection: Object to processing of your data for specific purposes.

To exercise any of these rights, contact us at privacy@petrace.io. We will respond within 30 days as required by GDPR and similar regulations.

We use only essential cookies:

• Authentication session: Managed by Clerk. Required for sign-in to function. No tracking.
• Locale preference: Stores your language preference (e.g., English, Thai). Functional only.

We do not use analytics cookies, advertising cookies, or any form of cross-site tracking.

PeTrace is not intended for children under 13. We do not knowingly collect data from children. If you believe a child has provided us with personal information, contact us and we will delete it immediately.

In the event of a data breach, we will notify affected users within 72 hours of discovery. We will provide details of what was accessed, what we are doing about it, and what steps you should take.

We will notify you of material changes to this policy via email and/or a notice in the app. Continued use of PeTrace after changes take effect constitutes acceptance of the updated policy.

For privacy-related questions or requests:

• Email: privacy@petrace.io
• Mail: PeTrace, Bangkok, Thailand

This privacy policy is a thorough draft. It should be reviewed by a lawyer before launch, particularly for jurisdiction-specific requirements in Thailand and any markets where you operate.