Who we are
Cliny Pet is a multilingual AI-assisted veterinary triage service. We help pet owners decide whether — and how urgently — they should consult a licensed veterinarian. We are not a veterinarian, do not issue medical diagnoses, and do not prescribe medication. This privacy notice explains what data we process when you use Cliny Pet and how we keep it safe.
What data we collect
We process the following categories of personal data:
- Account data — email address, hashed password, language preference, country of residence, account-creation timestamp.
- Pet profiles — pet name, species, breed, age, sex, neutered status, weight, chronic conditions, current medications, and an optional avatar.
- Photos and conversation content — images of your pet that you upload with each triage session and the free-text symptom description you write.
- Triage results — the structured AI assessment (urgency level, observations, suggested actions) returned for each session.
- Payment metadata — subscription tier, billing cycle, and a tokenised Stripe customer identifier (Stripe is our sole payment processor for all markets). We do not store full card numbers; tokenised identifiers are held by Stripe.
- Consent events — every time you accept or change cookie / privacy preferences, we record the timestamp and the version of the policy in effect at that moment.
- Diagnostic logs — minimal server logs (request timestamps, redacted errors) needed to operate the service securely.
Where your data is stored
Cliny Pet operates in the European Union. Your data is hosted in EU data centers located in Germany and France, and our database and backups remain within the EU at all times. The photos you upload are held in EU-region image storage.
This data-residency posture supports compliance with the EU General Data Protection Regulation (GDPR). When AI processing requires sending a sanitised payload to our model provider, only the minimum content needed for that triage session is transmitted.
How we use your data
We use your data only to:
- Generate triage assessments you actively request.
- Maintain your account and subscription.
- Provide language-appropriate user-interface text in your selected locale.
- Send essential service emails (verification, billing receipts, security notices).
- Improve service reliability through error monitoring (no personal data is mined for training; see below).
We do not sell your data, do not use customer content to train third-party AI models, and do not run third-party advertising on the Cliny Pet service.
Your rights (GDPR)
You have the right to:
- Access the personal data we hold about you.
- Export your data in a portable format.
- Correct inaccurate data through your account settings.
- Delete your account and personal data (subject to limited legal retention windows described below).
- Withdraw consent for processing where consent is the legal basis.
- Object to processing or restrict it where applicable.
- Lodge a complaint with the competent data-protection supervisory authority (GDPR Article 77).
To exercise any of these rights, contact us using the channel listed in "Contact us" below. We respond within one month, in line with GDPR Article 12(3).
How long we keep your data
- Active accounts: for as long as your subscription is active.
- Deleted accounts: soft-deleted for thirty days to allow recovery, then permanently removed from primary storage.
- Authentication and security events: kept for the period required by applicable law (typically up to six months for security investigation purposes).
- Consent records and audit events: retained for the legal retention window after deletion (per policy_version, jurisdiction-dependent).
- Backups: purged on the rolling backup window of the relevant storage provider after the deletion date.
Cookies and tracking
Cliny Pet uses cookies and similar technologies only for:
- Essential operation — session and authentication cookies needed to keep you signed in.
- Preference memory — language and theme selection.
We obtain consent for anything beyond strictly-essential cookies through an equal-prominence cookie banner. You can re-open the cookie-preferences panel at any time from the link in the page footer. For a detailed breakdown of each cookie category, see our Cookie Policy.
Contact us
To exercise your privacy rights or ask questions about this policy, contact our data-protection point of contact at [email protected].
Your data rights (GDPR)
You hold a defined set of rights over the personal data we hold about you under the EU General Data Protection Regulation (GDPR Articles 12-22). The following table maps each right to the article that grants it and to the Cliny Pet product surface that lets you exercise it:
| Right | GDPR | Where to exercise |
|---|---|---|
| Right to be informed | Art 13 | This policy + the persistent footer notice |
| Right of access | Art 15 | /settings/privacy → Export my data |
| Right to rectification | Art 16 | /settings/account + [email protected] |
| Right to erasure ("right to be forgotten") | Art 17 | /settings/privacy → Delete my account |
| Right to restriction of processing | Art 18 | [email protected] (DSAR — Restriction) |
| Right to data portability | Art 20 | /settings/privacy → Export my data |
| Right to object | Art 21 | [email protected] (DSAR — Objection) |
| Right not to be subject to ADM | Art 22 | [email protected] (DSAR — Art 22) |
| Right to withdraw consent | Art 7(3) | Footer "Cookie preferences" link |
| Right to lodge a complaint with a DPA | Art 77 | Your competent supervisory authority |
Note on data portability (GDPR Article 20): Cliny Pet provides your data in a "structured, commonly used, machine-readable format", as Article 20 requires. You receive a JSON + images ZIP package containing the personal data we hold about you.
How to exercise your rights
The in-app surface at /settings/privacy is the primary channel for exercising the four rights that Cliny Pet automates (access, erasure, portability, withdrawal of consent). For the remaining rights (rectification of non-self-service fields, restriction, objection, Art 22 human-intervention requests), email [email protected] with the right you wish to exercise.
Response time: We respond within 30 days of receiving a complete request, in line with GDPR Article 12(3). Because account deletion is finalised by a daily cron sweep, erasure completes within 31 days of your initial request (30-day soft-delete window plus up to 24 hours for the next cron tick). Soft-deletion is effective immediately — your sessions are revoked at the moment you press Delete, and the 30-day window exists solely to let you change your mind.
Automated processing (AI triage)
Cliny Pet uses automated processing (xAI Grok vision model + a deterministic safety-override layer) to provide veterinary triage recommendations. The output (a 5-level urgency assessment plus observations, possible causes, immediate actions, red flags, and a vet recommendation) significantly affects you because it informs a decision that has real cost, time, and animal-welfare consequences.
Lawful basis for the AI processing: We rely on explicit consent (GDPR Art 22(2)(c)), given at sign-up via your acceptance of our Terms of Service. The Terms include this Article 22 disclosure verbatim.
Your rights with respect to the AI triage specifically:
- Human intervention — Email [email protected] to request that a human review your triage. We respond within 30 days.
- Express your point of view — You may submit additional context about your triage outcome to the same address; this becomes part of the audit record we keep alongside the triage result.
- Contest the decision — You may dispute the urgency assessment or request that we re-run it with corrected context. We provide meaningful information about how the triage works — and where its limits are — at "Cliny Pet is not a veterinarian — and here's how it still helps".
- Safety overrides — Independently of the AI model output, Cliny Pet applies a deterministic safety override for six well-documented veterinary emergency patterns (e.g., male-cat urethral obstruction, GDV in deep-chested dogs, rabbit GI stasis). When any of these patterns is detected, the urgency level is force-upgraded to EMERGENCY regardless of what the AI model returned.
Sub-processors
Cliny Pet relies on a small set of sub-processors. The two vendors that process the most significant categories of personal data — our AI model provider and our payment processor — are named below. Each entry shows the role of the processor, the SCC module used for any restricted EU transfer, and the categories of data handled. Where the data flow stays inside the EU, no SCC is required — those rows are marked "EU residency".
| Processor | Role | SCC / Transfer regime | Data handled |
|---|---|---|---|
| xAI | AI model provider (Grok) | SCC Module 2 (Irish law per Clause 17 Option 1) — DPA exists; signed enterprise Annex I+II pending counsel retrieval | Pet profile context + symptom description + processed image (post-EXIF strip, post-resize) |
| Stripe | Payments (all markets) | SCC Module 2 via Stripe DPA | Country + tier + tokenised payment refs |
| Image storage (EU region) | Object storage for photos and exports | EU residency | Pet avatars + triage photos + export ZIPs |
| Transactional email delivery | Service emails | SCC Module 2 via the provider's DPA | Email address + locale + email content |
Beyond xAI and Stripe, we rely on a small number of EU-focused infrastructure service providers, used for image storage (EU region), transactional email delivery, and error monitoring. The full, up-to-date sub-processor list — including provider names — is available on request via [email protected].
Status note on xAI: xAI publishes a Data Processing Addendum that treats them as processor under SCC Module Two, governed by Irish law. The general-availability DPA terms are public; the signed enterprise copy with the completed Annex I (processing scope) and Annex II (technical & organisational measures) is being retrieved through our enterprise contact channel. The DPA exists — this is a paperwork completion item, not an unmitigated gap.
Status note on payments: Stripe is our sole payment processor for all markets (including Türkiye). We never receive or store your full card number — Stripe holds tokenised payment references out-of-band. Stripe retains transactional records to satisfy anti-money-laundering and tax obligations (see the data-retention table below).
Data retention
| Data category | Retention window | Legal basis |
|---|---|---|
| Active account data | Lifetime of the subscription | GDPR Art 6(1)(b) contract performance |
| Soft-deleted account | 30 days (then hard-delete cascade) | Permits restoration; GDPR Art 17 |
| Pet + triage + thread data | Hard-deleted at T+30 with the account | GDPR Art 17 |
| Sessions + refresh tokens | Revoked instantly on soft-delete; deleted at T+30 | OWASP + GDPR Art 5(1)(c) data minimisation |
| audit_events (pseudonymised) | 5 years post hard-delete | GDPR Art 17(3)(e) legal-claims defence |
| consent_events (pseudonymised) | 5 years post hard-delete | GDPR Art 7(1) consent-proof |
| Breach-related audit events | 10 years post hard-delete | GDPR Art 33(5) breach-documentation duty |
| Stripe transactional records | Per Stripe's AML retention (typically 7+ years) | GDPR Art 17(3)(b) overriding legal obligation (AML) |
| Data export ZIPs | 7 days (automatic storage lifecycle policy) | Self-imposed minimum-exposure window |
The 5-year pseudonymisation step removes direct identifiers (user_id, ip, user_agent, metadata.email, metadata.ip) from the retained rows; what remains is the event taxonomy and timestamps required to demonstrate consent and to respond to potential supervisory-authority audits.
Data residency
Cliny Pet's runtime is locked to the European Union. Specifically:
- Application hosting: EU data centers located in Germany and France.
- Database and backups: held within the EU at all times.
- Image storage: EU-region object storage.
- Transactional email: an EU-focused delivery provider, with SCC Module 2 safeguards for any US-routed delivery paths.
This residency lock is enforced at process boot by a runtime guard that refuses to start the backend if any configured compute, database, or storage location references a non-EU region. A daily automated audit job re-attests the residency posture of the database and the image storage; any drift raises a critical alert in our error-monitoring system and records an audit event so the engineering team is paged immediately. We surface this operator-side transparency here because we believe data-residency guarantees should be auditable, not merely promised.
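A sketch of a boot-time guard and daily re-attestation of the kind described above, added here as an example and not Cliny Pet's own code. The region identifiers, configuration keys and function names are assumptions made for illustration.

```python
# Illustrative residency guard; not Cliny Pet's code. All names are hypothetical.

# Assumption: the deployment's German and French regions use these identifiers.
ALLOWED_REGIONS = frozenset({"eu-de-1", "eu-fr-1"})
# Assumption: every setting that pins a compute, database or storage location.
BOOT_KEYS = ("COMPUTE_REGION", "DATABASE_REGION", "STORAGE_REGION")
# The daily audit on the page covers the database and the image storage.
AUDIT_KEYS = ("DATABASE_REGION", "STORAGE_REGION")


class ResidencyError(RuntimeError):
    """The configuration cannot be shown to be EU-only."""


def residency_violations(locations, keys=BOOT_KEYS):
    """Return (key, value, reason) for each location not on the EU allow-list."""
    violations = []
    for key in keys:
        raw = locations.get(key)
        if raw is None or not str(raw).strip():
            # Fail closed: an unset location is treated as a violation.
            violations.append((key, raw, "missing"))
            continue
        # A setting may list several regions (replicas); every one must pass.
        for region in str(raw).split(","):
            region = region.strip().lower()
            if region not in ALLOWED_REGIONS:
                violations.append((key, region, "not on EU allow-list"))
    return violations


def enforce_residency(config):
    """Run before the backend opens any connection; raise instead of starting."""
    violations = residency_violations(config)
    if violations:
        detail = "; ".join(f"{k}={v!r} ({why})" for k, v, why in violations)
        raise ResidencyError(f"refusing to start: {detail}")


def audit_residency(reported):
    """Daily check of the regions the providers report, not the configured ones."""
    drift = residency_violations(reported, AUDIT_KEYS)
    return {"severity": "critical" if drift else "ok", "drift": drift}


if __name__ == "__main__":
    # Constructed sample values.
    enforce_residency({"COMPUTE_REGION": "eu-de-1", "DATABASE_REGION": "eu-de-1,eu-fr-1",
                       "STORAGE_REGION": "eu-fr-1"})
    print(audit_residency({"DATABASE_REGION": "eu-de-1", "STORAGE_REGION": "us-east-1"}))
```

An exact allow-list is used instead of a prefix match so that an unknown or misspelled region stops the boot; the audit reads the regions the providers report, which is what catches drift the configuration would not show.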
This policy is reviewed regularly and updated whenever our practices change. The final wording of each section is subject to ongoing review by counsel licensed in TR, EU, and US jurisdictions.