Privacy Policy
How VetTrack Pro collects, uses, protects and discloses your information
1. Controller Information
The data controller is VetTrack Pro Ltd, registered in Nairobi, Kenya. Contact: privacy@vettrackpro.com. For EU residents, our EU representative can be reached via the same email.
2. Information We Collect
2.1 Account Registration Data
When you create an account, we collect: email address, username, first and last name, phone number, and (for institution administrators) organisation name, email, phone, country, website, and description. Passwords are stored as PBKDF2-SHA256 hashes with 600,000 iterations, never in plaintext.
2.2 Automatically Collected Technical Data
- Network identifiers: IPv4/IPv6 address, X-Forwarded-For chain, Cloudflare CF-Connecting-IP, and MAC address where provided by enterprise proxy headers.
- Browser and device: User-agent string parsed into browser name/version, operating system, device type (desktop / mobile / tablet / bot), device brand and model.
- HTTP metadata: Referer URL, Accept-Language, DNT (Do-Not-Track) status, request path and query string.
- Geolocation (guest pages only): Approximate country, region, and city derived from IP address via GeoIP lookup. We do not use GPS-level precision.
- JavaScript fingerprint (guest pages only): Screen resolution, viewport dimensions, pixel ratio, colour depth, timezone, canvas hash, WebGL vendor/renderer, touch support, and cookie-enabled status — collected only from public landing pages to detect bots and fraud.
2.3 Platform Usage Data
Wildlife case records, veterinary reports, uploaded documents, messages, and audit actions created by users within the platform.
2.4 Payment Data
For payment transactions, we collect: phone number, payment gateway reference, transaction amount, and status. We do not store full card numbers. Payment processing is handled by third-party gateways (Safaricom Daraja, KCB Buni, MTN MoMo, Flutterwave, Paystack, Pesapal, DPO Pay, Airtel Money) under their own privacy policies.
3. Legal Basis for Processing
| Processing Purpose | Legal Basis |
|---|---|
| Account management and service delivery | Contract (Art. 6(1)(b) GDPR / s.30 KDPA) |
| Payment processing | Contract |
| Security, fraud prevention, audit logging | Legitimate interests (Art. 6(1)(f) GDPR) |
| Visitor analytics (guest pages) | Legitimate interests |
| Email marketing campaigns | Consent (opt-in per account settings) |
| Legal compliance and regulatory obligations | Legal obligation (Art. 6(1)(c) GDPR) |
4. How We Use Your Information
- Provide, operate, and improve the VetTrack Pro platform
- Authenticate users and protect account security
- Process payments and issue invoices
- Send transactional notifications (account verification, invoice, payment confirmation)
- Send marketing emails only to users who have opted in via account settings
- Generate anonymised analytics for platform improvement
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal and regulatory requirements in applicable jurisdictions
5. Sharing and Disclosure
We do not sell personal data. We may share data with:
- Your institution's administrators — for staff account verification and management within your organisation.
- Payment gateway providers — to process transactions. Each provider is a data processor under their own terms.
- Cloud infrastructure providers — AWS (S3 storage), where applicable, under data processing agreements.
- Law enforcement or regulators — when required by Kenyan law, GDPR, or other applicable legal obligation.
- Professional advisers — lawyers and auditors under confidentiality obligations.
All third-party processors are bound by written data processing agreements meeting the requirements of GDPR Article 28 and the Kenya Data Protection Act, 2019.
6. International Transfers
VetTrack Pro is hosted in the European Economic Area (EEA) and/or AWS regions. Where data is transferred outside Kenya or the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and recognised by the Kenya Office of the Data Protection Commissioner (ODPC).
7. Data Retention
See our full Data Retention Policy. Summary:
- Account data: retained while the account is active, plus 12 months after a deletion request
- Visitor logs: 24 months
- Audit logs: 36 months (for regulatory compliance)
- Payment records: 7 years (Kenyan tax regulations)
- Wildlife case data: per institution retention policy, minimum 5 years
8. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
| Right | How to Exercise |
|---|---|
| Access — obtain a copy of your personal data | Email privacy@vettrackpro.com |
| Rectification — correct inaccurate data | Update in Profile settings or email us |
| Erasure — request deletion of your data | Email privacy@vettrackpro.com (subject to retention obligations) |
| Restriction — restrict processing in certain circumstances | Email privacy@vettrackpro.com |
| Portability — export your data in machine-readable format | Available via API or on request |
| Objection — object to processing based on legitimate interests | Email privacy@vettrackpro.com |
| Withdraw consent — for marketing emails | Profile → Notification Settings → disable Marketing Emails |
We will respond to all data rights requests within 30 days as required by GDPR Article 12 and the Kenya Data Protection Act s.35.
9. Security
We implement industry-standard technical and organisational measures including: TLS 1.2+ encryption in transit; AES-256 encryption at rest for sensitive fields; PBKDF2-SHA256 password hashing; TOTP two-factor authentication; rate limiting and IP-based abuse detection; security headers (HSTS, CSP, X-Frame-Options); regular security audits.
10. Cookies
We use session cookies for authentication and CSRF protection. We do not use third-party advertising cookies. See our Cookie Policy for details.
11. Children's Data
VetTrack Pro is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, contact privacy@vettrackpro.com immediately.
12. Changes to This Policy
We may update this policy periodically. We will notify you of material changes by email and in-app notification at least 30 days before they take effect. Continued use of the platform after the effective date constitutes acceptance.
13. How to Complain
If you are unsatisfied with our response to a data rights request, you may lodge a complaint with:
- Kenya: Office of the Data Protection Commissioner (ODPC) — odpc.go.ke
- EU/EEA: Your local supervisory authority
- Uganda: Personal Data Protection Office (PDPO)
- Tanzania: Tanzania Communications Regulatory Authority (TCRA)
14. Contact
Data Protection Officer: VetTrack Pro Ltd, Westlands, Nairobi, Kenya
Email: privacy@vettrackpro.com
Response time: within 5 working days for initial acknowledgement; 30 days for full response.