Privacy Policy

NexGen Technologies ("we", "us", or "our") operates VetAssistant AI (the "Service"), accessible at vetassistantai.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) for users in the European Union and European Economic Area. By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with this policy, please do not use the Service.

Data Controller: NexGen Technologies Email: [email protected] Ireland: +353 838654992 Chile: +569 53858376 For all privacy-related inquiries or to exercise your data rights, please contact us at the email address above.

3.1 Information You Provide Directly • Account Information: When you create an account, we collect your name, email address, and encrypted password. If you sign in via Google SSO, we receive your name, email, and profile picture from Google. • Chat Messages: The questions and messages you submit to the AI assistant. • Conversation History: For registered users, we store your conversation history (messages, titles, timestamps) to allow you to resume previous conversations. • Clinic Information: For B2B (veterinary clinic) users, we collect clinic name, email, and contact information during registration. 3.2 Information Collected Automatically • Visitor ID: For anonymous users, a unique identifier is generated and stored in your browser's localStorage to track usage (up to 5 free daily questions). • Usage Data: Number of questions asked, AI art generations, subscription status, billing period, and session information. • Device Information: Browser type, operating system, and device type for service optimization. • IP Address: Collected for security purposes and fraud prevention. • Google Analytics Data: We use Google Analytics 4 (GA4) to collect aggregated usage statistics, including page views, session duration, language preferences, and user interactions. This data is anonymized and used to improve our Service. 3.3 Information from Third Parties • Payment Information: When you subscribe or purchase a plan, Stripe (our payment processor) handles all payment card information. We receive only: - Stripe Customer ID and Subscription ID - Transaction status - Plan type and billing period - Email address associated with payment • Google Authentication: If you use Google SSO to sign in, Google shares your basic profile information (name, email, profile picture) with us. We do NOT store complete credit card numbers, CVV codes, or other sensitive payment details on our servers.

We use the collected information for the following purposes: 4.1 Service Provision • To provide AI-generated responses to your pet care questions • To manage your account, subscription plans, and question quotas • To process payments and manage recurring subscriptions through Stripe • To store and display your conversation history • To provide AI pet art generation features • To authenticate users via email/password or Google SSO • To authenticate veterinary clinics via API keys 4.2 Service Improvement • To analyze usage patterns and improve AI responses • To identify and fix technical issues • To develop new features and services • To collect aggregated analytics via Google Analytics 4 4.3 Communication • To send purchase confirmations and subscription notifications • To respond to support inquiries • To send important service updates (you can opt out of non-essential communications) 4.4 Security and Compliance • To prevent fraud and abuse • To enforce our Terms of Service • To comply with legal obligations

For users in the EU/EEA, we process personal data based on the following legal grounds: 5.1 Contract Performance (Article 6(1)(b)) • Processing necessary to provide the Service you requested • Managing your account, subscription, and billing • Processing payments through Stripe 5.2 Legitimate Interests (Article 6(1)(f)) • Improving our Service and AI capabilities • Analyzing usage patterns via Google Analytics • Fraud prevention and security • Customer support 5.3 Legal Obligation (Article 6(1)(c)) • Compliance with applicable laws and regulations • Responding to legal requests • Tax and accounting requirements 5.4 Consent (Article 6(1)(a)) • Marketing communications (when applicable) • Use of Google Analytics cookies • Google SSO authentication You may withdraw consent at any time by contacting us.

We do not sell, trade, or rent your personal information to third parties. We may share information only in the following circumstances: 6.1 Service Providers • Stripe: Payment processing and subscription management (PCI-DSS compliant) • Abacus.AI: AI model provider for generating chat responses and pet art (messages are processed to generate responses) • Google: Analytics (GA4) and authentication (SSO) • Cloud Hosting: Infrastructure providers for secure data storage 6.2 Legal Requirements We may disclose information if required by law or in response to: • Valid legal process (subpoena, court order) • Government requests • Protection of our rights and safety • Prevention of fraud or illegal activities 6.3 Business Transfers In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data is subject to a different privacy policy. 6.4 With Your Consent We may share information for other purposes with your explicit consent.

We retain your information for as long as necessary to fulfill the purposes described in this policy: 7.1 Retention Periods • User Accounts: Retained for the duration of your account plus 24 months of inactivity • Conversation History: Retained while your account is active; deleted upon account deletion request • Chat Messages (anonymous): Retained for up to 12 months, then anonymized or deleted • Payment Records: Retained for 7 years as required for tax/legal compliance • Subscription Data: Retained for the duration of the subscription plus legal retention period • Visitor IDs: Stored in your browser; cleared when you clear browser data • Clinic Accounts: Retained for the duration of the business relationship plus 24 months 7.2 Deletion You may request deletion of your data at any time (see Section 9). Some data may be retained for legal compliance even after a deletion request.

We implement industry-standard security measures to protect your information: 8.1 Technical Measures • HTTPS/TLS encryption for all data in transit • Encrypted password storage using bcrypt hashing • Encrypted database storage • Regular security audits and updates • Secure API authentication for clinic access • JWT-based session tokens for user authentication • Rate limiting to prevent abuse 8.2 Organizational Measures • Limited access to personal data (need-to-know basis) • Employee confidentiality agreements • Regular security training • Incident response procedures 8.3 Third-Party Security • All service providers are vetted for security compliance • Stripe is PCI-DSS Level 1 certified • Cloud providers maintain SOC 2 compliance Important: While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

Depending on your location, you may have the following rights regarding your personal data: 9.1 Right to Access You can request a copy of the personal data we hold about you. 9.2 Right to Rectification You can request correction of inaccurate or incomplete data. 9.3 Right to Erasure ("Right to be Forgotten") You can request deletion of your personal data, including your account, conversation history, and subscription data, subject to legal retention requirements. 9.4 Right to Restrict Processing You can request that we limit how we use your data. 9.5 Right to Data Portability You can request your data in a machine-readable format for transfer to another service. 9.6 Right to Object You can object to processing based on legitimate interests, including profiling. 9.7 Right to Withdraw Consent Where processing is based on consent, you can withdraw it at any time. 9.8 Right to Lodge a Complaint You have the right to file a complaint with a supervisory authority if you believe your rights have been violated. How to Exercise Your Rights: Contact us at [email protected] with your request. We will respond within 30 days. We may need to verify your identity before processing certain requests.

10.1 What We Use We use browser localStorage and cookies to store: • Session Token: JWT authentication token for logged-in users • visitorId: Unique identifier for anonymous usage tracking • language: Your preferred language setting (EN/ES) • consent_status: Your cookie/analytics consent preference • theme: Your preferred visual theme 10.2 Google Analytics Cookies Google Analytics 4 uses cookies to: • Collect anonymized usage data • Distinguish users and sessions • Analyze traffic patterns You can opt out of Google Analytics tracking through your browser settings or our consent banner. 10.3 Purpose These storage mechanisms are essential for: • Maintaining your logged-in session • Tracking your remaining free questions (anonymous users) • Remembering your language and theme preferences • Collecting anonymized analytics 10.4 Managing Local Storage and Cookies You can clear localStorage and cookies through your browser settings. Note: Clearing these will log you out and reset your anonymous question count. 10.5 Third-Party Services Stripe may use cookies for fraud prevention and payment processing. Google uses cookies for Analytics and SSO. Please refer to their respective Privacy Policies for details.

Your information may be transferred to and processed in countries other than your country of residence, including: • Chile: Where our company is legally registered • Ireland: Where we operate from and where our Stripe payment processing is based • United States: Where some of our service providers (AI providers, Google) are located 11.1 Safeguards for EU/EEA Users For transfers outside the EU/EEA, we ensure appropriate safeguards: • Standard Contractual Clauses (SCCs) approved by the European Commission • Data processing agreements with all service providers • Verification that recipients maintain adequate data protection 11.2 Your Consent By using the Service, you consent to the transfer of your data to these countries, which may have different data protection laws than your jurisdiction.

Our Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at [email protected]. We will take steps to delete such information from our systems. If you are under 18, please do not use the Service or provide any personal information.

Our Service may contain links to third-party websites or services, including: • Stripe (payment processing) • Google (authentication and analytics) • Veterinary clinics' websites • Veterinary resource locators We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any information. This Privacy Policy applies only to VetAssistant AI and does not cover any third-party services.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. 14.1 Notification of Changes • We will update the "Last Updated" date at the top of this policy • For material changes, we will provide notice through: - Email (if you have a registered account) - Prominent notice on our website - In-app notification 14.2 Your Continued Use Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy. If you do not agree with the changes, please stop using the Service. We encourage you to review this Privacy Policy periodically.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: NexGen Technologies Email: [email protected] Ireland: +353 838654992 Chile: +569 53858376 For EU/EEA Users: If you are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority (e.g., the Data Protection Commission in Ireland). Response Time: We aim to respond to all privacy-related inquiries within 30 days. Complex requests may require additional time, and we will keep you informed of any delays.