flow.vet

Privacy Policy

Last updated: March 2026

1. Data controller

The data controller for the flow.vet platform (the "Service") is the entity operating flow.vet (the "Company"), based in Athens, Greece. For any questions or requests regarding your personal data, contact us at [email protected].

2. What data we collect

a) Account holders (veterinary professionals)

When you register and use the Service, we collect: email address, first and last name, password (encrypted), language and timezone preferences, sign-in activity (timestamps, IP addresses, sign-in count), and Google account identifiers if you use Google sign-in.

b) Client data (pet owners)

Veterinary professionals enter data about their clients into the Service, including: first and last name, email address, phone number(s), postal address, and preferred language. The veterinary professional is the data controller for this data; we act as a data processor on their behalf.

c) Animal data

The Service stores animal records including: name, species, breed, gender, date of birth, microchip number, passport number, medical history, vaccinations, treatments, clinical notes, and uploaded documents/photos.

d) Booking requests

When pet owners submit booking requests through a clinic's public page, we collect: first and last name, phone number, email address, pet details, and the reason for the visit.

e) Automatically collected data

When you visit the Service, we may automatically collect: IP address, browser type, pages visited, and timestamps. If you consent to analytics cookies, Google Analytics collects anonymized usage data (see our Cookie Policy).

3. Legal basis for processing

We process personal data under the following legal bases (Article 6 GDPR):

  • Contract performance (Art. 6(1)(b)) — to provide the Service, manage your account, and process payments.
  • Legitimate interest (Art. 6(1)(f)) — for security, fraud prevention, error monitoring, and service improvement.
  • Consent (Art. 6(1)(a)) — for analytics cookies and optional communications. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)) — where required by applicable law.

4. Third-party services

We use the following third-party services that may process personal data on our behalf:

Service | Purpose | Data processed
--- | --- | ---
Stripe | Payment processing | Billing details, subscription data
Brevo | Transactional email and SMS | Email addresses, phone numbers, message content
Amazon Web Services (S3) | File storage | Uploaded documents and photos
Google Analytics | Usage analytics (with consent) | Anonymized browsing data, IP address
Google OAuth | Authentication | Email, name, Google account ID
Cloudflare | Security and bot protection | IP address, browser metadata
Sentry | Error monitoring | User ID, email, technical error data

All third-party services are bound by their own privacy policies and, where applicable, data processing agreements.

5. International data transfers

Some of our third-party services (Stripe, AWS, Google, Sentry, Cloudflare) may process data outside the European Economic Area (EEA). Where this occurs, transfers are protected by appropriate safeguards such as Standard Contractual Clauses (SCCs) or the EU-U.S. Data Privacy Framework, in accordance with Chapter V of the GDPR.

6. Data retention

  • Account data — retained for the duration of your account. After account deactivation, data is retained for 60 days before deletion.
  • Client and animal records — retained for the duration of the veterinary professional's account and subject to applicable veterinary record-keeping obligations.
  • Communication logs — email and SMS delivery logs are retained for operational purposes and deleted periodically.
  • Analytics data — governed by Google Analytics' retention settings (see Cookie Policy).

7. Your rights

Under the GDPR, you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate or incomplete data.
  • Erasure — request deletion of your personal data ("right to be forgotten").
  • Restriction — request restriction of processing in certain circumstances.
  • Portability — receive your data in a structured, commonly used, machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8. Supervisory authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA):

Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα (ΑΠΔΠΧ)
Kifisias 1-3, 115 23 Athens, Greece
www.dpa.gr · [email protected]

9. Security

We implement appropriate technical and organisational measures to protect personal data, including: encryption of all communications via HTTPS, encrypted password storage, session management controls, and access controls within multi-user accounts.

10. Changes to this policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Related policies

Terms of Service · Cookie Policy