GDPR & Processing
Data Processing
Last Updated: October 1, 2025
Controller & Processor Roles
For clinics using VetBrain, the clinic is the Data Controller for patient and client data entered into the platform. VetBrain acts as the Data Processor, processing data on documented instructions from the clinic as required to deliver the Service.
A Data Processing Agreement (DPA) is available and will be executed with each subscribing clinic. Please contact us to receive a copy.
Purpose of Processing
- Provide and operate the VetBrain platform
- Maintain patient medical records and clinic workflows
- Improve functionality, quality, and security of the service
- Comply with legal and regulatory obligations
Categories of Data
- Clinic account data (name, email, role, organization)
- Patient data and medical records uploaded by the clinic
- Operational data (logs, audit trails, usage metrics)
- Billing and subscription information
Legal Basis
- Performance of a contract with the clinic (Art. 6(1)(b) GDPR)
- Compliance with legal obligations (Art. 6(1)(c) GDPR)
- Legitimate interests in providing and securing the service (Art. 6(1)(f) GDPR)
- Consent where required for optional features (Art. 6(1)(a) GDPR)
Data Subjects
- Clinic staff and practitioners using VetBrain
- Clients/pet owners whose data is entered by the clinic
- Patients (animals) associated with the clinic records
Retention Policy
- Account data retained for the duration of the contract and statutory periods
- Backups retained for 30 days in encrypted storage
- Audit logs retained for a minimum of 12 months
- Deletion or return of data upon contract termination, on request
Data Deletion
- Upon verified request from the clinic administrator
- Subject to applicable regulatory retention requirements
- Performed using secure deletion procedures
Processor Responsibilities
- Process personal data only on documented instructions from the controller
- Ensure confidentiality and train personnel with access to data
- Implement appropriate technical and organizational measures (TOMs)
- Assist the controller with data subject requests and DPIAs
- Notify the controller without undue delay after becoming aware of a personal data breach
- Maintain records of processing activities (RoPA)
Subprocessors
- Use vetted infrastructure and service providers for hosting, storage, and email
- Keep an up-to-date list of subprocessors available on request
- Ensure subprocessors are bound by equivalent data protection obligations
Request a Data Processing Agreement (DPA)
To receive our standard DPA or to request a signed copy, please contact our data protection team.
office@vetbrain.ro