Last updated: 9 May 2026
ClinicDesq ("we", "us", "our") is a veterinary clinic and practice management platform owned and operated by Tattva Pet Care Private Limited ("Company"), a company registered in India (CIN pending) with its registered office at Binnamangala 2nd Stage, Indiranagar, Bangalore 560038, Karnataka, India. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our platform at clinicdesq.com and all related services (collectively, the "Platform").
This policy applies to users worldwide, including users in India, the United States, the United Kingdom, the European Economic Area (EEA), and all other jurisdictions. Where specific regulations apply to your region, those provisions are clearly noted.
By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Platform.
1. Who This Policy Applies To
This policy applies to all users of ClinicDesq, including:
- Organisations — Veterinary clinics, hospitals, and multi-clinic practices that subscribe to the Platform
- Veterinarians — Independent or organisation-associated veterinary professionals
- External Laboratories — Diagnostic labs connected to the Platform
- Students — Veterinary students using the learning and case study features
- Staff Members — Users created by organisations (receptionists, technicians, managers, etc.)
- Pet Parents — Pet owners whose personal data is recorded by clinics using the Platform
2. Data Controller and Data Processor Roles
Under the UK General Data Protection Regulation (UK GDPR), EU GDPR, India's Digital Personal Data Protection Act 2023 (DPDPA), and other applicable data protection laws:
- ClinicDesq as Data Processor / Data Fiduciary Agent: When veterinary organisations use ClinicDesq to manage patient records, case sheets, prescriptions, billing, and pet parent data, the organisation is the Data Controller (or "Data Fiduciary" under DPDPA) and ClinicDesq acts as a Data Processor. We process this data solely on the organisation's instructions and in accordance with our contractual obligations.
- ClinicDesq as Data Controller / Data Fiduciary: For account registration data, login credentials, billing and subscription information, AI credit usage, platform analytics, student verification data, and all data collected directly from users during registration, ClinicDesq is the Data Controller (or "Data Fiduciary" under DPDPA).
Organisations using ClinicDesq are independently responsible for establishing their own lawful basis for processing pet parent and patient data, obtaining any required consents from pet owners, and complying with data protection obligations in their jurisdiction.
3. Lawful Basis for Processing
3.1 For UK and EEA Users (GDPR)
We process personal data under the following lawful bases as defined by Articles 6 and 9 of the GDPR:
- Contractual Necessity (Article 6(1)(b)) — To provide our Platform services, create and manage your account, process subscriptions and payments, deliver AI features, and fulfil the services you have signed up for.
- Legitimate Interest (Article 6(1)(f)) — To maintain Platform security, detect and prevent fraud, enforce single-session policies, improve our services through analytics, debug technical issues, and communicate service-related updates. We conduct balancing tests to ensure these interests do not override your fundamental rights and freedoms.
- Consent (Article 6(1)(a)) — For marketing communications (email, WhatsApp), processing voice recordings through third-party AI services, and any future non-essential cookies or tracking. You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
- Legal Obligation (Article 6(1)(c)) — To comply with applicable laws, regulations, tax obligations, and lawful government requests.
3.2 For Indian Users (DPDPA 2023)
Under India's Digital Personal Data Protection Act, 2023, we process your personal data based on your consent (obtained during registration and use of the Platform) and for legitimate uses as defined under the Act, including providing services you have requested, complying with legal obligations, and responding to medical emergencies involving animals where applicable.
3.3 For US Users
We process your personal information to provide our services pursuant to our contractual relationship with you, with your consent where required by applicable state laws, and for our legitimate business purposes as described in this policy.
4. Information We Collect
4.1 Information You Provide Directly
| User Type | Data Collected |
| --- | --- |
| Organisations | Admin name, email address, phone number (with country code), organisation name, organisation type, GST number (India) or business registration number, clinic addresses |
| Veterinarians | Full name, email address, phone number, veterinary registration/license number, degree, specialisation, practicing license document, certificates, digital signature image |
| Laboratories | Lab name, full address (street, city, state/region, pincode/postal code), admin name, email address, phone number |
| Students | Full name, email address, phone number (with country code), college/university name, city, state/region, country, year of study, batch year, college ID card image |
| Staff/Lab Techs | Full name, email address, phone number, assigned role and clinic |
| Pet Parents (via clinics) | Name, phone number, email address, address (as entered by the clinic) |
4.2 Information Generated Through Platform Use
- Clinical Data — Patient (animal) records, case sheets, presenting complaints, clinical examination findings, prescriptions, diagnostic reports, lab orders and results, treatment histories, vaccination records, follow-up schedules, billing records
- AI Interaction Data — Clinical data sent to AI features, AI-generated responses (differential diagnoses, treatment plans, prescription suggestions, case overviews, senior vet support responses), AI credit consumption records
- Voice Recordings — When veterinarians use the voice-to-case-sheet feature, audio recordings are captured by the browser, transmitted to our server, forwarded to OpenAI's Whisper API for transcription, and then processed through OpenAI's GPT API for clinical data extraction. Audio files are stored temporarily on our server only during processing and are deleted immediately after transcription is complete (typically within seconds). We do not retain audio files. The resulting transcript text is not stored separately; only the extracted clinical fields are saved to the case sheet.
- Student Case Data — Clinical case records created for learning, case photos, AI learning interactions, practice prescription records
- Communication Records — WhatsApp messages sent through the Platform (case sheets, reminders, follow-ups), OTP delivery records
- Usage Data — Login timestamps, session duration, pages visited, features used, error logs
4.3 Information Collected Automatically
- IP address and approximate geolocation (country/region level only)
- Browser type and version, operating system, device type
- Session tokens and authentication data
- CSRF tokens for security
- Referring URL (how you reached our Platform)
4.4 Communications Data
We collect phone numbers and email addresses for the purpose of sending one-time passwords (OTPs) during registration and verification. For users in India, OTPs are sent via both SMS and WhatsApp. For international users, OTPs are sent via WhatsApp only, with email as a fallback. These are strictly transactional messages — we do not send marketing or promotional messages via SMS or WhatsApp without your separate, explicit prior consent.
5. How We Use Your Information
We use your information for the following purposes and no other:
- Platform Operation — To provide, maintain, operate, and improve our veterinary practice management services
- Account Management — To create your account, verify your identity and professional credentials, manage registration, process onboarding approvals
- AI Services — To process clinical data through AI models for generating differential diagnoses, treatment suggestions, prescription support, case overviews, and educational insights
- Voice Processing — To transcribe audio recordings and extract structured clinical data for automatic case sheet completion
- Transactional Communication — To send OTPs, account confirmations, approval notifications, credential sharing emails, password resets, subscription receipts, and service-critical alerts
- Marketing Communication — To send product updates, feature announcements, and promotional content via email (only with your explicit opt-in consent; you may opt out at any time via the unsubscribe link in any marketing email)
- Security and Fraud Prevention — To detect and prevent unauthorized access, enforce single-session policies, monitor for suspicious activity, and protect the integrity of the Platform
- Student Verification — To verify college ID cards for student account activation (processed through AI image analysis)
- Legal Compliance — To comply with applicable laws, regulations, and respond to lawful requests from authorities
- Analytics and Improvement — To understand usage patterns, diagnose technical issues, and improve Platform features (using aggregated, non-personally-identifiable data wherever possible)
6. AI and Voice Data Processing
Transparency Notice: When you use AI-powered features on ClinicDesq, relevant data is transmitted to third-party AI providers for processing. We believe in full transparency about this.
6.1 What Data Is Sent to AI Providers
- Case sheet fields (presenting complaint, history, clinical examination, vitals, differentials, diagnosis) when using AI clinical assistant features
- Diagnostic report content when using AI extraction features
- Audio recordings when using voice-to-case-sheet (sent to OpenAI Whisper for transcription)
- Transcribed text when extracting structured clinical fields (sent to OpenAI GPT for processing)
- Student college ID images when using automated verification
- Pet information (species, breed, age, weight) to provide clinical context for AI responses
6.2 How AI Data Is Handled
- Our current AI provider is OpenAI (OpenAI, L.L.C., San Francisco, USA)
- Data is sent to OpenAI via their API under their API Data Usage Policy, which states that API inputs and outputs are not used to train OpenAI's models
- OpenAI may retain API data for up to 30 days for abuse monitoring, after which it is deleted (per OpenAI's data retention policy as of the date of this Privacy Policy)
- Voice recordings are deleted from our servers immediately after transcription — we do not maintain an audio archive
- We do not send personally identifiable information (names, phone numbers, emails) to AI providers — only clinical and case-related data
- If we change AI providers in the future, we will update this policy and ensure equivalent or stronger data protection commitments
6.3 Your Choice
AI and voice features are entirely optional. You may use the Platform without ever activating AI features. By choosing to use AI-powered tools, you consent to the data processing described above. You may stop using these features at any time.
7. Third-Party Service Providers (Sub-Processors)
We use the following third-party service providers to operate the Platform. Each provider receives only the minimum data necessary for their specific function:
| Provider | Purpose | Data Shared | Server Location |
| --- | --- | --- | --- |
| Amazon Web Services (AWS) | Cloud hosting, database, file storage | All Platform data (encrypted at rest and in transit) | Mumbai, India (ap-south-1) |
| OpenAI | AI clinical features, voice transcription, image analysis | Clinical case data, audio recordings, college ID images | United States |
| MSG91 | SMS and WhatsApp OTP delivery | Phone numbers, OTP codes | India |
| Razorpay | Payment processing (INR) | Name, email, phone, payment amount | India |
| Stripe | Payment processing (USD/international) | Name, email, payment amount, card details (handled entirely by Stripe) | United States |
We maintain data processing agreements with each sub-processor where required by law. We do not permit sub-processors to use your data for any purpose other than providing services to ClinicDesq.
8. Data Sharing
We do not sell, rent, lease, or trade your personal information to any third party for their own marketing, advertising, or commercial purposes. We have never sold personal data and have no plans to do so.
We share data only in the following limited circumstances:
- Within Your Organisation — Staff members within the same organisation can access clinical data as permitted by their assigned roles and permissions
- Vet–Organisation Relationship — When a veterinarian accepts an organisation's onboarding invitation, relevant professional data (name, registration number, qualifications) is shared with that organisation
- Lab–Organisation Relationship — Lab orders, sample details, and test results are shared between connected laboratories and ordering organisations
- Sub-Processors — As detailed in Section 7 above, strictly for providing Platform functionality
- Pet Parents (via WhatsApp) — When a clinic sends case sheets, prescriptions, or reminders to pet parents via WhatsApp, the relevant document content is shared through the configured WhatsApp Business API
- Legal Requirements — When required by applicable law, regulation, court order, subpoena, or binding government request in any jurisdiction. We will attempt to notify affected users before disclosure unless legally prohibited from doing so.
- Business Transfers — In the event of a merger, acquisition, reorganisation, or sale of assets, your data may be transferred to the successor entity. We will notify you via email and/or prominent notice on the Platform before your data is transferred and becomes subject to a different privacy policy.
- Protection of Rights — When we believe disclosure is necessary to protect our rights, property, or safety, or the rights, property, or safety of our users or the public
8.1 California Residents — "Do Not Sell or Share"
Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA): we do not sell your personal information as defined by the CCPA. We do not share your personal information for cross-context behavioral advertising. Because we do not engage in these activities, no opt-out mechanism is required. If California law changes to require additional disclosures, we will update this policy accordingly.
9. International Data Transfers
ClinicDesq is operated from India. Your personal data is primarily stored on AWS servers in Mumbai, India. If you access the Platform from outside India, your data will be transferred to India for processing and storage.
Additionally, when you use AI features, data is transmitted to OpenAI servers in the United States. When international students make payments, payment data is processed by Stripe in the United States.
9.1 Safeguards for UK and EEA Users
For transfers of personal data from the UK or EEA to India and the United States (countries that do not have an adequacy decision from the UK or European Commission), we rely on:
- Standard Contractual Clauses (SCCs) — EU Commission-approved clauses (and the UK International Data Transfer Addendum where applicable) incorporated into our agreements with sub-processors
- Supplementary measures — Including encryption of data in transit (TLS 1.2+) and at rest (AES-256), access controls, and contractual commitments from our sub-processors regarding government access requests
You may request a copy of the relevant SCCs by contacting info@clinicdesq.com.
9.2 Acknowledgement for All International Users
By using the Platform from outside India, you acknowledge and consent to the transfer of your personal data to India and (when using AI features) to the United States. Data protection laws in these countries may differ from those in your country of residence.
10. Data Storage and Security
We take the security of your data seriously and implement the following technical and organisational measures:
- Encryption in Transit — All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS enforced site-wide)
- Encryption at Rest — Database and file storage on AWS are encrypted using AES-256 encryption
- Password Security — All passwords are hashed using bcrypt with appropriate cost factors and are never stored or logged in plain text
- Access Controls — Role-based access controls (RBAC) ensure users can only access data appropriate to their role. Admin, vet, staff, lab, and student roles have distinct permission boundaries
- Session Security — Single-session enforcement for students and staff (one active session per account). CSRF protection on all forms. Secure, HTTP-only session cookies.
- File Security — Uploaded files (licenses, certificates, ID cards, diagnostic images) are stored in private S3 buckets with signed URLs for time-limited access
- Voice Recording Security — Audio files are transmitted over HTTPS, stored temporarily in a private directory, and deleted immediately after AI processing
- Payment Security — We are PCI DSS compliant through our payment processors. We never store, process, or log credit/debit card numbers, CVVs, or bank account details on our servers. All card handling is performed entirely by Razorpay and Stripe.
- Infrastructure Security — Our AWS infrastructure uses VPCs and security groups, and is monitored for unauthorized access
- Backups — Regular automated database backups are maintained and encrypted
11. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR for UK/EEA users, and as best practice for all users)
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms
- Notify the Data Protection Board of India as required under the DPDPA for Indian users
- Document the breach, its effects, and remedial actions taken in our internal breach register
12. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected or as required by law:
| Data Type | Retention Period |
| --- | --- |
| Active account data | For the duration of the account's active status and contractual relationship |
| Clinical records (case sheets, prescriptions) | As long as the organisation's account is active; retained in accordance with applicable veterinary regulations upon deletion request |
| Voice recordings (audio files) | Deleted immediately after transcription (seconds) |
| AI interaction logs | Up to 12 months for debugging and service improvement |
| OTP and verification codes | 10 minutes (auto-expire) |
| Inactive accounts | Archived after 12+ months of inactivity; user notified 30 days before archiving |
| Deleted accounts | Personal data removed within 30 days of confirmed deletion request; anonymised analytics may be retained |
| Billing and payment records | As required by applicable tax and accounting laws (typically 7 years in India, 6 years in UK) |
| Security and access logs | Up to 12 months |
| Student college ID images | Retained until account deletion or 12 months after account deactivation |
13. Your Rights
13.1 Rights for All Users (Regardless of Location)
Every ClinicDesq user has the right to:
- Access — Request a copy of the personal data we hold about you
- Correction — Request correction of inaccurate or incomplete personal data
- Deletion — Request deletion of your account and associated personal data (subject to legal retention requirements)
- Opt-Out of Marketing — Unsubscribe from marketing communications at any time via the unsubscribe link or by contacting us
- Withdraw Consent — Withdraw consent for any processing based on consent, without affecting the lawfulness of processing before withdrawal
- Data Export — Request your data in a commonly used electronic format
To exercise any right, email info@clinicdesq.com with the subject line "Data Rights Request". We will verify your identity and respond within 30 days. If we need additional time (up to 60 days for complex requests), we will inform you within the initial 30-day period.
13.2 Additional Rights for UK and EEA Users (GDPR)
Under the UK GDPR and EU GDPR, you additionally have the right to:
- Data Portability — Receive your personal data in a structured, commonly used, machine-readable format (CSV, JSON) and transmit it to another controller
- Restriction of Processing — Request that we restrict processing of your data while we verify its accuracy, while we assess an objection you have raised, or where processing is unlawful but you oppose deletion
- Object to Processing — Object to processing based on our legitimate interests (we will cease processing unless we demonstrate compelling legitimate grounds) or object to direct marketing at any time (we will comply immediately)
- Automated Decision-Making — Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our AI features are decision-support tools that require human review by qualified veterinary professionals — no automated decisions with legal or clinical effects are made without human oversight.
- Lodge a Complaint — File a complaint with your supervisory authority:
13.3 Additional Rights for California Residents (CCPA/CPRA)
Under the California Consumer Privacy Act and California Privacy Rights Act, California residents have the right to:
- Right to Know — Request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, the business purpose for collecting it, and the categories of third parties with whom we share it
- Right to Delete — Request deletion of personal information, subject to exceptions (e.g., legal obligations, security, completing transactions)
- Right to Correct — Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing — We do not sell or share personal information for cross-context behavioral advertising
- Right to Limit Use of Sensitive Personal Information — We do not use sensitive personal information for purposes beyond those permitted by the CCPA
- Right to Non-Discrimination — We will not deny you services, charge different prices, or provide a different quality of service for exercising your CCPA rights
California residents may submit requests by emailing info@clinicdesq.com. We will verify your identity before processing. You may also designate an authorised agent to submit requests on your behalf. We will respond within 45 days (extendable by an additional 45 days with notice).
13.4 Rights for Indian Users (DPDPA 2023)
Under the Digital Personal Data Protection Act, 2023, you (as a "Data Principal") have the right to:
- Access information about the personal data being processed and a summary of processing activities
- Request correction and erasure of your personal data
- Nominate another individual to exercise your rights in the event of your death or incapacity
- Seek grievance redressal from our Grievance Officer (see Section 17)
- File a complaint with the Data Protection Board of India if your grievance is not resolved
14. Cookies and Tracking Technologies
We use the following types of cookies:
- Strictly Necessary Cookies — Required for authentication (session cookies), CSRF protection, and Platform security. These are essential for the Platform to function and cannot be disabled.
- Functional Cookies — Remember your preferences such as selected clinic, display settings, and form states. These improve your experience but are not essential.
We do not use:
- Third-party advertising or retargeting cookies
- Social media tracking pixels or widgets
- Cross-site analytics or behavioural tracking cookies
- Fingerprinting or other persistent tracking technologies
For UK and EEA users: As we use only strictly necessary and functional cookies, explicit consent is not required under the Privacy and Electronic Communications Regulations (PECR) or the ePrivacy Directive. If we introduce any analytics or non-essential tracking in the future, we will implement a cookie consent mechanism before doing so.
Browser controls: You can configure your browser to block or delete cookies. However, disabling strictly necessary cookies will prevent the Platform from functioning correctly.
15. Communications Compliance
15.1 US Users (TCPA / CAN-SPAM)
By providing your phone number during registration, you consent to receive transactional messages (OTPs, account alerts, verification codes) via SMS and/or WhatsApp. These are not marketing messages and are exempt from TCPA marketing consent requirements. We will never send marketing or promotional messages via SMS or WhatsApp without your separate, explicit written consent. You may opt out of marketing messages at any time. Standard message and data rates from your carrier may apply. Message frequency varies based on your use of the Platform.
All marketing emails comply with the CAN-SPAM Act: they include our physical address, an unsubscribe mechanism, and accurate subject lines. We process unsubscribe requests within 10 business days.
15.2 UK/EEA Users (PECR / ePrivacy)
We only send electronic marketing communications with your explicit prior consent (opt-in). You may withdraw consent at any time. Transactional and service-related messages do not require separate consent.
15.3 Indian Users
OTP delivery via SMS is provided through MSG91 in compliance with TRAI (Telecom Regulatory Authority of India) regulations. Marketing communications are sent only with your consent and include an unsubscribe option.
16. Children's Privacy
ClinicDesq is not directed at or intended for use by children. We do not knowingly collect personal information from:
- Children under 18 years of age (general minimum)
- Children under 16 years of age (UK/EEA, per GDPR)
- Children under 13 years of age (US, per COPPA)
If we discover that we have inadvertently collected personal data from a child below the applicable age threshold, we will delete it promptly. If you believe a child has provided us with personal data, please contact us immediately at info@clinicdesq.com.
17. Contact Information and Grievance Redressal
17.1 General Contact
Tattva Pet Care Private Limited
Binnamangala 2nd Stage, Indiranagar
Bangalore 560038, Karnataka, India
Email: info@clinicdesq.com
17.2 Grievance Officer (India — DPDPA / IT Act)
In accordance with the Information Technology Act, 2000, the IT (Intermediary Guidelines) Rules, 2021, and the Digital Personal Data Protection Act, 2023, our Grievance Officer can be reached at:
Grievance Officer
Tattva Pet Care Private Limited
Email: info@clinicdesq.com
The Grievance Officer will acknowledge your complaint within 24 hours and provide a resolution within 30 days of receipt.
17.3 UK and EEA Users — Data Protection Contact
For data protection queries, data subject access requests, or complaints related to UK GDPR or EU GDPR, please contact: info@clinicdesq.com with the subject line "GDPR Request".
If you are not satisfied with our response, you have the right to lodge a complaint with:
17.4 US Users
For privacy-related enquiries or to exercise your rights under the CCPA or other applicable state privacy laws, email info@clinicdesq.com with the subject line "Privacy Request".
18. Data Processing Agreement
Organisations using ClinicDesq to process patient and pet parent data on their behalf may request a Data Processing Agreement (DPA) that formalises our obligations as a Data Processor under UK GDPR, EU GDPR, DPDPA, and other applicable data protection laws. The DPA covers data processing scope, sub-processors, security measures, breach notification obligations, data subject rights assistance, and data return/deletion upon termination. To request a DPA, email info@clinicdesq.com.
19. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes:
- We will notify registered users via email at least 14 days before the changes take effect
- We will update the "Last updated" date at the top of this page
- For significant changes affecting data processing, we will seek renewed consent where required by applicable law
Continued use of the Platform after the effective date of changes constitutes acceptance of the updated policy. If you do not agree with the changes, you may close your account before the changes take effect and request deletion of your data.
© 2026 Tattva Pet Care Private Limited. All rights reserved.