Specific Sections:

Notice to users in the European Economic Area and the United Kingdom (Section 10), and

Notice to Californian Residents (Section 11).

INTRODUCTION

VETPASS LLC (the entity that will collect and handle Your personal information if You are a user in the United States of America or any of its territories) and VETPASS LTD (the entity that will collect, handle and process Your Personal Data if You are a user in the United Kingdom, Canada, the European Economic Area (“EEA”) or elsewhere), both trading as VETPASS (each, as “VETPASS”, “We”, “Us” or “Our”), operate the “Websites and Applications” including the website, www.VETPASS.com and other related Websites and Applications, domains, subdirectories and Our Mobile Applications (iOS and Play Store) including VETPASS for Owners and VETPASS for Vets.

The “User” accessing or using Our Websites and Applications means “You”, “Your”, “Yours”, the “Owner”, “Responsible Person” (e.g., Farmer, Herd or Stable Employee, Manager or Owner), “Veterinarian” (veterinary; practice, surgeon, nurse, technician, administrative staff) or Animal Service Provider (e.g., walking, grooming, behavior, hoteling, or kenneling services).

Reference to “Animal” means patient, pet, animal, species, or group of any of the foregoing.

VETPASS provides “Services and Products” for Users through Our Websites and Applications. Services include:

User Accounts, Animal (and herd) registration and secure retention of all records in the cloud,

Information specific to Animal Breeds and Species tailored to each User,

Find a Local Veterinarian, Specialist or Animal Service,

Favorite a Veterinary Practice, automatically register and share Your Animal Records with the Veterinary Practice and its Veterinarians, or access and explore their services (participating Vets only, free for all Veterinarians to participate subject to usage. Services may require an existing Veterinary Client Patient Relationship (“VCPR”) and be limited by Your Veterinarian to not provide diagnosis, treatment, or a prescription. To establish a VCPR, a Vet must carry out within a reasonable period of prior time a “Clinical Examination” of the Animal. Summarized as a physical check of an Animal using all five senses, alternatively to have visited the farm, stables, location, etc.),

Connect, book, and hold online appointments with Your Favorited Veterinarians (participating Veterinarians only, free for all Veterinarians to participate subject to usage, may require a VCPR, and be limited by Your Veterinarian to not provide diagnosis, treatment, or a prescription). New Veterinarian registrations typically take 5 to 10 minutes and other New User registrations under 3 minutes,

Book in-clinic appointments with Your Favorited Veterinarians (participating Veterinarians only, free for all Veterinarians to participate subject to usage),

Free message chat with a Veterinarian (may require a Subscription subject to usage). This Service does not provide Clinical Advice (diagnosis, treatment, prescriptions), replace a VETPASS video or in-person appointment with a Veterinarian, or establish a VCPR,

Connect with Your Animal’s Breed/Species-specific Community of Owners to share photos, video experiences, and information. Over 1,000 Communities supported,

Information, email, text, and other electronic messaging between You and Our Websites and Applications, and for Veterinarians subject matter Forums and Continuing Professional Development and Education tools,

Competitions, Incentives, and Discounts which do not breach any Veterinary, Financial, Gaming, Trade or Competition Regulations applicable to VETPASS, and

Subscription Services to access combinations of the above in conjunction with Your Favorited Veterinarians.

And “Products” including:

“Insurance” and “Goods” (Ideas, Pet Food and Animal Feed) which are sold direct, introduced (e.g., Insurance), promoted, recommended, or compared through VETPASS Shop(s). We will always clarify in which capacity We provide these Products and will offer all Products in line with VETPASS’s regulatory responsibilities.

This Policy applies to Our use of all data collected by Us in relation to Our Websites and Applications, Services and Products.

The processing of Personal Data, such as the name, address, e-mail address, or telephone number of a Data Subject is in line with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and in accordance with other country-specific data protection regulations applicable to VETPASS. By means of this Policy, We would like to inform the public and Our Users of the nature, scope, and purpose of the Personal Data We collect, use, and process. Furthermore, Users are informed, by means of this Policy, of the rights to which they are entitled.

By accessing Our Websites and Applications, and Our Services and Products, You acknowledge and confirm that Your Personal Data may be processed in accordance with this Policy and that by accepting Our Terms and Conditions which incorporates Our Privacy Policy and Cookie Policy, You authorize VETPASS to process Your Personal Data and use Your Animal Records as set out herein.

Specifically, if You “Favorite” or “Star” a Veterinary Practice, You authorize Us on Your behalf (1) to automatically register You with that Veterinary Practice (participating Veterinarians only) and to share Your Personal Details (name, address, telephone number, email) and Your Animal Records with that Veterinary Practice, and (2) if You are already registered with that Veterinary Practice, to request on Your behalf the Animal Records from that Practice to also be held by VETPASS. If You do not wish this to happen, You should not “Favorite” or “Star” a Veterinary Practice.

Specifically, if You are a Veterinarian attached to a Veterinary Practice in Our Websites and Applications You agree that the Veterinary Practice Administrator may create an Account on Your behalf including Your Personal Details, and amend those records as required. You agree that it is Your responsibility to ensure those details are correct. VETPASS does not accept any responsibility for the creation of Your Account or any amendments. You may disassociate Yourself from the Veterinary Practice in Your App and connect to another Practice.

DATA SECURITY

We and Our service providers have implemented measures designed to secure Your personal information from unintentional loss and from unauthorized access, use, alteration, and disclosure. We believe We have taken reasonable precautions necessary to maintain security for all Users of Our Websites and Applications.

The safety and security of Your information also depend on You. Where You have chosen a password or any other piece of information for access to certain parts of Our Websites and Applications, You are responsible for keeping this information confidential. You also acknowledge that Your account is personal to You and agree not to provide any other person access. You agree to notify Us immediately of any unauthorized access or any other breach of security. You should use more caution when accessing Websites and Applications from a public or shared computer or internet connection so that others are not able to view or record Your password or other personal information.

Ultimately, the transmission of information via the Internet is not completely secure. Although We take reasonable precautions to protect Your personal information, We cannot guarantee the security of information transmitted to or stored on Our Websites and Applications. Any transmission or storage of information is at Your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Websites and Applications.

You authorize the Veterinarians (veterinary; surgeons, nurses, technicians, and practice administrative staff) You connect with, and VETPASS, to process and where required release, the Animal Records and Personal Data obtained from Your registration and the provision of Our Services, and the care of Your Animal. You consent that this release includes Your Animal’s primary Veterinarian. VETPASS will only seek to share what it considers is the minimum information necessary.

You agree that We may share Your User Account details, Animal Records, and the information You provide to Us, to Our Veterinarians including Your Favorited Veterinarians or any Veterinarians that have provided You with a Service.

In certain circumstances, We and/or Veterinarians may be required by law or regulation to disclose certain information that You provide or about Your Animal. This includes, but is not limited to, the event that there is a suspicion of Animal abuse (including neglect) or any illegal or criminal activity.

You hereby consent to VETPASS obtaining directly, Your Animal Records from Your Favorited or Primary Veterinarian.

You hereby consent to Our storage of Your Animal’s Records in VETPASS’s system or distributed to Your Favorited Veterinarians, emergency, or specialist referral Services at Your request in the event Your Animal might need emergency care at a time when Your primary or Favorited Veterinarians may not be available.

VETPASS reserves the right at Our exclusive discretion to remove the records where You have not used a Service in the previous eighteen-month period. If We do exercise that right, We will give You three months’ notice by email prior to the end of the minimum 21-month period.

If You are entitled to free or subsidized Services through Your Insurer, Employer, or Group Membership, We will share with them the details of the Service, Your name, contact details, and policy or membership number to assist in reimbursement.

You agree VETPASS may use Pseudo-Anonymized Data (“De-identified Data”) as defined in the various European Data Protection Acts in the improvement of Our Services and in the development of Our business with third parties.

WHAT WE COLLECT AND RETAIN

Without limitation We may collect any of the following data and store it in Your Account and on Our Servers from time to time:

Browsing information via cookies, links, and similar and technical information including Your internet connection details from Your mobile phone or another device, Your mobile device’s unique ID, the App and Website and Applications IP address; mobile or web browser type and version, time zone setting, operating system type and version, login information, and Your location, while using Our Websites and Applications,

Personal Data on registration meaning information relating to an identified or identifiable natural person (“Data Subject”) including directly or indirectly, by reference to an identifier such as name, email, telephone number, address, date of birth, gender, and location, and

Animal Records including all information You provide, and We collect directly or indirectly about Your Animal. This includes information from the use of Our Websites and Applications and the provision of Our Services and Products including User Accounts and Animal Records Registration and Retention, Find, Favorite and Register with a Local Vet, Online Message Chat with a Veterinarian, Access, appointment booking and Appointments with Your Local Vet, Connect with Your Community of Owners, Shop and for Veterinarians; a complete online consultation tool, vet forums and CPD modules (collectively the “Services”).

Other Information provided to Us by You or Your Veterinarians stored in Your Animal Records concerning the current and historical care of Your Animal.

We do not request or store, and You should not provide Sensitive Personal Data revealing; racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or sex life and sexual orientation, genetic data, or biometric data.

We will only collect, process, and store Personal Data where We have lawful bases. Lawful bases include “consent” (where You have given consent express or implied), “contract” (where processing is necessary for the performance of a Service with You (e.g., to deliver Services or Products You have requested), and “legitimate interests.”

Any Personal Data and Animal Records We collect, You provide, or store in Your Account will be collected, used, and held in accordance with Our Data Retention Policy and Our Contract with You set out in Our Terms and Conditions.

Where We rely on Your consent to process Personal Data, You have the right to withdraw or decline Your consent at any time and where We rely on legitimate interests, You have the right to object. If You have any questions about the lawful bases upon which We collect and use Your Personal Data, please contact Our Data Protection Officer at [email protected]. This Clause does not affect Our right to process Your Personal Data in De-identified form.

If You wish to close Your Account, You may do so at any time, contacting Us by email. Closing Your Account will result in the removal of Your access to Your Records. It will not remove any information We have already collected which We are required to maintain in line with Our Data Retention Policies, best practices, the relevant Data Protection Regulations, and to be used in De-identified form.

All Personal Data is stored securely in accordance with the relevant UK and European Data Protection Acts, including compliance with GDPR.

We do not store any credit or debit card information on Our Servers. Payments are processed via a third-party payment provider that is fully compliant with Level 1 Payment Card Industry (PCI) data security standards. Any payment transactions are encrypted using SSL technology.

We store and process all data on Secure Servers located in the United Kingdom in compliance with the UK and European Data Protection Standards and the California Consumer Privacy Act (CCPA).

We may on occasion process Your Personal Data and Animal Records outside the UK, European Union, and/or the United States. Where We do process Data outside of these regions, Your Personal Data will be processed in line with Your local data protection and security regulations.

VETPASS reserves the right to remove access to Your User Account and/or Animal Record and/or to remove Your User Account and/or Animal Record from Our Servers or to levy a charge to maintain access to Your Account or Animal Record. This does not affect any of Your statutory rights to access information VETPASS holds about You including Your Personal Data.

HOW WE PROCESS YOUR DATA

We use information held about You to:

Provide Our products and services,

communicate with You including transmission by Website and Applications alerts, texts and similar messages and email, to provide Our Products and Services,

distribute transactional, information and promotional material including communication via market research using email, text, alert, post, or other forms of distribution subject to Your consent which can be withdrawn at any time by contacting Us or unsubscribing,

provide such information to any member of Our group, Our Affiliates, business partners, suppliers, and sub-contractors where reasonable or necessary in relation to the provision of Our Services and Products including the provision of Your User Account and Animal Record information to Our and Your Veterinarians, and suppliers or subcontractors used in relation to Our Websites and Applications,

process Your Orders (including payment) for Products and Services,

make disclosures as required by or in compliance with reasonable requests by regulatory bodies including the relevant Veterinary Governing bodies or as otherwise required by law or regulation or to enforce or apply Our Terms and Conditions. VETPASS will endeavor to protect Your privacy always from these requests,

if You have a valid Subscription or are eligible for free or subsidized Services to assist in the payment for those Services with Your Insurer, Employer, or Member Group,

to provide information to other veterinarians such as Your primary vet or a specialist,

to assist in the detection of fraud or management of credit which may require Us to disclose Personal Data,

to review and improve Our Services and Products including the operation of Our Websites and Applications and for internal operations, including troubleshooting, data analysis, testing, statistical and survey purposes,

to inform You of new products and/or services available from VETPASS. You may request that We stop sending You this information at any time,

as De-identified Data for analysis purposes including research, and marketing of VETPASS and Our Services and Products to You,

to our clients regarding the use of the Website and Applications by their employees and representatives,

to a buyer or other successor in the event of a merger, reorganization, dissolution, or other sale or transfer of some or all of VETPASS’s assets, in which personal information held by VETPASS about our Websites and Applications is among the assets transferred,

to fulfill the purpose for which You provide it,

for any other purpose disclosed by Us when You provide the information, and,

with Your consent.

We may disclose or share Your data to protect the rights, property, or safety of VETPASS and Our Veterinarians or the Animal in Your care, customers, insurers, or others.

ACCESSING AND CONTROLLING YOUR OWN DATA

You have the right to ask for a copy of Your User Account and Animal Records held by VETPASS.

Wherever You are required to submit data for marketing purposes You will be given options to restrict Our use of that data. This may include the use of data for direct marketing purposes and sharing data with third parties.

You have the right to seek from VETPASS the rectification of inaccurate Personal Data. If the data We hold about You is incorrect, please contact Us.

You have the right to be forgotten in certain circumstances as provided for under Article 17 of the GDPR (https://gdpr-info.eu/art-17-gdpr). This right will always be balanced with the VETPASS requirement to retain data for legal and regulatory reasons.

If You are a Californian Citizen, You also have the rights set out in the California Consumer Privacy Act (CCPA), see below.

Our Website and Applications contain information that enables a quick electronic contact to VETPASS as well as direct communication with Us, which also includes a general e-mail address. If a Data Subject contacts VETPASS by e-mail or via a contact form, the Personal Data transmitted by the Data Subject are automatically stored. Such Personal Data transmitted on a voluntary basis by a Data Subject to VETPASS are stored for the purpose of processing or contacting the Data Subject. Your Personal Data may be stored in a third-party marketing management platform to facilitate the delivery of marketing emails and materials to You.

THIRD-PARTY WEBSITES AND APPLICATIONS AND SERVICES

Our Websites and Applications can contain links to other independent or third-party Websites and Applications, which are not under Our control. This Policy does not extend to Your use of such Websites and Applications. Users are advised to read the privacy policy and terms and conditions of other Websites and Applications prior to using them.

VETPASS may, from time to time, employ the services of other parties for dealing with matters that may include but are not limited to, payment processing, delivery of purchased items, search engine facilities, advertising, and marketing. Any data used by such parties is used only to the extent required by them to perform the services that VETPASS requests. Any use for other purposes is strictly prohibited. Any data that is processed by third parties is processed within the terms of this Policy and in accordance with the appropriate Data Protection Requirements relevant to Your location.

SUBSCRIPTIONS TO EMAILS, NOTIFICATIONS, BLOGS, WEBINARS, AND OTHER MARKETING MATERIALS

Our Websites and Applications contain information that enables a quick electronic contact to VETPASS as well as direct communication with Us, which also includes a general e-mail address. If a Data Subject contacts VETPASS by e-mail or via a contact form, the Personal Data transmitted by the Data Subject is automatically stored. Such Personal Data transmitted on a voluntary basis by a Data Subject to VETPASS is stored for the purpose of processing or contacting the Data Subject. Your Personal Data may be stored in a third-party marketing management platform to facilitate the delivery of marketing emails and materials to You. When You register with Us, We send You a confirmation e-mail which is Our Proof that the owner of the e-mail address is the Data Subject.

The database(s) storing the list of Users resides on systems within the United Kingdom.

Our marketing emails contain so-called tracking pixels. A tracking pixel is a miniature graphic embedded in e-mails, which are sent in HTML format to enable log file recording and analysis. This allows a statistical analysis of the success or failure of online marketing campaigns. Based on the embedded tracking pixel, VETPASS may see when an e-mail was opened by a Data Subject, and which links in the e-mail were called up by Data Subjects.

Such Personal Data collected in the tracking pixels contained in the emails are stored and analyzed by the Data Controller to optimize the delivery of the emails, as well as to adapt the content of future marketing messages to the interests of the Data Subject. This Personal Data will not be passed on to third parties. Data Subjects are at any time entitled to revoke their consent issued by means of the opt-out procedure. After a revocation, the user’s information will be marked to be unsubscribed from any marketing messages or notifications. VETPASS automatically regards a withdrawal from the receipt of the marketing messages as a revocation.

COMMUNICATIONS FROM VETPASS

If VETPASS has Your contact details, VETPASS may from time to time send You important notices by email. Such notices may relate to matters including, but not limited to, service changes and changes to these Policies.

VETPASS will never send You marketing emails of any kind without Your consent. If You do give such consent, You may opt-out at any time. All marketing emails sent by VETPASS include an unsubscribe link. If You opt-out of receiving emails from VETPASS at any time, it may take up to seven business days for Your new preferences to take effect.

CONTACT OR COMPLAINTS

If You are a user in the United States of America or any of its territories and wish to contact VETPASS with general questions please email: [email protected] or write to Us at VETPASS LLC, 5660 Strand Court, Unit #A140, Naples, 34110 FL.

In the UK, EEA, or elsewhere with general questions please email: [email protected] or write to Us at VETPASS LTD, 71-75 Shelton Street, London, Greater London, WC2H 9JQ.

All complaints are handled in accordance with Our Complaints Handling Policy available from Us on request.

If You have a Complaint about Data Protection and Privacy You can also lodge a complaint with Your national Data Protection Commissioner or National Equivalent at any stage if You are of the view that any of Your rights have been breached.

NOTICE TO USERS IN THE EUROPEAN ECONOMIC AREA AND THE UNITED KINGDOM

As the Controller, VETPASS has implemented numerous technical and organizational measures to ensure the protection of Personal Data processed through Our Website and Applications. However, Internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed. For this reason, every Data Subject is free to transfer Personal Data to Us via alternative means, e.g., by telephone.

DEFINITIONS

The Policy of VETPASS is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). To improve understanding, We would like to first explain the terminology used herein.

In this Policy, We use, inter alia, the following terms:

Personal Data

Personal Data means any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Data Subject

Data Subject is any identified or identifiable natural person, whose Personal Data is processed by the Controller responsible for the processing.

Processing

Processing is any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Restriction of processing

Restriction of processing is the identification of stored Personal Data with the aim of limiting its processing in the future.

Profiling

Profiling means any form of automated processing of Personal Data to evaluate certain personal aspects relating to a natural person, to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Pseudonymization

Pseudonymization is the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the Personal Data is not attributed to an identified or identifiable natural person.

Controller or Data Controller responsible for the processing

Controller or Data Controller responsible for the processing is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

Processor

Processor is a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.

Recipient

The recipient is a natural or legal person, public authority, agency, or another body, to which the Personal Data is disclosed, whether a third party or not.

Third-party

Third-party is a natural or legal person, public authority, agency, or body other than the Data Subject, Controller, processor, and persons who, under the direct authority of the Controller or processor, are authorized to process Personal Data.

Consent

Consent of the Data Subject is any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.

NAME AND ADDRESS OF THE CONTROLLER AND DATA PROTECTION OFFICER

Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:

Damian Kissane, VETPASS LTD, 71-75 Shelton Street, LONDON WC2H 9JQ

Email: [email protected]

Name and Address of the Data Protection Officer

The Data Protection Officer of the Controller is:

Damian Kissane, VETPASS LTD, 71-75 Shelton Street, LONDON WC2H 9JQ

Email: [email protected]

Any Data Subject may, at any time, contact our Data Protection Officer directly with all questions and suggestions concerning data protection.

ROUTINE ERASURE AND BLOCKING OF PERSONAL DATA

The Data Controller shall process and store the Personal Data of the Data Subject only for the period necessary to achieve the purpose of storage, or as far as this is granted by the European legislator or other legislators in laws or regulations to which the Controller is subject.

If the storage purpose is not applicable, or if a storage period prescribed by the European legislator or another competent legislator expires, the Personal Data are routinely blocked or erased in accordance with legal requirements.

RIGHTS OF EEA DATA SUBJECTS

Right of confirmation

Each Data Subject shall have the right granted by the European legislator to obtain from the Controller the confirmation as to whether Personal Data concerning him or her are being processed. If a Data Subject wishes to avail himself of this right of confirmation, he or she may, at any time, contact our Data Protection Officer.

Right of access

Each Data Subject shall have the right granted by the European legislator to obtain from the Controller free information about his or her Personal Data stored at any time and a copy of this information. Furthermore, the European directives and regulations grant the Data Subject access to the following information:

The purposes of the processing,

the categories of Personal Data concerned,

the recipients or categories of recipients to whom the Personal Data have been or will be disclosed, recipients in third countries or international organizations,

where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period,

the existence of the right to request from the Controller rectification or erasure of Personal Data, or restriction of processing of Personal Data concerning the Data Subject, or to object to such processing,

the existence of the right to lodge a complaint with a supervisory authority,

where the Personal Data are not collected from the Data Subject, any available information as to their source, and

the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the Data Subject.

Furthermore, the Data Subject shall have a right to obtain information as to whether Personal Data are transferred to a third country or to an international organization. Where this is the case, the Data Subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

If a Data Subject wishes to avail himself of this right of access, he or she may at any time contact our Data Protection Officer.

Right to rectification

Each Data Subject shall have the right granted by the European legislator to obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning him or her. Considering the purposes of the processing, the Data Subject shall have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.

If a Data Subject wishes to exercise this right to rectification, he or she may, at any time, contact our Data Protection Officer.

Right to erasure (Right to be forgotten)

Each Data Subject shall have the right granted by the European legislator to obtain from the Controller the erasure of Personal Data concerning him or her without undue delay, and the Controller shall have the obligation to erase Personal Data without undue delay where one of the following grounds applies if the processing is not necessary:

The Personal Data is no longer necessary in relation to the purposes for which they were collected or otherwise processed,

the Data Subject withdraws consent on which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing,

the Data Subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the Data Subject objects to the processing pursuant to Article 21(2) of the GDPR,

the Personal Data has been unlawfully processed,

the Personal Data must be erased for compliance with a legal obligation in European Union or Member State law to which the Controller is subject, and

the Personal Data has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

If one of the reasons applies, and a Data Subject wishes to request the erasure of Personal Data stored by VETPASS, he or she may at any time contact our Data Protection Officer, who shall promptly ensure that the erasure request is complied with.

Where the Controller has made Personal Data public and is obliged pursuant to Article 17(1) to erase the Personal Data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other Controllers processing the Personal Data that the Data Subject has requested the erasure by such Controllers of any links to, or copy or replication of, those Personal Data, as far as processing is not required. Our Data Protection Officer will arrange the necessary measures in individual cases.

Right of restriction of processing

Each Data Subject shall have the right granted by the European legislator to obtain from the Controller restriction of processing where one of the following applies:

the accuracy of the Personal Data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the Personal Data,

the processing is unlawful, and the Data Subject opposes the erasure of the Personal Data and requests the restriction of their use instead,

the Controller no longer needs the Personal Data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise, or defense of legal claims, and

the Data Subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification of whether the legitimate grounds of the Controller override those of the Data Subject.

If one of the conditions is met, and a Data Subject wishes to request the restriction of the processing of Personal Data stored by VETPASS, he or she may at any time contact our Data Protection Officer, who will arrange the restriction of the processing.

Right to data portability

Each Data Subject shall have the right granted by the European legislator, to receive the Personal Data concerning him or her, which was provided to a Controller, in a structured, commonly used, and machine-readable format. He or she shall have the right to transmit those data to another Controller without hindrance from the Controller to which the Personal Data has been provided, as long as the processing is based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR, or on a contract pursuant to point (b) of Article 6(1) of the GDPR, and the processing is carried out by automated means, as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

Furthermore, in exercising his or her right to data portability pursuant to Article 20(1) of the GDPR, the Data Subject shall have the right to have Personal Data transmitted directly from one Controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.

To assert the right to data portability, the Data Subject may at any time contact our Data Protection Officer.

Right to object

Each Data Subject shall have the right granted by the European legislator to object, on grounds relating to his or her situation, at any time, to processing of Personal Data concerning him or her, which is based on point (e) or (f) of Article 6(1) of the GDPR. This also applies to profiling based on these provisions.

VETPASS shall no longer process the Personal Data in the event of the objection unless We can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject, or for the establishment, exercise, or defense of legal claims.

If VETPASS processes Personal Data for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of Personal Data concerning him or her for such marketing. This applies to profiling to the extent that it is related to such direct marketing. If the Data Subject objects to VETPASS to the processing for direct marketing purposes, VETPASS will no longer process the Personal Data for these purposes.

In addition, the Data Subject has the right, on grounds relating to his or her situation, to object to the processing of Personal Data concerning him or her by VETPASS for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

To exercise the right to object, the Data Subject may directly contact the VETPASS Data Protection Officer. In addition, the Data Subject is free in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to use his or her right to object by automated means using technical specifications.

Automated individual decision-making, including profiling

Each Data Subject shall have the right granted by the European legislator not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, as long as the decision (1) is not necessary for entering into, or the performance of, a contract between the Data Subject and a data Controller, or (2) is not authorized by European Union or Member State law to which the Controller is subject, and which also lays down suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests, or (3) is not based on the Data Subject’s explicit consent.

If the decision (1) is necessary for entering into, or the performance of, a contract between the Data Subject and a data Controller, or (2) it is based on the Data Subject’s explicit consent, VETPASS shall implement suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express his or her point of view and contest the decision.

If the Data Subject wishes to exercise the rights concerning automated individual decision-making, he or she may at any time directly contact the VETPASS Data Protection Officer.

Right to withdraw data protection consent

Each Data Subject shall have the right granted by the European legislator to withdraw his or her consent to the processing of his or her Personal Data at any time.

If the Data Subject wishes to exercise the right to withdraw the consent, he or she may at any time directly contact the VETPASS Data Protection Officer.

Legal basis for the processing

Art. 6(1) lit. a GDPR serves as the legal basis for processing operations for which We obtain consent for a specific processing purpose. If the processing of Personal Data is necessary for the performance of a contract to which the Data Subject is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service, the processing is based on Article 6(1) lit. b GDPR. The same applies to such processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services. If our company is subject to a legal obligation by which processing of Personal Data is required, such as for the fulfillment of tax obligations, the processing is based on Art. 6(1) lit. c GDPR. In rare cases, the processing of Personal Data may be necessary to protect the vital interests of the Data Subject or of another natural person. This would be the case, for example, if a visitor were injured in our company and his or her name, age, health insurance data, or other vital information would have to be passed on to a doctor, hospital, or other third parties. Then the processing would be based on Art. 6(1) lit. d GDPR. Finally, processing operations could be based on Article 6(1) lit. f GDPR. This legal basis is used for processing operations that are not covered by any of the abovementioned legal grounds, if the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data. Such processing operations are particularly permissible because they have been specifically mentioned by the European legislator. The legislator considered that a legitimate interest could be assumed if the Data Subject is a client of the Controller (Recital 47 Sentence 2 GDPR).

The legitimate interests pursued by the Controller or by a third-party

Where the processing of Personal Data is based on Article 6(1) lit. f GDPR our legitimate interest is to carry out our business in favor of the well-being of all our employees and the shareholders.

Period for which the Personal Data will be stored

The criterion used to determine the period of storage of Personal Data is the respective statutory retention period. After the expiration of that period, the corresponding data is routinely deleted, if it is no longer necessary for the fulfillment of the contract or the initiation of a contract.

Provision of Personal Data as a statutory or contractual requirement; Requirement necessary to enter a contract; Obligation of the Data Subject to provide the Personal Data; possible consequences of failure to provide such data

We clarify that the provision of Personal Data is partly required by law (e.g., tax regulations) or can also result from contractual provisions (e.g., information on the contractual partner).

Sometimes, to conclude a contract, it may be necessary that the Data Subject provides Us with Personal Data, which must subsequently be processed by Us. The Data Subject is, for example, obliged to provide Us with Personal Data when VETPASS signs a contract with him or her. The non-provision of the Personal Data would have the consequence that the contract with the Data Subject could not be concluded.

Before Personal Data is provided by the Data Subject, the Data Subject must contact our Data Protection Officer. Our Data Protection Officer clarifies to the Data Subject whether the provision of the Personal Data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the Personal Data and the consequences of non-provision of the Personal Data.

Existence of automated decision-making

As a responsible company, We do not use automatic decision-making or profiling (see above for definition).

Payments and GDPR

We collect and store Your service usage and transactional information to enable You to view certain details of all Your transactions that have been made using our services, to provide You uninterrupted and satisfactory services, to administer our relationship with You, to comply with any statutory or regulatory requirement, and to monitor Your use of our services for the purposes of ensuring compliance with our user rules.

Combinations of the information collected as mentioned in this Privacy Policy, such as name, email address, telephone and company name, when coupled with information which is not Personal Information, such as speed of typing, the maximum screen area usage, and other patterns and data, help Us detect and protect Users and ourselves against errors, fraud, or other criminal activity.

NOTICE TO CALIFORNIA RESIDENTS

This notice supplements the Privacy Policy and applies only to California, United States of America residents. This notice sets forth the disclosures and rights for California consumers regarding their personal information, as required by the California Consumer Privacy Act (“CCPA”). Terms used in this California Privacy Notice have the same meanings given in the CCPA and the regulations of the Attorney General implementing the CCPA unless otherwise defined.

Outlined below are the categories of information that We collect from California residents (in general terms), the sources of the information, the purposes for which the information is used, and the categories of third parties to whom We disclose the information for business purposes (and information on how to opt-out).

The CCPA defines personal information (“Personal Information”) as information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.

The following are the categories of Personal Information that We have collected from our users over the last 12 months (and examples of the types of information those include), the categories of sources from which that information was collected, the business or commercial purpose(s) for which the information was collected, the categories of third parties with whom We disclose the information for a business purpose, and the categories of third parties to whom this type of personal information is sold. Note, We do not sell personal information to any third parties.

The Personal Information We collect about You will depend upon how You use our Website and Applications, Services and Products, or otherwise interact with Us. Accordingly, We may not collect all the below information about You. We may also collect and/or use additional types of information after providing notice to You before collection and obtaining Your consent (to the extent such notice and consent are required by the CCPA). The following are examples of Personal Information We may collect as categorized by the CCPA:

Identifiers (Name, postal address and previous addresses, phone numbers),

customer records information (Signature, Social Security Number, Driver’s License Number, Account password),

characteristics of protected classifications under California or US Federal Law,

commercial information,

product interest, purchase history,

biometric information (we do not collect biometric information),

internet or other electronic network activity information,

browsing data while on the website, IP address used to access the website, cookie information (see our Cookie Policy),

geolocation data,

audio, electronic, visual, thermal, olfactory, or similar information (we may record consultations and message exchanges with Veterinarians),

professional or employment-related information (Veterinarians),

professional certifications and dates (specializations and advanced practitioner), work history, interests (Bio),

education information,

inferences: such as preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes (we do not collect this type of information) and

animal ownership.

CCPA Rights to Access and Deletion and “Do Not Sell” Rights

California residents have the right to know what Personal Information We collect, use, disclose, and sell. Additionally, California residents have the right to request that We provide the specific pieces of Personal Information We have collected about You in the prior 12 months, and You have the right to ask Us to delete the Personal Information We collect about You (“Right to Know” and “Right to Delete”), with some exceptions set forth in the CCPA. Note, We do not sell consumer data to third parties.

California residents also have the right to opt out from the sale of their Personal Information. These rights are also subject to limitations, such as when a company retains data to comply with its own legal obligations. You will not be required to create an account with Us to submit a request. If We do not receive adequate proof that the agent is authorized to act on Your behalf, We may deny the request.

Right to Access and Making a Request

When You request access to the Personal Information We have collected or request deletion of Your Personal Information, We will provide the requested information within 45 days. You will be notified within that time if We need additional time to process Your request. When You opt-out from the sale of Your Personal Information, We will affirm Your request as soon as feasibly possible, typically no later than 15 days from the date the request is received.

To request the specific pieces of Personal Information We have collected about You in the prior 12 months, send a message to [email protected]. You will be provided the requested information up to two times in a twelve-month period. Unfounded, repetitive, or excessive requests may be declined.

Verifying Requests to Access

We will take steps to verify Your identity to fulfill Your request. We will verify Your email address is active and We will take steps to verify the information You provide to Us. To verify Your identity, We will request the following pieces of information: Your name, email address, and ZIP code.

Right to Deletion

The CCPA provides the right to request the deletion of personal information collected about You and for Us to direct service providers to do the same (with some exceptions listed in the CCPA).

In response to a deletion request, We may erase some information and may de-identify some information. To de-identify information, We use technical safeguards and business processes that prevent re-identification. Business processes prevent the inadvertent release of de-identified information, and no attempt will be made to re-identify information.

Making a Request

For California residents to submit a request for deletion, please send an email to [email protected].

Verifying Requests to Delete

To safeguard against fraudulent requests, after submitting Your request We will take steps to confirm that You want Your information deleted.

To verify Your identity, We will request You provide: name, email address, and ZIP code. If We are unable to verify Your identity (or the identity of someone submitting a request on Your behalf) We will not delete the information.

Right to Opt-Out

The CCPA provides the right to opt out of the sale of Your personal information. VETPASS does not engage in online advertising practices that could be considered ‘sales’ under the CCPA via the collection of cookies, mentioned above.

Users under the age of 16

VETPASS does not knowingly collect the personal information of children under the age of 16.

Right to Non-Discrimination for the Exercise of a Consumer’s Privacy Rights

California residents have the right to not receive discriminatory treatment for exercising CCPA rights. VETPASS will not discriminate against You for exercising Your CCPA rights.

More Information

For more information, You can email Us at [email protected] or write to Us at VETPASS LLC, Attn: Marketing, 5660 Strand Court, Unit A#140, Naples, FL 34110.

Other California Privacy Rights

Further to California Civil Code Section 1798.83, California residents who provide Us with personal information (as covered by California’s Civil Code Section 1798.83), have the right to request and obtain from Us one time per calendar year, information about the customer information We shared, if any, with third parties for their own direct marketing purposes during the preceding year. If applicable this information would include the categories of customer information and the names and addresses of those businesses with which We shared customer information for the immediately preceding calendar year.

If You wish to obtain this information from Us and are a California resident, please email or write to Us at the following address: VETPASS LLC, Attn: Marketing, 5660 Strand Court, Unit #A140, Naples, Florida 34110 or [email protected]. Include ‘Your California Privacy Rights’ in the subject field of Your email or include it in Your writing if You choose to write to Us at the above mailing address. Please also include Your name; street address; city; state; and ZIP code. Please note, We are not responsible for notices that are not labeled, or sent properly, or do not have complete information.

VERSION, REVISIONS, AND DATE

We may revise and update this Policy from time to time at Our sole discretion. All changes are effective immediately. Acceptance of this Privacy Policy and of Our Cookie Policy is incorporated by reference into acceptance of Our Terms and Conditions.

This Privacy Policy is dated 26th April 2021 and should be read with Our Terms and Conditions and Cookie Policy dated 26th April 2021.

© VETPASS. All rights reserved.