Privacy & Cookie Policy
Last updated: April 2026
This Privacy & Cookie Policy explains how Kozelot Vet, operated by Kozelot EOOD ("we", "us", "our"), collects, uses, and protects your personal data when you use our Service. We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR).
1. Data Controller
The data controller for personal data processed through Kozelot Vet is Kozelot EOOD, registered at [Company Address], Republic of Bulgaria. Contact: support@kozelot.com.
2. Data We Collect
We collect: (a) Account data - your email address and hashed password; (b) Clinic data - clinic name, address, and business details you provide; (c) Clinical records - patient, owner, appointment, and medical data you enter (processed on your behalf as data processor under GDPR Art. 28); (d) Usage data - pages visited, actions taken, and session information for analytics; (e) Communications - messages sent via our contact form.
3. How We Use Your Data
We use your data to: provide and operate the Service; send transactional emails (account verification, password reset, billing notices); improve the Service through anonymised usage analytics; respond to support requests; and comply with legal obligations. Our legal bases are contract performance (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR), and legal obligation (Art. 6(1)(c) GDPR).
4. Cookies and Analytics
We use Google Analytics 4 (GA4) to understand how users navigate the Service. GA4 sets cookies and collects anonymised usage data including pages visited, session duration, and approximate location. This data is processed by Google LLC. You can opt out of Google Analytics tracking at any time using the Google Analytics Opt-out Browser Add-on available at tools.google.com/dlpage/gaoptout.
5. Data Sharing and Third Parties
We share data only with the following third-party processors: Google LLC (Google Analytics - usage analytics); Cloudinary Inc. (file and image hosting); Stripe Inc. (payment processing); Brevo / Sendinblue (transactional email delivery). We do not sell your personal data to any third party.
6. Data Retention
Account and clinic data is retained for the duration of your subscription plus 30 days after cancellation, after which it is permanently deleted. You may request early deletion by contacting us. Backup copies may persist for up to 90 days after deletion.
7. Your Rights Under GDPR
As a data subject under GDPR, you have the right to: access your personal data; rectify inaccurate data; erase your data ("right to be forgotten"); restrict or object to processing; data portability; and lodge a complaint with a supervisory authority. In Bulgaria, the supervisory authority is the Commission for Personal Data Protection (CPDP) - www.cpdp.bg. To exercise any of these rights, contact us at support@kozelot.com.
8. International Data Transfers
Some third-party service providers may process data outside the EU/EEA. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission or an adequacy decision.
9. Changes to This Policy
We may update this Privacy & Cookie Policy periodically. We will notify you of significant changes by email. The "last updated" date at the top of this page reflects the most recent revision.
10. Contact
For privacy-related questions or to exercise your GDPR rights, contact us at support@kozelot.com.