What we collect.
Why we keep it.
How to take it back.

The data controller for Loki is wait, what. (Tobias Temmen), represented by Tobias Temmen, Zürich. Contact for all privacy questions: hello@loki.vet.

Loki is operated from Switzerland. Records are stored in the European Union (Supabase EU, Frankfurt). The full subprocessor list is on the Security page.

Three categories of personal data are processed:

• Account data. Email address (for magic-link sign-in), optional display name, locale preference, timestamps of sign-in events.
• Pet records you write. Pet name, species, breed, birthdate, weight, medical entries (visits, vaccinations, medications, notes), and any attachments you upload. You are the author and owner of this data.
• Operational data. Request IP address and user agent (security only, retained 90 days), magic-link tokens (expire on use or after 1 hour), session cookies (essential, no analytics), and audit-log entries (every consent change is logged).

We do not sell data. We do not run third-party analytics or ad pixels on signed-in surfaces. Vercel Speed Insights collects anonymous performance metrics only.

• Contract (revDPA Art. 31, GDPR Art. 6(1)(b)). To deliver the service you signed up for: storing your pet record, enabling sharing with caregivers and vets, sending the magic-link emails you request.
• Legitimate interest (GDPR Art. 6(1)(f)). Protecting the service against abuse, fraud, and unauthorised access. We log IPs and rate-limit auth endpoints.
• Consent (GDPR Art. 6(1)(a)). Optional features that require additional sharing or processing (vet sharing, AI-triage chat, analytics if you opt in) are only enabled when you give consent. You can revoke consent any time.
• Legal obligation (GDPR Art. 6(1)(c)). Responding to legitimate authority requests, retaining minimal audit logs to satisfy revDPA Art. 12 and GDPR Art. 30.

We use third parties to deliver the service. Each is a processor, contractually bound to act only on our instructions. The full list with regions and roles is at /security. Summary:

• Supabase (Frankfurt, EU) — primary database, auth, file storage.
• Vercel (EU origin, global edge CDN) — web hosting.
• Resend (Ireland, EU) — transactional email delivery (magic links, deletion confirmations).
• Stripe (Ireland, EU) — payments, only when you subscribe.
• Anthropic (EU + US) — AI-triage model, only when you turn it on. The single triage message you send is processed; no other records, no identifiers we would not share with your vet.
• Cal.com (EU) — vet appointment booking, only if you book.
• OpenRouter — vaccine-label image scan, only when you upload a vaccine label and ask for it to be parsed.

When we add a new subprocessor we update the /security page and notify you in-app at least 14 days before they go live.

• Account data. Until you delete your account. Deletion uses a 14-day soft-delete window per the account-deletion policy. After the window closes, your email and display name are pseudonymised; pet records are preserved to maintain continuity for co-caregivers who still hold the record.
• Pet records. Until you delete the pet, or until 7 years after the last activity (whichever is sooner) — this matches Swiss veterinary record-retention norms.
• Security logs. 90 days.
• Database backups. 30 days, encrypted at rest.
• Magic-link tokens. Expire on first use or after 1 hour, whichever comes first.

Under the Swiss revised Data Protection Act (revDPA, in force since 2023-09-01, Art. 25–28) and the EU General Data Protection Regulation (GDPR, Art. 15–21), you have these rights at no cost:

• Access. Request a copy of everything we hold about you. Available in-app at any time via Settings → Export.
• Rectification. Correct anything inaccurate. You can edit your own records directly; for the email address bound to your account, contact hello@loki.vet.
• Deletion. Delete your account from Settings. Deletion is final after the 14-day undo window.
• Portability. Receive your data in a structured machine-readable format. Same export path as access.
• Restriction + objection. Limit how we process your data or object to specific processing operations.
• Complaint. File a complaint with the EDÖB (Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter) in Switzerland, or your national EU data-protection authority.

Loki uses essential cookies only by default. These are the session cookie (signed-in identity) and a short-lived consent cookie (your locale and theme preference). No advertising cookies. No fingerprinting.

If you opt into product analytics (PostHog, EU-hosted), a pseudonymised user identifier and event payload are sent to PostHog. You can revoke this consent in Settings → Privacy at any time. Browser-level Do Not Track is honoured.

Loki is not directed at children under 16. If you are a parent or guardian and believe your child has signed up, contact hello@loki.vet and we will delete the account.

Material changes will be announced in-app and via email at least 14 days before they take effect. The full revision history of this page is in the public repository at github.com/thoughtful-toby/loki.