Last updated: March 2026

GDPR Policy

This policy outlines how Smartchainers Private Limited, operating as PetCare.AI (a PetON Company), complies with the General Data Protection Regulation (GDPR) for users located in the European Economic Area (EEA) and the United Kingdom. This policy supplements our Privacy Policy with GDPR-specific information.

1. Data Controller Information

The data controller responsible for your personal data is:

Smartchainers Private Limited

Operating as PetCare.AI — A PetON Company

Registered in: Chennai, Tamil Nadu, India

Website: petcare.ai

Contact: contact@smartchainers.com

As a company based in India that processes personal data of individuals in the EEA, we are committed to complying with the GDPR and ensuring that your data is handled with the highest level of care and transparency.

2. Legal Basis for Processing

Under the GDPR, we must have a valid legal basis for processing your personal data. We rely on the following bases depending on the processing activity:

Processing Activity	Legal Basis
Account creation and management	Contractual necessity (Art. 6(1)(b))
AI health analysis by Rio	Explicit consent (Art. 6(1)(a), Art. 9(2)(a))
Vet directory and appointment booking	Contractual necessity (Art. 6(1)(b))
Pet health record storage	Consent and contractual necessity
Service improvement and analytics	Legitimate interests (Art. 6(1)(f))
Marketing communications	Consent (Art. 6(1)(a))
Security and fraud prevention	Legitimate interests (Art. 6(1)(f))
Legal obligations compliance	Legal obligation (Art. 6(1)(c))

Where we process special categories of data (such as health-related pet data that may indirectly reveal information about you), we obtain your explicit consent in accordance with Article 9 of the GDPR.

3. Types of Personal Data Processed

We process the following categories of personal data:

3.1 Identity Data

Full name, email address, phone number
Profile photograph (if provided)
Account credentials (password stored in hashed form only)

3.2 Pet Data

Pet name, species, breed, age, weight, and sex
Health history, vaccination records, and medical notes
Photos submitted for AI analysis

3.3 Health Interaction Data

Symptom descriptions and health queries submitted to Rio
AI-generated triage results and urgency classifications
Consultation records and veterinary notes

3.4 Technical Data

IP address and approximate geolocation
Device type, operating system, and browser information
Session data, cookies, and usage logs

3.5 Transaction Data

Appointment booking records
Payment transaction metadata (full payment details are handled by third-party processors)

4. Data Subject Rights

Under the GDPR, you have the following rights regarding your personal data. We are committed to honouring these rights in a timely and transparent manner.

4.1 Right of Access (Art. 15)

You have the right to request confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about how it is processed, the purposes, the categories of data, and the recipients.

4.2 Right to Rectification (Art. 16)

You have the right to request correction of inaccurate personal data and to have incomplete data completed. You can update most of your information directly through your account settings.

4.3 Right to Erasure (Art. 17)

You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when the data has been unlawfully processed. This right is subject to certain exceptions, such as legal retention obligations.

4.4 Right to Restriction of Processing (Art. 18)

You may request restriction of processing when you contest the accuracy of your data, when processing is unlawful but you oppose erasure, when we no longer need the data but you require it for legal claims, or when you have objected to processing pending verification.

4.5 Right to Data Portability (Art. 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV) and to transmit that data to another controller. This applies to data processed based on consent or contractual necessity through automated means.

4.6 Right to Object (Art. 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease processing immediately. For other objections, we will cease processing unless we demonstrate compelling legitimate grounds.

4.7 Right Not to Be Subject to Automated Decision-Making (Art. 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. See Section 9 for details on how this applies to Rio's AI health analysis.

5. How to Exercise Your Rights

To exercise any of your data subject rights:

Email: Send your request to contact@smartchainers.com with the subject line "GDPR Data Request"
Identity Verification: We may ask you to verify your identity before processing your request to protect your data from unauthorised access
Response Time: We will respond to your request within 30 days. If your request is complex or we receive many requests, we may extend this by a further 60 days, and we will inform you of the extension within the initial 30-day period
No Fee: Exercising your rights is free of charge. However, we may charge a reasonable fee for manifestly unfounded or excessive requests

When submitting a request, please include:

Your full name and the email address associated with your PetCare.AI account
A clear description of the right you wish to exercise
Any relevant details to help us locate and process your request efficiently

6. Data Protection Officer

We have designated a Data Protection Officer (DPO) to oversee our GDPR compliance and handle data protection matters.

Data Protection Officer

Smartchainers Private Limited

Chennai, Tamil Nadu, India

Email: contact@smartchainers.com

You may contact our DPO for any questions regarding data protection, to exercise your rights, or to raise concerns about how your personal data is processed.

7. International Data Transfers

As Smartchainers Private Limited is based in India, your personal data may be transferred to and processed in India. India is not currently recognised by the European Commission as providing an adequate level of data protection. To safeguard your data, we implement the following measures:

Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses for data transfers to India, ensuring contractual obligations equivalent to GDPR protections
Encryption: All data in transit is encrypted using TLS/SSL, and data at rest is encrypted in our MongoDB databases
EU Infrastructure: Where possible, we process and store EU user data on servers located within the European Union
Access Controls: Strict access controls limit who can access personal data, with logging and monitoring of all access events
Transfer Impact Assessment: We have conducted a transfer impact assessment to evaluate and mitigate risks associated with international data transfers

8. Data Breach Notification

In the event of a personal data breach, we follow strict procedures in compliance with GDPR Articles 33 and 34:

8.1 Supervisory Authority Notification

If a breach is likely to result in a risk to the rights and freedoms of data subjects, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to mitigate the breach.

8.2 Data Subject Notification

If a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly and without undue delay. The notification will describe the nature of the breach in clear, plain language and provide recommendations for steps you can take to protect yourself.

8.3 Internal Procedures

We maintain an internal data breach register documenting all breaches, their effects, and remedial actions taken
Our incident response team is trained to detect, contain, and respond to data breaches promptly
We conduct post-breach reviews to identify root causes and implement preventive measures

9. Automated Decision-Making and Profiling

PetCare.AI uses automated processing in the following ways:

9.1 Rio AI Health Analysis

Rio analyses pet symptoms using artificial intelligence to generate health guidance and urgency classifications. This constitutes automated processing but does not produce legal effects or similarly significant effects on you as defined under GDPR Article 22, because:

Rio provides guidance and recommendations only, not binding decisions
All health decisions remain with you and your veterinarian
Rio's outputs do not determine your access to services, benefits, or contractual terms
You can always consult a human veterinarian through our platform

9.2 Vet Matching

We use automated processes to match you with veterinary professionals based on your location, pet's needs, and availability. You always have the choice to select any listed veterinary professional regardless of our recommendations.

9.3 Your Rights Regarding Automated Processing

Even though our automated processing does not fall under Article 22 restrictions, we respect your right to:

Request human review of any AI-generated health guidance
Understand the logic involved in automated processing through clear explanations
Object to automated processing and request manual alternatives
Receive meaningful information about how Rio analyses symptoms and generates recommendations

Where we rely on consent as the legal basis for processing, we ensure that:

Freely Given: Consent is not a precondition for accessing services that do not require the specific data processing
Specific: We request consent for each distinct processing purpose
Informed: We clearly explain what data will be processed and for what purpose before obtaining consent
Unambiguous: Consent is obtained through a clear affirmative action (opt-in), not pre-ticked boxes

10.1 Withdrawing Consent

You may withdraw consent at any time through your account settings or by contacting us. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

10.2 Consent Records

We maintain records of all consent given, including when and how consent was obtained, what information was provided at the time, and whether consent has been withdrawn.

We use cookies and similar technologies on our website and mobile applications. In compliance with GDPR and the ePrivacy Directive:

11.1 Essential Cookies

These cookies are strictly necessary for the operation of our platform. They include authentication tokens, session identifiers, and security cookies. These do not require consent as they are essential for providing the service you requested.

11.2 Analytics Cookies

We use analytics cookies (such as Google Analytics) to understand how users interact with our platform. These cookies are only placed after you provide consent. Data collected is anonymised and used in aggregate form for service improvement.

11.3 Functional Cookies

These cookies remember your preferences, such as language settings and display options. They enhance your experience but are not strictly necessary. We request consent before setting these cookies.

11.4 Managing Cookies

You can manage your cookie preferences through the cookie consent banner displayed on your first visit
You can modify your preferences at any time through your browser settings
Disabling non-essential cookies will not affect core platform functionality
For detailed information about specific cookies we use, their purposes, and expiry periods, please contact us

12. Complaints to Supervisory Authority

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. You may file a complaint with:

The supervisory authority in the EU/EEA member state of your habitual residence
The supervisory authority in the EU/EEA member state of your place of work
The supervisory authority in the EU/EEA member state where the alleged infringement occurred

We encourage you to contact us first so we can attempt to resolve your concern directly. However, this does not affect your right to lodge a complaint with a supervisory authority at any time.

A list of EU/EEA supervisory authorities and their contact details is available at the European Data Protection Board website.

13. Contact Us

For any questions regarding this GDPR Policy or to exercise your data subject rights, please contact us: