This Privacy Policy (the 'Policy') describes how Natural Person-Entrepreneur Serhii Halych (ФОП Галич Сергій Сергійович), doing business as LapaHub ('LapaHub', 'Company', 'we', 'us', or 'our'), collects, uses, stores, and protects personal information in connection with Lapa Clinic — a cloud-based veterinary practice management platform (the 'Service') available at https://clinic.lapahub.com (the 'Site') and through the Lapa Clinic mobile application (the 'App').

Lapa Clinic is a business-to-business product designed for veterinary clinics and their staff. This Policy applies to Tenant Owners, Billing Administrators, and Authorized Users — the clinic professionals who interact with the Service on behalf of their veterinary practice (collectively, 'Clinic Users' or 'you'). If you are a pet owner, this Policy does not apply to you; please refer to the Lapa consumer application privacy policy instead.

LapaHub acts in a dual capacity with respect to personal data:

• Data Controller — for the personal information of Clinic Users (account data, authentication data, usage analytics).
• Data Processor — for the personal data that Clinic Users enter into the Service on behalf of their veterinary practice (patient records, client contact details, medical histories). This data is owned and controlled by the Tenant.

By creating an account, accessing the Service, or authorising others to access the Service on your behalf, you acknowledge that you have read and understood this Policy. If you do not agree with its terms, please do not use the Service. Questions or concerns may be directed to legal@lapahub.com.

SUMMARY OF KEY POINTS

What personal information do we collect? We collect account information you provide (name, email, phone number), authentication credentials, employment and role data within your clinic, and technical information generated through your use of the Service. Learn more →

What data do we process on behalf of clinics? In our capacity as a Data Processor, we process patient records, client contact details, appointment data, invoices, and uploaded files on behalf of the Tenant. This data belongs to the Tenant and is governed by the Tenant's own privacy obligations. Learn more →

How is Tenant data kept separate? Each Tenant's data is stored in a dedicated, isolated database schema. There is no cross-tenant access; one clinic cannot view another clinic's data. Learn more →

Do we sell personal data? No. We never sell, rent, or trade the personal information of Clinic Users or Tenant data to third parties.

What are your rights? Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, port, or object to the processing of your personal data. Learn more →

When you register for the Service, use its features, or interact with our support channels, we may collect the following categories of personal information directly from you or generated through your use of the Service.

1.1 Account and Profile Information

• Full name (first name, last name)
• Email address
• Phone number
• Profile photograph (if uploaded)
• Preferred language settings

1.2 Employment and Role Data

• Role within the Tenant (e.g., Tenant Owner, Billing Administrator, veterinarian, technician, receptionist)
• Professional title or specialisation
• Tenant membership and association history

1.3 Authentication Data

• Hashed password credentials (for email/password authentication)
• OAuth tokens and provider identifiers (for Google sign-in)
• Firebase Authentication identifiers
• Session tokens and refresh tokens

1.4 Usage and Activity Data

• Actions performed within the Service (e.g., records created, appointments scheduled)
• Feature usage patterns and frequency
• Timestamps of login, logout, and activity events
• Error logs and crash reports

1.5 Device and Technical Data

• IP address
• Browser type and version
• Operating system and device type
• Screen resolution and viewport dimensions
• Referring URL and page-view history within the Service
• Unique device identifiers (for the mobile App)

In the course of providing the Service, we process data that Clinic Users enter, upload, or generate within their Tenant workspace. This data is owned and controlled by the Tenant, and LapaHub processes it strictly as a Data Processor on the Tenant's behalf.

Categories of Tenant-controlled data ('Clinic Data') include:

• Patient records — pet profiles, species, breed, date of birth, microchip identifiers, medical histories, treatment notes, diagnoses, prescriptions, and vaccination records.
• Client contact information — names, phone numbers, email addresses, and mailing addresses of pet owners and clients served by the clinic.
• Appointment data — scheduling information, appointment types, assigned veterinarians, consultation notes, and calendar integrations.
• Billing and invoice data — service charges, payment records, invoice line items, and transaction histories.
• Uploaded files and media — photographs, documents, lab results, and any other files attached to patient or client records.
• Inventory and product data — stock levels, product descriptions, pricing, manufacturer details, and supply chain records.

The Tenant Owner is responsible for ensuring that the collection and input of Clinic Data complies with all applicable data-protection laws, including obtaining any necessary consents from pet owners whose personal information is stored in the Service. LapaHub does not independently determine the purposes or means of processing Clinic Data — we act only on the instructions of the Tenant.

We process personal information under the following legal bases, as applicable under the General Data Protection Regulation (GDPR) and the Law of Ukraine on the Protection of Personal Data:

3.1 Performance of a Contract

Processing your account information, authentication data, and role assignments is necessary to perform the contract between you (or your organisation) and LapaHub — namely, the Terms of Service. Without this processing, we cannot provide the Service.

3.2 Legitimate Interest

We rely on legitimate interest for processing activities that support the security, stability, and improvement of the Service, including:

• Monitoring for and protecting against fraud, abuse, and security threats
• Analysing aggregated usage patterns to improve features and user experience
• Maintaining system logs for debugging, incident response, and audit trails
• Enforcing our Terms of Service and acceptable use policies

Where we rely on legitimate interest, we conduct balancing assessments to ensure that our interests do not override your fundamental rights and freedoms.

3.3 Consent

Where required by applicable law, we obtain your explicit consent before processing certain categories of data — for example, before sending you optional marketing communications or deploying non-essential tracking technologies. You may withdraw your consent at any time by contacting us at legal@lapahub.com.

3.4 Legal Obligation

We may process personal information when necessary to comply with a legal obligation to which LapaHub is subject, such as responding to valid legal process, fulfilling tax or accounting requirements, or reporting to regulatory authorities.

We use the personal information described in this Policy for the following purposes:

4.1 Providing and Operating the Service

• Creating and managing your Global User Account and Tenant associations
• Authenticating your identity and authorising access to appropriate Tenant workspaces
• Processing Clinic Data on behalf of your Tenant as a Data Processor
• Synchronising appointment data with integrated third-party calendars (e.g., Google Calendar)

4.2 Improving and Developing the Service

• Analysing aggregated and anonymised usage patterns to identify and prioritise feature improvements
• Diagnosing technical issues through error and crash reports
• Conducting internal research and development

4.3 Communication

• Sending transactional notifications related to your account, Tenant, or subscription
• Delivering security alerts and service updates
• Responding to your support requests and enquiries
• Sending optional marketing communications (only with your consent, where required by law)

4.4 Safety and Compliance

• Protecting the Service against unauthorised access, fraud, and abuse
• Enforcing our Terms of Service
• Complying with applicable legal requirements

Lapa Clinic employs a schema-per-tenant database architecture. This means that each Tenant's Clinic Data is stored in a dedicated, logically isolated database schema. The architecture enforces the following guarantees:

• No cross-tenant access — Clinic Data belonging to one Tenant is never accessible to users of another Tenant. Database queries are scoped to a single tenant schema and cannot traverse schema boundaries.
• Tenant-scoped authorisation — every data request is validated against the authenticated user's Tenant context. Requests that lack a valid Tenant context are rejected before reaching the data layer.
• Isolated configuration — each Tenant maintains its own user roster, role assignments, settings, and operational data, independent of all other Tenants on the platform.

Global User Account data (name, email, authentication credentials) is stored in a shared platform schema. This data is not considered Clinic Data and is managed by LapaHub as a Data Controller.

Lapa Clinic is part of the broader LapaHub Ecosystem, which includes a consumer (B2C) application designed for pet owners. The following describes how data may flow between the B2C and B2B products.

6.1 Owner-Initiated Linking

A pet owner using the Lapa consumer application may choose to link their pet's profile with veterinary records held across one or more Tenants on the Lapa Clinic platform. This linking is always initiated by the pet owner — Tenants and Clinic Users cannot initiate or force this connection.

When a pet owner initiates linking, limited pet and medical data from the Tenant's records may become visible to the pet owner within the consumer application, potentially aggregated across multiple clinics that have treated the same pet.

6.2 Impact on Tenants

Owner-controlled data sharing may grant Clinic Users read-only access to a pet's global profile — a consolidated view of data that the pet owner has chosen to share from other clinics. This read-only access is governed by the pet owner's sharing preferences and can be revoked by the pet owner at any time.

Tenants retain full ownership and control of the Clinic Data they have created. Ecosystem linking does not transfer ownership of Clinic Data, nor does it grant other Tenants write access to a Tenant's records.

We do not sell, rent, or trade your personal information or Clinic Data to third parties. We may share personal information only in the following limited circumstances:

7.1 Service Providers (Sub-Processors)

We engage trusted third-party service providers to help us operate and deliver the Service. These sub-processors are bound by contractual obligations to process data only as instructed and to maintain appropriate security measures. Categories of sub-processors include:

• Cloud infrastructure providers — for hosting, storage, and compute resources (e.g., Google Cloud Platform)
• Authentication services — for identity verification and secure sign-in (e.g., Firebase Authentication)
• Payment processors — for subscription billing and payment handling
• Communication services — for transactional email delivery and push notifications
• Error monitoring and analytics — for crash reporting, performance monitoring, and aggregated usage analytics

7.2 Legal and Regulatory Disclosure

We may disclose personal information if required to do so by law, regulation, legal process, or enforceable governmental request, or if disclosure is reasonably necessary to protect the rights, property, or safety of LapaHub, our users, or the public.

7.3 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, personal information may be transferred to the successor entity. We will provide notice before your personal information becomes subject to a different privacy policy.

LapaHub is established in Ukraine. However, the sub-processors we engage to deliver the Service may process data in jurisdictions outside Ukraine, including within the European Economic Area, the United States, and other countries where cloud infrastructure providers operate data centres.

When personal data is transferred to a jurisdiction that does not provide an equivalent level of data protection, we implement appropriate safeguards, which may include:

• Standard contractual clauses approved by relevant authorities
• Binding agreements with sub-processors that impose equivalent data-protection obligations
• Reliance on adequacy decisions where available

You may request information about the safeguards in place for any specific international transfer by contacting us at legal@lapahub.com.

We retain personal information for as long as necessary to fulfil the purposes described in this Policy, subject to the following guidelines:

9.1 Clinic User Account Data

Your account information is retained for as long as your Global User Account remains active. If you wish to delete your personal account data, you may submit a request to legal@lapahub.com. Upon verified receipt, we will delete or anonymise your personal data within a reasonable timeframe, except where retention is required by law.

9.2 Clinic Data (Tenant Data)

Clinic Data is retained for the duration of the Tenant's active subscription. Following Tenant account termination, Clinic Data is retained for a limited grace period (as specified in the Terms of Service) to allow for data export, after which it is permanently deleted.

9.3 Legal Retention Obligations

Certain data may be retained beyond the periods described above where required by applicable law — for example, to satisfy tax, accounting, or regulatory record-keeping obligations.

9.4 Aggregated and Anonymised Data

We may retain aggregated or anonymised data indefinitely for statistical analysis and service improvement. Such data cannot be used to identify any individual.

We implement technical and organisational measures designed to protect personal information and Clinic Data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption — data is encrypted in transit (TLS) and at rest within our cloud infrastructure.
• Authentication controls — access to the Service requires authenticated credentials; multi-factor authentication may be supported.
• Schema-per-tenant isolation — Clinic Data is segregated at the database level, preventing cross-tenant access even in the event of application-level vulnerabilities.
• Role-based access controls — Tenant Owners control which Authorized Users have access to their Tenant and at what permission level.
• Infrastructure security — our cloud infrastructure providers maintain SOC 2, ISO 27001, and equivalent certifications.
• Security assessments — we conduct regular reviews of our security posture, including code reviews and dependency audits.
• Incident response — we maintain procedures for detecting, investigating, and responding to security incidents. Affected Tenants and individuals will be notified in accordance with applicable law.

While we strive to protect your personal information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to continuously improving our safeguards.

The Service uses cookies and similar technologies to support essential functionality such as authentication, session management, and security.

Our approach to non-essential tracking technologies (such as analytics and performance monitoring tools) is still being finalised. We are committed to transparency and will update this section — or publish a dedicated Cookies Policy — as our tracking practices are confirmed.

At a minimum, the Service uses:

• Strictly necessary cookies — required for authentication, session persistence, and security. These cannot be disabled without impairing core Service functionality.
• Firebase Authentication tokens — stored locally on your device to maintain your authenticated session.

Should we introduce additional tracking technologies in the future, we will provide clear notice and, where required by law, obtain your consent before activation. For further details, please refer to our Cookies Policy when it becomes available, or contact us at legal@lapahub.com.

Depending on your jurisdiction, you may be entitled to exercise the following rights with respect to your personal information under the GDPR, the Law of Ukraine on the Protection of Personal Data, or other applicable legislation:

• Right of access — request confirmation of whether we process your personal data, and obtain a copy of that data.
• Right to rectification — request correction of inaccurate or incomplete personal data.
• Right to erasure ('right to be forgotten') — request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent.
• Right to restriction — request that we restrict processing of your personal data in certain circumstances (e.g., while we verify the accuracy of contested data).
• Right to data portability — receive your personal data in a structured, commonly used, and machine-readable format, and transmit it to another controller.
• Right to object — object to the processing of your personal data where we rely on legitimate interest, including profiling based on legitimate interest.
• Right to withdraw consent — where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.

How to exercise your rights: Submit your request by emailing legal@lapahub.com. We will verify your identity before processing the request and respond within the timeframe required by applicable law (generally within 30 days). If we need additional time, we will notify you of the extension and its reasons.

Clinic Data requests: If you are a pet owner or client of a veterinary clinic that uses Lapa Clinic and wish to exercise your data-protection rights with respect to data held in a Tenant, please direct your request to the clinic (the Data Controller for that data). We will assist the Tenant in responding to such requests as required by our Data Processor obligations.

If you believe that our processing of your personal data infringes applicable data-protection law, you have the right to lodge a complaint with the Ukrainian Parliament Commissioner for Human Rights (Ombudsman) or another relevant supervisory authority.

The Service is a business-to-business platform intended for use by veterinary professionals and clinic staff. It is not directed at children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children.

If we become aware that we have collected personal information from a child without appropriate parental or guardian consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at legal@lapahub.com.

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make changes, we will:

• Update the 'Last updated' date at the top of this Policy.
• Post the revised Policy on the Site and within the App.
• For material changes, provide prominent notice — such as an in-app notification or an email to Tenant Owners and Billing Administrators — at least 14 days before the changes take effect.

Your continued use of the Service after the effective date of any revised Policy constitutes your acknowledgement of the updated terms. We encourage you to review this Policy periodically.

If you have questions, concerns, or requests related to this Privacy Policy or our data-processing practices, please contact us:

• Entity: ФОП Галич Сергій Сергійович (Sole Proprietor Serhii Halych), doing business as LapaHub
• Email: legal@lapahub.com
• Applicable to: clinic.lapahub.com and the Lapa Clinic mobile application

We aim to respond to all enquiries within 30 days. For urgent data-protection matters, please indicate the urgency in your subject line.