This policy explains what personal data we collect when you use Pricebook.vet, why we collect it, what we do with it, and what rights you have. It is written to comply with the UK GDPR and the Data Protection Act 2018.
If you have a question, email privacy@helpsome.ai.
#1. Who is the data controller?
For personal data collected about practice staff who use Pricebook.vet (accounts, admins, editors), the data controller is:
Helpsome Limited (trading as Helpsome.ai), operator of Pricebook.vet
Company number: 16464301
Registered office: 11c Alma Road, Snettisham, PE31 7NY, United Kingdom
Contact: privacy@helpsome.ai
ICO registration number: 16464301
For personal data that appears in pricing data you publish (for example, if a vet's name appears in a service description), you are the data controller and Helpsome is a data processor acting on your behalf. A B2B Data Processing Agreement is available on request by emailing privacy@helpsome.ai.
#2. What personal data we collect
We collect different categories of personal data depending on how you interact with Pricebook.vet.
#2.1 If you sign up for an account
- Identity: your name, the name of your practice, your role.
- Contact: your email address, optionally a phone number.
- Authentication: a password hash (we never store your password in the clear) or, if you sign in with a third-party provider (Google, Microsoft, etc.), an identifier and tokens issued by that provider.
- Practice details: practice trading name, registered name, company number (where applicable), addresses of branches, ownership disclosure (independent vs corporate group - a CMA requirement), telephone, website.
#2.2 When you use Pricebook.vet
- Usage telemetry: pages visited in the dashboard, feature interactions, timestamps, errors, device/browser information, IP address (anonymised at Google Analytics), approximate location derived from IP. This is collected via Google Analytics 4 on pricebook.vet and app.pricebook.vet, and only if you consent to analytics cookies via our banner. See the Cookie Policy §3.2 for the specific cookies set and §8 below for the US transfer mechanism.
- Audit log: who in your account made what change and when, to support the CMA audit trail.
- Publish events: what was published, by whom, and when.
#2.3 Pricing data you enter
Pricing data is primarily about services and prices, not people. However, it may include names of individual vets or staff in service descriptions, and you may enter internal notes. We treat everything you enter as confidential until you explicitly publish it (see section 5).
#2.4 Visitors to the widget
When a pet owner views a practice's prices via the Pricebook.vet widget on a practice's website, we collect limited, non-identifying analytics via a first-party beacon to our own ingestion endpoint: IP address (used once for geolocation and discarded, not stored), user agent, referrer, approximate location. The widget does not load Google Analytics or any other third-party script. We do not build profiles of individual pet owners or sell their data.
#2.5 Consent banner outcomes
When the cookie consent banner is shown and when you resolve it (Accept, Reject, or Save preferences), a small anonymous ping is sent to our server recording only the outcome - one of banner_shown, consent_decision_accept, or consent_decision_reject, plus a timestamp. No identifiers are recorded: we do not log your IP address, User-Agent, referrer, or any cookie on this endpoint. The pings are used only in aggregate, to estimate how many visitors the site receives in total versus how many consent to Google Analytics, so we can reason about traffic volume without enlarging what GA4 sees. Because these pings carry no personal data, they do not depend on your consent to be sent.
#2.6 Communications
If you contact us (email, support form), we keep that correspondence so we can respond and track issues.
#3. Why we collect it and our lawful bases
Under UK GDPR we must have a lawful basis for every use of personal data. The table below maps what we do to the basis we rely on.
| What we do | Lawful basis |
|---|---|
| Create and run your account; authenticate you | Contract (Art. 6(1)(b)) - we need this to provide the Service you asked for |
| Store and host your pricing data, drafts, notes, audit history | Contract |
| Serve Published Data to pet owners via the widget on your whitelisted domains | Contract (with you) - publishing is the service |
| Make Published Data available as structured JSON-LD for search engines and other consumers | Legitimate interests (Art. 6(1)(f)) - the data is pricing information you chose to publish under a CMA Order that requires it to be public |
| Product usage telemetry on pricebook.vet and app.pricebook.vet via Google Analytics 4 | Consent (Art. 6(1)(a)) - analytics cookies are only set if you opt in via the banner; you can withdraw consent at any time via Cookie settings in the footer |
| First-party widget analytics beacon on practice websites (no cookies, no PII) | Legitimate interests - operating and improving the widget; balanced against the minimal, non-identifying data collected |
| Anonymous consent-banner outcome counter (no personal data - see §2.5) | Not personal data, so no UK GDPR lawful basis is required; listed here for completeness only |
| Training and fine-tuning Helpsome.ai machine-learning models on Published Data (current and historical) for use in Pricebook.vet and adjacent services | Legitimate interests - the data is already public by operation of the CMA transparency rule; models are not sold or licensed externally. See Terms of Service §7.5 |
| Security, fraud prevention, abuse detection | Legitimate interests; also legal obligation where applicable |
| Transactional emails (account verification, password reset, publish notifications) | Contract |
| Marketing emails to you about Pricebook.vet | Consent (Art. 6(1)(a)) - you can opt out at any time |
| Complying with legal obligations (tax, accounting, regulator requests) | Legal obligation (Art. 6(1)(c)) |
Drafts and internal notes are never used for marketing, product screenshots, or any purpose beyond operating the Service for you. See the Terms of Service §7.3.
#4. Who we share it with
We share personal data only where needed:
- Sub-processors - the third parties that host, store, or transmit data on our behalf. See the Sub-processors page for the current list (Neon, Railway, AWS, Google LLC for analytics on the marketing site + dashboard, Google Ireland Limited for sign-in, email provider).
- Published Data recipients - anyone who views the widget on your whitelisted domains or consumes the structured JSON-LD payload. Published pricing data is intentionally public.
- Regulators and law enforcement - where we are legally required to disclose, for example in response to a valid court order, an ICO request, or a CMA enquiry.
- In a business sale or reorganisation - if Helpsome is acquired or merged, your data may transfer to the successor, subject to equivalent protections.
We do not sell personal data to advertisers or data brokers.
#5. Published vs unpublished data
This distinction matters, so we call it out explicitly:
- Published Data is pricing data you have deliberately made live. It is served via the widget on your whitelisted domains and is exposed as structured JSON-LD for search engines and other consumers. Treat it as public.
- Drafts, internal notes, unpublished versions, and comments are private to your account. They are hosted by our sub-processors on our behalf but are never displayed publicly, never shared with third parties outside infrastructure sub-processors, and never used for marketing.
#6. How long we keep it
| Category | Retention |
|---|---|
| Account data (name, email, practice details) | For the life of the account, plus [TODO: 30 days] after closure to allow for reactivation and export |
| Pricing data (drafts + published) | For the life of the account; published versions kept in versioned history for [TODO: 24 months] to support the CMA audit trail |
| Audit logs | [TODO: 24 months] |
| Usage telemetry (Google Analytics 4) | 2 months at Google (the GA4 default), after which user and event data is deleted or aggregated by Google |
| Marketing-email consent records | Until you opt out, plus [TODO: 12 months] as evidence of consent at the time |
| Support correspondence | [TODO: 3 years] from last contact |
| Financial records (if paid add-ons are ever used) | 6 years (UK tax requirement) |
After the retention period, we delete or anonymise the data. Backups are rotated on a schedule and any residual personal data in backups is overwritten within [TODO: 35 days].
#7. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Rectification - correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") - ask us to delete your data, subject to our right to retain where legally required.
- Restriction - ask us to stop using your data in certain ways while a query is resolved.
- Objection - object to processing based on legitimate interests (note: if you want a published price list to stop being publicly served, unpublishing it from the dashboard is usually the quicker route).
- Portability - receive your data in a machine-readable format (we provide JSON and CSV exports).
- Withdraw consent where we rely on consent (for example, marketing emails).
- Complain to the ICO - the UK's data-protection regulator. Contact details: https://ico.org.uk, telephone 0303 123 1113.
To exercise any of these rights, email privacy@helpsome.ai. We will respond within one month. We may ask you to verify your identity first.
#8. International transfers
Pricebook.vet is hosted primarily in the UK and EEA via Neon (database), Railway (application), and AWS (S3/CloudFront in eu-west-2 London). The one sub-processor based outside the UK/EEA is Google LLC, which processes Google Analytics 4 data in the United States. We rely on the UK-US Data Bridge (the UK extension of the EU-US Data Privacy Framework, in force since October 2023) as the adequacy mechanism for that transfer; Google LLC is a certified participant. If the Data Bridge is ever invalidated, we will fall back to the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.
For any other sub-processor that transfers data outside the UK/EEA, the same fallback (IDTA / SCC Addendum) applies and we require equivalent technical and organisational safeguards.
#9. Cookies and tracking
See the Cookie Policy for what cookies and similar technologies we use and how to reject them. In summary: we use strictly necessary cookies for authentication and security, and analytics cookies (Google Analytics 4) only with your consent via our banner. The embed widget does not set any cookies on pet-owner devices.
#10. Children
Pricebook.vet is a B2B tool for veterinary practices. It is not directed at children and we do not knowingly collect personal data from children under 13. If you believe we have, contact us and we will delete it.
#11. Security
We use industry-standard measures to protect personal data, including encryption in transit (TLS 1.2+), encryption at rest for databases and stored files, least-privilege access controls for our team, and audit logging. No system is 100% secure; if we become aware of a breach that affects your personal data, we will notify you and, where required, the ICO within 72 hours.
#12. Changes to this policy
We will update this policy from time to time. The "last updated" date at the top shows when. For material changes we will notify you by email or in-app.
#13. Contact
Helpsome Limited (trading as Helpsome.ai), operator of Pricebook.vet
11c Alma Road, Snettisham, PE31 7NY, United Kingdom
Email: privacy@helpsome.ai
ICO registration number: [TODO: fill once registered]