Privacy Policy
Last updated: June 1, 2025
VetRx Ledger ("we," "us," or "our") operates the website located at grantshelf.com and provides controlled-substance logbook software for veterinary practices (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website or use our Service.
Please read this policy carefully. If you disagree with its terms, please discontinue use of our Service.
1. Information We Collect
Information you provide directly. We collect information you provide when you request a pilot, book a discovery call, sign up for an account, or contact us. This may include:
- Name and job title
- Work email address and phone number
- Practice name, size, and location
- DEA registration number (encrypted at rest; see Section 4)
- Communications you send us
Usage and analytics data. When you visit our website, we automatically collect certain information about your device and browsing activity, including:
- IP address (anonymized where technically feasible)
- Browser type and version, operating system
- Pages viewed, time on page, referring URLs
- Click events and feature interactions (via PostHog analytics)
Cookies and similar technologies. We use first-party cookies for session management and A/B testing variants, and third-party analytics cookies (PostHog). See Section 6 for details and how to manage your preferences.
Controlled-substance ledger data. When you use the Service as a paying customer, transaction records (draws, wastes, blind counts) are stored in your practice's isolated data partition. VetRx Ledger does not collect patient names or patient medical records. Staff identifiers may be badge numbers, initials, or any non-PII token you configure — real names are optional.
2. How We Use Your Information
- To operate, maintain, and improve the Service
- To respond to your inquiries and fulfil pilot or subscription requests
- To send transactional and product-update emails (you may opt out at any time)
- To measure website performance and run anonymized A/B tests
- To detect, prevent, and address technical issues or security incidents
- To comply with applicable laws and regulatory obligations
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
3. Legal Bases for Processing (EEA / UK Visitors)
If you are located in the European Economic Area or United Kingdom, we process your personal data under the following legal bases:
- Contract: processing necessary to provide the Service you requested
- Legitimate interests: analytics, fraud prevention, and product improvement
- Consent: optional marketing communications and non-essential cookies
- Legal obligation: compliance with applicable law
4. Data Security and Encryption
We implement technical and organizational measures designed to protect your data, including:
- AES-256-GCM field-level encryption for sensitive fields (DEA numbers, email addresses)
- TLS 1.2+ in transit for all data exchanged with our servers
- Hash-chained, append-only audit log with hardware-backed e-signatures
- Role-based access controls and SOC 2-aligned operational procedures
- Regular security reviews and vulnerability assessments
No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.
5. Data Retention
We retain your account and ledger data for as long as your subscription is active, plus a 90-day grace period after termination. Upon written request, we will delete or export your data within 30 days, subject to legal retention obligations (e.g., DEA record-keeping requirements under 21 CFR § 1304.04 require two-year retention of controlled-substance records — deletion of records within that window may conflict with your regulatory obligations).
6. Cookies and Tracking Technologies
We use the following categories of cookies:
- Strictly necessary: session tokens, CSRF protection — these cannot be disabled without breaking core functionality.
- Analytics: PostHog collects anonymized usage data to help us improve the product. You may opt out via our cookie preference center or by setting vetrx_analytics_opt_out=1 in your browser.
- A/B testing: first-party cookies store your assigned variant so you see a consistent experience. No PII is associated with these cookies.
You can manage or withdraw consent at any time using the "Cookie Preferences" link in the site footer. You may also configure your browser to refuse cookies, but some Service features may not function correctly.
7. Third-Party Services
We use the following sub-processors and third-party services:
- Vercel — hosting and edge infrastructure (US/EU)
- Supabase — managed PostgreSQL database (US)
- PostHog — product analytics (EU cloud)
- Stripe — payment processing (compliant with PCI DSS)
Each sub-processor is bound by a data processing agreement consistent with applicable privacy law. We do not share your data with these parties beyond what is necessary to operate the Service.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Request deletion ("right to be forgotten") subject to legal retention requirements
- Port your data in a machine-readable format
- Object to or restrict certain processing activities
- Withdraw consent at any time (where processing is based on consent)
To exercise any of these rights, email us at hello@grantshelf.com. We will respond within 30 days.
9. Children's Privacy
Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us immediately.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page with an updated "Last updated" date and, where required by law, by sending you an email notice. Your continued use of the Service after changes become effective constitutes your acceptance of the revised policy.
11. Contact Us
If you have questions, concerns, or requests relating to this Privacy Policy, please contact:
VetRx Ledger
Email: hello@grantshelf.com
See also our Terms of Service and Privacy & PII Configuration Docs.