1. Who we are
Xonvet is a provider of CMA compliance software and setup services for independent veterinary practices in the United Kingdom. We deliver a standardised, fixed-scope implementation of the CMA Order requirements through a configured software widget, automated infrastructure, and pre-defined compliance documentation. For the purposes of data protection law, Xonvet is the data controller of your personal information.
Contact: [email protected]
2. What personal data we collect
We collect personal data in the following circumstances:
- Enquiry form: full name, practice name, email address, and any information you include in your message.
- Consultation bookings: name and contact details submitted via our Google Calendar booking link.
- Website analytics: anonymised usage data including pages visited, time on site, approximate location (city/region), device type, and browser. This is collected via Google Analytics 4 and does not identify you individually.
- Cookies: see our Cookie Policy for full details.
- Widget feedback: anonymous satisfaction signals (thumbs up or thumbs down) collected via the Xonvet pricing module embedded on client practice websites. No name, email, or personally identifiable information is collected. Responses are stored in Cloudflare KV.
3. How we use your data
| Purpose | Legal basis |
|---|---|
| Responding to your enquiry or booking request | Legitimate interests / contract |
| Providing our compliance services to you | Performance of a contract |
| Sending service-related communications | Legitimate interests |
| Improving our website and services | Legitimate interests |
| Complying with legal obligations | Legal obligation |

We do not use your personal data for automated decision-making or profiling.
4. Who we share your data with
We do not sell or rent your personal data. We may share it with:
- Google LLC — for Google Analytics (anonymised) and Google Calendar booking management. Where Xonvet hosts a Google Sheet on behalf of a client practice, Google LLC also acts as a sub-processor for that data.
- Cloudflare, Inc. — our website hosting provider and the infrastructure layer for the Xonvet pricing module (Cloudflare Pages, Workers, and KV storage).
- Airtable Inc. — our complaints management platform. Client practices on the Confident tier use an Airtable base to log and manage complaints. Airtable is located in the USA and processes data under Standard Contractual Clauses.
All processors are required to handle your data securely and only for the purposes we specify.
Xonvet personnel may access personal data from outside the UK. Where this occurs, appropriate safeguards are in place in accordance with UK GDPR, including reliance on Standard Contractual Clauses or equivalent transfer mechanisms as applicable.
5. How long we keep your data
- Enquiry and correspondence records: up to 3 years from last contact, unless a service relationship continues.
- Client records: 6 years from the end of our engagement (in line with UK limitation periods).
- Analytics data: 14 months, in line with Google Analytics 4 defaults.
6. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — request deletion of your data where there is no legitimate reason for us to retain it.
- Restriction — ask us to limit how we use your data in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
To exercise any of these rights, email [email protected]. We will respond within one calendar month.
7. Complaints
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the UK's data protection supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
8. Security
We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. All data in transit is encrypted via HTTPS. Access to enquiry data is restricted to authorised personnel only.
9. Children's data
Our services are directed at veterinary practice owners and managers. We do not knowingly collect personal data from anyone under the age of 18.
10. Changes to this policy
We may update this policy from time to time. Any material changes will be reflected by an updated date at the top of this page. We encourage you to review it periodically.
11. Contact
For any data protection queries, please contact us at [email protected].