Privacy Policy
Effective date: 24 May 2026 Version: 1.3
This Privacy Policy explains how Kakariki Technology Limited (“Kakariki”, “we”, “us”, or “our”), a company registered in New Zealand, collects, uses, and protects information when you access Librevet Ortho and any related services we provide through librevet.com and its subdomains (together, the “Service”).
If you have any questions about this Policy or our handling of your information, contact us at info@ktech.co.nz.
1. Who this Policy applies to
The Service is intended for veterinary professionals and personnel working under their direction. You must be a qualified veterinarian, veterinary surgeon, veterinary technician, or comparable professional to create an account. The Service is not directed to consumers, members of the public, or children under 18.
2. Information we collect
We collect the following categories of information.
Account information. When you register, we collect your name, email address, and confirmation that you are a veterinary professional. If you sign in using Google, we receive your basic Google profile (name, email, profile picture URL) via the OAuth scope you authorise.
Case and imaging data. When you create a case in Librevet Ortho, we store the radiographic images you upload, together with the metadata and notes you choose to associate with that case. This metadata may include patient (animal) details, owner name, clinic name, anatomical region, free-text notes, measurements, annotations, and saved planning artefacts (reference lines, implant placements, osteotomies).
Technical information. We collect standard application logs needed to operate the Service, including timestamps of requests, error reports, browser and device identifiers, and the Internet Protocol address associated with your sessions. We use these for security, debugging, and abuse prevention.
Communications. When you contact us by email or submit feedback through the in-app feedback widget, we store the content of those communications.
We do not intentionally collect special-category personal data about you (such as health or biometric data about a human subject). We do not knowingly collect or process personal data of children.
3. How and why we use your information
We use the information we collect for the following purposes, on the following legal bases.
| Purpose | Legal basis (GDPR/UK GDPR) | NZ Privacy Act basis |
|---|---|---|
| Provide and operate the Service (account, case storage, planning tools) | Performance of a contract | Authorised by you as part of providing the Service |
| Communicate with you about the Service (verification, password resets, security notices, important account updates) | Performance of a contract / legitimate interest | Directly related to the purpose of collection |
| Improve and secure the Service (debugging, abuse prevention, performance monitoring) | Legitimate interest | Directly related |
| Send product news, feature announcements, and other marketing communications | Legitimate interests (soft opt-in for existing users of the Service, with right to opt out) | Authorised as part of the existing service relationship |
| Train, evaluate, and improve our diagnostic and planning algorithms, including machine learning models (the “ML Programme”) | Legitimate interests (with right to object) | Consent |
| Comply with legal obligations (regulator requests, court orders) | Legal obligation | Authorised by law |
4. The Machine Learning Programme (opt-out)
To improve diagnostic and planning algorithms in our products, we use de-identified veterinary imaging data uploaded to the Service to develop, train, evaluate, and improve machine learning and artificial intelligence models. As Librevet Ortho is provided at no cost, contribution of de-identified data is part of how we sustain and improve the Service, and is enabled by default.
You may opt out at any time. To do so, disable the “Contribute imaging data to AI development” toggle in your account Settings. Opting out stops any future use of your data for the ML Programme but does not require us to retrain or remove your contributions from models that have already been trained at the time you opt out.
Before any of your data is used in the ML Programme, we de-identify it: case identifiers, patient names, owner names, clinic identifiers, and the free-text content of your notes are removed. Only the imaging data and structured non-identifying clinical metadata (anatomical region, species, age category, measured angles, and similar) are retained for training.
If you would like specific previously-uploaded cases excluded from future training cycles, contact us using the details in section 13.
We rely on the legal basis of legitimate interests (Article 6(1)(f) GDPR / equivalent UK GDPR provision) for this processing. We have conducted a balancing test and concluded that the public benefit of improving veterinary diagnostic tools, combined with the low risk to data subjects given de-identification, the absence of decisions affecting individuals, and the availability of an easy opt-out, outweighs the residual privacy impact. Users in the EU/UK/Switzerland have the right under Article 21 GDPR to object to this processing; the opt-out toggle is provided as the practical means to exercise that right.
5. Email communications
Transactional emails (account verification, password reset, security notices, critical service announcements) are necessary to operate your account and are sent without separate marketing consent.
Marketing emails (product news, feature announcements, educational content, surveys) are sent to all users as part of the existing service relationship under the soft opt-in exception permitted by the EU ePrivacy Directive, UK PECR, and equivalent provisions in other jurisdictions. Every marketing email includes a one-click unsubscribe link. You may also opt out at any time via the “Receive product updates” toggle in your account Settings. Opting out takes effect within 48 hours.
6. Sharing with third parties
We do not sell your personal information. We share information only with the categories of recipient below, and only as needed to operate the Service.
Infrastructure and platform providers.
- Google LLC and its affiliates — we host the Service on Google Cloud Platform, including Firebase Authentication, Cloud Firestore, Cloud Storage, and Cloud Run. Google processes your data on our behalf under data processing terms.
- Resend (Resend.com, Inc.) — we use Resend to send transactional and marketing emails. Email addresses and message content are processed by Resend on our behalf.
Legal and safety recipients. We may disclose information if compelled by a valid legal order, where necessary to protect the safety of any person, to investigate fraud or abuse of the Service, or to enforce our Terms of Service. We will challenge overbroad requests where appropriate.
Successor entity. If we are involved in a merger, acquisition, asset sale, or insolvency, your information may be transferred to a successor entity, subject to a privacy policy at least as protective as this one.
We do not share your information with advertising networks, data brokers, or analytics platforms beyond what is described above.
7. Where your data is stored, and international transfers
We store imaging data (“Cloud Storage”) in regional buckets selected to reflect the location of the user where reasonably possible:
- Asia-Pacific region: Sydney, Australia
- European Economic Area: an EU member-state region (to be confirmed as the Service scales into EU)
- Americas: a United States region
Account, case-metadata, and operational records (“Cloud Firestore”) are currently stored in a Google Cloud region in the United States (us-west1). We are actively working to introduce regional Firestore instances to reduce cross-border transfers of EU/UK user data; in the interim, where personal data of users in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country that has not been recognised as providing an adequate level of protection, the transfer is conducted under the European Commission’s Standard Contractual Clauses (2021) (or the UK Addendum thereto) as supplemented by appropriate technical and organisational safeguards (encryption in transit and at rest, access controls, and audit logging).
You may request a copy of the relevant transfer mechanism by contacting us.
8. How long we keep your data
We retain your account information for as long as your account remains active. If you delete your account, we delete or anonymise your personal data within 90 days, except where we are required to retain it to comply with a legal obligation, to resolve disputes, or to enforce our agreements.
Case and imaging data that you delete from within the Service is removed from active storage within 30 days and from backup storage within a further 90 days.
Anonymised data used in the ML Programme is retained as part of the trained models indefinitely; once data has been anonymised, we cannot re-associate it with you.
9. Your rights
Depending on where you live, you have the following rights with respect to your personal information. To exercise any of these rights, contact us at info@ktech.co.nz. We will respond within 30 days.
- Access. You may request a copy of the personal information we hold about you.
- Correction. You may ask us to correct information that is inaccurate or incomplete.
- Deletion. You may ask us to delete your personal information, subject to legal limitations.
- Portability. Where the data is held on the basis of consent or contract and is processed by automated means, you may request a machine-readable export.
- Objection and restriction. You may object to, or ask us to restrict, certain processing.
- Withdraw consent. Where processing is based on your consent (including the ML Programme and marketing), you may withdraw that consent at any time.
- Complain. If you are unhappy with our handling of your information, you have the right to lodge a complaint with your local supervisory authority — for example, the Office of the Privacy Commissioner of New Zealand (privacy.org.nz), the Information Commissioner’s Office in the United Kingdom (ico.org.uk), the Office of the Australian Information Commissioner (oaic.gov.au), or the relevant data protection authority in your EU member state.
10. Security
We protect your information using industry-standard safeguards, including:
- Transport-layer encryption (HTTPS) on all connections
- Encryption at rest for all Cloud Storage objects and Firestore documents
- Mandatory account-level access controls enforced by Firebase Authentication
- Multi-factor authentication available on all accounts via Google Sign-In
- Principle-of-least-privilege access for our staff
- Continuous logging and monitoring of administrative actions
No system is ever perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within the timeframes required by applicable law.
11. Cookies and similar technologies
The Service uses only the cookies and local storage strictly necessary to operate the application — primarily, the session cookie set by Firebase Authentication to keep you signed in. We do not use advertising cookies, tracking pixels, third-party analytics cookies, or social-media trackers.
12. Changes to this Policy
We may update this Policy from time to time to reflect changes in the Service or applicable law. When we make material changes, we will notify you by email and update the “Effective date” at the top of the page. The current version is always available at librevet.com/privacy.
13. Contact
Questions, complaints, and rights requests:
Kakariki Technology Limited
Email: info@ktech.co.nz
Postal: Kakariki Technology Limited
c/o BDO Auckland
Level 2, 116 Harris Road
East Tamaki
Auckland 2013
New Zealand
For users in the European Economic Area, the United Kingdom, or Switzerland: we have not appointed a representative under Article 27 GDPR at this time. We will appoint a representative if and when our user base in those regions reaches the threshold that requires one.