Privacy Notice
Last updated: 8 July 2026
1. Who we are
This notice describes how Virtus Nemeton Ltd, trading as "StationReady", collects and uses personal data. Virtus Nemeton Ltd is a company registered in England & Wales. Please confirm the registered legal name and company number you'd like published here.
2. Our role: controller or processor
- When a veterinary practice uses StationReady: the practice is the data controller for personal data about its staff and any content its staff upload. Virtus Nemeton Ltd is the data processor, acting on the practice's documented instructions under a Data Processing Agreement (Article 28 UK GDPR).
- Marketing, sales and support contacts: Virtus Nemeton Ltd is the data controller.
3. Personal data we collect
- Account & profile: name, email address, role (technician/manager/admin), organisation, hashed authentication credentials.
- Usage & telemetry: checks completed, timestamps, station identifiers, device type, IP address, browser session identifiers.
- Content you submit: checklist responses, photo evidence attached to failed items, notes.
- Support & sales correspondence: the content of emails and calls with us.
- Payments: collected directly by our payment processor, Stripe. We receive transaction metadata (amount, currency, product, last-4, country) but not full card details.
4. Why we use it and our legal basis
- To provide and secure the Service — performance of a contract with you or your organisation.
- To fulfil legal obligations (accounting, tax, responses to lawful requests) — legal obligation.
- To detect and prevent fraud or abuse, and to improve the Service — legitimate interests, which we have balanced against your rights.
- To send service-related emails (invoices, incident notifications, essential product changes) — legitimate interests / contract.
- To send optional marketing — consent, which you can withdraw at any time.
5. Who we share it with
- Hosting & infrastructure: Supabase (EEA regions) and Vercel's edge network for application hosting and content delivery.
- Payments processor: Stripe Payments Europe, Ltd. — for payment authorisation, subscription billing, VAT calculation, invoicing, and fraud prevention.
- Email delivery: Resend — for transactional and manager-alert emails.
- Professional advisers: accountants and legal advisers, on a need-to-know basis.
- Authorities: where required by law or to protect our rights.
We do not sell personal data. We do not use it to train third-party AI models.
6. International transfers
Personal data is primarily stored in the European Economic Area. Where transfers outside the UK/EEA occur (for example to a subprocessor's support team), we rely on UK International Data Transfer Agreements, EU Standard Contractual Clauses, or an adequacy decision, and apply appropriate additional safeguards.
7. Retention
- Account data: retained while your organisation is a customer, then deleted or anonymised within 90 days of contract end.
- Check records & photo evidence: retained on your organisation's schedule; default retention is 7 years to support RCVS Practice Standards Scheme evidence requirements.
- Billing records: retained for 7 years to comply with UK tax law.
- Support correspondence: retained for up to 3 years.
8. Your rights
Under UK GDPR you have the right to: access; rectification; erasure; restriction; portability; objection; and withdrawal of consent. You can also complain to the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority. To exercise a right, email privacy@virtusnemeton.co.uk; we will respond within one month.
If you are a staff member of a customer practice, please direct requests about check content and photo evidence to your practice (the data controller) in the first instance.
9. Security
We apply appropriate technical and organisational measures including AES-256 encryption at rest, TLS 1.2+ in transit, role-based access controls, MFA on production infrastructure, and regular backups. In the event of a personal data breach affecting the rights of individuals we will notify affected customers and the ICO within 72 hours as required by UK GDPR.
10. Cookies
We use only essential cookies to keep you signed in and to secure the session. We do not use marketing cookies or third-party advertising trackers. If we introduce analytics in future we will present a consent banner and update this notice.
11. Children
StationReady is a professional tool for veterinary staff and is not directed at children under 13.
12. Contact & data protection queries
Virtus Nemeton Ltd — privacy@virtusnemeton.co.uk
Security or incident contact: security@virtusnemeton.co.uk
