Everfur

Everfur

Privacy policy

Last updated: May 27, 2026 — Effective: June 27, 2026

1. Introduction and Scope

This Privacy Policy ("Policy") describes how Strand Health Inc., doing business as Everfur ("Company," "we," "us," or "our"), collects, uses, discloses, retains, and protects personal information and other data in connection with our mobile applications, websites, APIs, browser extensions, embedded widgets, partner integrations, and all related products, features, tools, and services (collectively, the "Services"). This Policy applies to all users, visitors, account holders, trial users, beta testers, and authorized representatives of organizations using our Services, including users of Everfur Health Intelligence (our direct to consumer pet health application), Everfur Clinical Intelligence (our business to business clinical decision support platform for veterinary professionals), and any future products or services we may introduce.

By accessing, downloading, installing, registering for, or using any of our Services, you acknowledge that you have read, understood, and agree to be bound by this Policy in its entirety. If you do not agree with any part of this Policy, you must immediately discontinue all use of our Services and delete any copies of our applications from your devices. We reserve the right to modify this Policy at any time. Material changes will be communicated through the Services, via email to the address associated with your account, or through prominent in app notifications at least thirty (30) days prior to the effective date of such changes. Your continued use of the Services following the effective date of any modification constitutes your acceptance of the updated Policy.

Strand Health Inc. is incorporated in the State of Delaware with its principal place of business at 1002 Dean Street, Suite 101, Brooklyn, NY 11238. For questions regarding this Policy, contact us at privacy@everfur.com.

2. Information We Collect

We collect information from multiple sources and through multiple means as described below. The categories below are intended to be comprehensive and include all data types that may be collected through any current or future feature of the Services.

2.1 Information You Provide Directly

We collect information that you voluntarily provide when you create an account, use our Services, communicate with us, upload content, or otherwise interact with our platform. This includes but is not limited to:

Account and Identity Information. Full name, email address, username, password and authentication credentials, phone number, profile photograph, date of birth (if provided), mailing address, and any other information you provide during account registration or profile completion. For veterinary professionals: veterinary license number, DEA registration number, NPI number (if applicable), state(s) of licensure, license expiration dates, specialty certifications, clinic or practice name, practice address(es), organizational affiliation, and professional credentials.

Pet and Animal Information. Pet name, species, breed (including mixed breed composition if known), date of birth or estimated age, weight, body condition score, sex, reproductive status (intact, spayed, neutered, including date of procedure if known), microchip number, registration or pedigree information, coat color and pattern, distinguishing physical characteristics, dietary information (food brand, feeding schedule, supplements, treats), exercise and activity levels, behavioral notes, housing or living environment information, and any other descriptive information you choose to provide about your animal(s).

Medical and Health Records. Vaccination history and records, current and past medications (including dosage, frequency, route of administration, prescribing veterinarian, pharmacy), known drug allergies and adverse reactions, diagnosed medical conditions and chronic illnesses, surgical history, hospitalization records, laboratory results (bloodwork panels, urinalysis, fecal analysis, cytology, histopathology, culture and sensitivity, metabolic panels, endocrine panels, organ function panels), diagnostic imaging reports (radiograph interpretations, ultrasound findings, CT or MRI results), dental records and dental radiographs, growth and developmental records, reproductive history, behavioral health assessments, pain scores, vitality and quality of life assessments, end of life and hospice care notes, necropsy reports, emergency visit records, specialist referral notes and consultation summaries, and any other clinical or health related information you submit or that is transmitted through integrated practice management information systems (PIMS) or electronic health record (EHR) systems.

User Generated Content and Media. Photographs and images of animals (including clinical photographs of skin conditions, eye conditions, wounds, masses, dental conditions, ear conditions, orthopedic presentations, dermatologic presentations, and any other body region or clinical presentation), video recordings, audio recordings (including cough recordings, respiratory sounds, vocalization recordings, heart and lung sounds captured via digital stethoscope or device microphone), text descriptions of symptoms, health concerns, behavioral observations, clinical notes and SOAP notes, annotation data, free text clinical narratives, uploaded documents (PDF lab reports, referral letters, prior medical records, insurance documents, invoices), and any other content you submit through the Services.

Biometric and Physiological Data. To the extent our Services incorporate features that analyze animal physiological data, we may collect wearable device data (activity trackers, GPS trackers, smart collars), heart rate data, respiratory rate data, temperature readings, sleep and rest pattern data, mobility and gait analysis data, caloric expenditure estimates, and environmental sensor data transmitted from connected devices. We do not collect human biometric data for identification purposes.

Biological Sample Information. If you participate in any Everfur diagnostic or research programs (including fur metabolomics testing), we may collect information associated with biological specimens submitted for analysis, including sample collection date, collection method, specimen type, chain of custody information, sample identifiers, laboratory processing metadata, and resulting analytical data (metabolomic profiles, biomarker concentrations, spectral data). Biological specimens themselves are processed by our laboratory partners and are subject to their respective specimen retention and destruction policies.

Payment and Transaction Information. Billing name and address, payment method type, last four digits of payment card number, card expiration date, transaction amounts, transaction dates, subscription plan details, billing cycle information, refund and credit history, promotional code usage, and payment processor transaction identifiers. Full payment card numbers, CVV codes, and bank account credentials are processed by our PCI DSS compliant third party payment processor(s) and are never stored on our servers.

Communications and Support Data. Information contained in emails, in app messages, live chat transcripts, support tickets, feedback forms, survey responses, app store reviews, social media interactions, phone call recordings (where permitted by law and disclosed at the time of the call), video call recordings (with your consent), bug reports, feature requests, testimonials, and any other communications you send to us or post about us on third party platforms.

User Preferences and Settings. Notification preferences, communication opt in/opt out selections, language and locale settings, display preferences, accessibility settings, feature toggles, saved searches, bookmarked content, alert configurations, and any personalization settings you configure within the Services.

2.2 Information Collected Automatically

When you access or use our Services, we automatically collect certain technical and usage information through server logs, cookies, pixels, SDKs, and similar technologies. This includes:

Device and Hardware Information. Device type and model, manufacturer, operating system name and version, operating system build number, screen resolution and display density, device orientation, available storage capacity, RAM capacity, processor type, unique device identifiers (including IDFV, Android ID, and advertising identifiers where available), mobile network carrier name, network connection type (WiFi, cellular, wired), cellular signal strength, Bluetooth and NFC capability status, camera specifications (resolution, lens count), microphone specifications, SIM card information, and browser type, version, and engine.

Usage and Interaction Data. Features accessed and frequency of use, pages and screens viewed, buttons tapped, navigation paths, actions taken within the Services (including searches performed, filters applied, items selected, forms started and completed, content viewed and duration of viewing, content shared, features enabled or disabled), session start and end times, session duration, number of sessions per day/week/month, time between sessions, first and last use dates, app version at time of interaction, referral sources, onboarding completion status, feature adoption metrics, A/B test group assignments, feature flag states, in app purchase and subscription events, and scroll depth.

Log and Diagnostic Data. IP address (full and truncated), access timestamps, server response times, HTTP request method and URL, HTTP status codes, referring and exit URLs, error codes and error messages, crash reports and stack traces, application not responding (ANR) events, memory usage at time of crash, CPU usage metrics, network request latency, API call success and failure rates, SDK versions, library versions, and performance diagnostics including app startup time, screen render time, and frame rate metrics.

Location Information. We collect location information at varying levels of precision depending on your device settings and the features you use. Approximate (coarse) location derived from IP address geolocation, which provides city or regional level location, is collected automatically. Precise (fine) GPS location is collected only if you explicitly enable location based features and grant the requisite operating system level permission. Location data may include latitude and longitude coordinates, altitude, speed, heading, horizontal and vertical accuracy, location timestamp, and the location provider (GPS, network, fused). Wi Fi access point identifiers and Bluetooth beacon identifiers may be used to determine or refine location when location services are enabled. You may disable location collection at any time through your device operating system settings.

Cookies, Pixels, and Similar Technologies. We use cookies (session and persistent), web beacons, pixel tags, local storage objects, and similar tracking technologies on our websites and within our applications. These technologies collect information such as pages visited, links clicked, browser type, date and time of visit, and other browsing behavior. We use first party analytics cookies and may use third party analytics services. We do not use third party advertising cookies or tracking pixels for cross context behavioral advertising. For detailed information about our cookie practices, see Section 11 of this Policy.

2.3 Information from Third Party Sources

We may receive information about you from third party sources, including:

Authentication Providers: If you sign in using Apple Sign In, Google Sign In, or another third party authentication service, we receive your name, email address, and a unique identifier as permitted by your account settings with that service.

Analytics and Attribution Providers: Aggregated usage data, performance metrics, attribution data (which advertisement or channel led you to our Services), and campaign performance data.

Practice Management Information Systems (PIMS) and EHR Integrations: For B2B users, veterinary practice management systems and electronic health record platforms (including but not limited to eVetPractice, Cornerstone, Avimark, Shepherd, and other integrated platforms) may transmit patient records, appointment data, billing information, treatment protocols, prescription history, inventory data, and other clinical data to our Services as authorized by the veterinary practice under the applicable enterprise or integration agreement.

Veterinary Diagnostic Laboratories: Laboratory results, reference ranges, interpretive comments, and related metadata may be transmitted to our Services when you or your veterinary practice connects a diagnostic laboratory integration.

Wearable and IoT Device Manufacturers: Activity, location, and physiological data from pet wearable devices, smart feeders, smart litter boxes, or other internet connected pet devices that you choose to integrate with our Services.

Insurance Partners: Pet insurance partners may transmit policy information, claims history, coverage details, and pre authorization data as authorized under their agreements with you and with us.

Publicly Available Sources: We may collect information from publicly available databases, government records, breed registries, published veterinary literature, and other public sources to enhance the accuracy of our Services.

2.4 Sensitive Information Disclosures

We do not intentionally collect sensitive personal information as defined under applicable U.S. state privacy laws pertaining to humans, including but not limited to Social Security numbers, driver's license numbers, financial account credentials (other than as described in Section 2.1), racial or ethnic origin, religious or philosophical beliefs, sexual orientation, genetic data, biometric data used for uniquely identifying a human individual, health information pertaining to humans, citizenship or immigration status, or union membership. The health and biological information we collect pertains exclusively to non human animals and does not constitute protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) or analogous state laws governing human health data. However, we recognize that pet owner identity information combined with pet health information may be considered sensitive by users, and we treat all user data with appropriate care regardless of its legal classification.

2.5 Information We Do Not Collect

For clarity and avoidance of doubt, we do not collect: human health, genetic, or biometric data for identification purposes; Social Security numbers, taxpayer identification numbers, or government issued identification numbers (except professional license numbers for B2B users); login credentials for third party services (except through secure OAuth flows); contents of phone calls, text messages, or other communications that occur outside the Services; information from children under the age of thirteen (13), as detailed in Section 12.

3. How We Use Your Information

We use the information we collect for the purposes described below. We process information only where we have a lawful basis to do so, and we limit processing to what is reasonably necessary for the stated purpose.

3.1 Service Delivery and Core Operations

  • To create, maintain, authenticate, and secure your account and verify your identity.
  • To provide, operate, personalize, and continuously improve our Services, including AI generated health assessments, drug dosing calculations, differential diagnosis generation, clinical decision support, laboratory result interpretation, imaging analysis, clinical scribe functionality, and any other current or future AI powered features.
  • To process your uploaded images (photographs of skin conditions, eye conditions, wounds, masses, dental presentations, ear conditions, and other clinical presentations) through our computer vision and image classification models to generate clinical assessments, confidence scores, and recommended next steps.
  • To process audio recordings (cough recordings, respiratory sounds, heart sounds, vocalizations) through our audio analysis models to support clinical assessment.
  • To geocode and display location information for the purpose of identifying nearby veterinary clinics, emergency veterinary hospitals, pharmacies, pet service providers, and other location relevant features.
  • To maintain longitudinal health records for your animals, enabling trend analysis, early detection of health changes, and continuity of care across veterinary visits.
  • To process biological sample results and generate diagnostic reports, health scores, risk assessments, and personalized health recommendations based on metabolomic, proteomic, or other analytical data.
  • To process transactions, manage subscriptions, send purchase confirmations, invoices, billing reminders, and payment failure notifications.
  • To respond to your questions, requests, and support inquiries.

3.2 Artificial Intelligence and Machine Learning

Our use of data in connection with AI and ML is described in detail in Section 10 of this Policy. In summary, we use data to:

  • Process your real time inputs to generate AI powered outputs (inference).
  • Train, validate, test, and improve our AI and ML models, but only with de identified data or with your explicit, informed, opt in consent as described in Section 10.
  • Evaluate model performance, detect model drift, measure accuracy, and ensure safety and reliability.
  • Develop new AI features, capabilities, and model architectures.

3.3 Communications

  • To send transactional communications including account verification, password resets, security alerts, appointment reminders, medication reminders, vaccination due date notifications, and administrative messages.
  • To send promotional communications, product updates, new feature announcements, newsletters, and marketing materials where permitted by applicable law and consistent with your communication preferences. You may opt out of promotional communications at any time.
  • To send health alerts, wellness reminders, and personalized health recommendations for your animals based on their profile information and health history.

3.4 Analytics, Research, and Product Improvement

  • To monitor and analyze usage trends, feature adoption, user behavior patterns, and service performance.
  • To conduct A/B testing, feature experiments, and user experience research.
  • To generate aggregate and de identified statistical analyses of disease prevalence, treatment outcomes, geographic health trends, breed specific health patterns, and other population level veterinary health insights.
  • To conduct internal research and development, including development of new products, features, models, and services.
  • To benchmark and validate our AI models against peer reviewed veterinary clinical standards.

3.5 Safety, Security, and Legal Compliance

  • To detect, investigate, and prevent fraud, unauthorized access, security incidents, abuse, spam, and other harmful or illegal activities.
  • To enforce our Terms of Service, Acceptable Use Policy, and other agreements.
  • To protect the rights, property, safety, and security of the Company, our users, our employees, and the general public.
  • To comply with applicable laws, regulations, legal processes, subpoenas, court orders, and governmental requests.
  • To establish, exercise, or defend legal claims.
  • To maintain audit trails and records as required for regulatory compliance, including SOC 2 compliance obligations.

4. How We Share Your Information

We do not sell your personal information. We do not share your personal information for cross context behavioral advertising. We may share your information only in the circumstances described below.

4.1 Service Providers and Sub Processors

We share information with carefully vetted third party service providers and sub processors who perform services on our behalf under written agreements that require them to protect your information and use it only as directed by us. These providers include cloud hosting and infrastructure providers, data analytics and business intelligence services, payment processing services, email and push notification delivery services, customer support and help desk platforms, error monitoring and crash reporting services, application performance monitoring services, content delivery networks, identity verification and authentication services, and security and penetration testing firms. A current list of our sub processors is maintained at everfur.com/sub-processors and is updated at least thirty (30) days before any new sub processor begins processing personal information.

4.2 Business Partners and Integrations (B2B)

For Everfur Clinical Intelligence users, we may share clinical data with the veterinary practice or organization that submitted it, share de identified or aggregated clinical data with practice management groups as necessary to deliver contracted services, transmit data to and receive data from integrated PIMS and EHR systems as authorized under the applicable enterprise agreement, and share performance analytics and usage reports with authorized practice administrators. Individual animal patient data is shared only with the veterinary practice that submitted it, the pet owner associated with that animal (if using our DTC product), or as directed by the authorized practice administrator.

4.3 Diagnostic and Laboratory Partners

If you submit biological samples for analysis through our Services, we share necessary sample identifiers and associated metadata with our laboratory processing partners (currently NYU Langone Health and affiliated laboratories) to facilitate analysis. Results are returned to us and associated with your account. Laboratory partners operate under their own privacy policies with respect to physical specimen handling and are bound by written agreements restricting their use of Everfur user data.

4.4 Research Collaborators

We may share de identified, aggregated, or anonymized data with academic and research collaborators for veterinary science research purposes. We will never share individually identifiable data with research collaborators without obtaining your separate, explicit, informed consent. Any published research will use only aggregate or anonymized data.

4.5 Legal Requirements and Protection of Rights

We may disclose your information if we believe in good faith that such disclosure is reasonably necessary to: (a) comply with applicable law, regulation, legal process, subpoena, court order, or enforceable governmental request; (b) enforce our Terms of Service, this Policy, or other applicable agreements, including investigation of potential violations; (c) detect, prevent, or otherwise address fraud, security, abuse, or technical issues; (d) protect the rights, property, or safety of the Company, our users, our employees, or the public as required or permitted by law; or (e) establish, exercise, or defend legal claims. Where permitted by law, we will attempt to notify you of such disclosures, unless such notice would be prohibited by law, would compromise the integrity of an investigation, or would create a risk of harm.

4.6 Business Transfers

In connection with, or during negotiations of, any merger, acquisition, sale of assets, reorganization, financing, IPO, joint venture, dissolution, or transfer of all or a portion of our business to another company, your information may be among the assets transferred or disclosed during due diligence. In such an event, we will notify you via email and/or a prominent notice within our Services of any change in ownership, any new uses of your personal information that differ materially from this Policy, and any choices you may have regarding your personal information. The acquiring entity will be bound by the terms of this Policy with respect to information collected prior to the transfer.

4.7 De Identified and Aggregate Data

We may share de identified, aggregated, or otherwise non personally identifiable data with third parties for any purpose, including veterinary research, industry benchmarking, public health analysis, academic publication, and commercial analytics. De identification is performed using techniques that meet or exceed the standards set forth in applicable privacy laws and that are designed to prevent re identification. We contractually prohibit recipients from attempting to re identify de identified data.

4.8 With Your Consent

We may share your information with third parties when you have given us your explicit, informed consent to do so, including through in app consent flows, written agreements, or other affirmative consent mechanisms.

5. Data Retention

We retain your personal information only for as long as reasonably necessary to fulfill the purposes for which it was collected, to comply with our legal obligations, to resolve disputes, to enforce our agreements, and as permitted by applicable law. Our specific retention periods are as follows:

  • Account Data: Retained for the duration of your active account and for thirty (30) days following account deletion to allow for account recovery, after which it is permanently and irreversibly deleted from all active systems.
  • Pet Health and Clinical Records: Retained for the duration of your active account. Upon account deletion, permanently deleted within thirty (30) days, unless retention is required by law, a valid legal hold, or a pending or reasonably anticipated legal proceeding.
  • User Generated Media (Images, Audio, Video): Retained for the duration of your active account. Permanently deleted within thirty (30) days of account deletion. If you have opted in to model training use, de identified versions may be retained in training datasets as described in Section 10.
  • Location Data: Precise location data is retained for no more than twenty four (24) hours for real time feature delivery. Approximate (coarse) location is retained in de identified form for up to twelve (12) months for analytics purposes.
  • Biological Sample Data: Analytical results are retained for the duration of your active account. Physical specimens are handled and retained/destroyed per our laboratory partners' policies. Upon account deletion, analytical results are permanently deleted within thirty (30) days.
  • Usage Analytics and Diagnostic Data: Retained in de identified or pseudonymized form for up to twenty four (24) months for product improvement purposes.
  • Payment and Transaction Records: Retained for seven (7) years as required for tax, financial reporting, and audit purposes.
  • Communications and Support Records: Retained for three (3) years following resolution.
  • Marketing Consent Records: Retained for as long as the consent is valid and for three (3) years after withdrawal to demonstrate compliance.
  • Security Logs and Audit Trails: Retained for a minimum of twelve (12) months and up to thirty six (36) months as required for security incident investigation and SOC 2 compliance.

When retention periods expire, data is permanently deleted from active databases and production systems. Backup systems may retain encrypted copies for up to an additional ninety (90) days, after which backup data is purged through standard backup rotation processes.

6. Data Security

We implement comprehensive administrative, technical, organizational, and physical safeguards designed to protect personal information from unauthorized access, disclosure, alteration, destruction, loss, and misuse. Our security program includes but is not limited to the following measures:

6.1 Technical Safeguards

  • Encryption of all data in transit using TLS 1.2 or higher with strong cipher suites.
  • Encryption of all data at rest using AES 256 or equivalent encryption standards.
  • Encryption of database fields containing sensitive data (medical records, payment information) with application level encryption in addition to storage level encryption.
  • Secure key management using hardware security modules (HSMs) or equivalent cloud provider key management services.
  • Role based access controls (RBAC) limiting employee and contractor access to personal information to those with a documented, legitimate business need.
  • Multi factor authentication (MFA) required for all employee and contractor access to production systems and administrative interfaces.
  • Network segmentation and firewalls isolating production environments from development, staging, and corporate networks.
  • Intrusion detection and prevention systems (IDS/IPS) monitoring for unauthorized access attempts.
  • Web application firewall (WAF) protection against common web application attacks.
  • Automated vulnerability scanning and regular penetration testing by qualified third party security firms.
  • Secure software development lifecycle (SSDLC) practices, including code review, static application security testing (SAST), and dynamic application security testing (DAST).
  • API authentication and rate limiting to prevent unauthorized access and abuse.
  • Database access logging and monitoring with real time alerting on anomalous access patterns.

6.2 Administrative and Organizational Safeguards

  • SOC 2 Type II compliance program administered through Drata with independent audit by Prescient Security.
  • Formal information security policies, standards, and procedures reviewed and updated at least annually.
  • Mandatory security awareness training for all employees and contractors prior to accessing personal information and annually thereafter.
  • Background checks on employees and contractors with access to sensitive data, consistent with applicable law.
  • Written confidentiality agreements and data handling obligations for all employees and contractors.
  • Vendor risk assessment program for third party service providers who access or process personal information.
  • Formal change management and configuration management processes.
  • Regular risk assessments and security program reviews.

6.3 Incident Response

We maintain a formal incident response plan that includes procedures for detecting, responding to, containing, remediating, and recovering from security incidents. In the event of a data breach that affects your personal information, we will notify you and applicable regulatory authorities as required by applicable law within the timeframes specified by such laws. Our incident response plan is tested at least annually through tabletop exercises.

No method of transmission over the Internet or method of electronic storage is completely secure. While we use commercially reasonable and industry standard measures to protect your personal information, we cannot guarantee absolute security. We encourage you to use strong, unique passwords for your Everfur account and to notify us immediately at security@everfur.com if you suspect any unauthorized access to your account.

7. Your Privacy Rights

7.1 Rights Available to All Users

Regardless of your geographic location, we provide all users with the following rights:

  • Right to Access: You may request a copy of the personal information we hold about you, including the categories and specific data elements collected, the sources of that information, the purposes for which it is used, and the categories of third parties with whom it has been shared.
  • Right to Correction: You may request that we correct or update inaccurate, incomplete, or outdated personal information.
  • Right to Deletion: You may request that we delete your personal information, subject to certain exceptions required by law (such as fraud prevention, legal compliance, or exercising or defending legal claims).
  • Right to Data Portability: You may request a copy of your personal information in a structured, commonly used, machine readable format (such as JSON or CSV).
  • Right to Opt Out of Marketing: You may opt out of receiving promotional communications at any time by following the unsubscribe instructions in those communications, adjusting your notification settings within the app, or by contacting us at privacy@everfur.com.
  • Right to Withdraw Consent: Where we rely on your consent to process your information, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.

To exercise any of these rights, contact us at privacy@everfur.com or use the in app account settings. We will acknowledge your request within ten (10) business days and respond substantively within thirty (30) days. We may require verification of your identity before processing your request, and we will not fulfill requests that we cannot verify. We will not charge a fee for processing reasonable requests.

7.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the CCPA):

  • Right to Know the categories and specific pieces of personal information collected, sources, purposes, and third party recipients.
  • Right to Delete personal information we have collected, subject to statutory exceptions.
  • Right to Correct inaccurate personal information.
  • Right to Non Discrimination: We will not discriminate against you for exercising any CCPA rights, including by denying goods or services, charging different prices, providing a different level of quality, or suggesting you will receive any of the foregoing.
  • Right to Limit Use of Sensitive Personal Information: To the extent we process sensitive personal information as defined under the CCPA, you have the right to limit our use and disclosure of such information to purposes necessary to perform the Services.

We do not sell personal information. We do not share personal information for cross context behavioral advertising. We do not use or disclose sensitive personal information for purposes beyond those permitted under the CCPA. To submit a CCPA request, contact us at privacy@everfur.com. You may designate an authorized agent to make a request on your behalf, subject to our identity verification procedures. We will verify your identity using at least two data points matching your account before fulfilling your request.

7.3 Residents of Other U.S. States with Comprehensive Privacy Laws

If you reside in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Indiana, Kentucky, Rhode Island, Tennessee, Nebraska, New Hampshire, New Jersey, Maryland, Minnesota, or any other U.S. state that has enacted or enacts comprehensive consumer privacy legislation, you may have rights similar to those described above, including rights to access, correct, delete, and port your personal information, as well as the right to opt out of targeted advertising, the sale of personal information, and profiling in furtherance of decisions that produce legal or similarly significant effects. We honor all such rights to the extent required by applicable law. To exercise these rights, contact us at privacy@everfur.com. If we decline your request, you may appeal our decision by contacting us at privacy@everfur.com with the subject line "Privacy Rights Appeal" and we will respond within the time period required by your state's law.

7.4 International Users (GDPR and Similar Laws)

While our Services are primarily directed at users in the United States, if you access our Services from a jurisdiction subject to the European Union General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, or similar comprehensive data protection legislation, you may have additional rights including the right to lodge a complaint with a supervisory authority, the right to object to processing based on legitimate interests, and the right to restrict processing. Our lawful bases for processing include performance of a contract, legitimate interests (such as improving our Services, ensuring security, and preventing fraud), consent (where applicable), and legal compliance. For data transferred outside your jurisdiction, we rely on Standard Contractual Clauses or other approved transfer mechanisms. Contact us at privacy@everfur.com for more information or to exercise your rights.

8. Location Data Practices

Because location data is particularly sensitive, we provide this dedicated section detailing our location data practices.

8.1 Types of Location Data

Approximate Location: We derive approximate (city or regional level) location from your IP address when you access our Services. This occurs automatically and does not require your affirmative permission beyond using the Services.

Precise Location: We collect precise GPS based location data only when you: (a) enable a location dependent feature (such as "Find Nearby Vets"), and (b) grant location permission through your device operating system. You are never required to share precise location to use our core Services.

8.2 How We Use Location Data

  • To display nearby veterinary clinics, emergency animal hospitals, pharmacies, pet stores, and other relevant service providers.
  • To provide location relevant health alerts (such as regional disease outbreaks, tick prevalence zones, or extreme weather warnings).
  • To associate geographic context with biological sample collection data (if you opt in).
  • In de identified and aggregated form, to analyze regional pet health trends and inform product development.

8.3 Location Data Retention and Controls

Precise location data used for real time feature delivery is retained for no more than twenty four (24) hours. Approximate location data retained for analytics purposes is de identified and retained for no more than twelve (12) months. You may revoke location permissions at any time through your device settings. Revoking precise location permission does not delete previously collected location data; to request deletion of historical location data, contact us at privacy@everfur.com.

9. Image, Audio, and Media Data Practices

Because our Services rely on the analysis of images, audio recordings, and other rich media, we provide this dedicated section detailing our media data practices.

9.1 Image Processing

When you upload photographs to our Services (including clinical photographs of skin conditions, eye conditions, wounds, masses, dental presentations, ear conditions, and other body regions), those images are transmitted to our secure servers over encrypted connections and processed by our computer vision and image classification models. Processing occurs in real time to generate diagnostic assessments, confidence scores, and clinical recommendations. The original image is stored in your account and associated with the relevant pet profile.

9.2 Audio Processing

When you record audio through our Services (including cough recordings, respiratory sounds, heart sounds, and other vocalizations), those recordings are transmitted to our secure servers and processed by our audio analysis models. Recordings are stored in your account and associated with the relevant pet profile.

9.3 Media Data Use and Limitations

  • Images and audio are used to generate the specific clinical output you requested (the primary purpose).
  • Images and audio are displayed within your account and may be shared with your veterinarian if you choose to use sharing features.
  • Images and audio are not used for training our AI models unless you have provided separate, explicit, informed, opt in consent as described in Section 10.
  • Images and audio may be reviewed by authorized Everfur personnel for quality assurance, safety monitoring, and abuse prevention purposes, subject to strict access controls and confidentiality obligations.
  • Images and audio are permanently deleted within thirty (30) days of account deletion.

9.4 Metadata

Images and audio files may contain embedded metadata (EXIF data, geolocation coordinates, device information, timestamps). We may extract and use this metadata for quality assurance (such as verifying image resolution) and, where relevant, to associate geographic or temporal context with the media. We do not share raw media metadata with third parties except as described in Section 4.

10. Artificial Intelligence and Machine Learning

Our Services utilize advanced artificial intelligence and machine learning technologies. We are committed to transparency about how these technologies work and how your data interacts with them.

10.1 AI Capabilities

Our AI powered features currently include, but are not limited to: differential diagnosis generation, drug dosing calculations, clinical decision support, image based disease classification (dermatologic, ophthalmic, and other presentations), audio based respiratory assessment, laboratory result interpretation, clinical note generation (AI scribe), treatment protocol recommendations, medication interaction checking, and personalized health risk assessments. We may introduce additional AI features in the future, and this Policy applies to all such features.

10.2 Model Training Data Sources

Our AI models are trained primarily on: (a) peer reviewed veterinary literature and textbooks obtained under valid content licenses; (b) structured clinical reference databases and ontologies (including SNOMED CT Veterinary Extension, RxNorm, ATCvet, and proprietary knowledge graph data); (c) publicly available veterinary research data; and (d) de identified data from users who have provided explicit, informed, opt in consent for training use. We maintain detailed documentation of training data provenance and composition.

10.3 User Data and Model Training

Default (Opt Out): By default, we do not use your individually identifiable clinical data, photographs, audio recordings, or other user generated content to train, fine tune, or otherwise improve our AI models. When you use AI features, your inputs are processed to generate the requested output and are not incorporated into model training datasets.

Opt In Training Consent: You may voluntarily opt in to allow us to use your de identified data for model training and improvement. Opt in consent is: (i) separate from acceptance of this Policy or our Terms of Service; (ii) informed, with a clear explanation of what data will be used and how; (iii) granular, allowing you to consent to specific data types; (iv) revocable at any time through your account settings, though revocation does not require us to retrain models that have already been trained on previously consented data; and (v) not a condition of using any feature of the Services.

10.4 De Identification for Training

Before any user data is used for model training (with consent), we apply de identification procedures designed to remove or obscure all personal identifiers, including pet names, owner names, email addresses, phone numbers, specific dates, clinic names, veterinarian names, and any other information that could reasonably be used to identify an individual. De identification methods include suppression, generalization, perturbation, and k anonymity or differential privacy techniques as appropriate for the data type.

10.5 Real Time Processing (Inference)

When you use AI features, your inputs are transmitted to our secure servers, processed by our models, and the outputs are returned to you. Inputs are used solely to generate the requested output during that session. Unless you have opted in to training consent, inputs processed during inference are not retained in any model training dataset. Inference processing occurs on our own managed cloud infrastructure and is not outsourced to third party model providers without appropriate data processing agreements.

10.6 Automated Decision Making

Our AI features provide informational outputs, recommendations, and clinical decision support. They do not make autonomous decisions that produce legal effects or similarly significant effects concerning any individual. All AI outputs are intended to be reviewed by the user (pet owners) or a licensed veterinary professional (B2B users) before any action is taken. We do not use AI to make automated decisions about account eligibility, pricing, service access, or any other determination that would affect your rights or obligations under this Policy or our Terms of Service.

10.7 Accuracy, Limitations, and Disclaimers

AI generated outputs are probabilistic and may contain errors, omissions, or inaccuracies. Confidence scores reflect statistical likelihood based on training data distributions and do not represent diagnostic certainty. AI outputs are not a substitute for professional veterinary examination, diagnosis, or treatment. Users should not rely solely on AI outputs for clinical decision making. We continuously work to improve model accuracy, but no AI system achieves perfect performance, and edge cases, rare conditions, and out of distribution inputs may produce unreliable results. See our Terms of Service for additional disclaimers regarding AI limitations.

10.8 Human Oversight and Safety

We maintain human oversight processes for our AI systems, including regular model performance evaluation by qualified veterinary and data science professionals, monitoring for model drift and degradation, out of distribution detection mechanisms designed to flag inputs that may fall outside the model's reliable operating range, safety gates that escalate uncertain or high risk outputs for additional review, and feedback mechanisms through which users can report inaccurate or concerning outputs.

11. Cookies and Tracking Technologies

11.1 Types of Technologies Used

Strictly Necessary Cookies: Essential for the operation of our Services, such as session management, authentication, and security. These cannot be disabled without affecting core functionality.

Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferences, language, and display settings.

Analytics Cookies: Help us understand how users interact with our Services, measure performance, and identify areas for improvement. We use first party analytics and may use third party analytics services such as Firebase Analytics, Mixpanel, or similar tools.

SDKs and Mobile Analytics: Our mobile applications may incorporate software development kits (SDKs) from analytics providers for crash reporting, performance monitoring, and usage analytics. These SDKs may collect device identifiers and usage data as described in Section 2.2.

11.2 Technologies We Do Not Use

We do not use third party advertising cookies or pixels. We do not use tracking technologies for cross context behavioral advertising. We do not participate in ad exchanges, real time bidding, or similar advertising auction systems. We do not allow third party advertisers to place cookies on our Services.

11.3 Your Choices

You may manage cookie preferences through your browser settings. Most browsers allow you to block or delete cookies, although doing so may affect the functionality of certain features. Where required by applicable law, we display a cookie consent banner that allows you to accept or reject non essential cookies. We honor Global Privacy Control (GPC) signals as valid opt out requests where required by applicable law.

12. Children's Privacy

Our Services are not directed to individuals under the age of thirteen (13), or under the age of sixteen (16) in jurisdictions where applicable law sets a higher age threshold. We do not knowingly collect personal information from children below these applicable age thresholds. We do not knowingly allow children to create accounts or submit content to our Services. If we become aware that we have collected personal information from a child without verification of parental consent (where required), we will take prompt steps to delete that information and terminate any associated account. If you believe we may have collected information from a child below the applicable age threshold, please contact us immediately at privacy@everfur.com.

13. Third Party Services, Links, and Integrations

Our Services may contain links to, or integrations with, third party websites, applications, or services that are not operated or controlled by us. This includes veterinary clinic websites, pharmacy platforms, pet insurance portals, wearable device manufacturer apps, social media platforms, app stores, payment processors, and laboratory portals. This Policy does not apply to those third party services, and we are not responsible for their privacy practices, data collection, or security measures. We encourage you to review the privacy policies of any third party services before providing your information. The inclusion of a link to or integration with a third party service does not imply our endorsement of that service's privacy practices.

14. International Data Transfers

Our Services are primarily operated in the United States. If you access our Services from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection and privacy laws may differ from, and may be less protective than, those in your country of residence. By using our Services, you explicitly consent to the transfer of your information to the United States and to its processing in the United States in accordance with this Policy. Where required by applicable law (such as the GDPR), we implement appropriate safeguards for international data transfers, including European Commission approved Standard Contractual Clauses (SCCs) or other valid transfer mechanisms. We also maintain agreements with our service providers that require them to protect transferred data in accordance with applicable data protection laws.

15. Do Not Track and Global Privacy Control

Our Services do not currently respond to "Do Not Track" (DNT) browser signals, as there is no industry consensus on how to interpret and respond to DNT signals. However, we honor Global Privacy Control (GPC) signals as valid opt out of sale/sharing requests where required by applicable law, including under the CCPA. If we detect a GPC signal from your browser, we will treat it as a valid request to opt out of the sale or sharing of your personal information. Because we do not sell personal information or share it for cross context behavioral advertising, GPC signals do not change our data processing practices, but we respect and record these signals as a matter of transparency and compliance.

16. Disclaimers and Limitation of Liability

This Policy is provided for transparency and informational purposes regarding our data practices. Nothing in this Policy creates, expands, or limits any rights or obligations beyond those established by applicable law, our Terms of Service, or other binding agreements between you and the Company. Our compliance with this Policy does not constitute a guarantee against any loss, misuse, or alteration of your information, as no security measures are infallible. To the maximum extent permitted by applicable law, the Company's liability for any claims arising under or related to this Policy shall be limited as set forth in our Terms of Service.

17. Governing Law and Dispute Resolution

This Policy is governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of laws principles. Any dispute, claim, or controversy arising out of or relating to this Policy or the processing of your personal information shall be resolved in accordance with the dispute resolution provisions set forth in our Terms of Service, which may include mandatory binding arbitration and a class action waiver. Nothing in this section limits your right to file a complaint with a data protection authority in your jurisdiction where applicable law provides for such a right.

18. Supplemental Privacy Notices

We may provide supplemental privacy notices for specific products, features, programs, or jurisdictions. Such supplemental notices are incorporated into and form a part of this Policy. In the event of a conflict between this Policy and a supplemental notice, the supplemental notice shall control with respect to the specific product, feature, program, or jurisdiction to which it applies.

19. Sub Processors

We use third party sub processors to assist in providing our Services. A current list of sub processors is maintained at everfur.com/sub-processors and is updated at least thirty (30) days before any new sub processor begins processing personal information. If you are a B2B customer and wish to receive advance notification of sub processor changes, you may subscribe to updates through our sub processor page or your account settings.

20. Data Processing Addendum (B2B Customers)

Enterprise and B2B customers that require a Data Processing Addendum (DPA) or similar contractual data protection terms may request our standard DPA by contacting legal@everfur.com. Our DPA includes terms addressing data processing roles and responsibilities, technical and organizational security measures, sub processor management, data breach notification, data subject rights assistance, international data transfer mechanisms, audit rights, and data return and deletion upon termination.

21. Changes to This Policy

We may update this Policy from time to time to reflect changes in our data practices, Services, legal requirements, or industry standards. If we make material changes, we will notify you by: (a) email sent to the address associated with your account; (b) in app notification or prominent notice within our Services; or (c) both. Notification will be provided at least thirty (30) days prior to the effective date of the changes. We will indicate the date of the most recent update at the top of this Policy. We encourage you to review this Policy periodically. Material changes will not be applied retroactively to information collected before the effective date of the change without your consent where required by applicable law. A history of prior versions of this Policy is available upon request by contacting privacy@everfur.com.

22. Contact Us

If you have questions, concerns, complaints, or requests regarding this Privacy Policy, our data practices, or your privacy rights, please contact us at:

Strand Health Inc.
d/b/a Everfur
1002 Dean Street, Suite 101
Brooklyn, NY 11238

Email: privacy@everfur.com
Security issues: security@everfur.com
Legal and DPA requests: legal@everfur.com
Website: everfur.com/privacy

Copyright © 2026 Strand Health Inc. All rights reserved.