Privacy Policy

Last updated: May 4, 2026

Overview

Keepsake ("we", "us", "our") is a product of Aletheias.ai Inc. operated at keepsake.vet and app.keepsake.vet. This Privacy Policy describes what information we collect, how we use it, the third parties with whom we share it, the methods by which it is disclosed, and the security practices we use to protect it. It applies to visitors of our marketing site, veterinary clinics that subscribe to the service, and the staff users they invite.

Information We Collect

Account & signup information

When you request access or create an account, we collect your name, email address, clinic name, clinic location (city, state), role at the clinic, and a password (stored only as a salted hash). Additional staff users invited to your clinic provide the same identifying information.

Billing information

Payment card details are collected and stored by our payment processor, Stripe, and are never transmitted to or stored on our servers. We retain only the Stripe customer and subscription identifiers, the billing email address, and metered usage counts (number of paw prints generated) needed to invoice your clinic.

Pet photos and generated images

To generate a memorial paw print, you upload one or more photographs of a pet's paw (and, optionally, a pet name supplied by your clinic). We store the source photos and the AI-generated output images in our cloud object storage so that you can retrieve and re-engrave them. Photos and outputs are linked to the clinic account that uploaded them; we do not collect pet-owner identifying information.

Engraver telemetry

If your clinic uses a Keepsake-connected engraver, the device communicates with our cloud over an authenticated MQTT connection. We collect job status, firmware version, device identifier, error messages, and operational telemetry (e.g., temperature, USB and Wi-Fi state) needed to operate, support, and update the device. We do not collect audio, video, or images from the engraver beyond the artwork files queued for jobs.

Server logs

Our servers automatically log request metadata (IP address, user agent, timestamp, request path, response status) for security monitoring, abuse prevention, and debugging. Logs are retained for up to 90 days.

Cookies

Our applications use a single authentication token stored in your browser (localStorage and a first-party cookie scoped to our domains) to keep you signed in. We do not use third-party advertising cookies, and our marketing site (keepsake.vet) does not currently use analytics or tracking cookies.

How We Use Information

  • To create and administer your clinic's account and authenticate users.
  • To deliver the core service: generating, storing, and engraving paw prints.
  • To process subscription payments and metered usage billing through Stripe.
  • To send transactional email such as account verification, password resets, billing receipts, and service notifications.
  • To provide customer support and respond to inquiries.
  • To monitor service health, prevent abuse, and investigate security incidents.
  • To improve our AI models — but only with your clinic's explicit, opt-in consent. We do not use customer photos or generated images to train models by default.
  • To comply with legal obligations, enforce our Terms of Service, and protect our rights and the rights of our users.

How We Share Information (Third-Party Sub-processors)

We do not sell or rent your information. We share the categories of data described above only with the following service providers, each of which is contractually required to use the data solely to provide services to us:

  • Stripe, Inc. — payment processing and subscription billing. Receives billing email, clinic name, payment card details (entered directly into Stripe's hosted fields), and metered usage events.
  • OpenAI, L.L.C. — AI image generation. Receives the pet paw photographs you upload, processes them to produce the line-art output, and returns the result. Per OpenAI's API data-usage policy, API inputs and outputs are not used to train OpenAI's models by default.
  • DigitalOcean, LLC — cloud hosting (compute, managed PostgreSQL database) and Spaces object storage. Stores all customer account data, photos, and generated images.
  • Resend, Inc. — transactional email delivery. Receives recipient email addresses and message content for service emails (verification, billing, etc.).

We may also disclose information when we believe in good faith that disclosure is required by law (e.g., a valid subpoena), is necessary to enforce our Terms, or is necessary to protect the safety of our users or the public. In the event of a merger, acquisition, or asset sale, your information may be transferred as part of that transaction; we will notify you and any successor will be bound by this Policy.

Method of Disclosure

Information is transmitted to the third parties above only by authenticated, server-to-server API calls over TLS-encrypted HTTPS connections. Payment card data is sent directly from your browser to Stripe via Stripe's hosted Elements; it does not traverse our servers. Engraver telemetry is sent over TLS-encrypted MQTT (mqtts://) using per-device credentials. Email is delivered via authenticated, TLS-encrypted SMTP/HTTPS through Resend. We do not publicly post, share with advertisers, or otherwise broadcast your information.

Data Retention

We retain account information for as long as your clinic maintains an active subscription, and for a reasonable period afterward to support reactivation, billing reconciliation, and legal record-keeping. Source photos and generated images are retained while your account is active so that you can re-engrave them. You may request deletion of specific images, or of your entire account, at any time by contacting us at the address below; we will action verified deletion requests within 30 days, subject to our obligation to retain limited records (e.g., invoices) as required by law. Server logs are retained for up to 90 days.

Security Practices

We use industry-standard practices to protect your information, including:

  • TLS encryption in transit for all web, API, and MQTT traffic.
  • Encryption at rest for our managed PostgreSQL database and Spaces object storage.
  • Passwords stored only as salted, slow-hashed digests; never in plaintext.
  • Stateless JWT-based session tokens, scoped per product and revocable on signout.
  • Per-device credentials and isolated topics for MQTT connections from engravers.
  • Principle-of-least-privilege access controls for our staff; production access is limited to the small number of personnel who require it for operations and support.
  • Network firewalls and VPC isolation between application, database, and broker tiers.
  • Routine application of security updates to operating systems and dependencies.

No system is perfectly secure. If we become aware of a security incident affecting your information, we will notify affected clinics without undue delay and as required by applicable law.

Your Rights

You may request access to, correction of, or deletion of the personal information we hold about you by emailing hello@aletheias.ai. Depending on your jurisdiction (e.g., California, EEA/UK), you may have additional rights such as the right to data portability, the right to object to or restrict processing, and the right to lodge a complaint with a supervisory authority. We do not sell personal information and do not engage in cross-context behavioral advertising.

Children's Privacy

Keepsake is a business-to-business service offered to veterinary clinics. It is not directed to children under 13, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can delete it.

International Users

Our services are operated from, and information is processed in, the United States. If you access the service from outside the United States, you consent to the transfer and processing of your information in the United States, where data-protection laws may differ from those in your jurisdiction.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above. Material changes will be communicated by email to the address on your clinic's account or by an in-product notice prior to the change taking effect.

Contact

For questions about this Policy, to exercise your rights, or to report a privacy concern, contact us at hello@aletheias.ai, or by mail to: Aletheias.ai Inc., Attn: Privacy, hello@aletheias.ai.