VetNotes

VetStack Review of VetNotes and UK Market Suitability

visit their website

Core Features

AI Clinical Note Generation

The platform converts consultation audio into structured clinical notes using a veterinary-specific fine-tuned model. Notes are produced as editable drafts requiring clinician review and sign-off before being committed to the practice management system.

Veterinary-Specific Fine-Tuning

Unlike products that rely on general-purpose models adapted through prompting, VetNotes reports that its model has been fine-tuned on veterinary-specific data by an in-house veterinary team. The submission does not detail the training dataset composition or evaluation methodology.

Configurable Data Residency

Clinics can configure where their data is stored and processed. No default region is stated in the submission. Practices must confirm and document their chosen residency region before go-live.

Configurable Audio Retention

Audio retention following transcription is configurable at clinic level. No default retention period or maximum window is stated. Practices must confirm and record their chosen setting as part of their data protection documentation.

Source Audio and Text Traceability

Users can review how a note was generated with source audio available, as well as text-only traceability. Both traceability paths are supported, which is a useful verification option for practices wanting audit depth beyond transcript review alone.

User Sign-Off Safeguard

In addition to the editable draft model, VetNotes requires explicit user acknowledgement or sign-off before records are finalised. This is a stronger clinician accountability mechanism than draft-only alone.

PMS Integration

Integration is available via API and browser extension. Copy-paste is not listed as a supported workflow.

VetNotes.com is an AI-powered clinical documentation platform developed specifically for the veterinary profession, with AI design and training led by an in-house veterinary team. The platform converts spoken consultation audio into structured clinical notes using a fine-tuned model adapted to veterinary terminology and workflows.

The product is headquartered in Sydney, Australia, with a UK legal entity in place. The supplier's stated positioning is built around three pillars: simplicity, accuracy, and integration. The submission is concise and the stated differentiator is straightforward: accuracy of clinical notes, with a fine-tuned veterinary model rather than a general-purpose one adapted through prompting alone.

One submission detail requires careful attention. VetNotes declared itself as a data controller rather than a data processor for UK clinics. This is addressed directly below and is the most significant factor in assessing this product for UK practice use.

About the Organisation

VetNotes.com is headquartered in Sydney, Australia, with a UK legal entity established. The product is developed by a team that includes in-house veterinarians who are involved in both AI design and ongoing output quality monitoring. The submission is brief on organisational detail, which reflects the product's positioning as focused and simple rather than broad.

The company has not provided details on scale, deployment numbers, or named reference customers in the UK veterinary market. Practices evaluating VetNotes should ask for UK reference sites as part of their due diligence.



Security and Compliance Review

The following assessment covers Heidi Health's approach to data protection, security controls, and compliance alignment relevant to UK veterinary practices. This review reflects information submitted directly to VetStack's vendor assessment process and documentation available at the time of assessment.

VetNotes declared itself as a data controller rather than a data processor for UK clinics. Every other vendor assessed in this cohort declared as data processor. This distinction is significant. As a data controller, VetNotes takes on primary legal responsibility for determining the purposes and means of processing personal data, rather than acting solely on the clinic's documented instructions. This changes the legal relationship between the vendor and the practice. Practices should obtain specific legal advice on the implications of this structure before contracting, confirm what it means for their own data controller obligations under UK GDPR, and ensure their DPA and privacy notices reflect the arrangement accurately. This is not necessarily a reason to avoid the product, but it requires active engagement rather than a standard processor onboarding process.

GDPR and Data Protection

  • Data Controller Status. VetNotes declared as data controller, not data processor. See note above for implications.

  • Data Processing Agreement. A completed DPA suitable for UK clinical use is available. Practices should review it carefully given the data controller declaration, as the obligations and risk allocation will differ from a standard processor agreement.

  • Patient Consent. The consent field in the submission was answered with reference to model training rather than patient or client consent management. Practices should ask the supplier directly how client consent for audio recording is handled within the platform.

Data Storage and Residency

  • Primary Data Location. Data residency is configurable by clinic. No default region is stated. UK, EU, and other regions may be available; practices must confirm and document their chosen location before go-live.

  • Residency Controls. Clinics can choose or restrict data residency. The mechanism for configuring and verifying this should be confirmed with the supplier during onboarding.

Audio Retention and Data Use

  • Audio Retention. Audio retention following transcription is configurable by clinic. There is no stated default retention period or maximum cap. This places the data minimisation obligation firmly on the practice. Practices should define and document their retention setting and confirm it is applied correctly at go-live.

  • Model Training. Customer audio and text data are not used to train AI models. This is confirmed unambiguously in the submission.

Encryption and Technical Controls

  • Encryption in Transit. TLS 1.2 or above.

  • Encryption at Rest. AES-256 or equivalent.

  • MFA. Multi-factor authentication is supported.

Certifications

VetNotes holds Cyber Essentials Plus certification. This is a UK government-backed cybersecurity standard covering five core technical controls. It is a useful baseline indicator of security hygiene but is narrower in scope than ISO 27001, which requires a comprehensive information security management system audit.

No ISO 27001 or SOC 2 certification was reported. Practices with contractual requirements for specific certifications should confirm whether Cyber Essentials Plus meets those requirements.

Clinical Accuracy and Hallucination Mitigation

VetNotes's approach to clinical accuracy includes:

  • AI designed and trained by in-house veterinarians on veterinary-specific data

  • Structured templates and constrained outputs

  • Confidence scoring and uncertainty indicators

  • Post-generation validation checks

  • Source audio and text traceability for post-generation verification

  • Mandatory clinician review, plus explicit user sign-off before records are finalised

The combination of fine-tuning on veterinary data and constrained output templates addresses two distinct sources of inaccuracy: domain terminology errors and structural hallucination. The dual sign-off mechanism (editable draft plus explicit acknowledgement) is the strongest clinician accountability control in the assessed cohort thus far.

Model Updates and Change Management

VetNotes describes its approach to model updates as constant monitoring of output quality. No formal governance framework, notice period commitments, accuracy thresholds, or rollback SLAs are stated in the submission.

Practices that require contractual commitments on change management governance should raise this explicitly in pre-contract discussions.

UK Support and Legal Presence

  • Legal Structure. UK legal entity confirmed alongside the Australian headquarters.

  • Support. UK-based support is available. Practices should confirm support hours, response time commitments, and escalation routes.

Summary Assessment

VetNotes.com presents a focused, veterinary-grounded product with genuine technical differentiation through fine-tuning on veterinary-specific data. The core security controls meet baseline expectations. The dual clinician accountability mechanism is the strongest in the assessed cohort.

However, the data controller declaration is the dominant compliance consideration here and cannot be treated as an administrative detail. It requires active legal engagement from any practice considering this product, and should be the first question in any pre-contract conversation.

UK GDPR Alignment

Flagged. VetNotes declared as data controller, not data processor. This is an atypical structure that changes the legal relationship between vendor and clinic materially.

Data Residency

Configurable by clinic. No default stated. Practices must confirm their chosen region and ensure it meets their governance requirements.

Audio Retention

Configurable by clinic. No stated default or maximum. Practices must confirm and document their chosen retention window in writing.

Certifications

Cyber Essentials Plus. No ISO 27001 or SOC 2 reported.

Clinical Safety

No formal clinical safety framework declared. Human review is mandatory before records are finalised; user sign-off required.

Change Management

Described as constant monitoring of output quality. No formal governance framework, SLAs, or notice periods stated.

UK Presence

UK entity confirmed. Australian HQ. UK-based support available.

Points for Practices to Consider

  • Obtain specific legal advice on the data controller structure before contracting. Understand what obligations this places on the practice and whether your existing privacy notices and data protection documentation need updating.

  • Audio retention is configurable with no stated default. Define your retention period, confirm it is applied at go-live, and document it in your data protection records. Do not assume a sensible default is in place.

  • Data residency is configurable but no default is stated. Confirm which region your data will be stored in and ensure it meets your governance requirements, particularly if you hold NHS contracts or similar.

  • Ask for UK reference sites and speak to practices already using the product. The submission is light on deployment evidence in the UK veterinary market.

  • Confirm the consent mechanism for client audio recording. The submission did not address this clearly and it is a practical requirement for any UK practice before deploying ambient recording in a consultation room.

  • Ask about change management governance if your procurement process requires contractual commitments on notice periods, accuracy thresholds, or rollback SLAs.

Notes and Limitations

This review is based on information submitted directly to VetStack's vendor assessment process and publicly available material at the time of assessment. It is not a legal certification, authorised compliance seal, or formal security audit performed by VetStack. Practices should conduct their own contractual and technical due diligence to confirm suitability within their specific governance and regulatory contexts.


VetStack is vendor-agnostic and takes no referral fees from any supplier assessed in this process.