Privacy Policy | Dozz AI

1. Introduction

Dozz ("Dozz", "we", "us", or "our") provides a software platform that helps organisations track, assign, and manage their physical assets. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices available to you when you or your organisation uses our website at dozz.ai or any subdomain of dozz.ai (collectively, the "Service").

This policy is written to be read by an actual human being, not just a lawyer. If anything here is unclear, contact us at the email address listed at the end of this document and we will explain it properly.

2. Who we are and scope of this policy

Dozz operates a multi-tenant software-as-a-service platform. Each organisation that signs up for Dozz (a "Customer" or "Organisation") receives its own private workspace, accessible through a unique subdomain of dozz.ai. Individual people who use the Service on behalf of an Organisation are referred to in this policy as "Users".

This policy applies to:

Visitors browsing the public Dozz website (dozz.ai)
Prospective customers submitting enquiries through our contact, get-started, or careers forms
Users who access an Organisation's private Dozz workspace
Administrators who manage an Organisation's account, billing, or configuration

Important distinction: When an Organisation uses Dozz to manage its own assets and staff records, Dozz acts as a data processor on behalf of that Organisation, which acts as the data controller for its own staff and operational data. Where this distinction matters, it is called out explicitly in the relevant section below.

3. Information we collect

3.1 Information you provide directly

Category	Examples
Account and contact details	Name, work email address, phone number, job title, organisation name
Organisation details	Company name, industry, country, estimated staff and asset counts, billing address
Form submissions	Information submitted through our contact, get-started, or careers application forms, including résumés and cover letters where applicable
Payment information	Billing details processed through our third-party payment processor; Dozz does not directly store full card numbers
Support communications	Content of emails, support tickets, or messages you send us

3.2 Information collected automatically

When you use the Service, we automatically collect certain technical information, including IP address, browser type, device information, pages visited, and timestamps of activity. This is used for security, troubleshooting, and improving the Service, as described in Section 4.

3.3 Information generated through use of the Service

Once an Organisation begins using Dozz, the Service generates and stores operational data created by that Organisation's own Users, including but not limited to:

Asset records (names, categories, locations, photographs, purchase information)
Checkout and assignment history (who has which asset, when, and the approval trail)
Approval chain decisions and timestamps
Booking records for shared resources
Purchase orders and vendor information
User accounts within the Organisation's workspace, including names, work email addresses, department assignments, and role permissions

This category of data belongs to the Organisation. Dozz processes it solely to provide the Service and does not use it for any other purpose, including marketing or analytics unrelated to the Service itself.

4. How we use information

We use the information described above for the following purposes:

To provide and maintain the Service — operating your Organisation's private workspace, processing checkouts and approvals, generating reports, and sending in-app notifications
To authenticate Users — verifying identity through Google or Microsoft single sign-on as described in Section 6
To communicate with you — responding to support requests, sending invoices and billing notifications, and providing important Service updates
To process job applications — reviewing and responding to applications submitted through our careers page
To improve the Service — understanding how the Service is used in aggregate so we can fix problems and build better features
To maintain security — detecting and preventing fraud, abuse, and unauthorised access
To comply with legal obligations — including tax, accounting, and regulatory requirements

We do not sell personal information to third parties, and we do not use Organisation operational data (asset records, checkout history, etc.) to train any general-purpose model or to serve advertising of any kind, to you or to anyone else.

5. Our legal basis for processing

Where data protection law requires a legal basis for processing personal information (such as under the EU or UK GDPR), we rely on one or more of the following:

Performance of a contract — processing necessary to provide the Service under our terms with your Organisation
Legitimate interests — for security, fraud prevention, and Service improvement, balanced against your rights and interests
Consent — where you have explicitly agreed, such as submitting a careers application or marketing enquiry
Legal obligation — where processing is required to comply with applicable law

6. Single sign-on, Google, and Microsoft

Dozz does not use traditional passwords for Organisation Users. Instead, Users sign in using their existing Google Workspace or Microsoft 365 work account, through the standard OAuth authentication protocol provided by Google and Microsoft respectively.

When a User signs in through this method, we receive only the limited profile information authorised by the OAuth scope requested — typically name, work email address, and profile photograph where available. We do not receive or store the User's Google or Microsoft account password at any point; authentication is handled entirely by Google or Microsoft's own systems.

Access to each Organisation's workspace is restricted to email addresses matching that Organisation's verified company domain. This is a deliberate security control that prevents unauthorised account creation and ensures only legitimate members of an Organisation can gain access.

7. Data separation between organisations

Dozz is built on a multi-tenant architecture in which each Organisation's operational data is stored in a separate, isolated database environment. One Organisation's Users, asset records, and history are never combined, shared, or made visible to any other Organisation using the Service. There is no shared data pool between customers beyond the underlying software infrastructure itself.

Dozz personnel do not access an Organisation's private workspace data except where strictly necessary to provide support requested by that Organisation, to investigate a security incident, or where required by law.

8. When we share information

We do not sell personal information. We share information only in the following limited circumstances:

Service providers — third parties who perform functions on our behalf, such as cloud hosting, email delivery, and payment processing, under contractual obligations to protect your information and use it only for the purposes we specify
Within your Organisation — information you provide as a User is visible to authorised administrators and managers within your own Organisation, in accordance with the role and department permissions configured by your Organisation
Legal requirements — where we are required to disclose information to comply with a legal obligation, court order, or governmental request
Business transfers — in the event of a merger, acquisition, or sale of assets, information may be transferred as part of that transaction, subject to the same protections described in this policy
With your consent — in any other circumstance where you have given explicit permission

9. International data transfers

Dozz serves customers globally, and information may be processed and stored in countries other than the one in which you or your Organisation are located. Where we transfer personal information across borders, we take appropriate steps to ensure it remains protected in accordance with applicable data protection law, including the use of standard contractual clauses or equivalent safeguards where required.

10. Data retention

We retain personal information and Organisation operational data for as long as necessary to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Specifically:

Operational data within an active Organisation's workspace is retained for the duration of that Organisation's subscription
If an Organisation's account is closed, we retain a copy of its data for a limited period to allow for export requests and accidental-cancellation recovery, after which it is permanently deleted, unless a longer retention period is required by law
Job application data is retained for a reasonable period to support the hiring process, after which it is deleted unless the applicant has consented to longer retention for future opportunities
Billing and invoicing records are retained for as long as required by applicable tax and accounting law

Organisations may request export of their full operational data at any time during an active subscription. This is a core design principle of the Service, not an exception requiring special approval.

11. How we protect your information

We implement technical and organisational measures designed to protect personal information and Organisation data against unauthorised access, alteration, disclosure, or destruction. These measures include encrypted connections (HTTPS/TLS) for all data in transit, access controls restricting internal access to customer data on a need-to-know basis, isolated database environments per Organisation, and regular review of our security practices.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a security incident affecting your personal information, we will notify you in accordance with applicable law.

12. Your rights and choices

Depending on your location and applicable law, you may have the right to:

Access the personal information we hold about you
Request correction of inaccurate personal information
Request deletion of your personal information, subject to legal and contractual limitations
Object to or restrict certain processing of your personal information
Request a copy of your personal information in a portable format
Withdraw consent where processing is based on consent

If you are a User within an Organisation, many of these requests should first be directed to your Organisation's administrator, since they control the underlying account. Where Dozz is the appropriate party to contact directly, reach us using the details in Section 16.

13. Cookies and similar technologies

The Dozz website and application use cookies and similar technologies necessary for core functionality, including maintaining your authenticated session, remembering your preferences, and protecting against cross-site request forgery. We do not use cookies for third-party advertising or cross-site behavioural tracking.

14. Children's privacy

The Service is intended for use by organisations and their adult staff members in a professional context. We do not knowingly collect personal information from children under the age of 16. If we become aware that we have inadvertently collected such information, we will take steps to delete it promptly.

15. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will update the "Last updated" date at the top of this page when we do. Material changes will be communicated to active Organisations through the Service or by email where appropriate.

16. How to contact us

If you have questions, concerns, or requests relating to this Privacy Policy or how your information is handled, contact us at:

privacy@dozz.ai
We aim to respond to all privacy-related enquiries within one business day.