Privacy Policy
Last updated: March 29, 2026
Dotty (“we”, “us”, “our”) operates the Dotty invoice and client portal service (the “Service”). This Privacy Policy explains how we collect, use, and share information when you use dotty.ai (the marketing site) and app.dotty.ai (the application).
Who we are
The Service is provided by the operator of Dotty. For privacy requests, contact: privacy@dotty.ai.
Information we collect
Account and profile. When you create an account, we collect your email address, authentication identifiers from our auth provider, and optional profile details you provide (for example, your name).
Invoice and business data. Content you enter into the Service—such as invoice titles, amounts, due dates, statuses, client names, and client email addresses—is stored to provide the Service.
Usage and technical data. We may collect IP address, browser type, device information, and similar technical data through hosting and analytics tools to secure and improve the Service.
Payment data. Payments are processed by Stripe. We do not store full payment card numbers on our servers. Stripe’s use of information is governed by Stripe’s privacy policy.
Email delivery. Transactional and product emails (for example, client invites or reminders) may be sent through Resend or comparable providers. Those providers process recipient addresses and message content as necessary to deliver mail.
How we use information
We use information to:
- provide, operate, and maintain the Service;
- authenticate users and enforce role-based access (for example, admin vs client);
- process payments and invoice status updates via Stripe;
- send service-related communications you expect (invites, reminders, security notices);
- detect abuse, fraud, and security incidents;
- comply with legal obligations and enforce our Terms.
We do not sell your personal information.
Legal bases (EEA/UK visitors)
If applicable law requires a legal basis, we rely on: contract (providing the Service you requested), legitimate interests (security, product improvement, proportionate analytics), and legal obligation where required.
Retention
We retain information for as long as your account is active and as needed to provide the Service, comply with law, resolve disputes, and enforce our agreements. You may request deletion of your account subject to legal and technical constraints (for example, records we must retain for tax or fraud prevention).
Subprocessors and infrastructure
We use trusted infrastructure and service providers, including but not limited to:
- Supabase (database, authentication, and related APIs);
- Stripe (payments);
- Resend (email delivery);
- Vercel (or comparable hosting for web properties).
These providers process data under agreements that require appropriate safeguards.
International transfers
If you access the Service from outside the country where our systems are hosted, your information may be transferred and processed across borders. We take steps consistent with applicable law to protect your information.
Your rights
Depending on where you live, you may have rights to access, correct, delete, or restrict processing of your personal data, and to object to certain processing or port your data. To exercise these rights, contact privacy@dotty.ai. You may also lodge a complaint with your local data protection authority.
Cookies and similar technologies
We use cookies and similar technologies as needed for authentication, security, and basic site functionality. Marketing analytics, if enabled, are configured to respect applicable consent requirements on the marketing site.
Children’s privacy
The Service is not directed to children under 16. We do not knowingly collect personal information from children.
Changes
We may update this Privacy Policy from time to time. We will post the updated version on this page and revise the “Last updated” date. Material changes may be communicated through the Service or by email where appropriate.