DoCrew Privacy Policy

**Last Updated:** February 8, 2025

**Effective Date:** To be determined upon public launch

**Company:** DDDEV LTD

**Website:** https://docrew.ai

1. Introduction

DoCrew ("we," "us," "our," or "Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our desktop application, mobile app, and web services (collectively, the "Service").

Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Do NOT Collect

**Your Files Are Private**: Files stored in your project folders are processed locally on your device. We never transmit, store, or have access to:

Documents you create or edit (PDFs, Word files, spreadsheets, code, etc.)

Images, videos, or multimedia files in your projects

Full chat conversation histories

Personal or sensitive file metadata

**File processing** happens entirely on your device. Only the agent's relay messages and task status are sent to our servers.

3. Information We Collect

3.1 Account Information

When you create an DoCrew account, we collect:

Email address

Password hash (encrypted, never stored in plaintext)

Full name (optional)

Profile picture (optional, stored by Supabase)

Subscription plan and billing information

**Purpose**: Account authentication, subscription management, customer support

**Storage**: Supabase Authentication service

3.2 Device & Binding Information

Device ID (unique identifier for your desktop/mobile devices)

Device type (Desktop/Mobile/Web)

Device OS and app version

Pairing timestamp (when device linked to your account)

Last activity timestamp

Device status (online/offline)

**Purpose**: Multi-device sync, push notifications, device management

**Storage**: Supabase PostgreSQL database with Row Level Security (RLS)

3.3 Task Queue Metadata

When tasks are queued between devices:

Task ID and user ID

Task title and description (user-provided instructions only)

Task status (pending/in_progress/completed/failed)

Estimated execution time

Created and updated timestamps

Device of origin and target device

**Purpose**: Offline task synchronization, execution tracking

**Storage**: Supabase PostgreSQL (temporary, deleted after delivery confirmation)

**Retention**: Tasks deleted after 7 days if not retrieved by receiving device

3.4 Push Notification Tokens

Expo push token (uniquely identifies your mobile device for notifications)

Device registration timestamp

Token expiration timestamp

**Purpose**: Delivering push notifications for task completion, reminders, and events

**Storage**: Supabase PostgreSQL with RLS

**Note**: Tokens are never shared with third parties except Expo (for delivery)

3.5 Usage Analytics (Optional)

If you opt-in to analytics:

Features used (Chat, Tasks, Connectors)

Number of chats and tasks executed

Connector types used (Gmail, Calendar, Drive)

Errors and crashes (anonymized)

App version and device info

**Purpose**: Improving service reliability and feature prioritization

**Storage**: Analytics service (third-party, anonymized)

**Opt-out**: Disabled by default; can be toggled in Settings

3.6 Stripe Billing Data

If you subscribe to a paid plan:

Stripe customer ID

Subscription plan (Free/Pro/Team)

Billing period (start/end dates)

Payment status

Invoice history (stored by Stripe, accessible via our app)

**Purpose**: Billing, subscription management, payment processing

**Storage**: Supabase (metadata) + Stripe (full billing details)

**Note**: We never store credit card numbers; Stripe handles all PCI compliance

3.7 OAuth Connector Tokens

When you connect services (Gmail, Google Calendar, Google Drive):

OAuth access tokens and refresh tokens

Connector metadata (service type, connected email, permission scopes)

Token expiration timestamp

**Purpose**: Enabling connector functionality

**Storage**: **Local only** in system Keychain (macOS/Windows/Linux)

**Never transmitted to** Supabase or any other server

**Encryption**: System-level encryption (Keychain/Credential Manager/libsecret)

3.8 Server Logs

We collect standard server logs:

API request timestamps

HTTP method and endpoint (non-sensitive)

Response status codes

Error messages (sanitized)

User ID (hashed)

IP address

**Purpose**: Security, debugging, performance monitoring

**Retention**: 30 days (then archived and eventually deleted)

4. How We Use Your Information

We use collected information for:

Purpose	Data	Legal Basis
User authentication	Email, password hash, JWT tokens	Contractual necessity
Account management	Email, profile, subscription status	Contractual necessity
Service delivery	Project metadata, task queue, push tokens	Contractual necessity
Billing	Stripe customer ID, subscription plan	Contractual necessity + Legal obligation
Connectors	OAuth tokens (local storage)	Contractual necessity
Device sync	Device IDs, online status, relay messages	Contractual necessity
Customer support	Email, chat history (if provided)	Legitimate interest + Contractual
Security & fraud detection	Login patterns, suspicious activity	Legitimate interest + Legal obligation
Service improvement	Anonymized usage analytics	Legitimate interest (if opted-in)
Legal compliance	Account info, transaction history	Legal obligation

5. Data Sharing & Third Parties

5.1 Supabase (Backend Provider)

**What we share**: User accounts, device bindings, task queue metadata, push tokens

**What we do NOT share**: User files, full chat histories, OAuth tokens, billing details beyond subscription status

**Relationship**: Data processor under Data Processing Agreement

**Location**: EU (PostgreSQL) + US (Auth servers)

**Privacy**: Supabase has SOC 2 Type II certification

5.2 Anthropic (Claude API)

**What we share**: Chat messages and task instructions (user-facing prompts only)

**What we do NOT share**: Your files, personal documents, full project context

**Relationship**: Service provider

**API calls**: User API key or proxied through Supabase (subscription users)

**Privacy**: Anthropic Claude API policy at https://www.anthropic.com/privacy

5.3 Stripe (Payment Processor)

**What we share**: Customer ID, subscription plan, payment information (entered by you)

**What we do NOT share**: API keys, file access, personal documents

**Relationship**: Payment processor under Data Processing Agreement

**PCI Compliance**: Stripe is PCI DSS Level 1 compliant

**Privacy**: Stripe privacy policy at https://stripe.com/privacy

5.4 Expo (Mobile Push Notifications)

**What we share**: Your Expo push token (non-identifying, device-specific)

**What we do NOT share**: Messages content, personal data, file information

**Relationship**: Push notification service provider

**Privacy**: Expo privacy policy at https://expo.dev/privacy

5.5 Google (OAuth & APIs)

**What we share**: Only what you authorize via OAuth (Gmail, Calendar, Drive scopes)

**What we do NOT share**: Other Google Account data

**Relationship**: OAuth provider + API service provider

**Token storage**: Local on your device, never shared with us

**Privacy**: Google Privacy Policy at https://policies.google.com/privacy

5.6 Service Providers (Sub-processors)

**AWS** (Supabase infrastructure): data processing

**Auth0** (if used): authentication backup

**Sentry** (optional): error tracking and crash reporting

**Complete list available upon request**

5.7 Legal Requirements

We may disclose your information if required by law:

Court order or subpoena

Law enforcement request

National security investigation

Protection of our legal rights

We will notify you of such disclosure unless legally prohibited.

6. Data Retention

Data Type	Retention Period	Reason
User account	Until deletion requested	Service operation
Device bindings	Until device removed	Multi-device sync
Task queue	7 days after completion	Delivery confirmation
Chat/Agent logs (local)	Until user deletes	User control
Chat/Agent logs (server relay only)	7 days	Debugging relay issues
API logs	30 days, then archived	Security and debugging
OAuth tokens	Until revoked or expired	Service operation
Billing records	7 years	Legal/tax requirement

**Upon account deletion**, all associated data is deleted within 30 days except where legally required (e.g., billing records).

7. Data Security

Encryption In Transit

All communication uses TLS 1.3

API endpoints require HTTPS

WebSocket connections (Realtime) are encrypted

Encryption At Rest

Database encryption (Supabase managed)

OAuth tokens encrypted in system Keychain (not Supabase)

API keys stored locally in encrypted credential managers

Access Control

Row Level Security (RLS) in PostgreSQL (user-scoped)

IAM roles for Supabase Edge Functions

Minimal access principle for staff access

Security Practices

Regular security audits

Automated dependency scanning

Incident response plan

No hardcoded credentials

Rate limiting on API endpoints

**Note**: While we implement industry-standard security measures, no system is 100% secure. We cannot guarantee absolute security of your data.

8. Your Privacy Rights (GDPR & CCPA)

GDPR Rights (EU Users)

**Right of Access**: Request a copy of your data

**Right to Rectification**: Correct inaccurate data

**Right to Erasure**: Delete your account and associated data

**Right to Restrict Processing**: Limit how we use your data

**Right to Data Portability**: Export your data in standard format

**Right to Object**: Opt-out of certain processing

**Right to Lodge a Complaint**: With your supervisory authority

CCPA Rights (California Users)

**Right to Know**: What personal information is collected

**Right to Delete**: Request deletion of your data

**Right to Opt-Out**: Of data sales (we do not sell data)

**Right to Non-Discrimination**: No penalty for exercising rights

Exercising Your Rights

Email us at **privacy@docrew.ai** with your request and proof of identity. We will respond within 30 days.

9. Cookies & Tracking

**Local Storage**: We use browser/app local storage for session management and preferences

**Analytics Cookies**: Only if you opt-in to analytics

**Third-party Cookies**: Supabase Auth may set cookies for session management

**Do Not Track**: We honor browser DNT signals

10. International Data Transfers

**EU → US**: Data transferred to Supabase (EU servers) and Stripe (subject to Standard Contractual Clauses)

**Adequacy**: We ensure transfers comply with GDPR adequacy requirements

**DPA**: Data Processing Agreement available upon request

11. Children's Privacy

DoCrew is not designed for users under 13. We do not knowingly collect data from children under 13. If we become aware that we have collected data from a child under 13, we will delete it immediately. Contact us at **privacy@docrew.ai**.

12. Third-Party Links

DoCrew may contain links to third-party services (Google, GitHub, Stripe, etc.). This Privacy Policy applies only to DoCrew. We are not responsible for third-party privacy practices.

13. California Privacy Rights

**California Consumers** have additional privacy rights under CCPA and CPRA:

**Right to Know**: We collect: email, device info, subscription status, usage data

**Right to Delete**: You can request account deletion

**Right to Opt-Out**: We don't sell personal information

**Right to Limit**: You can limit use of sensitive data (OAuth tokens)

**California residents**: Contact **privacy@docrew.ai** to exercise rights.

14. Contact Us

For privacy questions or to exercise your rights:

**Email**: privacy@docrew.ai

**Company**: DDDEV LTD

**Website**: https://docrew.ai

**Address**: [Company Address - to be updated before launch]

**Data Protection Officer**: [DPO contact - to be assigned]

15. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be:

1. Communicated via email to users

2. Posted on our website

3. Require explicit consent if they affect your rights

**Effective date of changes**: Specified at top of updated policy

16. Additional Information for Different Jurisdictions

EU/UK Specific

**GDPR Compliance Officer**: Available upon request

**Data Processing Agreement**: Available upon request

**DPA Addendum for STANDARD CONTRACTUAL CLAUSES**: Available upon request

**Right to Lodge Complaint**: With your national data protection authority

UK Specific (Post-GDPR)

UK Data Protection Act 2018 applies

ICO is the UK authority: https://ico.org.uk

Australia Specific

Australian Privacy Act applies

App privacy details available in App Store/Play Store

OAIC is the privacy regulator

**By using DoCrew, you acknowledge that you have read and understood this Privacy Policy.**