DoCrew Privacy Policy

Last Updated: March 13, 2026

Effective Date: February 26, 2026

Company: DDDEV LTD (registered in England & Wales)

Website: https://docrew.ai

1. Introduction

DDDEV LTD ("Company," "we," "us," or "our") operates DoCrew, an AI-powered productivity application available as a desktop application, mobile application, and marketing website (collectively, the "Service"). This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding your data.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, do not use the Service.

General inquiries: hi@docrew.ai

Privacy and legal requests: legal@docrew.ai

2. Information We Do NOT Collect

Your files remain on your device. DoCrew processes files locally using your desktop or mobile device. We never transmit, store, or access:

  • Documents, spreadsheets, presentations, code files, or any other user-created files
  • Images, videos, audio, or multimedia content in your projects
  • Raw files (documents, spreadsheets, images) -- these are processed locally and never uploaded
  • Credit card numbers or full payment credentials (handled entirely by Stripe)

    3. Information We Collect

    3.1 Account Information

    When you create a DoCrew account, we collect:

  • Email address
  • Password hash (bcrypt, never stored in plaintext)
  • Display name (optional)
  • Profile avatar (optional)

    Purpose: Account authentication, subscription management, customer communications

    Legal basis: Contractual necessity

    Storage: Supabase Authentication service

    3.2 Device Information

    When you link a device to your account:

  • Device identifier (randomly generated UUID)
  • Device type (desktop or mobile)
  • Operating system and app version
  • Last activity timestamp
  • Online/offline status

    Purpose: Multi-device synchronization, push notifications, device management

    Legal basis: Contractual necessity

    Storage: Supabase PostgreSQL with Row-Level Security (RLS)

    3.3 Conversations and Messages

    When you use the AI agent, we store:

  • Conversation metadata (title, creation date, folder assignment, archived status)
  • User messages and AI assistant responses (synced between your devices)
  • Message status (queued, processing, done, error)
  • Message ordering metadata

    Purpose: Delivering the core Service, syncing conversations across your devices

    Legal basis: Contractual necessity

    Storage: Supabase PostgreSQL with RLS. Messages are associated with your user ID and protected by row-level access controls.

    3.4 Usage Logs (Billing)

    For every AI request processed, we log:

  • AI model used (e.g., Flash Lite, Flash, Pro)
  • Token counts (input, output, cache read, cache creation)
  • Credits consumed
  • Request latency
  • Request purpose (chat, classifier, subagent)
  • Associated conversation and message identifiers
  • Request status (success or error)

    Purpose: Credit-based billing, usage tracking, cost calculation, abuse prevention

    Legal basis: Contractual necessity + Legitimate interest

    Storage: Supabase PostgreSQL with RLS

    Note: Usage logs record token counts and model metadata for billing. The content of your messages is stored separately as described in Section 3.3.

    3.5 Push Notification Tokens

    If you use the mobile application:

  • Expo push notification token (device-specific, non-identifying)
  • Token registration and expiration timestamps

    Purpose: Delivering push notifications for task completion and updates

    Legal basis: Contractual necessity

    Storage: Supabase PostgreSQL with RLS

    Sharing: Tokens are shared only with Expo for notification delivery

    3.6 Payment and Subscription Data

    If you subscribe to a paid plan:

  • Stripe customer identifier
  • Subscription plan (Starter, Pro, Business, or Scale)
  • Billing period start and end dates
  • Payment status
  • Credit balance (subscription credits and top-up credits)
  • Credit transaction history (grants, purchases, usage deductions)

    Purpose: Billing, subscription management, credit allocation

    Legal basis: Contractual necessity + Legal obligation (tax/accounting)

    Storage: Supabase (subscription metadata, credit balances) + Stripe (full payment details, invoices)

    Note: We never store credit card numbers. All payment card processing is handled by Stripe (PCI DSS Level 1 compliant).

    3.7 Connector Data

    When you connect third-party services via connectors:

  • Connector type and connected account identifier
  • OAuth permission scopes granted
  • Connection status and timestamps

    Purpose: Enabling third-party service integrations

    Legal basis: Contractual necessity

    Storage: OAuth tokens are managed by Composio (our connector provider) and encrypted at rest. Connector metadata is stored in Supabase PostgreSQL with RLS.

    3.8 Server and Infrastructure Logs

    Our servers automatically collect:

  • API request timestamps
  • HTTP method and endpoint path (non-sensitive)
  • Response status codes
  • Sanitized error messages (no personal data, no file paths)
  • IP address
  • User agent string

    Purpose: Security monitoring, debugging, performance optimization, abuse prevention

    Legal basis: Legitimate interest

    Retention: 30 days, then permanently deleted

    3.9 Cookie Consent Preferences

    On our marketing website (docrew.ai), we store:

  • Your cookie consent preferences in browser localStorage
  • Consent timestamp

    Purpose: Complying with cookie consent requirements

    Legal basis: Legal obligation (ePrivacy Directive, GDPR)

    Storage: Browser localStorage only (key: docrew:cookie-consent). Never transmitted to our servers.

    3.10 Analytics Data (Optional, Consent Required)

    Only if you opt in via the cookie consent banner:

  • Pages visited on docrew.ai
  • Feature usage patterns (anonymized)
  • Error and crash reports (anonymized)
  • App version and device type

    Purpose: Improving service reliability and user experience

    Legal basis: Consent

    Storage: Google Analytics (Google LLC) and PostHog (PostHog Inc, EU region). Anonymized, no personal identifiers.

    Opt-out: Disabled by default. You can withdraw consent at any time via the cookie settings link in our website footer.

    4. How We Use Your Information

    Purpose | Data Used | Legal Basis
    Account authentication | Email, password hash, JWT tokens | Contractual necessity
    Service delivery | Conversations, messages, device info | Contractual necessity
    Credit-based billing | Usage logs, subscription data, credit balances | Contractual necessity
    Payment processing | Stripe customer ID, plan, payment status | Contractual necessity + Legal obligation
    Multi-device sync | Device IDs, activity status, messages | Contractual necessity
    Connector integrations | OAuth tokens, connector metadata | Contractual necessity
    Push notifications | Expo push tokens | Contractual necessity
    Security and fraud prevention | Server logs, login patterns, IP addresses | Legitimate interest
    Service improvement | Anonymized analytics (if opted in) | Consent
    Legal and tax compliance | Account info, billing records, transaction history | Legal obligation
    Customer support | Email, account info, conversation context (if provided by you) | Legitimate interest

    We do not sell, rent, or trade your personal information. Ever.

    5. Data Sharing and Third Parties

    We share data with third parties only as necessary to operate the Service:

    5.1 Google Cloud (AI Processing)

  • User messages and AI instructions are sent to Google Vertex AI for processing by Gemini language models
  • Regions: us-east1 (United States), europe-west1 (EU)
  • Your local files, documents, or media are never sent
  • Relationship: AI model and infrastructure provider (Google Cloud)
  • Google does not use your data to train models (Vertex AI data governance)
  • Privacy: Google Cloud Privacy Policy at https://cloud.google.com/terms/cloud-privacy-notice

    5.2 Anthropic (AI Processing)

  • User messages and AI instructions may be sent to Anthropic Claude models via Amazon Bedrock for processing
  • Your local files, documents, or media are never sent
  • Relationship: AI model provider
  • Anthropic does not use your data to train models when accessed via Amazon Bedrock
  • Privacy: Anthropic Privacy Policy at https://www.anthropic.com/privacy

    5.3 Amazon Web Services (AI Infrastructure)

  • User messages and AI instructions may be processed via Amazon Bedrock (Anthropic Claude models)
  • Regions: us-west-2 (United States), eu-central-1 (EU)
  • Your local files, documents, or media are never sent
  • Relationship: Cloud infrastructure and AI model hosting provider
  • AWS does not use your data to train models (Amazon Bedrock data governance)
  • Privacy: AWS Privacy Notice at https://aws.amazon.com/privacy/

    5.4 Supabase (Backend Infrastructure)

  • Data shared: Account data, device bindings, conversations, messages, usage logs, subscription metadata, push tokens
  • Data NOT shared: Local files, payment card details
  • Relationship: Data processor
  • Certification: SOC 2 Type II
  • Privacy: Supabase Privacy Policy at https://supabase.com/privacy

    5.5 Stripe (Payment Processing)

  • Data shared: Customer ID, subscription plan, payment method (entered directly by you to Stripe)
  • Data NOT shared: Local files, conversations, usage data
  • Relationship: Payment processor (independent data controller for payment data)
  • Certification: PCI DSS Level 1
  • Privacy: Stripe Privacy Policy at https://stripe.com/privacy

    5.6 Composio (Connector Integrations)

  • Data shared: OAuth tokens for connected services, connector metadata
  • Data NOT shared: File contents, conversation data, payment data
  • Relationship: Data processor for connector functionality
  • Security: OAuth tokens encrypted at rest
  • Privacy: Composio Privacy Policy at https://composio.dev/privacy

    5.7 Fly.io (Proxy Infrastructure)

  • Data shared: API requests between your device and our backend (encrypted in transit)
  • Relationship: Infrastructure provider
  • Privacy: Fly.io Privacy Policy at https://fly.io/legal/privacy-policy/

    5.8 Expo (Push Notifications)

  • Data shared: Push notification tokens (device-specific, non-identifying) and notification payloads
  • Data NOT shared: Message content, personal data, files
  • Relationship: Push notification service provider
  • Privacy: Expo Privacy Policy at https://expo.dev/privacy

    5.9 Sentry (Error Tracking, Optional)

  • Data shared: Anonymized crash reports and error data (only if you consent to analytics)
  • Data NOT shared: Personal data, conversation content, files
  • Relationship: Data processor
  • Privacy: Sentry Privacy Policy at https://sentry.io/privacy/

    5.10 Google Analytics (Website Analytics, Optional)

  • Data shared: Anonymized page views, button clicks, scroll depth, and navigation events (only if you consent to analytics)
  • Data NOT shared: Personal data, conversation content, files, email address
  • Measurement ID: G-RD57D032TD
  • Relationship: Data processor
  • Google does not use analytics data to build advertising profiles when consent mode is active
  • Privacy: Google Privacy Policy at https://policies.google.com/privacy

    5.11 Legal Disclosure

    We may disclose your information if required to do so by law or in good faith belief that such action is necessary to:

  • Comply with a court order, subpoena, or legal process
  • Respond to a valid law enforcement request
  • Protect and defend the rights or property of DDDEV LTD
  • Prevent fraud or address security issues
  • Protect the personal safety of users or the public

    We will notify you of such disclosure unless legally prohibited from doing so.

    6. Data Retention

    Data Type | Retention Period | Reason
    User account | Until you request deletion | Service operation
    Conversations and messages | Until you delete them or delete your account | Service operation
    Device bindings | Until you remove the device or delete your account | Multi-device sync
    Usage logs | 90 days | Billing verification, dispute resolution
    Server/infrastructure logs | 30 days | Security and debugging
    Push notification tokens | Until revoked or expired | Notification delivery
    Connector tokens | Until you disconnect the connector | Connector functionality
    Subscription and credit data | Duration of account + 7 years | Legal/tax requirements
    Cookie consent preferences | 12 months (then re-consent required) | Regulatory compliance

    Account deletion: When you delete your account, all associated data is permanently deleted within 30 days, except billing and transaction records retained for legal and tax compliance (up to 7 years as required by UK law).

    7. Data Security

    Encryption

  • All data in transit is encrypted using TLS 1.3
  • All API endpoints require HTTPS
  • Database encryption at rest (managed by Supabase)
  • OAuth tokens encrypted at rest (managed by Composio)
  • Local credentials stored in system keychain (macOS Keychain, Windows Credential Manager, Linux libsecret)

    Access Controls

  • Row-Level Security (RLS) on every database table (your data is only accessible to you)
  • Principle of least privilege for all infrastructure access
  • No shared database credentials

    Practices

  • Automated dependency vulnerability scanning
  • Rate limiting on all API endpoints
  • No hardcoded credentials in source code
  • Sanitized error messages (no personal data leaked in logs)

    Disclaimer: While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data and accept no liability for unauthorized access resulting from factors beyond our reasonable control.

    8. Your Privacy Rights

    8.1 GDPR Rights (EU/EEA/UK Users)

    Under the General Data Protection Regulation (EU) and UK GDPR:

  • Right of Access -- Request a copy of your personal data
  • Right to Rectification -- Correct inaccurate or incomplete data
  • Right to Erasure -- Request deletion of your personal data
  • Right to Restrict Processing -- Limit how we process your data
  • Right to Data Portability -- Receive your data in a structured, machine-readable format
  • Right to Object -- Object to processing based on legitimate interest
  • Right to Withdraw Consent -- Withdraw consent for optional processing (e.g., analytics) at any time
  • Right to Lodge a Complaint -- With your national data protection authority. UK users: Information Commissioner's Office (ICO) at https://ico.org.uk

    Data Controller: DDDEV LTD (registered in England & Wales)

    Lawful bases: See Section 4 table above

    8.2 CCPA/CPRA Rights (California Residents)

    Under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to Know -- What personal information we collect, use, and disclose
  • Right to Delete -- Request deletion of your personal information
  • Right to Correct -- Correct inaccurate personal information
  • Right to Opt-Out of Sale/Sharing -- We do not sell or share personal information for cross-context behavioral advertising
  • Right to Limit Use of Sensitive Data -- You can limit use of sensitive personal information
  • Right to Non-Discrimination -- We will not discriminate against you for exercising your rights

    Categories of personal information collected: Identifiers (email), commercial information (subscription data), internet activity (usage logs), geolocation data (IP address).

    We do not sell personal information. We have not sold personal information in the preceding 12 months.

    8.3 LGPD Rights (Brazilian Users)

    Under the Lei Geral de Proteção de Dados:

  • Confirmation of processing, access, correction, anonymization, portability, deletion, information about sharing, consent withdrawal, and the right to petition the ANPD

    8.4 Exercising Your Rights

    Email legal@docrew.ai with your request. Include your account email address and a description of the right you wish to exercise. We may request identity verification before processing your request. We will respond within 30 days (or sooner where required by applicable law).

    9. Cookies and Tracking

    What We Use

  • localStorage (browser) -- Cookie consent preferences, session tokens, UI preferences. Essential for site functionality.
  • Analytics cookies -- Google Analytics and PostHog. Only loaded if you explicitly consent via the cookie consent banner. Disabled by default.
  • Marketing cookies -- Only loaded if you explicitly consent. Disabled by default. Not currently in use.

    What We Do NOT Use

  • No third-party tracking pixels
  • No fingerprinting
  • No cross-site tracking
  • No data brokers

    Do Not Track

    We honor the browser Do Not Track (DNT) signal. If your browser sends DNT=1, analytics defaults to off regardless of consent state.

    Managing Preferences

    You can change your cookie preferences at any time by clicking "Cookie settings" in the website footer.

    10. International Data Transfers

    Your data may be transferred to and processed in countries outside your jurisdiction, including the United States (Google Cloud, Amazon Web Services, Fly.io) and the EU (Supabase, Amazon Web Services, Google Cloud). We ensure such transfers are lawful through:

  • EU Standard Contractual Clauses (SCCs) -- For transfers from the EU/EEA to third countries
  • UK International Data Transfer Agreement (IDTA) -- For transfers from the UK
  • Adequacy decisions -- Where applicable

    A Data Processing Agreement (DPA) is available upon request by emailing legal@docrew.ai.

    11. Children's Privacy

    DoCrew is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe a child under 16 has provided us with personal information, contact us at legal@docrew.ai.

    12. Third-Party Links

    The Service may contain links to third-party websites and services. This Privacy Policy applies only to DoCrew. We are not responsible for the privacy practices of third-party services, and we encourage you to review their privacy policies independently.

    13. Changes to This Policy

    We may update this Privacy Policy from time to time. When we make material changes:

  • We will notify registered users via email at least 30 days before the changes take effect
  • The updated policy will be posted on our website with a new "Last Updated" date
  • Continued use of the Service after the effective date constitutes acceptance of the updated policy

    If a change materially reduces your rights, we will seek your explicit consent where required by applicable law.

    14. Contact

    General inquiries: hi@docrew.ai

    Privacy and legal requests: legal@docrew.ai

    Company: DDDEV LTD

    Registered in: England & Wales

    Website: https://docrew.ai


    By using DoCrew, you acknowledge that you have read and understood this Privacy Policy.