This Privacy Policy explains how Dotio Inc. ("Dotio", "we", "us", "our") collects, uses, shares, and protects personal information when you use our websites (including getdotio.com), applications, AI agents, and related services (the "Services"), and the rights and choices you have.
Important context for a finance product. Dotio is business software. Much of what you put into the Services is your business's financial information - and may include personal information about your own customers, employees, vendors, or contacts. For that information, you are the controller and Dotio is the processor acting on your instructions (see Section 1). This Policy focuses on personal information for which Dotio decides the purposes - for example, your account and the people who visit our site.
Quick summary (not a substitute for this Policy). We collect account and contact details you give us, payment information (handled by Stripe), the data you put into the product, and technical/usage data. We never sell your personal information, and we never use your data to train AI models - ours or our providers'. We use third parties to run the Services, including Anthropic (AI), Amazon Web Services (hosting/storage), Stripe (payments), and Cloudflare (network). Data may be processed in the United States and the European Union; we use safeguards for international transfers. You have rights over your personal information (access, correction, deletion, and more), described in Sections 8–11.
01Controller vs. processor - who is responsible for what
Dotio as controller. For personal information where we determine the purposes and means of processing - your account registration data, billing contact details, marketing and website-visitor data, and support communications - Dotio is the controller, and this Policy governs.
Dotio as processor. For the content you submit to or generate in the product ("Customer Data"), including personal information about your clients, staff, vendors, or contacts, you are the controller and Dotio is the processor. We process that data only on your documented instructions to provide the Services, as set out in our Data Processing Addendum, which applies to business customers and prevails over this Policy for that data. You are responsible for having a lawful basis and appropriate notices/consents for the personal information you put into the Services.
02How AI processes your information
The Services use artificial intelligence, including large-language models provided by Anthropic, to deliver features such as categorization, document generation, answers, and forecasts.
- What is sent. To respond to your requests and run agents, relevant Customer Data and your prompts are sent to our AI provider for processing and returned to you as Output.
- No training on your data. We contractually require our AI providers not to use data submitted through the Services to train or improve their models, and we do not use Customer Data to train models ourselves.
- We do not control the provider's own systems. Once data is processed in a provider's environment, that environment is operated by the provider under its own terms; we select reputable providers and bind them by data-protection terms, but we do not control their internal operations (see Sections 4 and 6).
- AI output can be wrong. Output is generated by automated systems and may be inaccurate. It is not professional advice, and you should review it before relying on it. See also Section 7 (automated decision-making).
03Information we collect
You give us:
- Identifiers and contact data - name, email, job title, company, contact preferences.
- Account/credentials - username and password (stored only as a salted hash).
- Billing data - billing name and address, and payment-method details handled and stored by Stripe; we receive only limited information such as a Stripe customer ID, card brand, and last four digits. We never see or store full card numbers.
- Customer Data - the financial records, documents, transactions, invoices, contacts, and other content you upload or generate (processed as described in Section 1).
- Communications - messages you send us (support, sales, feedback).
We collect automatically:
- Usage and device data - log data, IP address, device/browser type, pages and features used, and similar analytics.
- Cookies and similar technologies - see Section 5.
From others: We generally do not buy personal information about you. We may receive limited data from service providers (for example, fraud or delivery signals) and from integrations you choose to connect.
Sensitive information. We do not seek special-category data (such as health, biometric, or government-ID numbers) for our own purposes. Please do not submit special-category personal data to the Services unless necessary, and only where you have a lawful basis to do so. Note that financial information, while not always "special category," is sensitive in practice, and we treat it with heightened care.
04How we use information (and our legal bases)
We use personal information to: create and secure accounts and authenticate users; provide, maintain, and support the Services; process payments; communicate with you about your account, security, and changes; provide customer support; prevent, detect, and investigate fraud, abuse, and security incidents; improve and develop the Services using aggregated/de-identified data; send marketing where permitted (you can opt out); and comply with legal obligations and enforce our terms.
Where the GDPR/UK GDPR applies and we act as controller, our legal bases are: performance of a contract (to provide the Services you request); legitimate interests (to secure, support, and improve the Services and run our business, balanced against your rights); consent (for non-essential cookies and certain marketing - withdrawable at any time); and legal obligation (for example, tax and accounting records). For Customer Data we process as a processor, the lawful basis is determined by you as controller.
05Cookies and analytics
We use strictly necessary cookies to operate the Services and, with your consent where required, analytics and preference cookies. We use Google Analytics to understand usage; you can opt out via Google's opt-out tools. In the EU/UK and other regions that require it, we request consent for non-essential cookies through a consent banner, and you can change your choices at any time. We honor Global Privacy Control (GPC) signals where required. For full details, including the specific cookies we use and how to manage them, see our Cookie Policy.
06When and with whom we share information
We share personal information only as described here:
- Service providers / processors who help us run the Services under written contracts requiring appropriate protection - including Anthropic (AI), Amazon Web Services (hosting/storage), Stripe (payments), Cloudflare (network/security), Postmark (email), Google Workspace (internal collaboration), and Sentry (error monitoring). The current list is maintained on our Security page and in the DPA.
- At your direction - with integrations or recipients you choose to connect or share with.
- Legal and safety - to comply with law, lawful requests, or to protect the rights, safety, and security of users, the public, or Dotio.
- Business transfers - in a merger, acquisition, financing, or sale of assets, subject to this Policy.
We do not sell personal information, and we do not share it for cross-context behavioral advertising. We have not done so in the preceding 12 months and will not do so.
07Automated decision-making and the EU AI Act
The Services use automated processing and AI to generate suggestions, categorizations, and outputs. Dotio does not use these to make legal or similarly significant decisions about you without human involvement. Outputs are tools to assist you; you (or your organization) remain the decision-maker and should review outputs before acting. Where the GDPR Article 22 right regarding solely automated decisions with legal/similarly significant effects applies, you may contact us to exercise it. We provide information about the AI nature of the Services in keeping with transparency expectations under the EU AI Act and similar laws; AI-generated content within the Services is identified as such where appropriate.
08International data transfers
We operate in the United States and the European Union, and your information may be processed in either, and by our providers in their locations. Customer Data is stored on Amazon Web Services, and AI processing is performed by Anthropic, in the European Union and/or the United States. Where personal data is transferred out of the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards, principally the European Commission's Standard Contractual Clauses (and the UK Addendum / Swiss addendum as applicable), together with supplementary measures such as encryption. You can request information about these safeguards at legal@getdotio.com.
09How long we keep information
We keep personal information only as long as needed for the purposes in this Policy, then delete or anonymize it. Account and Customer Data are retained for the life of your account and, after closure, for a wind-down/export period (generally 30 days), after which they are deleted in the ordinary course - except where a longer period is required or permitted by law (for example, tax/accounting records) or for the establishment or defense of legal claims. Backups are cycled out on the schedule described on our Security page.
10Your privacy rights
Depending on where you live, you may have rights to: access your personal information and obtain a copy; correct inaccuracies; delete it; restrict or object to processing; data portability; withdraw consent; and not be subject to solely automated decisions with legal/similarly significant effects. To exercise these, email legal@getdotio.com. We will verify your request and respond within the timeframes required by applicable law. You will not be discriminated against for exercising your rights. If we act as processor for your data (Customer Data), we will refer your request to the relevant controller (our customer) and assist them.
EEA/UK/Switzerland. You may lodge a complaint with your local supervisory authority (in the UK, the ICO; in Switzerland, the FDPIC).
United States - state rights. If you are a resident of a US state with a comprehensive privacy law (including California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia), you have rights to know/access, correct, delete, obtain a copy, and opt out of targeted advertising, sale, or certain profiling. We do not sell or share for cross-context behavioral advertising. You may appeal a decision by replying to our response; if an appeal is denied you may contact your state attorney general. Categories of personal information we collect map to: identifiers, customer records, commercial information, internet/usage activity, and professional information; we do not collect biometric data and do not use protected-classification data for these purposes.
Latin America. If you are in Brazil (LGPD), you have rights of confirmation, access, correction, anonymization/blocking/deletion, portability, information about sharing, and to withdraw consent; our contact above serves as your channel, and you may contact the ANPD. If you are in Mexico (LFPDPPP), you have ARCO rights (access, rectification, cancellation, opposition). Other Latin American data-protection laws (for example in Argentina, Chile, Colombia) provide similar rights, which we honor as applicable.
Canada. We process personal information with your consent (express or implied) except where the law permits otherwise, and you may request access or correction.
11Children
The Services are for business use and are not directed to anyone under 18. We do not knowingly collect personal information from children. If we learn we have, we will delete it and may deactivate the account. Contact legal@getdotio.com if you believe a minor has provided us data.
12How we protect information
We use technical and organizational measures including encryption in transit and at rest, per-customer data isolation, access controls and least-privilege, logging, and vetted processors - described on our Security page. No method of transmission or storage is 100% secure, but we work to protect your information and to notify you and authorities of incidents as required by law.
13Changes to this Policy
We may update this Policy. If changes are material we will provide notice (for example by email or in-product) and update the "Last updated" date. Continued use after the effective date means you accept the updated Policy.