Privacy Policy
Last updated: December 30, 2024
1. Introduction
Welcome to Dokodo ("we," "our," or "us"). We are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our inventory management application.
2. Information We Collect
2.1 Account Information
- Email Address: Required for account creation, login, and communications
- Password: Securely hashed using bcrypt with cost factor 12
- Email Verification Status: To ensure valid email addresses
2.2 Inventory Data
- Items: Names, descriptions, quantities, and optional photos
- Locations: Names and descriptions of storage locations
- Tags: Custom labels and colors for organization
2.3 Usage Data
- Session Information: Login timestamps, IP addresses, user agents
- Audit Logs: Account changes, deletions, password updates (retained for 90 days)
- Search Queries: Aggregate metrics only (query length, result count) - not raw queries
2.4 Payment Information
For paid subscriptions, payment processing is handled by Stripe. We do not store credit card numbers. We retain:
- Subscription status and plan type
- Payment event history (successful/failed payments)
- Stripe customer ID for subscription management
2.5 What We DON'T Collect
- GPS coordinates or location tracking
- Device identifiers or fingerprints
- Raw search queries (only aggregate metrics)
- Behavioral tracking across other websites
3. How We Use Your Information
- Account Management: Authentication, session management, password resets
- Service Delivery: Storing and retrieving your inventory data
- Security: Fraud detection, abuse prevention, audit logging
- Communications: Email verification, login notifications, service updates
- Payments: Subscription management, billing, payment confirmations
- Product Improvement: Aggregate analytics (e.g., feature usage, error rates)
4. Data Storage and Security
4.1 Storage Location
Your data is stored on secure servers hosted by Render (primary database and backend) and AWS S3 (photos). All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.
4.2 Security Measures
- Password hashing with bcrypt (cost factor 12)
- JWT tokens with 15-minute expiration for access tokens
- httpOnly, Secure, and SameSite cookie attributes to protect session tokens against XSS and CSRF attacks
- Rate limiting on authentication endpoints (10 requests/minute)
- Email verification required for new accounts
- Content Security Policy headers to prevent injection attacks
- Regular security audits and dependency updates
4.3 Photo Privacy
Item photos are stored in private S3 buckets. Access is granted only through time-limited signed URLs (each expiring after 1 hour). Photos are automatically deleted when you delete items or your account.
5. Data Sharing and Disclosure
5.1 We Do NOT Sell Your Data
We will never sell, rent, or trade your personal information to third parties for marketing purposes.
5.2 Service Providers
We share limited data with trusted service providers:
- Stripe: Payment processing (email, subscription data)
- Render: Hosting and infrastructure (all data)
- AWS S3: Photo storage (photos only)
- Email Service: Transactional emails (email address, verification tokens)
All service providers are contractually obligated to protect your data and use it only for authorized purposes.
5.3 Legal Requirements
We may disclose your information if required by law, such as:
- Compliance with legal processes (subpoenas, court orders)
- Protection against fraud, abuse, or security threats
- Enforcement of our Terms of Service
6. Your Rights (GDPR & CCPA)
6.1 Access & Export
You can export all your data in JSON format from Settings → Privacy → Export My Data. This includes:
- Account information
- All items, locations, and tags
- Audit logs (last 1000 entries)
- Active sessions
6.2 Deletion
You can delete your account at any time from Settings → Account → Delete Account. This action:
- Permanently deletes all your data (items, locations, tags, photos)
- Deletes all S3 photos associated with your account
- Revokes all active sessions
- Cancels any active subscriptions (no refunds for partial months)
- Cannot be undone - no recovery is possible
6.3 Rectification
You can update your account information and inventory data at any time through the app interface.
6.4 Objection & Restriction
Contact us at privacy@inventoryapp.com to object to processing or request restriction of your data.
6.5 Portability
Your data export includes all personal data in a machine-readable JSON format for easy portability.
7. Cookies and Local Storage
7.1 Essential Cookies
- access_token: Authentication (15-minute expiration)
- refresh_token: Session persistence (14-day expiration)
- XSRF-TOKEN: CSRF protection
7.2 Local Storage (IndexedDB)
For offline functionality, we cache inventory data in your browser's IndexedDB. This data:
- Remains on your device only (never transmitted without your action)
- Is cleared when you log out
- Should be protected with device-level security (passcode/biometrics)
7.3 Analytics Cookies
We currently do not use any third-party analytics cookies. All analytics are first-party and aggregate only.
8. Data Retention
- Account Data: Retained until account deletion
- Audit Logs: 90 days
- Payment History: 7 years (for tax compliance)
- Email Verification Tokens: 24 hours
- Refresh Tokens: 14 days or until revoked
9. Children's Privacy
Our service is not intended for children under 13. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, contact us immediately at privacy@inventoryapp.com.
10. International Data Transfers
Your data may be transferred to and processed in countries outside your residence. We ensure adequate protections through:
- Standard Contractual Clauses (EU-approved)
- Encryption in transit and at rest
- Service provider compliance with GDPR and CCPA
11. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Significant changes will be communicated via email. Continued use after changes constitutes acceptance.
12. Contact Us
For privacy-related questions or to exercise your rights, contact us:
- Email: privacy@inventoryapp.com
- Data Protection Officer: dpo@inventoryapp.com
- Response Time: Within 30 days (GDPR requirement)
13. Supervisory Authority
If you are in the European Economic Area (EEA) and believe we have not addressed your privacy concerns adequately, you have the right to lodge a complaint with your local data protection authority.