Privacy Policy
Last updated: March 9, 2026 · Effective: March 9, 2026
1. Introduction
This Privacy Policy explains how Dokky ("Company", "we", "us", "our"), the operator of the Dokky platform, collects, uses, discloses, and safeguards your personal data when you use our AI-powered invoice processing platform ("Service") available at dokky.com.ua and related services.
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Law of Ukraine "On Personal Data Protection" No. 2297-VI, and other applicable data protection legislation.
2. Data Controller
The data controller responsible for your personal data is:
- Entity: Dokky
- Country: Ukraine
- Email: info@dokky.com.ua
- Website: dokky.com.ua
3. Data We Collect
3.1. Account Data
When you register and use the Service:
- Full name and email address.
- Password (stored only as a bcrypt hash — we never store or access your plain-text password).
- Organization name and business details.
- Telegram account ID (only if you voluntarily connect the Dokky Telegram Bot).
- Billing information (processed by Stripe/LiqPay; we do not store full card numbers).
3.2. Invoice & Business Data
When you use the document processing features:
- Uploaded invoice images, receipts, acts, and other documents.
- Extracted data: product names, quantities, prices, supplier names, dates, and totals.
- Product matching results and manual corrections you make.
- Supplier, product, and category catalogs you create.
- Location data (your business locations / branches).
3.3. Usage & Technical Data
Collected automatically when you interact with the Service:
- IP address, browser type, operating system, device type.
- Pages visited, features used, timestamps, session duration.
- API call logs (endpoint, status code, response time).
- Error reports and crash logs.
- Referral source (how you arrived at the Service).
3.4. Communication Data
- Emails and messages you send to our support channels.
- Feedback, feature requests, and survey responses.
4. Legal Basis for Processing (GDPR Art. 6)
| Purpose | Legal Basis |
|---|---|
| Provide the Service (OCR, matching, analytics) | Performance of contract (Art. 6(1)(b)) |
| Account registration & authentication | Performance of contract (Art. 6(1)(b)) |
| Payment processing & invoicing | Performance of contract (Art. 6(1)(b)) |
| Security monitoring & fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Service improvement & analytics | Legitimate interest (Art. 6(1)(f)) |
| Transactional emails (invoice processed, etc.) | Performance of contract (Art. 6(1)(b)) |
| Marketing communications | Consent (Art. 6(1)(a)) — opt-in only |
| Tax & accounting record-keeping | Legal obligation (Art. 6(1)(c)) |
| Responding to legal requests | Legal obligation (Art. 6(1)(c)) |
5. How We Use Your Data
- To provide, maintain, and improve the Service.
- To process invoices and documents using AI/OCR models.
- To match products, learn from your corrections, and improve matching accuracy within your organization.
- To send transactional emails (invoice processed, subscription updates, security alerts).
- To provide customer support.
- To detect and prevent fraud, abuse, and security incidents.
- To generate aggregated, anonymized analytics to improve the Service (this data cannot identify you or your organization).
- To comply with legal and regulatory obligations.
6. AI Processing & Third-Party Data Processors
Your documents may be transmitted to third-party AI providers for OCR and analysis. These providers act as data processors under our instructions:
| Provider | Service | Data Center Location |
|---|---|---|
| Google (Gemini Flash / Pro) | Primary OCR | EU / US |
| OpenAI (GPT models) | Alternative OCR | US |
| Anthropic (Claude) | Alternative OCR | US |
| Groq | Alternative OCR | US |
| OpenRouter | Model routing | US |
| MiniMax | Alternative OCR | Singapore |
Important guarantees:
- We select providers whose terms prohibit using customer data for model training.
- Your Content is transmitted for immediate processing only and is not stored by AI providers beyond the processing session (typically seconds to minutes).
- You may choose your preferred OCR provider in the Settings or use the default (Gemini Flash).
- AI-generated results may contain inaccuracies. You are responsible for verifying output before relying on it.
6.1. Other Service Providers
- Stripe / LiqPay — payment processing. They receive your billing data under their own privacy policies.
- OVH / Hetzner — server hosting (EU data centers).
- Amazon S3 / MinIO — file storage (encrypted at rest).
- Telegram — bot notifications (only if you connect the bot).
7. Data Storage & Security
- Data is stored in PostgreSQL databases with multi-tenant Row-Level Security (RLS) ensuring strict data isolation between organizations.
- Files are stored in S3-compatible object storage (encrypted at rest with AES-256).
- All network traffic is encrypted with TLS 1.2/1.3.
- Passwords are hashed using bcrypt with per-user salts.
- Authentication uses JWT tokens with short-lived access tokens (15 min) and secure refresh token rotation.
- Regular automated backups are performed and stored securely with retention for 30 days.
- Rate limiting, IP-based blocking, and DDoS protection measures are in place.
- Our primary servers are located in European data centers (OVH, France).
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | While account is active + 30 days after deletion request |
| Invoice data & documents | Per your organization's settings (default: indefinite while active) |
| Usage & access logs | 90 days |
| Security audit logs | 1 year |
| Billing records | As required by tax law (typically 3–7 years) |
| Database backups | 30 days (rolling) |
| Support correspondence | 2 years after ticket resolution |
After the retention period, data is permanently deleted or anonymized so that it can no longer be associated with you.
9. Your Rights
Under GDPR and the Law of Ukraine "On Personal Data Protection", you have the following rights:
- Right of Access (Art. 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
- Right to Restriction (Art. 18): Request restriction of processing in certain circumstances.
- Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (CSV, JSON) or request transfer to another controller.
- Right to Object (Art. 21): Object to processing based on legitimate interest, including profiling.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: You may file a complaint with the Ukrainian Parliamentary Commissioner for Human Rights (Ombudsman) or your local supervisory authority (e.g., a Data Protection Authority in the EU).
To exercise any of these rights, email us at info@dokky.com.ua. We will respond within 30 days. If the request is complex, we may extend this by an additional 60 days with notice.
10. Cookies & Tracking Technologies
10.1. Essential Cookies
Required for the Service to function. These include authentication tokens, session identifiers, and CSRF protection cookies. They cannot be disabled without breaking the Service.
10.2. Functional Cookies
Store your preferences (language, theme, dashboard layout). These enhance your experience but are not strictly necessary.
10.3. Analytics Cookies
We may use privacy-respecting analytics (no advertising trackers) to understand how users interact with the Service. Analytics data is aggregated and anonymized. Analytics cookies are only set with your explicit consent.
10.4. We Do NOT Use
- Advertising or remarketing cookies.
- Third-party social media tracking pixels.
- Cross-site tracking technologies.
You can manage cookie preferences through your browser settings. Note that disabling essential cookies will prevent the Service from functioning properly.
11. International Data Transfers
Your data may be transferred to and processed in countries outside Ukraine and the EEA (primarily the United States) when using AI providers. We ensure adequate protection through:
- Selecting providers that participate in recognized data protection frameworks (EU-U.S. Data Privacy Framework where applicable).
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Providers' binding corporate rules and certifications (SOC 2, ISO 27001 where available).
Our primary infrastructure is hosted in the EU (OVH, France). Document processing via AI providers involves temporary data transfer for the duration of the API call only.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the competent supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33).
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34).
- Document the breach, its effects, and the remedial actions taken.
13. Children's Privacy
The Service is not intended for, and we do not knowingly collect personal data from, individuals under 18 years of age. If we learn that we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at info@dokky.com.ua.
14. Automated Decision-Making & Profiling
The Service uses AI/ML models to extract data from invoices and match products. This constitutes automated processing but does not produce legal effects concerning you or similarly significantly affecting you. All AI-generated results are presented for your review and manual confirmation — no fully automated decisions are made about your rights, creditworthiness, or similar matters.
15. Do Not Track Signals
We honor Do Not Track (DNT) browser signals. When we detect a DNT signal, we do not set any non-essential cookies or tracking technologies.
16. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any third-party websites you visit.
17. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of material changes by: (a) updating the "Last updated" date at the top; (b) sending an email to your registered address; (c) displaying a notice within the Service. We encourage you to review this page regularly.
If you disagree with a material change, you may close your account before the revised policy takes effect.
18. Contact
For any privacy-related questions, data subject requests, or complaints:
- Email: info@dokky.com.ua
- Website: dokky.com.ua
- Telegram: @dokky_support
- Supervisory Authority (Ukraine): Ukrainian Parliamentary Commissioner for Human Rights — ombudsman.gov.ua