Privacy Policy

Last updated: Feb 24, 2026

Doraverse ("we," "us," or "our") is committed to protecting your privacy. This policy explains how we collect, use, and protect data when you use our platform and related services (the "Services").

This policy applies to our Customers (subscribing businesses), their End Users, and visitors to our website.

Key Definitions:

  • Personal Data: Information relating to an identifiable natural person.

  • Customer: The business entity subscribing to the Services.

  • End User: An individual authorized by a Customer to use the Services.

  • Customer Data: Data submitted by Customers or End Users for processing via the Services (e.g., inputs/outputs in Chat, data processed by AI Agents, content in Notebooks). May contain Personal Data.

  • Service Data: Data related to Service registration, use, and performance (e.g., usage stats, logs, account info, user profiles). May contain Personal Data of End Users.

When processing Customer Data, the Customer is the Data Controller, and Doraverse is the Data Processor, acting on Customer instructions. For Service Data, Doraverse is the Data Controller.

1. Information We Collect

1.1 Information You Provide Directly

  • Account Information: Name, business email, company name, job title, password, contact details for account administration (collected from Customer administrators and potentially End Users for their profiles).

  • Payment Information: Billing and payment details for paid plans, processed securely by our third-party payment processor. We do not store full credit card numbers.

  • Support Communications: Information provided when you contact support or give feedback.

1.2 Customer Data (Processed on Behalf of Customers):

  • Chat Interactions: Text prompts, conversation history (if saved by user), AI model selections, and text outputs generated via the Services by End Users.

  • AI Agent & Automation Data: Configuration details, credentials provided by the End User to connect external services (handled securely), and the data passed into, processed by, and outputted from these Automations as directed by the End User's configuration.

  • AI Notetaker Data: Audio recordings (where enabled), meeting transcripts, generated meeting notes/summaries, action items, and related meeting metadata (such as meeting title, agenda, participants’ names and email addresses, and timestamps) that are captured, uploaded, or generated through the AI Notetaker feature by End Users and/or as configured by the Customer. This data may include Personal Data and, depending on what is discussed during meetings, may include sensitive information provided by participants.

  • Studio Data: Text prompts, reference inputs (if applicable) uploaded by End Users, and the outputs generated by AI models accessed via the Services.

1.3 Information Collected Automatically (Service Data):

  • Usage Data: Information on how End Users interact with the Services, such as features accessed, actions taken, time spent, frequency, automation execution metrics, and performance data.

  • Log Data: Server logs including IP address, browser type, OS, device info, timestamps, pages viewed, referring URLs when End Users access the Services.

  • Cookies and Similar Technologies: Used for operating the Services, gathering usage data, and improving experience (essential, performance, functionality cookies).

  • If you choose to connect your Google account (including Gmail, Google Calendar, or Google Drive) to Doraverse, we may collect certain data from your Google services. This may include email headers (not body content), calendar event details, and file metadata required to provide platform features.

3. How We Use Information

3.1 To Provide, Maintain, and Operate the Services

  • We use Service Data for authentication of End Users, payment processing, account management, and delivering core functionality.

  • We process Customer Data strictly as directed by the Customer and its End Users:

    • AI Chat: Processing text inputs and transmitting them to selected model APIs to generate text outputs for the End User.

    • AI Agents/Automation: Executing configured automation logic, processing and transmitting data between Doraverse and connected external services per End User instructions.

    • AI Notetaker: Capturing and processing meeting audio (where enabled), generating transcripts, notes/summaries, and action items, and transmitting relevant inputs to selected model APIs to produce outputs for the End User and/or Customer. Where configured, the AI Notetaker may access meeting details (e.g., calendar event information) and associate notes/transcripts with the relevant meeting.

    • Studio: Processing prompts (and reference inputs) provided by the End User and transmitting them to relevant AI model APIs to generate outputs.

We use Service Data for technical support. Service Data from Google integrations is used solely to deliver the features you activate, and is never used for advertising or shared with third parties without your consent.

3.2 To Improve, Develop, and Optimize the Services:

We analyze Service Data (often in anonymized or aggregated form) to understand usage trends, identify popular features, troubleshoot technical issues, improve performance, and inform the development of new features and functionalities.

Our Commitment Regarding Customer Data: Doraverse does NOT use Customer Data (which includes any inputs like prompts or uploaded documents, and outputs like AI-generated text or outputs received via the Services) to train Doraverse's own general-purpose AI models or the general models of the underlying providers we integrate with. Furthermore, we will not use identifiable Customer Data for general service improvement or research and development outside of providing the service directly to you. We may, however, use Customer Data in an anonymized and aggregated form (which does not identify you or any individual) for limited purposes such as service improvement, research, and development, consistent with our Terms of Service. Any other use of Customer Data for model training or development would only occur if explicitly requested by the Customer through a separate agreement for a specific service (e.g., a custom model fine-tuning service) and would require the Customer's explicit, opt-in consent.

3.3 To Communicate with You

  • Using Service Data (like End User email addresses) for important administrative messages (updates, alerts, policy changes).

  • Sending marketing communications (subject to preferences/law), with opt-out options.

3.4 For Security and Compliance:

  • Using Service Data and sometimes Customer Data to detect/prevent fraud or abuse, investigate incidents, enforce terms, and protect rights and safety.

  • Processing data to comply with laws, regulations, legal processes, or governmental requests.

4. Legal Basis for Processing

4.1 Processing Service Data (Doraverse as Controller)

Based on:

  • Performance of Contract: To provide the subscribed Services to the Customer and its End Users.

  • Legitimate Interests: Improving/securing Services, analyzing usage, marketing (where permitted), balanced against End User rights.

  • Consent: Where required (e.g., certain cookies or marketing). See our Cookie Notice for cookie choices.

  • Legal Obligation: To comply with legal requirements.

4.2 Processing Customer Data (Doraverse as Processor)

Based solely on Customer instructions per our agreement (including the DPA). The Customer (Controller) is responsible for ensuring a valid legal basis for processing any Personal Data of End Users or others within Customer Data.

5. Information Sharing and Disclosure

We may share information as described below and consistent with the purposes set out in this Privacy Policy. We do not disclose Personal Data to third parties for their own independent marketing purposes, and we do not “Sell” or “Share” Personal Data.

5.1 With Sub-processors and Third-Party Service Providers

We use third-party service providers (“Sub-processors”) to host, operate, secure, and maintain the Services, and to provide business functions such as billing and customer support. These Sub-processors may process Service Data and, where applicable, Customer Data on our behalf and under contractual obligations consistent with this Privacy Policy.

Key categories of Sub-processors include:

  • Cloud infrastructure and hosting: We may use providers such as Microsoft Azure, Amazon Web Services (AWS), or Google Cloud to host and operate the Services, including storage, backups, security monitoring, and performance of the platform.

  • Payments (Stripe): If you purchase paid Services, we use Stripe to process payments, manage billing, and help detect and prevent fraud. We may share limited billing-related information (such as email address and billing details) as necessary to complete transactions and provide billing support. Payment card information is handled directly by Stripe according to Stripe’s terms and privacy policy.

  • Support and operational tools: We may use third-party tools for customer support, communications, and service operations where necessary to provide support and administer accounts.

  • OAuth/integration facilitation: OAuth connections may be facilitated through an integration partner (currently Composio). Access occurs via scope-limited OAuth tokens; we do not receive your third-party passwords. You can disconnect integrations and revoke access at any time within Doraverse.

We aim to access and share only the minimum data necessary for the relevant service provider to perform its function.

5.2 With Third-Party AI Model Providers

When End Users use AI-powered features, Doraverse transmits relevant content to third-party AI model providers solely to process the request and return AI-generated outputs.

Who we send data to. Depending on the feature used and/or the model selected, Doraverse may transmit AI Inputs to providers such as Microsoft Azure AI (including Azure OpenAI Service), Anthropic API, OpenAI API, or Fail.ai (for image and video generation features).

What data we send. Doraverse transmits only the content the End User chooses to submit for AI processing (“AI Inputs”), such as:

  • Text prompts/messages and related context selected for processing.

  • Files or attachments the End User uploads or connects for the requested AI feature (e.g., documents, images, audio, or video), where applicable.

As a general practice, Doraverse does not intentionally include account identifiers (such as user ID, workspace ID, or session ID) or device/network information in the AI request payload. However, third-party providers may receive or generate certain technical metadata as part of providing their services under their own systems and policies.

Provider terms and policies. Third-party AI providers process data under their own terms and privacy policies. We encourage Customers and End Users to review the policies of the model providers they choose to use through Doraverse.

Controls and choices. AI requests are sent only when an End User actively uses an AI feature or applies AI processing to content. Customers may be able to manage or restrict AI feature availability via workspace settings. End Users should avoid submitting sensitive Personal Data in AI Inputs unless necessary for their intended use and authorized by the Customer.

Legal basis and roles. Where Doraverse processes Customer Data (including AI Inputs that form part of Customer Data), Doraverse acts as a Data Processor on behalf of the Customer, and the Customer is responsible for ensuring a valid legal basis for any Personal Data included in AI Inputs. Where required by applicable law, Doraverse may provide additional notices and/or obtain necessary permissions through product experiences before transmitting AI Inputs containing Personal Data.

5.3 With Google Workspace APIs and Other Third-Party Integrations

If you choose to connect Doraverse to third-party services, Doraverse will access and process data only as authorized by you through the provider’s permission/consent screen (OAuth) and the scopes you grant.

For Google Drive, depending on the scopes granted and features used, Doraverse may access: file metadata (e.g., file name, file type, size, modified time) and file content that you select for import, sync, search, or analysis.

We use this data to provide the features you request (e.g., importing documents, syncing selected files, enabling search, and enabling AI-based analysis or summarization where you choose to apply AI features). If you apply AI features to Google Drive content, the relevant content (or extracts you select) may be transmitted to third-party AI model providers as described in Section 5.2.

You can disconnect integrations at any time in Doraverse settings. After disconnection, Doraverse will stop accessing new data from the integration.

5.4 For Legal Reasons

We may disclose information if required by law, legal process, or governmental request; to enforce our terms; to detect, prevent, or investigate fraud, abuse, or security issues; or to protect the rights, property, or safety of Doraverse, our Customers, End Users, or the public.

5.5 With Customer Direction or Consent

We may share information in other ways where directed or authorized by the Customer (or where otherwise permitted by applicable law), including enabling integrations and data flows configured by the Customer or End Users.

6. Data Security

6.1 Security Measures

We implement appropriate technical and organizational measures designed to protect the security, confidentiality, and integrity of the data we process. These measures include, but are not limited to, encryption of data both in transit (using TLS) and at rest where appropriate, role-based access controls and authentication mechanisms, network security measures like firewalls and intrusion detection/prevention systems, regular security assessments including vulnerability scanning, and security awareness training for our personnel.

6.2 Credential Security

Credentials provided by Customers/End Users for connecting external services via Integration are protected (e.g., encrypted storage, restricted access). End Users should follow credential management best practices. OAuth tokens are stored and transmitted securely and are removed after you revoke a connection in Doraverse.

6.3 Disclaimer

No internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security.

6.4 Security Certifications

Doraverse maintains SOC 2 Type II certification and GDPR compliance.

7. Data Retention

7.1 Retention Principles

We retain Personal Data only as long as needed for the purposes collected, including providing Services, legal/accounting/reporting needs, dispute resolution, and enforcing agreements.

7.2 Customer Data

We retain Customer Data for as long as the Customer's account is active and as necessary to provide the Services. When the last user leaves a workspace, the workspace and its subdomain become inactive and are permanently deleted after 30 days. Following deletion from active systems, backups are purged through routine rotation cycles. We may retain limited records where required by law (e.g., billing, security logs).

7.3 Service Data

We retain Service Data for as long as necessary for the purposes described in this policy. For example, account information (including End User profile info) is retained while the account is active and for a reasonable period thereafter for administrative purposes. Technical log data may be retained for a shorter period for security and troubleshooting purposes.

8. Data Residency and International Data Transfers

Doraverse’s primary hosting and processing environment is located in Japan. However, your Personal Data may be transferred to, stored in, and processed in other locations, including the United States and Europe (including the European Economic Area), where our service providers, AI model providers you select, or third-party integrations operate. Those locations may have data protection laws that differ from the laws in your country of residence.

9. Your Data Protection Rights

For clarity:

  • Service Data: Doraverse acts as the Data Controller (we determine the purposes and means of processing).

  • Customer Data: Doraverse acts as the Data Processor on behalf of the Customer, who is the Data Controller. We process Customer Data only on documented Customer instructions (including as set out in our DPA).

9.1. Rights You Have (Depending on Your Location)

Subject to applicable law and certain exceptions, you may have the right to:

  • Access / Know: Confirm whether we process your Personal Data and access it (and, where required, receive specific pieces of data).

  • Correct / Rectify: Correct inaccurate or incomplete Personal Data.

  • Delete / Erase: Request deletion of Personal Data.

  • Restrict Processing: Limit how we process your Personal Data in certain circumstances.

  • Object: Object to processing based on legitimate interests and object to direct marketing.

  • Data Portability: Receive your Personal Data in a structured, commonly used, machine-readable format (where applicable).

  • Withdraw Consent: Withdraw consent at any time where processing is based on consent (withdrawal does not affect processing already performed).

  • Non-Discrimination (where applicable): Not be discriminated against for exercising applicable privacy rights.

9.2 Submitting a Rights Request (Service Data vs. Customer Data)

(A) Requests About Service Data (Doraverse as Controller)

You may be able to update certain Service Data (such as profile information) through your account settings where available. You may also contact Doraverse to exercise your rights relating to Service Data.

We may need to verify your identity before fulfilling your request, and we will only use verification information for that purpose. We will respond in accordance with applicable law.

(B) Requests About Customer Data (Doraverse as Processor)

If your request relates to Customer Data (e.g., prompts, uploads, notebook content, or automation inputs/outputs) in a Customer workspace, please submit the request directly to the relevant Customer (typically your employer or the organization that provided access).

Doraverse will provide reasonable assistance to the Customer to help them respond, consistent with our DPA and applicable law.

9.3 Privacy Rights for Residents of Certain U.S. States

This section contains additional information relevant to residents of certain U.S. states with comprehensive privacy laws. This section is part of, and should be read in conjunction with, this entire Privacy Policy. Where required by applicable law, this section also serves as our notice at collection for Personal Data collected online or that you submit by email or phone.

Depending on your state of residence and subject to applicable law, you may have certain rights regarding the use of your Personal Data, such as:

  • The right to know/access the Personal Data a company collects, uses, and discloses (including categories of Personal Data, categories of sources, purposes, categories of third parties, and—where required—specific pieces of Personal Data).

  • The right to request deletion of Personal Data.

  • The right to request correction of inaccurate Personal Data.

  • The right to access Personal Data in a portable format (where applicable).

  • The right to opt out of certain processing activities (where applicable under state law).

Not all state privacy laws provide equal rights, and certain information may be exempt from such requests under applicable law. We may deny or limit a request as permitted by law, including to comply with legal obligations, protect security and integrity, prevent fraud, or protect the rights of others.

Doraverse does not “Sell” or “Share” Personal Data as those terms are defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA).

We use Sensitive Personal Information (if any is collected, such as account log-in credentials) only as necessary to provide the Services or as otherwise permitted under the CCPA/CPRA (for example, for security and integrity purposes). We do not use Sensitive Personal Information for purposes that would require offering a “right to limit” under the CCPA/CPRA.

To exercise applicable U.S. state privacy rights relating to Service Data (where Doraverse acts as Controller/Business), please contact us at: support@doraverse.com.

For requests relating to Customer Data (where Doraverse acts as a Processor/Service Provider), please direct your request to the relevant Customer as described in Section 9.2(B).

9.4 EU/UK Notice (GDPR / UK GDPR)

If you are located in the EEA or the UK, you may have GDPR/UK GDPR rights described above (including access, rectification, erasure, restriction, objection, portability, and withdrawal of consent where applicable).

If you believe our processing of your Personal Data violates applicable law, you have the right to lodge a complaint with a competent data protection authority.

For clarity on how to exercise rights:

  • Requests relating to Service Data should be submitted to Doraverse.

  • Requests relating to Customer Data should be submitted to the relevant Customer as described in Section 9.3(B).

9.5 Rights Regarding Third-Party Integrations

If you have connected your Google account (such as Gmail, Drive, or Calendar) or other third-party integrations to Doraverse, you may revoke access or disconnect these integrations at any time. Upon disconnection, Doraverse will cease accessing new data from the integration. You may request deletion of any data previously obtained via the integration, subject to applicable laws and contractual commitments.

10. Data Processing Agreement (DPA)

10.1 Importance

For Customers subject to GDPR or similar laws, processing Customer Data (which may contain Personal Data of End Users) is governed by our DPA, incorporated into our Terms of Service.

10.2 Content

The DPA details processor/controller obligations (scope, security, handling of data subject requests from End Users via the Customer, Sub-processor management, data breach notification procedures, audit rights, and international data transfers related to the processing of Customer Data). You may request our standard DPA via our support channel. The DPA is essential for Customers processing Personal Data subject to GDPR through the Services.

11. Changes to This Privacy Policy

We may update this policy periodically. The "Last Updated" date indicates the latest revision. Material changes will be notified via the Services, email to the Customer's primary contact or potentially End Users, or other appropriate means before taking effect. Please review periodically.
