Privacy Policy

Doraverse ("we," "us," or "our") is committed to protecting your privacy. This policy explains how we collect, use, and protect data when you use our platform and related services (the "Services").

This policy applies to our Customers (subscribing businesses), their End Users, and visitors to our website.

Key Definitions:

  • Personal Data: Information relating to an identifiable natural person.
  • Customer: The business entity subscribing to the Services.
  • End User: An individual authorized by a Customer to use the Services.
  • Customer Data: Data submitted by Customers or End Users for processing via the Services (e.g., inputs/outputs in Chat, data processed by AI Agents, content in Notebooks). May contain Personal Data.
  • Service Data: Data related to Service registration, use, and performance (e.g., usage stats, logs, account info, user profiles). May contain Personal Data of End Users.

When processing Customer Data, the Customer is the Data Controller, and Doraverse is the Data Processor, acting on Customer instructions. For Service Data, Doraverse is the Data Controller.

1. Information We Collect

1.1 Information You Provide Directly

  • Account Information: Name, business email, company name, job title, password, contact details for account administration (collected from Customer administrators and potentially End Users for their profiles).
  • Payment Information: Billing and payment details for paid plans, processed securely by our third-party payment processor. We do not store full credit card numbers.
  • Support Communications: Information provided when you contact support or give feedback.

1.2 Customer Data (Processed on Behalf of Customers):

  • Chat Interactions: Text prompts, conversation history (if saved by user), AI model selections, and text outputs generated via the Services by End Users.
  • AI Agent & Automation Data: Configuration details, credentials provided by the End User to connect external services (handled securely), and the data passed into, processed by, and outputted from these Automations as directed by the End User's configuration.
  • Notebook Content: Documents, text, notes, data sources, and other content uploaded, connected, or generated within the Notebook feature by End Users.
  • Studio Data: Text prompts, reference inputs (if applicable) uploaded by End Users, and the outputs generated by AI models accessed via the Services.

1.3 Information Collected Automatically (Service Data):

  • Usage Data: Information on how End Users interact with the Services, such as features accessed, actions taken, time spent, frequency, automation execution metrics, and performance data.
  • Log Data: Server logs including IP address, browser type, OS, device info, timestamps, pages viewed, referring URLs when End Users access the Services.
  • Cookies and Similar Technologies: Used for operating the Services, gathering usage data, and improving experience (essential, performance, functionality cookies).
  • If you choose to connect your Google account (including Gmail, Google Calendar, or Google Drive) to Doraverse, we may collect certain data from your Google services. This may include email headers (not body content), calendar event details, and file metadata required to provide platform features.

3. How We Use Information

3.1 To Provide, Maintain, and Operate the Services

  • We use Service Data for authentication of End Users, payment processing, account management, and delivering core functionality.
  • We process Customer Data strictly as directed by the Customer and its End Users:
    • AI Chat: Processing text inputs and transmitting them to selected model APIs to generate text outputs for the End User.
    • AI Agents/Automation: Executing configured automation logic, processing and transmitting data between Doraverse and connected external services per End User instructions.
    • Notebook: Processing and analyzing content for insights as requested by the End User.
    • Studio: Processing prompts (and reference inputs) provided by the End User and transmitting them to relevant AI model APIs to generate outputs.
  • We use Service Data for technical support.
  • Service Data from Google integrations is used solely to deliver the features you activate, and is never used for advertising or shared with third parties without your consent.

3.2 To Improve, Develop, and Optimize the Services:

We analyze Service Data (often in anonymized or aggregated form) to understand usage trends, identify popular features, troubleshoot technical issues, improve performance, and inform the development of new features and functionalities.

Our Commitment Regarding Customer Data: Doraverse does NOT use Customer Data (which includes any inputs like prompts or uploaded documents, and outputs like AI-generated text or outputs received via the Services) to train Doraverse's own general-purpose AI models or the general models of the underlying providers we integrate with. Furthermore, we will not use identifiable Customer Data for general service improvement or research and development outside of providing the service directly to you. We may, however, use Customer Data in an anonymized and aggregated form (which does not identify you or any individual) for limited purposes such as service improvement, research, and development, consistent with our Terms of Service. Any other use of Customer Data for model training or development would only occur if explicitly requested by the Customer through a separate agreement for a specific service (e.g., a custom model fine-tuning service) and would require the Customer's explicit, opt-in consent.

3.3 To Communicate with You

  • Using Service Data (like End User email addresses) for important administrative messages (updates, alerts, policy changes).
  • Sending marketing communications (subject to preferences/law), with opt-out options.

3.4 For Security and Compliance:

  • Using Service Data and sometimes Customer Data to detect/prevent fraud or abuse, investigate incidents, enforce terms, and protect rights and safety.
  • Processing data to comply with laws, regulations, legal processes, or governmental requests.

4.1 Processing Service Data (Doraverse as Controller)

Based on:

  • Performance of Contract: To provide the subscribed Services to the Customer and its End Users.
  • Legitimate Interests: Improving/securing Services, analyzing usage, marketing (where permitted), balanced against End User rights.
  • Consent: Where required (e.g., certain cookies or marketing). See our Cookie Notice for cookie choices.
  • Legal Obligation: To comply with legal requirements.

4.2 Processing Customer Data (Doraverse as Processor)

Based solely on Customer instructions per our agreement (including the DPA). The Customer (Controller) is responsible for ensuring a valid legal basis for processing any Personal Data of End Users or others within Customer Data.

5. Information Sharing and Disclosure

5.1 With Sub-processors and Third-Party Integrations

We use third-party service providers ("Sub-processors") for cloud hosting, payment processing, support tools, analytics, and to enable integrations you initiate with external services (e.g., Google Gmail/Drive/Calendar, Slack, Notion). For such integrations, we access only the minimum data needed to provide the requested features and comply with applicable third-party policies.

OAuth connections may be facilitated through an integration partner (currently Composio). Access occurs via scope-limited OAuth tokens; we do not receive your third-party passwords. You can disconnect integrations and revoke access at any time within Doraverse. After revocation, we cease requests to that provider and remove active tokens within a reasonable period.

5.2 With Underlying Model APIs (AI Features)

When an End User uses AI features, relevant Inputs are transmitted to the API of the selected underlying model provider solely for receiving the AI-generated Output for that request. We rely on the data usage policies associated with these providers' commercial API offerings, which generally state API data is not used for training their general models. We encourage you to review the data usage policies of the model providers you choose to interact with via Doraverse.

5.3 With External Services via Automation

If a Customer or End User configures an Automation to connect Doraverse with an external service (e.g., a spreadsheet application, communication platform, or CRM system), data will be transferred between Doraverse and that service as directed by the automation's configuration set up by the Customer/End User. We are not responsible for the data practices of these external services. Customers should review their policies.

We may disclose information if required by law, legal process, or governmental request; to enforce terms; detect/prevent fraud or security issues; or protect the rights, property, or safety of Doraverse, our Customers, End Users, or the public.

5.5 Business Transfers

Information may be transferred during a merger, acquisition, or similar transaction, as permitted by law/contract and subject to confidentiality.

We may share information in other ways if directed or consented to by the Customer.

5.7 No Sale or Sharing of Personal Data

Doraverse does not "Sell" or "Share" Personal Data as those terms are defined under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

6. Data Security

6.1 Security Measures

We implement appropriate technical and organizational measures designed to protect the security, confidentiality, and integrity of the data we process. These measures include, but are not limited to, encryption of data both in transit (using TLS) and at rest where appropriate, role-based access controls and authentication mechanisms, network security measures like firewalls and intrusion detection/prevention systems, regular security assessments including vulnerability scanning, and security awareness training for our personnel.

6.2 Credential Security

Credentials provided by Customers/End Users for connecting external services via Integration are protected (e.g., encrypted storage, restricted access). End Users should follow credential management best practices. OAuth tokens are stored and transmitted securely and are removed after you revoke a connection in Doraverse.

6.3 Disclaimer

No internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security.

6.4 Security Certifications

Doraverse maintains SOC 2 Type II certification and GDPR compliance.

7. Data Retention

7.1 Retention Principles

We retain Personal Data only as long as needed for the purposes collected, including providing Services, legal/accounting/reporting needs, dispute resolution, and enforcing agreements.

7.2 Customer Data

We retain Customer Data for as long as the Customer's account is active and as necessary to provide the Services. When the last user leaves a workspace, the workspace and its subdomain become inactive and are permanently deleted after 30 days. Following deletion from active systems, backups are purged through routine rotation cycles. We may retain limited records where required by law (e.g., billing, security logs).

7.3 Service Data

We retain Service Data for as long as necessary for the purposes described in this policy. For example, account information (including End User profile info) is retained while the account is active and for a reasonable period thereafter for administrative purposes. Technical log data may be retained for a shorter period for security and troubleshooting purposes.

8. International Data Transfers

Information may be transferred to, stored, and processed in countries outside your own.

For transfers from these regions to countries without adequacy decisions, we rely on legal mechanisms like Standard Contractual Clauses (SCCs) or the UK Addendum. Our DPA details our commitments for Customer Data transfers.

9. Your Data Protection Rights

9.1 List of Rights

Depending on your location and applicable data protection laws, you (End Users and other individuals whose data we process) may have certain rights regarding your Personal Data, including:

  • The right to access the Personal Data we hold about you.
  • The right to rectify inaccurate Personal Data.
  • The right to erase your Personal Data ('Right to be Forgotten').
  • The right to restrict the processing of your Personal Data.
  • The right to data portability (receive your data in a structured, commonly used format).
  • The right to object to the processing of your Personal Data (particularly for direct marketing or processing based on legitimate interests).
  • The right to withdraw consent, where processing is based on consent.

9.2 Exercising Rights

  • Regarding Service Data: End Users can typically access and update some of their profile information directly within their account settings. For other requests related to Service Data concerning an End User (where Doraverse is Controller), the End User should contact us. We will respond to requests in accordance with applicable data protection laws.
  • Regarding Customer Data: As Doraverse processes Customer Data as a Data Processor on behalf of the Customer (the Data Controller), End Users wishing to exercise their data protection rights with respect to Customer Data must direct their request to the relevant Customer (typically their employer or the organization that provided them access). Doraverse will provide reasonable assistance to our Customers to help them respond to such requests from their End Users, as outlined in our DPA.

9.3 Right to Lodge a Complaint

You have the right to lodge a complaint with a relevant data protection supervisory authority if you believe our processing of your Personal Data infringes applicable data protection laws.

9.4 Supplemental Notice for California Residents

If you are a California resident (End User or otherwise), you may have additional rights under the CCPA/CPRA regarding your Personal Data. This section supplements the information contained elsewhere in this Privacy Policy.

  • Right to Know/Access: You have the right to request information about the categories and specific pieces of Personal Data we have collected about you, the categories of sources, the purposes for collecting the data, and the categories of third parties with whom we have disclosed Personal Data.
  • Right to Delete: You have the right to request the deletion of your Personal Data, subject to certain exceptions.
  • Right to Correct: You have the right to request the correction of inaccurate Personal Data.
  • Right to Opt-Out of Sale/Sharing: As stated in Section 5.7, we do not Sell or Share Personal Data, so there is no need to opt out.
  • Right to Limit Use of Sensitive Personal Information (SPI): We only use SPI (if any is collected, e.g., account log-in credentials) as necessary to provide the Services or as otherwise permitted by the CCPA/CPRA, such as for security and integrity purposes. We do not use SPI for purposes that would require offering a Right to Limit under the CCPA/CPRA.
  • Right Against Discrimination: You have the right not to be discriminated against for exercising your CCPA/CPRA rights.
  • Exercising Your Rights: To exercise these rights regarding Service Data pertaining to you (where Doraverse acts as the "Business"), please contact us. We will need to verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf by providing us with written permission signed by you and verifying your own identity directly with us, or through a power of attorney. For requests related to Customer Data (where Doraverse acts as the "Service Provider"), please direct your request to the relevant Customer (the "Business") as described in Section 9.2.

9.5 Rights Regarding Third-Party Integrations (including Google Services)

If you have connected your Google account (such as Gmail, Drive, or Calendar) or other third-party integrations to Doraverse, you may revoke access or disconnect these integrations at any time. Upon disconnection, Doraverse will cease accessing new data from the integration, and you may request deletion of any data previously obtained via the integration, subject to applicable laws and contractual commitments.

10. Data Processing Agreement (DPA)

10.1 Importance

For Customers subject to GDPR or similar laws, processing Customer Data (which may contain Personal Data of End Users) is governed by our DPA, incorporated into our Terms of Service.

10.2 Content

The DPA details processor/controller obligations, including scope, security, handling of data subject requests from End Users via the Customer, Sub-processor management, data breach notification procedures, audit rights, and international data transfers related to the processing of Customer Data. You can request our standard DPA via our support channel. The DPA is essential for Customers processing Personal Data subject to GDPR through the Services.

11. Changes to This Privacy Policy

We may update this policy periodically. The "Last Updated" date indicates the latest revision. Material changes will be notified via the Services, email to the Customer's primary contact or potentially End Users, or other appropriate means before taking effect. Please review periodically.