Privacy Policy

Effective Date: October 9, 2025

1. Introduction

Dossier ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

2. Information We Collect

Information You Provide

  • Account Information: Name, email address, and Google account credentials
  • Calendar Data: Meeting titles, times, and attendee email addresses from your Google Calendar
  • Payment Information: Processed securely through Stripe (we never store credit card details)

Information We Collect Automatically

  • Usage Data: Pages visited, features used, and interaction patterns
  • Technical Data: IP address, browser type, device information
  • Cookies: Session cookies for authentication and functionality

Information We Collect from Third Parties

  • Public Data: Publicly available text from websites, professional profiles, and articles about meeting attendees
  • Google Calendar: Event details and attendee information

3. How We Use Your Information

We use the information we collect to:

  • Provide and improve our service
  • Analyze meeting attendees and generate personality insights
  • Send you pre-meeting dossiers via email
  • Process payments and manage subscriptions
  • Communicate with you about your account
  • Ensure security and prevent fraud
  • Comply with legal obligations

4. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your data only in the following circumstances:

Service Providers

We share data with third-party vendors who perform services on our behalf:

  • Google LLC: Authentication (OAuth 2.0) and calendar access. Subject to Google's Privacy Policy.
  • Stripe, Inc.: Payment processing. Stripe is PCI-DSS compliant and never shares your payment details with us.
  • SendGrid (Twilio): Transactional email delivery.
  • Hosting Providers: Infrastructure and database hosting services.

All service providers are contractually bound to protect your data and use it only for specified purposes.

Legal Obligations

We may disclose your information if required to do so by law or in response to:

  • Valid legal processes (subpoenas, court orders)
  • Governmental or regulatory requests
  • Enforcement of our Terms of Service
  • Protection of our rights, property, or safety, or that of our users or the public

Business Transfers

In the event of a merger, acquisition, bankruptcy, dissolution, reorganization, or similar transaction or proceeding, your information may be transferred as part of the business assets. You will be notified via email and/or prominent notice on our website of any such change.

With Your Consent

We may share your information with other third parties when you give us explicit consent to do so.

5. Data Security

We implement industry-standard security measures including:

  • HTTPS encryption for all data transmission
  • Encrypted storage of OAuth tokens
  • Secure session management
  • Regular security updates and monitoring

However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your information according to the following schedule:

  • Account Data: Retained while your account is active
  • Calendar Events: Retained for 90 days after the event date
  • Analysis Data: Cached for 30 days, then refreshed as needed
  • Payment Records: Retained for 7 years for tax and accounting purposes
  • Deleted Account Data: Permanently deleted within 30 days of account deletion, except where legal retention is required

You may request deletion of your account and data at any time through the Settings page.

7. Your Rights

You have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Revoke calendar access at any time
  • Opt out of email notifications
  • Export your data

8. Cookies

We use essential cookies for:

  • Authentication and session management
  • Security (OAuth state validation)

We do not use tracking or advertising cookies.

9. Children's Privacy

Dossier is not intended for users under 18 years of age. We do not knowingly collect information from children.

10. International Data Transfers

Your data may be transferred to and processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place through:

  • Standard contractual clauses approved by regulatory authorities
  • Adherence to applicable data protection frameworks
  • Security measures equivalent to those required in your jurisdiction

10A. GDPR Rights (European Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restriction: Limit how we use your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to our processing of your data
  • Right to Withdraw Consent: Withdraw consent at any time where we rely on consent
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

Legal Basis for Processing: We process your data based on: (a) your consent; (b) performance of our contract with you; (c) our legitimate interests in providing and improving our services; and (d) compliance with legal obligations.

10B. CCPA Rights (California Users)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights:

  • Right to Know: Request information about what personal data we collect, use, disclose, and sell
  • Right to Delete: Request deletion of your personal data
  • Right to Opt-Out: We do not sell your personal information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise these rights, contact us at privacy@dossier.so. We will verify your identity before processing your request and respond within 45 days.

Categories of Personal Information Collected: Identifiers (name, email), commercial information (subscription data), internet activity (usage data), calendar data, and inferences (personality assessments).

10C. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable law within 72 hours of becoming aware of the breach. Notifications will include:

  • Nature of the breach and data affected
  • Likely consequences of the breach
  • Measures taken to address the breach
  • Recommended actions you can take

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the service.

12. Contact Us

If you have questions about this Privacy Policy, please contact us: