Privacy Policy

This policy applies to personal information we process as a controller — including data about website visitors, prospective customers, and the administrative users who manage a Dodil account.

It does not govern the data you upload to, generate in, or process through the Services (“Customer Data”). For Customer Data, you are the controller and Dodil acts as your processor under our Data Processing Addendum (“DPA”). See Customer Data and our role below.

We collect the following categories of personal information:

• Account & profile data — name, work email, company, and role, provided when you request access or create an account.
• Billing data — billing contact and transaction records. Card details are handled by our payment processor (Stripe); we do not store full card numbers.
• Usage & device data — API usage, log data, feature interactions, IP address, browser and device information, collected to operate and secure the Services.
• Communications — messages you send us via support, sales, or community channels.
• Cookies & similar technologies — see Cookies & analytics.

When you use the Services to store, index, or process data, you remain the data controller for that Customer Data and Dodil acts as a data processor, processing it only on your documented instructions and as described in the DPA.

Dodil is sovereign by design: your data plane runs in the region you choose, and we do not access Customer Data except as necessary to provide, secure, or maintain the Services, as you instruct, or as required by law.

If you are an end user of a customer building on Dodil, please direct privacy requests to that customer, who controls how your data is used.

We use personal information for the purposes below. Where the GDPR applies, the legal basis is shown in brackets:

• To provide, operate, and support the Services (performance of a contract).
• To process payments and manage billing (performance of a contract).
• To secure the Services and prevent fraud or abuse (legitimate interests; legal obligation).
• To improve and develop our products, including analytics (legitimate interests; or consent where required).
• To send service, security, and (where permitted) marketing communications (legitimate interests; or consent).
• To comply with legal and regulatory obligations (legal obligation).

Under the PDPA, we rely on your consent or applicable exceptions (such as legitimate interests and business improvement) for the equivalent purposes.

We use essential cookies to run the site and keep you signed in, and preference cookies to remember your settings.

We do not use third-party advertising or analytics cookies. Product and service telemetry is collected first-party through our own self-hosted observability stack (Prometheus and Loki). You can manage non-essential cookies through your browser settings.

We share personal information only as described here:

• Service providers & subprocessors — for hosting, payments, usage metering, and communications, under contract. Our current subprocessors are listed on our subprocessors page.
• Within our corporate group — where needed to operate the Services.
• Legal & safety — to comply with law, enforce our terms, or protect rights and safety.
• Business transfers — in connection with a merger, acquisition, or asset sale.

We do not sell your personal information.

Personal information may be processed in the United Kingdom, the European Economic Area (“EEA”), and Singapore. Where we transfer personal data out of the UK or EEA, we rely on an adequacy decision where one exists, or otherwise on Standard Contractual Clauses (together with the UK International Data Transfer Addendum) and appropriate safeguards.

For transfers subject to the PDPA, we take steps to ensure a comparable standard of protection.

We keep personal information for as long as your account is active and as needed to provide the Services, then for the period required to meet legal, tax, accounting, and security obligations. Customer Data is retained and deleted in accordance with the DPA, typically 30 days after termination.

We apply encryption in transit and at rest, strict access controls, tenant isolation, and continuous monitoring. For details on our controls and compliance posture, see our Security overview.

Depending on where you are, you may have the right to:

• access, correct, or delete your personal information;
• restrict or object to certain processing;
• receive a portable copy of your data;
• withdraw consent at any time; and
• lodge a complaint with a supervisory authority.

To exercise these rights, contact us at legal@dodil.io. UK individuals may complain to the Information Commissioner’s Office (ICO); EU individuals may contact their local data protection authority. For Customer Data, please contact the relevant customer (controller).

The Services are intended for business use and are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us data, contact us and we will delete it.

We may update this Privacy Policy from time to time. We will post the revised version here and update the “Last updated” date above. For material changes, we will provide additional notice where required.

For privacy questions or to exercise your rights, contact our privacy team at legal@dodil.io, or write to Circle Technologies Pte. Ltd., 68 Circular Road, #02-01, Singapore 049422.