
Privacy notice

Last updated:

Draft, under counsel review. This document describes our intended terms in plain language. The final binding version, reviewed by our solicitors, will be published before paid signups open. For the current draft of any specific clause, email paulo@myneatflow.com.

Short version: we collect the minimum we need to run DoraPilot. We host it in the EU. We don't sell your data, we don't train AI models on it, and you can ask us to delete it at any time. The rest of this page is the longer version of that paragraph.

Who we are

DoraPilot is operated by DoraPilot Ltd., a private limited company registered in Ireland. Our contact for data-protection matters is paulo@myneatflow.com. We are the controller of the personal data described in the "Marketing site" and "Account" sections below. For data you upload into the product (assessments, vendor records), you remain the controller and we act as your processor under our Data Processing Agreement.

What we collect, why, and how long we keep it

Marketing site (this domain)

  • Server logs — IP address, request path, response status, user agent. Held by our hosting provider for 30 days. Used to detect abuse and debug outages.
  • Privacy-friendly analytics — aggregated page views and conversion events with no cookies and no personal identifiers. Held for 24 months.
  • Waitlist submissions — your email address and the persona you selected (vendor or financial entity). Held until you ask us to delete it or until 12 months after we close the waitlist.

Account (the product, when it opens)

  • Account profile — name, work email, organisation, role. Used to provide the service. Kept for the lifetime of the account plus 30 days after cancellation so you can export data.
  • Billing information — invoicing details handled by our payment processor. We see the invoice metadata, not the card number. Kept for 7 years to meet Irish accounting law.
  • Product activity logs — actions you take in the workspace, the audit trail, exports. Kept while the account is active.

Customer data you upload

Assessment responses, vendor records, policy drafts, uploaded files. We process this on your instructions, under the Data Processing Agreement. We do not look at it except where strictly necessary to debug a support ticket you raised, and we never use it to train AI models.

The legal grounds we rely on

  • Contract (GDPR Art. 6(1)(b)) — for account, product activity and billing data, processing is necessary to deliver the service you signed up for.
  • Legitimate interest (Art. 6(1)(f)) — for server logs and security telemetry, where we have a legitimate interest in keeping the service available and safe and our interest is not overridden by your rights.
  • Consent (Art. 6(1)(a)) — only for the waitlist and optional marketing emails. You can withdraw at any time via the unsubscribe link.
  • Legal obligation (Art. 6(1)(c)) — for retaining invoice records to meet Irish tax and accounting law.

Who we share it with

We share data with the sub-processors listed on our Sub-processors page, each bound by a written DPA. We do not sell data, do not share it with advertisers, and do not allow our sub-processors to process it for their own purposes.

We will share data with a competent authority (e.g. the Data Protection Commission, Central Bank of Ireland) if legally required. We will tell you about the request unless we are legally prohibited.

Where the data lives

The data described above is stored in the European Union — primarily Frankfurt, with replicas in Dublin. Where a sub-processor is headquartered outside the EEA we contract with their EU entity and process data in EU regions only. The full picture is on the Sub-processors page.

Your rights

Under GDPR you have the right to:

  • Get a copy of your personal data we hold (Art. 15).
  • Ask us to correct anything that's wrong (Art. 16).
  • Ask us to delete your data when there's no legal reason for us to keep it (Art. 17).
  • Ask us to restrict or object to certain processing (Arts. 18 and 21).
  • Receive your data in a portable format (Art. 20) — this includes exporting your assessment workspace.
  • Withdraw any consent you've given, without affecting past lawful processing.
  • Lodge a complaint with the Irish Data Protection Commission (dataprotection.ie) or your local supervisory authority.

To exercise any of these, email paulo@myneatflow.com. We respond within one month, the deadline GDPR sets (Art. 12(3)), and usually faster.

Security

We apply the controls our financial-entity customers expect of their ICT third-party providers: encryption in transit (TLS 1.2 or later) and at rest (AES-256), MFA for staff accounts, least-privilege access, audit logging, regular vulnerability scans, third-party penetration tests, and an incident response process designed to support our customers' ICT-related incident management and reporting obligations under DORA (Articles 17 to 19).

Children

DoraPilot is a B2B compliance tool. It is not directed at children and we do not knowingly collect data from anyone under 16.

Changes to this notice

We'll update this page when our processing changes. If the change is material, we'll notify account holders by email at least 30 days before the change takes effect.

Contact

Data Protection Officer (interim role, held by the founder until a permanent DPO is appointed): paulo@myneatflow.com.