Privacy Policy — Dobby AI

1. Introduction

DataOps Valley Ltd. ("Dobby AI", "we", "our", "us") is committed to protecting the privacy of our users and their organizations. This privacy policy explains how we collect, use, store, and protect personal and business data when you use the Dobby AI platform — the home for AI agents, connecting, monitoring, and controlling AI agents from any framework.

2. Data Controller

3. What Data We Collect

3.1 Account Data

• Name, email address, and profile information (via Google OAuth or GitHub OAuth)
• Organization name and workspace configuration
• Role and permission assignments within your organization

3.2 Platform Usage Data

• Agent configurations: agent definitions, policies, and approval rules you create
• Task data: tasks created, assigned, and executed by agents on your behalf
• Approval records: human-in-the-loop approval decisions and timestamps

3.3 Agentic Gateway Data

• LLM requests and responses: prompts, completions, and model metadata routed through our gateway to third-party LLM providers
• MCP tool calls: tool invocations and results processed via the gateway
• Metering data: token counts, cost tracking, and rate-limit metrics per gateway key

3.4 Audit and Security Data

• Audit trail: immutable log of all agent actions, policy decisions, and administrative changes
• Security events: authentication events, anomaly alerts, and access logs
• Gateway logs: request/response metadata for compliance and debugging

3.5 Technical Data

• IP address, browser type, and operating system
• Session data and authentication tokens
• Error logs and performance metrics

4. Lawful Basis for Processing

We process your data based on the following legal grounds:

• Contract performance: to provide the Service as agreed in our Terms of Service
• Legitimate interest: to maintain security, prevent fraud, improve the Service, and provide support
• Legal obligation: to comply with applicable laws, regulations, and legal processes
• Consent: for optional analytics and marketing communications (where applicable)

5. How We Use Your Data

• To provide, operate, and maintain the Dobby AI platform
• To route LLM and MCP requests through the Agentic Gateway to your selected providers
• To enforce governance policies, cost controls, and approval gates
• To maintain the immutable audit trail for compliance and accountability
• To detect anomalies, enforce rate limits, and protect platform security
• To provide technical support and respond to your inquiries
• To send service notifications and critical updates
• To improve and optimize the platform based on aggregated, anonymized usage data

We do not use your Customer Data (prompts, agent configurations, task content) to train AI models.

6. Third-Party Services and Sub-Processors

We share data with the following categories of third-party service providers, solely to operate the platform:

• LLM providers (e.g., Anthropic, OpenAI, Google, Mistral, AWS Bedrock, and others): your prompts and completions are routed to the provider(s) you select. Each provider processes data under their own terms.
• Cloud infrastructure (Google Cloud Platform): for secure compute, storage, and database services in your selected region
• Authentication (Google OAuth, GitHub OAuth): for identity verification during sign-in
• Payment processing (Stripe): for secure subscription billing — we do not store payment card details
• Caching and queuing (Upstash Redis): for session management and job processing
• Analytics (Google Tag Manager): for anonymized website usage analytics

We do not sell your personal data to any third party.

7. Data Residency and Transfers

During onboarding, you select a data residency region: Israel (IL), European Union (EU), or United States (US). Your tenant data (tasks, agent configurations, audit logs, and gateway records) is stored in the selected region. This selection is permanent for the lifetime of the tenant.

Where data is transferred outside your selected region (e.g., to LLM providers in other jurisdictions), we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) where required under GDPR or equivalent data protection legislation.

8. Data Security

We implement comprehensive security measures including:

• AES-256 encryption for sensitive data at rest (credentials, API keys, LLM provider tokens)
• TLS encryption for all data in transit
• SHA-256 hashing for API keys and gateway keys
• Role-based access control (RBAC) at three levels (Platform, Organization, Tenant)
• DLP (Data Loss Prevention) with configurable PII detection patterns on gateway requests
• Emergency kill-switch to halt all gateway traffic when needed
• Regular security audits and vulnerability assessments
• Parameterized database queries to prevent SQL injection

9. Data Retention

• Audit trail and security events: retained for 365 days
• Gateway request logs: retained for 90 days
• Anomaly alerts: retained for 90 days
• Account and task data: retained while your account is active
• After account deletion: personal data is deleted within 30 days, except where retention is required by law or for legitimate business purposes (e.g., billing records)

Enterprise customers may negotiate custom retention periods as part of their Data Processing Agreement (DPA).

10. Your Rights (GDPR and Applicable Law)

Under applicable data protection laws, you have the right to:

• Access: request a copy of the personal data we hold about you
• Rectification: request correction of inaccurate or incomplete data
• Erasure: request deletion of your personal data (right to be forgotten)
• Data portability: receive your data in a structured, machine-readable format
• Restriction: request that we limit processing of your data
• Objection: object to processing based on legitimate interest
• Withdraw consent: where processing is based on consent, you may withdraw it at any time

11. How to Exercise Your Rights (DSAR)

To submit a Data Subject Access Request (DSAR) or exercise any of your data protection rights, contact us using one of the following methods:

If you believe your data protection rights have not been adequately addressed, you have the right to lodge a complaint with a supervisory authority. In Israel, this is the Privacy Protection Authority (PPA). In the EU, contact your local Data Protection Authority.

12. Cookies

We use cookies and similar technologies for essential platform functionality, session management, and analytics. For full details, see our Cookie Policy.

13. Children

The Dobby AI platform is designed for business use and is not intended for individuals under the age of 18. We do not knowingly collect personal data from children.

14. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email or a notice within the platform at least 30 days before they take effect. The "Last updated" date below reflects the most recent revision.

15. Contact Us