Privacy Policy - Dossier

DOSSIER
Privacy Policy
Effective Date: May 15, 2026 Last Updated: May 15, 2026
Entity: Dossier Technologies Inc., a corporation incorporated in British Columbia, Canada
Contact: support@askdossier.ai | Vancouver, BC, Canada

This Privacy Policy describes how Dossier Technologies Inc. ("Dossier," "we," "us," or "our") collects, uses, discloses, and protects personal information when you use the Dossier platform, website, and related services (collectively, the "Services").

Dossier is a business-to-business software-as-a-service platform. Our customers are organizations ("Customers"), and their authorized users ("Users") interact with our Services on behalf of those organizations. This policy applies to both Customers and Users.

We are committed to compliance with applicable privacy laws, including:
British Columbia Personal Information Protection Act (BC PIPA)
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) for cross-border transfers
EU/UK General Data Protection Regulation (GDPR / UK GDPR) for individuals in the European Economic Area and United Kingdom
Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
California Consumer Privacy Act (CCPA / CPRA) for California residents

Please read this policy carefully. By using our Services, you acknowledge that you have read and understood this policy.

1. Scope and Application
This policy covers personal information we collect and process in connection with the Services. It does not cover:
Information collected by third-party websites or services linked to or from our platform
Information that Customers independently collect about their own end-users or constituents outside the Dossier platform

Dossier processes two primary categories of data:
Account and billing data about Customers and Users (described in Section 3)
Content Data submitted by Customers through the Services, including email content via BCC ingestion and uploaded documents (described in Section 4)

For Content Data, Dossier acts as a data processor on behalf of the Customer, who is the data controller. Customers may request a Data Processing Agreement (DPA) from Dossier governing our role as a processor and our handling of Content Data. Customers subject to GDPR, UK GDPR, or other data protection regulations that require a formal DPA should contact us at support@askdossier.ai.

Customers are responsible for ensuring they have appropriate authority and consent to submit Content Data to our Services, including content that may contain personal information about third parties such as residents, tenants, contractors, or other individuals mentioned in organizational communications.

2. Key Definitions
Personal Information / Personal Data: Any information about an identifiable individual, as defined under applicable privacy laws.

Processing: Any operation performed on personal information, including collection, storage, retrieval, analysis, or deletion.

Customer: An organization or individual that has entered into a subscription agreement with Dossier and uses the Services.

User: An individual authorized by a Customer to access and use the Services on the Customer's behalf.

Content Data: Emails, documents, and other materials submitted by Customers to the Services for processing, storage, and retrieval.

Derived Data: Machine-readable representations generated from Content Data, including vector embeddings, search indexes, metadata, and structural representations used to operate the Services. Derived Data does not contain original documents or communications themselves.

Sub-processor: A third-party service provider that processes personal information on our behalf.

3. Account and Billing Data We Collect
When Customers and Users create accounts or interact with our Services, we collect:

3.1 Information You Provide Directly
Name and email address (required to create an account)
Organization name and role
Password (stored in hashed form - we never store plaintext passwords)
Billing contact information (name, email, billing address)
Communications you send us, including support requests

3.2 Information Collected Automatically
IP address and approximate geographic location
Browser type and version, operating system
Pages visited, features used, and actions taken within the Services
Session duration and timestamps
Technical logs and security monitoring data, which may be retained for up to 12 months for security and operational purposes
Referral source

3.3 Payment Information
Billing and payment card information is processed directly by Stripe, Inc., our payment processor. Dossier does not receive, store, or process payment card numbers. Stripe's privacy policy governs the handling of your payment information and is available at stripe.com/privacy.

4. Content Data - How It Is Processed
The core function of Dossier is to ingest, analyze, and make searchable the organizational content that Customers submit. This Content Data may include:
Email content submitted via the BCC ingestion feature
PDF and DOCX document uploads (meeting minutes, bylaws, contracts, reports, correspondence)
Metadata associated with emails and documents (sender, recipient, date, subject line, filename)

This Content Data frequently contains personal information about third parties - individuals who are not direct users of Dossier - including residents, property owners, tenants, contractors, vendors, and others mentioned in organizational communications.

4.1 How We Use Content Data
Content Data is used exclusively to provide the Services to the Customer that submitted it. Specifically:
To parse, chunk, and index content for retrieval
To generate Derived Data (including vector embeddings, search indexes, and metadata) to enable search, retrieval, and analysis
To synthesize answers to natural language queries submitted by authorized Users
To extract structured information such as decisions, commitments, dates, and action items
To enable citation of source documents in generated responses

We do not use Content Data to train AI models. We do not use Content Data for any purpose other than providing the Services to the submitting Customer.

4.2 Derived Data
In order to provide the Services, Dossier generates Derived Data from submitted Content Data, including vector embeddings, search indexes, metadata, and other machine-readable representations that enable search, retrieval, and analysis.

These Derived Data structures do not contain the original documents or communications themselves and are used solely to operate and improve the functionality of the Services for the relevant Customer. Derived Data generated from a Customer's Content Data is never shared with, or used to benefit, any other Customer.

When a Customer's account is terminated and Content Data is deleted, associated Derived Data is also deleted within the same retention window.

4.3 AI Processing of Content Data
To provide our Services, certain AI processing functions are performed using contracted AI service providers acting as sub-processors under strict data processing agreements. These providers process Content Data only to the extent necessary to deliver the requested functionality. Sub-processors are described in Section 7.

Dossier does not use Customer Content Data to train third-party AI models, and our AI provider agreements prohibit this use.

4.4 AI-Generated Output - Important Limitations
The Services generate responses, summaries, and analyses using automated systems and machine learning models. These outputs are generated based on patterns in submitted Content Data and may contain inaccuracies, omissions, or outdated information.

AI-generated outputs are provided for informational and assistive purposes only. They do not constitute legal advice, professional advice, or authoritative determinations of fact. Users are responsible for reviewing source materials and exercising independent judgment before relying on any AI-generated output. Dossier is not liable for any decisions made, actions taken, or losses incurred in reliance on AI-generated outputs.

4.5 Support Access
Authorized Dossier personnel may access limited Content Data when necessary to provide customer support, troubleshoot technical issues, investigate security incidents, or maintain system integrity. Such access is limited to what is necessary for the specific purpose and is subject to confidentiality obligations.

4.6 Customer Responsibility for Content Data
Customers are responsible for ensuring they have appropriate legal authority to submit Content Data to Dossier, including:
The right to process personal information of third parties mentioned in submitted content
Compliance with their own applicable privacy obligations when submitting content that contains personal information of residents, tenants, contractors, or other individuals
Notifying individuals whose personal information may be included in Content Data, where required by applicable law

Customers represent and warrant that they have the legal right to submit Content Data to the Services and to authorize Dossier to process that data in accordance with this Privacy Policy and the applicable Terms of Service.

Dossier does not independently verify the legality of Content Data submitted to the Services and relies on Customers to ensure that their submission and use of the Services complies with applicable privacy, data protection, and confidentiality laws.

5. Purposes for Processing Personal Information
We process personal information for the following purposes:

5.1 Providing the Services
We process account data and Content Data to deliver, operate, and improve the Dossier platform and to fulfill our contractual obligations to Customers.

5.2 Account Management and Authentication
We process account information to create and maintain user accounts, authenticate access, and enforce security.

5.3 Billing and Payments
We process billing contact information to manage subscriptions, issue invoices, and coordinate with our payment processor.

5.4 Communications
We use contact information to send transactional communications (account confirmations, security alerts, service updates), and, where you have consented, to send product updates and announcements. You may opt out of non-transactional communications at any time.

5.5 Safety, Security, and Abuse Prevention
We process certain technical data to detect, investigate, and prevent fraud, abuse, unauthorized access, and other harmful activity.

5.6 Legal Compliance
We may process personal information to comply with applicable laws, respond to lawful requests from government authorities, and enforce our agreements.

5.7 Improving Our Services
We use aggregated, de-identified analytics data to understand how our Services are used and to improve their functionality. We do not use Content Data for this purpose.

6. Legal Bases for Processing
The legal basis for our processing depends on the type of data and your location.

6.1 Contract Performance
Processing of account data and Content Data is necessary to perform our contract with Customers and to provide the Services.

6.2 Legitimate Interests
We process certain technical and analytics data on the basis of our legitimate interests in operating and improving our Services, preventing fraud and abuse, and maintaining the security of our systems.

6.3 Consent
Where we send non-transactional marketing communications, we rely on your consent, which you may withdraw at any time.

6.4 Legal Obligation
We may process personal information where required to comply with applicable law.

6.5 BC PIPA / PIPEDA
For individuals in Canada, processing is conducted in accordance with applicable Canadian privacy law principles, including meaningful consent, limited collection, appropriate use, and reasonable security safeguards.

6.6 Australian Privacy Act
For individuals in Australia, we process personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

7. Sub-processors and Third-Party Sharing
To provide our Services, we engage the following categories of sub-processors that may process personal information or Content Data on our behalf. We have entered or will enter into appropriate data processing agreements with each sub-processor.

7.1 AI and Machine Learning Services
OpenAI, L.L.C. (United States) - Used for natural language generation, text embeddings, and document analysis. OpenAI retains API data only for a limited period necessary to provide and secure its services (currently up to 30 days), after which it is deleted in accordance with OpenAI's policies. OpenAI does not use API customer data to train its models. OpenAI's privacy policy: openai.com/privacy
Cohere Inc. (Canada) - Used for re-ranking retrieved content to improve search relevance. Cohere's privacy policy: cohere.com/privacy

7.2 Vector Database
Pinecone Systems, Inc. (United States) - Used for storing and querying vector embeddings and associated metadata used for retrieval. Embeddings are numerical representations derived from Content Data rather than the original documents themselves. Pinecone's privacy policy: pinecone.io/privacy

7.3 Infrastructure and Hosting
Fly.io (United States) - Cloud hosting and compute infrastructure
Amazon Web Services, Inc. (United States) - Document storage (S3)

7.4 Payment Processing
Stripe, Inc. (United States) - Payment processing. Stripe is an independent data controller for payment information. Stripe's privacy policy: stripe.com/privacy

7.5 Other Disclosures
We do not sell personal information. We do not share personal information with third parties for their own marketing purposes. We may disclose personal information:
To comply with a legal obligation, court order, or lawful request from a government authority
To enforce our Terms of Service or protect the rights, property, or safety of Dossier, our Customers, or others
In connection with a business transaction such as a merger, acquisition, or sale of assets, subject to confidentiality obligations and notice to affected users

8. Cross-Border Data Transfers and Data Residency
Dossier Technologies Inc. is incorporated in British Columbia, Canada. Data may be processed in the United States and Canada depending on the infrastructure used to provide the Services. Our sub-processors are located primarily in the United States.

Content Data and account data processed through our Services may be transferred to and processed in the United States and other countries that may not provide the same level of data protection as your home jurisdiction.

For transfers of personal information outside Canada, we rely on contractual arrangements with our sub-processors that require them to maintain protections consistent with Canadian privacy law standards.

For transfers subject to GDPR or UK GDPR, we rely on Standard Contractual Clauses (SCCs) or other appropriate transfer mechanisms as required by applicable law.

For Australian users, we note that our sub-processors are located outside Australia. We take reasonable steps to ensure that overseas recipients handle personal information in a manner consistent with the Australian Privacy Principles.

9. Data Retention
We retain personal information for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.

Account data is retained for the duration of the Customer's subscription and for a reasonable period thereafter to comply with legal obligations, resolve disputes, and enforce our agreements
Content Data is retained for the duration of the Customer's active subscription. Upon termination of a Customer's account, Content Data and associated Derived Data are deleted within 90 days unless the Customer requests earlier deletion or applicable law requires longer retention
Backup copies may persist for up to 30 additional days after deletion
Technical logs and security monitoring data may be retained for up to 12 months for security and operational purposes
Anonymized or aggregated data derived from usage may be retained indefinitely

Customers may request deletion of their Content Data at any time by contacting support@askdossier.ai. We will process deletion requests within 30 days.

10. Security
We implement appropriate technical and organizational measures to protect personal information against unauthorized access, disclosure, alteration, or destruction, including:
Encryption of data in transit using TLS/HTTPS
Encryption of data at rest
Access controls limiting data access to authorized personnel
Multi-tenant data isolation ensuring one Customer cannot access another Customer's data
Regular security assessments

Dossier maintains security practices aligned with recognized industry standards and is working toward formal security certifications.

No method of electronic transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security. In the event of a data breach that poses a real risk of significant harm, we will notify affected individuals and relevant authorities as required by applicable law.

11. Your Privacy Rights
Depending on your location, you may have the following rights with respect to your personal information:

11.1 Rights for All Users
Access: Request a copy of the personal information we hold about you
Correction: Request correction of inaccurate or incomplete personal information
Deletion: Request deletion of your personal information, subject to legal retention requirements
Withdrawal of consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing

11.2 Additional Rights for EEA and UK Residents (GDPR / UK GDPR)
Data portability: Receive your personal information in a structured, machine-readable format
Restriction of processing: Request that we restrict processing in certain circumstances
Object to processing: Object to processing based on legitimate interests
Automated decision-making: Not be subject to decisions based solely on automated processing that produce significant legal effects. Dossier's AI responses are informational outputs for human review and do not constitute automated binding decisions
Lodge a complaint: Lodge a complaint with your local supervisory authority (e.g., the Information Commissioner's Office in the UK, or your relevant EU data protection authority)

11.3 Additional Rights for California Residents (CCPA / CPRA)
Know: Know what personal information we collect, use, disclose, and sell
Delete: Request deletion of your personal information
Opt-out of sale: We do not sell personal information
Non-discrimination: We will not discriminate against you for exercising your privacy rights
Correction: Request correction of inaccurate personal information

11.4 Rights for Australian Residents
Access and correction rights under the Australian Privacy Principles
The right to make a complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au

11.5 Rights for Canadian Residents
Access and correction rights under BC PIPA and PIPEDA
The right to make a complaint to the Office of the Information and Privacy Commissioner for BC (oipc.bc.ca) or the Office of the Privacy Commissioner of Canada (priv.gc.ca)

To exercise any of these rights, contact us at support@askdossier.ai. We will respond within the timeframe required by applicable law (generally 30 days, with the possibility of extension in complex cases). We may require verification of your identity before processing your request.

Note: For requests concerning Content Data, we may need to coordinate with the relevant Customer, as the Customer is the data controller for that content.

12. Children's Privacy
Dossier is a business-to-business service intended for use by organizations and their adult representatives. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have inadvertently collected personal information from a minor, we will take steps to delete that information promptly. If you believe we have collected such information, please contact us at support@askdossier.ai.

13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Customers of material changes by email or by posting a prominent notice on our website at least 30 days before the changes take effect. For non-material changes, we will update the "Last Updated" date at the top of this policy. Your continued use of the Services after a policy change constitutes acceptance of the revised policy.

14. Contact Us
For privacy inquiries, requests to exercise your rights, data processing agreement requests, or complaints, please contact:

Privacy Officer
Dossier Technologies Inc.
Vancouver, BC, Canada
support@askdossier.ai

We are committed to resolving privacy complaints promptly and in good faith. If you are not satisfied with our response, you have the right to escalate your complaint to the applicable regulatory authority for your jurisdiction as listed in Section 11.

Appendix A - Sub-processor Summary
The following table summarizes our key sub-processors as of the effective date of this policy. We will notify Customers of material changes to our sub-processor list.

This document does not constitute legal advice. Dossier Technologies Inc. recommends that Customers with complex privacy obligations consult qualified legal counsel.