LEGAL

Privacy Policy

Last Updated: November 13, 2025

At DossiAIr, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

Quick Summary

  • We only collect data necessary to provide our service
  • Your regulatory submission data is encrypted and isolated
  • We never sell your data to third parties
  • You own your data and can export or delete it anytime
  • We're HIPAA compliant and SOC 2 Type II certified

1. Information We Collect

1.1 Account Information

When you create a DossiAIr account, we collect:

  • Name and email address
  • Company name and role
  • Password (encrypted and never stored in plain text)
  • Billing information (processed securely through Stripe)

1.2 Regulatory Submission Data

When you use DossiAIr for regulatory submissions, we process and store:

  • Documents you upload (PDFs, Word files, source data)
  • Extracted content (tables, figures, text)
  • Generated submissions and eCTD packages
  • Version history and change tracking data
  • Comments, annotations, and collaboration data

Important: All regulatory submission data is encrypted at rest and in transit using AES-256 encryption. Each customer's data is logically isolated in our database.

1.3 Usage Data

We automatically collect certain information about how you use DossiAIr:

  • IP address and browser type
  • Pages visited and features used
  • Time spent on different sections
  • Error logs and performance metrics

This data helps us improve the platform and provide better support.

1.4 Cookies

We use cookies for authentication, preferences, and analytics. You can disable non-essential cookies in your browser settings. See our Cookie Policy below for details.

2. How We Use Your Information

We use your information to:

  • Provide the Service: Process documents, generate submissions, and enable collaboration
  • Improve the Platform: Analyze usage patterns to enhance features and performance
  • Provide Support: Respond to your questions and troubleshoot issues
  • Send Updates: Notify you about new features, security updates, and important changes
  • Ensure Security: Detect and prevent fraud, abuse, and unauthorized access
  • Comply with Laws: Meet legal obligations including audit trails and record retention

We do NOT: Sell your data, use it for advertising, or share it with third parties except as described in this policy.

3. How We Share Your Information

We share your information only in these limited circumstances:

3.1 Service Providers

We work with trusted service providers who help us operate DossiAIr:

  • Cloud Infrastructure: AWS (for hosting and storage)
  • Payment Processing: Stripe (for billing)
  • AI Models: Anthropic (Claude API for content intelligence)
  • Analytics: PostHog (privacy-focused analytics)
  • Email: SendGrid (for transactional emails)

All service providers sign Data Processing Agreements (DPAs) and are contractually obligated to protect your data.

3.2 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to protect the rights, property, or safety of DossiAIr, our users, or others.

3.3 Business Transfers

If DossiAIr is acquired or merged with another company, your information may be transferred. We will notify you before this happens and provide options if the new entity has materially different privacy practices.

3.4 With Your Consent

We may share your information for other purposes with your explicit consent.

4. Data Security

We implement industry-leading security measures to protect your data:

  • Encryption: AES-256 at rest, TLS 1.3 in transit
  • Access Controls: Role-based access with multi-factor authentication
  • Data Isolation: Each customer's data is logically separated
  • Backups: Daily encrypted backups with 30-day retention
  • Monitoring: 24/7 security monitoring and intrusion detection
  • Audits: Regular third-party security audits and penetration testing

We maintain SOC 2 Type II certification and follow HIPAA guidelines for protected health information. See our Security page for full details.

5. Data Retention

We retain your information for as long as necessary to provide our service and comply with legal obligations:

  • Account Data: Until you delete your account
  • Regulatory Submission Data: As long as you maintain your account, or as required by regulatory guidelines (typically 5-7 years after submission)
  • Usage Logs: 90 days for operational logs, 1 year for analytics
  • Backups: 30 days

When you delete your account, we permanently delete your data within 30 days, except where we must retain it for legal or regulatory reasons.

6. Your Privacy Rights

You have the following rights regarding your data:

6.1 Access

You can access your account information and submission data anytime through the DossiAIr dashboard. For a complete data export, contact privacy@dossiair.com.

6.2 Correction

You can update your account information directly in the platform. For other corrections, contact our support team.

6.3 Deletion

You can delete your account from Settings → Account → Delete Account. This will permanently remove your data within 30 days.

6.4 Export

You can export your submission data in standard formats (PDF, eCTD, XML) anytime. For a complete data archive, contact us.

6.5 Object to Processing

You can object to certain types of data processing, such as marketing emails (opt out anytime) or analytics cookies (disable in browser).

6.6 GDPR Rights (EU Users)

If you're in the EU, you have additional rights under GDPR including data portability and the right to lodge a complaint with your supervisory authority.

6.7 CCPA Rights (California Users)

California residents have rights under CCPA to know what data we collect, request deletion, and opt out of sale (note: we don't sell data). Contact privacy@dossiair.com to exercise these rights.

7. International Data Transfers

DossiAIr is based in the United States. If you access our service from outside the US, your data may be transferred to, stored, and processed in the US and other countries where our service providers operate. We use Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EU.

9. Children's Privacy

DossiAIr is not intended for use by anyone under 18 years old. We do not knowingly collect information from children. If we learn we have collected data from a child, we will delete it immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email and by posting the new policy on this page with an updated "Last Updated" date. Your continued use of DossiAIr after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or how we handle your data:

Email: privacy@dossiair.com

Mail: DossiAIr, Inc., Attn: Privacy Officer, 123 Innovation Drive, Suite 400, San Francisco, CA 94105

Phone: +1 (415) 555-0200

Related Legal Documents

📄

Terms of Service

Our service agreement and user responsibilities

🔒

Security

How we protect your data and maintain compliance

📧

Contact Us

Get in touch with questions or concerns