Privacy Policy
Last updated: 5 May 2026
1. Data Controller
Dotts ("we", "us") operates the website dotts.info and the application at app.dotts.info. For questions about this policy or to exercise your privacy rights, contact us at hello@dotts.info.
2. What Data We Collect
When you use Dotts, we may collect and process the following categories of data:
Account data
- Authentication identifiers (email address, password hash via Supabase Auth)
- Display name and locale preference
Financial data
- Credentials for connected financial institutions, encrypted at rest with per-user data encryption keys (AES-256-GCM, AAD-bound) wrapped by AWS KMS. Plaintext credentials never leave the scraper VM during a scrape session and are never logged.
- Account balances, transactions, holdings, deposits, loans, real estate, vehicles, pension/insurance/provident-fund products, and other financial information retrieved from institutions you connect
- Documents you upload (statements, tax forms, pension XML/XLS) — stored encrypted in object storage
Optional integrations
- Gmail (read-only) OAuth tokens, when you opt in to inbox monitoring for transactional email parsing — see §5
- AI advisor conversation history, when you use the chat feature
Telemetry
- Application usage events (which pages opened, which scrapers triggered) for operational diagnostics — no analytics or advertising trackers
Providing data to Dotts is not legally required. However, some of it (such as financial-institution credentials) is essential to operate the service; without it, the scrapers cannot run on your behalf.
3. Purpose of Collection
All data collected is used solely to provide the Dotts personal-finance dashboard and the integrations you enable. Specifically:
- Authenticate you and protect your account
- Run the financial-institution scrapers that retrieve your data, on your behalf
- Aggregate, classify, and visualise your finances in your personal dashboard
- Provide AI-assisted insights and tax/retirement planning when you opt in
- Diagnose and fix application errors
We do not sell, rent, share, or transfer your personal data to third parties for advertising or marketing purposes. We do not use your data to train any AI model.
4. Subprocessors and Third-Party Services
Dotts uses the following subprocessors. Each is bound by its own data processing terms; data flows are limited to what each integration requires.
- Supabase (database + authentication) — stores user accounts, encrypted credentials, and financial records. Hosted in the EU region.
- AWS KMS (key management) — wraps and unwraps the per-user data encryption keys. AWS never sees plaintext financial data; we never store the master key in plaintext.
- Anthropic (Claude) — processes transaction descriptions for category classification when AI classification is enabled. Anthropic's API does not retain prompts beyond 30 days for abuse monitoring; we send only descriptions and amounts, never PII like account numbers or names.
- OpenAI — powers the optional AI advisor chat feature when enabled. Same minimal-PII policy as above.
- Google APIs (Gmail) — when you opt in, we read Gmail messages in read-only mode to detect financial transactions in real time. See §5 for the Limited Use disclosure.
- Resend — transactional email delivery (sign-in links, security notifications).
5. Google API User Data — Limited Use Disclosure
Dotts's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
When you connect a Gmail account to Dotts, we request the read-only scope gmail.readonly. We use this access only to:
- Identify and parse transactional emails from financial institutions you have connected
- Extract transaction details (amount, date, merchant) to enrich your dashboard
We do not use Gmail data for advertising, do not transfer Gmail data to third parties except as needed to provide the service (and only the minimum necessary subset), do not allow humans to read Gmail data except for security or as required by law, and do not use Gmail data to train AI/ML models. You can disconnect Gmail at any time from your Dotts settings; we delete the OAuth refresh token immediately on disconnect.
6. Data Security
Dotts is engineered with a security-first design:
- All bank credentials and OAuth tokens are encrypted with AES-256-GCM using per-user data encryption keys, with AAD binding the ciphertext to the owning user_id (cross-user decryption is cryptographically impossible)
- Data encryption keys are wrapped by AWS KMS; the master key never leaves AWS
- All HTTPS traffic uses TLS 1.2+ with HSTS
- Database access is restricted to the application service role; Supabase row-level security enforces per-user isolation
- No financial credential is ever logged in plaintext
- Dotts can also be self-hosted entirely on your own infrastructure for maximum control
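The AAD binding in the first item above, shown as an added Go example (not Dotts's own code): AES-256-GCM under a per-user key, with the user ID as additional authenticated data. `Seal`, `Open`, the `nonce || ciphertext || tag` layout and the sample user IDs are assumptions of this example, and the KMS wrap and unwrap of the key is left out so it runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds an AES-GCM AEAD from a 32-byte (AES-256) per-user data key.
func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts secret under dek with userID as AAD; returns nonce || ciphertext || tag.
func Seal(dek []byte, userID string, secret []byte) ([]byte, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, secret, []byte(userID)), nil
}

// Open fails unless the key, the blob and the userID all match those given to Seal.
func Open(dek []byte, userID string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], []byte(userID))
	}
	return nil, fmt.Errorf("blob shorter than nonce")
}

func main() {
	dek := make([]byte, 32) // stand-in for a KMS-unwrapped per-user key (assumption)
	_, _ = rand.Read(dek)   // errors ignored in this demo main only
	blob, _ := Seal(dek, "user-a", []byte("constructed-secret"))
	_, err := Open(dek, "user-b", blob) // same key, blob presented under another owner
	fmt.Println("open under another user_id fails:", err != nil)
}
```

The AAD check stops a ciphertext copied into another user's record from decrypting even if the same key were used. Separation between users otherwise rests on each user having a distinct data key.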
7. Cookies and Tracking
This site uses only essential cookies — your authentication session and the cookie-consent preference. We do not use analytics, advertising, or third-party tracking cookies. If we ever introduce non-essential cookies, we will request your explicit consent before setting them.
8. Your Rights
Under the Israeli Protection of Privacy Law, 5741-1981, and applicable data-protection regulations (including GDPR principles where relevant), you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate or incomplete data
- Request deletion of your data ("right to be forgotten")
- Withdraw consent for processing at any time
- Export your data in a portable format (JSON via the in-app backup feature)
- Disconnect any third-party integration (Gmail, AI advisor) and have associated tokens deleted immediately
To exercise any of these rights, contact hello@dotts.info. We respond within 30 days.
9. Data Retention and Deletion
You control your data lifetime. The application's "Delete all my data" feature wipes every record we hold about you, including encrypted credentials, transactions, documents, AI conversation history, and OAuth tokens — typically within minutes. Self-hosted deployments are fully under your control.
10. Children's Privacy
Dotts is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
11. International Transfers
Dotts hosts primary infrastructure in the European Union (Supabase EU region) and Israel. Some subprocessors (AWS KMS, Anthropic, OpenAI) operate from the United States; data sent to those services is governed by their data-processing agreements and standard contractual clauses where required.
12. Changes to This Policy
We may update this policy as the service evolves. Material changes will be communicated on this page with an updated revision date and, where appropriate, by email to active users.
13. Governing Law
This policy is governed by the laws of the State of Israel, including the Protection of Privacy Law, 5741-1981, and its amendments. Any disputes shall be resolved in the competent courts of Tel Aviv-Jaffa.