Introduction
This Privacy Policy explains how Doow (“Doow,” “we,” “us,” or “our”) collects, uses, stores, shares, and protects information about you when you use our website at doow.co and our spend management platform (collectively, the “Service”).
Please read this policy carefully. By using the Service, you acknowledge that you have read and understood how we handle your data. If you have questions, contact us at support@doow.co.
Who We Are
Doow is a B2B SaaS spend management platform that helps organisations track, analyse, and optimise their software subscriptions and employee SaaS usage. We are the data controller for personal data collected through doow.co and the Doow platform.
Data We Collect
Data you provide directly
When you create an account, complete onboarding, or contact us, we collect:
- Identity data: first name, last name, email address, phone number, country, job title, and role
- Account credentials: password (stored as a one-way bcrypt hash — never in plaintext)
- Organisation details: business name, domain, website, and country of incorporation
- Financial verification (KYC/KYB): date of birth, nationality, residential address, government-issued ID type and number, business registration numbers, director and shareholder information, and supporting documents — collected only where required for financial compliance
- Communications: messages you send us via our contact form or support channels
Data collected automatically
When you use the Service we automatically collect:
- Device and browser information: IP address, browser type, operating system, and device type
- Usage data: pages visited, features used, session duration, and navigation patterns
- Authentication activity: login timestamps, login method, IP address, user agent, and country — retained for security auditing
- Performance and error data: application errors, response times, and request traces — collected via Azure Application Insights and Sentry
Data from connected integrations
When your organisation administrator connects a third-party integration, we access and store data from that service. The specific data collected per integration is described in the “Connected Integrations” section below.
How We Use Your Data
We use your data only for the purposes described below. Where GDPR applies, we have identified the legal basis for each use.
- To provide and operate the Service — processing your data is necessary to fulfil our contract with you. This includes account management, authentication, licence tracking, spend analysis, and generating utilisation reports.
- To verify your identity and comply with financial regulations — KYC and KYB data is processed on the basis of legal obligation where applicable, and legitimate interests where fraud prevention is required.
- To send service communications — transactional emails (password resets, invitations, integration sync alerts) sent on the basis of contract performance.
- To improve the Service — aggregated, anonymised usage data analysed on the basis of our legitimate interest in understanding how the product is used.
- To detect and prevent security threats — authentication logs and error tracking retained on the basis of legitimate interest in keeping the Service secure.
- To power AI-assisted features — if you use Doow's AI chat or insights features, your messages and relevant organisational context are processed by LLM providers. See “AI Features” below.
- To comply with legal obligations — where we are required to retain or disclose data by law, regulation, or court order.
How We Share Your Data
We do not sell your personal data. We share data only with the service providers listed below, and only to the extent necessary for them to perform their function. All providers are contractually required to handle data securely and only for the specified purpose.
Infrastructure and operations
- Microsoft Azure — cloud hosting, file storage (documents, receipts, avatars), and application performance monitoring. All data stored on Azure is encrypted at rest and in transit.
- Sentry — error tracking. Receives error context including request IDs, member IDs, and organisation IDs when an application error occurs. No message content or financial data is sent.
Communications
- ZeptoMail (Zoho) — transactional email delivery. Receives your email address, name, and the content of service emails such as invitation links and password reset codes.
- Termii — SMS delivery for phone verification and two-factor authentication codes. Receives your phone number and the one-time code.
- Crisp — in-product chat support. If you contact us via the chat widget, Crisp receives your name, email, and the content of your support conversation.
Payments and financial services
- Stripe — card funding and payment processing. Receives payment amounts and session tokens for completing top-up transactions. Stripe is PCI-DSS certified; we do not store full card numbers.
- Fincra — virtual account issuance and card transaction processing. Receives organisation details and transaction metadata required for card operations.
- Plaid — bank account linking and transaction sync where enabled. Receives your banking credentials during the link flow and returns account details and transactions. Plaid manages its own data handling under its privacy policy.
Analytics
- PostHog — product analytics. Collects anonymised event data about how features are used. You can opt out by enabling Do Not Track in your browser or by contacting support@doow.co.
- Azure Application Insights — server-side performance telemetry. Receives request metadata (path, latency, status code), error traces, and identifiers for diagnosing issues.
Legal disclosure
We may disclose your data where required by law, regulation, legal process, or governmental request, or where necessary to protect the rights, property, or safety of Doow, our users, or the public.
Connected Integrations
Doow's core value is derived from connecting your organisation's existing tools. All integrations are authorised by a designated organisation administrator. Individual end users cannot initiate or disconnect integrations. Data accessed via any integration is scoped strictly to the authorising organisation's account.
Google Workspace
- What we access: employee directory (name, email, admin status), OAuth token activity reports (which third-party apps employees have authorised), and workspace usage metrics (last SSO activity timestamps).
- Why: to build an employee roster, detect shadow IT, and score licence utilisation.
- Token security: OAuth access and refresh tokens are AES-256 encrypted before being stored in our database. Tokens are decrypted only at the point of use for scheduled syncs and are never logged.
- Cross-tenant access: architecturally impossible — all queries are scoped to the authorising administrator's domain only.
- Retention: data is retained while the integration is active.
- Deletion: when the integration is disconnected, all associated OAuth tokens are immediately revoked and permanently deleted. All synced Google Workspace data (user records, activity data, usage metrics) is purged from our systems within 30 days.
Identity providers (Microsoft Entra ID / Azure AD, Okta)
- What we access: user directory (name, email, group memberships) and authentication activity logs.
- Why: to maintain an accurate employee roster and identify active versus inactive users for licence utilisation scoring.
- Retention and deletion: tokens are revoked immediately on disconnection; synced data is purged within 30 days.
HRIS integrations (Gusto, Deel, BambooHR, Zoho People)
- What we access: employee records including name, email, job title, employment status, department, hire date, and compensation data where provided.
- Why: to map SaaS licence usage to employees and departments for department-level spend and utilisation analysis.
- Retention and deletion: synced employee records are retained while the integration is active and purged within 30 days of disconnection.
Banking integrations (Plaid)
- What we access: bank account metadata (institution name, masked account number, account type, balance) and transaction history (amount, merchant, date, category).
- Why: to identify SaaS-related expenses and reconcile them against licence records for accurate spend tracking.
- Retention and deletion: bank access tokens are revoked and transaction data is purged within 30 days of disconnection.
Accounting integrations (Xero and others)
- What we access: expense records, GL account references, and transaction data relevant to software spend.
- Why: to reconcile accounting records with detected SaaS spend.
- Retention and deletion: synced accounting data is purged within 30 days of disconnection.
AI Features
Doow includes AI-assisted features (such as the Doow AI chat interface) powered by large language model (LLM) providers. When you use these features:
- Your messages and relevant organisational context (such as app names and spend summaries) are sent to one or more LLM providers — which may include Anthropic (Claude), OpenAI, or Google Gemini — for processing.
- We do not send KYC/KYB documents, full financial records, or raw integration tokens to LLM providers.
- Chat history is stored in our systems and subject to the retention periods described below.
- Under the enterprise agreements we operate under, LLM providers do not use your data to train their models.
Cookies and Tracking Technologies
We use cookies and similar tracking technologies on doow.co and within the platform, falling into three categories:
- Strictly necessary cookies — required for authentication and session management. These cannot be disabled without breaking core functionality. They include HTTP-only, secure session tokens set at login.
- Analytics cookies — set by PostHog to help us understand feature usage and improve the product. These collect anonymised event data tied to a pseudonymous session ID. You can opt out by enabling Do Not Track in your browser or by contacting support@doow.co.
- Performance monitoring — Azure Application Insights collects server-side telemetry. This processes IP addresses and request metadata but does not set a persistent browser cookie.
Data Retention and Deletion
We retain data only for as long as necessary for the purposes described in this policy. The following periods apply by data category:
- Account data — retained for the lifetime of your active account. On account closure, data is soft-deleted immediately and permanently purged within 90 days, unless legal retention obligations apply.
- Integration data (Google Workspace, HRIS, banking, accounting, identity providers) — retained while the integration is active. Tokens are revoked immediately on disconnection; all synced data is purged within 30 days.
- Session tokens — expire automatically after 3 days of inactivity and are immediately revoked on logout.
- Personal access tokens — expire on their configured expiry date or when manually revoked.
- Application usage insights — retained for 30 days, then automatically deleted by a scheduled cleanup job.
- Chat attachments — deleted automatically on a per-attachment expiry schedule.
- Sign-in activity logs — retained for 12 months for security auditing.
- KYC/KYB verification data — retained for the duration required by applicable financial regulations, typically 5–7 years after the end of the business relationship.
- Financial transaction records — retained for the duration required by applicable tax and financial regulations.
To request early deletion of your data, contact support@doow.co. Requests will be processed within 30 days, subject to any legal retention obligations.
Data Security
We implement industry-standard technical and organisational measures to protect your data:
- Encryption in transit — all data between your browser and our servers is encrypted using TLS.
- Encryption at rest — sensitive fields including OAuth tokens and integration credentials are encrypted using AES-256-CBC before being stored in our database.
- Password hashing — passwords are hashed using bcrypt and are never stored in recoverable form.
- Token hashing — session tokens and personal access tokens are stored as one-way bcrypt hashes. The original token is never retained after issue.
- Access controls — data is accessible only to employees and service providers who require it to deliver the Service, with role-based access control enforced throughout the platform.
- Two-factor authentication — available for all user accounts via authenticator app or TOTP.
Despite these measures, no system is completely secure. In the event of a data breach that affects your rights or freedoms, we will notify affected users and relevant authorities as required by applicable law.
International Data Transfers
Doow operates globally. Your data may be processed in countries outside your own, including the United States, where our service providers operate. These include Microsoft Azure, Sentry, ZeptoMail, Termii, Stripe, Plaid, Anthropic, OpenAI, and Google (for AI features).
Where personal data is transferred outside the European Economic Area (EEA) or the United Kingdom, we ensure appropriate safeguards are in place — such as Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission — in accordance with GDPR requirements.
For questions about safeguards applied to your data, contact support@doow.co.
Your Rights
Rights under GDPR (EEA and UK users)
- Right to access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete data.
- Right to erasure — request deletion of your personal data, subject to legal retention obligations.
- Right to restrict processing — request that we limit how we use your data in certain circumstances.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests, including for analytics purposes.
- Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
Rights under CCPA (California residents)
- Right to know what personal information we collect, use, disclose, and sell.
- Right to delete personal information we have collected from you.
- Right to opt out of the sale of personal information. We do not sell personal data.
- Right to non-discrimination for exercising your privacy rights.
To exercise any of these rights, contact support@doow.co. We will respond within 30 days. We may need to verify your identity before processing your request.
Children's Privacy
The Doow Service is intended for use by organisations and their adult employees. We do not knowingly collect personal data from anyone under the age of 16. If you believe we have inadvertently collected data from a minor, please contact us at support@doow.co and we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the “Last Updated” date at the top of this page and, where appropriate, notify you by email or via a notice within the platform.
Your continued use of the Service after any update constitutes acceptance of the revised policy. We encourage you to review this page periodically.
Contact Us
If you have questions, concerns, or requests relating to this Privacy Policy or the handling of your personal data, please contact us:
If you are located in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.