Privacy Policy
1. Introduction
DoughOps ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our production intelligence platform for donut shops (the "Service").
Please read this Privacy Policy carefully. By using the Service, you consent to the practices described in this policy. If you do not agree with this policy, please do not use our Service.
2. Information We Collect
2.1 Information You Provide
We collect information you voluntarily provide when using our Service:
- Account Information: Name, email address, phone number, company name, business address
- Billing Information: Payment method details (processed securely by Stripe)
- Business Data: Product information, recipes, ingredients, pricing, production quantities, sales records, waste logs
- Team Information: Names and email addresses of team members you invite
- Communications: Messages you send us via email or support channels
- Profile Information: Profile photos, preferences, settings
- B2B Contact Data: Business names, contact names, email addresses, phone numbers, and addresses of wholesale prospects and accounts you manage through the CRM
- Equipment Data: Asset details, maintenance records, nameplate photos, and service history
2.2 Information Collected Automatically
When you use our Service, we automatically collect:
- Device Information: Device type, operating system, browser type, screen resolution
- Usage Data: Pages visited, features used, time spent, click patterns
- Log Data: IP address, access times, referring URLs, error logs
- Location Data: General geographic location based on IP address (for weather features)
- Mobile Device Tokens: Push notification tokens when you enable notifications in the mobile app
- Cookies: Session identifiers and preferences (see our Cookie Policy)
2.3 Photo and Image Data
When using photo-based features, images are uploaded to secure AWS S3 storage:
- Waste Capture Images: When using the photo-based waste capture feature (Pro plan), photographs of your display case are uploaded for AI analysis. These images are retained for 90 days and then automatically deleted. Images are processed by OpenAI's API to identify and count items.
- Equipment Nameplate Photos: When using the nameplate OCR feature, photos of equipment nameplates are uploaded and processed by OpenAI's API to extract equipment information. These images are retained for the duration of the asset record.
- Crew Member Avatar Photos: If you upload photos of crew members, these are stored in S3 and retained for the duration of the crew member's active status in your account. These images are resized to 400x400 pixels upon upload.
- Product and Equipment Images: General product photos and equipment images you upload are retained for the duration of the associated record.
2.4 Crew Member Data
If you use our crew management features (Pro plan), you may store information about non-login employees including:
- Full names and contact information
- Skill tags and station assignments
- Assigned locations and shift data
- Optionally, profile photos
Crew member data is stored within your tenant's isolated data environment. This data is not shared with third parties. You are responsible for ensuring you have appropriate consent from crew members to store their information in the Service, in accordance with applicable employment and privacy laws in your jurisdiction.
2.5 AI and Machine Learning Processing
Certain features use third-party AI services to process images, text, and audio. When you use these features, the relevant data is transmitted to the applicable AI provider:
- Photo Waste Capture: Display case photographs are sent to OpenAI's API (GPT-4o) for product identification and counting.
- Equipment Nameplate OCR: Nameplate photographs are sent to OpenAI's API for text extraction and equipment data recognition.
- Nutrition Data Fallback: When USDA database lookups do not return a match, ingredient names may be sent to OpenAI's API for nutrition estimation.
- Voice Transcription: When using voice input features (Pro plan), audio recordings are sent to AWS Transcribe for speech-to-text conversion. Audio data is processed in real time and is not stored by AWS after transcription is complete.
OpenAI's data usage and privacy policies apply to data processed through their API. You can review OpenAI's policies at openai.com/policies/privacy-policy. DoughOps does not use your data to train AI models, and our API usage with OpenAI is subject to OpenAI's API data usage policies, which do not use API inputs to train their models by default.
2.6 B2B Wholesale Portal Data
If you use the wholesale portal feature (Pro plan), your business customers ("Portal Users") may access a self-service portal to view pricing, place orders, and manage account details. We collect and process:
- Portal User contact information: Business name, contact name, email address, phone number, and delivery address as provided by you (the account owner)
- Authentication data: Magic link tokens and session data (automatically expired and cleaned up)
- Order data: Orders placed through the portal, including products, quantities, and delivery details
Portal Users do not create passwords or traditional accounts. Authentication is via single-use magic links sent to their email. You are responsible for ensuring your Portal Users are aware of how their data is handled and for obtaining any necessary consent.
2.7 Information from Third Parties
We may receive information from third-party services you connect:
- Square POS: Product catalog, sales transactions, employee/crew data, location data (when you authorize the integration)
- Clover POS: Product catalog, sales transactions, employee data, location data (when you authorize the integration)
- Weather Services: Forecast data based on your location
- Event APIs: Local event information for your area
- OpenStreetMap: Business information from public map data (when using prospect discovery features)
- Google Places: Address and location data (when using address autocomplete)
3. How We Use Your Information
We use your information for the following purposes:
3.1 Providing the Service
- Creating and managing your account
- Processing payments and managing subscriptions
- Generating production predictions and recommendations
- Providing sales analytics and reporting
- Enabling team collaboration features
- Powering AI-driven features — including our demand prediction engine, baseline optimization, and analytics algorithms — using your business data for your account only
3.2 Improving the Service
- Analyzing usage patterns to improve features
- Improving our prediction algorithms using aggregated, anonymized data
- Conducting research and analytics
- Testing new features and functionality
AI Model Training: We do not use your business data, images, or customer information to train third-party AI models. Data sent to OpenAI's API is governed by OpenAI's API data usage policies, which do not use API inputs to train their models by default.
No Cross-Customer Data Sharing: Your business data — including sales figures, product catalog, recipes, waste records, and any other business-specific information — is used exclusively to power the Service for your account. We will never share, sell, rent, or disclose your business data to other DoughOps customers, competitors, data brokers, or advertisers. The only exceptions are: (a) aggregated, anonymized data as described in Section 4.5, which cannot identify you or your business; (b) disclosures required by law; and (c) third-party service providers who process data on our behalf under strict confidentiality obligations (as described in Section 4.1).
3.3 Communication
- Sending daily production plan emails
- Sending push notifications to your mobile device (if you have enabled them in the mobile app)
- Providing customer support
- Sending service updates and announcements
- Marketing communications (with your consent)
3.4 Legal and Security
- Complying with legal obligations
- Protecting against fraud and abuse
- Enforcing our Terms of Service
- Maintaining security of the Service
4. Sharing Your Information
We do not sell, rent, or share your personal information or business data with other customers, competitors, data brokers, or advertisers. We may share your information only in these limited circumstances:
4.1 Service Providers
We share information with trusted third-party service providers who assist us in operating the Service:
- Stripe: Payment processing
- Amazon Web Services (AWS): Cloud hosting and infrastructure
- AWS SES: Email delivery
- Analytics providers: Usage analytics (anonymized)
- Open-Meteo: Weather forecast data
- Google Analytics / Facebook Pixel: Website analytics and marketing attribution
- Cloudflare: Website hosting and security for our marketing site
These providers are contractually bound to protect your data and use it only for the services they provide to us.
4.2 POS Integrations
When you connect a POS system (Square or Clover), we access your POS data according to the provider's API terms. We do not share your DoughOps data with POS providers beyond what's necessary for the integration. Data synced from your POS (products, sales, employee/crew information) is stored within your tenant's isolated data environment.
4.3 Legal Requirements
We may disclose your information if required by law, court order, or government request, or if we believe disclosure is necessary to:
- Comply with legal obligations
- Protect our rights or property
- Prevent fraud or security issues
- Protect the safety of users or the public
4.4 Business Transfers
If DoughOps is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change.
4.5 Aggregated Data
We may share aggregated, anonymized data that cannot identify you for research, marketing, or other purposes.
4.6 Email Tracking
Emails sent through the Service (such as production plan notifications, task reminders, and B2B communications) may include tracking technologies to measure delivery, open rates, and link clicks. This data helps us improve our email communications and is processed in accordance with this policy. You can opt out of marketing emails at any time using the unsubscribe link provided in each email.
5. Data Retention
We retain your information as follows:
5.1 While Your Account Is Active
- Core data (products, recipes, team members, settings): Retained indefinitely while active
- Completed task records: Retained indefinitely as work records
- Production plans, sales, waste records: 5 years (used for AI predictions and reporting)
- Pending/unfinished tasks, summaries, escalations: 3 years
- Audit and activity logs: 90 days
- Session security events: 90 days
- Waste capture images: 90 days, then automatically deleted from storage
- Weather cache and past events: 30 days
- Authentication tokens: 30 days after expiry
- B2B portal sessions and magic links: Automatically cleaned up upon expiry
5.2 After Account Cancellation
- You have 30 days to export your data after cancellation
- Core account data (Tenant, User records) is deleted after the 30-day export window
- Backup systems may retain data for up to 90 additional days before automatic purging
- Aggregated, anonymized data may be retained indefinitely
- Some data may be retained longer if legally required
You may request deletion of your data at any time (see Your Rights section). Data deletion is performed automatically by our scheduled cleanup processes and can be expedited upon request by contacting privacy@doughops.com.
6. Data Security
We implement industry-standard security measures to protect your data:
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Strict role-based access to production systems
- Infrastructure: Hosted on AWS (AWS maintains SOC 2 and ISO 27001 certifications)
- Password Security: Passwords are hashed using bcrypt with 12 rounds
- Monitoring: Continuous security monitoring and logging
- Backups: Regular encrypted backups with tested recovery procedures
While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
7. Your Rights
You have the following rights regarding your data:
7.1 Access
You can access most of your data through your account settings. You may also request a copy of all data we hold about you.
7.2 Correction
You can update your account information at any time. Contact us if you need assistance correcting other data.
7.3 Deletion
You can request deletion of your account and data. We will delete your data within 30 days, except where retention is legally required.
7.4 Export
You can export your data in common formats (CSV, JSON) through the Service's export features.
7.5 Objection
You can object to certain processing of your data, including marketing communications.
7.6 Restriction
You can request that we restrict processing of your data in certain circumstances.
To exercise any of these rights, contact us at privacy@doughops.com.
8. Cookies and Tracking
We use cookies and similar technologies to:
- Keep you signed in
- Remember your preferences
- Understand how you use the Service
- Improve our Service
For detailed information about the cookies we use, please see our Cookie Policy.
9. Third-Party Services
Our Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those services. We encourage you to review their privacy policies.
Key Third-Party Services:
- Stripe: stripe.com/privacy
- Square: squareup.com/legal/privacy
- Clover: clover.com/privacy-policy
- Amazon Web Services: aws.amazon.com/privacy (hosting, email, and voice transcription)
- OpenAI: openai.com/policies/privacy-policy (photo waste capture, nameplate OCR, and nutrition AI fallback)
- Google: policies.google.com/privacy (Places API for address autocomplete, Analytics)
10. International Data Transfers
Your data may be transferred to and processed in the United States, where our servers are located. If you are located outside the United States, please be aware that data protection laws may differ from your jurisdiction.
For users in the European Economic Area (EEA), we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- AWS's compliance with the EU-US Data Privacy Framework
11. Children's Privacy
The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
12. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
12.1 Right to Know
You can request information about the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it.
12.2 Right to Delete
You can request deletion of your personal information, subject to certain exceptions.
12.3 Right to Opt-Out
We do not sell personal information. If this changes, we will provide an opt-out mechanism.
12.4 Non-Discrimination
We will not discriminate against you for exercising your CCPA rights.
12.5 Categories of Personal Information
In the past 12 months, we have collected: identifiers, commercial information, internet activity, geolocation data, and professional information.
To exercise your CCPA rights, contact us at privacy@doughops.com.
13. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
13.1 Legal Basis
We process your data based on:
- Contract: Processing necessary to provide the Service you requested
- Legitimate Interests: Processing for our legitimate business interests (improving the Service, preventing fraud)
- Consent: Processing based on your explicit consent (marketing communications)
- Legal Obligation: Processing required by law
13.2 Additional Rights
In addition to the rights listed in Section 7, you have the right to:
- Lodge a complaint with your local data protection authority
- Data portability (receive your data in a structured, machine-readable format)
- Withdraw consent at any time (without affecting prior processing)
13.3 Data Protection Officer
For GDPR-related inquiries, contact our Data Protection Officer at dpo@doughops.com.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
- Posting the updated policy on this page
- Updating the "Last updated" date
- Sending an email notification for material changes
We encourage you to review this policy periodically.
15. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Email: privacy@doughops.com
- Support: support@doughops.com
- Data Protection Officer: dpo@doughops.com
- Website: https://doughops.com
This Privacy Policy is effective as of March 6, 2026.