Privacy Policy

1. Introduction

DoughOps ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our production intelligence platform for donut shops (the "Service").

Please read this Privacy Policy carefully. By using the Service, you consent to the practices described in this policy. If you do not agree with this policy, please do not use our Service.

2. Information We Collect

2.1 Information You Provide

We collect information you voluntarily provide when using our Service:

• Account Information: Name, email address, phone number, company name, business address
• Billing Information: Payment method details (processed securely by Stripe)
• Business Data: Product information, recipes, ingredients, pricing, production quantities, sales records, waste logs
• Team Information: Names and email addresses of team members you invite
• Communications: Messages you send us via email or support channels
• Profile Information: Profile photos, preferences, settings

2.2 Information Collected Automatically

When you use our Service, we automatically collect:

• Device Information: Device type, operating system, browser type, screen resolution
• Usage Data: Pages visited, features used, time spent, click patterns
• Log Data: IP address, access times, referring URLs, error logs
• Location Data: General geographic location based on IP address (for weather features)
• Cookies: Session identifiers and preferences (see our Cookie Policy)

2.3 Information from Third Parties

We may receive information from third-party services you connect:

• Square POS: Product catalog, sales transactions, location data (when you authorize the integration)
• Weather Services: Forecast data based on your location
• Event APIs: Local event information for your area

3. How We Use Your Information

We use your information for the following purposes:

3.1 Providing the Service

• Creating and managing your account
• Processing payments and managing subscriptions
• Generating production predictions and recommendations
• Providing sales analytics and reporting
• Enabling team collaboration features

3.2 Improving the Service

• Analyzing usage patterns to improve features
• Training and improving our AI prediction models
• Conducting research and analytics
• Testing new features and functionality

3.3 Communication

• Sending daily production plan emails
• Providing customer support
• Sending service updates and announcements
• Marketing communications (with your consent)

3.4 Legal and Security

• Complying with legal obligations
• Protecting against fraud and abuse
• Enforcing our Terms of Service
• Maintaining security of the Service

4. Sharing Your Information

We do not sell your personal information. We may share your information only in these circumstances:

4.1 Service Providers

We share information with trusted third-party service providers who assist us in operating the Service:

• Stripe: Payment processing
• Amazon Web Services (AWS): Cloud hosting and infrastructure
• SendGrid/AWS SES: Email delivery
• Analytics providers: Usage analytics (anonymized)

These providers are contractually bound to protect your data and use it only for the services they provide to us.

4.2 Square Integration

When you connect Square, we access your Square data according to Square's API terms. We do not share your DoughOps data with Square beyond what's necessary for the integration.

4.3 Legal Requirements

We may disclose your information if required by law, court order, or government request, or if we believe disclosure is necessary to:

• Comply with legal obligations
• Protect our rights or property
• Prevent fraud or security issues
• Protect the safety of users or the public

4.4 Business Transfers

If DoughOps is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change.

4.5 Aggregated Data

We may share aggregated, anonymized data that cannot identify you for research, marketing, or other purposes.

5. Data Retention

We retain your information as follows:

• Active Account: We retain your data while your account is active
• After Cancellation: Data is retained for 30 days to allow for reactivation, then deleted
• Backup Systems: Backups may retain data for up to 90 days
• Legal Requirements: Some data may be retained longer if legally required
• Anonymized Data: Aggregated, anonymized data may be retained indefinitely

You may request deletion of your data at any time (see Your Rights section).

6. Data Security

We implement industry-standard security measures to protect your data:

• Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Strict role-based access to production systems
• Infrastructure: Hosted on AWS with SOC 2 compliance
• Password Security: Passwords are hashed using bcrypt with 12 rounds
• Monitoring: Continuous security monitoring and logging
• Backups: Regular encrypted backups with tested recovery procedures

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Your Rights

You have the following rights regarding your data:

7.1 Access

You can access most of your data through your account settings. You may also request a copy of all data we hold about you.

7.2 Correction

You can update your account information at any time. Contact us if you need assistance correcting other data.

7.3 Deletion

You can request deletion of your account and data. We will delete your data within 30 days, except where retention is legally required.

7.4 Export

You can export your data in common formats (CSV, JSON) through the Service's export features.

7.5 Objection

You can object to certain processing of your data, including marketing communications.

7.6 Restriction

You can request that we restrict processing of your data in certain circumstances.

To exercise any of these rights, contact us at privacy@doughops.com.

8. Cookies and Tracking

We use cookies and similar technologies to:

• Keep you signed in
• Remember your preferences
• Understand how you use the Service
• Improve our Service

For detailed information about the cookies we use, please see our Cookie Policy.

9. Third-Party Services

Our Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those services. We encourage you to review their privacy policies.

Key Third-Party Services:

• Stripe: stripe.com/privacy
• Square: squareup.com/legal/privacy
• Amazon Web Services: aws.amazon.com/privacy

10. International Data Transfers

Your data may be transferred to and processed in the United States, where our servers are located. If you are located outside the United States, please be aware that data protection laws may differ from your jurisdiction.

For users in the European Economic Area (EEA), we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• AWS's compliance with the EU-US Data Privacy Framework

11. Children's Privacy

The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

12. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

12.1 Right to Know

You can request information about the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it.

12.2 Right to Delete

You can request deletion of your personal information, subject to certain exceptions.

12.3 Right to Opt-Out

We do not sell personal information. If this changes, we will provide an opt-out mechanism.

12.4 Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

12.5 Categories of Personal Information

In the past 12 months, we have collected: identifiers, commercial information, internet activity, geolocation data, and professional information.

To exercise your CCPA rights, contact us at privacy@doughops.com or call [phone number].

13. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

13.1 Legal Basis

We process your data based on:

• Contract: Processing necessary to provide the Service you requested
• Legitimate Interests: Processing for our legitimate business interests (improving the Service, preventing fraud)
• Consent: Processing based on your explicit consent (marketing communications)
• Legal Obligation: Processing required by law

13.2 Additional Rights

In addition to the rights listed in Section 7, you have the right to:

• Lodge a complaint with your local data protection authority
• Data portability (receive your data in a structured, machine-readable format)
• Withdraw consent at any time (without affecting prior processing)

13.3 Data Protection Officer

For GDPR-related inquiries, contact our Data Protection Officer at dpo@doughops.com.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

• Posting the updated policy on this page
• Updating the "Last updated" date
• Sending an email notification for material changes

We encourage you to review this policy periodically.

15. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

• Email: privacy@doughops.com
• Support: support@doughops.com
• Data Protection Officer: dpo@doughops.com
• Website: https://doughops.com

---

This Privacy Policy is effective as of January 15, 2024.