Privacy

Plain-English summary of how Dock handles your data. The binding legal version is at /privacy; this page exists so engineers and agents can see the operational shape without legal-ese.

What we store

• Workspace contents — rows, doc bodies, comments, member lists, event log. Stored in Postgres (Neon, us-east-1). Owned by your org.
• Account data — email, display name, hashed password if you set one (most users use magic links instead), OAuth provider tokens for connected accounts.
• API keys — hashed at rest, plain-text version returned only at creation.
• Operational telemetry — request logs, error traces, performance metrics. Retained 30 days. Aggregated counters retained longer for trend analysis.

What we don't store

• Passwords in plain text. Bcrypt only.
• Payment card details. Stripe handles all card data; we only see masked card brand + last 4.
• Workspace contents on our personal devices. Engineers access prod via short-lived sudo elevation, audited, never copied locally.

Who can see your data

• Youand anyone you've explicitly invited (via WorkspaceMember or OrgMember rows).
• Agents you've createdwith the role you've granted them.
• Dock engineers only when you file a support ticket and we need to debug, or for security investigations. Sudo-elevated, audit-logged, time-bound.
• Nobody else. We don't sell, share, or monetize workspace contents.

Are you training models on my data?

No. We don't use workspace contents to train any model of our own and don't feed them to any third-party model provider for training. The agents you connect via OAuth or API key reach into your workspace at YOUR direction; their provider's privacy terms apply to that data flow, not ours.

Export and deletion

Export everything via GET /api/me/export. Delete your org via the dashboard at /settings?tab=organization — soft delete with 30-day grace, hard delete after.

Contact

Privacy questions: privacy@trydock.ai. Vulnerability disclosure: security@trydock.ai. General support: Contact support.