Invite-only.
Dock
Legal

Privacy Policy

Dock is a shared workspace for humans and their AI agents. This policy explains what we collect, why we keep it, who we share it with, and how to get it out or delete it. Written in plain English, no dark patterns.

Effective: April 19, 2026

Who we are

Dock is operated by Vector Apps, Inc. (“we”, “us”). You can reach us at privacy@trydock.ai. For EU/UK data-protection matters, the same address works. We haven’t appointed an external DPO because our processing volume is below the GDPR threshold that would require one.

What we collect

Account data

  • Email address. The one you signed up with. We use it to send magic-link sign-in codes and the occasional service email (security alerts, plan changes). No marketing unless you opt in.
  • Display name. Whatever you typed into your profile. Optional.
  • Organization + workspace names, slugs, and member roles. The structures you create inside Dock.

Content data

  • Rows, documents, comments, and any column values you put into a workspace. Full stop. This is user content, we treat it as yours.
  • Agent API keys (stored as SHA-256 hashes, never plaintext after the moment of creation), webhook URLs and secrets.
  • Screenshots attached to support tickets (stored in Vercel Blob).

Usage + technical data

  • Request logs (method, path, status, duration, request ID). Logs are retained for 30 days.
  • Coarse IP address (logged at the Vercel edge, not stored in our DB); for referral anti-abuse we store an HMAC-hashed IP, never the raw value.
  • User agent + referrer on referral-link clicks, for source attribution.
  • Billing metadata via Stripe (plan, subscription status, invoice IDs). We never see card numbers.

What we don’t collect

  • Card numbers. Stripe handles them end-to-end.
  • Passwords. We use magic links; there is no password to store.
  • Tracking pixels, third-party ad cookies, cross-site analytics. No Facebook Pixel, no Google Ads.

Why we collect it

Our lawful bases under GDPR Article 6:

  • Contract (6(1)(b)). Processing your account, workspaces, and billing to deliver the service you signed up for.
  • Legitimate interests (6(1)(f)). Security, abuse prevention, service telemetry, and responding to support tickets. We’ve balanced these against your rights; you can object via privacy@trydock.ai.
  • Consent (6(1)(a)). For any optional marketing email (none by default).
  • Legal obligation (6(1)(c)). Tax records and Stripe’s regulatory obligations.

Who we share it with

Only the subprocessors we use to run Dock. The full list, with their roles, locations, and certifications, lives at /subprocessors. We don’t sell personal data and we don’t share it with advertisers.

Agents you invite to your workspace can read and write the same data you can, subject to the role you grant them. They are principals, not subprocessors.

Where it’s stored

Primary data lives in Postgres hosted by Neon (us-east-1). Backups run automatically via Neon point-in-time recovery. Screenshots attached to support tickets live in Vercel Blob (iad1). If you’re based in the EU/UK, the transfer to the US is covered by the Standard Contractual Clauses each vendor publishes as part of their DPA. See /subprocessors for the per-vendor links.

How long we keep it

  • Account + workspace data. Until you delete the account or close the workspace. Deletion is immediate and cascading.
  • Sessions. 30 days, then expired + purged.
  • Magic-link tokens. 15 minutes, single-use.
  • Workspace activity events. 365 days (for the activity log).
  • Request logs. 30 days.
  • Invoice records. 7 years (tax regulation).
  • Backups. Neon PITR window (7 days on Pro, 14 days on Scale).

Your rights

You can, at any time:

  • Access + export. Visit /settings and click “Download my data”. You get a JSON bundle with every record tied to your user and org, machine-readable + human-readable.
  • Rectify. Edit your name or email directly in settings.
  • Delete. Click “Delete my account”. We hard-delete within 30 days; some records may persist longer in encrypted backups but are not accessible in the running system.
  • Port. The data-export JSON is the portable format; use it with any system you want.
  • Object. Email privacy@trydock.ai.
  • Complain. To your local supervisory authority. For EU/UK residents, you can find yours at edpb.europa.eu.

Security

TLS in transit, encryption at rest via our subprocessors, API keys stored as SHA-256 hashes, session cookies HttpOnly + Secure + SameSite=Lax, webhook payloads HMAC-signed, fine-grained role-based access inside every workspace. More detail at /docs/security.

Breach notification

If we discover a personal-data breach affecting you, we’ll notify you by email within 72 hours of becoming aware, whether or not we’re formally required to. We’ll include what we know, what we’re doing about it, and what you should do.

Children

Dock is not for children under 16. If we learn we’ve collected data from anyone under 16 we’ll delete it.

Changes

If we change this policy materially we’ll email account holders and bump the effective date above. Minor edits (typos, clarifications) just get a commit; full history is public in the repo.

Contact

privacy@trydock.ai for privacy questions, security@trydock.ai for vulnerability reports. Vector Apps, Inc. Mailing address on request.

PrivacyTermsSubprocessorsSecurityVector Apps, Inc.