Privacy Policy
What we collect, why, how long we keep it, and how to get it out or delete it. Plain English, no dark patterns. Written for procurement review and aligned with our Data Processing Addendum.
Effective: May 10, 2026
1. Who we are
Dock is operated by Vector Apps, Inc. (“we”, “us”). Reach the privacy team at privacy@trydock.ai. For EU / UK GDPR matters, the same address works. We have not appointed an external DPO because our processing volume is below the GDPR threshold that would require one.
2. Scope
This policy covers the Dock service at trydock.ai and its subdomains, the Dock REST API, the MCP server at /api/mcp, the outbound webhook system, and the Dock CLI and desktop client. It does not cover third-party agents or applications that you connect to Dock; those are governed by their own policies and your authorization scope.
3. Personal data we collect
3.1 Account data
- Email address. The one you signed up with. We use it to send magic-link sign-in codes, transactional email (security alerts, plan changes), and the changelog digest if you opt in.
- Display name and avatar URL. Whatever you typed into your profile. Optional.
- Organization name, workspace name, slugs. The structures you create inside Dock.
3.2 Content data
- Rows, document bodies, comments, attachments, and column values you put into a workspace. This is user content; we treat it as yours and process it on your behalf as Processor under the DPA.
- Agent API keys are stored as SHA-256 hashes immediately on creation; we never see plaintext after the moment you received it.
- Webhook URLs you configure. Webhook secrets are stored in a form recoverable by the application because outbound HMAC signing requires plaintext access; encryption at rest is on the roadmap.
3.3 Technical telemetry
- IP address — received at request time for rate limiting and abuse prevention. We do not persist raw IPs in your database row: where IPs are stored for abuse tracking (referrals, agent-join requests), we store a salted SHA-256 hash, not the raw address. Vercel edge logs receive full IPs and are retained per Vercel’s policy (thirty days).
- Coarse user-agent string — the first two hundred characters, for audit log context and abuse triage.
- Request identifiers and timestamps.
3.4 Authentication artefacts
- Session tokens for the browser cookie. Hashing of these at rest is on the roadmap; today the plaintext sits in the database row.
- OAuth access tokens and refresh tokens (for MCP connectors). Stored as SHA-256 hashes at rest. Plaintext is shown to the issuing client exactly once.
- Magic-link verification tokens. Single-use, fifteen-minute TTL, deleted upon redemption.
4. Lawful basis (GDPR Article 6)
- Contract (Art. 6(1)(b)): processing necessary to provide the Service to a user who signed up and accepted the Terms.
- Legitimate interest (Art. 6(1)(f)): security, abuse prevention, fraud detection, log retention, product analytics on aggregate non-PII signals.
- Legal obligation (Art. 6(1)(c)): tax records, regulatory requests, lawful government subpoenas.
- Consent (Art. 6(1)(a)): the changelog digest and any future marketing communication. Consent is opt-in and one-click revocable.
5. How we use personal data
- Authenticate users and gate access to workspace data.
- Store, retrieve, and synchronise the content you create.
- Deliver event notifications to webhook endpoints you configure.
- Maintain audit logs of workspace state changes.
- Send transactional email (sign-in links, security alerts, plan changes, support replies).
- Detect and prevent abuse (rate-limit enforcement, IP reputation, brute-force prevention).
- Diagnose production faults and operate the Service.
6. What we deliberately do not do
Sometimes the more useful question is what a SaaS chooses not to do. Our list:
- No third-party analytics. No Google Analytics, Segment, PostHog, Mixpanel, Heap, or equivalent. We have not added a tracking script to this site.
- No AI or LLM connected to Dock’s software. The only AI that reads your workspace data is the agent you yourself authorized via your own API key or OAuth grant. We do not run user content through any model on our side.
- No model fine-tuning on customer data.
- No browser fingerprinting. We do not load FingerprintJS, canvas fingerprinting, or any other identification technique beyond a coarse user-agent string.
- No selling of personal data. Our revenue is the subscription you pay. We do not have a data-broker relationship with anyone.
- No advertising. We do not show ads on the Service. We do not share your data for cross-context behavioral advertising (the CCPA / CPRA term) and do not participate in any ad network.
- No marketing email by default. The only unsolicited mail you receive from us is transactional (sign-in, security, billing). The changelog digest is opt-in.
7. Cookies
Dock sets two cookies, both classified as essential under the GDPR ePrivacy directive and therefore exempt from the consent-banner requirement:
- dock-session — the authentication session cookie. HttpOnly, Secure (production), SameSite=Lax, thirty-day rolling TTL. Set on successful magic-link sign-in. Without it the Service does not function. Strictly necessary.
- dock-elev — the elevated-session cookie for sensitive user operations (email change, account deletion, API key reveal). HttpOnly, Secure, SameSite=Strict, fifteen-minute TTL. Set on click-through from an emailed elevation link. Strictly necessary for the sudo-mode pattern.
We do not set tracking cookies, advertising cookies, or analytics cookies. There is no consent banner because there is no non-essential cookie to consent to.
8. Who we share personal data with
We share personal data only with vendors that operate the infrastructure Dock runs on (sub-processors), and only to the extent needed to provide the Service. The current list:
- Neon — primary Postgres database (us-east-1).
- Vercel — edge hosting, serverless functions, Blob object storage.
- Resend — transactional email delivery.
- Stripe — subscription billing. We never see card numbers; Stripe handles all payment data on their PCI DSS Level 1 attested infrastructure.
- Sentry — error monitoring. Stack traces with scrubbed request data.
- Upstash — Redis backend for the rate limiter. Sees IP hashes and rate-limit counters; no content.
Each sub-processor is contractually bound to data-protection obligations no less protective than this policy. The current list with what each touches is published at /subprocessors.
9. International transfers
Vector Apps is established in the United States. Primary data storage is in US-East-1. For customers in the European Economic Area, the United Kingdom, or Switzerland, our Data Processing Addendum incorporates the EU Standard Contractual Clauses (Module Two, Controller-to-Processor) and the UK Addendum by reference for transfers to the United States. EU data residency is on the roadmap and tied to the Team plan launch.
10. Data retention
- Account and workspace content: retained for as long as your account exists. On request or account deletion, removed within thirty days (see “Your rights” below).
- Audit log events: three hundred sixty-five (365) days. Includes the action taken, actor identity, and the payload of the state change (e.g. the row body that was written). Storage-layer encryption (AES-256 via Neon) covers the data at rest; application-layer encryption of event payloads for sensitive workspaces is on the roadmap. Customers with stricter retention requirements should email privacy@trydock.ai.
- Magic-link tokens: fifteen minutes, single-use, deleted on redemption.
- OAuth access tokens: seven days.
- OAuth refresh tokens: thirty days, sliding window. Idle tokens expire; actively-used tokens never need re-authentication.
- Sessions: thirty days rolling, deleted on logout or session rotation.
- Failed webhook deliveries: retained for ninety days, then purged.
- Vercel edge request logs: thirty days, managed by Vercel.
- Postgres backups: seven days point-in-time recovery on Free and Pro tiers, fourteen days on Scale. Object storage has a fourteen-day undelete window.
- Stripe invoice records: seven years as required by US tax law.
11. Your rights
You can exercise the following rights any time, with respect to personal data we hold about you:
- Access and portability (Art. 15, 20): get a machine-readable export of every record tied to your user and the orgs you own. Visit Settings → Data export and click “Download my data”, or hit GET /api/me/export while signed in. The export is a JSON file with your account, orgs, workspaces, rows, doc bodies, comments, agents, API key metadata, OAuth client metadata, referrals, and memberships. Plaintext credentials are deliberately excluded; they were shown to your client exactly once at creation and are non-recoverable.
- Rectification (Art. 16): edit profile fields in Settings, or email privacy@trydock.ai for anything you cannot edit yourself.
- Erasure (Art. 17): delete your account in Settings → Account → Delete account, or hit DELETE /api/me. Cascade deletion removes your User row, organization memberships, workspace memberships, agents, API keys, OAuth tokens, sessions, support tickets, and any workspace where you are the sole owner. Audit log entries that name you are retained as required by the immutable-ledger contract, with your personal identifiers replaced by an anonymized handle so surviving customers can continue to audit their own activity coherently. Completion within thirty days.
- Restriction and objection (Art. 18, 21): email privacy@trydock.ai and we will pause processing while we resolve the objection.
- Withdraw consent (Art. 7): any digest email has a one-click unsubscribe.
- Lodge a complaint: with your local data protection authority. We’d prefer you tell us first so we can fix the underlying issue.
- CCPA / CPRA rights (California): right to know, right to delete, right to opt out of sale or sharing for cross-context behavioral advertising (we do neither), right to limit use of sensitive personal information (we do not knowingly collect sensitive personal information under the CCPA definition). Exercise all of these via the same privacy@trydock.ai address.
12. Prohibited data
Dock is a general-purpose collaborative workspace. It is not intended for, and is not contractually certified to handle, the following classes of regulated data. Please do not upload them to a Dock workspace:
- Protected Health Information (PHI) as defined under HIPAA. Dock is not HIPAA-eligible and we do not sign Business Associate Agreements.
- Payment card data (PCI). Card numbers, CVVs, magnetic-stripe data. Stripe handles all payment processing on our behalf; you never need to put card numbers in a workspace.
- Social Security Numbers, government identifiers, biometric records — outside the scope of our compliance posture.
- Information from minors under sixteen, including parents’ data describing them.
- Sealed legal records, attorney-client communications — consult counsel about attorney work product before putting it in any SaaS.
- Classified government information.
If you upload prohibited data anyway, you are responsible for the legal consequences. We may remove the content or suspend the account.
13. Children
Dock is not directed to children under sixteen (16). We do not knowingly collect personal data from anyone under sixteen. If we learn we have collected data from a minor, we will delete it. Operators of family or educational accounts are responsible for ensuring users under sixteen do not sign up.
14. Security
How we protect personal data — encryption in transit and at rest, authentication, authorization, audit logging, network egress controls, content sanitization, rate limiting, employee access controls, vulnerability disclosure, and incident response — is documented in detail at /security. That policy is the technical companion to this one. The short version: TLS 1.3 everywhere, AES-256 at rest, every credential SHA-256 hashed at rest, every workspace operation gated by a single canonical access check.
15. Breach notification
If we discover a personal data breach affecting your data, we will notify the controller (you, if you are using Dock for your own account; the org owner, if you are a member of a customer’s org) within seventy-two (72) hours of becoming aware of it where the breach is likely to result in a risk to the rights and freedoms of natural persons. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures we have taken or propose to take to address the breach and mitigate its effects.
16. Changes to this policy
Material changes are reflected in an updated effective date at the top of this page. Customers on a paid plan with an executed Data Processing Addendum are notified by email at least thirty days before material changes take effect, unless the change is required by law or addresses a security risk that requires faster action. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
17. Contact
Privacy team: privacy@trydock.ai. Security team: security@trydock.ai. Both addresses route to the same on-call rotation during the beta period.