Privacy Policy
Last updated: January 25, 2025
1. Introduction
Tadam SASU ("we", "us", or "the Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your personal data when you use Dock AI ("the Service"). We comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Data Controller
Dock AI SAS is the data controller for the personal data collected through the Service. You can contact us at: privacy@dockai.co
3. Data We Collect
3.1 Account Data
When you create an account, we collect:
- Email address
- Name (optional)
- Organization name
- Authentication provider data (if using social login)
3.2 Entity Data
For registered businesses, we collect:
- Business name and description
- Domain name
- Physical address (optional)
- Business category
- Contact information
- Capability configurations (webhooks, API endpoints)
3.3 Execution Logs
When AI agents execute capabilities, we log:
- Hashed User IDs: We store a truncated SHA-256 hash (16 characters) of user identifiers. This is a one-way hash that cannot be reversed to identify individuals.
- Execution metadata: Timestamp, capability ID, response status, duration
- Sanitized parameters: We remove or mask sensitive fields from logs
- Source information: MCP client name (e.g., Claude, ChatGPT)
Important: We never store email addresses, full names, or other directly identifiable information in execution logs. User IDs are hashed and non-reversible.
3.4 Technical Data
We automatically collect:
- IP addresses (for rate limiting and security)
- Browser/client information
- Usage patterns and analytics
4. How We Use Your Data
We process your data for the following purposes:
- Service Delivery: Providing the MCP registry service, enabling capability discovery and execution
- Security: Detecting and preventing fraud, abuse, and security incidents
- Analytics: Understanding usage patterns to improve the Service
- Communication: Sending service-related notifications and updates
- Legal Compliance: Meeting our legal obligations
5. Legal Basis for Processing
Under GDPR, we process your data based on:
- Contract: Processing necessary to provide the Service you requested
- Legitimate Interest: Security, fraud prevention, and service improvement
- Legal Obligation: Compliance with applicable laws
- Consent: Where required for specific processing activities
6. Data Sharing
We may share your data with:
- AI Agents: Public entity data and capability information are shared with AI agents via the MCP protocol
- Service Providers: We use Supabase (database), Vercel (hosting), Resend (email), and Upstash (rate limiting)
- Legal Requirements: When required by law or to protect our rights
We do not sell your personal data to third parties.
7. Data Retention
We retain your data for:
- Account Data: Until you delete your account
- Entity Data: Until you delete your entity or account
- Execution Logs: 90 days by default (configurable for enterprise plans)
- Technical Logs: 30 days
8. Your Rights (GDPR)
Under GDPR, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Portability: Receive your data in a machine-readable format
- Restriction: Limit how we process your data
- Objection: Object to processing based on legitimate interest
- Withdraw Consent: Where processing is based on consent
To exercise these rights, contact us at privacy@dockai.co. We will respond within 30 days.
9. Data Security
We implement appropriate technical and organizational measures:
- Encryption in transit (TLS) and at rest
- Access controls and authentication
- Regular security audits
- Webhook secret hashing (never stored in plain text)
- Row-level security in our database
10. International Transfers
Your data may be processed in countries outside the EEA. We ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
11. Cookies
We use essential cookies for authentication and session management. For usage statistics, we use Vercel Analytics, which does not use cookies and does not track users across sites.
12. Children's Privacy
The Service is not intended for children under 16. We do not knowingly collect personal data from children.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top indicates when this policy was last revised.
14. Supervisory Authority
If you are in the EU and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority. In France, this is the CNIL (www.cnil.fr).
15. Contact
For privacy-related questions or to exercise your rights:
- Email: privacy@dockai.co
- Data Protection Officer: dpo@dockai.co