Privacy Policy
Last updated: April 2026
Dotty is an AI biography interview app. You share your life stories through conversations, and Dotty turns them into written biographies. We take the privacy of your personal stories seriously. This policy explains what data we collect, how we protect it, and what rights you have.
1. Who We Are
Dotty is operated from Finland. For questions about your data, you can reach us at hello@dotty.ai. Our supervisory authority is the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto, tietosuoja.fi).
2. What Data We Collect
We collect only what is necessary to provide the service:
- Account information: Your name, email address, and password (hashed). If you sign in with Google, we receive your Google account ID, name, and email.
- Conversation transcripts: The questions Dotty asks and the answers you provide during biography interviews. If you use voice input, the audio is processed in real time to produce a text transcript — we do not store audio recordings.
- Biography content: The written biographies generated from your conversations.
- Extracted facts: Key details (names, dates, places) that Dotty identifies from your conversations to improve the biography.
- Usage metadata: Session information (IP address, session timestamps), interview progress, and active time spent in interviews.
3. How We Use Your Data
- To conduct biography interviews and generate your written biography
- To save your progress so you can return to interviews later
- To verify your email address and secure your account
- To respond to support requests
We do not use your personal stories for advertising, profiling, or any purpose other than delivering the Dotty service to you.
4. How We Protect Your Data
Your conversations and biographies are sensitive. We protect them with multiple layers of security:
- Encryption at rest: All interview content (questions, answers, facts, biographies) is encrypted using AES-256-GCM with a unique per-user encryption key. Even if our database were compromised, your content would remain unreadable without your key.
- Encryption in transit: All connections use HTTPS/TLS.
- Session security: We use httpOnly session cookies that cannot be accessed by JavaScript in your browser.
- EU data storage: Your data is stored on servers located in the European Union (Hetzner, Germany/Finland), subject to EU data protection law.
5. Third-Party Services
We use OpenAI to power the AI that conducts your interviews and writes your biography. When you interact with Dotty, the text of your conversation is sent to OpenAI's API to generate responses. OpenAI processes this data according to their API data usage policy, which states that API inputs and outputs are not used to train their models.
We do not sell, rent, or share your personal data with any other third parties.
6. Cookies
We use a single httpOnly session cookie to keep you signed in. This cookie is essential for the service to work and cannot be used for tracking. We do not use advertising cookies, analytics cookies, or any third-party tracking cookies.
7. Your Rights
Under the General Data Protection Regulation (GDPR) and other applicable laws, you have the right to:
- Access your data: You can export all of your data (account details, conversations, biographies, and facts) as a JSON file at any time from your account settings.
- Delete your data: You can delete your account from your account settings. When you do, your per-user encryption key is immediately destroyed, making all your encrypted content permanently unreadable (crypto erasure). Your account enters a 30-day soft-delete period, after which all records are permanently removed from our database.
- Data portability: The export feature provides your data in a structured, machine-readable JSON format.
- Rectification: You can update your account information at any time. To correct content within interviews, contact us at hello@dotty.ai.
- Lodge a complaint: You have the right to file a complaint with the Finnish Data Protection Ombudsman or your local supervisory authority.
8. Data Retention
- Active accounts: Your data is retained for as long as your account exists.
- After deletion: When you delete your account, your encryption key is destroyed immediately (making content unreadable). Database records are kept in a soft-deleted state for 30 days, then permanently removed.
- Audit logs: Non-personal audit records (e.g., "account deleted on [date]") may be retained for legal and security purposes. These contain no personal content.
9. Children's Privacy
Dotty is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child under 16 has created an account, please contact us at hello@dotty.ai and we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make significant changes, we will notify you by email or through a notice in the app. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact us: