PRIVACY POLICY

1.1 Overview.

Doe Labs, Corp. provides an AI-powered work productivity software-as-a-service platform designed for enterprise customers. Our Services leverage artificial intelligence and machine learning to automate workflows, analyze work data, and improve team productivity. This Policy governs our processing of Personal Information and Enterprise Data in connection with those Services.

1.2 Scope.

This Policy applies to: (a) information collected through our Services, websites, and applications; (b) information provided directly by enterprise customers and their authorized users; and (c) information collected through our marketing and business development activities. This Policy does not apply to third-party services or integrations that customers connect to our platform, which are governed by those third parties’ own privacy policies.

1.3 Enterprise Customer Data.

When Doe Labs processes data on behalf of enterprise customers as a data processor, such processing is governed by the applicable Master Services Agreement, Terms of Service, and Data Processing Addendum, which take precedence over this Policy with respect to Customer Data.

2.1 “Personal Information”

means any information that identifies or could reasonably be used to identify a natural person, directly or indirectly, including names, email addresses, IP addresses, and similar identifiers.

2.2 “Customer Data”

means all data, content, and information submitted by or on behalf of an enterprise customer or its authorized users through the Services, including work product, documents, communications, and workflow data.

2.3 “Usage Data”

means information about how the Services are accessed and used, including log data, device information, feature usage statistics, and performance metrics.

2.4 “AI Features”

means the artificial intelligence and machine learning capabilities integrated into the Services, including automated workflow tools, content generation, analysis, and recommendations.

2.5 “CCPA”

means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, “CPRA”), and their implementing regulations.

2.6 “GDPR”

means the EU General Data Protection Regulation 2016/679, and, where applicable, the UK GDPR as defined in the Data Protection Act 2018.

3.1 Account and Registration Information.

When enterprise customers create accounts or execute agreements with Doe Labs, we collect: organization name, billing information, authorized user names and email addresses, job titles, and contact information for designated representatives.

3.2 Customer Data.

Enterprise customers and their users submit Customer Data to the Services in the course of using the platform. This may include documents, communications, workflow data, calendar information, meeting notes, task data, and other work-related content. Doe Labs processes Customer Data as a data processor on behalf of the enterprise customer.

3.3 Connected Services Data.

If authorized by the customer, our Services may integrate with third-party platforms (such as email clients, calendar systems, project management tools, and communication platforms). We access only the data necessary to provide the requested integration functionality, in accordance with the permissions granted by the customer and the third party’s terms.

3.4 Usage and Technical Data.

We automatically collect Usage Data when you interact with the Services, including: IP addresses, browser type and version, operating system, device identifiers, pages visited, features used, session duration, error logs, and performance data. This information is collected through cookies, log files, and similar technologies.

3.5 Communications Data.

We collect information you provide when contacting our support team, sales team, or other Doe Labs personnel, including the content of messages and any attachments you share.

3.6 AI Interaction Data.

When you use our AI Features, we may collect prompts, inputs, outputs, feedback, and corrections you provide to AI components, subject to the limitations set forth in Section 11 of this Policy.

4.1 Service Delivery.

We use the information we collect to: provide, operate, and maintain the Services; process transactions and send related information; respond to comments, questions, and support requests; send technical notices, updates, security alerts, and administrative messages; and fulfill contractual obligations to enterprise customers.

4.2 Service Improvement.

We use aggregated and de-identified Usage Data to: analyze usage trends and patterns; monitor and improve the performance and reliability of the Services; develop new features and products; and conduct internal research and analytics.

4.3 AI and Machine Learning.

Doe Labs may use anonymized and aggregated interaction data to improve its AI models and the Services by default, subject to each enterprise customer’s right to opt out as described in Section 11.6. Doe Labs will NOT use identifiable Customer Data — meaning data that can be attributed to a specific Customer or individual — to train AI or machine learning models without explicit written consent from the enterprise customer. AI models used within the Services may be fine-tuned using aggregated, de-identified, or synthetic data. Any model training that involves identifiable Customer Data requires a separate written agreement and will be subject to enhanced data security measures.

4.4 Security and Fraud Prevention.

We use information to detect, investigate, and prevent fraudulent transactions, abuse, security incidents, and other potentially illegal activities, and to protect the rights, property, and safety of Doe Labs, our customers, and others.

4.5 Legal Compliance.

We may use and disclose information as required to comply with applicable laws and regulations, respond to legal process, enforce our terms and agreements, and protect our legal rights.

4.6 Marketing and Communications.

With the prior consent of enterprise customer contacts, we may send product updates, newsletters, and information about features, events, and offers. Recipients may unsubscribe at any time by following the instructions in the communications or by contacting legal@doe.so.

5.1 No Sale of Personal Information.

Doe Labs does not sell Personal Information to third parties for monetary or other valuable consideration, consistent with the definition of “sale” under the CCPA.

5.2 Service Providers.

We engage trusted third-party vendors to perform services on our behalf, including cloud hosting (e.g., AWS, GCP), payment processing, customer support software, analytics tools, and security services. These vendors are contractually bound to process data only as directed by Doe Labs and to maintain appropriate security measures.

5.3 Subprocessors.

A current list of our subprocessors is available upon request at legal@doe.so. We will provide at least thirty (30) days’ advance notice of material changes to our subprocessor list, allowing enterprise customers to raise objections in accordance with any applicable Data Processing Addendum.

5.4 Business Transfers.

If Doe Labs is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of its assets, information may be transferred as part of that transaction. We will provide notice before Personal Information is transferred and becomes subject to a different privacy policy.

5.5 Legal Requirements.

We may disclose information if we believe disclosure is required by applicable law, regulation, legal process, or government request, or to protect the safety, rights, or property of Doe Labs, our users, or the public. Where permitted, we will notify affected enterprise customers prior to disclosure.

5.6 With Consent.

We may share information with third parties when you have provided explicit consent or instructed us to do so.

6.1 Retention Periods.

We retain Customer Data for the duration of the active enterprise agreement plus thirty (30) days following termination or expiration, unless a longer retention period is required by law or agreed in writing. Following the retention period, Customer Data is securely deleted or anonymized.

6.2 Account Information.

We retain account registration and billing information for the period required by applicable tax and accounting laws, typically seven (7) years following the end of the business relationship.

6.3 Usage Data.

Aggregated and de-identified Usage Data may be retained for longer periods for analytics, product development, and business purposes. This data is not associated with individual users or enterprise accounts.

6.4 Deletion Requests.

Enterprise customers may request deletion of Customer Data prior to the end of the standard retention period by submitting a written request to legal@doe.so. We will complete deletion within thirty (30) days of receiving a verified request, subject to legal hold obligations.

7.1 Security Program.

Doe Labs maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of Customer Data. Our security controls include encryption in transit and at rest, role-based access controls, multi-factor authentication, vulnerability scanning, penetration testing, and incident response procedures.

7.2 SOC 2 Type II.

Doe Labs maintains SOC 2 Type II certification, evidencing our compliance with the AICPA Trust Services Criteria for Security, Availability, and Confidentiality. A copy of our current SOC 2 Type II report is available to enterprise customers under NDA upon request.

7.3 Incident Response.

In the event of a security incident affecting Customer Data, Doe Labs will: (a) take immediate steps to contain and remediate the incident; (b) notify affected enterprise customers without undue delay and in any event within seventy-two (72) hours of discovery if required by applicable law; and (c) cooperate with customers in investigating and remediating the incident.

7.4 Customer Responsibilities.

Enterprise customers are responsible for: maintaining the confidentiality of access credentials; ensuring authorized users comply with applicable use policies; promptly notifying Doe Labs of any suspected unauthorized access; and configuring the Services in accordance with their own security and compliance requirements.

8.1 General Rights.

Subject to applicable law, individuals whose Personal Information is processed by Doe Labs may have the right to: (a) access their Personal Information; (b) correct inaccurate or incomplete information; (c) request deletion of their information; (d) object to or restrict certain processing; (e) receive their information in a portable format; and (f) withdraw consent where processing is based on consent.

8.2 CCPA Rights.

California residents have the following rights under the CCPA/CPRA: the right to know what Personal Information is collected; the right to delete Personal Information; the right to opt out of the sale or sharing of Personal Information (Doe Labs does not sell Personal Information); the right to non-discrimination for exercising CCPA rights; and the right to limit use and disclosure of sensitive personal information. To submit a CCPA request, contact legal@doe.so.

8.3 GDPR Rights.

For individuals in the European Economic Area and United Kingdom, we process Personal Information on the following legal bases: (a) performance of a contract, when processing is necessary to deliver the Services; (b) legitimate interests, for analytics, security, and service improvement; (c) legal obligation, when required by applicable law; and (d) consent, where explicitly obtained. EEA/UK individuals may contact us at legal@doe.so to exercise data subject rights under the GDPR.

8.4 Enterprise Customer Requests.

Because Doe Labs processes Customer Data on behalf of enterprise customers as a data processor, requests from individual end users regarding Customer Data should be directed to the applicable enterprise customer (the data controller). Doe Labs will assist enterprise customers in fulfilling such requests to the extent required by law and the applicable Data Processing Addendum.

8.5 Response Timeline.

We will respond to verified individual rights requests within forty-five (45) calendar days of receipt. We may extend this period by an additional forty-five (45) days where reasonably necessary, with advance notice to the requester.

9.1 Primary Processing Location.

Doe Labs’ primary data processing infrastructure is located in the United States. Enterprise customers contracting with Doe Labs from outside the United States should be aware that their information may be transferred to, stored, and processed in the United States.

9.2 Transfer Mechanisms.

For transfers of Personal Information from the EEA, UK, or Switzerland to the United States, Doe Labs relies on: (a) the EU Standard Contractual Clauses (SCCs) as adopted by the European Commission; (b) the UK International Data Transfer Agreement (IDTA) as applicable; and (c) other legally recognized transfer mechanisms. Enterprise customers requiring a Data Processing Addendum incorporating SCCs should contact legal@doe.so.

9.3 Supplementary Measures.

Where required by applicable data protection law, Doe Labs implements supplementary technical and organizational measures (TOMs) to ensure an essentially equivalent level of protection for transferred Personal Information, consistent with the recommendations issued by the European Data Protection Board.

10.1 Types of Cookies.

We use the following types of cookies and similar technologies: (a) Strictly necessary cookies, required for the Services to function; (b) Performance and analytics cookies, to understand how the Services are used; (c) Functionality cookies, to remember preferences and settings; and (d) Marketing cookies, used with consent to deliver relevant communications.

10.2 Cookie Management.

Enterprise customers and their users can manage cookie preferences through our cookie preference center available on our website or by adjusting browser settings. Disabling strictly necessary cookies may impair the functionality of the Services.

10.3 Do Not Track.

Some browsers transmit “Do Not Track” signals. Our Services do not currently respond to Do Not Track signals. We will update this Policy if our practices change.

11.1 AI-Powered Services.

The Doe Labs platform incorporates AI Features including automated workflow execution, content generation, task prioritization, meeting summarization, and predictive recommendations. These features use machine learning models to process and analyze inputs provided by authorized users.

11.2 No Autonomous Decision-Making.

Doe Labs’ AI Features are designed to assist human decision-making, not replace it. Our AI does not make solely automated decisions that produce legal or similarly significant effects on individuals without human review. Enterprise customers are responsible for reviewing AI outputs before relying on them for business decisions.

11.3 AI Data Usage Restrictions.

Doe Labs does not: (a) use Customer Data to train general-purpose AI models for use with other customers; (b) share Customer Data with third-party AI model providers beyond what is necessary to deliver the Services; or (c) retain AI interaction data for longer than necessary to provide the requested service, unless required by law or agreed otherwise. Any AI model fine-tuning that uses Customer Data requires explicit written consent.

11.4 Third-Party AI Providers.

The Services may incorporate third-party AI model providers (such as large language model APIs). A current list of AI subprocessors is available upon request. These providers process inputs only as necessary to generate responses and are bound by data processing agreements that restrict further use.

11.5 Connected Services and Agent Actions.

When customers authorize AI Features to interact with Connected Services (e.g., calendars, email, project tools), the AI will take actions only within the scope of the permissions explicitly granted. Audit logs of AI-initiated actions are available to enterprise administrators. Customers may revoke connected service permissions at any time through the platform settings.

11.6 Opt-Out of AI Improvement.

As described in Section 4.3, Doe Labs may by default use anonymized and aggregated interaction data to improve its AI models. Enterprise customers may opt out of contributing such anonymized and aggregated interaction data for AI model improvement at any time by contacting legal@doe.so. For the avoidance of doubt, this opt-out right applies to anonymized and aggregated data only; the use of identifiable Customer Data for AI training is subject to a separate explicit written consent requirement and is not affected by this opt-out. Opting out will not affect access to or performance of the core Services.

12.1 DPA Availability.

Enterprise customers who execute a Doe Labs Pilot Master Services Agreement receive a Data Processing Addendum (“DPA”) as Exhibit B to that agreement. The DPA governs the processing of Personal Data by Doe Labs as data processor on behalf of Customer, and incorporates applicable Standard Contractual Clauses for cross-border transfers. Enterprise customers without an executed Master Services Agreement may request a standalone DPA by contacting legal@doe.so.

12.2 Standard Contractual Clauses.

The DPA (Exhibit B of the Pilot Master Services Agreement) includes the EU Standard Contractual Clauses (Module 2: Controller-to-Processor), as adopted by the European Commission, as well as the UK International Data Transfer Agreement (IDTA), as applicable. These mechanisms govern cross-border transfers of Personal Data from the EEA, UK, and Switzerland to the United States.

12.3 CCPA Service Provider.

For purposes of the CCPA, Doe Labs acts as a “service provider” with respect to Personal Information processed on behalf of enterprise customers. Doe Labs does not sell or share such Personal Information for cross-context behavioral advertising.

15.1 Updates.

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will provide at least thirty (30) days’ advance notice to enterprise customers via email to the designated legal contact and by posting the updated Policy on our website. Continued use of the Services after the effective date of the updated Policy constitutes acceptance of the revised terms. Notwithstanding the foregoing, to the extent required by applicable law (including the GDPR), material changes to the processing of personal data will not take effect without affirmative acknowledgment or consent from the relevant data subjects or Customers, as applicable.

15.2 Prior Versions.

Prior versions of this Policy will be archived and available upon request.