1. Introduction
This Privacy Policy explains how Doodledapp (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use our visual smart contract builder at doodledapp.com and the API at api.doodledapp.com (together, “the Service”). We are committed to protecting your privacy and handling your data transparently.
2. Data controller
Doodledapp is the data controller for all personal data processed through the Service. For questions or requests, contact us at [email protected].
3. What we collect
3.1 Account data
When you sign in via Google OAuth, GitHub OAuth, or magic link email, we collect:
- Email address: provided by your authentication provider or entered for magic link sign-in
- Display name: provided by your authentication provider
- Authentication provider ID: your unique identifier from Google or GitHub
We do not collect or store your authentication provider passwords. Authentication is handled entirely by Google, GitHub, or via single-use magic link tokens sent to your email.
3.2 Contract and project data
When you use the Service, we store:
- Smart contract data: the contracts and settings you create in the editor
- Project metadata: project names, team assignments, and organizational structure
- Deployment records: records of contract deployments, including target blockchain networks
- Version history: snapshots of your contract changes for the undo/redo and history features
3.3 AI interaction data
If you use the AI builder feature, we process:
- Prompts: the natural language instructions you provide
- Contract context: your current contract is sent to a third-party AI provider for modification
- AI usage metrics: usage counts and timestamps for billing and plan enforcement
We do not use your contract data or AI prompts to train AI models. Our AI provider does not use API inputs for model training.
3.4 Team and collaboration data
If you use team features, we store:
- Team membership: roles, permissions, and team structure
- Invitations: invitee email addresses and permissions. Invitations expire after 7 days
3.5 Payment data
If you subscribe to a paid plan (Builder or Enterprise), payment processing is handled entirely by Stripe. We receive and store:
- Plan tier and billing status
- Billing email: the email address associated with your subscription (may differ from your account email)
- Billing address: street address, city, state, postal code, and country
- Tax ID: VAT or other tax identification number, if provided
We do not receive, process, or store your credit card numbers, bank account details, or other payment instrument data. See Stripe’s Privacy Policy.
3.6 Voluntary submissions
When you contact us, submit feedback, or participate in public features, we may collect your name, email address, message content, and uploaded files. IP addresses may be collected to prevent abuse.
3.7 Technical and usage data
- Session data: authentication session cookies
- Cookie consent preferences: your choices about analytics cookies
- Server logs: IP addresses and request timestamps retained for 30 days for security monitoring
- Client-side storage: the editor caches data locally in your browser for performance. This data never leaves your device
4. How we use your data
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Authenticate you and manage your session | Account data, session cookies | Contract performance |
| Store and retrieve your contracts | Contract data, project metadata | Contract performance |
| Compile, test, and deploy your contracts | Contract data | Contract performance |
| Provide AI-powered contract modification | Contract data, prompts | Contract performance |
| Manage teams, roles, and permissions | Team data, invitation data | Contract performance |
| Process subscription payments | Plan tier, billing status, billing address, tax ID | Contract performance |
| Send transactional emails (magic links, team invitations) | Email addresses | Contract performance |
| Enforce plan limits and feature access | Plan tier, resource counts | Contract performance |
| Respond to inquiries and process voluntary submissions | Submitted data (name, email, message, files) | Consent |
| Prevent abuse on public features | IP addresses | Legitimate interest |
| Detect unauthorized access and prevent abuse | Server logs, IP addresses | Legitimate interest |
| Improve the Service using aggregated, non-identifying data | Usage patterns | Legitimate interest |
| Analytics cookies (optional) | Cookie data | Consent |
5. Data sharing
We share personal data only with third-party service providers, solely to provide the Service:
- Google and GitHub for sign-in authentication (Google Privacy Policy, GitHub Privacy Policy)
- Stripe for payment processing (Stripe Privacy Policy)
- Third-party providers for AI features, email delivery, and infrastructure hosting
We do not sell your personal data. We do not share your data with advertisers or data brokers.
6. Data retention
| Data | Retention period |
|---|---|
| Account data | While your account is active. Deleted immediately upon account deletion |
| Contract and project data | While your account is active. Deleted immediately upon account deletion |
| AI interaction logs | Not stored persistently. Temporary in-memory sessions are cleared automatically within one hour |
| Server logs | 30 days, then purged |
| Payment records | Retained as required by tax and accounting law |
| Voluntary submissions | Retained while useful for the purpose submitted, then deleted |
| Expired invitations | Invalidated after 7 days; records purged periodically |
7. Cookies
We use the following cookies:
| Cookie | Type | Purpose |
|---|---|---|
| Session cookie | Essential | Authentication session. Required for the Service to function |
| Consent cookie | Essential | Stores your cookie consent preferences |
| Analytics cookies | Optional | Set only with your consent. Manage via “Cookie Settings” in the footer |
We do not use advertising or tracking cookies.
8. Your rights
GDPR rights (EEA, UK, Switzerland)
You have the right to:
- Access your personal data and receive a copy
- Rectify inaccurate or incomplete data
- Erase your personal data (“right to be forgotten”)
- Restrict processing of your data
- Port your data to another service in a machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent at any time (e.g., analytics cookies via Cookie Settings)
- Lodge a complaint with your local data protection authority
CCPA rights (California residents)
You have the right to:
- Know what personal information we collect, use, and disclose
- Delete your personal information
- Opt out of the sale of personal information (we do not sell your data)
- Not be discriminated against for exercising your privacy rights
- Correct inaccurate personal information
9. How to submit a data request
We respond to verified requests within 30 days (GDPR) or 45 days (CCPA).
Email: Send your request to [email protected] with the subject line “Data Subject Request”. Include your account email address and the specific right you wish to exercise.
We verify your identity using the email address associated with your account before processing requests.
California residents may designate an authorized agent to submit requests on their behalf with written authorization.
10. Security
- All data in transit is encrypted via TLS (HTTPS)
- Authentication sessions use secure, HTTP-only cookies
- We do not store passwords; authentication is handled via Google, GitHub, or single-use magic link tokens
- Database access is restricted and protected by firewalls
- Infrastructure is regularly reviewed for security
11. International transfers
Your data may be processed in jurisdictions outside your country of residence, including the United States (where our sub-processors operate). Where applicable, we rely on Standard Contractual Clauses (SCCs) or other legally recognized transfer mechanisms to ensure adequate protection.
12. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at [email protected] and we will delete it.
13. Changes to this policy
We may update this policy from time to time. We will notify you of material changes through the Service or via email. The date at the top of this page indicates the last revision. Continued use of the Service after changes take effect constitutes acceptance.
14. Contact
For privacy questions, data requests, or complaints:
- Email: [email protected]
- Response time: Within 30 days
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.
For details on how we process data on behalf of teams and organizations, see our Data Processing Agreement.