Privacy Policy

1. Introduction

This Privacy Policy explains how Doodledapp (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use our visual smart contract builder at doodledapp.com and the API at api.doodledapp.com (together, “the Service”). We are committed to protecting your privacy and handling your data transparently.

2. Data controller

Doodledapp is the data controller for all personal data processed through the Service. For questions or requests, contact us at [email protected].

3. What we collect

3.1 Account data

When you sign in via Google OAuth, GitHub OAuth, or magic link email, we collect:

  • Email address: provided by your authentication provider or entered for magic link sign-in
  • Display name: provided by your authentication provider
  • Authentication provider ID: your unique identifier from Google or GitHub

We do not collect or store your authentication provider passwords. Authentication is handled entirely by Google, GitHub, or via single-use magic link tokens sent to your email.

3.2 Contract and project data

When you use the Service, we store:

  • Smart contract data: the contracts and settings you create in the editor
  • Project metadata: project names, team assignments, and organizational structure
  • Deployment records: records of contract deployments, including target blockchain networks
  • Version history: snapshots of your contract changes for the undo/redo and history features

3.3 AI interaction data

If you use the AI builder feature, we process:

  • Prompts: the natural language instructions you provide
  • Contract context: your current contract is sent to a third-party AI provider for modification
  • AI usage metrics: usage counts and timestamps for billing and plan enforcement

We do not use your contract data or AI prompts to train AI models. Our AI provider does not use API inputs for model training.

3.4 Team and collaboration data

If you use team features, we store:

  • Team membership: roles, permissions, and team structure
  • Invitations: invitee email addresses and permissions. Invitations expire after 7 days

3.5 Payment data

If you subscribe to a paid plan (Builder or Enterprise), payment processing is handled entirely by Stripe. We receive and store:

  • Plan tier and billing status
  • Billing email: the email address associated with your subscription (may differ from your account email)
  • Billing address: street address, city, state, postal code, and country
  • Tax ID: VAT or other tax identification number, if provided

We do not receive, process, or store your credit card numbers, bank account details, or other payment instrument data. See Stripe’s Privacy Policy.

3.6 Voluntary submissions

When you contact us, submit feedback, or participate in public features, we may collect your name, email address, message content, and uploaded files. IP addresses may be collected to prevent abuse.

3.7 Technical and usage data

  • Session data: authentication session cookies
  • Cookie consent preferences: your choices about analytics cookies
  • Server logs: IP addresses and request timestamps retained for 30 days for security monitoring
  • Client-side storage: the editor caches data locally in your browser for performance. This data never leaves your device

4. How we use your data

Purpose | Data used | Legal basis (GDPR)
Authenticate you and manage your session | Account data, session cookies | Contract performance
Store and retrieve your contracts | Contract data, project metadata | Contract performance
Compile, test, and deploy your contracts | Contract data | Contract performance
Provide AI-powered contract modification | Contract data, prompts | Contract performance
Manage teams, roles, and permissions | Team data, invitation data | Contract performance
Process subscription payments | Plan tier, billing status, billing address, tax ID | Contract performance
Send transactional emails (magic links, team invitations) | Email addresses | Contract performance
Enforce plan limits and feature access | Plan tier, resource counts | Contract performance
Respond to inquiries and process voluntary submissions | Submitted data (name, email, message, files) | Consent
Prevent abuse on public features | IP addresses | Legitimate interest
Detect unauthorized access and prevent abuse | Server logs, IP addresses | Legitimate interest
Improve the Service using aggregated, non-identifying data | Usage patterns | Legitimate interest
Analytics cookies (optional) | Cookie data | Consent

5. Data sharing

We share personal data only with third-party service providers, solely to provide the Service:

We do not sell your personal data. We do not share your data with advertisers or data brokers.

6. Data retention

Data | Retention period
Account data | While your account is active. Deleted immediately upon account deletion
Contract and project data | While your account is active. Deleted immediately upon account deletion
AI interaction logs | Not stored persistently. Temporary in-memory sessions are cleared automatically within one hour
Server logs | 30 days, then purged
Payment records | Retained as required by tax and accounting law
Voluntary submissions | Retained while useful for the purpose submitted, then deleted
Expired invitations | Invalidated after 7 days; records purged periodically

7. Cookies

We use the following cookies:

Cookie | Type | Purpose
Session cookie | Essential | Authentication session. Required for the Service to function
Consent cookie | Essential | Stores your cookie consent preferences
Analytics cookies | Optional | Set only with your consent. Manage via “Cookie Settings” in the footer

We do not use advertising or tracking cookies.

8. Your rights

GDPR rights (EEA, UK, Switzerland)

You have the right to:

  • Access your personal data and receive a copy
  • Rectify inaccurate or incomplete data
  • Erase your personal data (“right to be forgotten”)
  • Restrict processing of your data
  • Port your data to another service in a machine-readable format
  • Object to processing based on legitimate interest
  • Withdraw consent at any time (e.g., analytics cookies via Cookie Settings)
  • Lodge a complaint with your local data protection authority

CCPA rights (California residents)

You have the right to:

  • Know what personal information we collect, use, and disclose
  • Delete your personal information
  • Opt out of the sale of personal information (we do not sell your data)
  • Non-discrimination for exercising your privacy rights
  • Correct inaccurate personal information

9. How to submit a data request

We respond to verified requests within 30 days (GDPR) or 45 days (CCPA).

Email: Send your request to [email protected] with the subject line “Data Subject Request”. Include your account email address and the specific right you wish to exercise.

We verify your identity using the email address associated with your account before processing requests.

California residents may designate an authorized agent to submit requests on their behalf with written authorization.

10. Security

  • All data in transit is encrypted via TLS (HTTPS)
  • Authentication sessions use secure, HTTP-only cookies
  • We do not store passwords; authentication is handled via Google, GitHub, or single-use magic link tokens
  • Database access is restricted and protected by firewalls
  • Infrastructure is regularly reviewed for security

11. International transfers

Your data may be processed in jurisdictions outside your country of residence, including the United States (where our sub-processors operate). Where applicable, we rely on Standard Contractual Clauses (SCCs) or other legally recognized transfer mechanisms to ensure adequate protection.

12. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at [email protected] and we will delete it.

13. Changes to this policy

We may update this policy from time to time. We will notify you of material changes through the Service or via email. The date at the top of this page indicates the last revision. Continued use of the Service after changes take effect constitutes acceptance.

14. Contact

For privacy questions, data requests, or complaints:

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

For details on how we process data on behalf of teams and organizations, see our Data Processing Agreement.