Privacy Policy

1. Who we are

dou is operated by JAAC Collective LTD T/A Dou, a company registered in England and Wales. dou provides a platform that connects service providers in the beauty and wellness industry with consumers who book and pay for those services.

Throughout this policy, "dou", "we", "us" and "our" refer to JAAC Collective LTD T/A Dou. "You" and "your" refer to any individual who accesses or uses the dou platform, whether as a service provider, a consumer, or a visitor to our website.

Our data protection contact email is info@getdou.app.

2. About this policy

This privacy policy explains how dou collects, uses, stores, shares and protects your personal data when you use our website, mobile applications, APIs and related services (together, the "Platform").

This policy applies to all users of the Platform, including service providers who create accounts to manage their businesses, consumers who browse or book services, and visitors who access our marketing pages or public booking pages.

We may update this policy from time to time. When changes are material, we notify you by email or through a prominent notice on the Platform. The "Last updated" date at the top of this page indicates when the policy was most recently revised. We encourage you to review this policy periodically.

3. What data we collect

(a) Data you provide directly

Account information: name, email address, phone number, password, profile photo and role (provider or consumer)
Business information (providers): business name, trading address, service descriptions, pricing, staff details, opening hours and service area
Booking data: appointment dates and times, services selected, provider and consumer identities, consultation notes and special requests
Messages:content of messages sent through the Platform's messaging feature between providers and consumers
Reviews and ratings: star ratings, written reviews and any photos attached to reviews
Photos and media: profile photos, service images, portfolio images and booking page assets uploaded to the Platform
Financial information: bank account details for provider payouts (collected and stored by Stripe, not by dou directly), invoice data and transaction records

(b) Data collected automatically

Device information: device type, operating system, browser type and version, screen resolution and unique device identifiers
IP address: your Internet Protocol address, used for security, fraud prevention and approximate geolocation
Usage analytics: pages visited, features used, click patterns, session duration, referral source and search queries within the Platform
Cookies and similar technologies: session tokens, authentication cookies, preference cookies and analytics identifiers (see section 12 for full details)

(c) Data from third-party sources

Calendar sync (Google Calendar): when you connect your Google Calendar, we receive event titles, descriptions, locations, start and end times, and recurrence rules to synchronise your availability. We do not request or store attendee lists, attachments or other calendar metadata
Payment processor (Stripe): transaction status, payment method type (not full card numbers), payout status and dispute information
Accounting integrations (Xero, QuickBooks): where you connect your accounting software, we sync invoice and customer reference data to keep your books up to date
Video meeting integration (Zoom): where you connect Zoom, we receive meeting links and basic meeting metadata to attach to bookings

(d) Mobile app permissions

The dou mobile app requests the following device permissions. You can grant or revoke each permission from your device settings at any time.

Camera: to take photos of services, portfolio work or to upload a profile picture
Photo library: to select existing images to attach to your profile, services or messages
Microphone: for voice features in consultation notes and the Scribe assistant
Push notifications: to deliver booking confirmations, reminders, messages and other in-app alerts
Face ID / Touch ID (biometric): used locally to unlock the app when you enable app lock. Biometric data never leaves your device and is not transmitted to dou
Location (approximate): used only when you opt in, to surface nearby providers on the discover page
Contacts:used only when you tap "Import from contacts" to add Clients. dou reads the contacts you select and does not upload your full address book
Reminders: used only when you opt in, to mirror upcoming appointments into the iOS Reminders app
Native iOS Calendar:used only when you opt in, to write appointments to your device's built-in Calendar (this is separate from the Google Calendar sync described above)
Bluetooth, NFC and local network: used only by Providers who accept in-person payments via a supported Stripe card reader or Tap to Pay on iPhone

4. How we use your data

We use your personal data for the following purposes:

Providing the service: creating and managing your account, displaying your profile or business listing, enabling bookings between providers and consumers, and delivering the core Platform functionality
Processing payments: facilitating payment transactions between consumers and providers via Stripe, processing refunds, managing provider payouts and preventing payment fraud
Communications: sending booking confirmations, appointment reminders, cancellation notices, receipts, and other transactional messages by email, SMS or push notification
Calendar synchronisation: syncing your dou schedule with your connected Google Calendar to prevent double-bookings and keep your availability up to date
Platform improvement: analysing anonymised usage data to understand how the Platform is used, identify bugs, improve features and develop new functionality
Safety and security: detecting and preventing fraud, abuse, security incidents and other harmful activity, and enforcing our terms of service
Legal compliance: complying with applicable laws, regulations, legal processes or enforceable governmental requests, including tax reporting obligations to HMRC
Marketing (with consent): sending promotional emails about new features, tips for growing your business on dou, or relevant service recommendations, where you have opted in to receive such communications

5. Legal basis for processing

Under the UK General Data Protection Regulation (UK GDPR), we must have a lawful basis for each type of processing we carry out. The table below maps our processing activities to the applicable legal basis.

Processing activity	Lawful basis
Account creation and management	Contract — necessary to perform our agreement with you
Processing bookings and payments	Contract — necessary to facilitate the service you requested
Transactional emails, SMS and push notifications	Contract — necessary to deliver booking confirmations and reminders
Calendar synchronisation with Google Calendar	Consent — you choose to connect your calendar and can revoke access at any time
AI-assisted features (Scribe, in-app chat, suggestions)	Contract — necessary to deliver the AI features you choose to use, with legitimate interests for quality monitoring
Accounting sync (Xero, QuickBooks) and video meeting integration (Zoom)	Consent — you choose to connect each integration and can revoke access at any time
Fraud detection and platform security	Legitimate interests — protecting our users and the Platform from abuse
Anonymised product analytics and improvements	Legitimate interests — understanding usage patterns to improve the Platform
Tax records and financial reporting	Legal obligation — required by HMRC and applicable financial regulations
Marketing and promotional communications	Consent — you can withdraw consent at any time via email preferences or by contacting us
Search ranking and personalised recommendations	Legitimate interests — providing relevant search results and recommendations to improve user experience
Displaying reviews and ratings publicly	Legitimate interests — enabling trust and transparency on the marketplace

6. Provider and consumer data

The dou Platform serves both service providers and consumers. The role dou plays under data protection law depends on the context.

When dou is the data controller

dou acts as the data controller for personal data relating to:

Consumer accounts, profiles and marketplace browsing activity
Provider accounts, business listings and Platform usage
Reviews and ratings displayed on the marketplace
Data used for Platform analytics, security and improvement
Marketing communications sent by dou

When the provider is the data controller

Service providers using dou are independent data controllers for:

Client consultation notes and health or allergy information recorded during service delivery
Staff and team member data they add to their dou account
Client communications initiated by the provider outside of the Platform

Providers are responsible for ensuring they have a lawful basis for collecting and processing this data and for informing their clients accordingly.

When dou is a data processor

dou acts as a data processor on behalf of providers when processing their clients' booking data, payment transactions and appointment records through the Platform. In this capacity, dou processes data only on the provider's instructions and in accordance with our data processing agreement.

7. Who we share data with

We share your personal data only with trusted third-party processors who help us operate the Platform. Each processor has access only to the data necessary to perform its specific function.

Processor	Data shared	Purpose	Country
Stripe	Name, email, payment method details, transaction amounts	Payment processing, payouts, fraud prevention	Ireland / United States
Supabase	All Platform data (accounts, bookings, messages, files)	Database hosting, authentication, file storage	European Union
Resend	Email address, name, email content	Transactional and marketing email delivery	United States
Twilio	Phone number, SMS message content	SMS notifications (booking reminders, verifications)	United States
Google	Calendar event data (titles, times, attendees)	Calendar synchronisation for availability management	United States
Mapbox	Approximate location (postcode or coordinates entered by user)	Geolocation, map display, service area visualisation	United States
Apple / Google / Expo	Device push token, notification content	Mobile push notifications	United States
OpenAI	Consultation notes, chat messages and other content you submit to AI features	AI-assisted features (Scribe, in-app chat, content suggestions)	United States
Langfuse	AI prompts, responses and associated metadata	AI observability and quality monitoring	United States
Sentry	Error reports, stack traces, user ID, basic device context	Crash and error monitoring	United States
Mixpanel	User ID, device identifiers, in-app events, screen recordings of mobile app sessions	Product analytics and mobile session replay	United States
Google Analytics	Page views, anonymised usage events, approximate location, device type	Website analytics	United States
Vercel	Page views and aggregated performance metrics (no cross-site tracking)	Web hosting, web analytics, performance monitoring	United States
Zoom	Host and attendee email, meeting metadata (start time, duration)	Video meeting links for online appointments	United States
Xero	Invoice data, customer reference data, transaction summaries	Optional accounting sync for providers	Australia / United States
Intuit (QuickBooks)	Invoice data, customer reference data, transaction summaries	Optional accounting sync for providers	United States

We never sell your personal data to third parties.

8. International data transfers

Our primary database is hosted in the European Union by Supabase. However, some of our third-party processors are based in the United States, which means your personal data may be transferred outside of the United Kingdom.

The following processors involve transfers to the United States: Stripe, Resend, Twilio, Google, Google Analytics, Vercel, Mapbox, Apple, Expo, OpenAI, Langfuse, Mixpanel, Sentry, Zoom and Intuit (QuickBooks). Xero may also process data in Australia in addition to the United States.

To ensure your data is adequately protected during these transfers, we rely on the following safeguards:

Standard Contractual Clauses (SCCs): EU-approved contractual terms that bind the receiving party to protect personal data to European standards
UK International Data Transfer Agreement (UK IDTA):the UK-specific addendum to the SCCs, approved by the Information Commissioner's Office, ensuring compliance with UK data protection law
Processor certifications: where available, we select processors who maintain certifications such as SOC 2 Type II and who participate in recognised data protection frameworks

You may request a copy of the relevant transfer safeguards by contacting us at info@getdou.app.

9. How we protect your data

We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:

Encryption in transit: all data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
Encryption at rest: all data stored in our database is encrypted at rest using AES-256 encryption
Row Level Security (RLS):database-level access controls ensure that users can only access data they are authorised to view. Providers cannot access other providers' data, and consumers cannot access other consumers' private information
Access controls: internal access to production systems is restricted to authorised personnel on a need-to-know basis, with multi-factor authentication enforced
Regular security reviews: we conduct periodic reviews of our security practices, infrastructure configuration and dependency vulnerabilities
Secure payment handling: all payment card data is processed directly by Stripe (a PCI DSS Level 1 certified processor). dou never stores, processes or has access to full card numbers

No method of electronic transmission or storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security.

10. Data retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The following schedule outlines our retention periods by data category:

Data category	Retention period
Active account data	Retained for the duration of your active account
Booking history	3 years after the date of the last booking
Financial records and transaction data	7 years, as required by HMRC for tax and accounting purposes
Messages	2 years from the date the message was sent
Analytics data	26 months, then anonymised or deleted
Deleted account data	Personal identifiers removed within 30 days of account deletion. Anonymised records (such as aggregated booking statistics) may be retained indefinitely. Financial records are retained for the statutory 7-year period.

11. Your rights

Under the UK GDPR, you have the following rights in relation to your personal data:

Right of access: you can request a copy of the personal data we hold about you
Right to rectification: you can ask us to correct inaccurate or incomplete personal data
Right to erasure: you can ask us to delete your personal data where there is no compelling reason for us to continue processing it
Right to restrict processing: you can ask us to suspend the processing of your personal data in certain circumstances, for example while we verify its accuracy
Right to data portability: you can request that we provide your personal data in a structured, commonly used and machine-readable format, or transmit it directly to another controller where technically feasible
Right to object: you can object to processing based on legitimate interests or for direct marketing purposes
Right to withdraw consent: where processing is based on your consent, you can withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal
Right to lodge a complaint:you have the right to lodge a complaint with a supervisory authority, in particular the Information Commissioner's Office (see section 19)

To exercise any of these rights, email us at info@getdou.app. We will respond to your request within one calendar month. If your request is complex or we receive a large number of requests, we may extend this period by up to two additional months, in which case we will inform you of the extension and the reasons for it.

We may ask you to verify your identity before processing your request to protect your personal data from unauthorised access.

12. Cookies

We use cookies and similar technologies on the Platform. Cookies are small text files placed on your device that help us provide and improve the service. We categorise our cookies into four tiers:

Essential cookies

These cookies are strictly necessary for the Platform to function. They include session cookies that keep you logged in and authentication tokens that verify your identity. These cannot be disabled.

Functional cookies

These cookies remember your preferences, such as your preferred language, timezone or display settings, so you do not have to re-enter them each time you visit.

Analytics cookies

These cookies collect anonymised information about how you use the Platform, including which pages you visit, how long you spend on each page and any errors you encounter. This data helps us understand usage patterns and improve the Platform. Analytics data is aggregated and does not identify you personally.

Marketing cookies

We do not currently use marketing or advertising cookies. If this changes in the future, we will update this policy and request your consent before placing any marketing cookies.

You can manage your cookie preferences through the cookie banner displayed on your first visit to the Platform, or by adjusting your browser settings. Disabling essential cookies may prevent you from using certain features of the Platform.

13. Google Calendar integration

If you choose to connect your Google Calendar to dou, the following applies:

Data accessed

We access the following data from your Google Calendar: event titles, descriptions, locations, start and end times, recurrence rules, event status (confirmed / tentative / cancelled), free-or-busy (transparency) setting, and the link back to the event in Google Calendar. We do not access attendee lists, attachments, calendar ACL information, or any other calendar metadata.

How the data is used

Calendar data is used solely to synchronise your availability on dou, ensuring that bookings are not scheduled at times when you already have commitments. We do not use your Google Calendar data for advertising, profiling or any purpose unrelated to availability management.

How to revoke access

You can disconnect your Google Calendar at any time from your dou account settings. You can also revoke dou's access directly from your Google Account permissions page. Upon disconnection, we delete cached calendar data within 24 hours.

Google API compliance

dou's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

14. AI features

dou includes optional AI-assisted features such as the Scribe consultation-note assistant, in-app chat and content suggestions. These features are powered by OpenAI via the OpenAI API.

Data sent to OpenAI

When you use an AI feature, the text you provide (for example, consultation notes, chat messages or content prompts) is transmitted to OpenAI to generate a response. We do not send your name, email address, phone number or payment data alongside the prompt.

How OpenAI handles your data

Under OpenAI's API Data Usage Policies, content submitted via the API is not used to train OpenAI's models. OpenAI may retain API inputs and outputs for up to 30 days for the sole purpose of monitoring for abuse and misuse, after which the data is deleted. We do not have a Zero Data Retention agreement in place; if this changes, we will update this policy.

Observability (Langfuse)

We use Langfuse to monitor the quality of AI outputs and diagnose issues. Langfuse receives the prompts and responses associated with AI feature usage, along with technical metadata such as latency and token counts. Langfuse does not use this data for any purpose other than providing the observability service to us.

Your control

AI features are optional. You can choose not to use them, and where an AI feature is available, the action that triggers it is always explicit (for example, tapping a "Generate" button). We do not automatically send your data to any AI service in the background.

15. Automated decision-making

dou uses automated processing in the following areas:

Search ranking: when consumers search for services on the discover page, results are ranked using automated algorithms that consider factors such as location proximity, service relevance, provider ratings and availability
Personalised recommendations: we may suggest services or providers to consumers based on their browsing history, previous bookings and stated preferences

These automated processes assist in providing a better user experience but do not produce solely automated decisions that have legal effects or similarly significant effects on you. All booking and payment decisions require your active input and confirmation.

You have the right to request human review of any automated decision. Contact us at info@getdou.app if you have concerns about automated processing.

16. Children

The dou Platform is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided personal data to dou, please contact us at info@getdou.app, and we will take steps to delete such data promptly.

17. Third-party links

The Platform may contain links to third-party websites, services or applications that are not operated by dou. If you follow a link to any third-party site, please note that those sites have their own privacy policies, and dou does not accept any responsibility or liability for those policies or for any personal data that may be collected through those sites. We encourage you to review the privacy policy of every site you visit.

18. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, technology or legal requirements. When we make material changes, we will notify you by email (sent to the email address associated with your account) or by displaying a prominent notice on the Platform before the changes take effect.

Non-material changes, such as clarifications or formatting updates, may be made without prior notice. Your continued use of the Platform after any changes to this policy constitutes your acceptance of the revised policy.

We recommend reviewing this policy periodically for the latest information on our privacy practices.

19. Contact and complaints

If you have any questions, concerns or requests regarding this privacy policy or our handling of your personal data, please contact us:

Email: info@getdou.app
Company: JAAC Collective LTD T/A Dou

If you are not satisfied with our response, or if you believe that we are processing your personal data in a way that is not compliant with data protection law, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Address:Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Telephone: 0303 123 1113

We encourage you to contact us first so that we have an opportunity to address your concerns directly before you escalate to the ICO.