Privacy policy

Introduction

This privacy policy describes how Dosel (“we,” “us,” or “our”) collects, uses, and protects your information when you use our desktop application (the “App”). We are committed to protecting your privacy and maintaining the security of your data.

1. Information we collect

1.1 Information you provide directly

Account information: Email address (for account creation and authentication), name (optional), and payment information (processed securely by our payment processor; we do not store full credit card details).

Application settings: API keys (stored locally and encrypted on your device), browser preferences and configuration, and account lists and website URLs you choose to manage. You may optionally enable use of your existing Chrome browser profile to improve bot detection bypass rates; this is entirely local and your Chrome data is never transmitted to us or any third party.

CSV import data: When you import passwords from your password manager, this data is processed entirely locally on your device, stored temporarily in memory during operations, never transmitted to our servers or any third party, never logged or written to disk in plaintext, and cleared from memory immediately after use. Imported CSV data may optionally be encrypted at rest on disk using AES-256-GCM with keys stored in macOS Keychain; original plaintext files are securely deleted after encryption.

Gmail access (optional): The app may optionally access your Gmail account via OAuth/IMAP to retrieve 2FA verification codes during password changes. This access is limited to reading specific verification emails; emails are not stored or transmitted to any third party.

1.2 Automatically collected information

Application usage data: Number of password change operations performed, success/failure rates (without specific account details), feature usage statistics, error reports and crash logs (with sensitive data redacted), and application version and operating system information.

Technical information: Device type and model, operating system version, app version number, and unique installation identifier (for license verification).

1.3 Information we do not collect

2. How we use your information

Core functionality: Authenticate your account and manage your subscription, process password change operations locally on your device, store your preferences and settings, and provide customer support.

Service improvement: Analyze usage patterns to improve features (aggregated data only), identify and fix bugs and technical issues, and monitor application performance and reliability.

Communication: Send you important updates about the app, notify you of changes to terms or privacy policy, respond to your support requests, and send subscription renewal reminders.

3. How we share your information

Third-party service providers

Supabase (authentication & database): Used for user authentication, account management, and subscription data. Data shared includes email address, user ID, and subscription status.

OpenRouter (AI API): Used for AI-powered browser automation for password changes. Data shared includes website URLs, task instructions, DOM/page structure content for AI navigation, and activity logs with all sensitive data redacted (passwords replaced with “[REDACTED]”). We have implemented comprehensive redaction to ensure no passwords are ever sent to OpenRouter.

Stripe (payment processor): Used for processing subscription payments. Data shared includes email and payment information. We do not store full credit card details.

4. Data security

Local data protection: API keys encrypted at rest using libsodium (NaCl), encryption keys stored in macOS Keychain, passwords held in memory only (never written to disk), comprehensive redaction in all logs and error reports, and secure inter-process communication (IPC) between app components.

Network security: All network communications use HTTPS/TLS encryption, minimal data transmission (only authentication and usage analytics), and no password transmission over any network.

Application security: Code signed with Apple Developer ID certificate, notarized by Apple for malware protection, and regular security updates.

5. Data retention

Account data: Retained while your account is active. Deleted within 30 days of account closure (or as required by law).

Usage analytics: Retained for up to 24 months for service improvement. Aggregated and anonymized after 90 days.

Logs and error reports: Retained for up to 7 days (configurable); daily log rotation. Automatically purged after retention period.

Passwords: Never stored or retained at any time. Immediately cleared from memory after use.

6. Your rights and choices

Under GDPR (EU users)

If you are in the European Union, you have the following rights: right to access, right to rectification, right to erasure (“right to be forgotten”), right to restrict processing, right to data portability, right to object, and right to withdraw consent.

Under CCPA (California users)

If you are a California resident, you have the following rights: right to know what personal information we collect and how we use it, right to delete your personal information, right to correct inaccurate personal information (CPRA), right to opt-out of sale of personal information (note: we do not sell your information), and right to non-discrimination for exercising your rights.

General account controls

Data export: Contact hello@dosel.app to request your account data. We will provide your email address, user ID, and subscription status from our database. Delivered in CSV or JSON format within 30 days.

Account deletion: Contact hello@dosel.app to delete your account. All associated data will be permanently deleted within 30 days.

7. Children's privacy

Dosel is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected information from a child under 18, please contact us immediately at hello@dosel.app and we will delete it.

8. International data transfers

Dosel is based in the United States. If you are accessing the app from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located.

For EU users, we comply with GDPR requirements for international data transfers. Data processing agreements are available with third-party processors, and standard contractual clauses are in place where required.

9. Network connectivity

The app connects to the following domains during normal operation:

• openrouter.ai — AI API for browser automation
• *.supabase.co — Authentication and account management
• github.com — Application updates

While password operations are performed locally, the app is not fully offline. It requires network connectivity for authentication, AI-powered automation, and update checks. The app does not track users across third-party websites.

10. Automatic updates

The app checks for updates periodically and may download and install updates automatically. Update checks connect to GitHub releases. No personal data is sent during update checks.

11. Local data storage

The app stores data locally at ~/Library/Application Support/dosel/ including: application logs (7-day retention), encrypted settings and API keys, Chromium browser binary for automation (~200MB), and temporary automation data.

12. Changes to this privacy policy

We may update this privacy policy from time to time. When we make changes, we will update the “last updated” date at the top of this policy. For material changes, we will notify you via email or in-app notification. Continued use of the app after changes constitutes acceptance of the updated policy.

13. Contact us

If you have questions, concerns, or requests regarding this privacy policy or your personal information, please contact us: