Privacy Policy
Last updated: March 12, 2026
1. Information We Collect
When you use Dokai, we collect the following categories of information:
1.1 Account Information
- Full name, email address, and mobile phone number (optional) when you create an account.
- Organization name and workspace details when you create or join a team.
- Billing details including payment method type and last four digits of your card (full card details are handled exclusively by Stripe and never stored on our servers).
1.2 Authentication Data
- Passwords are securely hashed using industry-standard algorithms — we never store plaintext passwords.
- Two-factor authentication secrets and recovery codes (encrypted at rest).
- OAuth tokens when you sign in via Google or GitHub (encrypted at rest).
- Session data including your IP address and user agent for active session management.
1.3 Document Data
- Images of identity documents submitted via our API for parsing (MyKad, KTP, NRIC, passports, driving licenses, and other ASEAN identity documents).
- Extracted structured data from parsed documents, including names, identification numbers, addresses, and dates of birth.
- A cryptographic hash of each submitted image for deduplication purposes.
- Selfie images when using identity verification features (face match, liveness detection).
1.4 Usage and Technical Data
- API call logs including endpoint, processing time, and resource usage metrics.
- Browser type, operating system, IP address, and user agent for security and fraud prevention.
- Aggregated daily statistics (parse counts, success rates, processing times) per organization.
2. How We Use Your Information
- Service delivery: To process your API requests, extract structured data from documents, and return results.
- Account management: To authenticate your identity, manage team memberships, and handle billing and subscriptions.
- Security: To detect and prevent fraud, abuse, and security threats through multiple layers of automated validation.
- Communications: To send transactional emails including account confirmations, billing receipts, password change alerts (with IP and device context), trial and payment reminders, security alerts, and team invitations.
- Improvement: To monitor service performance, improve parsing accuracy, and maintain aggregate usage analytics.
- Compliance: To maintain audit logs, fulfill legal obligations, and respond to lawful requests.
3. Data Security
We implement multiple layers of security to protect your data:
- Encryption in transit: All connections are encrypted using modern TLS. HSTS headers enforce HTTPS across all services.
- Encryption at rest: Sensitive fields (2FA secrets, recovery codes, OAuth tokens, webhook signing secrets) are encrypted at rest using industry-standard encryption.
- Password security: Passwords are securely hashed using industry-standard algorithms. We check passwords against known breach databases and notify you if your password has been compromised.
- API key security: API keys are cryptographically hashed before storage. Plaintext keys are shown only once at creation and cannot be retrieved afterward.
- Bot protection: Authentication forms are protected by CAPTCHA and additional anti-bot measures.
- Rate limiting: Authentication endpoints are rate-limited to prevent brute-force attacks.
- Two-factor authentication: 2FA is available for all accounts and can be enforced at the organization level with configurable grace periods.
- Security headers: All responses include standard security headers to protect against common web vulnerabilities.
- Service-to-service security: Communication between our internal services is cryptographically authenticated.
- Webhook signing: All webhook deliveries are cryptographically signed so you can verify their authenticity.
4. Data Retention
We retain your data according to the following schedule:
- Parse results and document images: Retained according to your plan's data retention period (configurable per subscription tier). An automated daily purge process deletes expired results and their associated images from storage. You are notified before data is purged.
- Audit logs: Retained according to your plan's audit log retention period, then automatically purged.
- Session data: Active sessions expire after a period of inactivity.
- Security event logs: Retained indefinitely for compliance and threat analysis purposes.
- Account data: Retained for the duration of your account. Upon account deletion, your personal data is removed in accordance with this policy.
- Verification selfies: Deleted when the verification session expires.
5. Third-Party Services
We share limited data with the following third-party services:
- Stripe: Processes payments and manages subscriptions. Receives your email and payment method details. Dokai never stores full card numbers.
- AI model providers: Document data is sent to an appropriate AI model for data extraction. When OCR text is available, only the text is sent — not the original image. Images are resized to a maximum of 1024px before being sent to any provider.
- CAPTCHA provider: Provides bot protection on authentication forms. Receives only verification tokens — no document or personal data.
- OAuth providers: Used only for social login authentication. We receive your name, email, and profile identifier — no document data is shared with these providers.
- Analytics: We may use analytics tools on our landing page to understand site usage. No analytics tracking is applied to the application dashboard.
We do not sell your personal information to third parties. Each third-party provider is bound by its own privacy policies and applicable data processing agreements.
6. Cookies and Session Management
We use the following cookies and similar technologies:
- Session cookie: An essential cookie that maintains your authenticated session. Expires after a period of inactivity.
- Security cookie: Protects against cross-site request forgery attacks.
- Remember me cookie: An optional persistent cookie set when you select "Remember me" during login.
- Analytics cookies: Optional analytics cookies on our landing page. You can manage these through our cookie banner.
Session data is stored server-side and includes your user ID, active workspace, IP address, and user agent.
7. Audit Logging
We maintain detailed audit logs of actions performed on your account and organization for security, compliance, and debugging purposes. Audit records include:
- The action performed (create, update, delete) and the affected resource.
- Before and after values for changed fields.
- The user who performed the action, their IP address, user agent, and the request URL.
- Integrity verification for each audit record.
Audit logs are scoped to your organization and retained according to your subscription plan's audit log retention period.
8. Your Rights
You have the right to:
- Access: View the personal data we hold about you through your dashboard settings.
- Correction: Update your name, email, phone number, and profile information at any time.
- Deletion: Delete your account and request removal of your personal data. Parse results and associated images are deleted according to retention policies or immediately upon request.
- Portability: Export your data in a portable format.
- Objection: Object to or restrict processing of your data for specific purposes.
- Withdraw consent: Disconnect social login accounts, disable 2FA, or withdraw consent for optional data processing at any time.
- Notification preferences: Configure which email notifications you receive through your notification settings.
9. Children's Privacy
Dokai is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
10. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes by email or through a notice on our dashboard. Continued use of the service after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this privacy policy or wish to exercise your data rights, please contact us at privacy@dokai.dev.