Privacy Policy
Last updated: 8 April 2026
1. Data Controller
dotcph ("we", "us") operates the dotcph Sales Agency OS at dotcph.com. We are the data controller for personal data processed through this service. Contact us at privacy@dotcph.com for any data protection inquiries.
2. What Data We Collect
We collect the following categories of personal data:
| Category | Data | Lawful Basis |
|---|---|---|
| Account data | Name, email, phone, market | Contract performance (Art. 6(1)(b)) |
| Customer data | Company name, contacts, addresses, VAT numbers | Legitimate interest (Art. 6(1)(f)) |
| Order data | Order details, delivery addresses, invoices | Contract performance (Art. 6(1)(b)) |
| Email content | Email messages sent/received through the platform | Legitimate interest (Art. 6(1)(f)) |
| Financial data | Invoices, commissions, payroll (if used) | Legal obligation (Art. 6(1)(c)) |
| Session data | Session cookie (strictly necessary, no tracking) | Legitimate interest (Art. 6(1)(f)) |
3. How We Use Your Data
We process personal data to:
- Provide and maintain the dotcph service (account management, order processing, invoicing)
- Send transactional emails (account verification, password resets, order notifications)
- Process subscription payments via Stripe
- Ensure platform security (login protection, rate limiting, fraud prevention)
- Comply with legal obligations (financial records, tax reporting)
4. Data Processors (Sub-processors)
| Processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Hosting, database, email delivery, file storage | EU (North Europe) |
| Stripe | Payment processing | EU/US (EU SCCs) |
5. Data Retention
We retain data according to the following schedule:
- Account data: Retained while account is active, deleted within 90 days of account deletion request.
- Order and invoice data: 5 years after creation (legal requirement for financial records in Denmark, cf. Bogføringsloven).
- Email messages: 2 years, then automatically purged.
- Activity/audit logs: 1 year.
- AI assistant conversations: 6 months.
- Feedback and voice notes: 1 year.
6. Your Rights (GDPR Articles 15–22)
As a data subject in the EU/EEA, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten", Art. 17)
- Restrict processing (Art. 18)
- Data portability — receive your data in a structured format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
Agency administrators can delete their entire agency and all associated data from Settings → Delete Agency. For other requests, email privacy@dotcph.com.
7. Cookies
We use only strictly necessary session cookies to maintain your login session. We do not use any analytics, advertising, or tracking cookies. No third-party cookies are set.
8. Data Security
We protect your data through:
- Encrypted database connections (TLS)
- Password hashing (scrypt)
- CSRF protection on all forms
- Rate limiting on authentication endpoints
- Per-tenant database isolation (each agency has a separate database)
- Content Security Policy headers
- Encrypted token storage (Fernet) for third-party integrations
9. International Transfers
Your data is primarily processed within the EU (Microsoft Azure North Europe). Where sub-processors operate outside the EU (e.g. Stripe), transfers are protected by EU Standard Contractual Clauses (SCCs).
10. Changes to This Policy
We may update this policy. Material changes will be communicated via email or in-app notification. Continued use after changes constitutes acceptance.
11. Contact & Complaints
Email: privacy@dotcph.com
You have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet).