Privacy Policy
Effective Date: January 4, 2026 · Last Updated: January 4, 2026
Important Notice: This Privacy Policy is provided as a template and has not been reviewed by a licensed attorney or data protection specialist. We strongly recommend consulting with a qualified professional before relying on this policy. DoraPass is committed to protecting your privacy and has drafted this policy in good faith.
1. Introduction
DoraPass ("we", "us", "our") is a software-as-a-service platform that helps EU financial entities compile and validate their DORA Register of Information (RoI).
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service at https://dorapass.com.
We are committed to compliance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Data Controller
The data controller for your personal data is:
DoraPass
Email: hello@dorapass.com
Website: https://dorapass.com
For data protection inquiries, contact us at: hello@dorapass.com
3. What Data We Collect
3.1 Account Data
When you register for DoraPass, we collect:
- Email address — For account access and communication
- Name — To personalize your experience
- Organization name — To identify your account
- Country — For regulatory context and billing
3.2 Billing Data
When you subscribe, our payment processor (Stripe) collects:
- Payment card details (we do not store card numbers)
- Billing address
- VAT number (if applicable)
We receive from Stripe: transaction confirmations, subscription status, and invoice records.
3.3 Customer Data (RoI Data)
You input data about your organization's ICT third-party service providers, including:
- Provider names and identifiers (LEI, registration numbers)
- Contract details
- Service descriptions
- Contact information for vendors
This data remains yours. Where it contains personal data (for example vendor contact details), you are the controller of that data and we act as your processor under GDPR Art. 28; we process it solely to provide the Service and on your instructions.
3.4 Usage Data
We automatically collect:
- IP address (anonymized for analytics)
- Browser type and version
- Pages visited and features used
- Timestamps of activity
- Error logs (for troubleshooting)
3.5 Communication Data
When you contact us:
- Email correspondence
- Support ticket content
- Feedback you provide
4. Legal Basis for Processing
Under GDPR, we process your data based on the following legal grounds:
| Data Type | Legal Basis | GDPR Article |
|---|---|---|
| Account Data | Contract performance | Art. 6(1)(b) |
| Billing Data | Contract performance | Art. 6(1)(b) |
| Customer Data (RoI) | Contract performance | Art. 6(1)(b) |
| Usage Data | Legitimate interests | Art. 6(1)(f) |
| Communication Data | Contract / Legitimate interests | Art. 6(1)(b)/(f) |
| Marketing emails | Consent | Art. 6(1)(a) |
5. How We Use Your Data
We use your data to:
1. Provide the Service
- Create and manage your account
- Process and validate your RoI data
- Generate export files
- Process payments
2. Improve the Service
- Analyze usage patterns (anonymized)
- Fix bugs and errors
- Develop new features
3. Communicate with You
- Send transactional emails (account confirmations, receipts)
- Respond to support requests
- Send service updates (maintenance, security)
- Send marketing communications (only with your consent)
4. Comply with Legal Obligations
- Maintain financial records
- Respond to lawful requests from authorities
6. Data Sharing
6.1 We Do Not Sell Your Data
We never sell, rent, or trade your personal data to third parties.
6.2 Subprocessors
We share data with the following service providers who process data on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting infrastructure | Germany (EU) |
| Stripe, Inc. | Payment processing | EU/US (EU-US DPF certified) |
We maintain Data Processing Agreements with all subprocessors.
6.3 Legal Requirements
We may disclose data if required by law, court order, or to protect our legal rights.
6.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before this occurs.
7. International Data Transfers
7.1 Primary Storage
All Customer Data is stored in the European Union (Germany, Hetzner data centers).
7.2 Transfers Outside the EU
Stripe: Stripe is certified under the EU-US Data Privacy Framework and maintains Standard Contractual Clauses for international transfers.
We only use subprocessors that provide adequate safeguards for international data transfers under GDPR Chapter V.
8. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period |
|---|---|
| Account Data | Duration of account + 2 years |
| Billing Data | 7 years (legal requirement) |
| Customer Data (RoI) | Duration of account + 30 days after deletion request |
| Usage Data | 12 months (anonymized thereafter) |
| Communication Data | 3 years |
| Marketing consent records | Duration of consent + 3 years |
After the retention period, data is securely deleted or anonymized.
9. Data Security
We implement appropriate technical and organizational measures to protect your data:
9.1 Technical Measures
- TLS encryption (HTTPS) for all data in transit
- Encryption at rest for sensitive data
- Regular security updates and patches
- Access controls and authentication
- Regular backups with encryption
9.2 Organizational Measures
- Limited access on a need-to-know basis
- Security awareness practices
- Incident response procedures
- Regular security reviews
9.3 Data Breach Notification
In the event of a personal data breach:
- We will notify the competent supervisory authority within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals' rights and freedoms (Art. 33)
- We will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34)
- We will document the breach and remediation steps
10. Your Rights
Under GDPR, you have the following rights:
10.1 Right of Access (Art. 15)
You can request a copy of your personal data.
10.2 Right to Rectification (Art. 16)
You can request correction of inaccurate data.
10.3 Right to Erasure (Art. 17)
You can request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
10.4 Right to Restrict Processing (Art. 18)
You can request that we limit how we process your data.
10.5 Right to Data Portability (Art. 20)
You can request your data in a structured, machine-readable format.
10.6 Right to Object (Art. 21)
You can object to processing based on legitimate interests.
10.7 Right to Withdraw Consent (Art. 7)
Where processing is based on consent, you can withdraw it at any time.
10.8 How to Exercise Your Rights
To exercise any of these rights:
- Email: hello@dorapass.com
- Subject: "Data Rights Request"
We will respond without undue delay and within one month of receiving your request (GDPR Art. 12(3)); for complex or numerous requests this may be extended by up to two further months, in which case we will inform you within the first month. We may ask you to verify your identity before acting on a request, so that data is not disclosed or deleted at the request of someone other than the data subject.
10.9 Right to Complain
You have the right to lodge a complaint with a supervisory authority. The relevant authority depends on your location. For example:
- Netherlands: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl)
- Germany: the data protection authority of the federal state (Land) where you are based; at federal level, the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (bfdi.bund.de)
11. Cookies and Tracking
11.1 Our Cookie Policy
We use minimal, functional cookies only. We do not use advertising or third-party tracking cookies.
11.2 Cookies We Use
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| Session cookie | Maintain login state | Session | Strictly necessary |
| Preferences | Remember your settings | 1 year | Functional |
11.3 No Consent Banner Required
Because the cookies we set are either strictly necessary for the Service or store settings you have chosen, we do not display a cookie consent banner. Strictly necessary cookies are exempt from the consent requirement of Art. 5(3) of the ePrivacy Directive (2002/58/EC) as implemented in national law, and the GDPR itself does not require a banner. If we add cookies that are not exempt, we will ask for consent before setting them.
11.4 Analytics
If we implement analytics in the future, we will:
- Use privacy-friendly solutions (e.g., self-hosted, no personal data)
- Update this policy accordingly
- Obtain consent where required
12. Marketing Communications
12.1 Opt-In Required
We only send marketing emails if you have explicitly opted in.
12.2 Unsubscribe
Every marketing email includes an unsubscribe link. You can opt out at any time.
12.3 Transactional Emails
Service-related emails (account confirmations, receipts, security alerts) are not marketing and do not require consent.
13. Children's Privacy
DoraPass is a business-to-business service. We do not knowingly collect data from individuals under 18 years of age.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will:
- Post the updated policy on our website
- Update the "Last Updated" date
- Notify you by email for material changes
15. Contact Us
For questions about this Privacy Policy or our data practices:
DoraPass
Email: hello@dorapass.com
Website: https://dorapass.com
For formal data protection requests, email hello@dorapass.com with subject line "Data Protection Request".
By using DoraPass, you acknowledge that you have read and understood this Privacy Policy.