Privacy Policy
Docklet ("we", "us", "our") provides a deployment and collaboration platform for AI-generated HTML artifacts. This policy explains what personal data we collect, why we collect it, how we use it, and the rights you have under the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and similar laws.
This is a plain-English summary of standard industry practice. If you have any questions, write to privacy@docklet.io.
1. Who we are
Docklet is the trade name for our service, operated from Dubai, United Arab Emirates. For the personal data described in this policy, Docklet is the data controller, unless you upload content as part of an organization that uses Docklet — in which case that organization is the controller and Docklet acts as a data processor on its behalf.
We handle privacy inquiries by email at privacy@docklet.io. We do not publish the operator's personal identity on this site.
2. What data we collect
2.1 Account data
When you sign up we collect your name, email address, account password (hashed), and the identity provider you signed in with (e.g. Google, Okta, custom OIDC). For paying customers we also collect billing details, which are processed by our payment processor — we do not store full payment-card numbers.
2.2 Content you publish
Docklets you publish, the HTML/assets that make them up, version history, comments, and feedback you and your audience leave on them. This content is private to you and your organization by default; you choose its visibility per artifact.
2.3 Usage data
Technical data about how you use Docklet: pages opened, actions taken, device type, browser, approximate location derived from IP, and diagnostic logs. We use this to operate and improve the product.
2.4 Audience data on your Docklets
For people who view your published Docklets, we collect aggregated and pseudonymous analytics: views, time on page, interactions, and approximate location. Where a viewer is signed in to Docklet, their identity may be attributed to comments and reactions they leave — this is the same model used by collaborative document tools.
2.5 AI-tool integrations (MCP)
When you connect Docklet to an AI assistant through MCP, we receive the artifacts that AI assistant submits on your behalf, plus minimal metadata about the integration (tool name, request timestamps). We do not receive your full chat transcripts.
2.6 Communications
If you contact us by email or chat, we keep that conversation along with anything you choose to share with us.
3. Why we use your data and our legal bases
| Purpose | Legal basis (EEA / UK) |
|---|---|
| Providing the Docklet service — accounts, publishing, collaboration, analytics for your own Docklets. | Performance of a contract. |
| Billing, fraud prevention, and account security. | Performance of a contract; legitimate interests. |
| Sending operational emails (e.g. password resets, security alerts). | Performance of a contract. |
| Sending marketing emails about Docklet's product. | Consent (you can unsubscribe at any time). |
| Anonymized analytics to improve the service. | Legitimate interests / consent for non-essential cookies. |
| Complying with legal obligations (e.g. tax records, lawful requests). | Legal obligation. |
We do not sell your personal data, and we do not use the content of the Docklets you publish to train AI models.
4. Who we share data with
We share data only with carefully selected processors and only to the extent necessary:
- Cloud infrastructure — hosting and database providers (e.g. AWS, GCP).
- Payment processor — to charge subscriptions.
- Email service — to deliver transactional and (with consent) marketing email.
- Microsoft Clarity — session replay and usage analytics for the marketing site only (Microsoft Privacy Statement).
- Customer support tooling — to help you when you contact us.
- Authorities — only where required by law and after independent legal review.
All processors are bound by contracts that require equivalent levels of data protection.
5. How long we keep your data
We keep account data for as long as your account is active and for up to 90 days after account deletion to allow recovery and to honour legal obligations. Published Docklets are deleted with your account; analytics derived from them is retained in aggregated, non-identifying form. Billing records are kept for the duration required by tax law (typically 7 years).
6. International data transfers
Docklet operates globally. Where we transfer data outside of the EEA or the UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum. Enterprise customers can request EU or US data residency.
7. How we keep your data safe
- Encryption in transit (TLS 1.2+) and at rest.
- Least-privilege access controls and audited admin access.
- Regular dependency and infrastructure vulnerability scans.
- SSO and 2FA for our internal systems.
- Independent penetration tests at least annually.
- Documented incident response — we will notify affected users and regulators within 72 hours where required by law.
8. Your rights
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Erase your data ("right to be forgotten") subject to legal exceptions.
- Restrict or object to processing.
- Receive your data in a portable format.
- Withdraw consent at any time where processing is based on consent.
- Opt out of "sale" or "sharing" of personal information (CCPA / CPRA) — we do not sell or share personal data for cross-context behavioural advertising.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email privacy@docklet.io. We aim to respond within 30 days.
9. Children
Docklet is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have, please contact us and we will delete it.
10. Cookies & similar technologies
We use a small number of cookies. Essential cookies are required for Docklet to work; you can accept or reject non-essential cookies at any time using the banner shown on first visit or by clicking "Cookie preferences" in the footer.
| Cookie group | What it does | How long |
|---|---|---|
| Essential | Sign-in session, security tokens, consent state, preference (theme, language). | Session — 12 months. |
| Analytics | Microsoft Clarity — heatmaps, session replay, and usage metrics for the marketing site. Sets first-party cookies (_clck, _clsk) only after you opt in. Sensitive fields may be masked per Microsoft defaults. | Up to 12 months. |
| Marketing | Aggregated attribution — which campaign brought you to us — never used for cross-site tracking. | Up to 12 months. |
You can also block or delete cookies at any time in your browser settings. Doing so for essential cookies may break parts of the site.
11. Changes to this policy
We may update this policy from time to time. When we make material changes, we'll notify you by email or via a notice in the product before they take effect. The "Last updated" date at the top of this page always reflects the current version.
12. How to contact us
Docklet · Dubai, United Arab Emirates
privacy@docklet.io
Users in the EEA or UK: contact the same address for data-protection requests; if we appoint a local representative, we will publish their details here.