Privacy Policy
Last updated: June 16, 2026 · Version 2.0
Effective date: June 16, 2026
📑 Table of Contents
- Introduction & Scope
- Definitions
- Data We Collect
- How We Collect Data
- Legal Basis for Processing
- Purposes of Data Use
- API Request Content
- Cookies & Tracking
- Third-Party Services
- Data Sub-processors
- Storage & Encryption
- Data Retention Periods
- Data Security
- Data Breach Notification
- Your Rights — GDPR & CCPA
- How to Exercise Your Rights
- International Data Transfers
- Children's Privacy
- Do Not Track
- Inactive Accounts
- Changes to This Policy
- Contact Information
- Supervisory Authority
1. Introduction & Scope
DOUGH.ID ("we", "our", "us") operates the website dough.id and provides an AI API gateway service (the "Service"). This Privacy Policy explains in detail how we collect, use, store, share, and protect your personal information when you visit our website, create an account, or use our API Service.
This policy applies to all DOUGH.ID users, including website visitors, registered users, and developers using our API. By accessing or using the Service, you consent to the practices described in this policy. If you disagree, please do not use our Service.
This policy is designed to comply with applicable data protection regulations including the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Indonesia's Personal Data Protection Law (UU PDP), and other relevant privacy regulations.
2. Definitions
For clarity, the following terms have specific meanings in this policy:
- Personal Data — Any information relating to an identified or identifiable individual. Includes email, name, IP address, and other unique identifiers.
- Processing — Any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, and deletion.
- Data Controller — The entity that determines the purposes and means of processing Personal Data. DOUGH.ID is the Data Controller for user account data.
- Data Processor — A third party that processes Personal Data on behalf of the Data Controller. Examples: Supabase (database hosting), upstream AI providers.
- Data Subject — The individual whose Personal Data is processed. You are the Data Subject.
- API Content — Prompt text, code, conversations, files, and other data you submit through our API endpoints to upstream AI models.
- Cookie — A small text file stored on your device by your web browser. Used to maintain sessions and preferences.
3. Data We Collect
3.1 Account Data (Provided by You)
When you create a DOUGH.ID account, we collect the following information you voluntarily provide:
| Data Type | Example | Required? |
|---|---|---|
| Email Address | [email protected] | ✅ Yes |
| Full Name | Budi Santoso | Optional (except Google login) |
| Profile Picture | Google avatar URL | Google login only |
| Password (hashed) | bcrypt hash | ✅ Yes (except Google) |
| Language Preference | ID / EN | Automatic |
We do NOT require: phone number, credit card, physical address, date of birth, identity number, or any financial information to create an account.
3.2 API Usage Data (Collected Automatically)
Each time you make an API request through our gateway, our system automatically logs the following metrics for operational purposes and limit enforcement:
- Token count — Number of tokens consumed per request (prompt + completion)
- Model ID — The specific AI model accessed (e.g. kr/deepseek-3.2)
- Timestamp — Time and date of the request (UTC)
- API Key ID — Unique API key identifier (not the key itself)
- Status code — HTTP response code (200, 401, 429, 500, etc.)
- Latency — Response time in milliseconds
IMPORTANT: We do NOT log or store your API request content — that is, prompt text, code, conversation history, model outputs, or any data you send or receive through the API. See Section 7 for details.
3.3 Technical Data (Server Logs)
Like virtually all web services, our servers automatically log certain technical data for each HTTP request. This data is used for debugging, security, and service improvement:
- IP Address — Your device's internet protocol address (retained 30 days)
- User-Agent — Your browser/HTTP client identification string
- Referrer URL — The page that referred you to our site (if any)
- HTTP Method & Endpoint — GET, POST, etc. and the URL path requested
- Status Code — HTTP response code (200, 404, 500, etc.)
- Response Size — Response content size in bytes
3.4 Communication Data
If you contact us via email ([email protected], [email protected], etc.), we retain the content of that communication and your email address to respond and maintain support records. This data is retained for up to 2 years after the support ticket is closed.
3.5 Data We Explicitly Do NOT Collect
- ❌ API Content — Prompts, code, conversations, model outputs
- ❌ Payment Information — Credit card numbers, bank accounts
- ❌ Precise Location Data — GPS coordinates
- ❌ Biometric Data — Fingerprints, facial recognition
- ❌ Sensitive Data Categories — Race, religion, sexual orientation, health, politics
- ❌ Cross-Site Browsing History — Activity on other websites
4. How We Collect Data
4.1 Directly From You
Most data is collected directly when you interact with the Service: when signing up, logging in, creating API keys, making API requests, changing account settings, or contacting support.
4.2 Automatically
API usage data and server logs are collected automatically by our infrastructure during normal Service operation.
4.3 From Third Parties
If you sign in using Google OAuth, we receive your name, email, and profile picture URL from Google. Google is subject to their own privacy policy for data they collect.
5. Legal Basis for Processing
Under GDPR and applicable data protection laws, we process your Personal Data on the following legal bases:
| Legal Basis | Data Type | Purpose |
|---|---|---|
| Contract | Email, password, API usage | Providing the API Service you requested |
| Legitimate Interest | Server logs, usage metrics | Security, abuse detection, service improvement |
| Consent | Session cookies, language preference | Maintaining login session, remembering language |
| Legal Obligation | All relevant data | Complying with court orders, law enforcement requests |
6. Purposes of Data Use
We use your Personal Data exclusively for the following purposes. We do NOT use your data for purposes outside this list without notice and consent:
- Service Provision — Processing API requests, managing API keys, enforcing rate limiting, routing to upstream AI models.
- Authentication & Account Security — Verifying identity, detecting unauthorized access, preventing account takeover.
- Service Improvement — Analyzing aggregated usage metrics to optimize performance, model selection, and infrastructure capacity planning.
- Security & Abuse Prevention — Detecting and blocking malicious activity, DDoS attacks, credential stuffing, API abuse, and Terms of Service violations.
- Service Communication — Sending transactional emails: account verification, password reset, security notifications, material policy changes. We do NOT send promotional emails without explicit opt-in.
- Legal Compliance — Responding to valid legal requests, court orders, or regulatory obligations.
We NEVER sell your Personal Data. Not to advertisers, data brokers, or any third party. Our business model does not rely on selling data.
7. API Request Content
This section is one of the most important in our policy. DOUGH.ID is a real-time proxy gateway. When you send an API request to our endpoint, here is what happens:
- Your request (including prompt, code, conversation history) arrives at our proxy server
- The proxy validates your API key and checks rate limits
- The proxy forwards the request to the upstream AI provider (DeepSeek, Google, Anthropic, etc.)
- The upstream provider processes the request and returns a response
- The proxy forwards the response back to you
Key point: Our proxy server operates in pass-through (relay) mode. Your API request and response content flows through our server in memory (RAM) for the duration of the request and is never written to disk, never logged, and never stored in any form. Once the HTTP connection completes, the data is gone from server memory.
Each upstream AI provider has its own privacy policy. We encourage you to review them:
- DeepSeek — deepseek.com/privacy
- Google (Gemini) — policies.google.com/privacy
- Anthropic (Claude) — anthropic.com/legal/privacy
- Moonshot AI (Kimi) — moonshot.ai/privacy
8. Cookies & Tracking Technologies
8.1 Cookies We Use
DOUGH.ID uses the absolute minimum cookies for essential functionality. We do not use third-party cookies, advertising cookies, or analytics cookies.
| Cookie | Type | Duration | Purpose |
|---|---|---|---|
| sb-*-auth-token | Session / Essential | Browser session | Supabase authentication token — keeps you signed in |
| dough_lang | Preference / localStorage | Persistent | Remembers your language preference (ID/EN) |
| dough_admin_auth | Security / Essential | 24 hours | Admin panel authentication (owner only) |
8.2 Technologies We Do NOT Use
- ❌ Advertising Cookies — None. We do not display ads.
- ❌ Analytics Cookies — No Google Analytics, no Mixpanel, no analytics tools whatsoever.
- ❌ Tracking Cookies — No Facebook Pixel, no LinkedIn Insights, no trackers of any kind.
- ❌ Fingerprinting — We do not use browser or device fingerprinting.
- ❌ Web Beacons / Pixels — We do not embed tracking pixels in our pages or emails.
Summary: DOUGH.ID has ZERO trackers. You can verify this with your browser's privacy inspection tools.
8.3 How to Manage Cookies
You can disable cookies through your browser settings. However, disabling essential cookies will prevent you from logging into DOUGH.ID.
9. Third-Party Services
DOUGH.ID relies on the following third-party services to operate. Each has its own privacy policy:
| Provider | Function | Data Shared | Server Location |
|---|---|---|---|
| Supabase | Database & Auth | Email, name, password hash, API key metadata, usage logs | Singapore / US |
| Cloudflare | DNS, CDN, DDoS Protection | IP address (security filter) | Global |
| DeepSeek | AI Models (V4 Pro, Flash) | API request content (pass-through) | China / US |
| Google | AI Models (Gemini) + OAuth | API content; Google profile data on login | Global |
| Anthropic | AI Models (Claude) | API request content (pass-through) | US |
| Moonshot AI | AI Models (Kimi) | API request content (pass-through) | China |
10. Data Sub-processors
Below is the list of third-party data processors that handle Personal Data on behalf of DOUGH.ID:
| Processor | Service | Location | DPA / SCC |
|---|---|---|---|
| Supabase Inc. | Database & auth hosting | US / SG | ✅ |
| Cloudflare Inc. | CDN, DNS, security | Global | ✅ |
| Hetzner Online GmbH | VPS hosting (proxy server) | SG | ✅ |
We will update this list if we add or change processors. Registered users will be notified of material changes via email.
11. Data Storage & Encryption
11.1 Storage Location
All user Personal Data is stored on Supabase servers located in Singapore (ap-southeast-1). Our proxy server is also located in Singapore. We chose Singapore for its proximity to our Asia-Pacific user base and strong data protection standards.
11.2 Encryption
- Encryption in Transit — All connections use TLS 1.3 (minimum TLS 1.2). This applies to: your browser ↔ DOUGH.ID, DOUGH.ID ↔ Supabase, and DOUGH.ID ↔ upstream AI providers.
- Encryption at Rest — The Supabase database is encrypted at rest using AES-256.
- Password Hashing — User passwords are hashed using bcrypt with unique per-user salt. We never store plain-text passwords.
- API Key Hashing — API keys are hashed before storage. The original key is shown only once at creation — we cannot recover it.
12. Data Retention Periods
We retain data only as long as necessary for the purposes described in this policy:
| Data Type | Retention Period | Deletion Policy |
|---|---|---|
| Account Data (email, name) | While account is active | Permanently deleted within 30 days of account deletion |
| API Usage Logs | 90 days | Automatically deleted (rolling window) |
| Server Logs (IP, User-Agent) | 30 days | Automatic log rotation + deletion |
| API Request Content | 0 — never stored | N/A (real-time pass-through) |
| Support Emails | 2 years | Deleted 2 years after ticket closure |
13. Data Security
We implement technical and organizational security measures to protect your Personal Data:
- ✅ TLS 1.3 encryption for all connections
- ✅ bcrypt hashing for passwords
- ✅ AES-256 database encryption at rest
- ✅ Row-Level Security (RLS) in Supabase — each user can only access their own data
- ✅ Strict firewall — only ports 80/443 open to public
- ✅ Automatic security updates on server OS
- ✅ SSH keys for server access (no password access)
- ✅ 24/7 monitoring for suspicious activity
- ✅ Database access restricted — only authorized services can connect
- ✅ Environment separation: production, staging, development
While we implement the above measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
14. Data Breach Notification
In the event of a data breach involving your Personal Data, we will:
- Notify you via email within 72 hours of becoming aware of the breach (per GDPR requirements)
- Describe the nature of the breach, affected data, and measures we are taking
- Provide recommendations on steps you can take to protect yourself
- Report to relevant data protection authorities if required by law
15. Your Rights — GDPR & CCPA
15.1 Rights Under GDPR (EU/EEA Users)
If you are in the European Union or European Economic Area, you have the following rights:
| Right | Description |
|---|---|
| Access (Article 15) | Request a copy of the Personal Data we hold about you |
| Rectification (Article 16) | Correct inaccurate or incomplete Personal Data |
| Erasure (Article 17) | Request deletion of your Personal Data ("Right to be Forgotten") |
| Restriction (Article 18) | Restrict processing of your Personal Data in certain circumstances |
| Portability (Article 20) | Receive your Personal Data in a structured, machine-readable format |
| Objection (Article 21) | Object to processing based on legitimate interests |
| Withdraw Consent (Article 7) | Withdraw consent at any time without affecting prior lawful processing |
15.2 Rights Under CCPA (California Users)
If you are a California resident, you have the following rights:
- Right to Know — Categories of Personal Data we collect, sources, and purposes
- Right to Delete — Request deletion of your Personal Data
- Right to Opt-Out — We do not sell data, so this right is already satisfied by default
- Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights
15.3 Rights Under Indonesia's PDP Law
Under Indonesia's Personal Data Protection Law (UU No. 27/2022), you have rights to information, rectification, termination of processing, deletion, consent withdrawal, objection, and compensation for data processing violations.
16. How to Exercise Your Rights
To exercise the above rights, you have two options:
16.1 Self-Service (Recommended)
- Delete account: Go to Dashboard → Settings → Delete Account. All your data will be permanently deleted within 30 days.
- Correct data: Go to Dashboard → Settings → Profile to edit your display name.
- Revoke API key: Go to Dashboard → API Keys → Delete on the key you want to revoke.
16.2 Via Email
Send a request to [email protected] with the subject "Data Request" or "Permintaan Data". Include:
- Your full name
- The email address registered with DOUGH.ID
- The specific right you wish to exercise
- Any additional details relevant to your request
We will respond within 30 calendar days (per GDPR requirements). If the request is particularly complex, we may extend up to 60 days with notice. Identity verification may be required for certain requests.
17. International Data Transfers
DOUGH.ID is based in Indonesia with servers in Singapore. If you access the Service from outside these regions, your Personal Data will be transferred to and processed in Singapore and/or Indonesia.
Singapore has been recognized by the European Commission as providing an adequate level of data protection. For transfers to Indonesia, we rely on Standard Contractual Clauses (SCCs) and transfer impact assessments to ensure equivalent protection.
By using DOUGH.ID, you explicitly consent to the transfer, processing, and storage of your Personal Data in Singapore and Indonesia as described in this policy.
18. Children's Privacy
DOUGH.ID is not intended for children under 13 (or 16 in certain EU jurisdictions). We do not knowingly collect Personal Data from children.
If you are a parent or guardian and believe your child has provided us with Personal Data, contact us immediately at [email protected]. We will delete such data within 48 hours of verification.
19. Do Not Track
DOUGH.ID does not track users across websites. Because we perform no tracking whatsoever, browser Do Not Track (DNT) signals do not change our behavior — our default behavior already respects your privacy.
20. Inactive Accounts
Accounts inactive for 12 consecutive months (no login and no API activity) may be deleted after 30 days' prior email notice. This helps us maintain database hygiene and security.
21. Changes to This Policy
We may update this Privacy Policy from time to time. Our procedure for changes:
- Minor Changes — Typos, clarifications, non-substantive updates: effective immediately upon posting.
- Material Changes — Significant changes to data practices, new processors, new legal bases: notified via email at least 14 days before effective date.
The "Last updated" date at the top of this page indicates the latest version. Version history is available upon request.
22. Contact Information
DOUGH.ID is operated by:
📧 Email: [email protected]
📷 Instagram: @ananta_1c
🌐 dough.id
23. Supervisory Authority
If you believe that the processing of your Personal Data violates applicable law, you have the right to lodge a complaint with the data protection supervisory authority in your country.
In Indonesia, the competent authority is the Ministry of Communication and Informatics (Kominfo). In the EU, you may contact the authority in your member state. We encourage you to contact us first at [email protected] so we can resolve your concern directly.