Who we are
Dollarbaz (“Dollarbaz”, “we”, “us”, “our”) is the data controller for personal data processed through our website at dollarbaz.com and through our Trust & Risk Engine platform. We are incorporated in the European Union and operate primarily in EU and UK markets.
For any data protection enquiry, contact us at privacy@dollarbaz.com.
What we collect
We collect personal data in the following categories:
Account data
When you create an account, we collect your name, work email address, and organisation name. This is provided directly by you during sign-up.
Usage data
We collect information about how you interact with the platform — pages visited, features used, actions taken, and timestamps. This is collected automatically via server logs and analytics.
Communications data
If you contact us by email or via our contact form, we retain the contents of that communication and your contact details.
Technical data
We automatically collect your IP address, browser type, operating system, and device identifiers when you access our website or platform.
Fund and claims data
Important: Fund documents, sustainability claims, evidence items, and approval records processed through the Trust & Risk Engine are stored in your Microsoft Dataverse instance within your Microsoft 365 tenant. This data is yours. We process claim text in transit via our AI endpoint — we do not store, log, or retain fund data on Dollarbaz infrastructure. See our Trust & Security page for full details.
How we use your data
We use personal data for the following purposes:
- Providing and maintaining your account and access to the platform
- Processing payments and managing your subscription
- Sending transactional emails — account verification, password reset, billing receipts
- Responding to support requests and communications you initiate
- Understanding how the platform is used to improve it
- Sending product updates and feature announcements (you can unsubscribe at any time)
- Complying with legal obligations including financial regulation and tax law
We do not sell your personal data. We do not use your data to train AI models.
Legal basis for processing
We process personal data under the following legal bases as defined by the UK GDPR and EU GDPR:
- Contract — processing necessary to provide the service you have contracted with us for (account management, platform access, billing).
- Legitimate interests — product analytics, fraud prevention, security monitoring, and improving the platform, where these interests are not overridden by your rights.
- Legal obligation — where we are required to process data to comply with applicable law.
- Consent — for marketing communications. You can withdraw consent at any time by clicking “unsubscribe” in any marketing email or by contacting us.
Sharing your data
We share personal data only with the following categories of third parties, and only to the extent necessary to provide the service:
- Supabase — authentication and database infrastructure. Your account data (name, email, organisation) is stored in Supabase. Supabase processes data in accordance with GDPR. Data is stored in the EU region.
- Microsoft Azure — the AI endpoint that processes claim text runs on Azure infrastructure. Text is processed in transit and not retained.
- Stripe — payment processing. We share billing information required to process payments. Stripe is a PCI DSS Level 1 certified processor.
- Analytics providers — we use privacy-preserving analytics to understand platform usage. No personal identifiers are shared with analytics providers.
We do not share data with advertisers. We do not sell data to any third party. We do not transfer data to any party for their own use without your explicit consent.
International transfers
We are based in the EU. Where personal data is transferred outside the EEA or UK — for example to US-based service providers — we ensure appropriate safeguards are in place, including standard contractual clauses approved by the European Commission or the UK Information Commissioner’s Office as applicable.
Retention
We retain account data for the duration of your subscription and for up to 12 months after account closure, to allow for reactivation and to comply with legal obligations. We retain billing records for 7 years in accordance with applicable tax law. We delete or anonymise usage and analytics data on a rolling 24-month basis.
Fund and claims data processed through the platform is subject to your own data retention policies — it lives in your tenant and we have no ongoing access to it.
Your rights
Under UK GDPR and EU GDPR you have the following rights in relation to your personal data:
- Access — request a copy of personal data we hold about you
- Rectification — request correction of inaccurate personal data
- Erasure — request deletion of your personal data in certain circumstances
- Restriction — request we restrict processing of your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at privacy@dollarbaz.com. We will respond within 30 days. We will not charge a fee for reasonable requests.
Cookies
We use the following categories of cookies on our website:
- Strictly necessary — session management, authentication tokens, security. These cannot be disabled.
- Analytics — understanding how visitors use our website. We use privacy-preserving analytics that do not set third-party cookies or fingerprint users.
We do not use advertising cookies, social media tracking pixels, or any cookies that track you across third-party websites.
Security
We implement appropriate technical and organisational measures to protect personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction. Specific measures include:
- Encryption of data in transit using TLS 1.2+
- Encryption of data at rest
- Access controls — personal data is accessible only to staff who require it
- Supabase Row Level Security on all database tables
- Regular dependency and security review
No method of transmission over the internet is 100% secure. In the event of a personal data breach that is likely to result in a risk to individuals, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay.
Children
Our service is directed at businesses and professionals. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we hold data relating to a child, we will delete it promptly.
Changes to this policy
We may update this Privacy Policy from time to time. Where changes are material, we will notify account holders by email at least 14 days before the changes take effect. Continued use of the platform after that date constitutes acceptance of the updated policy. The “last updated” date at the top of this page indicates when the current version was published.
Contact & complaints
For any data protection question or to exercise your rights:
privacy@dollarbaz.com
Dollarbaz
European Union
If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority. In the EU this is your national data protection authority. In the UK this is the Information Commissioner’s Office (ICO) at ico.org.uk.