Privacy Policy

Last updated: February 2026

DoppelDown — Brand Protection Platform

Operated by Dobson Development Pty Ltd

ABN: 43 688 593 606

Queensland, Australia

Last Updated: 2 February 2026

Effective Date: 2 February 2026

---

1. Introduction

Dobson Development Pty Ltd (ACN 688 593 606) ("Company", "we", "us", or "our") operates the DoppelDown brand protection platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you access or use the Service.

We are committed to protecting your privacy and handling your personal information in accordance with:

The Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs");
The General Data Protection Regulation (EU) 2016/679 ("GDPR"), where applicable to users in the European Economic Area ("EEA"), the United Kingdom, and Switzerland; and
Other applicable privacy and data protection laws.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

---

2. Definitions

"Personal Information" means information about an identified individual, or an individual who is reasonably identifiable, as defined under the Privacy Act 1988 (Cth). For GDPR purposes, this includes "personal data" as defined under the GDPR.
"Brand Data" means brand names, logos, domain names, trademarks, keywords, or other identifying information you submit for monitoring.
"Scan Results" means threat intelligence data, reports, alerts, and analysis generated by the Service.
"Usage Data" means information collected automatically about how you interact with the Service.
"AI Processing" means the use of artificial intelligence and machine learning technologies to analyse data within the Service.

---

3. Information We Collect

3.1 Information You Provide

| Data Category | Examples | Purpose |

|---|---|---|

| Account Information | Name, email address, company name, job title | Account creation, authentication, communication |

| Brand Data | Brand names, domain names, trademarks, logos, keywords, social media handles | Threat monitoring and detection |

| Billing Information | Payment method details (processed via Stripe) | Subscription billing and payment processing |

| Communications | Emails, support tickets, feedback | Customer support, service improvement |

3.2 Information We Collect Automatically

| Data Category | Examples | Purpose |

|---|---|---|

| Usage Data | Pages visited, features used, actions taken, timestamps | Service improvement, analytics, troubleshooting |

| Device Information | Browser type, operating system, screen resolution, IP address | Security, compatibility, analytics |

| Log Data | Server logs, error logs, access logs | Security monitoring, debugging, performance |

| Cookies & Similar Technologies | Session cookies, analytics cookies | Authentication, preferences, analytics |

3.3 Information Generated by the Service

| Data Category | Examples | Purpose |

|---|---|---|

| Scan Results | Detected threats, risk scores, domain analysis, phishing indicators | Core service delivery |

| AI Outputs | Threat classifications, pattern analysis, automated recommendations | Threat assessment and alerting |

| Alert History | Notification records, alert status, response actions | Service delivery, audit trail |

3.4 Information from Third Parties

We may collect publicly available information from:

Public domain registration databases (WHOIS);
Public DNS records;
Public website content and metadata;
Public social media profiles and posts; and
Threat intelligence feeds and databases.

This information is collected solely for the purpose of providing the Service and is not used to build profiles on individuals.

---

4. How We Use Your Information

We use the information we collect for the following purposes:

4.1 Service Delivery

Providing, maintaining, and improving the Service;
Monitoring brands and detecting potential threats;
Generating Scan Results, alerts, and reports;
Processing AI-powered threat analysis;
Managing your Account and Subscription.

4.2 Billing and Payments

Processing subscription payments through Stripe;
Managing invoices, receipts, and billing history;
Handling refunds and billing disputes.

4.3 Communication

Sending service-related notifications and alerts;
Responding to support enquiries and feedback;
Providing product updates and security notices.

4.4 Security and Compliance

Protecting against fraud, abuse, and unauthorised access;
Monitoring for violations of our Terms of Service;
Complying with legal obligations and regulatory requirements.

4.5 Service Improvement

Analysing usage patterns and trends;
Improving AI model accuracy and threat detection capabilities;
Developing new features and functionality;
Conducting internal research and analytics.

4.6 Legal Bases for Processing (GDPR Users)

If you are located in the EEA, UK, or Switzerland, our legal bases for processing your personal data are:

| Legal Basis | Processing Activity |

|---|---|

| Performance of Contract | Providing the Service, managing your Account, billing |

| Legitimate Interests | Service improvement, analytics, security, AI model improvement |

| Legal Obligation | Compliance with applicable laws, responding to legal process |

| Consent | Marketing communications (where required), cookie consent |

You may withdraw your consent at any time where consent is the legal basis for processing. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

---

5. Artificial Intelligence and Automated Processing

5.1 How We Use AI

The Service employs artificial intelligence and machine learning to:

Analyse domain registrations and website content to identify potential phishing or impersonation;
Classify and score threats based on similarity to your brand;
Detect patterns of coordinated brand abuse;
Generate automated alerts and threat summaries; and
Improve detection accuracy over time.

5.2 Data Used by AI

AI Features process:

Your Brand Data (to understand what to protect);
Publicly available data (to identify potential threats); and
Scan Results (to refine threat detection and reduce false positives).

5.3 AI Data Isolation

We do not use your Brand Data or Scan Results to train general-purpose AI models shared with or accessible to other customers. Your data is used only to provide and improve the Service for your benefit and to enhance our overall threat detection capabilities in an aggregated, de-identified manner.

5.4 Automated Decision-Making (GDPR)

For users in the EEA, UK, or Switzerland: The Service uses automated processing to generate threat assessments and risk scores. These outputs are decision-support tools and do not constitute solely automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 of the GDPR. All enforcement decisions remain under your control.

If you believe an automated decision has significantly affected you, you may contact us at privacy@doppeldown.com to request human review.

---

6. Data Storage and Infrastructure

6.1 Cloud Infrastructure

The Service is hosted on cloud infrastructure provided by Supabase and related cloud service providers. Data may be stored in data centres located in various jurisdictions, depending on our infrastructure provider's architecture.

6.2 Data Locations

We primarily store data in cloud regions that provide the best performance and compliance for our users. Your data may be processed in:

Australia;
The United States;
The European Union; and
Other jurisdictions where our cloud infrastructure providers operate.

6.3 International Data Transfers

Where your personal information is transferred outside your country of residence, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the European Commission, where transfers are from the EEA;
Compliance with the APPs for transfers from Australia;
Contractual obligations with our sub-processors to maintain equivalent levels of data protection; and
Any other mechanisms permitted under applicable law.

---

7. Data Sharing and Disclosure

7.1 Service Providers (Sub-Processors)

We share personal information with trusted third-party service providers who assist us in operating the Service:

| Provider | Purpose | Data Shared |

|---|---|---|

| Supabase | Database hosting, authentication | Account data, Brand Data, Scan Results |

| Stripe | Payment processing | Billing information, email address |

| Email service provider | Transactional email delivery | Email address, notification content |

| Analytics provider | Usage analytics | Anonymised/aggregated usage data |

All service providers are contractually obligated to protect your data and process it only on our instructions.

7.2 Legal Requirements

We may disclose personal information where required to:

Comply with applicable law, regulation, or legal process;
Respond to valid government requests, including from law enforcement;
Protect the rights, privacy, safety, or property of you, us, or others; or
Enforce our Terms of Service.

7.3 Business Transfers

In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred to the acquiring entity. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

7.4 With Your Consent

We may share your personal information with third parties when you have given us explicit consent to do so.

7.5 No Sale of Personal Information

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

---

8. Data Retention

8.1 Retention Periods

We retain your personal information only for as long as necessary to fulfil the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

| Data Category | Retention Period |

|---|---|

| Account Information | Duration of account + 30 days after deletion request |

| Brand Data | Duration of account + 30 days after deletion request |

| Scan Results | Duration of account + 90 days (for audit and continuity purposes) |

| Billing Records | 7 years from the date of the transaction (as required by Australian tax law) |

| Usage Data | 24 months from collection |

| Log Data | 12 months from collection |

| Communications | Duration of account + 12 months after last interaction |

8.2 Deletion

When personal information is no longer required, we will securely delete or de-identify it. Deletion from active systems occurs promptly; deletion from backup systems may take up to an additional 90 days.

8.3 Post-Cancellation

Upon cancellation of your Subscription:

Your Account and associated data will be retained for 30 days to allow for reactivation;
After 30 days, your data will be queued for permanent deletion in accordance with the retention periods above; and
Billing records will be retained as required by law.

---

9. Data Security

9.1 Security Measures

We implement industry-standard technical and organisational measures to protect your personal information, including:

Encryption of data in transit (TLS/SSL) and at rest;
Access controls and authentication mechanisms;
Regular security assessments and monitoring;
Secure development practices;
Employee access limited to those with a legitimate need; and
Incident response procedures.

9.2 Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

Notify the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth);
Notify affected individuals as required by law;
For EEA/UK users, notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by the GDPR; and
Take immediate steps to contain and remediate the breach.

9.3 Your Responsibility

While we take reasonable steps to protect your information, no method of transmission over the internet or electronic storage is 100% secure. You are responsible for maintaining the security of your Account credentials and for any activity under your Account.

---

10. Cookies and Tracking Technologies

10.1 Types of Cookies We Use

| Cookie Type | Purpose | Duration |

|---|---|---|

| Essential Cookies | Authentication, session management, security | Session / persistent |

| Functional Cookies | User preferences, settings | Persistent (up to 12 months) |

| Analytics Cookies | Usage patterns, performance monitoring | Persistent (up to 24 months) |

10.2 Cookie Consent

We use essential cookies that are strictly necessary for the operation of the Service. For non-essential cookies (functional and analytics), we will obtain your consent where required by applicable law (including the GDPR ePrivacy Directive for EEA/UK users).

10.3 Managing Cookies

You can manage or disable cookies through your browser settings. Please note that disabling essential cookies may affect the functionality of the Service.

---

11. Your Rights

11.1 Rights Under Australian Privacy Law

Under the Australian Privacy Act 1988, you have the right to:

Access your personal information held by us;
Correction of inaccurate, out-of-date, incomplete, or misleading personal information;
Complaint to the OAIC if you believe we have breached the APPs.

11.2 Rights Under the GDPR (EEA/UK/Swiss Users)

If you are located in the EEA, UK, or Switzerland, you have additional rights under the GDPR, including:

Right of Access — Request a copy of your personal data;
Right to Rectification — Request correction of inaccurate personal data;
Right to Erasure ("Right to be Forgotten") — Request deletion of your personal data;
Right to Restriction of Processing — Request that we limit how we use your data;
Right to Data Portability — Request your data in a structured, commonly used, machine-readable format;
Right to Object — Object to processing based on legitimate interests or for direct marketing purposes;
Right to Withdraw Consent — Withdraw consent at any time where processing is based on consent; and
Right to Lodge a Complaint — Lodge a complaint with your local data protection supervisory authority.

11.3 Exercising Your Rights

To exercise any of your rights, please contact us at:

Email: privacy@doppeldown.com

We will respond to your request within:

30 days under Australian Privacy Law; or
One month under the GDPR (extendable by up to two additional months for complex requests).

We may need to verify your identity before processing your request. We will not charge a fee for exercising your rights unless the request is manifestly unfounded or excessive.

---

12. Children's Privacy

The Service is not directed at individuals under the age of 18 and is designed for business use. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take steps to delete it promptly.

---

13. Third-Party Links

The Service may contain links to third-party websites, platforms, or services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you interact with.

---

14. Marketing Communications

14.1 Service Communications

We will send you service-related communications (e.g., account notifications, threat alerts, billing confirmations) that are necessary for the operation of the Service. These are not marketing communications and cannot be opted out of while you maintain an active Account.

14.2 Marketing Communications

We may send you marketing communications about new features, product updates, or relevant offers. You can opt out of marketing communications at any time by:

Clicking the "unsubscribe" link in any marketing email;
Updating your communication preferences in your Account settings; or
Contacting us at privacy@doppeldown.com.

We will process your opt-out request promptly, and no later than within 5 business days.

---

15. Data Protection Officer

While we are not currently required to appoint a Data Protection Officer ("DPO") under the GDPR, we have designated a privacy contact to handle all privacy-related enquiries:

Privacy Contact

Email: privacy@doppeldown.com

Location: Queensland, Australia

---

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

Posting the updated Privacy Policy on our website with a revised "Last Updated" date;
Sending a notification to the email address associated with your Account; and/or
Displaying a prominent notice within the Service.

Material changes will be communicated at least 30 days before they take effect. Your continued use of the Service after the updated Privacy Policy takes effect constitutes your acceptance of the changes.

---

17. Complaints

17.1 Contact Us First

If you have a concern about how we handle your personal information, please contact us first at privacy@doppeldown.com. We take all complaints seriously and will endeavour to resolve your concern promptly.

17.2 Australian Users

If you are not satisfied with our response, you may lodge a complaint with the:

Office of the Australian Information Commissioner (OAIC)

Website: https://www.oaic.gov.au

Phone: 1300 363 992

Email: enquiries@oaic.gov.au

17.3 EEA/UK Users

If you are located in the EEA or UK, you may lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

---

18. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:

Dobson Development Pty Ltd

Email: privacy@doppeldown.com

Support: support@doppeldown.com

Location: Queensland, Australia

---

*This Privacy Policy was last updated on 2 February 2026.*