Last updated: June 10, 2026
1. Controller and scope
This Privacy Policy explains how dossaro processes personal data in connection with the dossaro website, account area, MCP endpoint, connectors, billing flows, documentation, support and public-register research service. The controller for this processing is Hagen Hoferichter, Reuterstr. 1, 12053 Berlin, Germany, acting as an individual provider under the trade name dossaro ("dossaro", "we", "us").
For privacy questions, data-subject requests or customer-reference opt-outs, contact privacy@dossaro.com.
2. What dossaro does
dossaro helps authenticated business users research public company records and supporting documents. The service may search public registers, retrieve public filings, parse documents, extract source-backed facts, show source trails and present research output inside dossaro or a customer-selected MCP client such as ChatGPT or Claude.
dossaro does not create official register extracts and does not make solely automated legal, financial, investment, compliance or similarly significant decisions about individuals.
3. Data we process
| Category | Examples |
|---|---|
| Website and device data | IP address, user agent, request logs, security events, pages viewed, technical cookies or local storage required for the service. |
| Account data | Email address, authentication identifiers, organization name, user role, session data, account status and consent records. |
| Billing data | Plan, credits, invoices, payment status, Stripe customer and subscription identifiers, billing contact details and tax information. |
| MCP usage data | Tool calls, prompts or query parameters, operation type, credit reservations, quota events, source requests, errors, timestamps and diagnostic logs. |
| Support data | Messages, feedback, contact details, issue descriptions and related account or usage context. |
| Public-register research data | Company names, register numbers, officers, directors, shareholders, signatories, addresses, filings, document metadata, source URLs, source hashes, extracted text and parser metadata. |
4. Purposes and legal bases
We process personal data only where we have a lawful basis. The main purposes and legal bases are:
| Processing | Purpose | Legal basis |
|---|---|---|
| Website, security and device data | Operate the website, secure the service, diagnose errors, prevent abuse and maintain request records. | Legitimate interests, Article 6(1)(f) GDPR. |
| Account, authentication and session data | Create accounts, authenticate users, manage organizations, enforce access controls and provide account features. | Contract performance, Article 6(1)(b) GDPR, and legitimate interests, Article 6(1)(f) GDPR. |
| Billing, credits and tax records | Process payments, administer subscriptions, enforce credits, issue invoices, handle disputes and keep statutory records. | Contract performance, legal obligations and legitimate interests, Articles 6(1)(b), 6(1)(c) and 6(1)(f) GDPR. |
| MCP usage, tool calls and prompts | Deliver requested tool output, enforce quotas, debug failures, provide support, prevent abuse and document usage or credit events. | Contract performance and legitimate interests, Articles 6(1)(b) and 6(1)(f) GDPR, or customer instructions where dossaro acts as processor. |
| Public-register research data | Provide source-backed company research, retrieve public filings, parse documents, preserve source trails, deduplicate retrieval, verify results and document limitations. | Legitimate interests, Article 6(1)(f) GDPR, or customer instructions where dossaro acts as processor. |
| Support, feedback and communications | Respond to requests, investigate issues, improve the service, handle disputes and keep customer communication records. | Contract performance and legitimate interests, Articles 6(1)(b) and 6(1)(f) GDPR. |
| Customer references and logo use | Identify business customers or users in website, sales, investor or customer communications, subject to opt-out. | Contract performance and legitimate interests, Articles 6(1)(b) and 6(1)(f) GDPR. |
Legitimate interests include operating a B2B research service, securing the service, preserving source integrity, preventing abuse, enforcing credits, documenting source limitations, handling disputes, making public-register information usable for evidence-focused company research, and identifying business customers in ordinary B2B communications. Where we rely on legitimate interests for public-register enrichment, caching or source trails, we apply necessity and balancing safeguards, including source attribution, authenticated access, bounded retrieval, security controls, rights-request channels, restriction review and avoidance of unsupported beneficial-ownership conclusions.
5. Public-register data and Article 14 GDPR
Public-register research data is usually obtained from official registers, public filings, public APIs, register portals, company disclosures, customer-directed queries or other public source systems rather than directly from the individuals named in those records. Those records can include personal data about company officers, directors, shareholders, beneficial-owner-like references where present in source material, representatives, signatories and other persons connected to a legal entity.
Providing an individual notice to every person named in every public register document may involve disproportionate effort, especially where the data comes from public-source material, contact details are not reliably available, the volume of named persons can be high, requests are customer-directed, and the processing is part of transient or reusable source-backed research workflows. dossaro therefore documents its legitimate-interest analysis and Article 14(5)(b) GDPR position separately and provides this public notice as a general transparency measure.
Safeguards include authenticated B2B access, source attribution, source limitation display where available, no official certification of register content, no use of dossaro as the sole basis for legally significant decisions about individuals, rights-request channels, restriction or objection review, and source limitation handling where technically feasible and legally required.
You may contact privacy@dossaro.com if you believe public-register data about you is inaccurate, outdated, unlawfully processed or should be restricted, erased or supplemented with a source limitation.
6. Controller and processor roles
dossaro generally acts as controller for website operation, account management, billing, security, abuse prevention, product analytics, customer references and service administration.
Where a business customer uses dossaro to process personal data for its own research purposes and determines the purposes and means of that processing, dossaro may act as processor. In that case, the Data Processing Agreement applies where applicable, and the customer remains responsible for its own legal basis, notices, instructions, retention decisions and use of results.
7. Sharing, subprocessors and connectors
We share personal data only where needed for the service, legal compliance, security, billing, support, public-source retrieval or customer-directed connector use. Current service providers and relevant third-party environments include:
| Provider or environment | Purpose or role | Transfer position |
|---|---|---|
| Cloudflare | Hosting, edge delivery, security, Workers, storage, routing, logs and related infrastructure. | May process outside the EEA under applicable safeguards. |
| Supabase | Authentication, account data, sessions, database storage, usage records and credit records. | May process outside the EEA under applicable safeguards. |
| Stripe | Checkout, billing, invoices, payment processing, fraud prevention, customer portal, tax and compliance records. | May process outside the EEA under applicable safeguards and payment-network requirements. |
| Modal | Document retrieval, OCR, parsing and compute workers for register-document workflows. | May process outside the EEA under applicable safeguards. |
| Google/Gemini | OCR, extraction or model fallback where those features use Google-hosted model services. | May process outside the EEA under applicable safeguards. |
| Public registers, public APIs and source portals | Independent source systems queried to retrieve requested public records and filings. | Depends on the source system, jurisdiction and customer-directed query. |
| Customer-selected MCP clients | OpenAI/ChatGPT, Anthropic/Claude or another client only where you choose to connect dossaro through that environment. | Controlled by your provider account and governed by that provider's terms, privacy policy and data-use settings. |
Some providers may process data outside the European Economic Area. Where required, we rely on adequacy decisions, the EU-US Data Privacy Framework where applicable, standard contractual clauses, data processing agreements or other lawful transfer safeguards.
8. Retention
We keep personal data only for as long as needed for the purposes described above, including account operation, billing, legal compliance, security, abuse prevention, source integrity, deduplication, credit enforcement, auditability, dispute handling, legal claims and product operation.
Account and billing records may be retained for statutory retention periods. Usage, security and diagnostic logs are retained as needed for operation, security, debugging, credit enforcement and abuse prevention. Public-register cache entries, source metadata, document hashes, extracted text and parser metadata may be retained where needed to avoid repeated retrieval, preserve source trails, verify results, enforce credits, document limitations, resolve disputes or support legal claims.
Public-register material may remain available at the original register, public source, portal or third-party system even if dossaro restricts, corrects or deletes its own copy. Deletion, restriction and objection requests are assessed under applicable GDPR limits and may be refused or limited where legal obligations, legal claims, contractual records, security records, public-source integrity, source attribution or overriding legitimate grounds require retention.
9. Cookies and storage
The V0 service is not designed to use marketing cookies by default. We may use technical cookies, local storage, session storage or similar browser storage where needed for authentication, session continuity, security, account operation, billing flows, UI state, service operation or abuse prevention.
If dossaro later uses non-essential analytics, advertising or marketing storage, we will provide the required notice, consent mechanism or other lawful basis before using that storage where required by applicable law.
10. Your GDPR rights
Subject to the conditions and limits in applicable law, you may request access, rectification, erasure, restriction, portability and information about processing. You may object to processing based on legitimate interests, including public-register enrichment, where your particular situation gives grounds for objection.
You may also withdraw consent where processing is based on consent, and you may lodge a complaint with a competent data-protection supervisory authority. To exercise rights, contact privacy@dossaro.com. We may need to verify your identity and may refuse or limit requests where required or permitted by law, including where public-register retention, legal claims, contractual records, security records or overriding legitimate grounds apply.
11. Security and international use
We use technical and organizational measures designed to protect the service, including authenticated access, provider security controls, logging, quota enforcement and operational monitoring. No internet service can be guaranteed to be secure, and you are responsible for protecting your credentials, third-party connector accounts and downstream exports.
dossaro is intended for business use. It is not directed to children and should not be used to submit children's personal data.
12. Changes
We may update this Privacy Policy as the service, providers, legal requirements or public-register workflows change. The date at the top shows the latest update. Material changes may be notified through the website, account area or email where appropriate.
