The short version
- We don't train AI on your code, prompts, or files.
- Each workspace is private. Strong isolation between accounts — other customers can't read your files.
- We share data with a short list of third-party services — AI, payments, email, CDN, infrastructure. The categories are listed below. Customers under NDA can request the named list.
- You can export or delete your data any time. Email legal@doosrabox.com.
What we collect
Account
- Email address, display name, hashed password.
- Tenant membership, role, billing state.
- IP address and user agent of each session (for security alerts and abuse handling).
Workspace
- Files you create or upload to your workspace.
- Chat history with Claude (stored per session for replay; you can delete a session anytime).
- App screenshots when Claude explicitly requests them as part of a tool call.
Operational telemetry
- Per-seat AI usage counts (so we can show you usage).
- Container uptime, region, build version.
- Error logs (sanitized — no file contents, no chat content).
What we don't collect
- We do not train AI models on your data, ever.
- We do not sell or rent any personal data.
- We don't use third-party analytics that fingerprint visitors. The marketing site sets no third-party cookies; the app sets exactly one (your session cookie).
Where data lives
Our account infrastructure (sign-in, billing, account metadata) runs in Frankfurt, Germany. Your workspace's files, browser session, and chat history live in the region you picked at signup — Frankfurt or Mumbai. Enterprise customers can pin to dedicated infrastructure.
Subprocessors
We use a small number of third-party services to run Doosra Box. They're listed by category below; the named list is available to customers under NDA — email legal@doosrabox.com.
- AI provider — receives the prompts you send to the workspace assistant so it can answer.
- Payment processor — handles all card, UPI, and netbanking transactions; receives billing-related contact information.
- Email service — delivers our transactional emails (sign-up verification, password reset, billing).
- CDN provider — serves this marketing site at the edge.
- Cloud infrastructure provider — runs the servers your workspace lives on.
We don't add new categories of subprocessors without notice. If a named provider in any category changes, we update the named list we maintain for NDA customers; the categories above are stable.
Your rights
You can export your data, correct it, or delete your account at any time. EU/UK customers have full GDPR rights; Indian customers have full DPDP Act rights. Email legal@doosrabox.com with the request and we'll respond within 30 days (usually within 5 business days).
Security
Passwords are hashed and never stored in plain text. Sign-in cookies are tightly scoped and only sent over HTTPS. Public traffic is encrypted in transit. Each account's workspace is isolated at the operating-system level so a bug in our app code can't expose one customer's files to another.
Changes
When we update this policy in a way that affects your rights, we email everyone with an active account at least 14 days before the change. Routine clarifications are noted at the top of this page with a new "last updated" date.
Contact
Email legal@doosrabox.com. For deletion or export requests specifically, mention "Data subject request" in the subject line and we'll route it to the right person.