Privacy Policy

Effective Date: January 4, 2026 · Last Updated: January 14, 2026

1. Introduction

DoraPass ("we", "us", "our") is a software-as-a-service platform that helps EU financial entities compile and validate their DORA Register of Information (RoI).

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service at https://dorapass.com.

We are committed to compliance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

The data controller for your personal data is:

DoraPass
Email: hello@dorapass.com
Website: https://dorapass.com

For data protection inquiries, contact us at: hello@dorapass.com

3. What Data We Collect

3.1 Account Data

When you register for DoraPass, we collect:

  • Email address — For account access and communication
  • Name — To personalize your experience
  • Organization name — To identify your account
  • Country — For regulatory context and billing

3.2 Billing Data

When you subscribe, our payment processor (Stripe) collects:

  • Payment card details (we do not store card numbers)
  • Billing address
  • VAT number (if applicable)

We receive from Stripe: transaction confirmations, subscription status, and invoice records.

3.3 Customer Data (RoI Data)

You input data about your organization's ICT third-party service providers, including:

  • Provider names and identifiers (LEI, registration numbers)
  • Contract details
  • Service descriptions
  • Contact information for vendors

This data is your property. We process it solely to provide the Service.

3.4 Usage Data

We automatically collect:

  • IP address (anonymized for analytics)
  • Browser type and version
  • Pages visited and features used
  • Timestamps of activity
  • Error logs (for troubleshooting)

3.5 Communication Data

When you contact us:

  • Email correspondence
  • Support ticket content
  • Feedback you provide

4. Legal Basis for Processing

Under GDPR, we process your data based on the following legal grounds:

Data Type            Legal Basis                        GDPR Article
Account Data         Contract performance               Art. 6(1)(b)
Billing Data         Contract performance               Art. 6(1)(b)
Customer Data (RoI)  Contract performance               Art. 6(1)(b)
Usage Data           Legitimate interests               Art. 6(1)(f)
Communication Data   Contract / Legitimate interests    Art. 6(1)(b)/(f)
Marketing emails     Consent                            Art. 6(1)(a)

5. How We Use Your Data

We use your data to:

1. Provide the Service

  • Create and manage your account
  • Process and validate your RoI data
  • Generate export files
  • Process payments

2. Improve the Service

  • Analyze usage patterns (anonymized)
  • Fix bugs and errors
  • Develop new features

3. Communicate with You

  • Send transactional emails (account confirmations, receipts)
  • Respond to support requests
  • Send service updates (maintenance, security)
  • Send marketing communications (only with your consent)

4. Comply with Legal Obligations

  • Maintain financial records
  • Respond to lawful requests from authorities

6. Data Sharing

6.1 We Do Not Sell Your Data

We never sell, rent, or trade your personal data to third parties.

6.2 Subprocessors

We share data with the following service providers who process data on our behalf:

Provider                        Purpose                 Location
Hetzner Online GmbH             Hosting infrastructure  Germany (EU)
Stripe, Inc.                    Payment processing      EU/US (EU-US DPF certified)
Google LLC (Google Analytics)   Website analytics       EU/US (EU-US DPF certified)

We maintain Data Processing Agreements with all subprocessors.

6.3 Legal Requirements

We may disclose data if required by law, court order, or to protect our legal rights.

6.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before this occurs.

7. International Data Transfers

7.1 Primary Storage

All Customer Data is stored in the European Union (Germany, Hetzner data centers).

7.2 Transfers Outside the EU

Stripe: Stripe is certified under the EU-US Data Privacy Framework and maintains Standard Contractual Clauses for international transfers.

Google Analytics: Google LLC is certified under the EU-US Data Privacy Framework. Analytics data is processed with IP anonymization enabled.

We only use subprocessors that provide adequate safeguards for international data transfers under GDPR Chapter V.

8. Data Retention

We retain your data for the following periods:

Data Type                  Retention Period
Account Data               Duration of account + 2 years
Billing Data               7 years (legal requirement)
Customer Data (RoI)        Duration of account + 30 days after deletion request
Usage Data                 12 months (anonymized thereafter)
Communication Data         3 years
Marketing consent records  Duration of consent + 3 years

After the retention period, data is securely deleted or anonymized.

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

9.1 Technical Measures

  • TLS/SSL encryption for all data in transit
  • Encryption at rest for sensitive data
  • Regular security updates and patches
  • Access controls and authentication
  • Regular backups with encryption

9.2 Organizational Measures

  • Limited access on a need-to-know basis
  • Security awareness practices
  • Incident response procedures
  • Regular security reviews

9.3 Data Breach Notification

In the event of a personal data breach:

  • We will notify the relevant supervisory authority within 72 hours (if required)
  • We will notify affected individuals without undue delay (if high risk)
  • We will document the breach and remediation steps

10. Your Rights

Under GDPR, you have the following rights:

10.1 Right of Access (Art. 15)

You can request a copy of your personal data.

10.2 Right to Rectification (Art. 16)

You can request correction of inaccurate data.

10.3 Right to Erasure (Art. 17)

You can request deletion of your data ("right to be forgotten"), subject to legal retention requirements.

10.4 Right to Restrict Processing (Art. 18)

You can request that we limit how we process your data.

10.5 Right to Data Portability (Art. 20)

You can request your data in a structured, machine-readable format.

10.6 Right to Object (Art. 21)

You can object to processing based on legitimate interests.

10.7 Right to Withdraw Consent (Art. 7)

Where processing is based on consent, you can withdraw it at any time.

10.8 How to Exercise Your Rights

To exercise any of these rights:

  • Email: hello@dorapass.com
  • Subject: "Data Rights Request"

We will respond within 30 days. We may request identification to verify your request.

10.9 Right to Complain

You have the right to lodge a complaint with a supervisory authority. The relevant authority depends on your location. For example:

  • Netherlands: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl)
  • Germany: Die Bundesbeauftragte für den Datenschutz

11. Cookies and Tracking

11.1 Our Cookie Policy

We use functional cookies for site operation and analytics cookies to understand how visitors use our website. We do not use advertising or behavioral tracking cookies.

11.2 Cookies We Use

Cookie          Purpose                                Duration  Type
Session cookie  Maintain login state                   Session   Strictly necessary
Preferences     Remember your settings                 1 year    Functional
_ga             Google Analytics - distinguish users   2 years   Analytics
_ga_*           Google Analytics - session state       2 years   Analytics

11.3 Google Analytics

We use Google Analytics (GA4) to understand how visitors interact with our website. This helps us improve the user experience and measure the effectiveness of our content.

  • Google Analytics uses cookies to collect anonymous usage data
  • IP addresses are anonymized before processing
  • We do not enable advertising features or data sharing with Google
  • Google LLC is certified under the EU-US Data Privacy Framework

You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

11.4 Managing Cookies

Most browsers allow you to control cookies through their settings. You can delete existing cookies and block new ones. Note that blocking strictly necessary cookies may affect site functionality.

12. Marketing Communications

12.1 Opt-In Required

We only send marketing emails if you have explicitly opted in.

12.2 Unsubscribe

Every marketing email includes an unsubscribe link. You can opt out at any time.

12.3 Transactional Emails

Service-related emails (account confirmations, receipts, security alerts) are not marketing and do not require consent.

13. Children's Privacy

DoraPass is a business-to-business service. We do not knowingly collect data from individuals under 18 years of age.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will:

  • Post the updated policy on our website
  • Update the "Last Updated" date
  • Notify you by email for material changes

15. Contact Us

For questions about this Privacy Policy or our data practices:

DoraPass
Email: hello@dorapass.com
Website: https://dorapass.com

For formal data protection requests, email hello@dorapass.com with subject line "Data Protection Request".

By using DoraPass, you acknowledge that you have read and understood this Privacy Policy.