Privacy Policy
Effective date: December 18, 2025
Welcome to Doven (“we”, “us”, “our”). Doven is an email automation platform that helps users send and manage email campaigns using their own Gmail accounts. This Privacy Policy explains what information we collect, how we use it, how we store it, and how you can control it.
1. What data we collect
- Account information: name, email address, and other profile data you provide when you create an account on Doven.
- OAuth tokens (Google): encrypted access tokens and refresh tokens issued by Google when you connect your Gmail account via Google OAuth. Tokens are used only to perform actions you authorize (for example, sending mail).
- Usage and logs: activity logs, error logs, and basic analytics for diagnosing issues and improving service quality (IP addresses, timestamps, user agent).
- Campaign metadata: campaign names, recipients you provide, templates and scheduling metadata. We do not keep or use content beyond what you explicitly store in the app for sending your campaigns.
2. Google / Gmail access — exactly what we request and why
When you connect a Gmail account via Google OAuth, Doven will request only the scopes necessary for the feature you enable. Example scopes we may request:
- openid, email, profile — used to authenticate you and obtain your basic profile (name and email) so we can create your Doven account and sign you in.
- https://www.googleapis.com/auth/gmail.send — used to send email on your behalf (campaign delivery, verification messages, transactional messages). Doven will not read the content of your incoming mail.
- https://www.googleapis.com/auth/gmail.readonly or https://www.googleapis.com/auth/gmail.modify — only requested if the user explicitly authorizes additional features such as mailbox synchronization or label management. These are requested separately and justified in the consent screen.
We will never request sensitive/restricted scopes such as full “mail.google.com” access unless previously justified and explicitly approved by Google and by you.
3. How we use the data
- Authenticate users and create user accounts.
- Send email messages using your connected Gmail account when you explicitly request a send (campaign send or test mail).
- Show campaign and account status, deliverability metrics, and basic usage analytics.
- Detect and prevent abuse (rate limits, spam detection) to protect your account and Doven’s reputation.
4. Token storage & security
OAuth tokens are stored encrypted at rest. Key points:
- Tokens are encrypted using a server-side encryption key and written with restricted file permissions.
- Only the minimum services necessary can read or decrypt tokens, and employees do not have direct access to plaintext tokens.
- We rotate and protect encryption keys using secure storage practices. If a token refresh fails (for example, because the token was revoked), we remove the stored token so the user can re-authorize safely.
5. How to revoke or disconnect
You can disconnect Doven from your Google account at any time:
- Within Doven: go to Accounts → Disconnect for the connected Gmail account. This removes the stored token from our servers and stops further sends.
- From Google: visit Google Account > Security > Third-party apps with account access and remove Doven.
6. Data retention & deletion
We retain your account data and encrypted tokens only as long as necessary for the features you use. When you delete your Doven account or disconnect a Gmail account, we will:
- Remove the associated OAuth token(s) from our servers.
- Remove campaign metadata and personal data upon request (see contact below).
To request full deletion of your account and stored data, contact support@doven.com. We will respond to deletion requests promptly and confirm completion.
7. Cookies & third-party services
We use cookies and similar technologies for session management and to provide the user interface. We also use third-party services for hosting, analytics, and email delivery infrastructure. These may include (but are not limited to) Render, Google Cloud services, and analytics providers. We do not sell your personal data.
8. International transfers & legal basis
Doven is operated from (your company country here). If you are located outside that country, your data may be transferred to — and processed in — the country where our servers and service providers operate. For users in jurisdictions with data protection laws (for example, GDPR), our legal basis for processing your data is your consent and our need to perform the service you request.
9. Children
Doven is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, contact us and we will remove it.
10. Security incidents
If a security incident affecting your personal data occurs, we will follow applicable notification laws and inform affected users and regulators as required.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will post the new policy at https://doven.onrender.com/privacy and update the effective date at the top of the page.
12. Contact
If you have questions about this policy, would like to request data deletion, or need support, contact us at:
support@doven.com
Thank you for trusting Doven. We only access the minimum data required and we take security and transparency seriously.