Privacy Policy
This policy explains what data DOZUS collects about you, why, and what you can do about it. It applies to the DOZUS mobile app and to dozus.app (this website).
We tried to write it in plain English. If anything is unclear, email dombthomas@icloud.com and we’ll explain.
01Who we are
DOZUS is operated by Dominic Thomas, trading as a sole trader. We are the data controller for the personal data described in this policy.
Contact: dombthomas@icloud.com
Jurisdiction: England & Wales
Last updated: 2026-05-27 (v1)
We are based in the United Kingdom. Our app is available globally, so this policy reflects UK GDPR, EU GDPR, the California Consumer Privacy Act (CCPA), and the U.S. Children’s Online Privacy Protection Act (COPPA) where each applies to you.
02What data we collect
We collect only what we need to run the service. Specifically:
| Category | Source | Purpose |
|---|---|---|
| Email and password hash | You at signup | Account creation, authentication |
| Listening history (sessions) | The app during playback | Track progress, day-number, completion |
| Selected protocol settings | You in the app | Personalise your experience |
| Purchase records | The app / Apple IAP (when added) | Deliver content you have paid for |
| Crash and error reports (device model, OS version, app version, anonymised IP) | The app, via Sentry | Find and fix bugs |
| Email-confirmation tokens | Resend transactional email | Verify you own the email address |
We do not collect: your name, your phone number, your address, your date of birth, your contacts, your location, your photo library, your microphone input, your advertising identifier, or any biometric data. We do not run third-party advertising trackers or analytics SDKs inside the app.
03Why we collect it (lawful basis)
Under UK and EU GDPR, every piece of personal data we hold sits under a specific lawful basis. Here is ours:
| Category | Purpose | Lawful basis |
|---|---|---|
| Email + password hash | Account creation, auth | Contract (Art. 6(1)(b)) |
| Listening history | Track progress within a protocol | Contract (Art. 6(1)(b)) |
| Selected protocol settings | Personalisation | Contract (Art. 6(1)(b)) |
| Purchase records | Provide purchased content | Contract (Art. 6(1)(b)) |
| Crash & error reports | Detect and fix bugs | Legitimate interest (Art. 6(1)(f)) |
| Email-confirmation tokens | Verify email ownership | Contract (Art. 6(1)(b)) |
Our legitimate interest in crash reporting is keeping the app working for everyone. We balance this against your privacy by anonymising IP addresses, by not collecting screen contents, and by capping retention at 90 days.
04Who we share it with (sub-processors)
We use a small set of trusted vendors to run the service. Each one only sees the data needed for their specific job, under a written data-processing agreement.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase Inc. | Authentication, database, storage (audio, signed URLs) | EU (eu-west-2, London) |
| Functional Software Inc. d/b/a Sentry | Crash + error reporting | US — Standard Contractual Clauses + UK addendum |
| Apple Inc. | App delivery, IAP receipt validation (when added) | US — SCCs + UK addendum |
| Resend (Resend.com) | Transactional email (sign-up confirmation, password reset) | US — SCCs + UK addendum |
We do not sell your personal data to anyone, ever. We do not share it with advertisers. We do not use it to train external machine-learning models.
05International transfers
Our primary database is hosted in the EU (Supabase, eu-west-2, London). For UK and EU users, account data and listening history stay in the EU.
Three of our sub-processors (Sentry, Apple, Resend) are based in the United States. When we send personal data to them, we rely on the European Commission’s Standard Contractual Clauses (SCCs) together with the UK International Data Transfer Addendum to provide an equivalent level of protection.
For users in the United States, the relevant data is processed under U.S. law.
06How long we keep it
- Account data (email, password hash, listening history, settings, purchases): kept for as long as your account exists. Deleted within 30 days of you closing the account, except where we are required to retain a record (e.g. tax law for purchase receipts).
- Crash and error reports: kept on a rolling 90-day window, then deleted by Sentry automatically.
- Email-confirmation tokens: deleted within 24 hours of issue.
- Purchase records retained by Apple under their policies, separately from our database.
07Your rights (UK and EU)
If UK GDPR or EU GDPR applies to you, you have the following rights (Articles 12–22):
- Access — ask for a copy of the personal data we hold on you.
- Rectification — ask us to correct anything inaccurate.
- Erasure (“right to be forgotten”) — ask us to delete your account and the data tied to it. The fastest route is the in-app delete (see how to delete your account).
- Restriction — ask us to pause processing while a dispute is being resolved.
- Portability — ask for a copy of your account data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest (i.e. crash reporting).
- Automated decision-making — we don’t make any decisions about you using automated processing alone, so there is nothing to object to under Article 22 right now. If that ever changes, this policy will be updated first.
08Your rights (California — CCPA)
If you are a California resident, the California Consumer Privacy Act gives you the following rights:
- Right to know — what personal information we collect and how it is used.
- Right to delete — ask us to delete personal information we hold about you.
- Right to opt out of sale — we do not sell or share personal information for cross-context behavioural advertising. There is nothing to opt out of, but you have that right on principle.
- Right to non-discrimination — we will not deny you service, charge you a different price, or give you a lower-quality experience for exercising any of these rights.
To exercise these rights, email dombthomas@icloud.com with “CCPA request” in the subject line. We will respond within 45 days.
09Children
DOZUS is intended for users aged 16 and over. At sign-up, every user must confirm they are 16 or older.
We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has created a DOZUS account, please email dombthomas@icloud.com and we will delete the account and any data associated with it.
For users in the United States, we comply with the Children’s Online Privacy Protection Act (COPPA), which protects children under 13. As above — we do not knowingly collect data from anyone under 16, which includes anyone under 13.
10Cookies and similar technologies
The DOZUS app uses no advertising cookies, no advertising trackers, no third-party analytics SDKs, and no cross-app identifiers.
The DOZUS website (dozus.app) does not set tracking cookies. We may use localStorage in your browser to remember quiz progress or theme preference — that data stays on your device and is never sent to us.
11How to exercise your rights
Email dombthomas@icloud.com from the address tied to your account. Tell us which right you want to exercise.
We will:
- Confirm we received your request within 7 days.
- Respond substantively within 30 days (UK/EU GDPR) or 45 days (CCPA).
- Not charge you a fee for a first request. If a request is manifestly unfounded or excessive, we may charge a reasonable admin fee — but we’ll tell you first, and you can always withdraw.
The fastest way to exercise your right to erasure is the in-app delete button (You tab → cog → Delete account). See account deletion for details.
12Right to complain
If you think we’ve mishandled your data, please tell us first — we’d much rather fix it directly. If you’re not satisfied with our response, you have the right to complain to a data protection authority:
- UK: Information Commissioner’s Office (ICO) — ico.org.uk
- EU: your local national data protection authority (the EDPB maintains a list at edpb.europa.eu).
- California: California Attorney General — oag.ca.gov/privacy
13Changes to this policy
When we make changes, we update the “Last updated” date at the top and bump the version number. For material changes (anything that meaningfully affects what we collect, why, or who we share it with) we will also notify you inside the app before the new policy takes effect.
14Contact
Contact: dombthomas@icloud.com
Jurisdiction: England & Wales
Last updated: 2026-05-27 (v1)
If you prefer to write by post, contact us first by email for a current postal address.