Data Privacy & Protection

Privacy Policy

Last Updated: May 19, 2026

01. Scope of Personal Data Collection

When you log in to this platform, we collect basic information (such as your email address and public display name) through Google OAuth to create your account and perform identity verification.

The platform stores and manages general documents, Spec documents, QA test case documents, Project Documents, versions, comments, external resources, custom templates, user preferences, and onboarding demo state. Access is controlled by account, collaborator, and project permissions.

In addition, after analytics consent is granted, this platform may collect usage behavior data through third-party analytics tools (see Section 03) to improve service quality.

02. AI Key Privacy & Security

Important Security Statement

This platform manages your AI API key for Gemini, OpenAI, or Claude through server-side flows. Your key is transmitted via HTTPS and stored in the Supabase cloud database, protected by Row Level Security (RLS) and account-level access rules.

  • Once saved, your key is never returned to the browser — only a boolean "configured" status is sent back.
  • When you use AI features, DahTahDoc's authenticated server API reads the key and calls the AI provider API. The key does not appear in your browser network requests.
  • The key record in the database is protected by RLS, ensuring only your account can access it.

Security tip: We strongly recommend setting a daily or monthly usage/spending limit on your API key in your provider's console. BYOK provider costs and quotas remain controlled by your provider account settings.

03. Analytics Tools & Tracking Technologies

Google Analytics 4 (GA4)

After you consent to analytics cookies, this platform uses Google Analytics 4 to analyze website traffic and user behavior in order to improve service quality. GA4 may collect page views, session duration, device and browser information, approximate geographic location, traffic sources, and user interaction events. Data is processed by Google LLC and may be transferred to the United States.

Please refer to the Google Privacy Policy for details.

Google Tag Manager (GTM)

This platform uses Google Tag Manager to manage third-party tracking scripts. GTM itself is a tag management container that does not directly collect personal user data; the platform injects GTM only after analytics cookie consent is granted.

Please refer to the Google Privacy Policy for details.

Microsoft Clarity (Session Replay & Heatmaps)

This platform uses Microsoft Clarity for user experience analysis, including Heatmap and Session Replay features.

Microsoft Clarity may collect mouse movement paths, click positions, scroll behavior, time spent on pages, and replayable session recordings. This platform has enabled Clarity's automatic masking feature, which automatically obscures sensitive fields such as password inputs. However, please avoid recording highly confidential information in your documents.

This data is collected to understand user interaction patterns and identify interface design issues in order to continuously improve the product experience. Data is processed by Microsoft Corporation and may be transferred to the United States.

Please refer to the Microsoft Privacy Statement and the Microsoft Clarity Privacy page for details.

Accesserty

This platform may load accessibility checking or assistance scripts provided by Accesserty to help improve public-page accessibility. Data processing for that service is governed by the provider's own policy.

Google Search Console

This platform uses Google Search Console to monitor the website's indexing status and search performance on Google. This tool is used exclusively for site administration purposes. It does not set cookies on your device and does not collect any personally identifiable information.

Microsoft Bing Webmaster Tools

This platform uses Microsoft Bing Webmaster Tools to monitor the website's indexing status on Bing. This tool is used exclusively for site administration purposes. It does not set cookies on your device and does not collect any personally identifiable information.

04. Cookie Policy

This platform uses the following cookies. Cookies are small text files stored in your browser to identify user sessions or remember preferences.

| Cookie Name | Source | Purpose | Retention |
|---|---|---|---|
| sb-access-token | This Platform / Supabase Auth | Maintains authenticated sessions | Up to 7 days |
| _ga | Google Analytics | Distinguishes unique users | 2 years |
| _ga_* | Google Analytics | Maintains session state | 2 years |
| _gid | Google Analytics | Distinguishes users (short-term) | 24 hours |
| _clck | Microsoft Clarity | Identifies user for Clarity analysis | 1 year |
| _clsk | Microsoft Clarity | Links page views in the same session | 1 day |
| CLID | Microsoft Clarity | Identifies first-visit timestamp | 1 year |
| dahtahdoc-cookie-consent | This Platform localStorage | Stores cookie consent choice | Until cleared or reset by the user |
| auth_redirect_lang | This Platform localStorage | Preserves language preference after OAuth redirect | Short-lived |
| sa-editor-* / govspec-* | This Platform localStorage | User preference fallback, legacy migration, or transient state | Until cleared or superseded by account preferences |
| i18n_redirected | This Platform | Remembers your language preference | Session |

You can manage or delete cookies through your browser settings. Disabling cookies may affect the normal operation of some features on this platform.

05. Data Security Measures

This platform uses cloud services and HTTPS to protect data transmission. We use Supabase Row Level Security (RLS) and application-level permission checks to protect documents, projects, versions, comments, external resources, custom templates, user preferences, and AI key records from unauthorized cross-account access.

06. Third-Party Services & AI Features

When you use AI-assisted features, the platform server reads your stored API key and sends only the content needed for that feature to your configured AI service provider (Gemini, OpenAI, or Claude). By feature:

  • AI writing assistance may use current document context or selected content.
  • QA generation uses compressed Spec content only when the user explicitly enables the LLM option.
  • Role Review reads only the current Spec document and does not read the whole project, external resources, split-view documents, comments, or links.
  • Spec Change Plan is available only for editable Project Specs and, after the user enters a proposed change or explicitly sends one comment into the change description, reads the current Spec and that change request only. It does not read the whole project, QA files, all comments, anchors, links, external resources, or version history, and it does not save results.
  • Reader Brief reads only the selected published Spec version.
  • Folder Q&A reads only visible, non-deleted documents in the selected folder after you submit a question and returns source documents. Each user's per-folder Q&A history is saved under their account until they clear it, including source-document snapshots for answers so older answers can be flagged as stale.

Please refer to each AI provider's privacy policy to understand how they handle data. Your API key is not returned to your browser at any point in this process.

07. Your Privacy Rights

Under applicable privacy laws, you have the following rights regarding your personal data:

  • Right to Access: You may request confirmation of whether this platform holds your personal data.
  • Right to Deletion: You may request deletion of your account and associated document data.
  • Right to Opt Out of Tracking: You may use the Google Analytics Opt-out Browser Add-on to disable GA4 tracking, or clear Microsoft Clarity cookies via your browser settings to stop session recording.

To exercise any of the above rights or for any privacy-related inquiries, please contact us through the platform's provided contact channels.

08. Updates to This Policy

This Privacy Policy may be updated periodically to reflect changes in our business practices or legal requirements. For significant changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify users via in-platform announcements. We encourage you to review this page regularly to stay informed of the latest content.

You can withdraw your consent at any time on the Privacy Policy page.