Privacy Policy

Last updated: 17 December 2025

Our commitment to your privacy:
Your trust is essential to us. This privacy policy explains how Dagg Intelligence Systems collects, uses, protects, and shares your information when you use our services.

1. Introduction

This Privacy Policy describes how Dagg Intelligence Systems (“DIS”, “we”, “us”, or “our”) collects, uses, and protects personal data when you use our agent-native software development platform and knowledge machine.

DIS is designed for small and mid-sized software development teams and integrates with tools like GitHub, Linear, Slack, Notion, and Google Docs to provide intelligent project insights and automated analysis.

This policy applies to all users of DIS, including workspace administrators, team members, and visitors to our website. This Privacy Policy should be read in conjunction with our Terms of Use.

2. Who We Are

Data Controller: Dagg Intelligence Services AB (registration number 559543-9513), Sweden

For questions about this privacy policy or to exercise your data rights, please contact us at: privacy@dagg.ai

3. Information We Collect

Account and Identity Information

• Authentication data: Email address, name, and profile information from your SSO provider (Google, etc.).
• Account details: User ID, workspace/project memberships, roles, and permissions.
• Contact information: Email address for account notifications and service communications.

Customer Content

When you connect DIS to your development tools, we collect and process the following to power our knowledge graph and AI agents:

• Source code: Repository content, commits, branches, comments, Continuous Integration/Deployment results, and pull requests from your Version Control System.
• Documentation: Pages, comments, and content from Notion, Google Docs, GitHub, or similar platforms.
• Project data: Issues, tickets, project plans, and metadata from Linear or similar tools.
• Communications: Selected messages and conversations from Slack or other integrated platforms.
• Meeting Notes: Meeting notes, transcripts, decisions, and similar data from Google Docs, Google Meet or similar platforms.
• Metadata: Timestamps, author information, file names, and structural data associated with the above.

Usage and Technical Information

• Log data: IP addresses, browser types, device information, and access times.
• Usage metrics: Features used, agent interactions, query patterns, and performance data.
• Cookies: We use only strictly necessary cookies required for authentication and session management.

AI and Model Data

• Prompts and completions: Queries sent to AI models and their responses.
• Vector embeddings: Mathematical representations of your content for semantic search.
• Graph data: Relationships and connections between entities in your knowledge graph.

4. How We Use Your Information

We use your personal data for the following purposes:

To Provide and Improve Our Services

• Process and analyze your development data to generate insights and recommendations.
• Power our AI agents and knowledge machine functionality.
• Maintain and improve the performance, reliability, and security of DIS.
• Provide customer support and respond to your requests.

To Communicate With You

• Send service notifications, security alerts, and account updates.
• Respond to your inquiries and support requests.
• Share product updates and feature announcements (with your consent where required).

For Security and Legal Compliance

• Detect, prevent, and investigate security incidents and abuse.
• Enforce our Terms of Service and other policies.
• Comply with legal obligations and respond to lawful requests from authorities.

For Analytics and Product Development

• Analyze usage patterns to understand how customers use DIS.
• Develop new features and improve existing functionality.
• Conduct internal research and testing.

5. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and UK, we process your personal data based on:

• Contract performance: Processing necessary to provide DIS services under our Terms of Service.
• Legitimate interests: Improving our services, ensuring security, and conducting analytics (where not overridden by your data protection rights).
• Legal compliance: Meeting legal obligations such as data retention requirements.
• Consent: Where we have obtained your explicit consent for specific processing activities (e.g., marketing communications).

6. How We Share Your Information

We do not sell your personal data. We share your information only in these limited circumstances:

Service Providers and Subprocessors

We share data with trusted third-party service providers who help us operate DIS:

• Google Cloud Platform (GCP): Infrastructure, storage, and databases.
• Auth0: Authentication and identity management.
• Langfuse: LLM Inference tracking and measuring.
• Neo4j Aura: Graph database hosting.
• AI/LLM providers: OpenAI, Anthropic, Grok, and others for powering AI features.

These providers are contractually obligated to protect your data and use it only for providing services to DIS.

Legal Requirements

We may disclose your information if required by law or in response to:

• Valid legal processes (subpoenas, court orders).
• Requests from law enforcement or government authorities.
• Protection of our legal rights, safety, or property.

Business Transfers

If DIS is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

With Your Consent

We may share data with other third parties when you explicitly authorize us to do so.

7. Data Processing for AI and Machine Learning

How We Use AI

DIS uses large language models and machine learning to provide intelligent features. Your content may be processed by:

• Third-party AI providers (OpenAI, Anthropic, Grok) to generate responses and insights.
• Our own systems to create vector embeddings and maintain your knowledge graph.

Your Data Is Not Used for Training

Important guarantee:

• We do not use your content to train or fine-tune DIS models.
• We configure third-party AI providers to opt out of using your data for their model training where possible.
• Prompts and completions are logged for up to 30 days for debugging and abuse detection, then deleted.

Data Isolation

• Vector embeddings are stored in shared PostgreSQL databases with strict logical separation enforced through tenant identifiers and application-level access controls.
• Graph data is logically separated by tenant-scoped customer group IDs in Neo4j.
• Your data is isolated through multi-layered access controls and is never mixed with or exposed to other customers.

8. Data Storage and Retention

Where We Store Your Data

• All customer data is stored in Google Cloud Platform (GCP) infrastructure.
• Our production environment operates exclusively in EU regions.
• Backups are also stored within the EU.

How Long We Keep Your Data

• Active data: Customer content and metadata are retained while your project is active to support the knowledge machine and provide continuous context.
• Logs: System logs, authentication events, and AI prompts are retained for 30 days.
• Backups: Encrypted backups are retained for 7-30 days depending on the system.
• After deletion: When you delete a project, data is hard-deleted from active stores within 24 hours. Remaining traces exist only in encrypted backups until they expire.

9. Data Security

We implement industry-standard security measures to protect your data. For detailed information, please see our Security & Trust documentation.

Key security measures include:

• Encryption in transit: All data transmission uses TLS encryption.
• Encryption at rest: All databases and backups are encrypted.
• Access controls: Strict least-privilege access to production systems.
• Application-level encryption: Sensitive tokens are encrypted before storage.
• Network security: VPC isolation, firewalls, and DDoS protection.
• Security scanning: Automated SAST, SCA, and secret scanning in our development process.

10. Your Data Protection Rights

Depending on your location, you may have the following rights regarding your personal data:

GDPR Rights (EEA and UK Users)

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure: Request deletion of your personal data (subject to legal obligations).
• Right to restrict processing: Request that we limit how we use your data.
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interests.
• Right to withdraw consent: Withdraw consent for processing activities that require it.
• Right to lodge a complaint: File a complaint with your local data protection authority.

How to Exercise Your Rights

To exercise any of these rights, please contact us at:

• Email: privacy@dagg.ai
• Or through your DIS account settings (for deletion and data export when available)

We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

Project Deletion

Workspace owners can delete entire projects through the DIS interface. This triggers:

• Hard deletion of all project data from active databases within 24 hours.
• Automatic expiration of encrypted backups at the end of their retention period.
• Permanent removal of associated AI prompts, embeddings, and graph data.

11. Data Processing Roles

Controller vs. Processor:

• For most purposes, you (the customer organization) are the data controller for the content and personal data you ingest into DIS.
• DIS acts as a data processor, processing your data on your behalf according to your instructions and this privacy policy.
• For account administration and usage analytics, DIS may act as a controller for certain account-level data.

A Data Processing Agreement (DPA) is available for enterprise customers. Contact us at legal@dagg.ai to request one.

12. International Data Transfers

DIS currently operates exclusively within the EU, and all customer data is stored in EU-based infrastructure.

If we expand to serve customers in other regions or use subprocessors outside the EU, we will:

• Ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses).
• Update this privacy policy to reflect any changes.
• Notify affected customers of material changes to data residency.

13. Cookies and Tracking Technologies

Cookies We Use

DIS uses strictly necessary cookies only. These are essential for:

• Authentication and session management.
• Security and fraud prevention.
• Basic functionality of the service.

What We Do Not Use

• No third-party advertising cookies.
• No social media tracking pixels.
• No analytics cookies beyond essential operational metrics.

Managing Cookies

You can configure your browser to refuse cookies, but this may limit your ability to use DIS.

14. Children’s Privacy

DIS is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.

If you believe we have inadvertently collected data from a child, please contact us at privacy@dagg.ai and we will promptly delete it.

15. Third-Party Links and Integrations

DIS integrates with third-party services (GitHub, Linear, Slack, Notion, Langfuse, Google Docs, etc.). These services have their own privacy policies, which govern how they handle your data.

We are not responsible for the privacy practices of these third-party services. We encourage you to review their privacy policies before connecting them to DIS.

16. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or service features.

When we make material changes, we will:

• Update the “Last updated” date at the top of this policy.
• Notify you via email or through an in-app notification.
• For significant changes, we may request your consent where required by law.

Your continued use of DIS after changes are posted constitutes your acceptance of the updated privacy policy.

17. Contact Us

If you have questions, concerns, or requests regarding this privacy policy or our data practices:

• Privacy inquiries: privacy@dagg.ai
• Legal inquiries: legal@dagg.ai
• Security reports: security@dagg.ai

We take your privacy seriously and will respond to all legitimate requests within 30 days.

Additional Resources:
For more information about how we protect your data and operate our service, please review:

• Terms of Use - Legal terms governing your use of DIS
• GDPR Data Policy - Our GDPR compliance and data subject rights
• Data Processing Addendum - Our data processing terms and obligations
• Security & Trust - Our security architecture and practices