Dott

Privacy Policy

Last updated: May 27, 2026

1. Who We Are

Dott is operated by LFG Events LLC ("we," "us," or "our"). We provide an Event Portfolio Intelligence System at usedott.com that helps teams plan, forecast, prove, and score the value of sponsored events. This policy explains how we collect, use, and protect information when you use our Service.

2. Information We Collect

Account information: When you sign up, we collect your email address, display name, organization name, role, and organization preferences. This is required to create and manage your account.

Event and portfolio data: Information you enter into Dott, including event details, team rosters, retro responses, meeting transcripts (via NoteCrush), budgets, forecasts, vendor information, evidence links, scores, agent conversation history, and uploaded files and documents. You control what data you input.

Voice and audio data: If you use voice features or upload audio for NoteCrush transcription, we process this data to generate transcripts and insights. See Section 7 for retention specifics.

Connected accounts: When you connect third-party services (Google, Slack, Zoom, Notion, etc.), we receive an OAuth access token from that provider and pull the specific data scopes you authorized. Tokens are encrypted at rest.

Usage data: Anonymized analytics about how you interact with the Service — pages visited, features used, session duration. We use PostHog for product analytics. We also log security-relevant actions (auth events, role changes, exports) to an internal audit log.

Payment information: Payment processing is handled entirely by Lemon Squeezy, our Merchant of Record. We do not store credit card numbers, bank account details, or other financial information on our servers.

3. How We Use Your Information

We use your information to: operate and maintain the Service; personalize your portfolio experience; generate Dott Scores, reports, agent insights, and PROVE Scorecards from your event data; send essential account communications (confirmations, security alerts, service updates); process billing through Lemon Squeezy; detect and prevent fraud, abuse, and security incidents; and improve the Service based on anonymized usage patterns. We do not use your event data, transcripts, or any customer content to train AI models. AI processing occurs only to generate insights within your organization.

4. AI Processing and Agents

Dott uses AI services (currently Anthropic Claude) to power agents, generate insights, score events, and process meeting transcripts. When you use AI features, relevant portions of your event data are sent to the AI provider for processing under their data processing agreement. AI providers do not use your data to train their models. AI-generated outputs are stored within your Dott organization and are subject to the same access controls as your other data. The agent system includes safety measures to prevent cross-organization data leakage and filter unsafe outputs. The system may also extract anonymized learnings per user per organization (for example, your preferred event terminology) to personalize future interactions — you can review and clear this memory at any time.

5. Attendee Data (Kickoff)

If you use Dott Kickoff to manage event registration and check-in, attendees of your events submit information directly to Dott (name, email, role, and any custom fields you configure). In this flow, you (the event organizer) are the data controller and Dott acts as a data processor on your behalf. You are responsible for collecting valid consent from attendees and providing them appropriate privacy notices. Dott processes attendee data only to operate the registration, check-in, and wallet-pass features you have enabled, and to surface attendance information back to you in your portfolio. Attendees may contact us at hello@usedott.com to exercise their data rights, and we will route those requests to the relevant organizer where applicable.

6. Location Data

If you enable geofence arrival detection in Kickoff, an attendee's device may briefly share its location with Dott at the moment they attempt to check in, in order to confirm they are at the event venue. Location is checked only at the check-in moment — Dott does not continuously track attendee location or retain ongoing location history. Attendees can decline the location prompt and check in via QR code instead. Apple and Google wallet passes generated through Kickoff may include device identifiers required by those platforms to render and update the pass; we do not use these identifiers for any other purpose.

7. Voice and Audio (NoteCrush)

NoteCrush is consent-driven by design — we never deploy bots to join live calls. Meeting intelligence is generated only from data you bring to Dott via three methods: (a) a synced transcript from a platform you connected (Zoom, Google Meet, Microsoft Teams), (b) text you paste directly, or (c) an audio file you upload manually for transcription via a third-party speech-to-text provider (which we will name in Section 10 once this feature is fully active in production). The resulting transcript is stored in your organization, the original audio file is deleted within 30 days unless you re-export it, and transcripts are subject to the same access controls as your other event data and can be deleted by you at any time.

8. Email Intelligence

If you connect Gmail or Outlook to Dott's Email Intelligence feature, we read only the email threads you have explicitly labeled (for example, with a "Dott" label or your configured label name). We do not read your inbox at large. Gmail and Outlook only grant read permission at the mailbox level — Dott enforces the label-only limit in our own code rather than at the OAuth layer. You can revoke access at any time from your Dott settings or directly from your email provider's account settings, which immediately cuts off our read access. Extracted insights (vendor costs, booking confirmations, etc.) are shown to you as suggestions you can approve or dismiss — nothing is auto-written to your event data without your action.

9. Data Storage and Security

Your data is stored in Supabase (PostgreSQL), hosted on secure cloud infrastructure in the United States. We implement Row Level Security (RLS) policies so each organization's data is isolated and accessible only to authorized members. All data transmission uses TLS encryption. Encrypted token storage and HMAC timing-safe secret comparison protect OAuth tokens and webhook signatures. We use Arcjet for rate limiting and bot protection, Sentry for error tracking and performance monitoring, and a Zod-validated input layer on our API. Security-relevant actions are recorded to an internal audit log. We maintain regular backups and follow industry-standard security practices. In the event of a security incident affecting your personal information, we will notify affected users and applicable authorities without undue delay and in accordance with applicable law.

10. Sub-Processors

We rely on the following sub-processors to operate the Service. All sub-processors are bound by data processing agreements: Supabase (database hosting, authentication, file storage), Vercel (application hosting, edge delivery), Anthropic (AI inference for agents and insights), Lemon Squeezy (payment processing as Merchant of Record), Resend (transactional email), PostHog (anonymized product analytics), Arcjet (rate limiting and bot protection), Sentry (error monitoring). We may add or change sub-processors and will update this list when we do.

11. Data Sharing

We do not sell, rent, or trade your personal information or event data to third parties. We share data only with: (a) the sub-processors listed in Section 10, which act on our instructions to operate the Service; (b) other members of your organization, according to the role and access controls you configure; and (c) third parties when required by law, subpoena, or to protect our legal rights, safety, or property.

12. Your Rights

Subject to applicable law (including GDPR for EU/UK residents and CCPA/CPRA for California residents), you have the right to: access the personal information we hold about you; port or export your data through the Service or by request; correct inaccurate information in your account or organization; delete your account and associated personal data (see Section 13); object to or restrict certain processing; withdraw consent where we rely on it; and opt out of non-essential communications. California residents have the right to opt out of any "sale" or "sharing" of personal information — we do not sell or share personal information for cross-context behavioral advertising, but you may still submit a request at hello@usedott.com. To exercise any right, contact us at hello@usedott.com — we will respond within 30 days.

13. Account Deletion

You can delete your account at any time from your account settings, which calls our account deletion endpoint. On deletion, your personal information and event data are removed within 30 days, except where we are required to retain certain records (for example, financial records for tax compliance, or audit log entries required for security investigations) — those are retained only for the minimum period required by law and then deleted. Anonymized, aggregated data that cannot identify you may be retained indefinitely.

14. Cookies and Tracking

Dott uses essential cookies for authentication and session management. We use PostHog for anonymized product analytics. We do not use advertising cookies or retargeting pixels, and we do not share data with advertising networks. You can manage cookie preferences in your browser settings; disabling essential cookies will prevent you from signing in.

15. International Data Transfers

Your data is stored in the United States. If you access Dott from outside the United States, you understand and consent to the transfer and processing of your data in the United States, where data protection laws may differ from those in your jurisdiction. Where required by applicable law, we rely on Standard Contractual Clauses or equivalent transfer mechanisms with our sub-processors.

16. Children's Privacy

Dott is designed for business use and is not intended for individuals under 18. We do not knowingly collect information from minors. If we learn that we have collected data from someone under 18, we will delete it promptly. Event organizers using Kickoff should not collect attendee data from minors without appropriate parental consent.

17. Changes and Contact

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service. The "Last updated" date at the top reflects the most recent revision. Questions about your privacy, requests to exercise your rights, or notices of a security concern? Contact us at hello@usedott.com.