Legal

Privacy Policy

Last Updated: April 11, 2026  ·  Effective: April 11, 2026

1. Overview

DoughBase ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information when you use the DoughBase predictive fermentation platform ("Service").

This policy applies to all users worldwide and is designed to meet or exceed the requirements of the California Consumer Privacy Act (CCPA), the EU General Data Protection Regulation (GDPR), and applicable privacy laws in other jurisdictions.

2. Information We Collect

2a. Information You Provide

  • Account data: Name and email address. If you sign up with email/password, your password is hashed using bcrypt before storage and is never accessible in plain text by us or anyone else.
  • Kitchen/business name: Optionally provided during onboarding to personalize your dashboard.
  • Batch & recipe data: Fermentation parameters, dough records, bake schedules, and notes you enter into the Service.
  • Contact data: Any messages you send us via email or support channels.

2b. Third-Party Sign-In

You may sign in using Google OAuth2. In this case, we receive only the basic profile information Google provides (name, email, and profile picture). We do not receive or store your Google password. Google's privacy policy governs data collected by Google during this process.

2c. Information Stored Locally on Your Device

DoughBase stores the following data exclusively in your browser's localStorage — it never leaves your device unless you are signed in and choose to sync:

  • doughbase_prefs — your recipe preferences, oven settings, and defaults
  • doughbase_ddt — your DDT calculator inputs (room temp, flour temp)
  • doughbase_log — your fermentation batch history
  • doughbase_home_active — your active batch state on the Home Dashboard
  • doughbase_cookie_consent — your cookie consent decision (EU/applicable regions)

2d. Server Log Data

Our hosting infrastructure may automatically record standard access logs, including IP address and request timestamps. These logs are used solely for security and operational purposes and are not used for behavioral tracking.

2e. No Financial Data

DoughBase does not currently collect or process credit card or payment information.

3. How We Use Your Information

  • To provide, operate, and maintain the Service
  • To authenticate your identity and keep your account secure
  • To perform fermentation calculations (DDT, phase timelines, bake scheduling) using data you provide
  • To remember your dashboard preferences and batch state across sessions
  • To send transactional emails such as account verification and password resets
  • To respond to support inquiries you initiate
  • To comply with legal obligations

DoughBase does not operate third-party analytics tools (no Google Analytics, Mixpanel, Hotjar, or similar). We do not sell your personal data. We do not use your data to serve advertising.

4. Data Sharing

We may share your information only in these limited circumstances:

  • Service providers: Infrastructure and hosting providers (e.g., server/database hosting) who process data solely on our behalf under data processing agreements
  • Legal requirements: When required by law, court order, or to protect the rights, safety, or property of DoughBase or others
  • Business transfers: In connection with a merger, acquisition, or sale of assets — you will be notified prior to any such transfer

5. Data Retention

We retain your account data for as long as your account is active. If you close your account, we will delete or anonymize your personal data within 90 days, except where we are required to retain it for legal or regulatory purposes.

Anonymized, aggregate data derived from your usage may be retained indefinitely for product research.

6. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request that we correct inaccurate or incomplete data
  • Deletion: Request erasure of your personal data ("right to be forgotten")
  • Portability: Receive your data in a structured, machine-readable format
  • Objection / Restriction: Object to or restrict certain types of processing
  • Withdraw consent: Where processing is based on consent, withdraw it at any time

To exercise any of these rights, email us at privacy@doughbase.com. We will respond within 30 days (or as required by applicable law).

California residents: Under the CCPA, you have the right to know what personal information is collected, the right to delete it, and the right to opt-out of the sale of your data. We do not sell personal data.

EU/EEA residents: You have the right to lodge a complaint with your local data protection supervisory authority.

7. Cookies & Local Storage

DoughBase uses browser localStorage to persist your dashboard preferences and batch state entirely on your device. This data does not leave your browser.

For authentication, we use a session cookie (pb_auth) to keep you signed in across page loads. It is configured as follows:

  • SameSite: Strict — the cookie is not sent on cross-site requests
  • Secure — only transmitted over HTTPS in production
  • Duration: 7 days (604,800 seconds)
  • Not HttpOnly — the PocketBase client SDK requires JavaScript access to this cookie to function

We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

8. Security

We implement industry-standard security measures, including:

  • HTTPS encryption for all data in transit on production
  • Bcrypt password hashing (cost factor 10) — passwords are one-way hashed and can never be retrieved in plain text
  • Strict SameSite + Secure session cookies to resist CSRF attacks
  • PocketBase's built-in access rule system ensuring users can only access their own records

No system is 100% secure. If you believe your account has been compromised, contact us immediately at support@doughbase.com.

9. Children's Privacy

The Service is not directed to children under the age of 13 (or 16 in the EU). We do not knowingly collect personal data from minors. If we learn that we have done so, we will delete that information promptly.

10. International Data Transfers

DoughBase is operated in the United States. If you are accessing the Service from outside the US, your information may be transferred to and processed in the US. We implement appropriate safeguards for cross-border transfers as required by applicable law (including EU Standard Contractual Clauses where applicable).

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you by updating the "Last Updated" date at the top of this page and, for material changes, by emailing registered users. Your continued use of the Service after changes are posted constitutes acceptance.

12. Contact Us

For privacy requests or inquiries:

DoughBase — Privacy
Email: privacy@doughbase.com
Support: support@doughbase.com
Terms of Service← Back to DoughBase