Doolo – Privacy Policy
1. Controller Identity
The controller of personal data processed in connection with the Doolo service (“Service”) is:
Keslem Oy
Business ID: 2554341-5
EUID: FIFPRO.2554341-5
LEI: 743700021711XG894Y38
Registered office: Helsinki, Finland
Postal address: Runkokatu 17 C 16, 33340 Tampere, Finland
Email: sami.kyoperi@keslem.fi
Website: www.keslem.fi
This Privacy Policy describes how Keslem Oy (“Keslem”, “we”, “us”) collects, uses, stores, shares, and protects personal data in connection with the Service in accordance with the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”), the Finnish Data Protection Act (1050/2018), and, where applicable, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”).
2. Categories of Personal Data Processed
We process the following categories of personal data about users of the Service:
Account data:
- email address,
- hashed password (stored as a bcrypt hash, never in plain text),
- name (optional),
- account creation and last login timestamps.
Billing and transactional data:
- Stripe customer ID (payment card details are processed directly by Stripe and are not stored on our servers),
- credit balance, credit transactions, total credits purchased, total credits used,
- Stripe session IDs, invoice metadata, purchase timestamps,
- receipts issued.
Technical data:
- IP address,
- fingerprintId (a device fingerprint used to prevent repeated abuse of free trials),
- User-Agent header and browser details,
- JSON Web Token (JWT) session identifiers (7-day validity),
- server, application, and error logs.
Content data (user-submitted or generated through the Service):
- URLs submitted by the User (for cloning, editing, or business content fetching),
- prompts, instructions, and AI chat messages,
- generated websites, components, and their source code,
- images and videos uploaded by the User or generated through third-party AI providers,
- custom domain names and DNS information,
- dynamic overrides, integration settings (e.g. Formspree form IDs).
Usage telemetry:
- API input and output token counts per request,
- endpoint-level usage statistics,
- credit transaction history,
- aggregated cost metrics.
Personal data contained within Content submitted by the User (for example, names, addresses, or contact details that the User puts into their own website) is processed by us as a processor on the User’s behalf. For such data, the User acts as controller.
3. Legal Bases for Processing (GDPR Art. 6)
We process personal data on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): creating and maintaining an Account, providing the Service, processing payments, delivering generated sites, enabling publishing and export.
- Legitimate interests (Art. 6(1)(f)): fraud and abuse prevention (including trial abuse prevention via fingerprintId), information security, service improvement, internal analytics, legal defence. Before relying on a legitimate interest, we balance it against the User’s rights and freedoms.
- Consent (Art. 6(1)(a)): non-essential cookies and analytics, direct marketing where applicable, and any optional features explicitly requiring consent. Consent can be withdrawn at any time.
- Legal obligation (Art. 6(1)(c)): accounting and bookkeeping records under the Finnish Accounting Act (1336/1997), tax compliance, responding to lawful requests from authorities.
4. Processing Purposes
We process personal data for the following purposes:
- registering, authenticating, and managing Accounts,
- generating, editing, publishing, and exporting websites using AI pipelines (Inspiration, Edit, Build, Brand modes),
- generating AI images and videos and storing them in object storage,
- processing payments, billing, credit top-ups, and refunds,
- enforcing usage limits and preventing circumvention of trial limits,
- providing customer support and responding to enquiries,
- monitoring, securing, and maintaining the Service,
- detecting, investigating, and preventing fraud, abuse, or unlawful activity,
- complying with legal and accounting obligations,
- developing and improving the Service, including aggregated analytics,
- sending transactional email (e.g. receipts, password resets, service notices),
- exercising or defending legal claims.
5. Sub-processors and Recipients of Data
We use the following sub-processors and service providers to deliver the Service. Each processes personal data only on documented instructions and under written data processing agreements where required by GDPR Art. 28.
- Anthropic PBC (USA) — AI model provider (Claude). Processes prompts, uploaded content references, and generation outputs.
- OpenAI, L.L.C. (USA) — AI model provider (Sora video generation). Processes prompts and video generation outputs.
- Replicate, Inc. (USA) — AI model provider (Imagen-4 image generation). Processes prompts and generated image URLs.
- Amazon Web Services EMEA SARL / AWS S3 (eu-north-1, Sweden) — object storage for user assets, screenshots, and generated sites.
- MongoDB, Inc. / MongoDB Atlas (EU region) — database hosting for Account, Site, Image, BrandBook, and Transaction data.
- Cloudflare, Inc. (USA / global edge network) — hosting, CDN, and DNS for published websites.
- Stripe Payments Europe, Ltd. (Ireland) and Stripe, Inc. (USA) — payment processing, subscription management, invoicing.
- Salesforce, Inc. / Heroku (USA) — application hosting and dyno infrastructure for the Doolo backend.
- ApiFlash (operated by 10 BITS SAS, France) — website screenshot capture service used during cloning.
- Resend, Inc. (USA) — transactional email delivery (receipts, password resets, relay email for published sites).
We may engage additional sub-processors in the future. A current list is available on request by emailing sami.kyoperi@keslem.fi.
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.
6. International Transfers
Some of our sub-processors are located outside the European Economic Area (“EEA”), in particular in the United States. Where personal data is transferred outside the EEA, we rely on:
- the European Commission’s Standard Contractual Clauses (SCCs) (Decision 2021/914),
- the EU-U.S. Data Privacy Framework where the recipient is certified,
- supplementary technical and organisational measures where required, and
- the User’s explicit consent or contractual necessity under Art. 49 GDPR where applicable.
You may request a copy of the safeguards used for any specific transfer by contacting us.
7. Retention Periods
We retain personal data only for as long as necessary for the purposes described above.
- Account data: for the duration of the active Account plus 30 days after deletion (to allow recovery and closing out of transactions). After that, the Account is permanently erased, subject to legal retention duties.
- Billing and accounting records: 6 years from the end of the calendar year in which the transaction took place, as required by the Finnish Accounting Act.
- Sites and user content: until deleted by the User, or up to 67 days after cancellation of a paid subscription (three-phase deletion: warning – suspension – permanent erasure).
- Trial fingerprintId: 12 months, for abuse prevention purposes.
- Application and security logs: 30 days.
- Support correspondence: up to 24 months after the conversation ends.
- Claude API prompt and output audit metadata: up to 30 days (longer retention only where required for dispute resolution).
After the applicable retention period, personal data is deleted or anonymised.
8. Your Rights as a Data Subject (GDPR Art. 15–22)
You have the following rights:
- Right of access (Art. 15) — to receive confirmation of whether we process your personal data and, if so, a copy of the data.
- Right to rectification (Art. 16) — to have inaccurate or incomplete data corrected.
- Right to erasure (Art. 17, “right to be forgotten”) — to have your data deleted where legal conditions are met.
- Right to restriction of processing (Art. 18) — to limit how we use your data in specified circumstances.
- Right to data portability (Art. 20) — to receive data you provided in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to object (Art. 21) — to object to processing based on legitimate interests, including profiling for such purposes.
- Right not to be subject to solely automated decisions (Art. 22) — no decisions producing legal or similarly significant effects are made about you solely by automated means in the Service.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
9. How to Exercise Your Rights
To exercise any of your rights, contact us at sami.kyoperi@keslem.fi. We will respond within 30 days of receiving a verifiable request, as required by GDPR Art. 12(3). In complex cases, we may extend the response time by a further two months, in which case we will inform you within the initial 30-day period.
We may request additional information to verify your identity before acting on a request. Exercising these rights is free of charge, unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.
10. Right to Lodge a Complaint
If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.
In Finland, the supervisory authority is:
Tietosuojavaltuutetun toimisto (Office of the Data Protection Ombudsman)
Postal address: PO Box 800, FI-00531 Helsinki, Finland
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Telephone: +358 29 566 6700
Email: tietosuoja@om.fi
Website: https://tietosuoja.fi
11. Security Measures
We implement appropriate technical and organisational measures to protect personal data, including:
- passwords stored only as bcrypt hashes (never in plain text),
- JWT-based authentication with expiring tokens,
- HTTPS/TLS encryption for all traffic to and from the Service,
- AES-256-CBC encryption for sensitive stored secrets,
- environment-based secret management; no secrets committed to source control,
- role-based access limited to personnel who need access for their role,
- logging, monitoring, and alerting on production infrastructure,
- regular backups with controlled retention,
- vendor security assessments for sub-processors,
- automatic stripping of non-ASCII metadata and sanitisation of user inputs where applicable.
12. Personal Data Breach Notification
In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with GDPR Art. 33.
Where the breach is likely to result in a high risk, we will also notify affected data subjects without undue delay, as required by GDPR Art. 34.
13. Age Limit
The Service is intended for users aged 16 or older. If you are under 16, you may use the Service only with verifiable consent from a parent or legal guardian, and that parent or guardian is responsible for the use of the Service.
We do not knowingly collect personal data from children under 16 without such consent. If we become aware that we have collected such data, we will delete it.
14. Automated Decision-Making
The Service uses artificial intelligence to generate and edit websites, images, and videos. These AI-driven generations are not decisions that produce legal effects or similarly significantly affect the User within the meaning of GDPR Art. 22.
The User retains full control: generated content can always be reviewed, edited, discarded, or regenerated before publication.
15. Cookies
The Service uses strictly necessary cookies (for example, for authentication and session management) and, subject to consent where required, limited analytics cookies.
For details about the specific cookies used, their purposes, lifespans, and how to manage them, please see our Cookies Policy.
16. California Privacy Rights (CCPA/CPRA Addendum)
This section applies to residents of California, United States, and supplements the rest of this Privacy Policy.
Categories of personal information collected in the last 12 months (as defined in Cal. Civ. Code § 1798.140):
- Identifiers (email, IP address, account ID),
- Customer records (name, billing details via Stripe),
- Commercial information (purchase history, credit balance),
- Internet or other network activity (log data, User-Agent, fingerprintId),
- Inferences drawn from the above for service personalisation and abuse prevention,
- Content submitted by the User (prompts, URLs, uploaded media).
Sources: directly from the User, automatically from the User’s devices, and from our sub-processors (e.g. Stripe).
Business or commercial purposes: as described in Sections 3 and 4 of this Policy.
Sale or sharing of personal information: we do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA.
Sensitive personal information: we do not use or disclose sensitive personal information for purposes beyond those permitted by Cal. Civ. Code § 1798.121.
Your California privacy rights:
- right to know the categories and specific pieces of personal information collected,
- right to delete personal information (subject to exceptions),
- right to correct inaccurate personal information,
- right to opt out of the sale or sharing of personal information (we do not sell or share, but you can still submit a request),
- right to limit the use and disclosure of sensitive personal information,
- right to non-discrimination for exercising these rights.
How to exercise your California rights: email sami.kyoperi@keslem.fi with the subject line “California Privacy Request”. You may also submit a “Do Not Sell or Share My Personal Information” request via the same email. We will verify your identity using the email address associated with your Account or a reasonable equivalent.
Authorized agents: you may designate an authorized agent to submit a request on your behalf. The agent must provide written, signed permission from you, and we may require you to verify your own identity directly before completing the request.
Retention: see Section 7 for retention periods applicable to each category of data.
17. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days’ prior notice through the Service or by email to the address associated with your Account before the changes take effect. Non-material changes (e.g. clarifications, typo fixes) may take effect immediately upon publication.
The version history, including previous effective dates, is available on request.
18. Contact
For any questions about this Privacy Policy or the processing of your personal data, please contact:
Keslem Oy
Attn: Data Protection
Email: sami.kyoperi@keslem.fi
Postal address: Runkokatu 17 C 16, 33340 Tampere, Finland
