Privacy Policy

Last updated: 20 February 2026

General Data Protection Regulation (GDPR)

This privacy policy is designed to comply with Regulation (EU) 2016/679 (GDPR) and Portuguese Law No. 58/2019 on personal data protection.

1. Data Controller

ULTIMATE KLOUD UNIPESSOAL LDA

NIPC: 519404670

Rua Dr. Francisco Sá Carneiro nº 371, Vila Nova de Paiva, Portugal

Data protection contact: dpo@dotgrey.co

This policy applies to dotgrey AI, available at app.dotgrey.co, and to the dealership CRM, AI assistance, communications, and WhatsApp Business features operated by ULTIMATE KLOUD UNIPESSOAL LDA.

2. Personal Data We Collect

Data you provide directly

  • Identification data, such as name, email, and phone number
  • Account data, including credentials and preferences
  • Business data, including company name, NIPC, and address
  • Customer, lead, contact, vehicle, deal, and process data entered into the platform
  • Operational communications, including support, email, inbox, WhatsApp, notes, and feedback
  • Documents, attachments, proofs, contracts, and photos associated with operations

Google and Gmail data

When an authorized user connects a Gmail account, ULTIMATE KLOUD UNIPESSOAL LDA uses Google OAuth and may request Gmail permissions to identify the connected email address, read inbound messages and metadata for the dotgrey AI inbox, and send replies from the connected account when the user or an approved workflow chooses to send an email.

Gmail data may include the connected account address, message and thread identifiers, headers, senders, recipients, subjects, message bodies, timestamps, labels, and related operational metadata. We use this data only for visible CRM, inbox, lead routing, support, filtering, approved automations, and email reply features.

ULTIMATE KLOUD UNIPESSOAL LDA does not sell Google user data, use it for advertising, use it to determine credit or financing eligibility, or use Gmail content to train general-purpose AI models.

Users can disconnect Gmail in dotgrey AI settings and revoke access in their Google Account permissions. Deletion requests can be sent to privacy@dotgrey.co. Our use of information received from Google APIs complies with the Google API Services User Data Policy, including Limited Use requirements.

Data collected automatically

  • IP address and device information
  • Browser type and operating system
  • Navigation data, visited pages, and features used
  • Cookies and similar technologies, as described in our Cookie Notice

AI conversation data

When you use AI-assisted features, we may process text, instructions, operational context, usage metadata, and, in specific workflows, vehicle photos to perform the requested feature and for auditing, security, and operational improvement.

Where feasible, we apply minimization, pseudonymization, tokenization, human validation, and purpose limitation. Sensitive document flows are processed locally or subject to manual review where appropriate.

Third-party data entered by business customers

If you use the platform to manage customers, leads, suppliers, buyers, sellers, or other third parties, you usually act as controller for that data and we act as processor to provide the platform. You are responsible for ensuring an appropriate legal basis, notices, and permissions.

3. Purposes and Legal Basis

Purpose | Legal basis (GDPR Art. 6)
Providing the service and managing the account | Contract performance [Art. 6(1)(b)]
Payment processing | Contract performance [Art. 6(1)(b)]
Tax and legal compliance | Legal obligation [Art. 6(1)(c)]
Marketing communications with consent | Consent [Art. 6(1)(a)]
Service improvement, security, and fraud prevention | Legitimate interest [Art. 6(1)(f)]
Customer, lead, support, and inbox communications | Contract performance and/or legitimate interest
AI-assisted features, summaries, and operational support | Contract performance and/or legitimate interest

4. Sharing Data with Third Parties

We do not sell your personal data. We may share information only where needed with:

  • Infrastructure, authentication, database, and storage providers, such as cloud providers and Supabase
  • Approved AI providers, such as OpenAI, for specific support, summarization, generation, classification, and operational analysis features
  • Communication providers, such as Resend, Meta WhatsApp, and Twilio, when you enable those channels
  • Payment and billing providers, such as Stripe
  • Competent authorities, advisers, and auditors when required by law or needed to defend rights
  • Partners or integrations activated by you, only according to your configuration or authorization

5. International Data Transfers

Some providers may operate in the European Economic Area, the United Kingdom, the United States, or other countries. Where data is transferred outside the EEA, we apply appropriate safeguards and assess the legal basis for the transfer.

  • European Commission adequacy decisions
  • EU-approved Standard Contractual Clauses
  • Approved certifications or codes of conduct

For more information about transfers relevant to your account, contact privacy@dotgrey.co. For data subjects in Switzerland, we also apply nFADP/LPD principles.

6. Retention Periods

Data Type | Period | Reason
Account data | While the account is active + 2 years | Contract performance
Tax and billing data | 10 years | Portuguese tax obligations
AI conversation records | Usually up to 12 months unless legal or documented operational need applies | Audit, security, and service delivery
Operational messages | Usually up to 12 months unless legal obligation, customer request, or documented need applies | Service delivery and compliance
Documents and metadata | As long as needed for the operation, process, or legal obligation | Service delivery and traceability
System and security logs | 1 year | Security and fraud detection

7. Your Rights

Under the GDPR, you may exercise the following rights:

Access (Art. 15)

Confirm whether we process your data and access a copy.

Rectification (Art. 16)

Correct inaccurate data or complete incomplete data.

Erasure (Art. 17)

Request deletion of personal data in certain circumstances.

Restriction (Art. 18)

Restrict processing in certain circumstances.

Portability (Art. 20)

Receive data in a structured, machine-readable format.

Objection (Art. 21)

Object to processing, including direct marketing.

Withdraw Consent

Withdraw consent at any time without affecting prior lawful processing.

Complaint

Lodge a complaint with the CNPD.

To exercise rights, use Privacy Settings in your account or contact dpo@dotgrey.co. We respond within 30 days as required by the GDPR.

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit and at rest
  • Two-factor authentication available
  • Role-based access control
  • Security audits, secure backups, and recovery plans
  • Data protection training for staff
  • Minimization, redaction, or tokenization in selected AI flows
  • Human review and audit trails for sensitive workflows

9. Artificial Intelligence and Automated Decisions

We use AI systems for customer assistance, reply suggestions, summaries, operational classification, structured extraction, productivity support, assisted vehicle assessment, and marketing, sales, and communication content generation.

These features support human teams and do not replace human review where a decision is sensitive, contractual, financial, or legally relevant. Under GDPR Art. 22, we do not make solely automated decisions that produce legal effects or similarly significant effects without applicable human oversight.

Financing autofill extension

The DotGrey Financing Autofill extension helps authorized users transfer financing application data from dotgrey AI into third-party bank portal forms. The extension does not collect bank credentials, does not submit final forms, and runs only after a temporary session created by an authenticated user.

When portal field classification is needed, the request may contain labels, options, placeholders, and visual form context. We do not send customer values or uploaded documents for AI classification of those fields.

10. Children

Our service is not intended for minors under 18. We do not knowingly collect data from minors. If you learn that a minor provided us with personal data, contact us immediately so we can delete it.

11. Changes to This Policy

We may update this policy periodically. Significant changes will be notified by email or platform notice. Continued use after publication constitutes acceptance of the changes.

12. Controller and Processor Roles

ULTIMATE KLOUD UNIPESSOAL LDA acts as controller for account, billing, security, own marketing, website management, support, consented analytics, and legal compliance data. It acts as processor when processing end-customer, lead, seller, buyer, employee, or third-party data entered by business customers to provide the platform.

When we act as processor, we process data on documented customer instructions unless legally required otherwise. The customer remains responsible for privacy notices to its own contacts, legal bases, data subject requests, and correct configuration of permissions, retention, and integrations.

13. Special Categories, Documents and Sensitive Data

The platform is not designed to collect special categories of data at scale, criminal-offence data, health data, biometric data for unique identification, or minors’ data. If the customer uploads such data, it must ensure a specific legal basis, minimization, restricted access, and appropriate additional safeguards.

Identity documents, proofs, contracts, statements, photos, financial data, or credit information may contain sensitive or highly confidential data. The customer should upload only what is necessary and redact or remove excessive information where possible.

14. Subprocessors, Vendors and Technical Chain

We may use hosting, database, authentication, storage, email, messaging, payment, analytics, monitoring, AI, security, support, and productivity providers. We require relevant vendors to apply appropriate technical and organizational measures and contractual limitations proportionate to risk.

Where a customer activates a third-party integration, that third party may act as an independent controller, customer processor, or ULTIMATE KLOUD UNIPESSOAL LDA subprocessor depending on the flow. The customer should also review those third-party terms and policies.

15. Communications, Marketing and Opt-Out

We may send transactional, technical, security, administrative, and support communications. Promotional communications from ULTIMATE KLOUD UNIPESSOAL LDA are sent only where an appropriate legal basis exists and can be refused through an unsubscribe link or direct contact.

When customers use the platform to contact third parties, the customer is responsible for consents, objections, suppression lists, opt-in proof, content, timing, platform rules, and applicable direct-marketing obligations.

16. Incidents, Backups and Continuity

We maintain measures to prevent, detect, and respond to security incidents. Where an incident is a personal data breach and a legal notification duty applies, we will notify customers or competent authorities according to the applicable role, available information, and statutory timelines.

Backups, logs, and security records may retain data for limited periods after operational deletion where needed for recovery, integrity, fraud prevention, audit, legal defense, or compliance.

17. Data Subject Requests and Identity Verification

We may request additional information to confirm identity, authority, or relationship with an organization before responding to access, portability, rectification, erasure, objection, or restriction requests. Manifestly unfounded, excessive, or repetitive requests may be refused or charged where permitted by law.

Where a request concerns data entered by a business customer, we may refer or coordinate the response with that customer because it is usually the primary controller.

18. Transfers, SCCs and Risk Assessment

Where data is transferred outside the EEA, we use legally recognized mechanisms such as adequacy decisions, Standard Contractual Clauses, supplementary measures, vendor assessments, and access controls proportionate to risk.

Certain features may be blocked, limited, or subject to human review if vendor documentation, transfer basis, region, subprocessor status, or risk assessment is not appropriate for the intended flow.

19. Security, Fraud and Abuse Signals

To protect the platform, we may process technical signals, usage patterns, logs, IP addresses, device identifiers, authentication attempts, permission events, errors, action audit trails, and integration metadata.

These processing activities are necessary for security, fraud prevention, abuse investigation, compliance, legal defense, and maintaining service integrity.

20. Contact

For data protection questions or to exercise rights, contact dpo@dotgrey.co.

Supervisory Authority

You have the right to lodge a complaint with the Portuguese supervisory authority: CNPD - Comissão Nacional de Proteção de Dados, www.cnpd.pt.
