Database and storage

This page explains how Dozy stores and structures your data. It gives you full transparency into what is saved, where it lives, how it is protected, and how long it is kept. All data is hosted on Supabase, a managed cloud infrastructure provider, and is never sold or shared with third parties for purposes other than those described here.

1 What Is Supabase?

Supabase is an open source Backend as a Service platform built on top of PostgreSQL, the industry standard relational database. Dozy uses Supabase as its sole backend infrastructure. Your data is stored in a fully managed PostgreSQL database, and Dozy does not operate any custom servers of its own.

• Supabase provides Dozy with a PostgreSQL database that is used for all structured data, including users, tasks, projects, and subscriptions.

• Supabase provides Dozy with authentication services that are used for account creation, login, and session management.

• Supabase provides Dozy with file storage that is used for profile pictures and project file attachments.

• Supabase provides Dozy with Row Level Security, also called RLS, so that each user can access only their own data.

Supabase infrastructure is hosted on AWS, meaning Amazon Web Services data centres. Data is encrypted at rest and in transit using industry standard TLS and SSL. For Supabase own privacy and security policies, you can see supabase.com/privacy.

2 Row Level Security (RLS)

Every database table in Dozy has Row Level Security, or RLS, enabled. RLS is a PostgreSQL feature that enforces access control at the database level, not just in the application code. This means that even if there were a bug in the app, the database itself would refuse to return another user data.

• As a general rule, you can only read, update, or delete your own records.

• As a general rule, shared project data is governed by explicit invite and accept policies, meaning that a collaborator only gains access after you personally invite them and they accept.

• As a general rule, subscription and payment records are readable only by the account they belong to.

• As a general rule, storage buckets enforce that each user can upload only to their own folder path.

3 Authentication and Session Data

Dozy uses Supabase Auth to manage all account authentication.

• For email and password accounts, passwords are never stored in plain text, and Supabase Auth uses bcrypt hashing so that Dozy never has access to your raw password.

• For Google Sign In and Google Calendar, Dozy stores a short lived OAuth access token and a refresh token that are scoped to calendar access only, and Dozy does not access your Gmail, Drive, or other Google data.

• For Microsoft Outlook, the same OAuth token model applies, and tokens can be revoked at any time from your account settings or from Microsoft own security dashboard.

• For sessions, Supabase issues a JSON Web Token, or JWT, on login, and sessions expire automatically and are not stored in a way that is readable by Dozy staff.

4 File Storage

Dozy uses Supabase Storage, backed by AWS S3 compatible object storage, for two categories of files.

4.1 Profile Pictures

Profile pictures are stored in a public storage bucket called profile-pictures. Files are organised by user ID, so your picture is stored at a path like profile-pictures/{your-user-id}/avatar.jpg. Because this bucket is public, your profile picture URL is accessible to anyone with the direct link. You can delete or replace your profile picture at any time from your account settings.

4.2 Project Resource Files

Files attached to projects are stored in a private storage bucket. Access to these files is restricted to the project owner and accepted collaborators only, and this restriction is enforced by Supabase Storage RLS policies. These files are not accessible to the public or to Dozy staff.

4.3 What Is Not Stored

Dozy does not permanently store copies of your Google Calendar or Microsoft Outlook data. Calendar content is fetched on demand for scheduling purposes and is not mirrored in Dozy database beyond what is needed for the scheduled task feature.

5 Data Retention

Data retention periods and deletion procedures are governed by Dozy Account Termination policy page.

• In summary, active account data is retained for as long as your account exists.

• In summary, when you delete your account, all user linked records are cascade deleted from the database automatically, including tasks, projects, subscriptions, notifications, and stored files.

• In summary, Stripe billing records may be retained by Stripe independently as required by financial regulations, while Dozy internal Stripe references are deleted alongside your account.

• In summary, database backups may retain your data for up to 30 days after deletion, after which they are permanently purged in line with Supabase backup retention policy.

For full details on deletion timelines, you should see the Account Termination page.

6 Security Measures

The following technical safeguards protect your data.

• Encryption at rest means that all data stored on Supabase is encrypted at rest by AWS infrastructure.

• Encryption in transit means that all connections use TLS 1.2 or higher and that no data is sent over unencrypted HTTP.

• Row Level Security means that every table enforces user level access control at the database engine level, not just in app code.

• Password hashing means that passwords are hashed with bcrypt and that plain text passwords are never stored or logged.

• OAuth token scoping means that Google and Microsoft tokens are scoped to the minimum required permissions, which is calendar only.

• Storage isolation means that files in private buckets are namespaced by user ID and protected by storage level RLS.

Restricted API keys mean that Dozy app connects via a restricted Supabase API key and that no superuser credentials are exposed client side.

7 Data Location and Transfers

Your data is stored on Supabase managed servers hosted on AWS infrastructure. The specific region depends on the Supabase project configuration set by Dozy. By using Dozy, you acknowledge that your data may be processed in a country other than the one you reside in.

Dozy does not transfer your personal data to any external databases or storage systems beyond those listed in this document and in the Privacy Policy.

8 Your Control Over Stored Data

• You have direct control over your stored data.

• You can request an export by privacy@dozy.site to ask for a copy of your data.

• You can edit all profile data, task content, and project content directly within the app.

• You can delete individual tasks and projects permanently from within the app.

• You can revoke calendar access by disconnecting Google and Microsoft OAuth tokens from Calendar → Integrations.

• You can delete your account to remove all linked data, as described on the Account Termination page.

9 Contact

For questions about data storage or to submit a data access or deletion request, you can contact us,

For questions about this policy, to exercise your rights, or to report a privacy concern, please contact us.

Name: David Kelen
Email: privacy@dozy.site
Response time: Within 30 days