Privacy Policy

How DAPITA LTD handles your data. Plain English. UK GDPR compliant.

Last updated: 1 May 2026 · Effective date: 1 May 2026

1. Who we are

DAPITA LTD ("DAPITA", "we", "us") is a software company registered in the United Kingdom under Companies House number 16634395, with its registered office in London, UK. We are the data controller for personal data processed through our website (dapita.net) and our products.

Contact for data protection matters: info@dapita.net.

2. Data on dapita.net

This website (dapita.net) is a static informational site about DAPITA and its products. We do not collect cookies or personal data on dapita.net. No tracking, no analytics, no advertising pixels.

The only client-side storage we use is a single entry in your browser's localStorage to remember your cookie banner preference. This data never leaves your device.

3. Data in DAPITA Auth (account registration)

When you create an account in the DAPITA ecosystem (via auth.dapita.net), we process the following:

  • Account identifier: an anonymized internal ID. The registration API itself is anonymized.
  • Email address: only if you provide it (used for account recovery, security alerts, and product communications).
  • Phone number: only if you provide it (used for two-factor authentication and account recovery).
  • Language preference: stored to deliver the interface in your language.
  • Session cookie: a server-issued session identifier required for you to remain logged in. This cookie is essential — without it, login is technically impossible.
  • Authentication factors: hashed passwords (Argon2id), passkey public keys, TOTP secrets — all encrypted at rest using AES-256 via HashiCorp Vault.
  • Audit logs: records of login events, IP addresses, and security-relevant actions. Retention varies by plan (15–90 days).

We do not sell, rent, or share this data with third parties for marketing.

4. Data in our products

Each product (Core, BaaS, Algo, Security) has its own privacy considerations. In summary:

  • DAPITA Core is self-hosted on your own server. We do not have access to data inside your Core installation. License validation is the only call your Core makes to our servers.
  • DAPITA BaaS processes API requests you make. We log API key usage, request metadata (timestamp, endpoint, IP), and response status for billing and abuse prevention. We do not log request bodies or response payloads.
  • DAPITA Algo stores your chats, files, and project data on our servers. Encryption at rest is available on the Dapitium plan. AI prompts may be sent to third-party AI providers (OpenAI, Anthropic, Google, etc.) — please review their privacy policies separately.
  • DAPITA Security details are in section 3 above.

5. Legal basis (UK GDPR)

We process personal data on the following lawful bases:

  • Contract: to provide the services you sign up for.
  • Legitimate interest: security monitoring, abuse prevention, and service improvement.
  • Consent: for any optional communications you opt into.
  • Legal obligation: tax records, law enforcement requests with valid legal basis.

6. Your rights

Under UK GDPR you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your data ("right to be forgotten")
  • Export your data in a portable format
  • Object to processing
  • Withdraw consent at any time
  • Lodge a complaint with the UK Information Commissioner's Office (ICO)

To exercise any of these rights, contact info@dapita.net. We respond within 30 days.

7. Data retention

We retain personal data only as long as necessary for the purpose it was collected, plus any legally required retention periods (typically 6 years for tax records). Account data is deleted within 30 days of account closure, except where retention is required by law.

8. International transfers

Our infrastructure is primarily hosted in the European Union and the United Kingdom. Where data is processed outside the UK/EU (for example, by AI providers in DAPITA Algo), transfers are made under appropriate safeguards (Standard Contractual Clauses or adequacy decisions).

9. Changes to this policy

We may update this policy. The "Last updated" date at the top reflects the most recent version. Material changes will be communicated by email to registered users.

10. Contact

Email: info@dapita.net
Phone: +44 20 4577 0719
Post: DAPITA LTD, London, United Kingdom (Companies House 16634395).

UK supervisory authority: Information Commissioner's Office (ICO).