Dossia
Request a 14-day POC

Privacy Policy

Our privacy policy and how we use your data

Last updated: June 10, 2026

Dossia ("we", "us") provides document-collection software for mortgage brokers and other professionals ("Service"). This policy explains what personal data we process, why, and the rights you have under the EU General Data Protection Regulation (GDPR).

1. Who is responsible for your data

For data relating to our customers (brokers, their team members and visitors to this website), Dossia acts as the data controller. For documents and personal data that brokers collect from their own clients through the Service, the broker is the data controller and Dossia acts as a data processoron the broker's instructions. We sign a Data Processing Agreement (DPA) with every customer on request.

2. Data we process

  • Account data — name, email address, team and role information you provide when you create an account.
  • Client file data (as processor)— documents and information uploaded by a broker's clients through a private link: identity documents, income statements, bank statements and other documents required to assemble a loan or case file.
  • Usage data — log and device information needed to operate and secure the Service.
  • Contact data — messages you send us through the contact form or by email.

3. Why we process it (legal bases)

  • Performance of a contract — providing the Service to you and your team.
  • Legitimate interest — securing the Service, preventing abuse, improving the product.
  • Consent — optional communications such as product updates; you can withdraw consent at any time.
  • Legal obligation — where we must retain or disclose data under applicable law.

4. Where your data lives

All application data and uploaded documents are stored inside the European Union (data centers in Frankfurt, Germany). Files do not leave the EU. Access is protected by row-level security: each brokerage can only access its own data.

5. Sub-processors

We use a small number of infrastructure providers to operate the Service (hosting, database and storage, email delivery). All sub-processors are bound by data-processing terms consistent with this policy, and a current list is available on request.

6. How long we keep data

Account data is kept for as long as you have an account, then deleted within 30 days of account closure. Client file data is retained according to the controlling broker's instructions — brokers can delete a client file at any time, and deletion is propagated to storage. Backups expire automatically on a rolling schedule.

7. Your rights

Under the GDPR you can request access to, rectification of, or erasure of your personal data, restriction of or objection to its processing, and a portable copy of it. If you are a broker's client, the Service includes a built-in erasure flow — you can also contact the broker handling your file directly, or contact us and we will relay the request. You have the right to lodge a complaint with your supervisory authority (in France, the CNIL; in Portugal, the CNPD).

8. Security

Data is encrypted in transit and at rest. Access to client files is scoped per brokerage and per role. Private upload links are unique, unguessable and revocable.

9. Contact

For any privacy question or to exercise your rights, contact us via the contact page.