Privacy Policy

Last updated: 27 March 2026

We've written this policy in plain English. We want you to understand exactly what we do with your data — and why.

1. Who we are

Dottie ("Dottie", "we", "us", "our") is an invoicing and business management tool built specifically for UK childminders and childcare professionals. Our service is available at www.dottie.cloud.

We are the data controller for the personal data you provide to us. If you have any questions about this policy or how we handle your data, please contact us at support@dottie.cloud.

2. Data we collect

We collect the following categories of personal data:

Account & profile data

  • Full name and email address
  • Phone number
  • Home or business address (including postcode)
  • Ofsted registration number (optional)

Financial data

  • Bank account name, sort code, and account number (for inclusion on invoices you send to parents)
  • Subscription payment details (processed by Stripe — we do not store raw card numbers)

Children's data (entered by you)

  • Child's first and last name
  • Child's date of birth (used to verify parent identity when accessing invoices)
  • Parent or guardian name, email address, and phone number
  • Care schedule (days and session types)
  • Childcare rates
  • Any notes you choose to add

Usage and technical data

  • Log data (browser type, IP address, pages visited) — retained for security purposes
  • Authentication tokens managed by Supabase

We collect only what is necessary to provide the service. We do not collect sensitive special-category data beyond children's dates of birth, which are used solely for invoice access verification.

3. How we use your data

  • To create and manage your account
  • To generate, store, and send invoices on your behalf
  • To display your bank details on invoices you send to parents
  • To allow parents to securely access their child's invoices (using DOB as verification)
  • To process subscription payments via Stripe
  • To send transactional emails (welcome, trial reminders, payment confirmations) via Resend
  • To generate draft invoices using AI assistance (Anthropic Claude) — see Third-party Processors
  • To provide expense tracking and tax-year reports
  • To respond to support requests
  • To comply with our legal obligations

4. Lawful basis for processing

Under UK GDPR, we rely on the following lawful bases:

Processing activity | Lawful basis
Providing the invoicing service | Contract (Article 6(1)(b))
Processing subscription payments | Contract (Article 6(1)(b))
Sending transactional emails | Contract (Article 6(1)(b))
Security monitoring and fraud prevention | Legitimate interests (Article 6(1)(f))
Complying with tax/legal obligations | Legal obligation (Article 6(1)(c))

Children's dates of birth are processed under contract (necessary to provide invoice verification) and legitimate interests (preventing unauthorised access to financial documents).

5. Third-party processors

We use the following sub-processors to provide our service. Each is bound by its own privacy policy and, where applicable, Data Processing Agreements (DPAs):

Supabase | EU/UK

Database, authentication, and file storage

Stripe | EU/UK

Subscription payment processing

Resend | EU

Transactional email delivery

Anthropic (Claude AI) | USA (Standard Contractual Clauses apply)

AI-assisted invoice generation. When invoices are auto-generated, schedule and rate data is sent to Anthropic's API. No child names or contact details are included in these requests.

We do not sell your data to third parties. We do not use your data for advertising or profiling.

6. Children's data

As a childminder, you enter data about the children in your care. This data belongs to you and is used solely to provide the invoicing service. We act as your data processor for this information — you are the data controller for the children's data.

By using Dottie, you confirm that you have appropriate consent or another lawful basis (such as the performance of a contract with the child's parent/guardian) to enter and process this data within the app.

We store children's dates of birth for the sole purpose of verifying parent identity when they access an invoice. This verification step protects your bank details from unauthorised access.

We do not share children's data with any third party other than the sub-processors listed above, and only to the extent necessary to deliver the service.

7. Data retention

Data type | Retention period
Active account data | For the duration of your subscription
Data after account cancellation | 30 days (then permanently deleted)
Invoice records | 6 years (UK tax law requirement)
Payment records (Stripe) | As required by financial regulations
Security/access logs | 90 days

Invoice records are retained for 6 years in accordance with HMRC requirements for self-employed income records. All other personal data is deleted within 30 days of account closure.

8. Your rights

Under UK GDPR, you have the following rights. To exercise any of them, email us at support@dottie.cloud. We will respond within 30 days.

Right of access: Request a copy of all personal data we hold about you.
Right to rectification: Ask us to correct inaccurate or incomplete data.
Right to erasure: Request deletion of your personal data (the "right to be forgotten"). Note: invoice records may be retained as required by law.
Right to data portability: Request your data in a structured, machine-readable format (JSON or CSV).
Right to restrict processing: Ask us to pause processing your data in certain circumstances.
Right to object: Object to processing based on legitimate interests.
Right to withdraw consent: Where we rely on consent, you can withdraw it at any time.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

9. Cookies

We use only essential cookies required for the service to function. These include session authentication cookies managed by Supabase. We do not use advertising cookies, analytics cookies, or any third-party tracking.

Essential cookies cannot be disabled as they are necessary for you to log in and use the app. No cookie consent banner is shown because we do not use non-essential cookies.

10. Security

  • All data is encrypted in transit using TLS 1.2+
  • Data at rest is encrypted using AES-256 (managed by Supabase)
  • Row-level security ensures your data is isolated from other users
  • Bank details on invoices are protected by a date-of-birth verification step for parent access
  • We perform regular security reviews
  • Access to production systems is restricted and logged

While we take all reasonable precautions, no internet service is completely secure. If you believe your account has been compromised, contact us immediately at support@dottie.cloud.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by displaying a notice in the app. The "Last updated" date at the top of this page reflects the most recent revision.

Continued use of Dottie after a change is posted constitutes your acceptance of the updated policy.

12. Contact us

For any questions, requests to exercise your rights, or data concerns, please contact us:

Dottie

support@dottie.cloud

www.dottie.cloud

If you are not satisfied with our response, you have the right to complain to the ICO at ico.org.uk.