Privacy Policy
Last updated: Jan 13th 2026
This Privacy Policy explains how Dobby (“we”, “us”, “our”) collects, uses, and protects your personal data when you interact with our website, products, and services. We take privacy seriously and are committed to handling your data transparently and responsibly.
1. Introduction
This Privacy Policy explains how Dobby A/S (“Dobby”, “we”, “us”) processes personal data and how we ensure compliance with the EU General Data Protection Regulation (GDPR). Dobby provides a B2B software platform for coffee distributors, service operators and roasters. In most cases, Dobby processes personal data on behalf of its customers, who act as data controllers. In some cases, Dobby acts as an independent data controller. This Privacy Policy applies to:
- Use of the Dobby platform including webportal, webshop and smartphone apps
- Website visitors (dobby.io)
- Marketing and sales activities
- Contractual and billing relationships
2. Data controller details
Legal entity: Dobby A/S
Registered address : Østersøvej 28A, 2150 Nordhavn, Denmark
Company registration number: 44 04 74 03
Contact email: hello@dobby.io
Dobby has not appointed a formal Data Protection Officer (DPO). Privacy-related enquiries can be directed to the contact email above.
3. Roles under GDPR
3.1 Dobby as data processor
Dobby acts as a data processor when processing personal data on behalf of customers using the Dobby platform.
In this role:
- The customer is the data controller
- The customer determines the purpose and legal basis for processing
- Dobby processes personal data only on documented instructions
- Processing is governed by a Data Processing Agreement (DPA)
Typical examples:
- User accounts created by customers
- Service staff data entered by customers
- End-customer contact data stored in the platform
- Logs and metadata generated through platform use
Typical examples:
3.2 Dobby as data controller
Dobby acts as a data controller when processing personal data for its own business purposes, including:
- Website visitors
- Sales and marketing contacts
- Contractual and billing contacts
- Customer communication outside the platform
4. Categories of personal data
Depending on context and customer configuration, Dobby may process:
4.1 Account and identity data
- Name
- Work email address
- Phone number
- Job title or role
- User ID
4.2 Technical and usage data
- IP address
- Device and browser information
- Login records
- System and activity logs
- Audit and access logs
4.3 Support and communication data
Dobby acts as a data controller when processing personal data for its own business purposes, including:
- Website visitors
- Sales and marketing contacts
- Contractual and billing contacts
- Customer communication outside the platform
4.3 Support and communication data
- Support tickets
- Email correspondence
- Meeting notes where relevant
4.4 Contractual and billing data
- Company contact persons
- Invoices and payment references
Dobby does not intentionally process sensitive personal data unless explicitly instructed and contractually agreed with a customer.
5. Purposes of processing
When acting as data processor
Personal data is processed solely to:
- Provide, operate, and maintain the Dobby platform
- Deliver development, support, and maintenance services
- Troubleshoot issues and ensure platform security
- Comply with customer instructions under the DPA
When acting as data controller
Personal data is processed to:
- Respond to enquiries and sales requests
- Manage customer relationships
- Fulfil contractual and legal obligations
- Maintain security and prevent abuse
- Conduct marketing activities
6. Legal basis for processing
Processor activities
Processing is based on Article 6.1. of the General Data Protection Regulation as determined by the customer (controller). Dobby does not independently determine the legal basis in these cases.
Processor activities
Processing is based on Article 6.1. of the General Data Protection Regulation as determined by the customer (controller). Dobby does not independently determine the legal basis in these cases.
Controller activities
Dobby relies on the following legal bases of the General Data Protection Regulation:
- Performance of a contract (Article 6.1.b)
- Legal obligations (Article 6.1.c)
- Legitimate interests (Article 6.1.f), e.g. security and business operations
- Consent (Article 6.1.a) where required
7. Sub-processors and data sharing
Dobby uses carefully selected sub-processors to deliver its services. All sub-processors are contractually bound by GDPR-compliant agreements. Our sub-processors include:
- Amazon Web Services (AWS) – cloud hosting (EU region)
- Techscale ApS – software development (EU)
- Techscale (SMC-PVT) LTD – software development and support (Pakistan)
- Microsoft: Email, calendar, document storage and collaboration
- HubSpot: Customer relationship management (CRM), sales, and marketing communications
- Glyphic AI Limited: Transciptions and analysis of meetings
- Notion Inc.: Internal collaboration
Sub-processors are authorised and governed in accordance with Dobby’s DPA .
8. International data transfers
Where personal data is processed outside the EU/EEA:
- Transfers are made only on documented customer instructions
- EU Standard Contractual Clauses (SCCs) are used
- Additional technical and organisational safeguards are applied
Primary non-EU processing may occur in Pakistan through approved sub-processors that perform software development and support services.
9. Data retention
Personal data is retained only for as long as necessary:
- Customer data: For the duration of the contract and deleted or returned upon termination
- Logs and security data: Retained for a limited period for security and compliance
- Accounting data: Retained in accordance with Danish legal requirements
Deletion and return procedures are governed by the DPA.
10. Security measures
Dobby implements appropriate technical and organisational security measures, including:
- Encryption in transit and at rest
- Role-based access control and logging
- Monitoring and incident response procedures
- Regular security reviews
- Regular security reviews
Security measures are aligned with recognised standards such as ISO 27001 / ISO 27701 as described in the DPA.
11. Data subject rights
Individuals have the right to:
- Access their personal data
- Rectify inaccurate data
- Request erasure
- Restrict processing
- Object to processing
- Request data portability
- Withdraw consent (where applicable)
For data processed on behalf of customers, requests must be directed to the relevant customer, who acts as data controller. Dobby will assist customers in handling such requests in accordance with the DPA.
12. Complaints
If you believe that your personal data has been processed unlawfully, you have the right to lodge a complaint with: Datatilsynet (Danish Data Protection Authority): www.datatilsynet.dk
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via our website or directly to customers where appropriate.
14. Cookies and Tracking Technologies
Dobby uses cookies and similar tracking technologies on dobby.io and related landing pages. Cookies are small text files stored on a user’s device when visiting a website. They help us ensure proper website functionality, improve performance, and support marketing activities.
14.1 Types of cookies we use
a) Strictly necessary cookies
These cookies are required for the website to function properly and cannot be disabled in our systems. They are typically set in response to actions such as:
- Submitting forms
- Setting privacy preferences
- Logging in
- Security and fraud prevention
Legal basis: Article 6(1)(f) GDPR (legitimate interest in providing secure website functionality).
b) Analytics and performance cookies
These cookies help us understand how visitors interact with our website, including:
- Pages visited
- Traffic sources
- Session duration
- Device and browser type
We use HubSpot analytics tools to measure website performance and optimise content and user experience.
Legal basis: Consent (Article 6(1)(a) GDPR), where required.
c) Marketing and advertising cookies
These cookies may be used to:
- Track visitors across websites
- Measure campaign performance
- Deliver relevant advertising
- Manage lead tracking and CRM integration
HubSpot may place tracking cookies when users submit forms, download materials, or engage with marketing emails.
Legal basis: Consent (Article 6(1)(a) GDPR).
14.2 HubSpot integration
Dobby uses HubSpot as its CRM and marketing automation platform. HubSpot may set cookies to:
- Identify returning visitors
- Associate website activity with CRM contact records
- Track campaign effectiveness
- Manage email subscriptions and preferences
HubSpot processes data in accordance with its GDPR commitments and applicable data transfer safeguards.
For more information about HubSpot’s privacy practices, please refer to: https://legal.hubspot.com/privacy-policy
14.3 Cookie consent management
Visitors to dobby.io are presented with a cookie banner allowing them to:
- Accept all cookies
- Reject non-essential cookies
- Customise cookie preferences
Non-essential cookies are only activated upon user consent, where required under applicable law.
Users can withdraw or modify consent at any time via the cookie settings link available on our website.
14.4 Managing cookies via browser settings
Users can also manage or delete cookies through their browser settings. Please note that disabling certain cookies may affect website functionality.
14.5 Retention of cookie data
Cookie data is retained only for as long as necessary for the purposes described above and in accordance with applicable legal requirements.
Contact us
If you have questions about this Privacy Policy or how we handle your data, please contact:
Dobby
hello@dobby.io