Privacy Policy
Last updated: 2026-05-28
Who we are
Domi is built and operated by JF Gailleur, sole engineer during V1, based in Quebec, Canada. Contact: hello.domiapp@gmail.com.
What we collect
- Account information. Your email address, and the household name you choose during onboarding.
- Information you ingest. Documents, photos, and structured data you provide about your household, vehicles, residences, appliances, members, and obligations.
- Usage telemetry. LLM call costs, error logs, audit-log entries for your account's mutations.
- Sign-in cookies. A session cookie (essential for staying signed in) and a sign-in challenge cookie. We do not set tracking cookies.
How we use your data
Solely to provide the service: organizing your household graph, running predictions, sending reminders, and processing documents you upload. LLM calls are routed to the provider configured in your strategy (default: Anthropic). We never sell or rent your data, and we do not train AI models on your data. We never share your raw data with third parties except as listed under sub-processors below.
Storage and security
- Storage region: all data at rest is stored in Canada. Postgres is hosted on Neon (Montreal); object storage on Cloudflare R2 (Canada).
- Encryption: sensitive fields (document filenames, chat message bodies, OAuth tokens) are envelope-encrypted with a per-tenant Data Encryption Key wrapped by an operator-held Key Encryption Key. We use libsodium-wrappers for primitives.
- Tenant isolation: Postgres row-level security enforces that no tenant can read another tenant's rows. The rule is enforced at the database level, not the application level.
- Audit log: every mutation is logged to an INSERT-only audit schema with the actor, the action, and a timestamp.
Sub-processors
We share data with the following sub-processors strictly to operate the service:
- Vercel — application hosting; functions run in the Canada region (Montréal, ca-central-1), encrypted in transit. Vercel is a US-incorporated company.
- Neon — Postgres database (Canada region).
- Cloudflare R2 — object storage for uploaded files (Canada region).
- Anthropic — default LLM provider for chat, document extraction, and plan generation.
- OpenAI — alternative LLM provider, used only if you select it in your strategy.
- Resend — transactional email delivery (magic-link sign-in, account notifications).
- Sentry — error and performance telemetry (no message content sent).
- Google Cloud Pub/Sub — the channel Gmail uses to notify Domi of new emails (only used if you connect Gmail).
International transfers
Your data at rest stays in Canada, and application hosting (Vercel) runs in the Canada region (Montréal). LLM calls transit US-based provider APIs (Anthropic, OpenAI). Some sub-processors, including Vercel, are US-incorporated companies even though the compute runs in Canada. Where US transfer occurs, it is necessary for service operation and is disclosed here.
Your rights (Quebec Law 25)
You have the right to access, correct, delete, and port your personal information. You can delete your account and all its data yourself, directly in the app — no email or support request needed: open Settings → Delete account & data. Deletion is recorded immediately and the data is kept on file for 30 days (in case of mistake), then permanently and automatically deleted — including documents, uploaded files, and your login. For access, correction, or portability requests, contact us at the email above; we respond within 30 days.
Data retention
Your data is retained while your account is active. On account closure, data is retained for 30 days (in case you change your mind), then permanently deleted. Audit-log entries are retained for 12 months as required for security investigations.
Children
Domi is not directed at children under 14, the age of digital consent in Quebec. Adults may add household members under 14 to their own account; access by those minors to the platform itself is not supported in V1.
Changes to this Policy
We may update this Policy as the service evolves. Material changes will be communicated by email to the address on file at least 14 days before they take effect.