1-Who we are

This Privacy Policy explains how DORIX Ltd collects and uses personal data when you use the DORIX mobile application and related services for smart access. DORIX Ltd is incorporated in England and Wales. Registered office: 19 Berkeley Street, London W1J 8ED, United Kingdom. Contact our privacy team at privacy@dorix.com.

This Policy applies to the DORIX app, any cloud or web services that support the app, and compatible smart access products such as smart locks and smart cylinders that you manage through the app.

2-What this Policy covers

• The DORIX mobile application and any updates.
• Service features including device onboarding, lock and unlock commands, digital keys, schedules, alerts, audit logs, and integrations.
• The DORIX web portal if you use it for administration.
• Compatible devices that you manage through the app. We refer to these collectively as the “Services”.

3-Our role and legal bases

DORIX is the controller of personal data processed through the Services. We rely on the following legal bases:

• Contract. To create your account, operate the app, issue digital keys, manage access schedules, and provide support.
• Legitimate interests. To protect accounts and devices, prevent misuse, measure performance, and improve security. We balance these interests against your rights.
• Consent. For optional features such as precise location for proximity functions, camera for QR onboarding, Bluetooth scanning, push notifications, and marketing. You can withdraw consent in the app settings or your device OS settings.
• Legal obligation. To meet legal and regulatory duties, including safety and fraud prevention.

4- Personal data we collect

4.1 Data you provide

• Account details such as name, address, email, mobile number, and password.
• Profile data such as preferred language and display name.
• Access sharing details such as the identifiers of people you invite and the permissions you set for them.
• Support enquiries and feedback.

4.2 Data collected automatically

• Device identifiers such as mobile device ID, OS version, app version, IP address, time zone, and crash or diagnostics data.
• App activity such as login time, feature use, and notification settings.

4.3 Smart access data

• Lock and cylinder metadata such as model, serial, firmware, connectivity, battery status, and signal strength.
• Event data such as lock and unlock actions, the account or key used, scheduled access windows, and system alerts.
• Biometric templates. If a device supports biometric entry, the template is stored on the device or key locally and is not uploaded to DORIX servers.

4.4 Optional permissions

We may request permission to use:

• Bluetooth for device onboarding and control.
• Location for proximity features and security alerts.
• Camera for QR code onboarding and optional photos for profiles or property notes.
• Push notifications for access events and safety messages.
• You can switch these off at any time. Certain features may not work without them.

5- How we use personal data

• To provide and maintain the Services and your account.
• To issue, manage, and revoke digital keys and access schedules.
• To send security, safety, and service notifications.
• To provide customer support and fix problems.
• To monitor performance, prevent misuse, and improve the Services.
• To meet legal obligations and respond to lawful requests.

We do not sell personal data. We do not use third-party advertising SDKs. If we use analytics or crash reporting, we configure them to minimise identifiers.

6- Sharing personal data

We share data only as needed to operate the Services:

• Service providers such as cloud hosting, content delivery, analytics, crash reporting, customer support tooling, and email or SMS delivery. These providers act under contract and only on our instructions.
• Authorised partners such as a distributor or installer named on a commercial account, with access limited to the work they do for you.
• Corporate events. If we merge or sell part of our business, personal data may transfer to the new owner under the same protections.
• Legal and safety. Where required by law or to protect people, property, or security.

7- International data transfers

If personal data is transferred outside the UK or EEA, we put in place one of the following safeguards:

• The UK International Data Transfer Agreement or Addendum.
• The EU Standard Contractual Clauses, including required transfer risk assessments.
• An adequacy decision by the UK or EU.

We keep transfer records and review them regularly.

8- Data retention

We keep personal data only for as long as needed for the purposes described above.

• Account data. Kept while your account is active. Deleted or anonymised within 30 days after account closure unless we must retain it by law.
• Event logs. Default retention is 12 months. Commercial administrators can request shorter or longer periods within lawful limits.
• Diagnostics and analytics. Kept for the shortest period that supports service health and security, then anonymised.

9- Security

We use technical and organisational measures to protect personal data. These include encryption in transit and at rest where appropriate, role‑based access controls, key management, network segregation, and continuous monitoring for unauthorised access.

Biometric templates remain on the device. You are responsible for keeping your credentials and devices secure.

10- Your rights

Subject to legal limits, you have the right to:

• Access a copy of your personal data.
• Request correction of inaccurate data.
• Request deletion of your data and account.
• Object to processing based on our legitimate interests.
• Restrict processing.
• Receive your data in a portable format for data you provided to us and which we process by automated means.
• Withdraw consent for optional features at any time.

You can make requests through the app or by emailing privacy@dorix.com. We will respond within one month, or explain if we need more time for complex requests.

You can complain to the UK Information Commissioner’s Office at ico.org.uk. If you are in the EEA, you can also complain to your local data protection authority.

11- Children

The Services are not intended for children under 13 in the UK or under the age that applies in your country if higher. For EEA users this may be up to 16. We do not knowingly collect data from children without verifiable consent from a parent or legal guardian. See the Children’s Privacy Notice below for a plain language summary.

12- Third-party services

Some features rely on third-party cloud platforms and integrations. We do not control third-party terms or availability. We may change or discontinue integrations when needed for security, performance, or legal reasons.

13- Changes to this Policy

We may update this Policy to reflect new features or changes in law. If changes are material, we will notify you through the app or by email if we hold your contact details. Continued use after changes take effect means you accept the updated Policy.

14- Contact us

DORIX Ltd, 19 Berkeley Street, London W1J 8ED, United Kingdom

Email: privacy@dorix.com

15- Governing law and jurisdiction

This Privacy Policy and any non-contractual obligations arising out of or in connection with it are governed by the laws of England. The courts of England have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Policy.