This Privacy Policy explains how Zovix Limited ("Zovix", "we", "our", or "us") collects, uses, and protects information in connection with the Dolly mobile application ("Dolly" or the "App"). By downloading or using Dolly, you acknowledge that you have read and understood this Privacy Policy. Where applicable law requires affirmative consent, we will seek your explicit consent through in-app mechanisms before processing your data.

1. Our Core Privacy Principle

Dolly is designed with a privacy-first architecture. Your financial data is stored exclusively on your device. We do not store, sell, or share your personal financial records with any third party.

2. Information We Collect

2.1 Information You Provide

When you use Dolly, the following data is created and stored locally on your device:

• Transaction records (merchant name, amount, date, category, payment method)
• Receipt images (stored on your device only)
• Bank statement data imported via PDF (see §2.3 for how bank statements are processed before local storage)
• Savings goals and financial targets you create
• Notes and custom categories you add

2.2 Information Sent to Our Servers

To provide AI-powered features, Dolly transmits limited data to our secure cloud servers:

• Receipt images: uploaded temporarily to a Firebase Cloud Function for AI text extraction via Google Gemini AI. Images are deleted from our servers within 24 hours of processing.
• Bank statement files: uploaded temporarily for AI processing as described in §2.3 below.
• OCR-extracted text: the text extracted from receipts or statements is processed by Google Gemini AI for categorisation and analysis. This text contains transaction details. Although not linked to your registered identity, it may constitute personal data under applicable law if you are identifiable from it.
• Anonymous usage metrics: non-identifiable usage counts (e.g., number of scans per month) used solely for quota enforcement.

2.3 Bank Statement Processing

When you upload a bank statement PDF, the following steps occur:

• The PDF is transmitted to Google Gemini AI via Firebase Cloud Functions solely to identify transaction data.
• Our Cloud Functions apply strict whitelist filtering: only date, merchant, amount, currency, and category fields are returned and stored.
• The original PDF, raw extracted text, account numbers, card numbers, cardholder names, and addresses are never stored by Zovix Limited.
• Transmitted text is processed transiently by Google Gemini AI and is subject to Google's data processing terms.

2.4 Automatically Collected Technical Information

We collect minimal technical data necessary to operate the App:

• Firebase Authentication ID linked to your sign-in method (Email/password, Google Sign-In, or Sign in with Apple)
• App version and device operating system (for compatibility purposes)
• Subscription plan status (Trial, Go, Pro, or Free)
• Standard server access logs, retained for up to 30 days for security and abuse prevention

2.5 Information We Do Not Collect

If you use Dolly without creating an account, we do not collect any identifying information. If you sign in with Email, Google, or Apple, Firebase Authentication processes your login email address to authenticate your identity. Zovix Limited does not store your email on our own servers; authentication is managed entirely by Firebase.

We do not collect:

• Your name, phone number, or contact information beyond your login email (if applicable)
• Your bank account numbers, credit card numbers, or financial account credentials
• Your location data
• Your device contacts, photos library (beyond receipt capture), or microphone
• Any data from children under the applicable minimum age in your jurisdiction (see Section 7)

2.6 SDK and Technical Identifiers

Dolly integrates third-party software development kits (SDKs) that may collect limited technical data:

• Firebase SDK: may process anonymised device identifiers solely for authentication and cloud function security. Firebase Crashlytics may collect anonymous crash reports to help us diagnose and fix bugs. You may disable crash reporting at any time in Settings → Help Improve Dolly.
• RevenueCat SDK: processes App Store or Google Play purchase tokens and subscription status. RevenueCat does not access your financial transaction data.
• No advertising identifiers (IDFA / GAID) are accessed or processed by Dolly.

3. How We Use Your Information

We use the limited information we collect solely to:

• Provide AI-powered receipt scanning and bank statement parsing
• Enforce fair-use quotas based on your subscription plan
• Deliver AI-generated financial insights and spending analysis within the App
• Maintain the security and integrity of our services
• Comply with applicable legal obligations

We do not use your information for advertising, profiling, or any purpose beyond operating Dolly.

3A. Legal Basis for Processing (EEA and UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data on the following legal bases under GDPR Article 6:

Contract Performance (Article 6(1)(b))

We process OCR-extracted text from your receipts and bank statements, and your Firebase authentication ID, because this processing is necessary to provide the AI-powered features you have requested when using Dolly. We also process your subscription status via RevenueCat because this is necessary to manage your subscription and enforce the features available under your plan.

Legitimate Interests (Article 6(1)(f))

We retain anonymised usage quota counters for up to 13 months to manage fair use, prevent abuse, and for billing reconciliation. Our legitimate interest is the sustainable and secure operation of the App. We have assessed that this interest is not overridden by your interests or fundamental rights.

Legal Obligation (Article 6(1)(c))

We may process data where required to comply with applicable legal obligations, including court orders, regulatory requests, or mandatory disclosure requirements.

4. Third-Party Services

We are in the process of executing Data Processing Agreements (DPAs) with each of the processors listed below, as required by GDPR Article 28 and equivalent applicable laws. These will be completed prior to public launch.

4.1 Google Firebase

We use Firebase for user authentication (Email/password, Google Sign-In, or Sign in with Apple) and cloud processing functions. Firebase is operated by Google LLC. Your user ID is processed by Firebase solely to authenticate your requests and route Cloud Function calls. See: firebase.google.com/support/privacy

4.2 Google Gemini AI

Dolly uses Google Gemini AI, accessed via Firebase Cloud Functions, to perform text extraction (OCR) and intelligent transaction categorisation on data you submit. When you scan a receipt or import a bank statement, the image or document is transmitted to a Firebase Cloud Function, which securely forwards it to the Gemini API. Gemini performs both the optical character recognition and the structured analysis of transaction details in a single step, returning categorised data to your device. Gemini does not retain your submitted content for model training under our API agreement. The same pipeline processes both receipt images and bank statement PDFs as described in §2.3.

For bank statement processing, our Cloud Functions apply server-side whitelist filtering before any data reaches your device. Only structured transaction fields (date, merchant, amount, currency, category) are returned. Account numbers, cardholder names, and other personal identifiers are filtered out at the server level and are not transmitted to or stored by Zovix Limited. See: ai.google.dev/gemini-api/terms

4.3 RevenueCat

Dolly uses RevenueCat to manage in-app subscriptions. RevenueCat processes your subscription status and purchase history. RevenueCat does not have access to your financial transaction data. See: revenuecat.com/privacy

4.4 Apple App Store

Your iOS app purchase and subscription billing is handled by Apple Inc. under their own terms and privacy policy. We do not have access to your Apple ID or payment information. See: apple.com/legal/privacy

4.5 Google Play Store

Your Android app purchase and subscription billing is handled by Google LLC under their own terms and privacy policy. We do not have access to your Google Account or payment information. See: policies.google.com/privacy

5. Data Storage and Security

5.1 Local Storage

All your financial transaction data, receipt images, and personal records are stored in a local database on your device (SQLite via Drift). This data never leaves your device except as described in Sections 2.2 and 2.3. We are in the process of implementing full at-rest encryption for the local database prior to the public launch of Dolly.

5.2 Cloud Security

Data transmitted to our servers is encrypted in transit using TLS 1.2 or higher. Our Firebase Cloud Functions are secured with authentication token verification to prevent unauthorised access.

5.3 Data Retention

• Receipt images and bank statement files: deleted from our servers within 24 hours of processing.
• Standard server access logs: retained for up to 30 days for security and abuse prevention purposes.
• Anonymous usage quota counters: retained for up to 13 months for billing and abuse prevention.
• Firebase authentication records: retained for the lifetime of your account or until you request deletion.

5.4 Security Limitations

While we implement industry-standard security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of data transmitted over the internet.

5.5 Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by GDPR or equivalent applicable law, and notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

To report a suspected data security incident, contact us at: [email protected]

6. Your Rights and Choices

6.1 Data Access, Portability, and Deletion

Because your financial data is stored locally on your device, you have direct control over it. You may delete individual transactions, export your data, uninstall the App, or contact us to request deletion of any server-held data.

6.2 GDPR Rights (EEA and UK Users)

Right	What it means for you
Access (Art. 15)	Request a copy of the personal data we hold about you.
Rectification (Art. 16)	Request correction of inaccurate personal data.
Erasure (Art. 17)	Request deletion of your personal data ('right to be forgotten').
Restriction (Art. 18)	Request that we restrict processing of your data in certain circumstances.
Data Portability (Art. 20)	Receive your personal data in a structured, machine-readable format.
Object (Art. 21)	Object to processing based on legitimate interests or for direct marketing purposes.
Automated Decision-Making (Art. 22)	Dolly's AI analysis generates spending insights for your information only and does not make automated decisions with legal effects.
Withdraw Consent (Art. 7(3))	Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise your rights: [email protected]. We will respond within 30 days.

6.3 CCPA / CPRA Rights (California Residents)

California residents have the right to know, delete, opt out of sale (we do not sell personal information), and non-discrimination. Contact: [email protected]

California residents also have the right to limit the use and disclosure of their sensitive personal information, including financial transaction data, under the California Privacy Rights Act (CPRA). We do not use your financial data for any purpose beyond operating Dolly.

6.4 PDPO Rights (Hong Kong Users)

Under the Personal Data (Privacy) Ordinance (Cap. 486), you have the right to request access to and correction of any personal data we hold. Contact: [email protected]

6.5 PIPL Rights (China Users)

If you are located in the People's Republic of China, your personal information is processed in accordance with the Personal Information Protection Law (PIPL). Use of AI-powered features involves transfer of OCR-extracted text to servers outside mainland China. Cross-border data transfers are conducted in accordance with PIPL Article 38–40 compliance mechanisms. By using features that require data processing, you provide your explicit consent to such cross-border transfer as required under PIPL. Contact: [email protected]

6.6 Other Jurisdictions

We respect the privacy rights of users in all jurisdictions, including LGPD (Brazil), PDPA (Singapore), Australian Privacy Act, India DPDP Act, Japan APPI, South Africa POPIA, and Thailand PDPA. Contact: [email protected]

Australian users may also lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.

7. Children's Privacy

Dolly is not directed to children. The minimum age to use Dolly is 13 years old in general, 16 years old in certain EEA member states, and 18 years old for the AI Financial Insights Chat feature in all jurisdictions. We do not knowingly collect personal information from children below the applicable minimum age. Contact: [email protected]

8. International Data Transfers

When you use AI-powered features, your OCR-extracted text and bank statement documents may be processed by Google's servers, which may be located outside your country of residence. EEA/UK users: Google provides appropriate safeguards including Standard Contractual Clauses (SCCs). Other jurisdictions: we rely on applicable transfer mechanisms as required by local law.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice within the App at least 30 days before the change takes effect.

10. Contact Us

Company	Zovix Limited
Privacy Enquiries	[email protected]
Security / Breach Reports	[email protected]
Website	dolly.zovix.ai

Zovix Limited currently does not have an appointed EU or UK representative. EEA and UK users may direct all data protection enquiries to our Privacy Officer at [email protected]. We are assessing this obligation and will appoint a representative if required before expanding distribution to EU/EEA markets.

Please read these Terms of Service ("Terms") carefully before using the Dolly mobile application ("App") operated by Zovix Limited ("Zovix", "we", "our", or "us"). By downloading, installing, or using Dolly, you agree to be bound by these Terms.

1. Acceptance of Terms

These Terms constitute a legally binding agreement between you and Zovix Limited. By using Dolly, you confirm that you are at least 13 years of age (or the minimum age applicable in your jurisdiction), have the legal capacity to enter into this agreement, and will comply with all applicable laws and regulations.

2. Description of Service

Dolly is a personal finance management application that provides AI-powered receipt scanning, bank statement import and analysis, expense tracking and categorisation, and AI-generated financial insights. Dolly is a personal productivity tool. It is not a licensed financial institution, investment adviser, tax adviser, or accounting firm. No feature of Dolly constitutes regulated financial advice.

3. AI Financial Information Disclaimer

Dolly's AI analysis is based solely on the transaction data you input and may be incomplete or inaccurate. You should not make any significant financial decision based solely on information provided by Dolly. Always consult a qualified and licensed financial professional. Zovix accepts no liability for any financial loss arising from reliance on Dolly's AI-generated outputs.

4. User Accounts and Authentication

Dolly supports Email/Password, Sign in with Google, and Sign in with Apple. You may use the App with an account linked to your email address. Your account credentials are managed securely by Firebase Authentication, a Google service, and are never stored by Zovix in plain text. You are responsible for maintaining the security of your device and account credentials. If your device is lost or stolen, we recommend immediately changing your password.

5. Subscription Plans and Payments

5.1 Available Plans

Plan	Price	Key Features
Dolly Trial	Free (35 days)	Full Pro access; no credit card required. Automatically transitions to Fallback after 35 days if no subscription is activated.
Dolly Go	Starting from $3.99/mo	100 AI receipt scans/month; unlimited saving goals; CSV / PDF export; no ads
Dolly Pro	Starting from $9.99/mo	Unlimited AI receipt scans; bank statement auto-import; AI Financial Insights; Apple Pay auto-capture; unlimited saving goals + AI optimisation; CSV / PDF export; no ads
Free (Fallback)	Free	Manual entry: unlimited; transaction history: read-only; CSV export: available; AI features: not available

5.2 Free Trial

New users receive a 35-day free trial with full Pro features upon account creation. No credit card is required to start the trial. At the end of the trial period, access to AI features will be restricted unless a paid subscription is activated. Your transaction data remains accessible in read-only mode regardless of subscription status, in accordance with your data portability rights.

• Automatic conversion: If you select a paid plan during the trial, your subscription will automatically activate at the end of the trial period at the then-current price, unless you cancel before the trial expires.
• Cancellation during trial: You may cancel at any time during the trial period at no charge. On iOS, manage your subscription in your Apple ID Account Settings. On Android, visit your Google Play subscriptions page at play.google.com/store/account/subscriptions.
• Fallback plan: If no subscription is activated before the trial ends, your account automatically reverts to the Free (Fallback) plan. You will not be charged.
• One trial per user: Free trials are available once per user account. Zovix reserves the right to withhold a trial offer from accounts that have previously utilised a free trial.
• EEA consumers: If you are an EEA consumer, your statutory right of withdrawal (see §5.7) applies to any paid subscription that begins at the end of the trial period.

5.3 Billing — iOS (Apple App Store)

All iOS payments are processed by Apple Inc. Subscriptions automatically renew unless cancelled at least 24 hours before the end of the current billing period. Manage and cancel your subscription in your Apple ID Account Settings.

5.4 Billing — Android (Google Play)

All Android payments are processed by Google LLC through the Google Play Store. Subscriptions automatically renew unless cancelled at least 24 hours before the end of the current billing period. Manage and cancel your subscription at play.google.com/store/account/subscriptions. Refund requests for Android purchases are subject to Google Play's refund policy; contact Google Play Support for refund requests.

5.5 Refunds — iOS

Refund requests for iOS purchases are subject to Apple's standard refund policy. Contact Apple Support at reportaproblem.apple.com.

5.6 Price Changes

We will provide at least 30 days' prior notice of any price increase via in-app notification. You may cancel before the new price takes effect without penalty.

5.7 EU/EEA Right of Withdrawal

If you are a consumer in the EEA, you have the right to withdraw from your subscription within 14 days of purchase. To exercise this right, contact us at [email protected] within 14 days of purchase. Note: your right of withdrawal will be waived once you begin using the subscription service and confirm your acknowledgement that the right of withdrawal is lost upon commencement, in accordance with Article 16(m) of Directive 2011/83/EU.

6. Acceptable Use

You agree not to violate any applicable laws, circumvent subscription limits, reverse engineer the App, use it to process third-party data commercially, transmit malicious code, or attempt to gain unauthorised access to our systems.

7. Intellectual Property

Dolly, including its design, code, branding, and content, is owned by Zovix Limited. You are granted a limited, non-exclusive, non-transferable, revocable licence to use the App for personal, non-commercial purposes. You retain ownership of all financial data you input into Dolly.

8. Data and Privacy

Your use of Dolly is also governed by our Privacy Policy (Version 2.2), which is incorporated into these Terms by reference.

9. Disclaimer of Warranties

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, DOLLY IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND. We do not warrant that the App will be uninterrupted, error-free, or that AI-generated analysis will be accurate or complete. Nothing in this Section affects your statutory rights as a consumer.

10. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ZOVIX LIMITED SHALL NOT BE LIABLE FOR any indirect, incidental, special, consequential, or punitive damages, or any damages exceeding the amount you paid to Zovix in the 12 months preceding the claim.

11. Indemnification

You agree to indemnify and hold harmless Zovix Limited from claims arising from your wilful misconduct, material violation of these Terms, or infringement of any third-party right. This indemnification does not apply to claims arising from Zovix's own acts or negligence.

12. Termination

We may suspend or terminate your access to Dolly immediately for material violations, or with at least 30 days' prior notice for any other reason if you are a paying subscriber. Paid subscribers terminated without cause will receive a pro-rated refund for the unused portion of their billing period.

13. Governing Law and Dispute Resolution

These Terms are governed by the laws of the Hong Kong Special Administrative Region. EU/EEA and UK consumers retain rights under their local consumer protection laws. Any dispute shall first be attempted via good-faith negotiation. US users: unresolved disputes shall be resolved by binding individual arbitration (JAMS Consumer Arbitration Rules). EU users may use the ODR platform at ec.europa.eu/odr.

14. Changes to Terms

We will notify you of significant changes by posting a notice within the App at least 30 days before the changes take effect.

15. Severability

If any provision of these Terms is found to be unenforceable, that provision shall be limited to the minimum extent necessary so that these Terms otherwise remain in full force.

16. Force Majeure

Zovix shall not be liable for failure or delay in performance caused by circumstances beyond its reasonable control, including acts of God, pandemic, war, government actions, or third-party service outages.

17. Business Continuity and Corporate Changes

In the event of a merger or acquisition, we will notify you within 30 days. In the event Zovix ceases operations, we will provide at least 90 days' notice, paid subscribers will receive a pro-rated refund, and all server-side data will be deleted within 30 days of cessation.

18. Complaints Procedure

• Step 1: Email [email protected]. We acknowledge within 3 business days and aim to resolve within 15.
• Step 2: Escalate to [email protected] if unsatisfied.
• Step 3: Refer to your local consumer protection or data protection authority.

19. Entire Agreement

These Terms, together with our Privacy Policy (Version 2.2), constitute the entire agreement between you and Zovix Limited regarding Dolly.

20. Contact Us

Company	Zovix Limited
General Support	[email protected]
Legal	[email protected]
Website	dolly.zovix.ai