Data Protection Policy
Our commitment to safeguarding your data and ensuring compliance with global data protection regulations.
Last Updated: March 1, 2026
1. Introduction
Dojo Labs ("we", "us", or "our") is committed to protecting the personal data of our clients, partners, and website visitors. This Data Protection Policy outlines our approach to data protection and our compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant international data protection legislation.
This policy applies to all personal data processed by Dojo Labs, whether in the context of providing our AI consulting and development services, operating our website, or in our internal operations.
2. Data Protection Principles
We adhere to the following data protection principles when processing personal data:
- Lawfulness, Fairness & Transparency — Data is processed lawfully, fairly, and in a transparent manner
- Purpose Limitation — Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes
- Data Minimization — Data collected is adequate, relevant, and limited to what is necessary for the purposes for which it is processed
- Accuracy — Data is accurate and, where necessary, kept up to date. Inaccurate data is erased or rectified without delay
- Storage Limitation — Data is kept for no longer than is necessary for the purposes for which it is processed
- Integrity & Confidentiality — Data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage
- Accountability — We are responsible for and able to demonstrate compliance with these principles
3. Lawful Basis for Processing
We process personal data only where we have a lawful basis to do so. The lawful bases we rely on include:
Consent
Where you have given clear consent for us to process your personal data for a specific purpose, such as subscribing to our newsletter or opting in to marketing communications.
Contract
Where processing is necessary for the performance of a contract with you, or to take steps at your request before entering into a contract, such as providing our consulting services.
Legitimate Interests
Where processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights. This includes improving our services, website analytics, and business development.
Legal Obligation
Where processing is necessary to comply with a legal obligation, such as tax reporting, regulatory requirements, or responding to lawful requests from authorities.
4. Data Subject Rights
Under applicable data protection laws, individuals whose personal data we process have the following rights:
- Right of Access — You have the right to request a copy of the personal data we hold about you
- Right to Rectification — You have the right to request that we correct any inaccurate or incomplete personal data
- Right to Erasure — You have the right to request deletion of your personal data where there is no compelling reason for its continued processing
- Right to Restrict Processing — You have the right to request that we restrict the processing of your personal data in certain circumstances
- Right to Data Portability — You have the right to receive your personal data in a structured, commonly used, machine-readable format
- Right to Object — You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes
- Rights Related to Automated Decision-Making — You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you
To exercise any of these rights, please submit a request to hello@dojolabs.co. We will process your request within 30 days and may ask for additional information to verify your identity.
5. Data Security Measures
We maintain robust technical and organizational measures to protect personal data, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Access controls and role-based permissions for all systems handling personal data
- Regular security audits and vulnerability assessments
- Employee training on data protection and security best practices
- Incident response procedures for detecting, reporting, and investigating data breaches
- Secure development practices for all AI systems and applications we build
- Regular backups with secure storage and tested recovery procedures
6. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, we will also notify the affected individuals without undue delay.
Our breach notification process includes identifying the nature of the breach, the categories and approximate number of individuals concerned, the likely consequences, and the measures taken or proposed to address the breach.
7. International Data Transfers
Where we transfer personal data outside of the European Economic Area (EEA) or other jurisdictions with data transfer restrictions, we ensure that appropriate safeguards are in place. These safeguards may include:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Transfers to countries with an adequate level of data protection as determined by relevant authorities
- Binding Corporate Rules for intra-group transfers
- Explicit consent of the data subject for specific transfers
8. Data Processing Agreements
Where we engage third-party service providers (sub-processors) to process personal data on our behalf, we enter into Data Processing Agreements (DPAs) that require the sub-processor to implement appropriate technical and organizational measures and process data only in accordance with our documented instructions.
We regularly review and audit our sub-processors to ensure ongoing compliance with data protection requirements.
9. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) when introducing new technologies or processing activities that are likely to result in a high risk to the rights and freedoms of individuals. DPIAs help us identify and minimize data protection risks associated with our AI solutions and consulting services.
10. Retention & Disposal
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected. Our retention periods are determined by the nature of the data, the purposes of processing, and applicable legal and regulatory requirements.
When personal data is no longer required, it is securely deleted or anonymized using industry-standard methods that prevent reconstruction or re-identification.
11. Training & Awareness
All Dojo Labs employees and contractors receive regular data protection training appropriate to their roles and responsibilities. This training covers data protection principles, security practices, breach identification and reporting, and the handling of data subject requests.
12. Policy Updates
This Data Protection Policy is reviewed and updated periodically to reflect changes in our data processing activities, legal requirements, or best practices. Any material changes will be communicated through our website. We encourage you to review this policy regularly.
13. Contact & Complaints
If you have any questions, concerns, or complaints about this Data Protection Policy or our data processing practices, please contact us:
- Email: hello@dojolabs.co
- Location: Wyoming, United States
- Website: dojolabs.co
If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority in your jurisdiction.