Privacy Policy

Last updated: 13 March 2026

Who we are

Dammit ("we", "us", "our") is a digital asset management service operated at dammit.app. We provide a metadata and organisation layer on top of Google Drive - we do not store your files.

If you have questions about this policy or your data, contact us at support@dammit.app.

What data we collect

We collect the following categories of information:

Google account information

When you sign in with Google, we receive your name, email address, and profile picture. This is used to create and identify your Dammit account.

Google Drive metadata

When you connect a Google Shared Drive, we read file metadata - filenames, MIME types, folder structure, modification dates, and thumbnail references. We use this metadata to build a browsable asset library with tagging and rights tracking.

We do not download, copy, or store the contents of your files. All file binaries remain in Google Drive at all times. We only read metadata and generate cached thumbnail images for display purposes.

Data you provide directly

Tags, rights classifications, collection names, portal configurations, team member invitations, and any other content you create within Dammit.

Usage and analytics data

We collect anonymised usage data to improve the product - pages visited, features used, and performance metrics. This is collected via PostHog and does not include personally identifiable information beyond what is needed to associate activity with your account.

Error and diagnostic data

We use Sentry to capture application errors. Error reports may include technical details about your browser, device, and the action that triggered the error. This data is used solely for debugging and improving reliability.

How we use Google user data

We use your Google account data for the following purposes only:

  • Authentication - to verify your identity and manage your session
  • Profile display - to show your name and avatar within the app
  • Drive metadata sync - to read file metadata from your connected Shared Drive and build your asset library
  • Thumbnail caching - to generate and cache thumbnail images from Drive for display in the app and on Portals

We do not use Google user data for advertising, sell it to third parties, or share it with anyone outside of the services listed in this policy.

Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

Where your data is stored

Your data is processed and stored by the following services:

  • Supabase (database and authentication) - hosted on AWS infrastructure. Your account data, workspace configuration, asset metadata, tags, and rights classifications are stored here. Cached thumbnail images are stored in Supabase Storage.
  • Vercel (application hosting) - our web application runs on Vercel's edge network. Vercel processes requests but does not persistently store your data.
  • Google Drive - your files remain in Google Drive. We access them via the Google Drive API using OAuth tokens you grant during setup.

All data is transmitted over encrypted connections (TLS/HTTPS). Google Drive OAuth tokens are encrypted at rest using AES-256-GCM before storage.

Third-party services

We use the following third-party services to operate Dammit. Each receives only the minimum data required for its function:

  • Supabase - database, authentication, and file storage (thumbnails)
  • Vercel - application hosting and edge functions
  • Google - OAuth authentication and Drive API
  • PostHog - product analytics (anonymised usage data)
  • Sentry - error monitoring and diagnostics
  • Google (Gemini AI) - AI-powered auto-tagging, semantic search, and color extraction (cached thumbnail images and asset metadata are sent to Google Gemini for tag suggestions, search relevance ranking, and brand color identification - no original file contents are shared)
  • Resend - transactional email (invitations, notifications)

Data retention

We retain your data for as long as your account is active.

  • Account and workspace data - retained until you delete your account or request deletion
  • Asset metadata and tags - retained while your workspace is active. Deleted when your workspace is deleted.
  • Cached thumbnails - retained while the corresponding asset exists in your workspace. Removed when the asset is removed from Dammit or your workspace is deleted.
  • Google OAuth tokens - retained while your Drive connection is active. Revoked and deleted when you disconnect your Drive or delete your account.
  • Analytics data - retained according to PostHog's retention policy (typically 12 months)
  • Error logs - retained according to Sentry's retention policy (typically 90 days)

Cookies

Dammit uses the following cookies:

  • Session cookie - an HttpOnly, Secure, SameSite=Strict cookie that maintains your authenticated session. This is essential for the app to function and cannot be disabled.
  • Analytics cookies - PostHog may set cookies to track anonymised usage patterns. These are not essential and can be blocked without affecting core functionality.

We do not use advertising cookies or share cookie data with advertisers.

Your rights

You have the following rights regarding your data:

  • Access - you can request a copy of the data we hold about you
  • Correction - you can request correction of inaccurate data
  • Deletion - you can request deletion of your account and all associated data
  • Data portability - you can request an export of your data in a machine-readable format
  • Revoke Google access - you can revoke Dammit's access to your Google account at any time via your Google Account permissions page

To exercise any of these rights, email us at support@dammit.app. We will respond within 30 days.

Data deletion requests

When you request account deletion, we will delete all of the following:

  • Your user account and profile data
  • Your workspace and all associated data (if you are the workspace owner)
  • All asset metadata, tags, and rights classifications
  • All cached thumbnail images
  • All stored Google OAuth tokens
  • All team invitations and activity logs

Your files in Google Drive are not affected - we never modify or delete your Drive files. Deletion will be completed within 30 days of your request.

Children

Dammit is not intended for use by anyone under the age of 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

Changes to this policy

We may update this privacy policy from time to time. If we make significant changes, we will notify you via email or an in-app notice. The "last updated" date at the top of this page will always reflect the most recent revision.

Contact

For any questions about this privacy policy or your data, contact:

Rae Downes
support@dammit.app