doxo Privacy and Security Policy

Version 1.2
Effective date: July 24, 2020

doxo is designed for doxo users to pay their bills, organize Provider accounts; manage personal account information, reminders, and documents; and establish connections with Providers to receive documents paperlessly, all in one place.

doxo is committed to maintaining the confidentiality, integrity and security of any and all personal information about doxo users. This Privacy and Security Policy (the “Policy”) explains how doxo protects information provided through our websites doxostaging.wpengine.com, secure.doxo.com, pay.doxo.com, and user.doxo.com and applications accessing those websites (the “Site”) and how doxo uses that information in connection with the doxo service offered through the Site (the “Service”). “Private Information” for purposes of this Policy means information provided to us that identifies you, such as your name, address, phone number, email address, any account information or other information you store about your relationship with your Providers, and any documents and accompanying information that are stored on your behalf by doxo. doxo privacy standards are designed to guard against identity theft, to protect sensitive data, and provide security for your Private Information. doxo regularly re-evaluates privacy and security policies and adapts them as necessary to deal with new challenges. Capitalized terms used but not defined in this Policy will have the meanings defined in the doxo User Terms of Service.

1. Your Private Information is not for sale

Simply put, doxo will not sell or rent your Private Information to anyone, for any reason, at any time. doxo uses and discloses your Private Information only as follows:

  • to deliver and post your payments to Providers;
  • to analyze Site usage and improve the Service;
  • to deliver to you any administrative notices, alerts and communications relevant to your use of the Service;
  • for market research, project planning, troubleshooting problems, detecting and protecting against error, fraud or other criminal activity;
  • to third-party contractors that provide services to doxo and are bound by privacy restrictions at least as protective as this Policy (e.g. auditors, technical consultants);
  • to enforce the doxo User Terms of Service; and as otherwise set forth in this Policy.

2. What information doxo collects and stores for you

Certain areas and features of the Site are available to you without registration or the need to provide doxo any information. However, other features of the Site or the Service require registration, which may involve provision to doxo of an email address, a password and your zip code (collectively the “Registration Information”). In order to benefit from the full functionality of the Service, you may be required to provide additional information:

  • if you choose to establish a “connection” with a Provider on doxo (“Connect” or “Connection”) and/or if you choose to make a payment on doxo, you also may be required to provide your account credentials for those Providers (“Account Credentials”). When you submit Account Credentials for a Provider within the Service, you elect to share certain information from your doxo user profile with that Provider or other information (“Account Information”), and any Account Information or documents you exchange with that Provider will be accessible to that Provider.

doxo may de-identify or aggregate Private Information and use and disclose such data only in a non-personally identifiable manner to:

  • improve the design, functionality and content of the Service;
  • enable Providers to improve their use of the Service and to benefit their customers through the Service;
  • provide reports and analysis that may benefit doxo users or Providers; or
  • develop products and services that might interest doxo users and Providers.

Such information does not identify you individually. To verify the identity of users and/or detect patterns of activity that may indicate or help prevent fraud, our Service may utilize fraud prevention services and methods designed to protect payment account information or other Private Information from being used in a fraudulent manner through the Service. These methods utilized include use of Sift Science’s anti-fraud service. Sift Science can use your Private Information in accordance with their privacy policy on their website at siftscience.com. doxo personnel (including employees, agents or contractors) may need to access your Private Information in accordance with this Privacy Policy, including to provide support or for security, fraud, or other problems involving your account. Any such access is only conducted to the extent necessary. Any personnel that conduct such activity have been selected in accordance with doxo security policies and practices and are bound by confidentiality obligations. They are subject to discipline, including termination, if they fail to meet the standards of these policies and practices.

3. Changes to the information doxo collects

If your Registration Information or any other information stored in doxo changes, you may update it any time by logging into the Service and editing the information online via your account.

4. Technologies doxo uses to optimize your experience

When you visit the Site, doxo may collect session activity (including replay activity) and technical and navigational information, such as computer browser type, Internet Protocol address, pages visited, and average time spent on the doxo Site and store it in log files. This information does not include information such as payment card number or financial information and may be used, for example, to alert you to software compatibility issues, to ensure successful payment delivery, optimize the user experience, and assist in customer support requests, or it may be analyzed to improve the design and functionality of the Site or Service.

We may combine this automatically collected log information with other information we collect about you. We do this to provide customer support to you, and to improve the quality and functionality of the Service we offer to you. Technologies such as: cookies, beacons, tags and scripts are used by doxo and our analytics or service providers (e.g. online customer support provider). These technologies are used in analyzing trends, administering the Site, tracking users’ movements around the Site and to gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.

We use cookies for authentication and personalization of the Service. Users can control the use of cookies at the individual browser level. If you reject cookies, you may still use our Site, but your ability to use some features or areas of our Site may be limited. doxo may use third party service providers to help doxo analyze certain online activities. For example, these service providers may help doxo measure the performance of doxo online campaigns or analyze visitor activity on the Site. doxo may permit these service providers to use cookies and other technologies to perform these services for doxo. doxo does not share any Private Information about doxo customers with these third party analytics service providers, and these service providers do not collect such information on behalf of doxo. doxo third party service providers are required to comply fully with this Policy.

5. How we share information with 3rd parties

doxo does not share your Private Information with third parties for their promotional or marketing purposes. doxo may share your Private Information with third party service providers who assist doxo in providing Service to you or who provide fraud detection or similar services on doxo’s or any vendor’s behalf. doxo has contracts with these service providers that only allow them to use your Private Information in connection with the services they perform for doxo and not for their own benefit. 

In addition, there are a number of features of doxo that are dependent on you making a Connection with your Providers. If you choose to use these features, you will be asked to disclose information about your relationship with that Provider to the Provider. You should evaluate the practices of Providers before deciding to provide them information and Connect with them on doxo. doxo is not responsible for their privacy practices. doxo may also share Private Information with the applicable Provider as necessary to fix security, fraud, or other problems. Any information you share with your Providers is up to you. It may be information that is already known by that Provider as part of your existing relationship with them. Any additional information beyond that which is used to establish a Connection with the Provider will only be shared with and used by doxo to optimize your relationship with that Provider. If you click on a link to a third-party site, doxo encourages you to check the privacy policy of that site. doxo may present links in a format that enables doxo to keep track of whether these links have been followed and whether any action has been taken on a third party Web site. doxo uses this information to improve the quality of the doxo Service.

6. Disclosure of information when required by law

Notwithstanding anything to the contrary in this Policy, doxo reserves the right (and you hereby authorize doxo) to share and disclose your Private Information when doxo determines, in its sole discretion, that the disclosure of such information is necessary or appropriate:

  • To enforce doxo’s rights against you or in connection with a breach by you of this Policy or the doxo User Terms of Service;
  • To prevent prohibited or illegal activities; or
  • When required by any applicable law, rule, regulation, court order, warrant, subpoena or other legal process.

In such an event, if permitted by law, doxo will make reasonable efforts to notify you and give you the opportunity to seek a protective order. If doxo is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email and/or a prominent notice on our Web site (doxostaging.wpengine.com) of any change in ownership or uses of your Private Information, as well as any choices you may have regarding your Private Information. Should such a change occur, doxo will require that the new entity follow this Policy with respect to your Private Information. If your Private Information could be used contrary to this Policy, you will receive prior notice and the opportunity to communicate preferences you may have, if applicable.

7. You have complete control over your data

Your data is yours. You can remove it anytime you want. We will retain your information for as long as your account is active or as needed to provide the Service to you. If you wish to cancel your account or request that we no longer use your information to provide the Service to you, you may close your account using the settings menus, and if you have questions you may contact us at support.doxo.com. We, and our service providers, will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. When you request doxo to delete your doxo account, your data will be permanently expunged from doxo’s primary production servers and further access to your account will not be possible. doxo will also promptly disconnect any Connection between you and Providers on the Service. All Providers that you were Connected to will be notified that you no longer choose to be Connected via doxo and it is up to each Provider to begin communications via alternative means (for example, begin sending documents to you via US Mail instead of doxo). It is the responsibility of the Provider to take action and facilitate communication with you through the appropriate channel. doxo may also retain aggregated or de-identified data derived from your Account Information indefinitely. Your information may also remain on a backup server or media. If your Private Information changes, or if you no longer wish to use the Service, you may correct, update or delete inaccuracies by making the change within your account and you can request assistance by visiting us at support.doxo.com.

8. Email communications from doxo

doxo provides you with periodic summaries of your account and email alerts for certain events having to do with your doxo account – for example, when a Connection with a Provider has been accepted or declined, a Provider we believe you might have a relationship with has joined the doxo network, a new document from a Provider is received, information about payments, when a bill is coming due, or if new product features have become available to you. You have the ability to opt-out of receiving some emails via settings in doxo or by clicking the unsubscribe mechanism in the email doxo sends you.

9. Your data is accessible only by you

doxo uses a combination of firewall barriers, encryption techniques and authentication procedures, among others, designed to maintain the security of your online session and to protect doxo accounts and systems from unauthorized access. When you register for the Service, doxo requires a password from you for your privacy and security. doxo servers are operated in highly secure facilities. Access requires multiple levels of authentication, including biometrics (hand print scan) procedures. Security personnel monitor the facilities 7 days a week, 24 hours a day. doxo databases are protected from general employee access both physically and logically. doxo encrypts your Service password so that your password cannot be recovered, even by doxo. All backup drives and tapes also are encrypted. All Private Information (including any documents stored on your behalf) is always encrypted with 256 bit encryption or better, and is only viewable by you after entering your login credentials. No employee may put any sensitive content on any insecure machine (i.e., nothing can be taken from the database and put on an insecure laptop). doxo tests the Site daily for any failure points that would allow hacking. However, it is important to understand that these precautions apply only to the Site and doxo systems. doxo exercises no control over how your information is stored, maintained or displayed by you, third parties or on third-party sites. No method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee absolute security.

10. doxo uses highly secure communications

From the time you submit your login credentials, the communications between your computer and doxo are encrypted using industry-standard 128 bit TLS 1.1 or higher technology or better. TLS enables client and server applications to communicate in a way that is designed to prevent eavesdropping, tampering and message forgery. Any data transmitted between one of your Providers and doxo (e.g. when establishing a Connection or sending and receiving documents from the Provider) is secured using TLS and encrypted in transport between the Provider and doxo.

11. You are responsible for protecting your access credentials

doxo maintains strict rules to help prevent others from guessing your password. doxo also recommends that you change your password periodically. You are responsible for maintaining the security of your doxo user name and password. You are specifically restricted from providing these credentials to any third party. If you believe that they have been stolen or been made known to others, you must contact doxo immediately at security@doxo.com and change your password immediately via the Service. doxo is not responsible if someone else accesses your account through Registration Information they have obtained from you or through a violation by you of this Policy or the doxo User Terms of Service.

If you have a security related concern, please contact doxo at security@doxo.com. doxo will work closely with you to ensure a rapid and personal response to your concerns. Our Site may offer publicly accessible blogs or community forums. You should be aware that any information you provide in these areas may be read, collected and used by others who access them. To request removal of your Private Information from our blog or community forums, contact us at security@doxo.com. In some cases, we may not be able to remove your Private Information, in which case we will let you know if we are unable to do so and why.

12. Doxo posts updates to this Policy from time to time

doxo reserves the right to modify this Policy at any time, so please review it frequently. If doxo makes material changes to this Policy, doxo will notify you here, by email, by means of a notice to the doxo home page, or via a notification in your doxo account prior to the change becoming effective. The date last revised appears at the top of the Policy.

13. Contact Doxo if you have questions or concerns

If you have questions, comments, concerns or feedback regarding this Policy or any other privacy or security concern, send an e-mail to security@doxo.com. Doxo Inc. 101 Stewart St Suite 800 Seattle, WA 98101.

14. Your California Privacy Rights

The California Consumer Privacy Act of 2018 (“CCPA”) provides certain rights to residents of California. This section of the Policy applies if you are a natural person who is a resident of California (“California Consumer”) and uses our Service. This notice supplements the information in the Policy with respect to California Consumers. Certain terms used below have the meanings given to them in the CCPA. We collect and disclose the following categories of personal information as indicated below:

| Category of personal information | Collected | Disclosed |
|---|---|---|
| A. Identifiers such as a real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, Internet Protocol address, email address and account name. | Yes | Yes |
| B. Personal information as defined in the California customer records law, such as name, contact information, and financial information. | Yes | Yes |
| C. Characteristics of protected classifications under California or federal law, such as gender and date of birth. | Yes | No |
| D. Commercial information, such as transaction information, purchase history, financial details and payment information. | Yes | Yes |
| E. Biometric information, such as fingerprints and voiceprints. | No | No |
| F. Internet or other electronic network activity information, such as browsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, systems and advertisements. | Yes | Yes |
| G. Geolocation data, such as device location. | No | No |
| H. Audio, electronic, visual and similar information, such as images and audio, video or call recordings created in connection with our business activities. | Yes | No |
| I. Professional or employment-related information, such as job title as well as work history and experience. | No | No |
| J. Education information subject to the federal Family Educational Rights and Privacy Act, such as student records. | No | No |
| K. Inferences drawn from any of the personal information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics. | Yes | No |

We collect this personal information from you and from other categories of sources such as: public and publicly available sources; our vendors, data suppliers, and service providers; and partners with which we may offer co-branded services or engage in joint event or marketing activities.

We share this personal information with: our service providers; the administrators authorized by Providers with whom you Connect and/or pay, and other parties where required by law or to protect our rights. For more details, please see Section 5 (How we share information with 3rd parties) and Section 6 (Disclosure of information when required by law) of this Policy.

We may use this personal information to: operate, manage, and maintain our business, to provide our products and services, to communicate with you, for our vendor management purposes, and to accomplish our business purposes and objectives, including, for example, using personal information to: develop, improve, repair, and maintain our products and services; process or fulfill a request or other transactions submitted to us; personalize our products and services; provide customer support; conduct research, analytics, and data analysis; undertake quality and safety assurance measures; conduct risk and security control and monitoring; detect and prevent fraud; perform identity verification; perform accounting, audit, and other internal functions; comply with law, legal process, and internal policies; maintain records; exercise and defend legal claims; and fulfill legal obligations.

Doxo does not sell personal information to third parties within the scope of the application of the CCPA.

California Privacy Rights

California residents have the right to request:

  • The categories of personal information we collect, along with the categories of sources from which we collect such information, the categories of third parties to whom we disclose it, and the business purposes for such disclosure;
  • The specific pieces of information we have collected about you;
  • Deletion of certain personal information we have collected from you; and
  • To opt-out of the sale of your personal information, to the extent that such sales occur.

We will not deny, charge different prices for, or provide a different level of quality of services if you choose to exercise these rights. Note that each of these rights is subject to certain restrictions and exceptions under California law; for example, we may need to retain certain information for record keeping or legal purposes.

California residents may exercise their California privacy rights by submitting a request via one of the methods in the “How to Contact Us” section. You also have the right to designate an agent to exercise these rights on your behalf.

For security purposes, we will verify your identity – in part by verifying your email account or requesting certain information from you – when you request to exercise your California privacy rights. Once we have verified your identity (and your agent, as applicable), we will respond to your request as appropriate. Consistent with California law, we do not disclose government IDs or financial account numbers.

Shine the Light Disclosure

The California “Shine the Light” law gives residents of California the right under certain circumstances to request information regarding the manner in which we share certain categories of Personal Information (as defined in the Shine the Light law) with third parties for their direct marketing purposes. We do not share your Personal Information with third parties for their own direct marketing purposes.
