diff --git a/Dockerfile b/Dockerfile
index 365b035..d1bbd8d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,13 +9,12 @@ RUN pip install --no-cache-dir -r requirements.txt
 # Copy app
 COPY app/ app/
 
-# Non-root user
-RUN useradd -r -u 1001 appuser && chown -R appuser /app
+# Data dir (will be bind-mounted read-only in production) + non-root user
+RUN mkdir -p /data && \
+    useradd -r -u 1001 appuser && \
+    chown -R appuser /app /data
 USER appuser
 
-# Data dir (will be bind-mounted read-only in production)
-RUN mkdir -p /data
-
 EXPOSE 8001
 
 ENV PORT=8001