Privacy Policy

Effective Date: January 1, 2025 | Last Updated: December 30, 2024

Doclayer ("we", "us", or "our") operates the Doclayer platform at doclayer.ai. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our document processing services.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Email address
• Name
• Organization name
• Password (encrypted)
• Billing information (processed by Stripe)

1.2 Documents You Upload

When you use our service, you may upload documents for processing. These documents may contain:

• Text content
• Images and graphics
• Metadata (filename, creation date, author)
• Any information contained within the documents

1.3 Usage Data

We automatically collect:

• API requests and responses
• Processing logs and job status
• Feature usage patterns
• Error logs for debugging
• IP addresses
• Browser type and version
• Device information

1.4 Cookies and Tracking

We use essential cookies for:

• Authentication and session management
• Security and fraud prevention
• User preferences

We do not use third-party advertising cookies.

2. How We Use Your Information

We use collected information to:

• Provide Services: Process your documents, run extractions, and deliver results
• Improve Our Platform: Analyze usage patterns to enhance features and performance
• Communicate: Send service updates, security alerts, and support responses
• Billing: Process payments and manage subscriptions
• Security: Detect and prevent fraud, abuse, and security threats
• Legal Compliance: Meet regulatory and legal obligations

3. Document Processing

3.1 How We Process Documents

• Documents are processed using AI models to extract structured data
• Processing occurs on secure cloud infrastructure
• Documents are encrypted in transit (TLS 1.3) and at rest (AES-256)

3.2 AI Model Usage

• We use third-party AI providers (Google Gemini, OpenAI, Anthropic) for document understanding
• Document content may be sent to these providers for processing
• We have Data Processing Agreements with all AI providers
• AI providers do not use your data to train their models

3.3 Data Retention

• Active documents: Retained while your account is active
• Deleted documents: Permanently removed within 30 days
• Processing logs: Retained for 90 days for debugging
• Account data: Retained for 7 years after account closure for legal compliance

4. Data Sharing

We do not sell your personal information. We share data only with:

4.1 Service Providers

• Cloud Infrastructure: Google Cloud Platform, AWS
• AI Processing: Google (Gemini), OpenAI, Anthropic
• Payment Processing: Stripe
• Email: SendGrid
• Analytics: PostHog (self-hosted)

4.2 Legal Requirements

We may disclose information when required by:

• Law, regulation, or legal process
• Government requests
• Protection of rights, privacy, safety, or property

4.3 Business Transfers

In the event of a merger, acquisition, or sale, your information may be transferred to the acquiring entity.

5. Data Security

We implement industry-standard security measures:

• Encryption: TLS 1.3 in transit, AES-256 at rest
• Access Control: Role-based access, multi-factor authentication
• Infrastructure: SOC 2 Type II compliant cloud providers
• Monitoring: 24/7 security monitoring and intrusion detection
• Auditing: Regular security audits and penetration testing
• Isolation: Tenant data isolation and segregation

6. Your Rights

6.1 All Users

You have the right to:

• Access your personal data
• Correct inaccurate data
• Delete your account and data
• Export your data
• Opt out of marketing communications

6.2 European Users (GDPR)

If you are in the EEA, UK, or Switzerland, you also have the right to:

• Data portability
• Restrict processing
• Object to processing
• Withdraw consent
• Lodge a complaint with a supervisory authority

Legal Basis for Processing:

• Contract performance (providing services)
• Legitimate interests (security, improvement)
• Legal obligations (compliance)
• Consent (marketing)

6.3 California Users (CCPA)

California residents have the right to:

• Know what personal information is collected
• Know if personal information is sold or disclosed
• Opt out of the sale of personal information (we do not sell data)
• Non-discrimination for exercising rights

7. International Data Transfers

Customer documents and data are stored in Germany (EU). Your data may be processed in:

• Germany (primary data storage)
• European Union
• United States (AI processing via API calls)

For transfers outside the EEA, we use:

• Standard Contractual Clauses (SCCs)
• Adequacy decisions where applicable

8. Children's Privacy

Doclayer is not intended for users under 16 years of age. We do not knowingly collect information from children. If you believe a child has provided us with personal information, please contact us.

9. Third-Party Integrations

When you connect Doclayer to third-party services (Make.com, Zapier, etc.):

• Those services have their own privacy policies
• We share only the data necessary for the integration
• You control which integrations are active

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

• Email notification
• Banner on our website
• In-app notification

Continued use after changes constitutes acceptance of the updated policy.

11. Contact Us

For privacy-related inquiries:

12. Supervisory Authority

If you are in the EEA and believe we have not addressed your concerns, you have the right to lodge a complaint with your local data protection authority.