Privacy Policy
DocPeel® is committed to protecting your privacy. This policy explains what personal data we collect, why we collect it, and how we use and protect it.
Last updated: April 13, 2026
1. Information We Collect
1.1 Information you provide directly
- Account details: name, email address, and password when you register. If you use Google sign-in, we receive your name, email, and profile picture from Google.
- Documents and files: PDFs, DOCX files, images (PNG, JPG, WEBP), and EML email files you upload for extraction.
- Extraction templates: the field definitions and instructions you create to structure your extraction output.
- Support communications: messages, attachments, and other information you send when contacting our support team.
- Workspace and team data: workspace names, invite emails, and member roles if you use team features.
1.2 Information collected automatically
- Usage data: which features you use, extraction job counts, credit consumption, API call volume, error events, and dashboard navigation.
- Log data: IP address, browser type and version, operating system, referring URL, and timestamps of requests.
- Session cookies: a session token stored in a secure, http-only cookie to keep you signed in.
- Webhook and integration logs: payloads sent and received when you enable third-party integrations, stored for debugging purposes.
1.3 Information from third parties
- Paddle (billing): subscription status, plan tier, billing cycle, next billing date, and transaction history. We do not receive or store full card numbers; Paddle tokenises all payment details.
- Google OAuth: name, email, and profile picture, only if you choose to sign in with Google.
- Connected integrations: when you authorise an integration (Google Drive, Dropbox, etc.), we receive only the data you explicitly grant access to for the purpose of that integration.
2. How We Use Your Information
We use the data we collect to:
- Deliver the Service: process your documents, return extracted JSON, maintain your job history and credit balance.
- Manage billing: track your subscription plan, process payments via Paddle, issue invoices, and enforce credit limits.
- Authenticate and secure your account: verify your identity on login, detect unusual access patterns, and protect against unauthorised use.
- Send transactional emails: account-creation confirmation, magic-link sign-ins, password reset links, extraction-complete notifications, and payment receipts.
- Provide customer support: respond to your questions and diagnose issues using your logs and usage data.
- Prevent abuse: detect and block fraudulent accounts, spam API usage, and policy violations.
- Improve the Service: analyse aggregated, anonymised usage trends to prioritise features and fix performance issues.
- Comply with legal obligations: retain billing records and respond to lawful requests from authorities.
3. Document Processing
When you submit a document for extraction:
- The file is uploaded over an encrypted HTTPS connection to our servers.
- It is stored in secure cloud storage while the job is queued and processed.
- It is sent to our AI inference provider for processing; only the document content relevant to your extraction template is transmitted.
- The structured JSON result is returned to your account, and the original file is retained in your job history so you can preview it at any time.
Documents processed via API are handled identically to those submitted through the dashboard. If you connect integrations (e.g. auto-process files from a Google Drive folder), those files are fetched, processed, and stored under the same policy.
4. Legal Basis for Processing (GDPR & UK GDPR)
For users in the EU, EEA, and United Kingdom, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): processing your documents, managing your account and subscription, and delivering the features you have paid for.
- Legitimate interests (Art. 6(1)(f)): preventing fraud and abuse, securing the platform, improving service quality, and maintaining audit logs. Our legitimate interests do not override your fundamental rights.
- Legal obligation (Art. 6(1)(c)): retaining billing records, responding to lawful data access requests, and complying with tax regulations.
- Consent (Art. 6(1)(a)): sending optional marketing or product-update emails (you can opt out at any time via the unsubscribe link).
5. Data Sharing and Sub-Processors
We never sell your personal data. We share it only with the following categories of sub-processors who are contractually bound to process it under our instructions:
| Provider | Purpose | Data location |
|---|---|---|
| Payment Processor | Payment processing, subscription management | UK / US |
| AI Inference Provider | AI document processing | US |
| Cloud Infrastructure | Database, authentication, storage, hosting | US / EU |
We may also disclose personal data when required by law, court order, or governmental authority, or to protect the safety, rights, or property of DocPeel® or others.
6. Data Security
- All data in transit is encrypted with TLS 1.2 or higher
- Data at rest is encrypted with AES-256 via our managed cloud storage
- API keys are hashed (SHA-256) before storage; the full key is shown only once at creation
- Passwords are hashed using bcrypt with a cost factor of at least 10; plaintext passwords are never stored
- Production database access is restricted to application service roles; no direct human access is granted routinely
- Webhook signatures are verified using HMAC-SHA256 to prevent spoofed events
- Dependencies are audited regularly for known CVEs
Despite these measures, no system is 100% secure. If you discover a security vulnerability, please report it responsibly to hellodocpeel@gmail.com.
7. Data Retention
- Active accounts: data is retained for the lifetime of your account.
- Documents: original uploaded documents and their extraction results are retained for the lifetime of your account so you can preview them at any time.
- Closed accounts: personal data (name, email, documents, extraction results) is deleted within 30 days. Anonymised aggregate usage data may be retained indefinitely.
- Billing records: transaction history is retained for 7 years to comply with financial regulations, regardless of account status.
- Access and error logs: retained for up to 90 days for security monitoring and debugging, then automatically purged.
- Support communications: retained for up to 2 years to provide context for ongoing support relationships.
8. Your Rights
Depending on where you are located, you may have rights under GDPR, UK GDPR, CCPA, or other applicable laws:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete information. You can update most account details directly in your dashboard settings.
- Erasure ("right to be forgotten"): request deletion of your personal data by contacting us directly.
- Restriction of processing: ask us to stop processing your data while a dispute is resolved.
- Data portability: receive your extraction results and account data in a machine-readable format (JSON). Export is available from the dashboard.
- Objection: object to processing based on legitimate interests; we will cease unless we have compelling legitimate grounds.
- Withdraw consent: opt out of marketing emails at any time via the unsubscribe link, or contact us directly. Withdrawal does not affect prior processing.
- California residents (CCPA): you have the right to know, to delete, and to opt out of the sale of personal information. We do not sell personal information.
To exercise any right, email hellodocpeel@gmail.com. We will respond within 30 days (EU/UK: within 1 calendar month). We may ask you to verify your identity before acting on a request.
9. Cookies and Tracking
We use only essential cookies. No third-party advertising, analytics, or tracking cookies are set on our domain.
| Cookie | Purpose | Expiry |
|---|---|---|
| access-token | Auth session (access token) | 1 hour |
| refresh-token | Auth session (refresh token) | 60 days |
Disabling cookies will prevent you from logging in. No cookie consent banner is shown because we do not use non-essential cookies.
10. International Transfers
Our sub-processors operate primarily in the United States and European Union. When personal data is transferred from the EU/EEA or UK to the US, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards, as the legal transfer mechanism.
11. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us at hellodocpeel@gmail.com and we will delete it promptly.
12. Changes to This Policy
We may revise this Privacy Policy periodically. For material changes, we will notify you by email at least 14 days before the change becomes effective, and update the "Last updated" date above. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.
13. Contact and Data Controller
DocPeel® is the data controller for personal data collected through the Service. For privacy questions, data subject requests, or complaints:
- Email: hellodocpeel@gmail.com
If you are in the EU and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.