Privacy Policy

Doc Custodian ("Company," "we," "us," or "our") is committed to protecting the privacy and confidentiality of the personal information and data entrusted to us by our users. This Privacy Policy ("Policy") describes in detail how we collect, use, process, store, disclose, transfer, and safeguard your personal information and other data when you access, browse, or use our cloud-based document management platform and all related websites, applications, features, tools, and services (collectively, the "Service"). This Policy applies to all visitors, registered users, workspace administrators, workspace members, and any other individuals who access or interact with the Service in any capacity, and applies to information collected in the United States, Canada, and any other jurisdiction from which you may access the Service.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the collection, use, processing, and disclosure of your personal information as described in this Policy. If you do not agree with any aspect of this Policy, you should not access or use the Service. We encourage you to read this Policy carefully and in its entirety, and to review it periodically for updates and changes.

1. Information We Collect

We collect various types of information from and about you in connection with your use of the Service. The types of information we collect depend on how you interact with the Service and what features you use. We may collect information directly from you, automatically through your use of the Service, and from third-party sources as described below.

1.1 Account and Registration Information

When you create an account, register for the Service, or update your account settings, we may collect the following information:

• Full name, display name, and any other name or alias you choose to provide
• Email address, including primary and any secondary email addresses associated with your account
• Profile photograph or avatar image, if provided by you or by your third-party identity provider during the authentication process
• Authentication credentials and related security information, which are managed securely and, where applicable, through dedicated third-party authentication and credential management services
• Account preferences, settings, and configuration options that you select or modify during your use of the Service

1.2 Workspace, Organization, and Subscription Information

When you create or join a workspace, manage workspace settings, or subscribe to a plan, we may collect:

• Workspace name, slug, and configuration settings, including but not limited to workspace preferences and administrative settings
• Subscription plan details, billing status, billing cycle, payment history, and related subscription management information
• Workspace membership information, including the email addresses, roles, and permissions of all members within your workspace
• Invitation records, including the email addresses of individuals you invite to join your workspace and the status of such invitations

1.3 User Content and Document Data

When you upload, create, modify, or otherwise interact with documents and files through the Service, we collect and process:

• PDF documents, images, scanned files, photographs, and any other files you upload to the Service in any supported format
• Extracted text, structured data, parsed information, and other derivative content generated by the Service's document extraction and conversion features from your uploaded documents
• AI-generated analysis, summaries, classifications, categorizations, and other output produced by the Service's artificial intelligence and machine learning features in connection with your documents
• Digital signatures, electronic signature records, signature audit trails, signing certificates, and approval records created through the Service's signature workflow features
• Document metadata, including but not limited to file names, file sizes, file types, upload dates, modification dates, version history, and folder organization

1.4 Automatically Collected Usage and Technical Information

When you access or use the Service, we may automatically collect certain technical and usage information, including but not limited to:

• Activity logs and audit trail data, including records of document uploads, document downloads, document modifications, document deletions, feature usage, administrative actions, and other interactions with the Service
• Browser type and version, browser language and locale settings, operating system type and version, device type, device identifiers, screen resolution, and other technical information about the hardware and software you use to access the Service
• Internet Protocol (IP) address, approximate geographic location derived from your IP address, internet service provider information, and network-related information
• Pages and features of the Service that you visit, view, or interact with, the date and time of your access, the duration of your sessions, the sequence of pages and actions within the Service, referring and exit URLs, and clickstream data
• Error logs, crash reports, performance metrics, and diagnostic data generated by the Service during your use thereof

2. How We Use Your Information

We use the information we collect for the following purposes, to the extent permitted by applicable law:

• To Provide, Operate, and Maintain the Service: We use your information to process and store your documents, perform document extraction and conversion, generate AI-powered analysis, facilitate digital signature workflows, manage your workspace, authenticate your identity, process subscription payments, deliver the core functionality of the Service, and otherwise fulfill our contractual obligations to you.
• To Manage and Administer Your Account: We use your information to create and manage your account, authenticate your access to the Service, manage workspace settings and member permissions, process subscription billing and payments, communicate billing-related information, and maintain the integrity and security of your account.
• To Improve, Develop, and Enhance the Service: We may use aggregated, anonymized, or de-identified usage data and technical information to analyze usage patterns and trends, identify areas for improvement, develop new features and functionality, optimize the performance and reliability of the Service, conduct internal research and analytics, and otherwise improve the overall quality of the Service. We do not use your User Content for this purpose.
• To Communicate with You: We use your contact information to send you transactional communications related to your account and subscription, including but not limited to account verification emails, subscription confirmation emails, billing and payment notices, password reset emails, security alerts, and service-related announcements. With your express consent, we may also send you promotional communications, product updates, newsletters, and marketing materials. You may opt out of non-essential communications at any time.
• To Ensure Security and Prevent Abuse: We use your information to detect, investigate, and prevent fraud, unauthorized access, security breaches, abuse of the Service, violations of these Terms, and other harmful, illegal, or unauthorized activities. This may include monitoring usage patterns for anomalies and maintaining security logs.
• To Comply with Legal Obligations: We use your information to comply with applicable laws, regulations, legal processes, governmental requests, court orders, and subpoenas, and to enforce our Terms of Service, protect our legal rights, and defend against legal claims.

We do not sell, rent, lease, or trade your personal information to third parties for their marketing or advertising purposes. We do not use your uploaded documents, User Content, or document data to train, improve, fine-tune, or otherwise develop artificial intelligence models, machine learning models, or any other algorithmic systems, whether our own or those of third parties. Your documents are processed solely to provide the Service to you and are not used for any other purpose.

3. Third-Party Service Providers

We engage certain third-party companies, organizations, and individuals ("Service Providers") to assist us in providing, operating, maintaining, improving, and securing the Service. These Service Providers may have access to your personal information and data only to the extent necessary to perform the specific services they provide to us, and are contractually obligated to protect the confidentiality and security of your information and to use it only for the purposes for which it was disclosed to them. The categories of Service Providers we may engage include, but are not limited to:

• Authentication and Identity Providers: We use third-party identity providers and authentication services to verify your identity and facilitate secure sign-in to the Service. When you authenticate through a third-party identity provider, that provider may collect and process certain information in accordance with its own privacy policy and terms of service, which we encourage you to review. We do not control and are not responsible for the privacy practices of third-party identity providers.
• Payment Processing Providers: All subscription billing, payment processing, and payment-related transactions are handled by a third-party payment processor. Your payment information, including credit card numbers, debit card numbers, bank account information, and other financial data, is collected and processed directly by the payment processor and is not stored on our servers. The payment processor's handling of your financial information is governed by its own privacy policy and security practices.
• Cloud Infrastructure and Hosting Providers: Your documents, files, account data, and other information associated with your use of the Service are stored on secure cloud infrastructure located in the United States, operated by enterprise-grade hosting providers that maintain robust physical, network, and data security measures. These providers may process your data as necessary to provide hosting, storage, and related infrastructure services to us.
• AI and Document Processing Providers: Certain features of the Service, including document extraction, document conversion, AI-powered analysis, and summarization, utilize third-party artificial intelligence and document processing services. When you use these features, relevant portions of your documents may be transmitted to these providers for real-time processing. Documents are processed on-demand, are not intended to be retained by these providers beyond the active processing session, and are not used by these providers to train their AI models, subject to the terms of our agreements with them.
• Email and Communication Providers: We may use third-party email delivery services to send transactional emails, notifications, and other communications related to the Service.

4. Data Sharing and Disclosure

We value the privacy and confidentiality of your information and limit the sharing and disclosure of your personal information to the following circumstances:

• With Your Consent or at Your Direction: We may share your information when you explicitly authorize or direct us to do so, including when you choose to integrate the Service with third-party applications or services.
• With Workspace Members: Documents, files, data, and other User Content within a workspace may be accessible to other authorized members of that workspace in accordance with the roles, permissions, and visibility settings configured by the workspace administrator. The workspace administrator is responsible for managing access to shared content within the workspace.
• With Service Providers: We share information with the categories of third-party Service Providers described in Section 3, who are contractually obligated to protect your data and use it only as directed by us to provide their services.
• For Legal Compliance and Protection: We may disclose your information if we believe in good faith that such disclosure is necessary or appropriate to: (a) comply with applicable law, regulation, legal process, governmental request, court order, or subpoena; (b) enforce our Terms of Service or other agreements; (c) protect the rights, property, privacy, safety, or security of the Company, our users, or the public; (d) detect, prevent, or address fraud, security issues, or technical issues; or (e) respond to an emergency involving danger of death or serious physical injury to any person.
• In Connection with Business Transfers: We may share, transfer, or disclose your information in connection with, or during negotiations of, any merger, sale of company assets, financing, acquisition, dissolution, reorganization, bankruptcy, receivership, or similar business transaction involving the Company or any of its assets. In such event, we will make reasonable efforts to ensure that the acquiring entity or successor is bound by privacy protections no less restrictive than those set forth in this Policy.
• Aggregated or De-Identified Data: We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you with third parties for analytics, research, benchmarking, or other lawful purposes.

5. Cookies, Tracking Technologies, and Similar Technologies

We use cookies and similar technologies to facilitate the operation of the Service, maintain your session, and remember your preferences. The specific types of cookies and technologies we use include:

• Strictly Necessary / Essential Cookies: These cookies are essential for the proper functioning of the Service and cannot be disabled without significantly impacting your ability to use the Service. They are used for authentication, session management, CSRF (Cross-Site Request Forgery) protection, security, load balancing, and other core functionality. Without these cookies, the Service cannot function properly.
• Preference and Functionality Cookies: These cookies store your preferences and settings, such as your selected theme (light or dark mode), language preferences, and other user interface configurations, to enhance your experience and provide personalized functionality when you return to the Service.

We do not use third-party advertising cookies, behavioral advertising technologies, cross-site tracking technologies, or social media tracking pixels. We do not participate in any advertising networks, and we do not share your browsing data with advertisers or ad networks. We do not build advertising profiles based on your use of the Service.

6. Data Retention

We retain your personal information and User Content for as long as reasonably necessary to fulfill the purposes for which it was collected, to provide and maintain the Service, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. The specific retention periods may vary depending on the type of data, the applicable legal requirements in your jurisdiction, and our legitimate business needs. General retention practices include:

• Active Accounts: We retain your account information, workspace data, and User Content for as long as your account remains active and your subscription is in good standing. You may access, modify, export, or delete your information at any time during your active subscription.
• After Subscription Cancellation: Following the cancellation or expiration of your subscription, we may retain your account information and User Content for a limited grace period to allow you to reactivate your subscription, retrieve your data, or export your documents. After this grace period, your data may be permanently and irrevocably deleted from our active systems. The length of the grace period is determined at our sole discretion and may vary.
• After Account Deletion Request: Upon receipt of a verified request for account deletion, we will make commercially reasonable efforts to remove your personal information and User Content from our active systems within a reasonable timeframe. However, residual copies of your information may remain in our backup systems, archived storage, or disaster recovery systems for a limited period before being permanently purged, and certain information may be retained as required by applicable law.
• Operational Logs and Analytics: Usage logs, activity data, error logs, and other operational data may be retained for a reasonable period for security monitoring, fraud prevention, incident investigation, system diagnostics, and other legitimate operational purposes, after which they are deleted or anonymized.
• Legal Holds: Notwithstanding the foregoing, we may retain information for longer periods as required by applicable law, regulation, legal process, litigation hold, or governmental investigation.

7. Your Privacy Rights

7.1 Rights Available to All Users

Regardless of your location, we provide all users of the Service with the following rights with respect to their personal information, which you may exercise by contacting us using the information provided in Section 12:

• Right of Access: You have the right to request access to the personal information we hold about you, including a summary of the categories of personal information collected, the purposes for which it is used, and the categories of third parties with whom it has been shared.
• Right of Correction: You have the right to request that we correct or update any personal information that is inaccurate, incomplete, or outdated.
• Right of Data Portability: You have the right to request a copy of your personal information and User Content in a commonly used, machine-readable format, to the extent technically feasible.
• Right of Deletion: You have the right to request the deletion of your account and associated personal information, subject to certain exceptions as permitted or required by applicable law (for example, where we are required to retain information for legal compliance purposes).
• Right to Opt Out: You have the right to opt out of receiving non-essential communications from us at any time by following the unsubscribe instructions in any such communication or by contacting us directly.

7.2 Additional Rights for California Residents (CCPA/CPRA)

If you are a resident of the State of California, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA"), provides you with the following additional rights with respect to your personal information:

• Right to Know: You have the right to request that we disclose to you the categories of personal information we have collected about you, the categories of sources from which the personal information was collected, the business or commercial purposes for collecting the personal information, the categories of third parties with whom we share personal information, and the specific pieces of personal information we have collected about you, covering the twelve (12) month period preceding your request.
• Right to Delete: You have the right to request that we delete any personal information about you that we have collected, subject to certain exceptions provided by law.
• Right to Opt Out of Sale or Sharing: You have the right to opt out of the "sale" or "sharing" of your personal information, as those terms are defined under the CCPA/CPRA. We do not sell or share your personal information within the meaning of the CCPA/CPRA, and we have not done so in the preceding twelve (12) months.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights, including by denying you the Service, charging you different prices, providing a different level or quality of service, or suggesting that you will receive a different price or quality of service.
• Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you.
• Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of sensitive personal information to certain purposes specified under the CCPA/CPRA. We do not use or disclose sensitive personal information for purposes other than those permitted under the CCPA/CPRA.

7.3 Additional Rights for Canadian Residents (PIPEDA and Provincial Legislation)

If you are a resident of Canada, the Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial privacy legislation (including, where applicable, the Alberta Personal Information Protection Act, the British Columbia Personal Information Protection Act, and Quebec's Act Respecting the Protection of Personal Information in the Private Sector) provide you with the following additional rights:

• Right of Access: You have the right to request access to the personal information we hold about you and to be informed of the use that has been made of it and of any third parties to which it has been communicated.
• Right of Correction: You have the right to challenge the accuracy and completeness of your personal information and to have it amended as appropriate.
• Right to Withdraw Consent: You have the right to withdraw your consent for the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions and upon reasonable notice. Withdrawal of consent may affect our ability to provide the Service to you.
• Right to Complain: You have the right to file a complaint with the Office of the Privacy Commissioner of Canada or with the applicable provincial privacy commissioner if you believe that we have not handled your personal information in accordance with applicable privacy legislation.

To exercise any of these rights, please contact us using the information provided in Section 12 below. We may require you to verify your identity before we can respond to your request. We will respond to verified requests within the timeframes required by applicable law.

8. Children's Privacy

The Service is designed for use by adults and is not intended for, directed at, or designed to attract individuals under the age of sixteen (16). We do not knowingly collect, solicit, or receive personal information from children under the age of 16, and we do not knowingly allow children under the age of 16 to register for or use the Service. If we become aware that we have inadvertently collected personal information from a child under the age of 16, we will take prompt steps to delete such information from our records and to terminate the child's account. If you are a parent or guardian and believe that your child under the age of 16 has provided us with personal information without your consent, please contact us immediately using the information provided in Section 12, and we will take appropriate steps to investigate and address the situation.

9. International Data Transfers

Your personal information and User Content are primarily stored and processed on servers and infrastructure located in the United States of America. If you access or use the Service from a location outside the United States, including from Canada, the European Economic Area, the United Kingdom, or any other jurisdiction, you acknowledge and understand that your personal information will be transferred to, stored in, and processed in the United States, where data protection and privacy laws may differ from, and may provide a lesser degree of protection than, the laws of your home jurisdiction. By accessing or using the Service, you expressly consent to the transfer, storage, and processing of your personal information in the United States and in any other country in which we or our Service Providers maintain facilities. We will take reasonable steps to ensure that your personal information is treated securely and in accordance with this Policy, regardless of where it is processed.

10. Security of Your Information

We implement commercially reasonable technical, administrative, and organizational security measures designed to protect the confidentiality, integrity, and availability of your personal information and User Content against unauthorized access, disclosure, alteration, destruction, loss, and misuse. However, you acknowledge and agree that no method of electronic transmission over the internet, no method of electronic storage, and no security system is completely secure, impenetrable, or immune from attack. While we strive to use commercially reasonable and industry-standard means to protect your information, we cannot and do not warrant or guarantee the absolute security of your personal information or User Content transmitted to, stored on, or processed by the Service, and we shall not be liable for any unauthorized access to, alteration of, or destruction of your information resulting from a security breach or any other cause. For additional information about our security practices, please review our Security Policy.

11. Changes to This Privacy Policy

We reserve the right to modify, amend, update, or replace this Privacy Policy at any time and from time to time, in our sole discretion. When we make changes, we will update the "Last updated" date at the top of this page and, where we consider it appropriate or where required by applicable law, we may provide additional notification of material changes through email, in-app notification, or other means. We encourage you to review this Policy periodically to stay informed about how we are protecting your information. Your continued access to or use of the Service following the posting of any revised Privacy Policy constitutes your acceptance of and agreement to the revised Policy. If you do not agree with the changes, you should discontinue your use of the Service and, if applicable, request deletion of your account.

12. Contact Us

If you have any questions, concerns, comments, complaints, or requests regarding this Privacy Policy, our data practices, or your privacy rights, or if you wish to exercise any of the rights described in this Policy, please contact us using the following information:

• Email: customerservice@doccustodian.com
• Website: doccustodian.com

For Canadian residents, you may also contact the Office of the Privacy Commissioner of Canada or the applicable provincial privacy commissioner. For California residents, you may contact the California Attorney General's Office or the California Privacy Protection Agency.