Privacy Policy | Doc Custodian

Doc Custodian ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our document management platform ("Service"). This policy applies to users in the United States and Canada.

1. Information We Collect

1.1 Account Information

When you create an account, we collect information provided by your identity provider:

Name and email address
Profile picture (if provided by your identity provider)
Authentication tokens (managed securely, not stored in plaintext)

1.2 Workspace and Subscription Information

Workspace name and configuration
Subscription plan, billing cycle, and payment status
Workspace membership and role assignments

1.3 User Content

Documents, files, and data you upload to the Service, including:

PDF documents, images, and scanned files
Extracted text and structured data generated from your documents
AI-generated analysis and summaries of your documents
Digital signatures and approval records

1.4 Usage Information

We automatically collect certain information when you use the Service:

Activity logs (document uploads, extractions, and modifications)
Feature usage patterns
Browser type, operating system, and device information
IP address and approximate geographic location
Pages visited and actions taken within the Service

2. How We Use Your Information

We use the information we collect to:

Provide the Service: Process your documents, perform extractions, store files, and deliver core functionality.
Manage Your Account: Authenticate you, manage workspace settings, and process subscriptions.
Improve the Service: Analyze usage patterns to enhance features, performance, and reliability.
Communicate: Send transactional emails (subscription confirmations, billing notices) and, with your consent, product updates.
Ensure Security: Detect and prevent fraud, unauthorized access, and abuse.
Comply with Law: Meet legal obligations, respond to lawful requests, and enforce our Terms of Service.

We do not sell your personal information. We do not use your uploaded documents to train AI models or for any purpose other than providing the Service to you.

3. Third-Party Service Providers

We share information with the following categories of service providers, solely to operate the Service:

3.1 Authentication Providers

We use Google, Microsoft (Entra ID), and Auth0 for user authentication. These providers receive your authentication credentials during sign-in. Their privacy policies govern their handling of your data.

3.2 Payment Processing

Stripe processes all subscription payments. We do not store your credit card numbers or payment method details on our servers. Stripe's handling of your payment information is governed by the Stripe Privacy Policy.

3.3 Cloud Infrastructure

Your documents and data are stored on Microsoft Azure infrastructure located in the United States. Azure provides enterprise-grade physical and network security for all stored data.

3.4 AI Processing

Document extraction and AI analysis features use third-party AI services. Documents are processed in real-time and are not retained by AI service providers beyond the processing session.

4. Data Sharing and Disclosure

We may share your information only in the following circumstances:

With Your Consent: When you explicitly authorize sharing.
Workspace Members: Documents and data within a workspace are accessible to other members of that workspace based on their assigned roles and permissions.
Service Providers: With third-party vendors who assist in operating the Service, bound by contractual obligations to protect your data.
Legal Requirements: When required by law, subpoena, court order, or government regulation applicable in the United States or Canada.
Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users.
Safety: To protect the rights, property, or safety of Doc Custodian, our users, or the public.

5. Cookies and Tracking

We use the following types of cookies:

Essential Cookies: Required for authentication and core functionality (session tokens, CSRF protection). These cannot be disabled.
Preference Cookies: Store your settings such as theme preference (light/dark mode).

We do not use third-party advertising cookies or cross-site tracking technologies.

6. Data Retention

Active Accounts: We retain your data for as long as your account is active and your subscription is in good standing.
After Cancellation: Following subscription cancellation, we retain your data for 90 days to allow for reactivation or data export, after which it is permanently deleted.
After Account Deletion: Upon request for account deletion, we will remove your personal information and User Content within 30 days, except where retention is required by law.
Logs and Analytics: Usage logs are retained for up to 12 months for security and operational purposes.

7. Your Rights

7.1 All Users

You have the right to:

Access your personal information and User Content
Correct inaccurate information
Export your data in a portable format
Delete your account and associated data
Opt out of non-essential communications

7.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and its amendments:

Right to know what personal information we collect, use, and disclose
Right to delete your personal information
Right to opt out of the sale or sharing of personal information (we do not sell your information)
Right to non-discrimination for exercising your privacy rights
Right to correct inaccurate personal information
Right to limit the use of sensitive personal information

7.3 Canadian Residents (PIPEDA)

If you are a Canadian resident, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation provide you with rights including:

Right to access your personal information held by us
Right to challenge the accuracy and completeness of your information and have it amended
Right to withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions
Right to file a complaint with the Office of the Privacy Commissioner of Canada

8. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 16, we will delete it promptly. If you believe a child has provided us with personal information, please contact us.

9. International Data Transfers

Your data is stored and processed in the United States on Microsoft Azure infrastructure. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to this transfer.

10. Security

We implement appropriate technical and organizational measures to protect your information. For details, please see our Security Policy. While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

12. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or need to file a complaint, please contact us at:

Email: customerservice@doccustodian.com
Website: doccustodian.com

For Canadian residents, you may also contact the Office of the Privacy Commissioner of Canada. For California residents, you may contact the California Attorney General's Office.