Privacy Policy

Last Updated: 25 October 2025

1. Introduction

DocAnalyzer ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our contract analysis platform at docanalyzer.co.uk (the "Service").

We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Service.

2. Information We Collect

2.1 Personal Information You Provide

We collect information that you provide directly to us:

  • Account Information: Name, email address, and password when you create an account
  • Payment Information: Billing address and payment details (processed securely by Stripe)
  • Profile Information: Optional profile details and team information
  • Communications: Messages sent through our support chat or email

2.2 Documents and Content

When you use our Service, we collect:

  • Uploaded Documents: PDF files and images you upload for analysis
  • Document Content: Text extracted from your documents for AI analysis
  • Analysis Results: AI-generated insights, clause extractions, and risk assessments
  • Pasted Text: Text you paste directly for analysis

2.3 Usage Information

We automatically collect information about how you use our Service:

  • Usage Data: Pages analyzed, features used, token consumption
  • Device Information: Browser type, operating system, device identifiers
  • Log Data: IP address, access times, pages viewed, referring URLs
  • Analytics: Website usage statistics (via Plausible Analytics)

2.4 Cookies and Tracking Technologies

We use the following types of cookies:

  • Essential Cookies: Required for authentication and security
  • Analytics Cookies: Privacy-focused analytics (Plausible - GDPR compliant, no personal data)
  • Chat Support Cookies: Support chat functionality (Crisp)

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Provision

  • Process and analyze your documents using AI
  • Provide contract insights, clause extraction, and risk assessments
  • Enable document comparison and export features
  • Facilitate team collaboration and document sharing

3.2 Account Management

  • Create and manage your account
  • Process subscription payments and credit purchases
  • Track token usage and billing
  • Send account-related notifications

3.3 Improvement and Analytics

  • Improve our AI models and analysis accuracy
  • Analyze usage patterns to enhance features
  • Monitor system performance and errors
  • Conduct research and development

3.4 Communication

  • Respond to your support requests
  • Send important service updates
  • Provide customer support via live chat

3.5 Legal Basis (UK GDPR)

We process your personal data under the following legal bases:

  • Contract Performance: Processing necessary to provide the Service
  • Legitimate Interests: Improving our Service, fraud prevention, security
  • Consent: Marketing communications (where applicable)
  • Legal Obligation: Compliance with tax and accounting requirements

4. How We Share Your Information

We share your information only in the following circumstances:

4.1 Service Providers

We use trusted third-party services to operate our platform:

  • Anthropic (Claude AI): AI-powered document analysis (US-based)
  • Google Cloud Vision: OCR text extraction from scanned documents (US-based)
  • Cloudflare R2: Secure document storage (EU region)
  • Stripe: Payment processing (EU-based operations)
  • Clerk: Authentication and user management (US-based)
  • Vercel: Application hosting (EU region)
  • Neon Database: Secure database storage (EU region)
  • Inngest: Background job processing (US-based)
  • Crisp: Customer support chat (EU-based)
  • Plausible Analytics: Privacy-focused analytics (EU-based)
  • Sentry: Error monitoring (US-based)

All service providers are contractually required to protect your data and use it only for the purposes we specify.

4.2 Team Members

If you are part of a team, your uploaded documents and analyses may be visible to other team members with appropriate permissions.

4.3 Legal Requirements

We may disclose your information if required by law or to:

  • Comply with legal obligations or court orders
  • Protect our rights, property, or safety
  • Investigate fraud or security issues
  • Respond to government requests

4.4 Business Transfers

If DocAnalyzer is involved in a merger, acquisition, or sale of assets, your information may be transferred to the new owner.

5. International Data Transfers

Some of our service providers are based in the United States or other countries outside the UK/EU. When we transfer your personal data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner
  • Data Processing Agreements with all US-based providers
  • EU/UK adequacy decisions (where applicable)

Your documents are primarily stored in EU data centers (Cloudflare R2, Neon Database) with temporary processing in US-based AI services.

6. Data Retention

We retain your information for as long as necessary to provide the Service:

  • Active Accounts: Data retained while your account is active
  • Deleted Accounts: Data deleted within 30 days of account deletion
  • Uploaded Documents: Retained until you delete them or close your account
  • Billing Records: Retained for 7 years for tax compliance (UK law)
  • Analytics Data: Aggregated and anonymized data retained indefinitely
  • Backups: Deleted data may persist in backups for up to 30 days

7. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption: TLS 1.3 encryption for data in transit, AES-256 encryption at rest
  • Authentication: Secure authentication via Clerk (OAuth 2.0)
  • Access Control: Role-based access controls (ADMIN/MEMBER)
  • Monitoring: 24/7 security monitoring via Sentry
  • Regular Audits: Security reviews and vulnerability scanning
  • Data Isolation: Team data is isolated and cannot be accessed by other teams

However, no system is 100% secure. Please use a strong password and enable two-factor authentication for additional protection.

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

8.1 Right of Access

You can request a copy of all personal data we hold about you. Go to Settings → Account → Export Data to download your data.

8.2 Right to Rectification

You can update your account information at any time in Settings → Account.

8.3 Right to Erasure ("Right to be Forgotten")

You can delete your account and all associated data at Settings → Account → Delete Account. All data will be permanently deleted within 30 days.

8.4 Right to Restriction of Processing

You can request that we temporarily stop processing your data by contacting support.

8.5 Right to Data Portability

You can export your data in machine-readable format (JSON) via Settings → Account → Export Data.

8.6 Right to Object

You can object to processing based on legitimate interests by contacting us.

8.7 Right to Lodge a Complaint

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk

9. Children's Privacy

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the updated policy on this page
  • Updating the "Last Updated" date
  • Sending you an email notification (for material changes)

Your continued use of the Service after changes are posted constitutes acceptance of the updated Privacy Policy.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your GDPR rights, please contact us:

DocAnalyzer

Email: privacy@docanalyzer.co.uk

Support: Live chat at docanalyzer.co.uk (bottom right)

Response Time: We aim to respond within 48 hours

12. Privacy in Plain English

What we collect:

  • Your email, name, and payment info
  • Documents you upload for analysis
  • How you use our service (pages analyzed, features used)

What we do with it:

  • Analyze your contracts using AI
  • Process payments and track usage
  • Improve our service

What we don't do:

  • Sell your data to third parties
  • Share your documents with anyone (except your team)
  • Use your documents to train public AI models
  • Send marketing emails without consent

Your control:

  • Export all your data anytime
  • Delete your account and all data
  • Contact us with any privacy concerns

This Privacy Policy is effective as of 25 October 2025. For questions, contact privacy@docanalyzer.co.uk.