Privacy Policy
Last Updated: March 19, 2026
This Privacy Policy explains how DocuProof d/b/a DocuProof (“DocuProof,” “we,” “us,” or “our”) collects, uses, discloses, stores, transfers, and otherwise processes personal information when you use our websites, applications, portals, APIs, integrations, verification tools, and related services (collectively, the “Services”).
This Privacy Policy is intended to be read together with our Terms of Service and any applicable order form, data processing addendum, or enterprise agreement.
By using the Services, you acknowledge that you have read this Privacy Policy.
1. Scope
This Privacy Policy applies to personal information we process when you:
visit our websites or portals;
create or use an account;
upload, send, forward, import, connect, verify, or manage files, communications, or metadata through the Services;
contact us for support, sales, or other inquiries;
receive communications from us; or
interact with our integrations, APIs, cookies, analytics, and security tools.
This Privacy Policy does not govern third-party websites, platforms, apps, cloud-storage providers, email services, messaging systems, or other services that may integrate with DocuProof. Those third parties have their own privacy policies and practices.
2. Roles of the Parties
Depending on the context, DocuProof may act as:
a controller or similar business operator for personal information we collect directly for our own business purposes, such as account administration, billing, security, support, analytics, and marketing; and/or
a processor, service provider, or similar role when we process personal information on behalf of a customer in connection with the customer’s use of the Services.
If you are an end user whose data was submitted to DocuProof by one of our customers, that customer may be the party primarily responsible for your data and for responding to certain rights requests. In those cases, we may direct your request to the relevant customer or assist them in responding.
3. Categories of Personal Information We Collect
Depending on how you use the Services, we may collect the following categories of personal information:
A. Account and profile information
name
email address
phone number
organization name
job title
login credentials or authentication identifiers
account preferences and settings
B. Verification and content-related information
documents, files, photos, screenshots, and uploads
emails, messages, attachments, and related metadata
sender and recipient details
timestamps, file names, hashes, device or source metadata
audit events, evidence records, certificates, and verification outputs
comments, notes, labels, folders, and workflow actions
C. Technical and device information
IP address
browser type
operating system
device identifiers
log files
crash data
session activity
approximate location derived from IP
API usage information
D. Billing and transaction information
billing name and address
subscription details
plan type
payment-related metadata
invoices
transaction history
We generally use payment processors for card handling and do not store full payment card numbers ourselves unless explicitly stated.
E. Communications and support information
support requests
emails and chat messages sent to us
call notes
feedback
survey responses
sales communications
F. Marketing and website usage information
page views
referral URLs
cookie or similar identifier data
campaign performance metrics
email engagement data, where permitted
G. Sensitive information
Because our platform may be used to handle evidentiary, legal, claims, or other sensitive materials, users may choose to submit information that is considered sensitive under certain laws. We do not ask users to submit sensitive personal information unless needed for the Services, and users are responsible for ensuring they have lawful authority to submit it.
4. Sources of Personal Information
We collect personal information:
directly from you;
from your employer, firm, or organization;
from users acting on behalf of an organization;
from files, messages, or records uploaded, forwarded, or connected to the Services;
from third-party integrations such as cloud-storage, email, identity, telephony, messaging, or timestamping providers;
from cookies, logs, analytics, and security tools; and
from public or commercially available sources where permitted by law.
5. Purposes of Processing
We may collect and use personal information for the following purposes:
to provide, operate, maintain, and improve the Services;
to authenticate users and manage accounts;
to capture, ingest, process, hash, timestamp, index, verify, and organize data and records;
to generate audit logs, certificates, verification records, and related outputs;
to provide customer support and respond to requests;
to process billing, payments, renewals, and account administration;
to monitor security, detect fraud, prevent abuse, and protect the integrity of the Services;
to troubleshoot, debug, analyze performance, and improve reliability;
to communicate with you about updates, service notices, invoices, security alerts, and support matters;
to send marketing communications where permitted by law;
to comply with legal obligations and lawful requests;
to establish, exercise, or defend legal claims; and
to train, improve, or quality-check internal systems where legally permitted and contractually allowed.
6. Legal Bases for Processing
Where GDPR or similar laws apply, we rely on one or more of the following legal bases:
performance of a contract, such as providing the Services you request;
legitimate interests, such as operating, securing, improving, and administering the Services, provided those interests are not overridden by your rights;
consent, where required or where we specifically ask for it;
legal obligation, where processing is necessary to comply with law; and
legal claims or vital/public interest grounds, where applicable under law.
Under PIPEDA, organizations are generally expected to identify purposes and obtain meaningful consent, subject to limited exceptions, while also maintaining openness about their privacy practices.
7. Cookies and Similar Technologies
We may use cookies, pixels, SDKs, local storage, and similar technologies to:
keep you signed in;
remember settings and preferences;
analyze traffic and usage;
improve performance and security;
measure campaign effectiveness; and
support certain product features.
You can usually control cookies through your browser settings. Some features may not function properly if cookies are disabled.
Where required by law, we will request consent for non-essential cookies or similar technologies.
8. How We Disclose Personal Information
We may disclose personal information to:
affiliates and related entities;
hosting, infrastructure, storage, analytics, security, and support vendors;
payment processors;
identity, email, messaging, telephony, cloud-storage, and integration providers;
professional advisers such as auditors, lawyers, insurers, and consultants;
corporate transaction counterparties in connection with a merger, financing, restructuring, sale, or acquisition;
law enforcement, regulators, courts, or government authorities where required or permitted by law; and
others at your direction or with your consent.
We do not sell personal information for money.
We also do not share personal information for cross-context behavioral advertising unless we specifically say so and provide any required rights or opt-outs.
9. International and Cross-Border Transfers
DocuProof may process and store personal information in Canada, the United States, the European Economic Area, and other jurisdictions where we or our service providers operate.
If personal information is transferred outside the EEA, UK, or Switzerland, we will use an appropriate transfer mechanism where required by law, such as contractual safeguards or another lawful transfer basis. GDPR transparency rules require organizations to inform individuals about international transfers and related safeguards.
You understand that privacy laws in other jurisdictions may differ from those in your home jurisdiction.
10. Retention
We retain personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to:
provide the Services;
maintain verification records, logs, and security records;
comply with legal, tax, accounting, and regulatory obligations;
resolve disputes; and
enforce our agreements.
Retention periods may vary by account type, plan, contractual requirements, legal obligations, and the nature of the data. Under PIPEDA’s fair information principles, personal information should be retained only as long as needed for the identified purposes, unless otherwise required by law.
Where appropriate, we may delete, de-identify, anonymize, or aggregate information.
11. Data Security
We use reasonable administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, loss, misuse, alteration, and disclosure. However, no system can be guaranteed to be completely secure.
You are responsible for maintaining the security of your account credentials, devices, networks, and any third-party systems you connect to the Services.
12. Your Privacy Rights
Depending on your location and applicable law, you may have the right to:
know whether we process your personal information;
access personal information we hold about you;
request correction of inaccurate information;
request deletion of personal information;
object to or restrict certain processing;
withdraw consent where processing is based on consent;
request portability of certain data;
opt out of certain disclosures, sales, sharing, profiling, or targeted advertising, where applicable; and
lodge a complaint with a supervisory or regulatory authority.
The GDPR gives individuals rights over their personal data, and California law gives covered consumers rights including the right to know, delete, opt out of sale or sharing, and non-discrimination for exercising those rights.
To exercise rights, contact us using the details below. We may need to verify your identity before responding. Where we process information on behalf of a customer, we may refer your request to that customer.
We will not unlawfully discriminate against you for exercising applicable privacy rights.
13. Canada Privacy Rights
If PIPEDA or a substantially similar Canadian private-sector privacy law applies, you may request access to your personal information and request corrections where appropriate. PIPEDA’s openness and access principles require organizations to make privacy practices understandable and available, and to explain how individuals can request access.
If you are dissatisfied with our response, you may have the right to complain to the Office of the Privacy Commissioner of Canada or another applicable regulator.
14. EEA, UK, and Switzerland Privacy Rights
If you are located in the EEA, UK, or Switzerland, you may have rights under applicable data protection law, including the rights of access, rectification, erasure, restriction, objection, and portability, subject to legal exceptions.
You may also have the right to lodge a complaint with your local data protection authority.
15. U.S. State Privacy Notice
Residents of certain U.S. states may have additional rights under applicable privacy laws. Depending on the state and the law, these may include rights to access, correct, delete, obtain a copy of data, and opt out of targeted advertising, sale, certain profiling, or some sensitive-data uses.
Because U.S. state privacy laws continue to expand and differ by state, we may provide state-specific supplements or additional disclosures where required.
16. California Privacy Notice
This section applies to California residents to the extent the California Consumer Privacy Act, as amended, applies.
Categories of personal information collected
In the past 12 months, we may have collected the categories listed in Section 3 above, including identifiers, commercial information, internet or network activity, professional information, communications content, and other information that may relate to a person or household, depending on use of the Services.
Purposes
We collect and use personal information for the purposes described in Sections 5 through 8.
Disclosures
We may disclose the categories of personal information listed above to the categories of recipients described in Section 8 for business purposes.
Sales and sharing
We do not sell personal information for money. We do not knowingly share personal information for cross-context behavioral advertising unless specifically disclosed.
California rights
Subject to applicable exceptions, California residents may have the right to:
know what personal information we collect, use, disclose, sell, or share;
request deletion;
request correction;
opt out of sale or sharing;
limit certain uses of sensitive personal information where applicable; and
be free from discrimination for exercising these rights.
California’s official guidance states that consumers have rights to know, delete, opt out of sale or sharing, and non-discrimination.
To exercise California rights, contact us using the contact details below.
17. Children’s Privacy
The Services are not directed to children, and we do not knowingly collect personal information directly from children in violation of applicable law. If you believe a child has provided personal information unlawfully, contact us so we can investigate and take appropriate action.
18. Automated Decision-Making and AI Features
If we offer AI-assisted analysis, classification, extraction, anomaly detection, summarization, or similar features, those features may involve automated processing of content and related data.
Unless expressly stated otherwise, such features are intended to assist users and should not be treated as the sole basis for legal, insurance, employment, regulatory, or similarly significant decisions without human review.
Where required by law, we will provide additional notice or rights related to automated processing.
19. Do Not Track and Global Privacy Control
Some browsers offer “Do Not Track” signals, but there is not a uniform standard for responding to them.
Where required by applicable law, we will honor legally recognized opt-out preference signals, such as the Global Privacy Control, for relevant data practices. California guidance notes that consumers may opt out of sale or sharing, including via GPC.
20. Breach Notification
If we become aware of a breach affecting personal information, we will investigate and provide notices as required by applicable law, taking into account the nature of the incident, our legal obligations, and the jurisdictions involved. All U.S. states have breach notification laws, and Canada also imposes breach-related obligations in applicable cases.
21. Third-Party Services
Our Services may link to or integrate with third-party services. We are not responsible for the privacy, security, or data-handling practices of those third parties. You should review their privacy policies separately.
22. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will post the updated version and revise the “Last Updated” date. Where required by law, we will provide additional notice or obtain consent.
California’s guidance recommends that privacy policies be updated at least annually.
23. Contact Us
If you have questions or would like to exercise privacy rights, contact:
Docical / DocuProof
Brampton, Ontario
info@docuproof.app
24. EU / UK Representative and Data Protection Officer
If required by applicable law, we will identify our Data Protection Officer and/or EU or UK representative here:
Data Protection Officer: info@docuproof.app
