1. Introduction
DocuLume ("we", "us", or "our") is committed to protecting your personal data and your right to privacy. This Privacy Policy explains what information we collect, how we use it, with whom we share it, and what rights you have in relation to it.
This policy applies to all users of the DocuLume platform and website. Please read it carefully.
2. Data We Collect
We collect the following categories of personal data:
- Account Data: Name, email address, username, company name, profile picture, and password hash (encrypted).
- Authentication & Security Data: Login timestamps, IP addresses, browser user-agent strings, and Terms & Conditions acceptance records (for legal audit purposes).
- Usage Data: Pages accessed, features used, search queries within the platform, session duration, and error logs.
- Document Content: Documents, contracts, and other files you upload to the Service. This content is processed solely to provide the Service to you.
- Communication Data: Any information you include in support requests, feedback forms, or other communications with us.
- Payment & Billing Data: Where applicable, payment information is processed by our third-party payment processor and is not stored directly by DocuLume.
3. How We Use Your Data
We use your personal data for the following purposes:
- To create and manage your account and provide access to the Service.
- To process and analyse documents you upload as requested by you.
- To ensure platform security, detect fraud, and prevent abuse.
- To record evidence of your acceptance of our Terms & Conditions.
- To send essential transactional communications (e.g. password resets, security alerts).
- To improve and develop our products and features (using aggregated or anonymised data).
- To comply with legal obligations.
We do not sell your personal data to third parties. We do not use your content (documents you upload) to train AI models without your explicit consent.
4. Legal Bases for Processing (GDPR)
Where the General Data Protection Regulation (GDPR) applies, we process your personal data on the following legal bases:
- Contract: Processing necessary to provide the Service you have subscribed to.
- Legal Obligation: Processing required to comply with applicable law.
- Legitimate Interests: Security monitoring, fraud prevention, and product improvement, where these do not override your rights.
- Consent: Where we rely on consent (e.g. optional marketing communications), you may withdraw consent at any time.
5. Data Sharing
We may share your data with the following categories of third parties only as necessary to provide the Service:
- Cloud Infrastructure Providers (e.g. Microsoft Azure) for hosting and storage.
- AI / LLM Service Providers for document analysis features. Any such providers are contractually required to process data only for the purpose of providing the requested AI service and not to retain or train on your data.
- Authentication Providers where SAML/SSO is configured by your organisation.
- Legal & Compliance: Where we are required to do so by law, court order, or regulatory authority.
Sub-processor Transparency: A current list of our third-party sub-processors is available upon request. We will provide commercial account owners with reasonable notice before authorizing any new sub-processor to process personal data, granting you the opportunity to object to such changes. All sub-processors are bound by data processing agreements and are required to maintain appropriate security measures.
6. Data Retention
We retain your personal data for as long as your account is active or as necessary to provide the Service. Login history and consent records may be retained for legal and audit purposes. When you delete your account, we will delete or anonymise your personal data within 90 days, except where retention is required by law.
Trial account data may be deleted 30 days after the trial period ends without further notice.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate data.
- Erasure ("Right to be Forgotten"): Request deletion of your data, subject to legal retention requirements.
- Restriction: Request that we restrict processing of your data.
- Data Portability: Request a machine-readable export of your data.
- Objection: Object to processing based on legitimate interests.
- Withdraw Consent: Where consent is the legal basis, withdraw it at any time without affecting prior processing.
To exercise your rights, please use the in-platform Settings pages or contact us via the Help section. We will respond within 30 days (or as required by applicable law).
8. Cookies & Tracking
DocuLume uses strictly necessary cookies and session tokens (including an HttpOnly refresh token cookie) solely to authenticate users and maintain session security. We do not use advertising or third-party tracking cookies.
9. International Data Transfers
Your data may be processed in countries outside your own. Where transfers occur outside the European Economic Area (EEA), we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms.
10. Security
We implement industry-standard technical and organisational security measures including encryption in transit (TLS), encryption at rest, access controls, audit logging, and regular security assessments. Despite our efforts, no system is completely immune to security risks. We recommend using strong, unique passwords and enabling any available multi-factor authentication.
We maintain comprehensive incident response policies. In the event of a verified security breach that results in the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of your personal data or Document Content, we will notify you without undue delay. Notifications will include the nature of the breach, the likely consequences, and the measures we are taking to mitigate any adverse effects, in accordance with applicable legal and regulatory requirements.
11. Children's Privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the version number and effective date above, and by prompting you to review and accept the updated terms on your next login.
13. Contact & Data Protection Officer
If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us via the in-platform Help section or through the contact information on our website.
If you are located in the EU/EEA and believe your data protection rights have been infringed, you have the right to lodge a complaint with your local data protection supervisory authority.