Privacy Policy

LAST UPDATED: 22 FEB 2026
EFFECTIVE: 22 FEB 2026

This policy explains what personal data DocFlo collects, how we use it, and your rights under the GDPR, UK GDPR, and CCPA. We collect the minimum data required to operate the service.

01. Who We Are & How to Contact Us

DocFlo (“we”, “our”, “us”) operates docflo.app and provides browser-based PDF processing tools. For GDPR purposes, DocFlo is the data controller. We do not currently have a formal DPO — all privacy enquiries are handled directly by our team.

SERVICE: DocFlo
WEBSITE: https://docflo.app
PRIVACY: privacy@docflo.app
SUPPORT: hello@docflo.app

We acknowledge requests within 72 hours and respond fully within 30 calendar days.

02. Data We Collect

ACCOUNT DATA — REGISTERED USERS ONLY

  • Email address — required to identify your account
  • Display name — optional, from Google OAuth if used
  • Profile photo URL — optional, from Google OAuth
  • Hashed password (never stored in plaintext)
  • Account creation date and last sign-in timestamp
  • Stripe customer ID (a reference token, not card data)
  • Subscription plan, status, and renewal date

USAGE DATA — ALL USERS

  • Anonymous session ID (random UUID in a cookie) for rate-limit enforcement only
  • Type of PDF operation performed — not the file contents
  • Page count and approximate file size per operation
  • Timestamp of each operation
  • HTTP metadata: truncated IP, browser user-agent, referring page

IPs are truncated to /24 (IPv4) or /48 (IPv6) before storage — individual devices cannot be identified.
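As an added illustration of the /24 and /48 truncation described above (example code written for this page, not DocFlo's own implementation; the record layout and sample addresses are constructed), the function below reduces a client address to its stored prefix before the log record is written, and handles two inputs a real request log sees: IPv4-mapped IPv6 addresses from dual-stack servers, and unparseable header values.

```python
import ipaddress
from typing import Optional

def truncate_ip(raw: str) -> Optional[str]:
    """Reduce a client address to the prefix kept in storage: /24 for IPv4, /48 for IPv6.

    Returns None for unparseable input so a bad header value is dropped rather
    than stored verbatim. IPv4-mapped IPv6 addresses (::ffff:a.b.c.d), which
    dual-stack servers commonly report, are unwrapped and treated as IPv4.
    """
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = 24 if addr.version == 4 else 48
    # strict=False accepts non-zero host bits; only the network address survives.
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net)

def minimise_request_log(raw_records: list) -> list:
    """Truncate every record before it is written, keeping only the fields the
    policy lists: truncated IP, user-agent, referring page and timestamp."""
    kept = []
    for rec in raw_records:
        kept.append({
            "ip_prefix": truncate_ip(rec["ip"]),
            "user_agent": rec["user_agent"],
            "referrer": rec.get("referrer"),
            "ts": rec["ts"],
        })
    return kept

# Constructed sample records using documentation address ranges, not real clients.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.57", "user_agent": "Mozilla/5.0", "referrer": None, "ts": "2026-02-22T10:00:00Z"},
    {"ip": "2001:db8:abcd:1234::1", "user_agent": "curl/8.0", "referrer": "https://example.org", "ts": "2026-02-22T10:00:01Z"},
    {"ip": "::ffff:203.0.113.57", "user_agent": "Mozilla/5.0", "referrer": None, "ts": "2026-02-22T10:00:02Z"},
    {"ip": "not-an-address", "user_agent": "x", "referrer": None, "ts": "2026-02-22T10:00:03Z"},
]

if __name__ == "__main__":
    for row in minimise_request_log(SAMPLE_RECORDS):
        print(row)
```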

WE DO NOT COLLECT

  • Special category data (health, race, religion, biometrics)
  • Social media profile data beyond OAuth basics
  • Advertising or behavioural analytics data
  • Any data we sell, rent, or trade

03. Lawful Basis for Processing (GDPR Art. 6)

Every processing activity requires a lawful basis under the GDPR. The table below sets out our basis for each activity.

PROCESSING ACTIVITY                  | DATA INVOLVED                          | LAWFUL BASIS
-------------------------------------|----------------------------------------|--------------------------------------
Account creation & authentication    | Email, name, hashed password           | Contract — Art. 6(1)(b)
Payment processing & billing         | Stripe customer ID, subscription data  | Contract — Art. 6(1)(b)
Rate-limit enforcement (anonymous)   | Anonymous ID, operation counts         | Legitimate interests — Art. 6(1)(f)
Service security & fraud prevention  | Truncated IP, user-agent, timestamps   | Legitimate interests — Art. 6(1)(f)
Transactional emails                 | Email address                          | Contract — Art. 6(1)(b)
Legal & financial record keeping     | Payment records, invoices              | Legal obligation — Art. 6(1)(c)
Support correspondence               | Email content                          | Legitimate interests — Art. 6(1)(f)

Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA). You may request a copy at privacy@docflo.app.

04. How We Use Your Data

  1. Create and manage your account, including authentication and session management
  2. Deliver the PDF processing operations you request
  3. Process subscription payments and issue invoices via Stripe
  4. Enforce per-user and per-IP operation quotas and prevent abuse
  5. Send service-critical transactional emails: password reset, subscription confirmations, receipts
  6. Investigate and respond to security incidents, fraud, or Terms of Service violations
  7. Comply with applicable laws and respond to valid legal requests
  8. Maintain accurate financial and business records as required by law

We do not use your data for:

Advertising, behavioural profiling, selling to third parties, training ML models, or any purpose not listed above. We do not send marketing emails.

05. Your Files — What We Do and Don’t Do

TRANSMISSION

Files are uploaded over HTTPS/TLS 1.3.

PROCESSING

Files are held in memory or a temporary server path only for the duration of the operation (typically seconds).

DELETION

Files are deleted from our servers immediately after the processed output is returned to you.

NO PERMANENT STORAGE

We do not write files to any persistent database or long-term object storage.

NO INSPECTION

We do not read, index, scan, or analyse file contents beyond executing the requested operation.

NO SHARING

Your files are never shared with third parties, used for ML training, or disclosed to any other user.

06. Sub-Processors & Third-Party Services

We share personal data only with the following sub-processors, each bound by DPAs and appropriate safeguards. We use no advertising networks, analytics platforms, or data brokers.

Stripe, Inc. (Policy →)
  PURPOSE: Payment processing, subscription management, invoice generation
  DATA SHARED: Email address, Stripe customer ID, subscription metadata
  LOCATION: United States (EU-US Data Privacy Framework)
  SAFEGUARDS: PCI-DSS Level 1, GDPR DPA, EU Standard Contractual Clauses

Supabase, Inc. (Policy →)
  PURPOSE: Storing user account data, session records, operation logs
  DATA SHARED: Email, name, hashed password, subscription status, operation metadata
  LOCATION: EU region (Frankfurt, Germany — AWS eu-central-1)
  SAFEGUARDS: GDPR-compliant DPA, data stored within the EU

DigitalOcean, LLC (Policy →)
  PURPOSE: Temporary file buffer during active PDF processing only
  DATA SHARED: Uploaded PDF files (held transiently, minutes maximum)
  LOCATION: EU region (Amsterdam, Netherlands)
  SAFEGUARDS: GDPR-compliant DPA, files deleted immediately after each job

Vercel, Inc. (Policy →)
  PURPOSE: Serving the web application and API routes
  DATA SHARED: HTTP request metadata (IP, user-agent) in server logs
  LOCATION: Global CDN; primary compute in EU where available
  SAFEGUARDS: GDPR DPA, SOC 2 Type II certified

Google LLC (Policy →)
  PURPOSE: Optional "Sign in with Google" authentication
  DATA SHARED: Basic profile scopes only: email, name, profile photo URL
  LOCATION: United States (EU-US Data Privacy Framework)
  SAFEGUARDS: Optional — email/password sign-in available as alternative

07. International Data Transfers

Our primary infrastructure is in the EU. Some sub-processors (Stripe, Vercel, Google) are US-based. For transfers outside the EU/EEA we rely on:

EU Standard Contractual Clauses (SCCs)

Incorporated into DPAs with US-based sub-processors, providing enforceable data protection obligations under EU law.

EU-US Data Privacy Framework (DPF)

Where sub-processors are DPF-certified (Stripe, Google, Vercel), this provides an EU Commission adequacy decision.

UK IDTAs / UK SCC Addendum

For transfers affecting UK residents, we rely on IDTAs or the UK addendum to SCCs.

08. Cookies & Local Storage

We use strictly necessary cookies only — no advertising, analytics, or tracking cookies. For the full cookie reference table, browser management instructions, and legal basis under the ePrivacy Directive, see our Cookie Policy →

09. Data Retention Schedule

DATA TYPE                                    | RETENTION PERIOD                     | REASON
---------------------------------------------|--------------------------------------|--------------------------------------
Uploaded PDF files                           | Deleted within minutes of processing | No ongoing need after operation
Account data (email, name, password hash)    | Until account deletion + 30 days     | Grace period for recovery
Session tokens                               | 30 days rolling                      | Authentication session management
Rate-limit logs (operation type, timestamp)  | 90 days                              | Rolling quota enforcement window
Truncated IP / user-agent server logs        | 30 days                              | Security incident investigation
Payment records (invoices, Stripe events)    | 7 years                              | Legal obligation — accounting & tax
Support email correspondence                 | 2 years from last contact            | Legitimate interest — follow-up
Subscription / account history               | 7 years from subscription end        | Legal obligation — financial records

Retention periods expire automatically via scheduled cleanup jobs. If you request account deletion before a natural expiry, we delete all data immediately except where legally required to retain it.

10. Your Rights

GDPR RIGHTS — EU / EEA / UK RESIDENTS

ACCESS — Art. 15

Request a copy of all personal data we hold about you.

RECTIFICATION — Art. 16

Correct inaccurate data or complete incomplete data without undue delay.

ERASURE — Art. 17

"Right to be Forgotten" — request deletion where data is no longer necessary, consent is withdrawn, or you object and we have no overriding grounds.

PORTABILITY — Art. 20

Receive your personal data in a structured, machine-readable format (JSON or CSV).

RESTRICTION — Art. 18

Limit processing while you contest accuracy or await objection resolution.

OBJECTION — Art. 21

Object to processing based on legitimate interests. We will stop unless we demonstrate compelling overriding grounds.

SUPERVISORY COMPLAINT

Lodge a complaint with your national DPA (EU: edpb.europa.eu · UK: ico.org.uk). We prefer the chance to address concerns first.

HOW TO EXERCISE YOUR RIGHTS

Email privacy@docflo.app with your account email. We acknowledge within 72 hours, respond fully within 30 days (up to 90 for complex requests). We verify identity before fulfilling requests to prevent unauthorised disclosure.

11. Automated Decision-Making

DocFlo does not use automated decision-making or profiling (as defined in GDPR Art. 22) that produces legal or similarly significant effects on individuals. Rate-limit enforcement uses simple counters — no profiling of characteristics or behaviour.

12. Children’s Privacy

DocFlo is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, email privacy@docflo.app and we will delete it promptly. We apply 16 as our default threshold across all jurisdictions; where a Member State permits a lower age (minimum 13), a parent or guardian should contact us before a child uses the service.

13. Security Measures

ENCRYPTION IN TRANSIT

HTTPS with TLS 1.2 minimum (TLS 1.3 preferred). HTTP redirected to HTTPS.

ENCRYPTION AT REST

Database encrypted at rest by Supabase using AES-256.

PASSWORD STORAGE

bcrypt with cost factor 12. Plaintext passwords never logged or stored.

CSRF PROTECTION

All authenticated mutations require a valid CSRF token (NextAuth).

SECRETS MANAGEMENT

API keys and credentials stored as environment variables, never hard-coded.

ACCESS CONTROL

DB access restricted to least-privilege service accounts. No public internet DB access.

DEPENDENCY MONITORING

Automated vulnerability scanning with prompt updates.

FILE ISOLATION

Uploaded files processed in isolated temporary paths, never accessible to other users.

Found a vulnerability? Report it responsibly to security@docflo.app.

14. Data Breach Notification

In the event of a personal data breach likely to result in risk to your rights and freedoms:

SUPERVISORY AUTHORITY

Notified within 72 hours of becoming aware — GDPR Art. 33.

AFFECTED INDIVIDUALS

Notified without undue delay where breach likely results in high risk — GDPR Art. 34.

NOTIFICATION CONTENT

Nature of breach, data categories affected, likely consequences, and remediation measures taken.

15. California Residents (CCPA / CPRA)

RIGHT TO KNOW

Request disclosure of the categories and specific pieces of personal information we've collected in the past 12 months.

RIGHT TO DELETE

Request deletion of your personal information, subject to certain exceptions.

RIGHT TO CORRECT

Request correction of inaccurate personal information.

RIGHT TO OPT-OUT

We do NOT sell or share your personal information for cross-context behavioural advertising. This right is not applicable to DocFlo.

NON-DISCRIMINATION

We will not discriminate against you for exercising your CCPA rights.

To exercise CCPA rights, email privacy@docflo.app with subject line “CCPA Request”.

16. Changes to This Policy

We may update this policy periodically. For material changes we will update the “Last updated” date, post a notice on the site for 30 days, and — where required by law — notify registered users by email before changes take effect. Your continued use of DocFlo after the effective date constitutes acceptance. Previous versions are available on request from privacy@docflo.app.