Privacy Policy

Last updated: November 22, 2025

At Docuscry, we take your privacy seriously. This policy explains what data we collect, how we use it, and your rights regarding your personal information.

1. Information We Collect

1.1 Account Information

When you create a Docuscry account, we collect:

  • Email address (required for account creation and login)
  • Display name (optional)
  • Password (encrypted and never stored in plain text)
  • Workspace name and settings

1.2 Content You Upload

When you use Docuscry, we process and store:

  • Documents you upload (PDFs, Word docs, text files, etc.)
  • Document metadata (file names, upload dates, file sizes)
  • Search queries and chat messages within the application
  • Vector embeddings generated from your documents (used for semantic search)

1.3 Usage Data

We automatically collect certain information when you use Docuscry:

  • Search queries and usage patterns (for analytics and improvement)
  • Browser type and version
  • IP address and approximate location (country/region)
  • Device information (operating system, screen resolution)
  • Pages visited and features used
  • Time and date of visits

1.4 Billing Information

Payment processing is handled by Stripe. We do not store your full credit card information. We receive and store only:

  • Last 4 digits of your card
  • Card brand (Visa, Mastercard, etc.)
  • Billing email address
  • Billing history and invoices

2. How We Use Your Information

We use your information to:

  • Provide the Service: Process your documents, generate search results, and deliver AI-powered answers
  • Improve the Service: Analyze usage patterns to enhance search quality, performance, and user experience
  • Communicate with You: Send important updates, security alerts, and respond to support requests
  • Billing and Payments: Process payments and send invoices
  • Security: Detect and prevent fraud, abuse, and unauthorized access
  • Legal Compliance: Comply with legal obligations and enforce our Terms of Service

3. AI and Third-Party Services

3.1 OpenAI API

We use OpenAI's API for generating embeddings (semantic search) and AI chat responses. Important points about OpenAI usage:

  • Zero-retention policy: We use OpenAI's API with zero data retention. Your data is not used to train OpenAI models.
  • No cross-workspace contamination: Your documents and queries are isolated to your workspace only.
  • Temporary processing: Document content is sent to OpenAI only for embedding generation, then immediately discarded.

3.2 Supabase (Database and Hosting)

Your data is stored in Supabase (PostgreSQL on AWS infrastructure):

  • Data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Primary region: US East (Virginia) - EU/UK regions coming Q2 2025
  • SOC 2 Type II compliant infrastructure
  • Daily automated backups with 30-day retention

3.3 Vector Storage (pgvector)

Vector embeddings are stored in Supabase using pgvector for semantic search:

  • Embeddings are isolated per workspace using Row Level Security (RLS)
  • Data encrypted in transit and at rest (same as all Supabase data)
  • SOC 2 Type II compliant infrastructure
  • Embeddings cannot be reverse-engineered to reconstruct original text

3.4 Analytics

We use analytics to understand how users interact with Docuscry:

  • Google Analytics via Google Tag Manager for usage analytics
  • Analytics only runs after you grant consent via our cookie banner
  • You can reject analytics tracking when prompted, or clear your browser cookies to reset your preference

3.5 Email Service

We use Resend for transactional emails (account verification, password resets, important updates). We do not send marketing emails without your explicit consent.

4. Data Storage and Security

We implement industry-standard security measures:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Workspace Isolation: Row Level Security (RLS) ensures your data is isolated from other workspaces
  • Access Control: Role-based permissions (Owner, Admin, Member) control who can access what
  • Monitoring: 24/7 security monitoring and incident response
  • Backups: Daily automated backups stored in separate regions

For more details, see our Security page.

5. Data Retention

We retain your data as follows:

  • Active accounts: Data is retained as long as your account is active
  • Deleted accounts: Account data is deleted within 30 days of account deletion
  • Backups: Backup copies are retained for 30 days, then permanently deleted
  • Billing records: Retained for 7 years for tax and legal compliance
  • Usage logs: Aggregated analytics data retained indefinitely (anonymized)

6. Your Rights (GDPR & CCPA)

You have the following rights regarding your personal data:

  • Access: Request a copy of all personal data we hold about you
  • Rectification: Correct any inaccurate or incomplete data
  • Deletion: Request deletion of your account and all associated data
  • Portability: Export your data in a machine-readable format (JSON)
  • Restriction: Restrict processing of your data in certain circumstances
  • Objection: Object to processing of your data for specific purposes
  • Withdraw Consent: Withdraw consent for data processing at any time

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

7. Cookies and Tracking

We use minimal cookies for essential functionality:

  • Authentication cookie: Keeps you logged in (required)
  • Session cookie: Manages your session state (required)
  • Analytics cookies: Track usage patterns (optional, can be disabled)

We do not use third-party advertising cookies or trackers.

8. Data Sharing and Disclosure

We do not sell or rent your personal data. We may share data only in these limited circumstances:

  • Service Providers: Third parties that help us operate (Supabase, OpenAI, Stripe, Resend) - under strict data processing agreements
  • Legal Obligations: When required by law, court order, or government request
  • Business Transfer: In the event of a merger, acquisition, or sale of assets (with notice to users)
  • Security and Fraud: To protect against fraud, abuse, or security threats

9. International Data Transfers

Your data is primarily stored in the United States (AWS US East region). If you are located outside the US, your data may be transferred to and processed in the US. We use Standard Contractual Clauses (SCCs) approved by the European Commission for international transfers.

Coming Q2 2025: EU and UK data residency options for customers who require data to remain in specific regions.

10. Children's Privacy

Docuscry is not intended for children under 13. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at [email protected].

11. Changes to This Policy

We may update this privacy policy from time to time. When we make significant changes, we will notify you via email and update the "Last updated" date at the top of this page. Continued use of Docuscry after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this privacy policy or your personal data, contact us:

We will respond to privacy inquiries within 30 days.

Data Protection Officer

For EU/UK residents, our Data Protection Officer can be reached at [email protected].

Supervisory Authority

If you are located in the EU or UK, you have the right to lodge a complaint with your local data protection authority if you believe we have not handled your personal data properly.
