Privacy Policy

1. Who We Are

Docuplete, Inc. ("Docuplete", "we", "us", "our") is a document-automation company incorporated in Delaware, USA. We operate the Docuplete platform available at docuplete.com and related subdomains.

For privacy enquiries, contact our Data Protection team at legal@docuplete.com.

2. Information We Collect

2.1 Information you provide to us (Account holders)

Account information: name, email address, organisation name, billing address, and payment details when you create an account or subscribe.
Profile information: job title, phone number, and other details you optionally add to your profile.
Customer Data: PDF templates, field configurations, and any data you upload or configure on the platform.
Communications: emails and other communications you send to us.

2.2 Information collected from end clients (via Interview Sessions)

When your clients complete an Interview Session, Docuplete collects on your behalf:

Form answers entered by the client.
Electronic signature image and typed name (for e-signature packages).
Email address and OTP verification record (for email-authenticated packages).
IP address, user agent, and timestamp for audit-trail purposes.

This data is Customer Data — Docuplete processes it as a data processor on your instruction. See Section 5.

2.3 Automatically collected information

Log data: IP address, browser type, pages visited, referring URL, and timestamps.
Device data: device type, operating system, screen resolution.
Performance data: response times, error rates, and usage metrics (via Sentry).

3. How We Use Information

We use information to:

Provide, operate, and improve the Services.
Process transactions and send billing notices.
Authenticate users and prevent fraud and abuse.
Generate, store, and deliver Output Documents and e-signature audit trails.
Send service communications (account confirmations, security alerts, feature updates).
Send marketing communications (with your consent, where required by law).
Comply with legal obligations, respond to lawful requests, and enforce our Terms.
Conduct aggregate analytics and improve the Services.

Legal bases (GDPR): We process personal data on the bases of: contract performance (providing the Services you subscribed to); legitimate interests (security, fraud prevention, product improvement); compliance with legal obligations; and consent (marketing communications).

We share information only as follows:

Service providers (sub-processors): companies that help us deliver the Services, including cloud hosting (Cloudflare R2), email delivery (Resend), payment processing (Stripe), error tracking (Sentry), authentication (Clerk), and queue infrastructure (Redis via Upstash). Each sub-processor is bound by data processing agreements requiring appropriate safeguards. A full sub-processor list is available on request or at docuplete.com/legal/dpa/.
Business transfers: if Docuplete is involved in a merger, acquisition, or asset sale, Customer Data may be transferred as a business asset. We will notify you before your data is transferred and becomes subject to a different privacy policy.
Legal requirements: we may disclose information if required to do so by law or in response to a valid legal process (subpoena, court order). We will notify you of such disclosures to the extent permitted by law.
With your consent: we may share information in other ways if you have given us explicit permission.

We do not sell personal information to third parties for their own marketing purposes.

5. Customer Data and Our Role as Processor

When Customers use Docuplete to collect and process data about their own clients, Docuplete acts as a data processor and the Customer acts as the data controller. In this capacity:

We process Customer Data only on the Customer's documented instructions (as reflected in these Terms and any executed DPA).
We do not use Customer Data for our own marketing or analytics purposes.
We assist Customers in fulfilling data subject rights requests as set out in our DPA.
Customers who process personal data of EU/UK data subjects may execute our standard Data Processing Agreement at docuplete.com/legal/dpa/.
Customers who process Protected Health Information (PHI) under HIPAA may execute our Business Associate Agreement at docuplete.com/legal/baa/.

6. Cookies and Tracking

We use the following categories of cookies and similar technologies:

Strictly necessary: session authentication, CSRF protection, and security tokens. These cannot be disabled.
Functional: remembering your preferences (theme, language, timezone).
Analytics: aggregate usage data to understand how the platform is used. We minimise collection and do not enable cross-site tracking.

A cookie consent banner is displayed to visitors where required by law. You can manage cookies in your browser settings. Note that disabling certain cookies may affect Service functionality.

7. Data Security

We implement technical and organisational measures to protect personal data, including:

Encryption at rest: Customer Data and documents are encrypted using AES-256-GCM with per-account Data Encryption Keys (DEKs) wrapped by versioned master keys.
Encryption in transit: all communications use TLS 1.2 or higher.
Access controls: role-based access, least-privilege principles, and multi-factor authentication for staff.
Vulnerability management: regular security assessments, dependency auditing, and penetration testing.
Incident response: documented procedures for detecting, responding to, and reporting data security incidents.
Multi-tenant isolation: technical controls enforce strict data separation between customer accounts.

Despite these measures, no system is completely secure. In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify you and relevant authorities as required by applicable law.

8. Data Retention

Account data: retained for the duration of your Subscription and for 90 days after termination, then deleted.
Customer Data / documents: retained per your Subscription plan settings, then deleted. Customers may configure shorter retention periods or request immediate deletion.
Audit logs and e-signature records: retained for a minimum of 7 years to support legal enforceability of electronic signatures, unless Customer requests earlier deletion and applicable law permits it.
Log data: retained for up to 90 days for security and troubleshooting purposes.

You may request deletion of your data at any time by contacting legal@docuplete.com.

9. International Data Transfers

Docuplete is based in the United States. If you are located outside the US, your personal data may be transferred to and processed in the US and other countries where our service providers operate. We ensure appropriate safeguards are in place for such transfers, including:

Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA.
The UK International Data Transfer Agreement (IDTA) for transfers from the UK.
Data Processing Agreements with all sub-processors that require equivalent protections.

10. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access: request a copy of the personal data we hold about you.
Rectification: request correction of inaccurate or incomplete data.
Erasure ("right to be forgotten"): request deletion of your data, subject to legal retention obligations.
Restriction: request that we limit processing of your data in certain circumstances.
Portability: receive your data in a structured, machine-readable format.
Objection: object to processing based on legitimate interests or for direct marketing.
Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact legal@docuplete.com. We will respond within 30 days (or within the timeframe required by applicable law). We may request verification of your identity before processing your request.

11. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

The right to know what personal information we collect, use, disclose, and sell.
The right to delete personal information we have collected, subject to exceptions.
The right to opt out of the sale or sharing of personal information. Docuplete does not sell or share personal information for cross-context behavioural advertising.
The right to correct inaccurate personal information.
The right to limit use and disclosure of sensitive personal information.
The right to non-discrimination for exercising your CCPA rights.

To submit a CCPA request, contact legal@docuplete.com. We do not respond to browser "Do Not Track" signals at this time because no uniform industry standard exists.

If you are located in the European Economic Area (EEA) or the United Kingdom, you have rights under the General Data Protection Regulation (GDPR) or the UK GDPR, including those listed in Section 10 above. Additionally:

You have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, or your EU national supervisory authority).
Where we rely on legitimate interests as a legal basis, you may object to that processing and we will stop unless we have compelling legitimate grounds.
For EU/UK customers processing personal data through the Services, our standard Data Processing Agreement (available at docuplete.com/legal/dpa/) governs our role as data processor.

13. Children's Privacy

The Services are not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete it. If you believe we may have information from or about a child under 16, contact legal@docuplete.com.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page with an updated effective date and, where required by law, by sending you an email notification. We encourage you to review this page periodically. Your continued use of the Services after a change becomes effective constitutes acceptance of the updated policy.

15. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact:

Docuplete, Inc.
Privacy Team
Email: legal@docuplete.com

We aim to respond to all privacy enquiries within 5 business days.