Privacy Policy

Last Updated: October 27, 2025

1. Introduction

DocWhisper ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered document management service.

By using DocWhisper, you consent to the data practices described in this policy.

2. Information We Collect

2.1 Information You Provide

  • Authentication Information: Email address, name, and profile picture from your Google or Microsoft account
  • Document Content: Files you upload for classification and organization
  • Document Passwords: Encrypted passwords you provide for password-protected documents
  • Cloud Storage Access: OAuth tokens to access your Google Drive or OneDrive
  • User Preferences: Settings and preferences you configure

2.2 Information Collected Automatically

  • Usage Data: Number of documents processed, search queries performed, API usage metrics
  • Document Metadata: File names, sizes, types, creation dates, modification dates
  • Processing History: Classification results, confidence scores, assigned tags and categories
  • Log Data: IP addresses, browser type, device information, timestamps of actions
  • Session Data: Authentication tokens, session identifiers, CSRF tokens

2.3 Information from Third Parties

  • OAuth Providers: Basic profile information from Google or Microsoft
  • Cloud Storage Providers: File lists and metadata from your connected Google Drive or OneDrive

3. How We Use Your Information

We use your information for the following purposes:

3.1 Service Delivery

  • Process and classify your documents using AI
  • Organize files in your connected cloud storage
  • Provide semantic search capabilities across your documents
  • Extract text from password-protected documents
  • Create and maintain vector embeddings for search functionality

3.2 Account Management

  • Authenticate and authorize access to your account
  • Maintain your account settings and preferences
  • Track usage against your pricing tier limits
  • Process billing and payments for paid subscriptions

3.3 Service Improvement

  • Analyze usage patterns to improve classification accuracy
  • Monitor system performance and reliability
  • Debug and fix technical issues
  • Develop new features and functionality

3.4 Communication

  • Send service-related notifications and updates
  • Respond to your inquiries and support requests
  • Notify you of important changes to our Terms or Privacy Policy
  • Send optional marketing communications (with your consent)

3.5 Legal Compliance

  • Comply with legal obligations and regulatory requirements
  • Protect our rights and enforce our Terms of Service
  • Prevent fraud, abuse, and security threats
  • Respond to lawful requests from authorities

4. Third-Party Services and Data Sharing

4.1 OpenAI API

We use OpenAI's API to process and classify your documents:

  • Document content is sent to OpenAI for analysis
  • We configure the API to prevent OpenAI from using your data for model training
  • OpenAI's data retention policies apply (typically 30 days)
  • All transmissions are encrypted in transit
  • OpenAI's Privacy Policy: https://openai.com/policies/privacy-policy

4.2 Cloud Storage Providers

We integrate with Google Drive and OneDrive:

4.3 Service Providers

We may share information with trusted service providers:

  • Hosting providers (for infrastructure and data storage)
  • Payment processors (for subscription billing)
  • Analytics services (for usage monitoring)
  • Customer support tools (for handling inquiries)

All service providers are contractually obligated to protect your information and use it only for authorized purposes.

4.4 Legal Disclosures

We may disclose your information if required to:

  • Comply with legal obligations (court orders, subpoenas)
  • Protect our rights, property, or safety
  • Prevent fraud or abuse of our services
  • Respond to emergencies involving danger of death or serious injury

5. Data Storage and Security

5.1 Where We Store Data

  • Your Documents: Stored in your connected Google Drive or OneDrive (not on our servers)
  • Metadata: Stored in a PostgreSQL database (encrypted at rest)
  • Vector Embeddings: Stored in LanceDB with tenant isolation (per-user databases)
  • Document Passwords: Encrypted using AES-256 encryption before storage
  • OAuth Tokens: Encrypted and stored securely in our database

5.2 Security Measures

We implement industry-standard security measures:

  • TLS/SSL encryption for all data in transit
  • Encryption at rest for sensitive data
  • Regular security audits and vulnerability assessments
  • Access controls and authentication mechanisms
  • Monitoring for suspicious activity and security threats
  • Regular backups with secure storage

5.3 Data Retention

  • Active Accounts: Data retained as long as your account is active
  • Deleted Accounts: Metadata and embeddings deleted within 30 days
  • Legal Requirements: Some data may be retained longer if legally required
  • Backups: Data in backups deleted according to backup retention schedules
  • Your Documents: Remain in your cloud storage under your control

5.4 Data Breach Notification

In the event of a data breach:

  • We will notify affected users within 72 hours of discovery
  • Notification will include the nature of the breach and the steps being taken
  • We will notify relevant regulatory authorities as required by law
  • We will provide guidance on steps you can take to protect yourself

6. Your Privacy Rights

6.1 Access and Portability

You have the right to:

  • Request a copy of your personal data
  • Export your data in a machine-readable format
  • Review what information we have collected about you

6.2 Correction and Update

You can:

  • Update your account information through settings
  • Correct inaccurate or incomplete data
  • Request correction of data you cannot change yourself

6.3 Deletion

You have the right to:

  • Delete your account and associated data
  • Request deletion of specific information
  • Revoke cloud storage access at any time

Note: Some data may be retained for legal or legitimate business purposes (e.g., billing records, fraud prevention).

6.4 Objection and Restriction

You can:

  • Object to certain data processing activities
  • Restrict processing of your personal data
  • Opt out of marketing communications
  • Withdraw consent for optional data collection

6.5 How to Exercise Your Rights

To exercise any of these rights:

  • Email us at: privacy@docwhisper.ai
  • Use the account settings page for self-service options
  • We will respond within 30 days of your request
  • We may verify your identity before fulfilling requests

7. GDPR and International Data Transfers

7.1 Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your data under:

  • Contract Performance: Processing necessary to provide our services
  • Consent: Where you have given explicit consent
  • Legitimate Interests: For service improvement and security
  • Legal Obligations: To comply with applicable laws

7.2 International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence:

  • We use Standard Contractual Clauses approved by the EU Commission
  • Data is protected by adequate safeguards regardless of location
  • Third-party processors comply with applicable data protection laws

7.3 EU Representative

For GDPR-related inquiries, you may contact our EU representative at: gdpr@docwhisper.ai

8. Children's Privacy

Our Service is not intended for children under 18 years of age:

  • We do not knowingly collect information from children under 18
  • If we discover we have collected data from a child, we will delete it promptly
  • If you believe we have data from a child, contact us at: privacy@docwhisper.ai

9. Cookies and Tracking Technologies

9.1 Cookies We Use

  • Essential Cookies: Required for authentication and security (session_id, csrf_token)
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us understand usage patterns (with your consent)

9.2 Your Cookie Choices

You can control cookies through:

  • Browser settings (most browsers allow you to block cookies)
  • Our cookie preference center (if available)
  • Note: Blocking essential cookies may affect Service functionality

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time:

  • We will update the "Last Updated" date at the top
  • We will notify you of material changes via email or Service notification
  • Changes take effect 30 days after notice (unless legally required sooner)
  • Your continued use constitutes acceptance of the updated policy
  • You may review previous versions by contacting us

11. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices:

Privacy Inquiries: privacy@docwhisper.ai

General Support: support@docwhisper.ai

GDPR Inquiries: gdpr@docwhisper.ai

Website: https://docwhisper.ai

Your Consent

By using DocWhisper, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein.