Privacy Policy
Last updated: May 1, 2026
1. Introduction
This Privacy Policy describes how DocVerify ("DocVerify", "we", "us", or "our") collects, uses, shares, and protects personal information in connection with our website, REST API, Model Context Protocol (MCP) endpoints, AI Agent Workflows, ID verification workflow, SDKs, and related services (together, the "Service"). It applies alongside our Terms of Service and forms part of them.
"Personal data" and "personal information" are used interchangeably and mean any information relating to an identified or identifiable individual, as defined by applicable law (GDPR, UK GDPR, CCPA/CPRA, India's DPDP Act, LGPD, PIPEDA, Australia's Privacy Act, and similar statutes).
2. Short Version
- We collect the minimum personal data needed to run your account, bill you, and deliver document-analysis results.
- On the Free Tier, documents you submit for document analysis — through the Console, API, MCP, or an AI Agent Workflow — are retained in an access-controlled training corpus that only our engineering and training processes can read. We use them to improve detection accuracy.
- ID verification media is excluded from Free-Tier training retention. We do not retain ID documents or liveness media for training, regardless of whether the attempt uses free or paid credits.
- On the Paid Tier, we do not retain documents. They are processed in memory and discarded at the end of the response.
- Console users get an end-to-end encrypted personal scan history that we cannot decrypt, auto-deleted within ~24 hours. This is separate from the Free-Tier training corpus.
- We do not sell your personal information, do not use it for third-party advertising, and do not engage in cross-site tracking.
- You have strong rights over your personal data. Email privacy@docverify.app to exercise them.
3. Our Role — Controller, Processor, and AI Agent Workflows
Account & billing data. DocVerify is the data controller (EEA/UK GDPR) / Data Fiduciary (DPDP Act) / business (CCPA/CPRA) for personal data about you as an account holder: identity, email, billing, usage counts, and API-key metadata.
Content you submit for analysis. When you upload a document for a one-off document analysis through the Console, API, or MCP, DocVerify processes it on your instructions. In most cases we treat this as processing on your behalf (we are your processor) with any personal data in the document being processed only to return the analysis result and, on the Free Tier, for the training purpose you consent to in the Terms of Service. This training purpose does not apply to ID verification media. See Section 6 for the detail.
AI Agent Workflows. If you are an Operator of an AI Agent Workflow, you determine the agent's purpose and the data it ingests. For Content your End Users submit to your AI Agent Workflow, you are the controller / Data Fiduciary / business and DocVerify is your processor. We process the Content solely to execute the configuration you supply. You are responsible for giving End Users an appropriate privacy notice and for any consents required for our processing. Our Data Processing Addendum (DPA) applies automatically where the GDPR, UK GDPR, or DPDP Act are engaged, and is available at legal@docverify.app.
4. Personal Data We Collect
4.1 You provide directly:
- Account identifiers — email, name (optional), Google profile information if you sign in with Google.
- Authentication credentials — password hashes held by Firebase Authentication; we never see plaintext passwords.
- Billing information — company name, VAT/GST ID (if applicable), billing address. Payment card details are collected directly by Stripe; DocVerify never sees or stores card numbers.
- Support and correspondence — any messages or documents you send us.
- Content you submit — documents, images, PDFs, prompts, and agent configurations. These may contain personal data of third parties; you are responsible for the lawful basis for including them. See Section 6.
- ID verification data — the ID document image, liveness media, challenge responses, verification signals, fraud-prevention metadata, and receipts generated when you use the ID verification workflow. See Section 6.7.
4.2 Generated automatically when you use the Service:
- Request metadata — timestamp, HTTP status, cost type (free/paid), IP address truncated for geolocation, user-agent string, file size, computed verdict, and an API-key reference (a hashed identifier, never the full key).
- Security events — failed logins, rate-limit hits, suspected abuse patterns.
- Cookies and local storage — see Section 10.
4.3 From third parties:
- Identity providers (Google) — profile information we need to create your account when you use single sign-on.
- Stripe — payment confirmation status, subscription plan, country of the billing address, and tax-residence information needed for VAT/GST.
5. Why We Use Your Personal Data (Purposes & Legal Bases)
The EEA/UK GDPR requires that we identify a lawful basis for each processing purpose. The table below summarises the purposes, the categories of data involved, and the basis we rely on. Similar framing applies under the DPDP Act (consent or legitimate use) and under US/other laws (business purpose).
- Providing the Service. Account data, submitted Content, request metadata. Legal basis: performance of the contract (GDPR Art. 6(1)(b)); necessary-for-the-service consent (DPDP Sec. 7(a)).
- Training and improving models (Free Tier only). Submitted document analysis Content and derived analysis metadata, excluding ID verification media. Legal basis: your explicit consent given by choosing the Free Tier and accepting Section 9 of our Terms of Service (GDPR Art. 6(1)(a)); you may withdraw consent at any time by switching to a Paid Tier or requesting deletion (Section 11 below).
- Billing, fraud prevention & compliance. Account, billing, usage metadata, limited Content fingerprints. Legal basis: legal obligation (GDPR Art. 6(1)(c)) and our legitimate interests in accurate billing and abuse detection (Art. 6(1)(f)).
- Security & service integrity. IP, user-agent, failed-login and rate-limit events. Legal basis: our legitimate interests in protecting users and the platform from abuse (Art. 6(1)(f)); legal obligation where we must report a breach.
- Product analytics. Cookie-based aggregated usage. Legal basis: your consent for non-essential cookies (ePrivacy Directive / PECR); our legitimate interests in first-party aggregated analytics that do not involve cross-site tracking.
- Corporate communications. Email address, name, support history. Legal basis: legitimate interests (service announcements, security notices) and consent (marketing where required).
Where we rely on legitimate interests, we balance those interests against your rights and freedoms and will not proceed where your rights override. You can object at any time (see Section 11).
6. Document Processing & Training-Dataset Retention
This section reflects Section 9 of our Terms of Service and is the part you should read most carefully before uploading any document.
6.1 Free Tier — training-dataset retention. When you submit document analysis Content on the Free Tier through the Console, API, MCP, or an AI Agent Workflow invoked without a paid credit, we retain a copy of the file together with the analysis metadata — score, verdict, flags, heatmap, detected content type — in an internal training corpus. This does not apply to ID verification media. The corpus is stored in access-controlled cloud infrastructure and is not exposed through any client-facing product surface; only authorized production services can read it. Access is logged and audited.
6.2 Paid Tier — no training retention. Content submitted under a purchased credit or an active subscription is processed in memory and discarded at the end of the response. We do not add it to the training corpus.
6.3 Console history — end-to-end encrypted. For logged-in Console users we also store a personal scan-history entry under scans/{userId}/{scanId}. The uploaded image and the analysis response are encrypted in your browser using AES-GCM with a 256-bit key kept in your browser's local storage. DocVerify does not hold a copy of that key and cannot decrypt the history entry. The entry is automatically deleted by a scheduled cleanup function within approximately 24 hours. This history copy is independent of the Free-Tier training copy described in Section 6.1.
6.4 What we do NOT do.
- We do not sell Content or personal data.
- We do not use Content for targeted advertising or cross-site tracking.
- We do not share Content with third-party LLM providers other than the sub-processors you explicitly configure for an AI Agent Workflow (see Section 8).
- We do not hand Content to governments or law-enforcement absent a legally valid order, and we challenge overbroad requests.
6.5 What not to upload on the Free Tier. Do not submit Content that contains special-category data under GDPR Article 9 (for example health data, racial or ethnic origin, religious or political beliefs, sexual orientation, biometric data for identification, genetic data), sensitive personal data under the DPDP Act, protected health information under HIPAA, personal data of children under the age of digital consent, identity documents of third parties without their authorisation, or any Content whose retention in a training corpus would breach a confidentiality obligation. Use a Paid Tier plan, or redact the document, before submitting. This restriction concerns document-analysis uploads; the dedicated ID verification workflow is governed by Section 6.7 and still requires a valid legal basis, required notice, and required consent.
6.6 Deletion of retained samples. You can ask us to delete a specific Free-Tier training sample at any time by emailing privacy@docverify.app with the approximate upload date, the filename, and — if you have it — the sampleId returned with the response. We will remove the record from active storage within 30 days and from back-ups within the normal back-up-rotation cycle.
6.7 ID verification workflow. When you use ID verification, we process the ID document image, liveness media, and challenge responses you provide to return a reasonable-assurance identity signal. This may involve biometric data or special-category data under some laws. You must only submit your own ID and likeness, or data from another person where you have a valid legal basis and all required notices and consents.
We do not add ID verification media to the Free-Tier training corpus and do not retain ID documents or liveness media for training on any tier. We also do not retain it as a biometric identification database. We retain limited verification records, such as status, attempts, outcome, receipt, and fraud-prevention signals, for the period needed to operate the workflow, investigate abuse, and support auditability, currently up to approximately 7 days unless a longer period is required by law or an enterprise agreement.
Some processing may be performed by trusted cloud and infrastructure partners, including Google Cloud, under commercial and data-processing agreements. We do not use ID verification submissions for targeted advertising or to train document-forgery models.
7. Automated Decision-Making
The Service runs automated pattern-analysis over the Content you submit and returns probabilistic signals about manipulation, AI generation, and metadata anomalies. These outputs are not, by themselves, decisions that produce legal or similarly significant effects on individuals. If you are designing a workflow where an output could have such effects (for example credit, insurance, hiring, housing, immigration, medical, or safety-critical decisions), you must ensure meaningful human review and comply with applicable law — including the EU AI Act, US anti-discrimination laws, and the DPDP Act's rules on automated decision-making. See also Section 5.5 of our Terms of Service.
8. Sub-Processors and Third-Party Recipients
We engage the following sub-processors to operate the Service. Each is bound by contractual safeguards consistent with our obligations under applicable law.
- Google Cloud Platform / Firebase (United States / regional) — authentication, hosting, storage, database, compute, analytics, and managed AI processing under commercial and data-processing terms.
- Specialized infrastructure providers (United States / regional) — compute capacity needed to operate document analysis and ID verification workflows, under commercial and data-processing terms.
- Stripe (Ireland / United States) — payment processing, tax collection, subscription management.
- Resend or equivalent transactional email provider — operational emails (welcome, billing, security).
- ngrok / Cloudflare (as applicable) — edge routing.
If you build an AI Agent Workflow that calls additional third-party tools (for example a search engine, knowledge base, workflow API, or additional LLM), those tools become your sub-processors for the Content the agent passes to them. Your configuration choices control which tools are invoked.
We may also disclose personal data to (a) professional advisers under obligations of confidentiality, (b) a successor entity in the event of a merger, acquisition or sale of assets (subject to continued protection consistent with this policy), and (c) where required by law, regulation, or valid legal process.
9. International Data Transfers
DocVerify is based in the United States and uses sub-processors in the United States and other jurisdictions. Where personal data originates from the EEA, UK, or Switzerland and is transferred outside those regions, we rely on one or more of the following mechanisms:
- The EU Commission's Standard Contractual Clauses (SCCs, Decision 2021/914) in combination with supplementary technical and organisational measures identified by a transfer-impact assessment.
- The UK International Data Transfer Addendum to the EU SCCs, for UK data.
- The Swiss-specific addendum to the SCCs issued by the FDPIC, for Swiss data.
- Data Privacy Framework certification where the recipient is a DPF-certified organisation (for example Google LLC for in-scope transfers).
For transfers out of India, we comply with the cross-border-transfer provisions of the DPDP Act 2023 and any notifications the Central Government issues restricting transfer to particular countries.
A copy of the SCCs or equivalent safeguards we rely on is available on request from privacy@docverify.app.
10. Cookies & Similar Technologies
Our cookie banner presents a granular choice on your first visit. We split cookies into strictly necessary and non-essential categories.
- Strictly necessary — Firebase Authentication session cookies, CSRF tokens, and local-storage entries required for the Service to function (including the AES-GCM key that encrypts your Console history). These cannot be disabled without breaking core features.
- Analytics (non-essential) — Google Analytics 4 with IP truncation enabled, first-party only, used in aggregate to understand which features are used. Set only if you accept.
- Preferences — docverify_cookie_consent, UI-state keys such as tab selections.
We do not run advertising, retargeting, session-replay, or cross-site tracking cookies. We honour the Global Privacy Control (GPC) header where your browser sends it.
11. Your Rights
Subject to applicable law and the verification of your identity, you may exercise the following rights:
- Access a copy of your personal data.
- Rectification / correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten") — including deletion of your account and of any Free-Tier samples that have been retained.
- Restriction or objection to certain processing, in particular any based on legitimate interests.
- Data portability — receive your data in a structured, machine-readable format.
- Withdraw consent — where we rely on consent, you can withdraw it at any time, without affecting processing done before the withdrawal.
- Complain to your local supervisory authority (for example your national Data Protection Authority in the EEA, the ICO in the UK, the Data Protection Board in India, or your state attorney general in the US).
- Not be subject to solely automated decisions producing legal or similarly significant effects — see Section 7.
- Nominate another person to exercise rights on your behalf (DPDP Act), including in the event of death or incapacity.
To exercise any right, email privacy@docverify.app. We aim to respond within 30 days (or the period required by applicable law — 45 days CCPA/CPRA, within the statutory DPDP Act period). We will not charge a fee unless your request is manifestly unfounded or excessive.
We will not discriminate against you for exercising your rights.
12. Data Retention Periods
- Paid-Tier Content — not retained (processed in memory only).
- Free-Tier Content (training corpus) — retained until deletion on request or until we no longer need it for the training purpose, whichever is sooner. We review the corpus annually and delete or reduce samples that are no longer informative.
- ID verification media — not retained for training on any tier, including Free Tier. Limited verification records may be retained for workflow operation, abuse prevention, and auditability as described in Section 6.7.
- Console history (E2E encrypted) — approximately 24 hours, then deleted by a scheduled function.
- Account data — retained while your account is active and for up to 30 days after deletion, subject to longer retention required by law (for example tax records: 6–10 years depending on jurisdiction).
- Billing records — retained for as long as required by applicable tax and accounting law (typically 6–10 years).
- Request / audit logs — up to 12 months for billing reconciliation and 24 months for security event analysis.
- Analytics — as configured in Google Analytics 4 (default 26 months); we apply IP truncation and data-retention controls.
- Back-ups — deleted data may persist in encrypted back-ups until the rotation deletes them (typically up to 35 days).
13. Security
We apply technical and organisational measures appropriate to the risks, including:
- Encryption in transit (TLS 1.2+) and encryption at rest for back-ups and sensitive stores.
- End-to-end encryption of Console history using a user-held AES-GCM key that DocVerify does not possess.
- Strict access controls on restricted training-dataset paths; access only via authenticated production services.
- Scoped API keys, per-tenant quota enforcement, Stripe webhook signature verification.
- Principle of least privilege for staff access; logged and audited.
- Documented incident-response procedures; timely notification to affected users and regulators where a breach triggers a notification obligation (GDPR Art. 33–34 and equivalent DPDP / US state laws).
No system can be perfectly secure. If you believe you have found a vulnerability, email security@docverify.app. We operate a good-faith disclosure programme and will not pursue researchers who act within scope.
14. Children's Data
The Service is not directed to children under the age of digital consent in their jurisdiction (13 in the US, 16 in the EEA unless a member state sets a lower age down to 13, 18 in India for DPDP purposes). We do not knowingly collect personal data from children without verifiable parental consent. If you believe a child has provided us personal data, email privacy@docverify.app and we will delete it.
You must not submit on the Free Tier a document containing personal data about a child.
15. Regional Addendum — EEA, United Kingdom, Switzerland
- In addition to the rights in Section 11, you have the right to lodge a complaint with your national supervisory authority (for example the CNIL in France, the BayLDA in Bavaria, the ICO in the UK, the FDPIC in Switzerland).
- When we rely on legitimate interests, you may request a summary of our balancing test.
- When we rely on your consent, you may withdraw it at any time by emailing privacy@docverify.app.
- EU Representative (Art. 27 GDPR). If DocVerify does not have an establishment in the EU, our appointed representative is identified in the footer of this page and can be contacted at eu-rep@docverify.app.
- UK Representative. Where required by UK GDPR Art. 27, contact our UK representative at uk-rep@docverify.app.
- Data Protection Officer. Our DPO (where one is required or voluntarily appointed) can be reached at dpo@docverify.app.
16. Regional Addendum — California (CCPA/CPRA)
This section applies to California residents whose personal information is "collected" within the meaning of the California Consumer Privacy Act as amended by the CPRA.
Categories of personal information collected. Identifiers (email, name), customer records, commercial information, internet / electronic-network activity, inferences, and sensitive personal information limited to account credentials and payment information. See Section 4 for detail.
Sources. Directly from you, automatically via your use of the Service, and from third parties such as identity providers and payment processors (Section 4).
Business purposes. Delivering the Service, billing, security, legal compliance, model training for Free-Tier document-analysis submissions as disclosed in Section 6, and aggregate analytics (Section 5).
Third-party disclosures. Sub-processors as listed in Section 8. We do not "sell" personal information. We do not "share" personal information for cross-context behavioural advertising.
Your rights. You have the right to (i) know what personal information we collect, use, disclose, and sell/share; (ii) request deletion; (iii) request correction; (iv) opt out of sale / share (not applicable — we do not sell or share); (v) limit the use of sensitive personal information; (vi) non-discrimination for exercising your rights. Authorized agents may submit requests on your behalf with verified authorisation.
How to exercise. Email privacy@docverify.app. We will respond within 45 days, extendable by 45 days with notice.
Shine the Light (Cal. Civ. Code § 1798.83). California residents may request information about personal information disclosed to third parties for their direct-marketing purposes. We do not currently disclose personal information for such purposes.
17. Regional Addendum — India (DPDP Act, 2023)
This section applies to Data Principals (as defined by the DPDP Act) whose personal data we process.
- Role. DocVerify is a Data Fiduciary for account and billing data. For Content processed through an AI Agent Workflow or API, DocVerify acts on the instructions of the Operator and may be a Data Processor or Data Fiduciary depending on who determines the purpose.
- Consent & notice. By using the Service you provide consent to the processing described in this policy and in the Terms of Service. You may withdraw consent at any time; continuing to use the Service may be impossible without that consent.
- Rights. Access, correction, erasure, grievance redressal, right to nominate a person to exercise rights in the event of death or incapacity, and right to request information about processing of your personal data.
- Children. Personal data of individuals under 18 will be processed only with verifiable consent of a parent or lawful guardian, and no tracking, behavioural monitoring, or targeted advertising will be performed.
- Grievance Officer. Email grievance@docverify.app. The Grievance Officer will acknowledge your grievance within 24 hours and respond substantively within the time-frame required by the DPDP Act and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
- Significant Data Fiduciary obligations. If DocVerify is notified as a Significant Data Fiduciary, additional obligations (DPO, DPIA, audit) will apply and will be reflected in a revision to this policy.
18. Regional Addendum — Other Jurisdictions
- Brazil (LGPD). Under Law 13.709/2018 you have rights of confirmation, access, correction, anonymisation or deletion, portability, information about sharing, revocation of consent, and to lodge complaints with the ANPD.
- Canada (PIPEDA, Quebec Law 25). You have rights to access, correction, and withdrawal of consent, and in Quebec further rights to transparency about automated decisions and to data portability.
- Australia (Privacy Act / APPs). You have rights to access and correct your personal information under Australian Privacy Principles 12 and 13.
- South Korea (PIPA), Japan (APPI), other APAC. Rights of access, correction, and deletion as required by local law.
- For any other jurisdiction, we honour mandatory data-subject rights granted by your local law. Email privacy@docverify.app.
19. Do-Not-Track & Global Privacy Control
We honour the Global Privacy Control (GPC) signal in browsers that send it. When GPC is present we treat it as a validly communicated opt-out request for sale or sharing of personal information (even though we do not currently sell or share), and as a withdrawal of consent for non-essential analytics cookies.
20. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email or in-product notice at least 30 days before the change takes effect, unless a shorter period is required by law. The "Last updated" date at the top of this page reflects the latest revision.
21. Contact
- Privacy, data-subject rights, deletions: privacy@docverify.app
- Data Protection Officer: dpo@docverify.app
- EU Representative: eu-rep@docverify.app
- UK Representative: uk-rep@docverify.app
- India Grievance Officer: grievance@docverify.app
- Security & vulnerability reports: security@docverify.app
- DMCA / copyright: copyright@docverify.app
- General / legal: legal@docverify.app
The DocVerify contracting entity, its registered address, and company-registration details are published in the site footer and in our Terms of Service.