Privacy Policy

Last updated: February 28, 2026

DocuSearch AI ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller

DocuSearch AI acts as the data controller for the personal data processed through the Service. For data protection inquiries, contact us at: privacy@docusearch.eu

2. Data We Collect

2.1 Account Data

• Email address: used for authentication, communication, and account recovery
• Password: stored as a secure bcrypt hash; we never store or have access to your plain-text password
• First and last name: collected during profile completion
• Primary use case: an optional answer (Receipts & invoices, Contracts, Research / reports, Other) collected during signup so we can tailor the onboarding experience
• Account creation date

2.2 Uploaded Documents

• Documents you upload for OCR processing (PDFs, images, Word files)
• OCR output (markdown text and extracted images)
• Document embeddings stored in our vector database for search functionality

2.3 Usage Data

• Pages processed, queries made, and features used
• Subscription plan and billing history
• Chat conversations with the AI assistant (saved to your account so you can revisit them; you can delete any conversation at any time)

2.4 Technical Data

• Browser type and version
• IP address (server logs)
• Access timestamps

3. How We Use Your Data

Purpose	Legal Basis (GDPR)
Provide OCR, embedding, and chat services	Performance of contract (Art. 6(1)(b))
Account authentication and security	Performance of contract (Art. 6(1)(b))
Send transactional emails (verification, password reset, receipts)	Performance of contract (Art. 6(1)(b))
Send usage alerts and service notifications	Legitimate interest (Art. 6(1)(f))
Usage tracking and billing	Performance of contract (Art. 6(1)(b))
Service improvement and debugging	Legitimate interest (Art. 6(1)(f))
Legal compliance	Legal obligation (Art. 6(1)(c))

4. Third-Party Services

We use the following third-party services to provide the Service:

Service	Purpose	Data Shared	Location
Mistral AI	OCR processing, embeddings, AI chat	Document content	France (EU)
Qdrant	Vector database for document search	Embeddings & metadata	France (EU)
Stripe	Payment processing	Email, payment method	EU processing
Resend	Transactional email delivery	Email address, email content	US (SCCs)
Dropbox (optional)	Cloud file import (user-initiated)	OAuth tokens, file access	US (SCCs)
Google (optional)	Sign-in, only if you use “Continue with Google”	Email, basic profile	US (SCCs)

Each third-party service processes data according to their own privacy policies. We only share the minimum data necessary for each service to function.

Team workspaces. If you join a team (Business) workspace, content you place in or explicitly share with that workspace (including any Dropbox folder you choose to “share with the team”) becomes visible to other members of that workspace who have access to the relevant folder. Content you keep private (your personal storage and any Dropbox folder you have not shared) is never visible to other members, including workspace administrators. Sharing is always an explicit action on your part; connecting Dropbox never shares anything automatically.

5. Data Retention

• Account data: Retained while your account is active and for 30 days after deletion
• Uploaded documents and OCR output: Stored until you delete them or close your account
• Document embeddings: Stored until you delete the file or folder, or close your account
• Usage logs: Retained for 12 months for billing and support purposes
• Server logs: Retained for 90 days
• Chat conversations: Saved to your account until you delete the conversation or close your account. Included in your data export and erased when you delete your account.

6. Your Rights (GDPR)

Under GDPR, you have the following rights regarding your personal data:

• Right of Access (Art. 15): Request a copy of all personal data we hold about you
• Right to Rectification (Art. 16): Request correction of inaccurate data
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
• Right to Data Portability (Art. 20): Request your data in a structured, machine-readable format
• Right to Restrict Processing (Art. 18): Request limitation of processing in certain circumstances
• Right to Object (Art. 21): Object to processing based on legitimate interest
• Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at privacy@docusearch.eu. We will respond within 30 days.

7. Data Security

We implement appropriate technical and organizational measures to protect your data:

• Passwords are hashed using bcrypt with salt
• Authentication via JWT tokens with limited expiry
• User data is isolated; each user can only access their own documents and folders
• Database access is restricted to the application layer
• Third-party API keys are stored as environment variables, not in code

8. Cookies and Local Storage

We do not use traditional cookies. The Service uses browser localStorage to store:

• Your authentication token (for maintaining your login session)
• Your email address (for display purposes)

This data is stored locally on your device and is not transmitted to third parties. You can clear this data at any time by logging out or clearing your browser storage.

9. International Data Transfers

All core data processing occurs within the European Union. Our application is hosted on Azure France Central. Our AI provider (Mistral AI) and vector database (Qdrant) are both hosted in France. Transactional email delivery via Resend may involve processing outside the EEA; where such transfers occur, Standard Contractual Clauses (SCCs) apply. Dropbox file imports are user-initiated and subject to Dropbox's own data processing terms. For full details, see our Security & Compliance page.

10. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the Service at least 30 days before taking effect. The "Last updated" date at the top indicates when the policy was last revised.

12. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority.

13. Contact

For privacy-related questions or to exercise your data rights:

• Email: privacy@docusearch.eu
• General support: support@docusearch.eu