Privacy Policy

1. Introduction

At Docuwall, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our secure document sharing and payment platform.

2. Information We Collect

2.1 Information You Provide

We collect information that you voluntarily provide to us, including:

• Account Information: Name, email address, password, and company details
• Payment Information: Payment Information: Billing address, payment method metadata (last 4 digits, card brand), and Stripe customer identifiers. Full payment card details are processed and stored securely by our payment processor (Stripe) and are never stored on our servers.
• Profile Information: Optional information such as email addresses and details submitted by you when you use the service
• Documents: Files and documents you upload to our platform
• Communications: Messages, feedback, and support requests you send to us
• Customer Information: When you add customers to your account, we collect their name, email address, phone number, and optional profile information to facilitate document sharing and payment processing.

2.2 Automatically Collected Information

When you use our Service, we automatically collect certain information, including:

• Usage Data: Information about how you interact with our platform, including features used and actions taken
• Device Information: IP address, browser type, and potentially some device or session identifiers
• Log Data: Server logs, access times, and error reports
• Cookies: Data collected through cookies and similar tracking technologies
• Transaction Data: Payment amounts, currencies, transaction status, platform fees, and payment timestamps for financial record-keeping and compliance.

3. How We Use Your Information

We use the collected information for various purposes, including:

• Providing, maintaining, and improving our Service
• Processing your transactions and managing your account
• Sending you technical notices, updates, and security alerts
• Responding to your comments, questions, and support requests
• Analyzing usage patterns to improve user experience
• Detecting, preventing, and addressing technical issues and fraudulent activity
• Complying with legal obligations and enforcing our Terms & Conditions

4. Data Storage and Security

4.1 Security Measures

We implement industry-standard security measures to protect your information, including:

• TLS/HTTPS encryption for all data transmission
• Encryption at rest for stored documents
• Secure password hashing (Django's PBKDF2)
• Access token-based document sharing with unique identifiers
• Stripe-certified payment processing (PCI DSS compliant)
• Regular security audits and monitoring
• Multi-factor authentication options
• Secure data centers with physical and digital access controls

4.2 Data Retention

We retain your personal information for as long as necessary to provide the Service. Specifically:

• Documents: Active documents are retained indefinitely. Paid documents may be automatically archived 30 days after payment, and archived documents may be automatically deleted 90 days after archiving. You can manually archive or delete documents at any time. Once deleted, document files are permanently removed from our servers, though transaction records are retained for compliance.
• Transaction Records: Retained for 7 years for tax and compliance purposes
• Account Data: Retained until account deletion, then deleted within 30 days
• Audit Logs: Retained for 12 months for security and compliance
• Deleted accounts scheduled for deletion: 30-day grace period before permanent deletion

5. Data Sharing and Disclosure

Within Your Organization: If you are part of a team/tenant organization, your account owner and administrators may have access to documents, customers, and activity logs within your shared workspace.

We do not sell your personal information. We may share your information only in the following circumstances:

• With Your Consent: When you explicitly authorise us to share information
• Service Providers: With trusted third-party vendors who assist in operating our Service (e.g., payment processors, cloud storage providers)
• Business Transfers: In connection with a merger, acquisition, or sale of assets
• Legal Requirements: When required by law or to protect our rights, property, or safety
• Document Recipients: When you choose to share documents with specific individuals or organisations

6. Your Rights and Choices

6.1 Access and Control

You have the right to:

• Access, update, or delete your personal information through your account settings
• Export your data in a portable format
• Opt-out of marketing communications
• Request deletion of your account and associated data

6.2 Data Protection Rights (GDPR)

If you are located in the European Economic Area (EEA), you have additional rights under GDPR, including:

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing

7. Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Maintain your login session (Django session cookies)
• Remember your preferences (theme, language)
• Track usage analytics (if using Google Analytics/similar)

Essential cookies are required for the Service to function. You can control cookie preferences through your browser settings, though disabling essential cookies wil prevent you from using the Service.

8. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

9. Children's Privacy

Our Service is not intended for users under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us immediately.

10. International Data Transfers

10.1 Data Storage

Your data is primarily stored on servers located in Ireland (European Union). We may use additional data centers in other regions for redundancy and performance optimization.

10.2 Cross-Border Transfers

Docuwall is available to users in over 60 countries worldwide. If you are accessing the Service from outside the EU, your information may be transferred to and processed in the EU and other jurisdictions where our service providers operate.

We ensure appropriate safeguards are in place for international data transfers through:

• EU Standard Contractual Clauses (SCCs) with service providers
• GDPR-compliant data processing agreements
• Adequate security measures as outlined in this policy
• Compliance with local data protection laws where applicable

10.3 Regional Data Protection Laws

We comply with applicable data protection laws in the regions we serve, including:

• GDPR (European Union & EEA)
• UK GDPR (United Kingdom)
• PDPA (Singapore)
• PDPL (United Arab Emirates)
• LGPD (Brazil)
• PIPEDA (Canada)
• Privacy Act (Australia)
• Other applicable regional privacy regulations

10.4 Stripe Connect Global Operations

Payment processing through Stripe Connect may involve data transfers to Stripe's global infrastructure. Stripe maintains compliance with regional payment regulations and data protection laws.

11. Additional Information

11.1 Payment Processing

We use Stripe Connect to facilitate payments between document buyers and sellers globally. Stripe Connect is available in 47+ countries and complies with local payment regulations.

When you receive payments:

• Stripe processes payment information directly from buyers
• We receive transaction metadata (amount, status, fees) but not full card details
• Stripe may collect additional information for fraud prevention and compliance
• Payment processing complies with PCI DSS and local payment regulations
• Currency conversion is handled automatically for multi-currency transactions

Stripe's operations and data handling vary by region. For details, see:

• Stripe's Privacy Policy: https://stripe.com/privacy
• Stripe's Global Operations: https://stripe.com/global

11.2 Email Communications

We use Microsoft Graph API to send transactional emails (receipts, notifications, invitations). Microsoft may process email metadata in accordance with their privacy policy.

11.3 Curency Conversion

We use exchangerate-api.com to provide accurate currency conversions for multi-currency transactions. This service may log API requests containing currency codes and amounts (no personal information is shared).

11.4 Transaction Monitoring & Tax Compliance

To prevent abuse and ensure fair usage, we monitor transaction patterns, including commission rates and feature usage, to determine refund eligibility when you downgrade your plan.

Tax Responsibility: You are responsible for determining and complying with your local tax obligations, including VAT/GST collection and remittance. We provide VAT/GST rate information for reference, but this does not constitute tax advice. The tax rates displayed are standard rates and may not reflect reduced rates, exemptions, or special circumstances that may apply to your business.

We recommend consulting with a local tax professional to ensure compliance with your jurisdiction's tax laws.

11.5 Regional Tax & VAT Information

Our platform supports users in regions with different tax systems:

• EU/UK: VAT (Value Added Tax) ranging from 17-27%
• UAE/GCC: VAT ranging from 0-15%
• Australia/New Zealand: GST (Goods and Services Tax)
• Canada: GST/HST (varies by province)
• Singapore: GST
• United States: No federal VAT (state sales tax may apply)
• Other regions: Various consumption taxes

You can configure your tax settings in your account profile. If you enable tax display on invoices, your configured tax rate will be shown to customers. You are responsible for:

• Registering for tax collection in your jurisdiction (if required)
• Collecting and remitting taxes to appropriate authorities
• Maintaining accurate tax records
• Complying with cross-border tax rules (if applicable)

Platform fees charged by Docuwall are separate from any taxes you collect from your customers.

12. Automated Document Management

Automatic archiving and deletion of documents occurs after the specified period post-sale. Once deleted, document files are permanently removed from our servers, though transaction records are retained for compliance purposes.

13. Security Incident Response

In the event of a data breach, we will notify affected users within 72 hours and report to relevant authorities as required by law.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Support Portal: https://www.docuwall.com/support/
• Email: [email protected]

Response Time: We aim to respond to all privacy inquiries within 72 hours.

16. Jurisdiction and Governing Law

16.1 Governing Law

This Privacy Policy and our data processing practices are governed by the laws of the jurisdiction in which Docuwall operates, without regard to its conflict of law provisions.

16.2 International Users

By using Docuwall, users outside the EU consent to the transfer of their data to the EU for processing in accordance with this Privacy Policy and applicable data protection laws.

16.3 Compliance with Local Laws

Where local laws impose additional requirements or provide greater protections than this Privacy Policy, those local laws will apply. We commit to complying with applicable data protection laws in all jurisdictions where we operate.

16.4 Restricted Countries

We do not knowingly provide services to users in countries subject to international sanctions or where our services would violate local laws. Currently restricted: Iran, North Korea, Syria, Cuba, and Crimea region.