Privacy policy
Last updated 2026-03-30 — Documenzo is the data controller for the service.
This Privacy Policy explains how Documenzo (“we”, “us”, “our”) processes personal data when you use Documenzo (the “Service”: our websites, web application, APIs, and related features).
We aim to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the applicable laws of the Republic of Cyprus where we operate, and, where relevant, the UK GDPR and the Data Protection Act 2018. This document is information for you, not legal advice to your business. You should have qualified counsel review it for your situation.
1. Who is the data controller?
The controller responsible for personal data processed in connection with the Service is Documenzo.
Full legal identity and registered office details are available on request using the contact below.
Privacy & data protection contact: support@documenzo.com. Use this address for access or erasure requests, questions about this policy, and (where applicable) complaints you wish to raise with us before contacting a supervisory authority.
2. Scope: who this policy covers
- Visitors and prospects: people who browse our public website or contact us before registering.
- Registered users: people who create an account and use the Service.
- Business users entering client data: if you use the Service for your own business, you may upload personal data about your customers, suppliers, or employees. Sections 3 and 12 describe how we treat that data and your responsibilities.
If you interact with us only as an employee or contact of our customer, you should read Section 12 and may also request information directly from our customer (they often decide why your data is processed).
3. Categories of personal data we process
- Account & profile: name, email address, username, password hash, company name, business address, phone, language preference, tax identifiers and registration numbers you choose to store, optional profile or branding fields.
- Authentication & security: session identifiers, “remember me” tokens where enabled, security and rate-limit logs tied to IP address and timestamp, device/browser information in server logs, optional two-factor data if you enable it.
- Billing & subscriptions (paid plans): subscription status, plan identifiers, usage tied to your account. Payment card data are processed by our payment provider (typically Stripe); we do not store full card numbers on our servers.
- Documents you create: quotations, invoices, receipts, line items, PDFs, notes, attachments, and related metadata may contain personal data about third parties (e.g. your clients).
- Communications: messages you send via our contact forms, support channels, or email; in-app help chat messages you type (do not paste passwords, card numbers, or special-category data there).
- Third-party sign-in (optional): if you use “Sign in with Google”, Google Ireland Limited / Google LLC process certain identity data under their own policies; we receive profile identifiers and email as permitted by Google.
- Technical & usage data: IP address, HTTP headers, URLs accessed, error and audit logs, aggregated usage information for reliability and abuse prevention.
- Marketing (where applicable): if we send optional marketing communications, we process contact details and engagement data based on consent or applicable soft opt-in rules.
We do not intentionally collect special categories of data (e.g. health, religion) via the Service. Please do not upload such information unless strictly necessary and lawful.
4. Purposes and legal bases (GDPR Article 6)
Depending on the activity, we rely on one or more of the following:
- Performance of a contract (Art. 6(1)(b)): registering your account, providing the Service, processing your instructions, billing paid subscriptions.
- Legitimate interests (Art. 6(1)(f)): securing the Service, preventing fraud and abuse, improving features, debugging, enforcing our terms, limited internal reporting in non-identifying form. Where required, we balance these interests against your rights.
- Legal obligation (Art. 6(1)(c)): retaining records where tax, accounting, or court orders require it.
- Consent (Art. 6(1)(a)): where we use optional non-essential cookies or send certain marketing messages—you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
5. Cookies and similar technologies
We use cookies and similar storage on our domains, including:
- Strictly necessary: session cookies for login and CSRF protection; optional “remember me” cookie if you select it.
- Preferences: theme (light/dark) and language may be stored in cookies or local storage to remember your choices.
- Our public marketing site: typically only essential cookies unless we add analytics—see any updated cookie list in this policy if we change that.
You can control cookies through your browser settings. Blocking strictly necessary cookies may prevent sign-in or degrade the Service.
6. Recipients, processors, and international transfers
We use trusted service providers who process data on our instructions (“processors”), for example:
- Infrastructure & hosting where the Service and database are operated.
- Payment processing: Stripe Technology Europe Ltd / Stripe, Inc. and related entities.
- Email delivery: transactional and support email through our SMTP provider.
- Authentication: Google (if you use Google sign-in).
Some providers may process data in countries outside the European Economic Area (EEA). Where required, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or rely on adequacy decisions or derogations under GDPR Chapter V.
We do not sell your personal data and do not share it for third-party behavioural advertising as a default practice.
7. Automated decision-making and profiling
We do not use automated decision-making that produces legal or similarly significant effects about you under Article 22 GDPR. We may use automated systems for fraud prevention, rate limiting, and product telemetry in non-discriminatory ways.
8. Data retention
- Active account: we retain your data for as long as your account exists and you use the Service.
- After deletion: if you delete your account through the in-app account deletion flow, we erase application data tied to your tenant in normal operation within our technical means. Residual copies (e.g. encrypted backups, server or provider logs) may persist for a limited period according to our backup rotation and provider practices, then are overwritten or expired.
- Legal holds: where law requires retention (e.g. tax, invoicing records), we may keep certain records notwithstanding erasure requests, strictly to the extent required.
9. Security
We apply technical and organisational measures appropriate to the risk, such as TLS in transit, access controls and authentication, separation of customer data by account, logging, and encryption of selected sensitive fields where configured. No method of storage or transmission is 100% secure; please use a strong, unique password and enable additional security options we offer.
10. Your rights (EEA, UK, and similar laws)
Subject to applicable law, you may have the right to:
- Access your personal data and obtain a copy (Art. 15);
- Rectify inaccurate data (Art. 16);
- Erase data (“right to be forgotten”) in certain cases (Art. 17);
- Restrict processing in certain cases (Art. 18);
- Data portability for data you provided, where processing is automated and based on contract or consent (Art. 20);
- Object to processing based on legitimate interests (Art. 21);
- Withdraw consent at any time, where we relied on consent;
- Lodge a complaint with a supervisory authority—in Cyprus: the Commissioner for Personal Data Protection (dataprotection.gov.cy); in other countries, the authority where you live or work.
To exercise rights, contact support@documenzo.com. We may need to verify your identity. Account deletion: authenticated users can permanently delete their organisation data and account from the Service’s account / security settings (danger zone), after password confirmation. For portability, you may use available export features (e.g. CSV / data exports in the application) where offered, or request assistance by email.
11. Data Protection Officer (DPO)
We are not legally required to appoint a Data Protection Officer for all cases under the GDPR, but we designate the contact above for all privacy matters. If we appoint a DPO in the future, we will publish their details here.
12. If you upload other people’s personal data (business users)
When you store information about your customers or contacts in the Service, GDPR may treat you as a controller (or joint controller) of that data. You must have a lawful basis under GDPR (e.g. contract, consent, legitimate interests) and provide your own privacy notices to those individuals where required.
We process such data only as a processor on your behalf, to provide the Service you requested, unless we are required by law to process it independently. You instruct us through your use of the product features. If you need a formal Data Processing Agreement (DPA), request one at the privacy contact email.
13. Children
The Service is not directed at children under 16 (or the digital consent age in your country). We do not knowingly collect children’s personal data. If you believe we have, please contact us and we will delete it.
14. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top will change. If changes are material, we will provide notice through the Service or by email where appropriate. Continued use after notice may constitute acceptance where permitted by law.
15. Related documents
Our Terms of Service govern use of the Service and form part of our agreement with you.