Privacy Policy

Last updated: June 2026 · Effective: June 2026

Who we are

DocGovernance ("we," "us," or "our") provides tamper-evident document evidence infrastructure for legal, compliance, and regulated teams. Contact us at [email protected].

What data we collect

Account data: Email address, password hash, organization name, plan tier.
Document data: PDF files you upload, SHA-256 hashes, extracted text (for interrogation), metadata you provide.
Event ledger data: Cryptographic records of actions taken on documents (uploads, approvals, exports). This data is immutable by design.
Usage data: API request logs, feature usage, error logs. Retained for 90 days.
Communication data: Support emails and messages you send us.

How we use your data

To provide and operate the DocGovernance service.
To generate cryptographic custody records and verification bundles as requested by you.
To send transactional emails (account confirmation, password reset, export notifications).
To improve the service (aggregated, anonymized analytics only).
To comply with legal obligations.

What we do not do

We do not sell your data to third parties.
We do not use your document content to train AI models.
We do not share your documents with other tenants or organizations.
We do not access your documents except to provide the service or when required by law.

Data retention

Account data is retained while your account is active and for 30 days after deletion. Document data and event ledger records are retained per your configured retention policy (Business/Enterprise) or for 12 months (Team). Cryptographic event records are immutable by design — deletion produces a deletion receipt in the ledger rather than physically removing the record.

Tenant isolation

Your data is isolated at the database level using tenant identifiers. No other organization can access your documents, lineages, approval records, or event ledger.

Subprocessors

We use a limited number of subprocessors for cloud infrastructure, transactional email, and analytics. A current subprocessor list is available to Business and Enterprise customers on request: [email protected].

Your rights (GDPR)

If you are in the EEA or UK, you have rights to access, correct, port, restrict, and delete your personal data. Contact [email protected] to exercise these rights. Note that cryptographic event ledger records may be subject to retention requirements for the integrity of other users' bundles.

Data Processing Addendum

A GDPR Article 28-compliant DPA is available for Business and Enterprise customers. Request the DPA →

Contact

Privacy questions: [email protected]
General: [email protected]