Privacy Policy

1. Overview

This privacy policy explains how Documind ("we", "us", "our") collects, uses, and protects your data. It applies to both the website at documind.app and the Documind iOS app.

2. Data Controller

Uwe Holland Agnes-Gierck-Weg 10 22419 Hamburg Germany

Email: support[at]documind.app

3. Data Processing on the Website

3.1 Server Logs

When you visit our website, the hosting provider Vercel automatically collects the following data in server logs:

• IP address
• Date and time of access
• Requested URL
• HTTP method and status code
• User agent (browser and operating system)
• Referrer URL

This data is technically necessary for the secure and stable operation of the website. It is not combined with other data sources. Server logs are automatically deleted after 3 days. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure operation of the website).

4. Data Processing in the App

4.1 Device ID (UUID)

Using the app does not require registration or a user account. Neither name nor email address are collected. For technical request attribution, a randomly generated device ID (UUID) is used. This UUID constitutes pseudonymized data within the meaning of the GDPR. It is automatically deleted one year after the last use of the app. Legal basis: Art. 6(1)(b) GDPR (performance of contract).

4.2 Document Analysis

AI-powered document analysis is the core function of the app. When scanning a document, the page images are transmitted to Azure OpenAI for analysis (see Section 5, Microsoft Ireland Operations Ltd.). The images are used solely for analysis and are not permanently stored on our servers or by the sub-processor. Legal basis: Art. 6(1)(b) GDPR (performance of contract).

4.3 Anonymous Usage Statistics

During document analysis, only the detected document type (e.g. "invoice", "contract") is stored in anonymous form — without any association to a device ID, timestamp, or other attributes that could allow identification of individual users. This purely statistical data does not constitute personal data within the meaning of the GDPR and is used solely for the further development of the app.

4.4 Local Data Processing

All documents, analysis results, and reminders are stored exclusively on the user's device. Reminders are managed by the local operating system – no push tokens or notification data are transmitted to our servers.

5. Sub-processors (Art. 28 GDPR)

We use the following sub-processors:

• Brevo (Sendinblue GmbH) (registered in Paris, France; server location: EU/France) – newsletter delivery. When you subscribe to our newsletter, your email address is stored with Brevo. Brevo processes data in accordance with GDPR. You can unsubscribe at any time.
• Microsoft Ireland Operations Ltd. (registered in Ireland; server location: Frankfurt am Main, Azure Germany West Central) – AI-powered document analysis via Azure OpenAI. Document images are transmitted solely for the purpose of analysis and are not permanently stored.
• Neon Inc. (registered in USA; server location: Frankfurt am Main, AWS eu-central-1) – database operations (NeonDB). No personal data is stored, only anonymous document type statistics. Data processing based on EU Standard Contractual Clauses (SCC) and Data Processing Addendum (DPA).
• Vercel Inc. (registered in USA; server location: Frankfurt am Main, eu-central-1) – hosting of website and API backend. Data processing based on EU Standard Contractual Clauses (SCC) and Data Processing Addendum (DPA). Server logs may contain IP addresses and are automatically deleted after 3 days.

6. Data Transfers to Third Countries

The sub-processors Vercel Inc. and Neon Inc. are based in the USA. Data processing takes place on servers in Frankfurt am Main (EU). To the extent that access from the USA may occur in the context of support or maintenance, this is carried out on the basis of EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) as well as supplementary technical and organizational measures.

7. Newsletter

When you subscribe to our newsletter, your email address is stored with Brevo (Sendinblue GmbH). You may withdraw your consent at any time by using the unsubscribe link in each email or by contacting us at gdpr[at]documind.app. Legal basis: Art. 6(1)(a) GDPR (consent). The right to withdraw consent exists at any time pursuant to Art. 7(3) GDPR, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.

8. Your Rights (GDPR)

You have the right to:

• Access your personal data (Art. 15 GDPR)
• Rectification of inaccurate data (Art. 16 GDPR)
• Erasure of your data (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Object to processing (Art. 21 GDPR)

9. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data (Art. 77 GDPR). The competent supervisory authority is:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit Ludwig-Erhard-Str. 22, 7. OG 20459 Hamburg https://datenschutz-hamburg.de

10. Contact

For privacy-related inquiries, please contact:

Email: gdpr[at]documind.app