DocuProof Privacy Policy

Effective Date: March 11, 2026

This Privacy Policy describes how DocuProof Inc. ("DocuProof," "we," "us," or "our") collects, uses, shares, and protects your personal information when you access or use our website, platform, and related services (collectively, the "Service"). The Service provides immutable document storage, cryptographic proof of integrity, and features like multi-signature workflows and secure sharing. By using the Service, you consent to the practices described here. If you do not agree, do not use the Service.

We comply with applicable privacy laws, including GDPR and CCPA where relevant. This policy applies to users, visitors, and those interacting with the Service but not to third-party sites or services linked from ours.

1. Information We Collect

We collect information from you directly, automatically, and from third parties.

• Personal Information You Provide:

  • Account registration: Name, email, phone number, company details, ID verification documents (e.g., government ID for certain roles).

  • Onboarding: SMS OTP, invite links, private keys issued by admins.

  • Usage: Documents uploaded (we do not read or interpret contents; only process hashes and metadata), signatures (PKI/asymmetric cryptography), comments, transaction details in workflows (e.g., multi-signature participants, inter-account sharing).

  • Billing: Payment information (processed via Stripe, including card details).

  • Communications: Inquiries, support requests, feedback.

• Automatically Collected Information:

  • Device and usage data: IP address, browser type, OS, device ID, access times, pages viewed, search queries.

  • Logs: Audit trails (append-only, including actions like uploads, views, signatures, tied to verified identities).

  • Cookies and tracking: For session management, analytics (e.g., Google Analytics), preferences; we use cookies, web beacons for performance and marketing.

• From Third Parties:

  • Identity verification providers (e.g., for ID checks).

  • Payment processors (Stripe).

  • External anchoring services (TSA or blockchain, if enabled).

  • Other users in workflows (e.g., shared document recipients).

Note on Documents: We store documents immutably using SHA-256 hashing and WORM storage. We collect metadata (e.g., upload time, hash, actor ID) but do not access or alter contents. Audit trails record all actions cryptographically.

2. How We Use Your Information

We use your information to:

• Provide and maintain the Service: Process uploads, enforce immutability, generate evidence bundles, facilitate signatures and sharing, verify integrity.

• Manage accounts: Onboarding, seat management, RBAC enforcement.

• Billing and payments: Process subscriptions via Stripe.

• Security and compliance: Detect fraud, enforce terms, log audits, comply with laws.

• Improve the Service: Analyze usage, customize experiences, develop features.

• Communications: Send notifications (e.g., workflow updates, webhooks), marketing (opt-out available), support responses.

• Legal purposes: Respond to requests, protect rights, investigate issues.

We may use aggregated, anonymized data for any purpose.

3. Sharing Your Information

We share information as follows:

• With Your Consent or Direction: In workflows (e.g., multi-signature with selected signers, inter-account transfers); via public verification portals (hash/timestamp/audit summary, no login required).

• Service Providers: Vendors for hosting, analytics, payment processing (Stripe), identity verification, external anchoring; they are bound by confidentiality.

• Affiliates and Business Transfers: To subsidiaries or in mergers/acquisitions.

• Legal Requirements: To comply with laws, subpoenas, audits; prevent harm or fraud.

• Other Users: Scoped access in private data collections (e.g., shared documents visible only to participants via Hyperledger Fabric).

• Aggregated Data: Shared without restriction.

We do not sell personal information. Documents and audits are shared only as needed for the Service, with access controlled by RBAC. Due to immutability, shared data persists.

4. Data Security

We implement measures to protect your information:

• Encryption at rest (storage/DB) and in transit (TLS).

• KMS-managed keys; envelope encryption.

• Tenant isolation: Data scoped by tenant_id.

• Strict IAM: No delete/overwrite permissions.

• Logging and monitoring: Separate security logs; alerts on suspicious activity.

However, no system is fully secure. You are responsible for securing your credentials. We are not liable for unauthorized access beyond our control.