GDPR Compliance

Last Updated: November 17, 2024

1. Introduction

DeepDocs.io is committed to complying with the General Data Protection Regulation (GDPR) and protecting the privacy rights of individuals in the European Economic Area (EEA), United Kingdom, and Switzerland. This document outlines our GDPR compliance measures and your rights under GDPR.

2. Legal Basis for Processing

We process personal data under the following legal bases:

2.1 Contractual Necessity

Processing is necessary to provide the Service you have requested and to fulfill our contractual obligations to you, including:

  • Account creation and management
  • Document processing and AI analysis
  • Service delivery and support
  • Payment processing

2.2 Legitimate Interests

Processing is necessary for our legitimate interests, including:

  • Service improvement and optimization
  • Security and fraud prevention
  • Analytics and performance monitoring
  • Marketing to existing customers (with opt-out option)

2.3 Consent

Where required, we obtain your explicit consent for:

  • Marketing communications to prospects
  • Non-essential cookies and tracking
  • Optional data processing activities

2.4 Legal Obligations

Processing is necessary to comply with legal obligations, such as:

  • Tax and accounting requirements
  • Regulatory compliance
  • Legal proceedings

3. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

3.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and to access that data. You can request a copy of your personal data in a commonly used electronic format.

3.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data and to have incomplete data completed.

3.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data ("right to be forgotten") when:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Erasure is required to comply with a legal obligation

3.4 Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing when:

  • You contest the accuracy of the data
  • Processing is unlawful but you oppose erasure
  • We no longer need the data but you need it for legal claims
  • You have objected to processing pending verification of legitimate grounds

3.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.

3.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

3.7 Right Not to Be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.

3.8 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

3.9 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of alleged infringement.

4. How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at:

  • Email: gdpr@deepdocs.io or privacy@deepdocs.io
  • Subject line: "GDPR Rights Request"

Please include:

  • Your full name and email address associated with your account
  • The specific right(s) you wish to exercise
  • Any relevant details to help us process your request
  • Proof of identity (if required for security purposes)

We will respond to your request within one month. In complex cases, we may extend this period by two additional months and will inform you of the extension.

5. Data Protection Principles

We adhere to the following GDPR data protection principles:

5.1 Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and in a transparent manner. We clearly communicate our data processing activities through our Privacy Policy and this GDPR Compliance document.

5.2 Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes.

5.3 Data Minimization

We collect only personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

5.4 Accuracy

We take reasonable steps to ensure personal data is accurate and kept up to date. Inaccurate data is erased or rectified without delay.

5.5 Storage Limitation

We retain personal data only for as long as necessary for the purposes for which it was collected or as required by law.

5.6 Integrity and Confidentiality

We implement appropriate technical and organizational measures to ensure security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.

5.7 Accountability

We are responsible for and can demonstrate compliance with the GDPR principles.

6. Data Security Measures

We implement comprehensive security measures, including:

  • Encryption of data in transit (TLS/SSL) and at rest (AES-256)
  • Access controls and authentication mechanisms
  • Regular security audits and penetration testing
  • Employee training on data protection
  • Incident response and breach notification procedures
  • Secure data centers with physical security measures
  • Regular backups and disaster recovery plans
  • Pseudonymization and anonymization where appropriate

7. International Data Transfers

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission
  • Binding Corporate Rules (where applicable)
  • Additional security measures as required

You can request information about the specific safeguards we use for international transfers by contacting us at gdpr@deepdocs.io.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Provide information about the nature of the breach, likely consequences, and measures taken
  • Document all data breaches, including facts, effects, and remedial actions

9. Data Protection Impact Assessments (DPIA)

We conduct Data Protection Impact Assessments for processing activities that are likely to result in high risks to individuals' rights and freedoms, particularly when:

  • Using new technologies
  • Processing large-scale sensitive data
  • Systematically monitoring publicly accessible areas
  • Making automated decisions with legal or similarly significant effects

10. Third-Party Processors

We work with third-party service providers who process personal data on our behalf. We ensure that:

  • Processors are carefully selected and vetted
  • Data Processing Agreements (DPAs) are in place
  • Processors provide sufficient guarantees of GDPR compliance
  • Processors only process data according to our instructions
  • Appropriate security measures are implemented

A list of our sub-processors is available upon request.

11. Children's Data

We do not knowingly process personal data of children under 16 years of age (or the applicable age in your jurisdiction) without parental consent. If we become aware that we have collected data from a child without proper consent, we will delete it promptly.

12. Automated Decision-Making and Profiling

We use AI and automated systems to analyze documents and generate responses. However:

  • We do not make automated decisions that produce legal effects or similarly significantly affect you
  • AI analysis is used to assist you in understanding your documents, not to make decisions about you
  • You maintain control over how you use AI-generated information
  • We do not use profiling for marketing or other purposes without your consent

13. Data Retention Periods

We retain personal data according to the following schedule:

  • Account Data: Retained while your account is active and for 30 days after deletion
  • Document Content: Retained according to your subscription plan; deleted upon request or account closure
  • Usage Logs: Retained for 90 days
  • Financial Records: Retained for 7 years as required by law
  • Marketing Data: Retained until you withdraw consent or for 2 years of inactivity
  • Support Communications: Retained for 3 years

14. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our GDPR compliance. You can contact our DPO at:

  • Email: dpo@deepdocs.io
  • Subject line: "Attention: Data Protection Officer"

15. Supervisory Authority

If you are not satisfied with our response to your GDPR request or believe we are not processing your data in accordance with GDPR, you have the right to lodge a complaint with your local supervisory authority.

For a list of EU supervisory authorities, visit: https://edpb.europa.eu/about-edpb/board/members_en

16. Updates to This Document

We may update this GDPR Compliance document to reflect changes in our practices or legal requirements. We will notify you of material changes through the Service or by email.

17. Contact Information

For GDPR-related questions or to exercise your rights, contact us at:

  • Email: gdpr@deepdocs.io
  • Privacy Email: privacy@deepdocs.io
  • DPO Email: dpo@deepdocs.io

This document is provided in English. In case of discrepancies between languages in the application interface, the English version prevails.