Docuvamp Privacy Policy
Effective Date: 26 February 2026
Docuvamp Ltd ("we", "us", "our") is a company registered in England and Wales with company number 16963683 and registered office at 71-75 Shelton Street, London, WC2H 9JQ, United Kingdom.
This Privacy Policy explains how we collect, use, disclose, retain, and protect personal data in connection with the Docuvamp platform and services ("Services") — an enterprise SaaS solution provided exclusively to UK-based business customers for creating, sharing, managing, and tracking interactive digital documents, catalogs, or publications.
We comply fully with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and related UK laws. As a B2B enterprise-only service, we process personal data solely in a professional/business context (e.g., details of authorised company representatives, administrators, billing contacts, support users). We do not collect, process, or allow consumer/individual non-business use of the Services. No personal data from children or minors is knowingly collected or processed.
We act as data controller for personal data about your representatives (e.g., account setup, usage, billing, support data) and as data processor for any personal data you (the Customer, as controller) include in uploaded Customer Content (e.g., names/emails in documents). Processor activities are governed by our Data Processing Addendum (DPA) incorporated into our Terms of Service.
By using the Services, your organisation acknowledges and accepts this Policy on behalf of itself and its representatives.
1. Personal Data We Collect
We collect only the minimum personal data necessary for enterprise service provision:
Provided directly by your representatives:
- Account and identification: full name, job title/role, business email address, telephone number (optional), company name and details.
- Billing and financial: company billing address, contact details for invoicing; payment method references (full sensitive card details are never stored by us—handled exclusively by processors).
- Support and communications: details submitted in tickets, emails, live chat, or forms (e.g., issue descriptions, preferences).
Automatically collected/technical data:
- Device and network: IP address (used for country-level geolocation only), browser type/version, operating system, device identifiers, approximate location (country/region for security/fraud prevention).
- Usage and interaction: login/logout times, pages/features accessed, session duration, clicks/interactions within the platform, error logs.
- Metadata: limited technical details from uploaded files (e.g., file creation/modification dates, file types) where required for functionality.
From Customer Content (as processor):
- Any personal data embedded by you in uploaded documents/publications (e.g., contact names, emails, images of individuals). You remain the data controller; we process strictly per your instructions and our DPA.
We do not collect special category/sensitive personal data (e.g., health, ethnicity, political opinions) unless you incidentally include it in Content—in which case you are solely responsible for lawful basis and compliance.
2. How We Collect Personal Data
- Directly: during account onboarding/invitation, subscription setup, Order Forms, support requests, or voluntary communications.
- Automatically: through server logs, cookies/similar technologies, and analytics tools during platform use.
- Indirectly: from authorised third-party integrations you enable or from payment processors confirming transactions.
3. Purposes of Processing and Lawful Bases (UK GDPR Article 6)
| Purpose | Examples of Data Categories | Lawful Basis | Notes / Balancing (where Legitimate Interests) |
|---|---|---|---|
| Provide, operate, and support the Services (account creation, access control, feature delivery, technical support) | Account/contact, usage/technical, support interactions | Contractual necessity – Art. 6(1)(b) | Necessary to perform our subscription agreement with your organisation. |
| Manage subscriptions, invoicing, payments, and renewals | Billing/contact | Contractual necessity – Art. 6(1)(b) | Essential for billing and service continuity. |
| Ensure platform security, detect/prevent fraud/abuse, debug issues | Usage/technical, IP, logs | Legitimate interests – Art. 6(1)(f) | Our legitimate interest in a secure/reliable service; minimal intrusion, no profiling, opt-out not applicable as core to service. |
| Improve Services (aggregate analytics, performance monitoring) | Usage/technical (anonymised/aggregated where possible) | Legitimate interests – Art. 6(1)(f) | Balanced against rights; helps enterprise users via better features. |
| Send essential business communications (service updates, security alerts, contract notices) | Contact | Legitimate interests – Art. 6(1)(f) | Necessary for relationship management; easy opt-out for non-essential. |
| Send limited marketing about related enterprise features/upgrades (B2B only) | Contact | Legitimate interests – Art. 6(1)(f) | Targeted at business contacts; clear opt-out in every email/footer. |
| Comply with legal/regulatory obligations (tax records, audits, disputes) | All relevant | Legal obligation – Art. 6(1)(c) | Required by UK law. |
| Process Customer Content as instructed (processor role) | Content-embedded personal data | Processor contract with you (controller) | Governed by DPA; no independent use. |
We do not carry out automated decision-making (including profiling) that produces legal or similarly significant effects.
4. Sharing Personal Data
Personal data is shared only on a need-to-know basis:
- Processors/sub-processors: Cloud hosting (e.g., AWS), analytics (aggregate via Google Analytics/Microsoft Clarity), payment processing (e.g., Stripe), transactional email (e.g., Mailgun), support/CRM tools—all under strict UK GDPR Article 28 contracts.
- Professional advisors: Lawyers, accountants, insurers for compliance/advice.
- Business transfers: In merger, acquisition, or asset sale—with continued protection and notice where feasible.
- Legal requirements: To comply with court orders, regulatory demands, or protect rights/safety.
We do not sell, rent, or trade personal data.
5. International Transfers of Personal Data
Some processors are located outside the UK (primarily US/EU). We ensure adequate protection via:
- UK International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses.
- Transfer Risk Assessments (TRA) conducted in line with ICO guidance.
- Supplementary measures where needed (e.g., encryption, pseudonymisation).
Full details of transfers/safeguards are available on request to privacy@docuvamp.com.
6. Data Retention Periods
We retain personal data only as long as required:
- Active account data (representatives): Duration of your organisation’s subscription + up to 6 years post-termination (for tax, accounting, potential disputes).
- Usage/technical logs: Up to 12 months (longer if linked to security incident).
- Customer Content: Retained during active subscription; deleted within 30 days of termination (unless legally required to retain).
- Aggregate/anonymised analytics: Indefinitely for business insights (non-identifiable).
Deletion requests are honoured subject to legal exceptions.
7. Security Measures
We maintain appropriate technical and organisational measures, including:
- Encryption of data in transit (TLS) and at rest.
- Access controls, regular security testing/audits.
- Monitoring for threats, incident response plans.
Measures are proportionate to risks and aligned with industry standards.
8. Your Rights under UK GDPR
Individuals (e.g., your representatives) have rights including:
- Access to personal data held about them.
- Rectification of inaccurate/incomplete data.
- Erasure (subject to exceptions, e.g., contractual necessity or legal retention).
- Restriction of processing.
- Objection to processing based on legitimate interests (including marketing—opt-out via link or contact).
- Data portability (in structured format).
To exercise rights, email privacy@docuvamp.com. We may verify identity (e.g., via company admin) and respond within one month (extendable for complexity). No fee is usually charged.
If unsatisfied, complain to the UK Information Commissioner’s Office (ico.org.uk/make-a-complaint).
9. Cookies and Similar Technologies
Essential cookies enable core functionality (authentication, security). Non-essential analytics cookies improve the platform (managed via our cookie banner/consent tool or browser settings).
10. Children's Privacy
The Services are not directed to children under 16 and are not intended for use by or collection of data from minors. We do not knowingly process children's personal data.
11. Changes to This Privacy Policy
We may update this Policy from time to time. The effective date will be updated. Material changes will be notified via email to your account contact and/or prominent notice on the Platform. Continued use after changes constitutes acceptance.
12. Contact Us
For privacy questions, rights requests, DPA copies, or complaints:
- Email: privacy@docuvamp.com (including for DPO matters)
- Postal: Docuvamp Ltd, 71-75 Shelton Street, London, WC2H 9JQ, United Kingdom
