Privacy Policy


Privacy Policy

Last Updated: January 8, 2026

Docmet, Inc. ("Docmet," "we," "us," or "our") operates the Docmet platform, accessible at docmet.app (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the Service.

We reserve the right to make changes to this Privacy Policy at any time and for any reason. We will alert you about any changes by updating the "Last Updated" date of this Privacy Policy. Any changes or modifications will be effective immediately upon posting the updated Privacy Policy, and you waive the right to receive specific notice of each such change or modification.

You are encouraged to periodically review this Privacy Policy to stay informed of updates. You will be deemed to have been made aware of, will be subject to, and will be deemed to have accepted the changes in any revised Privacy Policy by your continued use of the Service after the date such revised Privacy Policy is posted.



1. Information We Collect

We collect information that you provide directly to us, information we obtain automatically when you use our Service, and information from third-party sources.

1.1 Information You Provide to Us

Account Registration Information

  • Full name
  • Email address
  • Company name
  • Job title
  • Phone number (optional)
  • Password (encrypted and never stored in plain text)

Billing Information

  • Payment information is processed by Stripe, our payment processor
  • We do not directly collect or store credit card numbers
  • We receive confirmation of successful payments and billing email addresses

Profile Information

  • Profile photo (optional)
  • Bio or description (optional)
  • Department or team affiliation
  • User preferences and settings

Content Data

  • Documents, pages, and files you upload
  • Comments and annotations you create
  • Search queries you submit
  • Feedback and correspondence with support
  • Any other content you create, store, or share through the Service

Communication Data

  • Support tickets and help requests
  • Emails you send to us
  • Survey responses
  • Webinar registrations and attendance

1.2 Information We Collect Automatically

Usage Information

  • Features you use and how you use them
  • Pages and documents you view
  • Search queries and results
  • Time spent on pages
  • Click patterns and navigation paths
  • Agent interactions and conversations

Device Information

  • IP address
  • Browser type and version
  • Operating system
  • Device type (desktop, mobile, tablet)
  • Screen resolution
  • Timezone and language settings
  • User agent string

Technical Information

  • Session duration
  • Access times and dates
  • Referring URLs
  • Exit pages
  • Performance metrics (page load times, API response times)
  • Error logs and debugging information

Cookies and Tracking Technologies

  • Session cookies (essential for functionality)
  • Preference cookies (remember your settings)
  • Analytics cookies (understand usage patterns)
  • See Section 9 for detailed Cookie Policy

1.3 Information from Third-Party Sources

Single Sign-On (SSO) Providers
If you use SSO to access the Service (e.g., Okta, Azure AD, Google), we receive:

  • Name
  • Email address
  • Profile photo
  • Organization identifier
  • Group memberships

Third-Party Integrations
If you connect third-party services (Slack, Google Drive, Salesforce):

  • Basic profile information from those services
  • Permissions you grant for data access
  • Integration usage data

AI Model Providers
When using AI features powered by OpenAI, Anthropic, or other LLM providers:

  • We send your queries to these providers
  • We have Data Processing Agreements prohibiting use of your data for model training
  • See Section 4 for details on AI data processing



2. How We Use Your Information

We use the information we collect to provide, maintain, and improve our Service, and to protect the security of our Service and users.

2.1 Service Delivery

  • Provide Core Functionality: Process your documents, enable search, power AI agents
  • Personalization: Customize your experience based on preferences and usage
  • Authentication: Verify your identity and maintain secure sessions
  • Data Storage: Store your content securely and make it accessible when needed
  • Collaboration: Enable sharing and collaboration features with team members

2.2 Service Improvement

  • Analytics: Understand how users interact with the Service to identify improvements
  • Feature Development: Determine which features are valuable and should be prioritized
  • Performance Optimization: Monitor system performance and optimize speed/reliability
  • Bug Identification: Detect and fix technical issues
  • A/B Testing: Test new features and improvements with subsets of users

2.3 Communication

  • Service Notifications: Account updates, security alerts, system maintenance notices
  • Support: Respond to your support requests and troubleshoot issues
  • Product Updates: Inform you about new features and product improvements (opt-out available)
  • Marketing: Send promotional materials about our services (opt-out available)
  • Surveys: Request feedback about your experience (optional participation)

2.4 Security and Legal Compliance

  • Fraud Prevention: Detect and prevent fraudulent activity and abuse
  • Security Monitoring: Identify security threats and vulnerabilities
  • Compliance: Meet legal obligations and enforce our Terms of Service
  • Audit: Maintain audit logs for compliance and security purposes
  • Legal Requests: Respond to lawful requests from authorities

2.5 AI and Machine Learning

Important Clarification: We use AI to power the Service, but we do not use your data to train AI models.

How AI Processes Your Data:

  • Your queries are sent to LLM providers (OpenAI, Anthropic) in real-time
  • Providers process your data to generate responses
  • Providers do not retain your data or use it for training (per our DPAs)
  • We store query/response pairs in your account for your reference only

Internal Machine Learning:

  • We may use aggregated, anonymized data to improve our own ML models (e.g., entity recognition)
  • This never includes personally identifiable information or actual content
  • You can opt-out by contacting [email protected]



3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), UK, or Switzerland, our legal basis for collecting and using your information depends on the data and context:

3.1 Contractual Necessity

We process your data to fulfill our contract with you (Terms of Service):

  • Provide the Service you signed up for
  • Process payments
  • Provide customer support
  • Deliver core functionality

3.2 Legitimate Interests

We process data based on our legitimate business interests:

  • Improve and develop the Service
  • Ensure security and prevent fraud
  • Understand user behavior through analytics
  • Send service-related communications

We only rely on legitimate interests when they are not overridden by your data protection rights.

3.3 Consent

For certain processing activities, we ask for your explicit consent:

  • Marketing communications
  • Non-essential cookies
  • Optional data collection

You can withdraw consent at any time through your account settings or by contacting us.

3.4 Legal Obligation

We process data to comply with legal requirements:

  • Tax and accounting regulations
  • Response to legal requests
  • Regulatory compliance



4. How We Share Your Information

We do not sell your personal information. We share your information only in limited circumstances:

4.1 Within Your Organization

  • Content you create is shared with team members according to permissions you set
  • Workspace administrators can access usage data for their workspace
  • Organization owners can manage user accounts and access

4.2 Service Providers

We share data with third-party service providers who help us operate the Service:

Infrastructure Providers:

  • Microsoft Azure: Cloud hosting and infrastructure
  • Amazon Web Services (AWS): Additional infrastructure services

AI Model Providers:

  • OpenAI: GPT-4 and GPT-5 model access
  • Anthropic: Claude model access
  • Mistral AI: Open-source model hosting

Important: All AI providers have Data Processing Agreements (DPAs) that:

  • Prohibit using your data to train models
  • Require data deletion after processing
  • Ensure data security and confidentiality

Other Service Providers:

  • Stripe: Payment processing (receives billing information only)
  • SendGrid: Transactional email delivery
  • Zendesk: Customer support ticketing
  • Google Analytics: Usage analytics (anonymized)
  • Sentry: Error tracking and monitoring

All service providers are contractually required to:

  • Use data only for providing their service
  • Maintain appropriate security measures
  • Delete or return data upon contract termination
  • Comply with applicable data protection laws

Subprocessor List: View our complete list of subprocessors at docmet.app/subprocessors

4.3 Business Transfers

If Docmet is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred. We will provide notice before your information becomes subject to a different privacy policy.

4.4 Legal Requirements

We may disclose your information if required to do so by law or in response to:

  • Court orders or subpoenas
  • Legal processes
  • Government or regulatory requests
  • Protection of rights, property, or safety

We will notify you of such requests unless legally prohibited or in emergency situations.

4.5 With Your Consent

We may share your information for other purposes with your explicit consent.



5. International Data Transfers

Docmet is based in the United States. If you access the Service from outside the U.S., your information will be transferred to, stored, and processed in the United States.

5.1 EU-U.S. Data Transfers

For users in the EEA, UK, or Switzerland, we ensure adequate protection through:

Standard Contractual Clauses (SCCs):
We use European Commission-approved SCCs with all processors handling EU data.

Data Residency Options:
EU customers can choose EU-West Azure region for data storage, ensuring data remains within the EU.

Supplementary Measures:
We implement additional technical and organizational measures beyond SCCs:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Audit logging
  • Security certifications (SOC2, ISO 27001)

5.2 Transfer Impact Assessment

We conduct Transfer Impact Assessments to ensure:

  • U.S. government access to EU data is limited
  • Appropriate safeguards are in place
  • Your rights under GDPR are protected



6. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy.

6.1 Active Account Data

  • Content Data: Retained while you maintain an active account
  • Account Information: Retained while your account is active
  • Usage Data: Retained for 2 years for analytics and service improvement

6.2 Deleted Data

Soft Deletion (Recovery Period):

  • Deleted content: 30-day recovery period
  • Deleted accounts: 30-day grace period

Hard Deletion (Permanent):

  • After recovery period: Permanent deletion from production systems
  • Backup removal: Data removed from backups within 90 days
  • Archive removal: Data removed from cold storage within 1 year

6.3 Audit Logs

  • Retained for 7 years by default (configurable for Business+ customers)
  • Required for compliance, security, and legal purposes
  • Anonymized after active retention period if no legal hold

6.4 Legal Hold

If we receive a legal hold notice or have reason to believe data may be relevant to litigation, we will preserve that data until the hold is lifted.

6.5 Account Closure

Upon account termination:

  • Access to Service is immediately revoked
  • Data enters 30-day soft deletion period
  • After 30 days: Data permanently deleted (except as noted in Section 6.3)

You can request immediate permanent deletion by contacting [email protected]



7. Your Data Protection Rights

Depending on your location, you may have certain rights regarding your personal information.

7.1 Rights Under GDPR (EEA, UK, Switzerland)

Right to Access:
Request a copy of your personal information we hold.

Right to Rectification:
Request correction of inaccurate or incomplete information.

Right to Erasure ("Right to be Forgotten"):
Request deletion of your personal information.

Right to Restrict Processing:
Request that we limit how we use your information.

Right to Data Portability:
Receive your data in a structured, machine-readable format.

Right to Object:
Object to processing based on legitimate interests or for direct marketing.

Right to Withdraw Consent:
Withdraw consent for processing that requires it.

Right to Lodge a Complaint:
File a complaint with your local data protection authority.

Automated Decision-Making:
We do not make solely automated decisions with legal or significant effects.

7.2 Rights Under CCPA/CPRA (California)

Right to Know:
Request information about data we collect, use, and disclose.

Right to Delete:
Request deletion of your personal information.

Right to Opt-Out of Sale:
We don't sell personal information, so this right is automatically satisfied.

Right to Non-Discrimination:
We won't discriminate against you for exercising your rights.

Right to Correct:
Request correction of inaccurate information.

Right to Limit Use of Sensitive Personal Information:
Request limits on use of sensitive information (we don't process sensitive data beyond necessary service provision).

7.3 How to Exercise Your Rights

Through Your Account:

  • Access and update profile information in Account Settings
  • Delete content through the interface
  • Export data via Data Export tool

Email Request:
Send requests to [email protected] with:

  • Subject line: "Data Rights Request"
  • Your full name and email address
  • Description of your request
  • Verification information

Verification Process:
We must verify your identity before fulfilling requests. We may ask for:

  • Email confirmation
  • Account credentials
  • Additional identifying information

Response Timeline:

  • We respond within 30 days for most requests
  • Complex requests may take up to 60 days with notice
  • We'll inform you if we cannot fulfill your request and explain why

No Fees:
We do not charge fees for reasonable requests. Excessive, repetitive, or unfounded requests may incur a fee.



8. Data Security

We implement appropriate technical and organizational measures to protect your information from unauthorized access, use, disclosure, alteration, and destruction.

8.1 Technical Measures

Encryption:

  • At Rest: AES-256 encryption for all stored data
  • In Transit: TLS 1.3 for all data transmission
  • Key Management: Separate encryption keys per tenant with regular rotation

Access Controls:

  • Multi-factor authentication (MFA) support
  • Role-based access control (RBAC)
  • Principle of least privilege
  • Regular access reviews

Network Security:

  • Firewalls and network segmentation
  • DDoS protection
  • Intrusion detection and prevention systems
  • VPC isolation for Business+ customers

Application Security:

  • Regular security assessments and penetration testing
  • Vulnerability scanning
  • Secure development lifecycle
  • Code reviews and static analysis

Monitoring:

  • 24/7 security monitoring
  • Anomaly detection
  • Incident response procedures
  • Security information and event management (SIEM)

8.2 Organizational Measures

Security Training:

  • All employees receive security awareness training
  • Developers receive secure coding training
  • Incident response drills

Access Management:

  • Background checks for employees with data access
  • Access is provisioned based on role
  • Access is revoked immediately upon termination

Vendor Management:

  • Security assessments of all vendors
  • Data Processing Agreements with all processors
  • Regular vendor security reviews

Incident Response:

  • Documented incident response plan
  • Defined escalation procedures
  • Post-incident reviews and improvements

8.3 Limitations

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

If you become aware of a security vulnerability, please report it to [email protected]



9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience and collect information about usage.

9.1 What Are Cookies?

Cookies are small text files stored on your device that help websites remember information about your visit.

9.2 Types of Cookies We Use

Essential Cookies (Required)
Necessary for the Service to function. Cannot be disabled.

  • Session Cookies: Maintain your login session
  • CSRF Tokens: Protect against cross-site request forgery
  • Load Balancing: Distribute traffic across servers

Functionality Cookies (Optional)
Remember your preferences and choices.

  • Language Preference: Remember your language selection
  • UI Preferences: Remember sidebar state, theme, layout
  • Recently Viewed: Track your navigation history

Analytics Cookies (Optional)
Help us understand how you use the Service.

  • Google Analytics: Usage patterns, page views, session duration
  • Mixpanel: Feature usage, conversion funnels
  • Heap: User behavior tracking

Performance Cookies (Optional)
Monitor performance and identify issues.

  • Error Tracking: Sentry for error monitoring
  • Performance Monitoring: Page load times, API response times

9.3 Third-Party Cookies

Some cookies are placed by third-party services:

  • Stripe: Payment processing
  • Intercom: Customer support chat
  • Google Analytics: Usage analytics

These third parties have their own privacy policies.

9.4 Cookie Control

Browser Settings:
You can control cookies through your browser settings:

  • Block all cookies
  • Block third-party cookies only
  • Delete existing cookies
  • Receive notifications when cookies are set

Note: Disabling essential cookies will prevent you from using the Service.

Cookie Preference Center:
Manage non-essential cookies in your Account Settings → Privacy → Cookie Preferences

Do Not Track:
Our Service does not currently respond to Do Not Track signals.

9.5 Cookie Retention

  • Session Cookies: Deleted when you close your browser
  • Persistent Cookies: Expire after a set period (typically 1 year)
  • Analytics Cookies: Typically expire after 2 years



10. Children's Privacy

The Service is not intended for children under the age of 16, and we do not knowingly collect personal information from children under 16.

If you believe we have collected information from a child under 16, please contact us at [email protected], and we will promptly delete such information.



11. California Privacy Rights

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

11.1 Information We Collect

See Section 1 for detailed information about data collection.

11.2 Categories of Personal Information

We collect the following categories (California law):

  • Identifiers (name, email, IP address)
  • Commercial information (purchase history)
  • Internet activity (browsing behavior, usage data)
  • Professional information (job title, company)
  • Inferences (preferences, characteristics)

11.3 Sale of Personal Information

We do not sell personal information and have not sold personal information in the past 12 months.

11.4 Sensitive Personal Information

We do not collect or process sensitive personal information as defined by California law, except:

  • Precise geolocation (only if you enable location services)
  • Account credentials (used only for authentication)

11.5 Exercising California Rights

See Section 7.2 for California-specific rights and Section 7.3 for how to exercise them.

11.6 Shine the Light Law

California residents may request information about disclosure of personal information to third parties for their direct marketing purposes. We do not disclose information for third-party direct marketing.



12. Nevada Privacy Rights

Nevada residents have the right to opt-out of the sale of covered information. We do not sell covered information as defined under Nevada law.

If you are a Nevada resident and would like to exercise this right, contact [email protected].



13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons.

13.1 Notice of Changes

Material Changes:
For significant changes, we will:

  • Update the "Last Updated" date
  • Send email notification to registered users
  • Display a prominent notice on the Service
  • Provide 30 days' notice before changes take effect

Non-Material Changes:
Minor changes take effect immediately upon posting.

13.2 Your Acceptance

Continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

If you do not agree with changes, you should stop using the Service and request account deletion.



14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:

Email: [email protected]

Data Protection Officer:
[Name]
Docmet, Inc.
[Address]
San Francisco, CA 94105
United States

Phone: +1 (415) 555-0199

Mail:
Docmet, Inc.
Attn: Privacy Team
[Address Line 1]
San Francisco, CA 94105
United States

EU Representative (for GDPR matters):
[EU Representative Name]
[EU Address]
Email: [email protected]

Response Time:
We aim to respond to all inquiries within 5 business days.

15. Supervisory Authority

If you are located in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local data protection authority:

EU Data Protection Authorities:
Find your local authority at: https://edpb.europa.eu/about-edpb/board/members_en

UK Information Commissioner's Office (ICO):
Website: https://ico.org.uk
Phone: 0303 123 1113

Swiss Federal Data Protection and Information Commissioner (FDPIC):
Website: https://www.edoeb.admin.ch

Appendix A: Data Processing Details

Categories of Data Subjects

  • Account holders
  • Workspace members
  • Website visitors
  • Email recipients
  • API users

Categories of Personal Data

  • Identity data (name, email, username)
  • Contact data (email, phone, company)
  • Technical data (IP address, browser, device)
  • Usage data (how you use the Service)
  • Content data (documents, files, queries)
  • Profile data (preferences, settings)

Purposes of Processing

  • Service delivery
  • Customer support
  • Product improvement
  • Security and fraud prevention
  • Legal compliance
  • Marketing (with consent)

Categories of Recipients

  • Cloud infrastructure providers
  • AI model providers
  • Payment processors
  • Email service providers
  • Customer support tools
  • Analytics providers

Cross-Border Transfers

  • Transfers to United States (Standard Contractual Clauses)
  • EU data residency option available
  • Adequate safeguards in place for all transfers

Retention Periods

  • Active data: Duration of account
  • Deleted data: 30 days (soft delete) + 90 days (backup removal)
  • Audit logs: 7 years (default)

Appendix B: Glossary

Controller: Entity that determines purposes and means of processing (you, for your content)

Processor: Entity that processes data on behalf of controller (Docmet, for your content)

Personal Information/Data: Information relating to an identified or identifiable person

Processing: Any operation performed on personal data (collection, storage, use, etc.)

Data Subject: Individual whose personal data is processed

Supervisory Authority: Independent public authority overseeing data protection compliance