Privacy Policy
This Privacy Policy explains how DocFast (a private limited company under Dutch law, KvK 62029339, Wijnberg 22, 2716 PE Zoetermeer, the Netherlands) collects, uses, shares and protects personal data when you use the DocFast service or visit our website.
We are the controller of the personal data we process about you as an account holder or website visitor. When you upload or generate document content that contains personal data about other people, you are the controller of that content and DocFast acts as a processor on your behalf — that relationship is governed by our Data Processing Agreement.
1. What we collect
We try to collect the minimum we need to run the service.
Account data
- Name, e-mail address, and password hash (handled by our authentication provider, PropelAuth).
- Organisation name and role, if you provide them.
Billing data
- Billing name, address, VAT number, country.
- Payment-method metadata (card brand, last 4 digits, expiry) — collected and stored by Stripe; we do not see or store full card numbers.
- Invoice and transaction history.
Content data
- Text, brand assets (logos, colours, fonts), and generated documents you upload or create. This content may contain personal data about third parties — see “Your role as controller” below.
Technical data
- IP address, browser type, device type, language, timestamps.
- Application logs (which features you used, errors, performance metrics) — used to operate, secure, and improve the service.
Support data
- Anything you send us when you contact support, including the e-mail thread and any attachments.
2. Why we process it, and on what legal basis
| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Providing the service (accounts, document generation, downloads) | Account, content, technical | Performance of a contract (Art. 6(1)(b)) |
| Billing and tax compliance | Billing | Contract and legal obligation (Art. 6(1)(b), (c)) |
| Security, abuse prevention, fraud detection | Technical, account | Legitimate interest (Art. 6(1)(f)) |
| Service improvement and debugging (aggregated, non-content metrics) | Technical | Legitimate interest (Art. 6(1)(f)) |
| Responding to support requests | Support, account | Contract and legitimate interest (Art. 6(1)(b), (f)) |
| Service announcements (e.g. outages, important changes) | Account | Legitimate interest (Art. 6(1)(f)) |
| Marketing e-mails (optional, you can unsubscribe at any time) | Account | Consent (Art. 6(1)(a)) |
We do not sell your data, we do not use your content for advertising, and we do not feed it back into any machine-learning training set.
3. Sub-processors and other recipients
To run DocFast we rely on a small number of vetted sub-processors. Each is bound by a written processing agreement and, where required, EU Standard Contractual Clauses.
| Provider | Role | Location |
|---|---|---|
| Scaleway (France) | Application hosting, object storage | nl-ams (Amsterdam, NL) |
| PlanetScale (USA) | Managed MySQL database | EU region |
| PropelAuth (USA) | Authentication, account management | USA — transfers under SCCs / DPF |
| OpenAI (USA / Ireland) | AI text clean-up | EU data residency where available; SCCs / DPF otherwise |
| Anthropic (USA / Ireland) | AI text clean-up | EU data residency where available; SCCs / DPF otherwise |
| Stripe Payments Europe Ltd. (Ireland) | Payment processing | EU; some operations USA under SCCs |
We may also disclose personal data to legal or regulatory authorities when we are required to do so by law, and to professional advisers (e.g. lawyers, accountants) under confidentiality obligations.
When we change sub-processors, we update this list. If you have an active subscription and we add a sub-processor that materially changes how your content is handled, we will notify you at least 7 days in advance.
4. International transfers
We host the application in the European Union. Some of our sub-processors are established in the United States. Where personal data is transferred outside the EEA, the transfer is covered by the EU Commission’s Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework (DPF) where the recipient is certified, or another transfer mechanism recognised under GDPR Chapter V.
5. How long we keep it
- Account data — for as long as your account is active, and for up to 90 days after closure (to allow account recovery and to handle disputes), then deleted.
- Content data — by default, generated documents are retained for 90 days and then deleted. You can delete documents earlier from the app.
- Billing data — kept for 7 years after the relevant transaction, in line with Dutch fiscal law (Algemene wet inzake rijksbelastingen, art. 52).
- Application logs — retained for up to 90 days.
- Support correspondence — retained for up to 2 years after the ticket is closed.
6. Security
We take reasonable technical and organisational measures to protect personal data, including:
- TLS 1.2+ for all data in transit;
- AES-256 encryption for data at rest in our storage and database layers;
- Access controls, least-privilege IAM, and audit logging on infrastructure;
- Regular dependency and infrastructure updates;
- Backups with restricted access and encryption.
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours and, where required, notify affected users without undue delay.
7. Your rights under GDPR
You have the following rights with respect to your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your data, subject to retention obligations.
- Restriction — ask us to limit how we process your data.
- Objection — object to processing that we carry out on the basis of legitimate interest.
- Portability — receive your data in a structured, machine-readable format.
- Withdraw consent — at any time, where processing is based on consent (this does not affect prior lawful processing).
- Complain — lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), or the supervisory authority where you live.
To exercise any of these rights, e-mail privacy@docfast.ai. We will respond within one month and may ask you to verify your identity before we act.
8. Your role as controller (customer content)
The content you upload, paste, or generate may include personal data about your clients, colleagues, or other third parties. With respect to that content, you are the controller and DocFast acts as a processor on your behalf. Your obligations as a controller (including providing notice to data subjects, having a lawful basis, and responding to data-subject requests) remain with you. Our processor obligations are set out in the Data Processing Agreement.
9. Cookies
We use a small number of essential and functional cookies and similar storage technologies. See our Cookie Policy for details.
10. Children
DocFast is a professional tool and is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes to this Policy
We may update this Privacy Policy as the service evolves. If a change is material, we will notify account holders by e-mail or through the app at least 7 days before it takes effect. The “Last updated” date at the top of this page always reflects the current version.
12. Contact
- Privacy questions and data-subject requests: privacy@docfast.ai
- General support: support@docfast.ai
- Post: DocFast, Wijnberg 22, 2716 PE Zoetermeer, the Netherlands
- KvK: 62029339