Privacy Notice

Learn about the types of personal data we collect, as well as details about our practices for using, safeguarding, and disclosing such data during your interaction with our services.

Last edited: 12/14/2023

We, Apolytus OÜ, residing at Sepapaja tn 6, 15551 Tallinn, Estonia (we), place great importance at your privacy. This privacy notice describes the information that we collect that personally identifies you (personal information or personal data) and how we use, protect, and disclose your personal information when you interact with DocuChat app and its website (collectively, DocuChat).

This privacy notice applies to personal information in situations where we decide how and why your personal information is to be processed (or to use the European terminology, where we act as a data controller). It does not apply where we are acting merely as a service provider to another organization who decides how and why we process your personal information (or to use the European terminology, where we act as a data processor).

What data do we collect?

The personal data we collect from you are not only information that we actively collect while you interact with our services but also information that you voluntarily provide to us in various contexts (such as by sending an email to us). Therefore, it is not possible to define an exclusive list of all potential types of personal data that we may collect from you. However, we provide below the typical types of personal data we collect from you:

  • Your name and email address;
  • If you are a paid subscriber, payment and purchase information as well as invoice details (except we never store your credit card information as payments are processed by our payment processor);
  • Information about how you interacted with our emails, including whether you opened our email, the links you clicked, and how you use DocuChat after clicking a link;
  • Information about how you use DocuChat, including the pages visited, the date, time, and duration of the visit, and other interaction with the website and its content;
  • Technical information related to your use, including network connection type, browser type, language, operating system;
  • Non-precise location information (inferred from the IP address).

How do we collect your data?

You directly provide us with most of the data we collect (for instance, by signing up) but we also use automated processes to collect some information about you.

As described above in more detail, we collect and process your data when:

  • You use DocuChat or visit its website, in which case we use cookies and similar technologies (more on this below);
  • You interact with and read our emails;
  • You contact us or interact with our services in any other manner.

Cookies and Similar Technologies

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

We use cookies to:

  • Collect analytics information, for which we use privacy-friendly analytics providers;
  • Help you via our support chat function, for which we use support service providers.
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies visit

Why do we process your data and what are the lawful bases?

PurposeLegal Basis
Sign up processes: To allow you to sign up to DocuChatPerformance of a contract (6(1)(b) of the GDPR)
Service provision: To facilitate and process service requests on DocuChat, to carry out financial, accountancy, and operational processes in relation to your subscriptions, and to collect payment from youPerformance of a contract (6(1)(b) of the GDPR) insofar as the purpose relates to the execution of a contract agreed with you or the provision of a service requested by you. Otherwise, the legal basis is legitimate interests (6(1)(f) of the GDPR).
Customer support: To respond to your requests, to provide customer support on pre-sale and/or post-sale queries and issues, to help you solve any issues you may have with DocuChat, to update you about changes to our terms of service or privacy notice, or to contact you to know how your experience with us wasPerformance of a contract (6(1)(b) of the GDPR) and legitimate interests in retaining you as a customer (6(1)(f) of the GDPR)
Service analysis and improvement: To perform analytics and conduct customer research, to evaluate and develop new features and improvements to DocuChat by analyzing your interactionsLegitimate interests in running our business and improving our website and your experience (6(1)(f) of the GDPR)
Service maintenance: To administer, operate, and maintain DocuChat, to understand, diagnose, troubleshoot, and fix issues with our appLegitimate interests in running our business (6(1)(f) of the GDPR)
Cyber security: To ensure information security of our services and prevent any malicious use of DocuChatLegitimate interests in ensuring the security of our services (6(1)(f) of the GDPR)
Compliance: To comply with legal obligations and law enforcement requests, including participation in investigations and proceedings, complying with information requests from third parties based on any statutory information rights they have against us, retention and storage of your personal data to comply with specific legal retention requirementsLegal obligation (6(1)(c) of the GDPR)
Legal proceedings: To establish, exercise, or defend legal claimsLegitimate interests in protecting our business (6(1)(f) of the GDPR)

If you are from Canada, we collect, use, disclose and otherwise process the personal information described above with prior notice in the applicable situations or as authorized by Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

To whom do we transfer your data?

RecipientsReason for sharing your data
Technical service providersWe work with technical service providers who operates the technical infrastructure that we need, assist in protecting and securing our systems and services, and provide technical services to us for the provision of our services to you. These include but are not limited to email, customer support, and hosting service providers.
Payment service providersAs we offer different payment options to our customers, we partner with payment service providers (sometimes called "payment processors") to ensure a smooth purchase experience for you.
ConsultantsWe work with advisors (legal, financial, tax, or similar) to comply with applicable laws and exercise our rights, and these advisors may, from time to time, require access to your personal data to provide services to us.
AuthoritiesWe share your personal data when it is necessary for us to do so to comply with a legal obligation under applicable law or respond to a valid legal process.
We may share your personal data with third parties located in countries other than your country. Your personal data, therefore, may be subject to privacy laws that are different from those in your country. Personal data collected within the European Union may, for example, be transferred to and processed by third parties located in a country outside of the European Union. In such instances, we ensure that the transfer of your personal data is carried out in accordance with applicable privacy laws and, in particular, that appropriate contractual, technical, and organizational measures are in place such as the Standard Contractual Clauses approved by the EU Commission.

Data Protection and Security

At DocuChat, we take the protection and security of your personal data, including Google (Drive) user data, very seriously. We have implemented robust security measures to safeguard your information:

  • Encryption: We use industry-standard encryption protocols to protect your data both in transit and at rest. This ensures that your information remains confidential and secure when it's transmitted over networks and stored in our systems.
  • Access Controls: We maintain strict access controls and authentication procedures to ensure that only authorized personnel can access your data. This includes the use of strong passwords, multi-factor authentication, and regular access reviews.
  • Secure Infrastructure: Our systems are hosted on secure, industry-leading cloud infrastructure with multiple layers of security controls, including firewalls, intrusion detection systems, and regular security audits.
  • Data Minimization: We collect and retain only the data necessary for the functioning of our services, reducing the risk of unnecessary data exposure.
  • Employee Training: Our team undergoes regular security awareness training to ensure they understand and follow best practices for data protection.
  • Incident Response Plan: We have a comprehensive incident response plan in place to quickly detect, respond to, and mitigate any potential data breaches or security incidents.

These security procedures are in place to protect the confidentiality, integrity, and availability of your data, including any Google (Drive) user data we may process. We continuously review and update our security measures to adapt to evolving threats and maintain the highest standards of data protection.

No training of AI models

We never use any of your documents in DocuChat to develop, improve, or train generalized AI and/or ML models. This includes any files, websites, or Google Drive folders/files you might have added to your document library. Also Google Workspace APIs are not used to develop, improve, or train generalized AI and/or ML models.

How long do we keep your data?

We will store your personal data as long as is necessary for the purposes named in this privacy notice, especially for the fulfilment of our contractual and legal obligations. In general, we retain the data you provide to us for as long as you have your account with us and thereafter for such period as you may have questions or a claim in relation to our services, notwithstanding any superior retention period that we may be obliged to observe in accordance with legal requirements applicable to us.

The specific retention periods for personal data are documented in our regional data retention guidelines because how long we retain personal data may vary depending on the services we provide and our legal obligations under applicable national law. The following factors typically affect the retention period:

  • Necessity for the provision of our services. This includes executing the user agreement with you, maintaining, and improving the performance of our services, keeping our systems secure, and maintaining appropriate business and financial records. Most of our retention periods are determined based on this general rule.
  • Consent-based processing of personal data. If we process personal data based on consent, we store the data for as long as necessary in order to process it according to your consent.
  • Statutory, contractual, or other similar obligations. Retention obligations may arise, for example, from laws or official orders. It may also be necessary to store personal data regarding pending or future legal disputes. Personal data contained in contracts, notifications and business letters may be subject to statutory storage obligations depending on national law.

What are your rights?

Depending on relevant laws in your country, you may have rights such as rights to request access, port, object, correct and erase the personal information that we hold about you.

Your EEA, UK, and Swiss Rights

If you are located in the European Economic Area (EEA), the UK or Switzerland, you have the following privacy rights:

  • You can access, correct, update, or delete your personal information.
  • You can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information.
  • If you do not want us to use your email address to promote our own or third parties’ products or services, you can opt-out of receiving marketing emails at any time.
  • If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time.
  • You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority.

Your California Privacy Rights

This Section of our privacy notice provides information for California consumers, as required under California privacy laws, including the California Consumer Privacy Act (“CCPA”).

  • You may request access to, or for a copy of the personal information we have collected, used, disclosed, and sold about you over the past twelve (12) months.
  • You may also request that we delete certain personal information we have collected from you.
  • You have a right not to receive discriminatory treatment for the exercise of your CCPA privacy rights.
  • You can request, under California Civil Code Section 1798.83, certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.
  • California consumers have the right to opt-out of the sale of their personal information. We do not and will not sell your personal information. We may provide third parties with certain personal information to provide or improve our products and services, for example to deliver services at your request. In such cases, we require those third parties to handle the information in accordance with applicable laws and regulations.

California privacy laws also require that we provide California consumers information about how we use their personal information, whether collected online or offline. This document and specifically the sections above are intended to satisfy that requirement.

Your Canadian Privacy Law Rights

If your information is collected from within Canada, you have the following privacy rights:

  • You can access, correct, update, or delete your personal information.
  • If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time.
  • If you wish to make a complaint about a breach of Personal Information Protection and Electronic Documents Act (PIPEDA), please contact us using the details below and we will take reasonable steps to investigate the complaint and respond to you. If after this process you are not satisfied with our response, you can submit a complaint to the Office of the Privacy Commissioner of Canada.

Inquiries and Requests

You can reach out to us for general questions on privacy and to exercise your data protection rights by sending an email to Please note that to protect your personal information, we may need to verify your identity by a method appropriate to the type of request you are making.


We keep our privacy notice under regular review and might introduce updates from time to time. We will notify you of any changes by posting the new privacy notice on this page. For significant changes, we will notify you by email or by placing a prominent notice on our website.