Privacy Policy

Your privacy is important to us. This policy outlines how we collect, use, and protect your information.

DocMaster Privacy Policy

Effective date: 17 February 2026
Controller (for account/admin data): SIA DocMaster, reg.no.40203699978, Ceriņu street 5, Lielvārde, Ogres nov., LV-5070
Contact (privacy): janis@docmaster.ai

This Privacy Policy explains how we process personal data when you visit our website, create or manage an account, communicate with us, or purchase the Service. Processing of Customer Data uploaded into the Service is primarily governed by our Terms of Service and DPA (processor role), but we also summarize it here for clarity.


1) Roles: controller vs processor

1.1 When we are the controller
We act as data controller for personal data related to:

  • website visitors (where applicable)

  • sales and customer support contacts

  • account administration (authentication identifiers, access management)

  • billing and contract administration

  • security and abuse prevention logs

1.2 When we are the processor
For personal data contained in files/documents you upload into DocMaster (Customer Data), you are the controller and DocMaster is the processor, processing data only on your documented instructions as set out in the Terms/DPA.


2) What personal data we collect (controller context)

Depending on how you interact with us, we may process:

2.1 Account and identity data

  • name, email, company name (if provided)

  • user identifier from Microsoft identity sign-in (Identity API / Microsoft Entra ID context)

  • role/entitlement information needed to authorize access (e.g., subscription status, access allowed/denied)

2.2 Billing and contract data

  • billing contact name/email

  • invoicing details (company legal name, registration number, VAT number, billing address)

  • payment status and invoice history
    Bold note: that information is not certain and i am makind an educated estimate if you use an external payment processor (Stripe, etc.). If you do, the processor will also handle payment method data directly under their own privacy terms.

2.3 Support and communications

  • messages you send to us (email/content)

  • attachments you provide to support (only if you choose to send them)

2.4 Website and device data (if enabled)

  • IP address, device/browser info, basic usage logs, cookies
    Bold note: that information is not certain and i am makind an educated estimate because I do not know whether your site uses analytics or non-essential cookies. If you do not use analytics/marketing cookies, this section becomes minimal.

2.5 Security and audit logs

  • timestamps, authentication events, IP address, user agent (where logged)

  • actions within the Service needed for security, troubleshooting, and abuse prevention
    We avoid logging Customer Data content.


3) Purposes and legal bases (GDPR)

We process personal data for these purposes:

3.1 Provide and administer the Service (Art.6(1)(b) contract)

  • create/manage accounts

  • authenticate users and enforce access rights

  • deliver customer support

3.2 Billing and contractual administration (Art.6(1)(b) and Art.6(1)(c))

  • invoicing, payment tracking

  • accounting and tax compliance where required by law

3.3 Security, fraud prevention, and service integrity (Art.6(1)(f) legitimate interests)

  • prevent unauthorized access

  • detect abuse (e.g., bypassing limits, malicious uploads)

  • maintain and improve operational reliability
    Our legitimate interest is keeping the Service secure and usable for business customers.

3.4 Website functionality and (if used) analytics (Art.6(1)(a) consent for non-essential cookies; Art.6(1)(f) for strictly necessary)

  • necessary cookies for site operation

  • analytics only if you consent (where applicable)

3.5 Legal claims (Art.6(1)(f) and/or Art.6(1)(c))

  • establish, exercise, or defend legal claims

  • comply with lawful requests by authorities


4) Customer Data inside the Service (processor context)

When you upload documents/files into the Service:

  • data is transmitted to DocMaster infrastructure hosted in Microsoft Azure (North Europe, EU)

  • DocMaster sends necessary parts for AI extraction to Google Vertex AI configured for EU-only processing

  • data is processed transiently for the duration technically necessary to complete the request

  • we do not store Customer Data or Output after the processing session ends (as described in your ToS/DPA)

  • data transmission uses TLS encryption


5) Recipients and subprocessors

We may share personal data with:

  • Microsoft Azure (hosting/infrastructure, EU region)

  • Google Vertex AI (AI processing, EU-only configuration)

  • service providers supporting operations (e.g., email hosting, logging/monitoring) only if used
    Bold note: that information is not certain and i am makind an educated estimate because I don’t have your exact vendor list beyond Azure + Google.

We do not sell personal data.


6) International transfers

We intend to keep processing within the European Union (Azure North Europe; Vertex AI EU-only). If we ever introduce a vendor that processes outside the EU/EEA, we will update this policy and implement appropriate safeguards (e.g., SCCs) where required.


7) Data retention

7.1 Controller data (accounts, billing, communications)

  • account/admin records: retained for the duration of the customer relationship and a reasonable period after termination

  • billing/tax records: retained as required by applicable law (typical business practice is several years)
    Bold note: that information is not certain and i am makind an educated estimate because I don’t know your exact internal retention schedule and legal counsel position.

7.2 Customer Data (processor)

  • processed in real time / per session

  • not persisted after the processing session completes (per ToS/DPA)


8) Security

We use reasonable technical and organizational measures appropriate for a SaaS service, including:

  • encrypted transmission (TLS)

  • access controls and authentication

  • limiting access to systems to authorized personnel only

  • minimizing logging of content

No system is perfectly invulnerable, but we aim for the boring kind of secure where nothing interesting happens.


9) Your rights (GDPR)

Where DocMaster is controller, you may have rights to:

  • access your personal data

  • correct inaccurate data

  • delete data (where applicable)

  • restrict or object to processing (where applicable)

  • data portability (where applicable)

  • withdraw consent (only where processing is based on consent)

  • lodge a complaint with your supervisory authority

Processor note: If your request concerns personal data inside Customer Data you uploaded, you should direct the request to the Customer (controller) first. We will assist the controller as required by the DPA, to the extent data is within our systems (which is limited due to non-persistence).


10) Cookies

We may use strictly necessary cookies for website functionality. If we use analytics or marketing cookies, we will present a cookie consent mechanism where required and you can control preferences there.
Bold note: that information is not certain and i am makind an educated estimate because I don’t know your current cookie/analytics setup.


11) Children

The Service is offered B2B only and is not intended for children.


12) Changes to this policy

We may update this policy. If changes are material, we will provide notice via the website or Service UI. The effective date at the top shows when the current version applies.

Scroll to Top