GDPR Compliance
Last updated: 1 September 2025
This page explains how Docoply complies with the UK GDPR and the EU GDPR when we provide our services and operate our website. It should be read together with our Privacy Policy, Data Processing Addendum (DPA), Sub-processors List, and Security page.
1) Who we are & contacts
Controller: Educational Whiteboards Limited (trading as “Docoply”)
Company number: 14554635
Registered office: 124 City Road, London, England, EC1V 2NX
Primary privacy contact / DPO (or privacy lead): privacy@docoply.com
Supervisory authority (UK): Information Commissioner’s Office (ICO). You have the right to lodge a complaint with the ICO.
EU/EEA representative (if required under Art. 27 GDPR): Details will be published here if appointed.
2) Scope & roles (Controller vs Processor)
When we are a Controller: We act as a data controller for data we collect about you when you visit our website, create an account, communicate with us, pay for subscriptions, and receive marketing (where permitted).
When we are a Processor: When customers upload or submit contracts and related documents to be analysed by Docoply, we process that personal data on the customer’s documented instructions and for their purposes. In those cases, the customer is the Controller and Docoply is the Processor under the DPA.
Our current sub-processors and their purposes are listed at /legal/sub-processors.
3) Lawful bases for processing
We rely on one or more of the following lawful bases (UK/EU GDPR Art. 6):
- Performance of a contract – to provide and support the Docoply service you’ve requested.
- Legitimate interests – to run, secure, and improve our services (balanced against your rights and expectations).
- Consent – for non-essential cookies/analytics/ads and any optional uses you agree to.
- Legal obligation – to meet our tax, accounting, and regulatory duties.
Lawful basis matrix (summary)
| Category | Purpose | Lawful basis |
|---|---|---|
| Account & service data | Provision of Docoply, customer support | Contract; Legitimate interests (support) |
| Uploaded contracts & attachments (customer content) | Contract analysis & report generation | Contract (Processor role under DPA) |
| Payments & billing | Subscription processing, fraud prevention | Contract; Legal obligation |
| Technical & security logs | Security monitoring, incident response | Legitimate interests; Legal obligation (where applicable) |
| Product analytics (derived, non-essential) | Improve features and UX | Consent (where required); Legitimate interests (strictly necessary analytics) |
| Marketing | Updates, news (opt-in) | Consent (or soft opt-in where permitted) |
4) What we process & purposes
- Customer content (Processor): contracts, NDAs, consultancy/SaaS agreements, DPAs, and related attachments submitted for analysis. Processed to generate risk flags, explanations, suggested rewrites, and exportable reports.
- Account data (Controller): name, email, organisation, role, seat assignments, settings.
- Usage & device data: IP address, device/OS info, timestamps, events, error logs, and performance metrics for reliability and security.
- Payments: limited billing data (handled primarily by our payment processor, e.g., Stripe).
- Support & communications: messages you send us and our replies for troubleshooting and service quality.
- Product analytics: aggregated or de-identified metrics to improve features and documentation.
Full details appear in our Privacy Policy.
5) AI processing, profiling & human review
Docoply uses AI models to parse contracts, identify risk patterns, and draft suggested clause rewrites. Outputs are intended to assist (not replace) professional judgement.
- No training on your content by default: We do not use your uploaded documents or outputs to train our models unless you provide explicit, revocable consent.
- Transient processing: Customer content is processed transiently to produce results. Where temporary caching is technically necessary, it is short-lived and access-controlled. See DPA for details.
- Human in the loop: We do not make decisions with legal or similarly significant effects solely by automated means.
- Quality & safety: We maintain benchmark tests and human spot-checks to evaluate accuracy and reduce hallucinations or bias.
6) Your data protection rights
Under the UK/EU GDPR, you have the right to:
- Access your personal data and receive a copy;
- Rectify inaccurate or incomplete data;
- Erase data in certain circumstances (“right to be forgotten”);
- Restrict or object to processing in certain cases (including legitimate interests and direct marketing);
- Portability – receive data you provided in a commonly used format and have it transmitted to another controller where technically feasible;
- Withdraw consent at any time where processing relies on consent.
How to exercise your rights: Email privacy@docoply.com. We will respond within one month (extendable by up to two additional months for complex or numerous requests). We may request verification of identity.
If your data was provided to Docoply by your organisation (our customer) or analysed through our Processor role, please contact your organisation first. We will assist them as required by the DPA.
9) Security measures
We apply administrative, technical, and physical measures proportionate to risk, including:
- Encryption in transit (TLS) and at rest (where applicable);
- Access controls, MFA for privileged accounts, least-privilege permissions;
- Network and application hardening, dependency monitoring;
- Logging, alerting, and incident response procedures;
- Secure development practices and periodic testing;
- Vendor due diligence aligned with our sub-processor oversight.
Further details appear on our Security page.
10) Data retention
- Customer content (contracts uploaded for analysis): processed transiently to generate results and then removed within 24 hours, unless your organisation enables a feature to save artefacts (e.g., stored reports) — in which case they are retained under your organisation’s control until deleted.
- Account & subscription records: kept for the life of the account and then for up to 6 years to meet tax/accounting obligations.
- Security & audit logs: typically retained for 90 days (longer where required for investigations).
- Support tickets & communications: retained for up to 2 years after resolution.
- Marketing data: retained until you unsubscribe or your consent is withdrawn, plus a short period (up to 6 months) to maintain suppression lists.
Retention may be extended where necessary to establish, exercise, or defend legal claims or comply with legal obligations.
11) Breach reporting
If we become aware of a personal data breach, we will assess risk and, where required, notify the ICO within 72 hours and affected individuals without undue delay when there is a high risk to their rights and freedoms. Customers will be notified per the DPA.
12) Records of processing (ROPA) & DPIAs
We maintain Records of Processing Activities (Art. 30) for both our Controller and Processor roles. We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing — including significant changes to AI features, model providers, or data flows.
13) Children
Docoply is designed for business use and is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data, please contact us so we can delete it.
14) Changes & how to contact us
We may update this page to reflect changes in our practices or law. We will post the new date at the top, and where appropriate we will notify customers.
Questions or requests: privacy@docoply.com
Docoply
AI-powered legal document analysis for startups and growing businesses. Identify legal risks before they become costly problems.
© 2025 Docoply. All rights reserved. | Built for UK startups navigating complex compliance requirements.