Privacy Policy

1) Who we are

Docoply (“we”, “us”, “our”) provides contract-review tools at docoply.com.

• Legal entity: EDUCATIONAL WHITEBOARDS LIMITED (trading as “Docoply”), company number 14554635, registered in England & Wales.
• Registered office: Educational Whiteboards Limited, 124 City Road, London, England, EC1V 2NX
• Website: https://docoply.com
• Privacy contact: privacy@docoply.com

Role under data protection law: we act as controller for site/app telemetry, accounts, billing, support and marketing; and as processor for documents you upload for analysis, processing them only on your instructions under our Customer Agreement and DPA.

2) Scope & who this policy applies to

This Policy covers our website and product experiences, including trials, paid customers, authorised users, support and sales communications. It excludes third-party sites/services we don’t operate, and employee/candidate data (see our separate notice).

Territorial scope: we follow UK GDPR and PECR, and—where applicable—EU GDPR for individuals in the EEA.

3) Personal data we collect — overview

We handle the following categories (details and examples are provided in the app or on request):

• Account & profile data (identity/contact, credentials, preferences, billing contact).
• Content you upload (contracts and related materials, plus processing/file metadata; outputs we generate).
• Usage & device data (technical logs, performance, security events).
• Product analytics (pseudonymised/aggregated feature usage to improve UX and reliability).
• Communications & support (emails, tickets, chat and notes).
• Payments & billing (payer details, invoices/transactions via our payment provider).
• Marketing & cookies (newsletter sign-ups, campaign attribution, cookie/consent preferences).
• Vendors/partners (business contact details), public/source data, and aggregated/de-identified data.

Special-category data: not intended; if such data appears within uploaded documents, we process it only to provide the service on your instructions and with safeguards.

4) How we use your data & our lawful bases

We rely on Contract (to provide the service), Legitimate Interests (operate, secure, improve), Consent (marketing and non-essential cookies), and Legal Obligations (tax/records). When you upload documents, your organisation is the controller and chooses the lawful basis; we process only as instructed under the DPA.

7/8) International transfers & safeguards

Some providers may process data outside the UK/EEA. Where transfers occur, we use approved safeguards (e.g., SCCs with UK Addendum/IDTA) plus technical and organisational measures. Transfer impact assessments are performed as appropriate.

9) Sharing & sub-processors

• We do not sell your content or personal data.
• We share data with vetted service providers necessary to provide the service (e.g., hosting/CDN, OCR/indexing/AI runtime, analytics/ads, email, payments) under Art. 28-compliant terms.
• Current providers are listed on our Sub-processor List (we notify of material changes per the DPA).

10) Data retention

• Source uploads: kept for the shortest time needed to analyse and deliver your report, then deleted within [72h] by default.
• Generated reports/outputs: kept for the life of your workspace or [12 months] after closure unless you delete earlier.
• Operational/server logs: typically retained for [90 days]; diagnostics/security events up to [180 days]. Aggregated analytics retained longer without personal identifiers.
• Backups: rolling [30 days].
• Billing/tax records: retained for 6–7 years to meet legal obligations.

12) Your rights (UK/EU)

You may have rights of access, rectification, erasure, restriction, portability, and objection, plus the right to withdraw consent (for consent-based processing) and to complain to the ICO/EEA authority. To exercise rights, email privacy@docoply.com. We may need to verify your identity; authorised agents may be asked for proof.

13) Role-based notices

When Docoply is the controller

Applies to accounts & profiles, usage/device logs, product analytics (with consent), communications/support, payments/billing, vendor/public-source data. See Sections above for purposes, bases, retention and transfers.

When Docoply is the processor (your uploads)

For documents you upload for analysis, we process only on your documented instructions under our Customer Agreement and DPA (subject-matter, duration, types of data and data subjects are described in the DPA). You should direct data-subject requests to your organisation; we’ll assist per the DPA.

14) Children

Our services are intended for business users and are not directed to children. If you believe a child has provided data, contact privacy@docoply.com so we can delete it.

15) Changes to this Policy

We’ll post updates here and, for material changes (e.g., new non-essential cookies or new marketing uses), notify you in advance via in-app/banner, email to the account/billing/admin contact, and/or a prominent site notice. Each version shows a “Last updated” date. Material changes take effect on the date stated in the notice.

16) Contact