Privacy Policy

1. Introduction

Welcome to Hocusdocs. We are committed to protecting your personal data and respecting your privacy in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and other applicable data protection laws.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our AI-powered document translation platform.

2. Data Controller

The data controller responsible for your personal data is:

3. Personal Data We Collect

We collect the following categories of personal data:

3.1 Data You Provide Directly

• Account Information: Name, email address, password (hashed)
• Documents: Files you upload for translation (PDF, DOCX, XLSX, etc.)
• Payment Information: Processed securely through Stripe; we do not store card details
• Communications: Messages you send to our support team

3.2 Data Collected Automatically

• Usage Data: Translation history, feature usage, page quota consumption
• Technical Data: IP address, browser type, device information, access times
• Cookies: Essential session cookies for authentication (see Section 10)

4. Legal Basis for Processing

Under GDPR Article 6, we process your personal data based on the following legal grounds:

• Contract Performance (Art. 6(1)(b)): Processing necessary to provide our translation services, manage your account, and process payments
• Legitimate Interests (Art. 6(1)(f)): Service improvement, security, fraud prevention, and analytics
• Legal Obligation (Art. 6(1)(c)): Compliance with applicable laws, tax requirements, and legal requests
• Consent (Art. 6(1)(a)): Where required, such as for marketing communications (you may withdraw consent at any time)

5. How We Use Your Data

We use your personal data to:

• Provide AI-powered document translation services
• Create and manage your user account
• Process payments and manage subscriptions
• Track your page quota usage
• Send service-related notifications and updates
• Respond to your support requests
• Improve our services and develop new features
• Ensure security and prevent fraud
• Comply with legal obligations

6. AI Processing and Third-Party Providers

To provide translation services, we use AI technology from the following providers:

• OpenAI (USA) - for AI-powered translations
• Mistral AI (France/EU) - for AI-powered translations and OCR

Important Information:

• Document content is transmitted to AI providers solely for translation purposes
• We have Data Processing Agreements (DPAs) with our AI providers
• Your documents are NOT used to train AI models
• For transfers to the USA (OpenAI), we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission

7. Data Recipients

We may share your data with:

• AI Service Providers: OpenAI, Mistral AI (for document processing)
• Payment Processor: Stripe (for secure payment processing)
• Cloud Infrastructure: Hosting providers with EU data centers
• Legal Authorities: When required by law or valid legal process

We do not sell your personal data to third parties.

8. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). When transferring data internationally, we ensure adequate protection through:

• EU Commission adequacy decisions
• Standard Contractual Clauses (SCCs)
• Data Processing Agreements with appropriate safeguards

You may request a copy of the safeguards we use by contacting us.

9. Data Retention

We retain your data for the following periods:

• Documents and Translations: Automatically deleted 30 days after upload
• Account Data: Retained while your account is active; deleted within 30 days of account deletion request
• Payment Records: Retained for 7 years as required by tax law
• Usage Logs: Retained for 12 months for security and analytics
• Backup Data: Deleted within 90 days of data deletion from primary systems

10. Cookies

We use only strictly necessary cookies required for our service to function:

• Session Cookies: For authentication and maintaining your login state
• Security Cookies: For CSRF protection and security features

We do NOT use advertising, tracking, or third-party analytics cookies.

11. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

• Right of Access (Art. 15): Request a copy of your personal data
• Right to Rectification (Art. 16): Correct inaccurate or incomplete data
• Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
• Right to Restrict Processing (Art. 18): Limit how we use your data
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interests
• Right to Withdraw Consent (Art. 7): Withdraw consent at any time (without affecting lawfulness of prior processing)
• Right to Lodge a Complaint: File a complaint with a supervisory authority (see Section 12)

To exercise any of these rights, contact us at info@hocusdocs.com. We will respond within 30 days.

12. Supervisory Authority

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a data protection supervisory authority in your country of residence, place of work, or where the alleged infringement occurred.

A list of EU supervisory authorities can be found at: European Data Protection Board Members

13. Data Security

We implement appropriate technical and organizational measures to protect your data:

• Encryption in transit (TLS 1.2+) and at rest
• Secure password hashing (bcrypt)
• Regular security assessments and updates
• Access controls and authentication
• Secure cloud infrastructure with EU data centers
• Regular backups with encryption

14. Automated Decision-Making

Our AI-powered translation service uses automated processing to translate documents. This processing does not produce legal effects or similarly significantly affect you. The translations are tools to assist you and do not constitute legally binding documents unless verified by a certified translator.

15. Children's Privacy

Our services are not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately.

16. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be notified via email or prominent notice on our website. We encourage you to review this policy regularly. The "Last Updated" date at the top indicates when changes were made.

17. Contact Us

For any questions, concerns, or to exercise your rights regarding this Privacy Policy or your personal data, please contact us: