Privacy Policy
Last updated: March 13, 2026
This Privacy Policy explains how DocGL ("we", "us", or "our") collects, uses, stores, and shares your information when you use our document generation platform and API services ("the Service"). By using the Service, you agree to the practices described in this policy. If you do not agree with this Privacy Policy, do not use the Service.
1. Data We Collect
We collect the following categories of information:
Account Data
When you register for an account, we collect:
- Email address — used for authentication, account management, and transactional communications.
- Display name — used to personalise your experience within the platform.
- Authentication credentials — passwords are hashed and never stored in plain text; if you use third-party authentication (e.g., Google via Firebase), we receive only the authentication token and basic profile info provided by that provider.
Usage Data
As you interact with the Service, we automatically collect:
- API call metadata — timestamps, endpoints called, response codes, and generation counts (but not the content of payloads — see Section 3).
- Log data — server-side logs including IP addresses, browser or client user-agent strings, and error traces.
- Device and session information — browser type, operating system, and session identifiers for security and debugging purposes.
Template Data
Templates you create and save using the DocGL editor are stored on our infrastructure so that you can access and use them across sessions.
API Input Data (Payloads)
JSON payloads submitted to our API endpoints for document generation contain the data you supply to populate your templates. Please refer to Section 3 for important details on how this data is handled.
2. How We Use Your Data
We use the information we collect for the following purposes:
- Operating the Service — authenticating users, serving the editor, processing API calls, and delivering generated documents.
- Plan enforcement — tracking generation counts against your subscription limits.
- Security and abuse prevention — detecting and mitigating fraudulent activity, unauthorised access, and ToS violations.
- Debugging and support — diagnosing technical issues and responding to support requests. Template data is only accessed with your explicit consent (see Section 1).
- Service improvement — analysing aggregated, anonymised usage patterns to improve reliability, performance, and features.
- Communications — sending account-related notifications such as billing confirmations, plan limit alerts, and security alerts. We do not send marketing emails without your opt-in.
3. Data Processing of API Payloads
When you submit a JSON payload to our generation API:
- Payloads are processed entirely in-memory during the PDF generation process. We do not write your payload data to persistent storage at any stage of the generation pipeline.
- PDF outputs generated from your templates and data are stored on our infrastructure only if you have enabled the PDF storage option in your account settings. If this option is disabled, the generated PDF is streamed directly to you and is not retained by DocGL.
You are responsible for ensuring that any personal data included in your API payloads is handled in accordance with applicable data protection laws (e.g., GDPR, LGPD).
4. Third-Party Services
We use the following third-party providers to operate the Service. Each receives only the data necessary for its specific function.
Hetzner (Infrastructure / Hosting)
Our backend servers and storage infrastructure are hosted on Hetzner Cloud. Hetzner processes server traffic, stored templates, and PDF outputs (if storage is enabled). Hetzner acts as a data processor under our instruction and does not use your data for its own purposes.
Firebase (Authentication and Backend Services)
We use Google Firebase for user authentication. Firebase receives your email address and authentication credentials in order to create and manage your account. Firebase may process data on Google's infrastructure in accordance with Google's data processing terms.
Stripe (Payment Processing)
Payments are processed by Stripe. When you subscribe to a plan or update billing information, Stripe collects and processes your payment card details and billing address. DocGL does not store full payment card numbers. Stripe's privacy policy governs how it handles your payment data.
5. Cookies and Tracking
We use cookies only as necessary to support authentication provided through Firebase. We do not use cookies for advertising, analytics, behavioural tracking, or similar marketing purposes, and we do not use third-party analytics scripts such as Google Analytics on the Service.
6. Data Retention
We retain your data for as long as your account or workspace remains active. Specifically:
| Data Category | Retention Period |
|---|---|
| Account data (email, name, credentials) | Retained while account is active |
| Templates | Retained while account is active |
| PDF outputs (if storage enabled) | Retained while account is active |
| Server logs | Retained while account is active |
| API payloads | Never persisted (processed in-memory only) |
When you delete your account, your account data is retained for 30 days before permanent deletion so that account recovery may be requested during that period. After the 30-day retention window ends, the relevant account data is permanently deleted, subject to any legal obligations that require longer retention.
7. Data Security Practices
We implement appropriate technical and organisational measures to protect your data, including:
- Access controls — access to production systems and stored user data is restricted to authorised personnel only, using role-based access controls and multi-factor authentication.
- Encryption in transit — all data transmitted between your client and our servers is encrypted using TLS (HTTPS).
- Encryption at rest — stored templates and PDF outputs are encrypted at rest on our infrastructure.
- Least-privilege principle — internal systems and personnel access only the data they strictly require.
Incident Response
In the event of a security incident that affects your data, we will notify affected users promptly in accordance with applicable law. If you discover or suspect a security vulnerability, please contact us immediately at [email protected].
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
Under LGPD (Brazil) and GDPR (EU/EEA)
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request that inaccurate or incomplete data be corrected.
- Right to erasure — request deletion of your personal data. You can exercise this right by deleting your account, which starts the 30-day retention period described in Section 6 before permanent deletion.
- Right to data portability — request your data in a machine-readable format. You can export your templates and account data from your account settings page.
- Right to withdraw consent — where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to object — object to processing of your data in certain circumstances.
To exercise any of these rights, contact us at [email protected].
We will respond to your request within the timeframes required by applicable law (30 days under GDPR; 15 days under LGPD).
9. International Data Transfers
DocGL operates infrastructure hosted in data centres managed by Hetzner (located in the European Union) and uses Firebase (Google), which may process data across multiple regions globally.
If you are located outside the EU/EEA or Brazil, your data may be transferred to and processed in a country with different data protection laws than your own. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission to ensure your data receives adequate protection.
By using the Service, you acknowledge and consent to these transfers.
10. Contact Us
If you have privacy-related questions or requests, including exercising your rights under LGPD, GDPR, or any other applicable data protection law, please contact us:
Email: [email protected]
We aim to respond to all privacy requests within 15 business days.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and provide notice by in-product notice, or another reasonable method where appropriate. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.