Effective Date: June 2, 2026
Last Updated: June 2, 2026
Version: 1.0
1. Who We Are
DocuJSON, Inc. ("DocuJSON," "we," "us," "our") is a Delaware corporation. We operate the DocuJSON platform, a software-as-a-service product that converts JSON data into PDF documents ("Services"), available at https://docujson.com.
This Privacy Policy ("Policy") describes how we collect, use, disclose, and protect personal information when you visit our website, create an account, or use our Services.
Controller vs. Processor distinction:
- For personal data of our customers and website visitors, DocuJSON is the data controller.
- For personal data contained in customer data submitted through the API (e.g., end-user information your business puts into a JSON payload to generate a PDF), DocuJSON acts as a data processor on behalf of the customer, who is the controller. A separate Data Processing Addendum (DPA) governs this relationship.
2. Information We Collect
2.1 Information You Provide Directly
- Account information: Name, email address, password (hashed), company name.
- Billing information: Payment card details handled by Stripe (we do not see or store card numbers), billing address, tax ID where applicable.
- Customer Content: JSON data payloads, templates, images/logos, and other material you submit to be rendered as PDFs.
- Custom template materials: If you use our AI-assisted custom template feature, the prompts, reference screenshots, sample data, and related input you provide.
- Communications: Support tickets, emails, feedback, and any other messages you send us.
2.2 Information Collected Automatically
When you use the Services, we automatically collect:
- Usage data: API requests made, templates used, generation timestamps, request/response sizes, errors encountered, and plan-usage metrics.
- Device and connection data: IP address, browser type, operating system, device identifiers, referring URL, pages visited, and time spent.
- Cookies and similar technologies: See Section 11 below.
2.3 Information from Third Parties
- Payment and fraud data from Stripe (transaction status, risk scores).
- Authentication data if you sign in via a third-party identity provider (e.g., Google).
- Public information about your business from publicly available directories, when relevant for sales or support.
2.4 Information We Do NOT Intentionally Collect
- Protected Health Information (PHI): DocuJSON is not HIPAA-compliant. Do not submit PHI. If you submit PHI without a signed Business Associate Agreement, you agree you are responsible, and we will delete the PHI once we discover it.
- Payment card numbers: Handled by Stripe.
- Government-issued IDs, SSNs, or biometric data: Do not submit these.
- Children's data: The Services are not directed to children. See Section 9.
3. How We Use Information
We use personal information for the following purposes:
3.1 To Provide the Services
- Authenticate users, authorize API access.
- Render and deliver PDFs.
- Store Generated Output for the applicable retention period (see Section 6).
- Process subscriptions and billing.
- Provide customer support.
3.2 To Improve the Services
- Analyze usage patterns (in aggregated, de-identified form).
- Debug and troubleshoot errors.
- Develop new features and templates.
3.3 To Communicate With You
- Send transactional messages (receipts, security alerts, service notices).
- Send product updates and marketing messages (only with your consent in jurisdictions requiring it; you can unsubscribe at any time).
- Respond to inquiries and support requests.
3.4 For Security and Compliance
- Detect, prevent, and investigate fraud, abuse, and unauthorized access.
- Enforce the Terms of Service (including the Acceptable Use section).
- Comply with legal obligations, court orders, and regulatory requests.
3.5 For Business Operations
- Maintain corporate records.
- Conduct analytics and business planning.
- Prepare for audits, compliance reviews, and potential transactions (e.g., financings, acquisitions).
3.6 What We Do NOT Do
- We do not sell personal information. (See the CCPA/CPRA section below.)
- We do not use Customer Content to train generative AI models except where you explicitly opt in via a feature that so states.
- We do not share data with advertising networks for cross-site behavioral advertising.
- We do not use dark patterns to collect consent or prevent cancellation.
4. Legal Bases for Processing (GDPR / UK GDPR)
If you are in the European Economic Area, United Kingdom, or Switzerland, we process personal data under one or more of the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the Services under contract | Performance of a contract (Art. 6(1)(b)) |
| Billing and fraud prevention | Legitimate interest / Legal obligation |
| Marketing communications | Consent (withdrawable at any time) |
| Security and abuse prevention | Legitimate interest |
| Compliance with laws, audits, and legal requests | Legal obligation |
5. How We Share Information
We share personal information only as described below.
5.1 Sub-processors and Service Providers
We use trusted third-party service providers to operate the Services. They process personal information on our instructions and under confidentiality obligations. Our current sub-processors are listed at /sub-processors and include:
- Vercel, Inc. — application hosting and infrastructure
- Supabase, Inc. — database, authentication, and storage
- Amazon Web Services, Inc. (AWS) — upstream infrastructure
- Stripe, Inc. — payment processing
- Sentry.io / Functional Software, Inc. — error monitoring and application diagnostics
- Vercel AI Gateway and configured AI model providers — AI model inference for optional custom-template generation
- Langfuse — optional AI observability for template-generation traces, enabled only when configured
- Additional operational tools as disclosed on the sub-processor list
We may add or change sub-processors from time to time with at least 30 days' notice to paid customers via email or the sub-processor page.
5.2 Business Transfers
If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of the transaction, subject to standard confidentiality protections. We will notify affected users of any material change in control.
5.3 Legal Requirements
We may disclose information:
- In response to lawful requests from public authorities, including to meet national security or law enforcement requirements.
- To comply with applicable law, regulation, court order, or legal process.
- To protect the rights, property, or safety of DocuJSON, our users, or others.
- To enforce the Terms of Service or defend against legal claims.
5.4 With Your Consent
We may share information for any other purpose with your explicit consent.
5.5 Aggregated or De-identified Data
We may share aggregated or de-identified data that cannot reasonably be used to identify you — for example, usage analytics, industry benchmarks, or product telemetry.
6. Data Retention
We retain personal information only as long as necessary for the purposes described in this Policy:
| Data Category | Retention Period |
|---|---|
| Account information | Active lifetime + 6 months after account deletion |
| Customer Content (JSON payloads sent to the API) | Processed transiently; deleted after PDF generation and delivery, except for request metadata logs |
| Generated Output (PDFs) | Stored for up to 24 hours after generation, then deleted by our scheduled cleanup process. Auth-gated PDF links may expire sooner depending on workspace settings. |
| Usage logs and API request metadata | 12 months, then aggregated or deleted |
| Billing and tax records | 7 years (legal requirement) |
| Security logs and audit events | 1 year; 6 years for records touching PHI once a HIPAA tier is available |
| Marketing contacts | Until you unsubscribe + 6 months |
| Custom template designs you've saved | Active lifetime + 30 days after deletion request |
| Support correspondence | 2 years |
Backups: Backups are retained on a rolling basis for up to 30 days; deletion requests are honored in live systems immediately and purged from backups within 30 days.
Deletion right: You can request deletion of your personal information at any time via privacy@docujson.com, subject to legal retention requirements (e.g., tax records).
7. Your Rights
7.1 General Rights (Available to Everyone)
You have the right to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your account and associated personal information (subject to legal retention).
- Export a copy of your data in a portable format.
- Opt out of marketing emails via the unsubscribe link.
Submit requests at privacy@docujson.com. We respond within 30 days.
7.2 California Residents (CCPA / CPRA)
As a California resident, you have the right to:
- Know what personal information we collect, use, disclose, and (if applicable) sell or share.
- Access your personal information via a verifiable request.
- Delete your personal information (subject to legal retention).
- Correct inaccurate personal information.
- Opt out of sale and sharing. We do not "sell" personal information as defined by the CCPA. We do not "share" personal information for cross-context behavioral advertising.
- Limit use of Sensitive Personal Information. We do not use Sensitive Personal Information for purposes beyond what is necessary to provide the Services.
- Non-discrimination. We will not discriminate against you for exercising your rights.
- Authorized agent. You may use an authorized agent to submit a request. We will verify identity and authorization.
Submit California rights requests to privacy@docujson.com with "CCPA Request" in the subject.
Categories of personal information collected (CCPA):
- Identifiers (name, email, IP address)
- Commercial information (subscriptions, transactions)
- Internet activity (usage data)
- Geolocation (IP-based, coarse)
- Audio/visual (only if you upload images or logos)
- Professional or employment-related (company name)
- Inferences (usage patterns)
We do not collect Sensitive Personal Information beyond what is strictly necessary to operate the Services (account credentials; payment information handled by Stripe).
No financial incentive programs. We do not offer financial incentives in exchange for personal information.
7.3 Residents of the EEA, UK, Switzerland (GDPR / UK GDPR)
You have the additional rights to:
- Object to processing based on legitimate interests.
- Restrict processing in certain circumstances.
- Data portability — receive your data in a structured, machine-readable format.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with your local Data Protection Authority.
Submit requests to privacy@docujson.com.
International transfers: Our Services are hosted in the United States. When personal data is transferred from the EEA/UK/Switzerland to the US, we rely on the European Commission's Standard Contractual Clauses and, where applicable, supplementary measures. Contact us for a copy of the clauses.
EU Representative (Art. 27): If/when we formally serve EU customers at scale, we will appoint an EU representative and update this Policy.
7.4 Other US States
Users in Virginia, Colorado, Connecticut, Utah, Texas, and other US states with privacy laws have substantially similar rights. Use the same contact channel at privacy@docujson.com.
8. Security
We implement commercially reasonable security measures including:
- TLS encryption for data in transit.
- Encrypted storage at rest (provider-managed).
- Role-based access controls, with access to production systems limited to authorized personnel.
- Multi-factor authentication for internal systems.
- API key hashing (SHA-256): API keys are stored only as SHA-256 digests. The raw key is shown once at creation and is never stored afterwards, so a database compromise does not expose usable keys.
- Regular security reviews and updates.
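As an added illustration of the API-key practice listed above, here is an example written for this page (not DocuJSON's own code) of issuing, storing and verifying keys so that only a SHA-256 digest ever reaches the database. The `dj_` key prefix, the 8-character key id used for lookup, the in-memory dictionary standing in for a database table, and the workspace ids are assumptions made for the example. Unsalted SHA-256 is adequate here only because each key carries 32 bytes of randomness; user passwords still need a slow, salted hash.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumed key format: "dj_" + 8 hex chars of key id + "_" + random secret.
KEY_PREFIX = "dj_"

# Constructed in-memory stand-in for the database table that would hold
# API keys. Maps key_id -> (sha256 hex digest of the full key, workspace id).
# Note that the raw key never appears in this structure.
KEY_STORE: Dict[str, Tuple[str, str]] = {}


def hash_api_key(raw_key: str) -> str:
    """Digest under which a key is stored and later looked up.

    No salt is used: the secret part of the key is 32 random bytes, so an
    attacker holding the digest cannot brute-force it the way a password
    digest can be attacked. Do not reuse this for passwords."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def issue_api_key(workspace_id: str) -> str:
    """Create a key, persist only its digest, and return the raw key once."""
    key_id = secrets.token_hex(4)            # public lookup id, safe to log
    secret = secrets.token_urlsafe(32)       # 32 random bytes, base64url
    raw_key = f"{KEY_PREFIX}{key_id}_{secret}"
    KEY_STORE[key_id] = (hash_api_key(raw_key), workspace_id)
    return raw_key                           # shown to the user one time only


def parse_key_id(raw_key: str) -> Optional[str]:
    """Extract the lookup id; reject anything not matching the key format."""
    if not raw_key.startswith(KEY_PREFIX):
        return None
    parts = raw_key[len(KEY_PREFIX):].split("_", 1)
    if len(parts) != 2 or len(parts[0]) != 8:
        return None
    return parts[0]


def authenticate(raw_key: str) -> Optional[str]:
    """Return the workspace id for a valid key, else None.

    The digest comparison is constant-time so that a caller cannot learn
    how many leading bytes of a guessed key matched."""
    key_id = parse_key_id(raw_key)
    if key_id is None:
        return None
    record = KEY_STORE.get(key_id)
    if record is None:
        return None
    stored_digest, workspace_id = record
    if not hmac.compare_digest(stored_digest, hash_api_key(raw_key)):
        return None
    return workspace_id


def revoke_api_key(key_id: str) -> bool:
    """Revocation only needs the public id, never the secret."""
    return KEY_STORE.pop(key_id, None) is not None


if __name__ == "__main__":
    key = issue_api_key("ws_demo")
    print("issued:", key)
    print("authenticates as:", authenticate(key))
    print("raw key absent from store:", all(key not in d for d, _ in KEY_STORE.values()))
```

The lookup id lets the server find the right row without scanning every digest, and because the id carries no secret it can appear in logs and error reports while the secret part never should.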
For detailed security practices and roadmap items (SOC 2 Type I in progress, HIPAA on roadmap), see our Security Page.
No system is perfectly secure. If you believe your account or data has been compromised, notify security@docujson.com immediately.
9. Children's Privacy
The Services are intended for business use and are not directed to individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18, and in no event from a child under 13 (consistent with the U.S. Children's Online Privacy Protection Act). If we learn we have collected such information, we will delete it promptly. Contact privacy@docujson.com with concerns.
If you are a California resident under 18 who has submitted content to the Services, you may request its removal by emailing privacy@docujson.com. Removal may not be complete in all circumstances (e.g., if content was shared elsewhere before removal).
10. AI Transparency Disclosure
10.1 How We Use AI
Our custom-template generation feature uses third-party large language models routed through Vercel AI Gateway or another configured AI provider to translate your prompts, reference materials, and sample data into HTML templates. The model provider may vary by feature configuration and may include providers such as Alibaba, Google, Anthropic, or OpenAI. When you use this feature:
- Your inputs (prompts, reference images, sample JSON) are transmitted to the model provider for inference.
- We do not use your inputs or the model outputs to train our own models.
- Model providers may retain inputs briefly for abuse detection; see the applicable provider policies. API inputs are not intended to be used to train provider models unless a provider-specific feature explicitly states otherwise.
10.2 AI-Generated Content
The template HTML produced by the AI feature is provided "as-is." We sanitize output for malicious code using DOMPurify and related controls, but we do not guarantee that AI-generated templates are free of errors, bias, or suitability for any particular purpose. You are responsible for reviewing generated templates before putting them into production.
10.3 AI Training Transparency (incl. California AB 2013)
We do not train or develop generative AI models. We use third-party models as described above. Our role is that of a platform that sends user inputs to a model and presents outputs.
11. Cookies and Similar Technologies
This section explains how we use cookies and similar technologies on our website (https://docujson.com) and within our dashboard. We do not use advertising cookies, cross-site tracking, or third-party retargeting.
11.1 Categories
- Strictly necessary — required for the site to function (e.g., authentication, security).
- Functional — remember your preferences, if those features are enabled.
- Analytics — help us understand, in aggregate, how the site is used, if analytics is enabled.
11.2 Strictly Necessary Cookies
| Name | Purpose | Duration | Set by |
|---|---|---|---|
| Supabase auth cookies | Authenticate and refresh your session | Session / provider-configured duration | Supabase |
| Workspace selection cookie | Remembers your selected workspace in the dashboard | Session / short-term | DocuJSON |
These cannot be turned off without breaking the site.
11.3 Functional Cookies
| Name | Purpose | Duration | Set by |
|---|---|---|---|
| Preference cookies, if enabled | Remember non-essential interface preferences such as dismissed notices or display choices | Varies by preference | DocuJSON |
We do not currently rely on functional cookies for advertising or cross-site tracking.
11.4 Analytics
We do not currently use advertising analytics, cross-site behavioral tracking, or a cookie-based analytics provider. If we add privacy-preserving analytics in the future, we will update this Policy and the sub-processor list before using it for production traffic. If we add any cookie-based analytics provider, we will list the cookies it sets and obtain prior opt-in consent where required.
11.5 Stripe (Billing Pages Only)
Stripe sets its own cookies to enable secure payment processing and fraud detection. These apply only when you interact with checkout pages. See Stripe's cookie policy at https://stripe.com/cookies-policy/legal.
11.6 Your Choices
- Browser controls: You can block or delete cookies through your browser settings. Blocking strictly necessary cookies will break login.
- EEA / UK users: We do not currently load non-essential cookie-based analytics or advertising cookies by default. If that changes, we will provide consent controls where required.
- California users: We do not sell personal information and do not use cookies for cross-context behavioral advertising. If you enable the Global Privacy Control (GPC) signal, we treat it as an opt-out of any sale/share (although no such sale/share currently occurs).
11.7 Do Not Track
Because there is no industry standard for responding to Do Not Track (DNT) signals, we do not currently respond to them. We do honor GPC as described above.
12. Changes to This Policy
We may update this Policy from time to time. When we do, we will:
- Post the new version at https://docujson.com/privacy.
- Update the "Last Updated" date at the top.
- For material changes, notify you by email or in-product notice at least 30 days before the change takes effect.
Continued use of the Services after an update constitutes acceptance.
13. Contact Us
For privacy questions, data subject requests, or to report a concern:
- Email: privacy@docujson.com
- Security issues: security@docujson.com
- Mailing address: Request the current privacy notice address at privacy@docujson.com
We have not appointed a Data Protection Officer. Direct privacy questions to privacy@docujson.com.
14. Related Documents
- Terms of Service (includes our Acceptable Use terms)
- Data Processing Addendum (DPA)
- Sub-processor List
- Security
This Privacy Policy applies to DocuJSON, Inc. and the Services identified above. It does not apply to third-party websites or services linked from our Services.