Privacy Policy
Effective Date: March 27, 2026
Last Updated: March 27, 2026
This Privacy Policy describes how DocSift (available at doc-sift.com), operated by DocSift (“DocSift,” “we,” “us,” or “our”), collects, uses, stores, and protects your personal information.
We built DocSift to handle sensitive professional documents, and we take data privacy seriously. This policy is written in plain English so you can understand exactly what happens with your data.
1. Who We Are
DocSift is a document processing and analysis platform operated by DocSift. Our service is based in the United States.
Contact: support@doc-sift.com
2. Information We Collect
2.1 Information You Provide
| Data | Purpose |
|---|---|
| Account information (email address, name, password) | To create and manage your account |
| Documents you upload (PDFs, images, Word files, text files) | To provide AI extraction and analysis |
| Workspace information (workspace names, descriptions) | To organize your documents |
| Chat messages (questions you ask about your documents) | To provide cross-document Q&A |
| Payment information (processed by Stripe, not stored by us) | To process subscription payments |
2.2 Information We Generate
| Data | Purpose |
|---|---|
| Extracted text from your documents | To enable search, chat, and export features |
| Structured extraction data (dates, amounts, parties, obligations) | To provide structured data output |
| Document chunks and vector embeddings | To power cross-document search and Q&A |
| AI-generated chat responses | To answer your questions about your documents |
2.3 Information Collected Automatically
| Data | Purpose |
|---|---|
| Usage data (pages visited, features used, timestamps) | Product analytics to improve DocSift |
| Device information (browser type, operating system) | To ensure compatibility and debug issues |
| IP address | Security, rate limiting, and fraud prevention |
3. How We Use Your Information
We use your information only to:
- Provide the Service: Process your documents, generate extractions, answer questions, and produce exports
- Maintain your account: Authentication, session management, and account preferences
- Send transactional emails: Account verification, password resets, and important service notifications
- Improve the Service: Analyze aggregate usage patterns to prioritize features and fix issues
- Ensure security: Detect and prevent fraud, abuse, and unauthorized access
We do NOT use your information to:
- Train AI models (neither ours nor our AI provider's)
- Sell, rent, or share your data with advertisers
- Profile you for marketing purposes
- Make automated decisions about you
4. AI Processing Disclosure
This section is important. Please read it carefully.
When you upload documents to DocSift, the text content of those documents is sent to Anthropic's Claude API for analysis. This is how we extract structured data and answer questions about your documents.
What you should know:
- Anthropic does not use your data to train their AI models. This is guaranteed by our commercial agreement with Anthropic.
- Anthropic may temporarily retain API inputs and outputs for up to 30 days for safety monitoring purposes, after which the data is deleted. They do not use this data for training.
- We have a Data Processing Agreement (DPA) with Anthropic that governs their handling of your data, including GDPR and CCPA compliance obligations.
- AI outputs may contain errors. We do not guarantee the accuracy of any AI-generated content. See our Terms of Service for details.
When you use the chat feature, your question and relevant excerpts from your documents (not the full documents) are sent to Anthropic's API to generate an answer.
We also use OpenAI's text-embedding-3-small model to generate search embeddings — mathematical representations of your document text that enable the chat search feature. Your document text is sent to OpenAI's API for this purpose only.
- OpenAI does not use API data to train their models. Data sent via the API is not used for training (per OpenAI's API data usage policy).
- No document content is permanently stored by OpenAI. Embeddings are computed and returned; the original text is not retained.
5. How We Store and Protect Your Data
5.1 Storage
| Data | Location | Encryption |
|---|---|---|
| Account data, extracted text, chat messages | Neon Postgres (US) | AES-256 at rest, TLS 1.2+ in transit |
| Original uploaded files | Vercel Blob / AWS S3 (US) | AES-256 at rest, TLS 1.2+ in transit |
| Vector embeddings | Neon Postgres (US) | AES-256 at rest, TLS 1.2+ in transit |
5.2 Access Controls
- No DocSift employee can view your documents. We have no admin panel, no document viewer, and no support tool that displays file contents. This is by design, not just policy.
- Your files are stored in private cloud storage. There are no public URLs to your documents.
- Every database query is scoped to your user account. You can only access your own workspaces and documents.
- All file access requires authentication and ownership verification.
5.3 Security Measures
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
- File uploads are validated for type and size
- Rate limiting is applied to prevent abuse
- Session management is handled by a secure authentication system
6. Third-Party Service Providers
We share your data with the following service providers, solely to operate DocSift:
| Provider | Purpose | Data Shared | Their Privacy Policy |
|---|---|---|---|
| Anthropic | AI document analysis and chat | Document text, chat queries | anthropic.com/privacy |
| Vercel | Hosting and file storage | All application data, uploaded files | vercel.com/legal/privacy-policy |
| Neon | Database | Account data, extracted text, embeddings | neon.tech/privacy-policy |
| Resend | Transactional email | Email address, verification tokens | resend.com/legal/privacy-policy |
| PostHog | Product analytics | Usage data, device information, IP address | posthog.com/privacy |
| Stripe | Payment processing (when applicable) | Payment details (not stored by us) | stripe.com/privacy |
| Sentry | Error monitoring | Error messages, stack traces, browser/OS info, IP address | sentry.io/privacy |
| OpenAI (planned) | Text embeddings for document search (may be used in a future update) | Document text chunks | openai.com/privacy |
We do not sell, rent, or trade your personal information to any third party. We do not share your data with advertisers.
7. Data Retention
7.1 Active Accounts
Your documents and data are retained for as long as your account is active and you have not deleted them. There is no automatic expiration.
7.2 When You Delete Documents
When you delete a document, we perform a hard delete:
- The original file is deleted from cloud storage immediately
- Extracted text, structured data, and vector embeddings are deleted from our database immediately
- Chat history that references the deleted document is preserved (your questions and answers remain, but source links become inactive)
There is no trash folder or recovery period. Deletion is permanent.
7.3 When You Delete Your Account
When you delete your account:
- All your workspaces, documents, extractions, chat history, and uploaded files are permanently deleted
- All authentication records are deleted
- Deletion from active systems is completed within 24 hours
Backups: Our database provider (Neon) retains backups for up to 30 days with point-in-time recovery. This means deleted data may persist in backups for up to 30 days after deletion, after which it is permanently purged. We do not restore individual data from backups.
7.4 What We Retain After Account Deletion
- Anonymized, aggregated usage metrics (e.g., total documents processed, total queries run) with no personally identifiable information
- Payment records, if applicable, are retained by Stripe per their legal obligations — not by us
Nothing else.
8. Your Rights
Depending on where you live, you may have some or all of the following rights regarding your personal data:
8.1 For All Users
- Access and export your data.You can download your original files, extraction results, and chat history at any time through the application. We also provide a “Download All My Data” feature in account settings.
- Delete your data. You can delete individual documents, entire workspaces, or your full account at any time. Deletion is immediate and permanent.
- Correct your data. You can update your profile information (name, email) in account settings. You can re-upload documents if extraction results need correction.
8.2 For EU/EEA Residents (GDPR)
In addition to the above, you have the right to:
- Restrict processing: You can delete documents to stop them from being used in future queries. Contact us if you need to restrict processing in other ways.
- Object to processing: We do not use your data for profiling, marketing, or automated decision-making. If you object to our processing, contact us and we will address your concern.
- Data portability: Use our export feature to receive your data in a structured, machine-readable format (JSON, CSV).
- Lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.
8.3 For California Residents (CCPA)
- Right to know: This Privacy Policy describes all categories of personal information we collect and how we use them.
- Right to delete: Use our self-service deletion features or contact us.
- Right to opt-out of sale: We do not sell your personal information. We have never sold personal information. We will never sell personal information.
- Non-discrimination: We will not treat you differently for exercising your CCPA rights.
8.4 Exercising Your Rights
For most rights, you can use the self-service features in your DocSift account (export, delete, update profile). No manual request is needed.
If you need to make a request that cannot be handled through the application, email us at support@doc-sift.com. We will respond within 30 days. We may need to verify your identity before processing your request.
9. Legal Basis for Processing (GDPR)
If you are in the EU/EEA, our legal bases for processing your personal data are:
| Processing Activity | Legal Basis |
|---|---|
| Providing the Service (document processing, chat, export) | Contract performance — necessary to deliver the service you signed up for |
| Account management and authentication | Contract performance |
| Transactional emails (verification, password reset) | Contract performance |
| Product analytics (usage patterns, feature usage) | Legitimate interest — improving the Service |
| Security monitoring (rate limiting, fraud prevention) | Legitimate interest — protecting the Service and its users |
10. International Data Transfers
DocSift is based in the United States. All our infrastructure providers (Vercel, Neon, Anthropic) process data in the United States.
If you are located outside the United States (including the EU/EEA), your data will be transferred to and processed in the United States. These transfers are protected by:
- Standard Contractual Clauses (SCCs)available in our service providers' standard DPAs. We are in the process of executing individual Data Processing Agreements with Anthropic, Vercel, and Neon
- EU-US Data Privacy Framework where applicable (Vercel is certified)
By using DocSift, you consent to the transfer of your data to the United States.
11. Cookies and Tracking
We use a minimal set of cookies:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| Session cookie | Strictly necessary | Keeps you logged in | Session / 30 days |
| PostHog analytics | Performance | Anonymous usage analytics | Per PostHog policy |
- No advertising cookies. We do not serve ads and do not use advertising trackers.
- No third-party tracking cookies. We do not allow third parties to track you on our site.
You can disable analytics cookies in your browser settings. The Service will function normally without them.
12. Do Not Sell My Personal Information
Under the California Consumer Privacy Act (CCPA), California residents have the right to opt out of the sale of their personal information.
We do not sell your personal information. We have never sold personal information, and we have no plans to do so. This applies to all users, not just California residents.
We share data with the service providers listed in Section 6 solely to operate DocSift. This is not a “sale” under the CCPA.
13. Children
DocSift is not directed at children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us with personal information, please contact us at support@doc-sift.com and we will delete it promptly.
14. Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users by email within 72 hours of becoming aware of the breach
- Describe the nature of the breach, the data affected, and the steps we are taking
- Notify relevant supervisory authorities as required by law (e.g., the California Attorney General if more than 500 California residents are affected)
15. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:
- Sending an email to the address associated with your account
- Posting a notice on the Service
Material changes will take effect 30 days after notification. Your continued use of DocSift after the effective date constitutes your acceptance of the updated policy.
Non-material changes (such as formatting or clarifications that do not affect your rights) may take effect immediately.
16. Contact Us
If you have questions about this Privacy Policy or how we handle your data, contact us at:
Email: support@doc-sift.com
Website: doc-sift.com
For GDPR inquiries, you may also contact your local data protection supervisory authority.
This Privacy Policy was last updated on March 27, 2026.