Privacy Policy

Last updated: May 2, 2026

This Privacy Policy describes how CV Web Services (“we”, “us”, or “our”), operating the DocumentAI.dev platform, collects, uses, and protects your personal data when you use our service.

1. Data Controller

The data controller for the purposes of applicable data protection legislation is:

• Company: CV Web Services
• Email: contact@documentai.dev
• Website: documentai.dev

2. Data We Collect

2.1 Account Data

When you create an account, we collect your email address. If you sign in with Google, we receive your email address from Google. Passwords are handled by Firebase Authentication and are never stored in plaintext.

2.2 Workspace & Team Data

We store workspace membership information, including email addresses of workspace members, their assigned roles, and invitation records.

2.3 Documents & Content

When you use our APIs, the documents and text you submit are processed to extract content, generate Markdown, produce structured JSON, or create semantic embeddings. For the Store & Search API, document text and vector embeddings are stored in our database until you choose to delete them.

2.4 Billing Data

Payment processing is handled entirely by Stripe. We do not store credit card numbers or banking details. We store only references to your Stripe customer account (customer ID, subscription ID, and plan information) to manage your subscription status.

2.5 Usage Data

We track credit consumption, document counts, and API key usage timestamps to enforce plan limits and provide usage information in your dashboard.

2.6 Transactional Emails

We send emails for workspace invitations and usage alerts (e.g., when your credits are running low). These emails are sent to workspace owners and billing managers only.

3. How We Use Your Data

We use your data to:

• Provide and operate the Service (account management, API processing, document storage)
• Process payments and manage subscriptions
• Send transactional notifications (invitations, usage alerts)
• Enforce usage limits and prevent abuse
• Improve and maintain the Service

We do not use your documents or data to train AI models. We do not sell, rent, or share your personal data with third parties for marketing purposes. We do not use analytics or tracking tools.

4. Legal Basis for Processing

Under the GDPR, we process your personal data on the following legal bases:

• Contract performance — Processing your account data, documents, and billing information is necessary to provide the Service you signed up for.
• Legitimate interest — Security measures, fraud prevention, and service maintenance serve our legitimate interests while being proportionate to your rights.

5. Third-Party Service Providers

We use the following third-party services to operate the platform. Each processes data in accordance with their own privacy policies and applicable data protection agreements:

• Google Cloud Platform / Firebase — Authentication, database (Firestore), hosting, cloud functions, and AI-powered document processing (OCR, content extraction, embedding generation). All data is stored and processed in the EU (europe-west region).
• Stripe — Payment processing and subscription management. Stripe operates as an independent data controller for payment data.
• Cloudflare Turnstile — Bot protection on public playground features. No personal data is stored; only a verification token is exchanged.

6. Data Storage & Residency

All data is stored and processed within the European Union. Our infrastructure runs on Google Cloud in EU regions. We do not transfer your data outside the EU except as strictly necessary through our third-party providers, who maintain appropriate safeguards (such as Standard Contractual Clauses) in compliance with GDPR.

7. Data Retention

We retain your personal data for as long as your account is active and as needed to provide the Service. You may delete your documents, dataspaces, and data at any time through the dashboard or API.

When you delete your account, your personal data and account information are removed. We may retain anonymized or aggregated data that cannot be used to identify you.

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Access — Request a copy of the personal data we hold about you.
• Rectification — Request correction of inaccurate data.
• Erasure — Request deletion of your personal data.
• Restriction — Request that we limit how we use your data.
• Portability — Request your data in a portable format.
• Objection — Object to the processing of your data.

To exercise any of these rights, please contact us at contact@documentai.dev. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority. In France, this is the Commission Nationale de l'Informatique et des Libertés (CNIL).

9. Cookies & Local Storage

We use a minimal number of cookies and local storage items, all strictly necessary for the operation of the Service. We do not use any analytics, advertising, or tracking cookies. For full details, please see our Cookie Policy.

10. Security

We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS), cryptographic hashing of API keys (SHA-256), and role-based access controls for workspaces. However, no system is completely secure, and we cannot guarantee absolute security.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact

If you have any questions about this Privacy Policy or our data practices, please contact us at contact@documentai.dev.