Privacy Policy

Last updated: May 9, 2026

The docule.dev website and API service is operated by Katse Holding Oy (Finnish business ID 3274118-8), referred to in this policy as "we", "us", or "our". This page describes how we collect, use, and protect your information.

1. Data controller

Katse Holding Oy
Business ID: 3274118-8
Finland
Contact: support@docule.dev

2. Information we collect

Account information. When you sign up, we collect your email address. We use passwordless authentication via magic links — we do not store passwords.

Usage data. We log API requests including timestamps, document page counts, processing method, and credit consumption. We do not log the content of your documents.

Payment information. If you subscribe to a paid plan, payment is processed by Stripe. We do not store credit card numbers. We receive your Stripe customer ID and subscription status.

3. How we use your information

• To provide and maintain the service
• To authenticate you and manage your account
• To track usage and enforce rate limits
• To process payments via Stripe
• To send transactional emails (magic links, billing notifications)
• To improve the service based on aggregate usage patterns
• To prevent fraud, abuse, and unauthorised access

Legal basis (GDPR Article 6). We process your personal data on the following bases:

• Performance of a contract (Art. 6(1)(b)) — providing the API service, billing, account management, transactional email.
• Legitimate interests (Art. 6(1)(f)) — security, fraud prevention, abuse mitigation, aggregate analytics, debugging.
• Consent (Art. 6(1)(a)) — optional analytics cookies. You can withdraw consent at any time from the cookie banner.
• Legal obligation (Art. 6(1)(c)) — retention of accounting records as required by Finnish bookkeeping law.

4. Document processing

Your documents are not stored. Files uploaded via the API are processed in memory and discarded after parsing is complete. We do not retain, read, or use the content of your documents for any purpose other than returning the parsed output to you.

AI-assisted parsing. Most pages are processed by local libraries on our own servers. For pages where local extraction is insufficient (complex tables, scanned content, charts), the relevant page image or text is sent to OpenAI for processing via the OpenAI API. OpenAI processes this data on our behalf as a sub-processor and, under the OpenAI API data policy, does not use API inputs or outputs to train its models. Data is encrypted in transit and is retained by OpenAI for up to 30 days for abuse monitoring before deletion.

Parsed results. The parsed output is cached for retrieval and automatically deleted after 24 hours. Job metadata (filename, page count, timestamps, status) is retained for billing and history.

We never use your documents or parsed output to train any machine-learning models.

5. Sub-processors and data sharing

We do not sell or rent your personal information. We share data only with the sub-processors listed below, each of which is contractually bound to process data on our behalf:

• Stripe, Inc. (United States) — payment processing and subscription management. Receives your email and Stripe customer ID.
• Resend (United States) — transactional email delivery (magic links, billing notifications). Receives your email and message content.
• Clerk, Inc. (United States) — authentication and session management. Receives your email and login metadata.
• OpenAI, L.L.C. (United States) — AI-assisted document parsing as described in section 4. Receives page images or text from documents requiring AI processing. Does not train on API data.
• Hetzner Online GmbH (Germany, EU) — hosting infrastructure. Stores account data and short-term parse results within the EU.

We may also disclose information when required by applicable law, court order, or to protect our legal rights.

6. International data transfers

Some of our sub-processors (Stripe, Resend, Clerk, OpenAI) are based in the United States. When personal data is transferred outside the European Economic Area, the transfer is protected by the European Commission's Standard Contractual Clauses (SCCs) as required by GDPR Chapter V. Where a sub-processor is certified under the EU–U.S. Data Privacy Framework, that adequacy mechanism additionally applies.

Hosting and primary data storage take place within the European Union (Germany).

7. Data retention

• Account data: retained while your account is active
• Usage logs: retained for 12 months for billing and analytics
• Uploaded documents: not retained (processed in memory only)
• Parsed results: cached for 24 hours, then deleted

8. Security

We use industry-standard security measures including:

• TLS encryption for all connections
• API keys stored as SHA-256 hashes (we cannot see your key)
• Passwordless authentication (no password database to breach)
• Session cookies with HttpOnly, Secure, and SameSite flags

9. Your rights

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under GDPR:

• Right of access (Art. 15) — request a copy of the personal data we hold about you.
• Right to rectification (Art. 16) — correct inaccurate or incomplete data.
• Right to erasure (Art. 17) — request deletion of your account and associated data.
• Right to restriction of processing (Art. 18) — limit how we use your data while a dispute is being resolved.
• Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
• Right to object (Art. 21) — object to processing based on legitimate interests.
• Right to withdraw consent (Art. 7(3)) — withdraw consent for analytics cookies at any time.
• Right to lodge a complaint (Art. 77) — complain to the Finnish Data Protection Ombudsman (tietosuoja.fi) or your local supervisory authority.

You can also revoke API keys at any time from the dashboard, and delete your account from Settings. To exercise any other right, contact us at support@docule.dev; we respond within 30 days.

10. Cookies

We use cookies for two purposes only:

• Authentication — a session cookie that keeps you signed in.
• Analytics (optional) — if you click "Accept" on the cookie banner, we set docule_analytics to record how people use the site (page views, time on page, button clicks) so we can improve it. The data stays on our own servers — no third-party trackers, no ads, no cross-site profiles. You can opt out at any time from the cookie preferences link.

If you do not consent, analytics events are dropped at the server — nothing about your visit is stored.

11. Changes to this policy

We may update this policy from time to time. Changes will be posted on this page with an updated date. Continued use of the service constitutes acceptance of the updated policy.

12. Contact

For questions about this privacy policy, contact us at support@docule.dev.