Privacy Policy
At Docstruct Technologies Private Limited, we understand that trust is the foundation of every document workflow. This Privacy Policy explains what personal data we collect, why we collect it, how we protect it, and what rights you have over it — whether you are a Primary Organisation administrator, an internal team member, a Third Party User, or a visitor to our website.
Section 01
Overview
Docstruct operates a B2B Software-as-a-Service platform centred on Zero-Touch Document Orchestration. In the course of delivering this Service, we inevitably process personal data — of the people who administer and use the platform, and potentially of the individuals whose information appears within documents processed through it.
This Policy applies to two distinct categories of data:
- Platform Data — data about users of the Docstruct platform (e.g., account holders, team members, Third Party Users) that Docstruct processes as a Data Fiduciary.
- Customer Data — documents and data uploaded or processed by Primary Organisations through the Service, for which the PO acts as the Data Fiduciary and Docstruct acts as a Data Processor / Data Fiduciary on behalf of that PO.
Section 02
Who We Are
Docstruct Technologies Private Limited is a company incorporated under the Companies Act, 2013, with its registered office in Bengaluru, Karnataka, India. We are the Data Fiduciary for Platform Data collected in connection with access to and use of the Docstruct Service.
For Customer Data processed within the Service on behalf of a Primary Organisation, Docstruct acts as a Data Processor. The PO's obligations as Data Fiduciary for its own end-data subjects are governed by the Data Processing Agreement (DPA) executed between the parties.
Section 03
Scope of This Policy
This Policy applies to:
- Visitors to the Docstruct website (docstruct.ai and subdomains);
- Prospective customers who submit enquiries, register for demos, or sign up for a trial;
- Primary Organisation (PO) administrators and their internal team members (Makers, Checkers, Approvers);
- Third Party (TP) representatives and Third Party Users (TPUs) who access the platform at a PO's invitation; and
- Any other individual whose personal data Docstruct processes as a Data Fiduciary.
This Policy does not govern the personal data of individuals that appears within documents processed by a PO via the Service. That data is governed by the PO's own privacy notices and the DPA between Docstruct and the PO.
Section 04
Data We Collect
| Category | Examples | Who It Relates To |
|---|---|---|
| Identity Data | Full name, job title, employee ID | PO users, TPUs, prospects |
| Contact Data | Work email address, phone number, organisation name | PO users, TPUs, prospects |
| Account & Credential Data | Hashed passwords, SSO tokens, MFA configuration | All registered users |
| Role & Permission Data | Assigned roles (Maker, Checker, Approver), workspace access scope | All registered users |
| Usage & Behavioural Data | Feature interactions, page views, session duration, workflow steps triggered, error events | All registered users |
| Technical & Device Data | IP address, browser type, OS, device identifiers, time-zone | All users & website visitors |
| Audit & Activity Log Data | Timestamp, action type, document ID, user ID for every workflow action | All registered users |
| Communication Data | Support tickets, chat transcripts, email correspondence with Docstruct | All users & prospects |
| Payment & Billing Data | Invoice details, GST number, billing contact name — payment card data is held by our payment processor, not Docstruct | PO billing contacts |
| Marketing Preference Data | Newsletter opt-in/out, campaign interaction | Prospects, website visitors |
Section 05
How We Collect Data
5.1 Directly from You
When you register for an account, fill in a contact form, request a demo, respond to a survey, raise a support ticket, or communicate with us by email or chat.
5.2 Automatically Through the Service
When you use the platform, our servers, application logs, and analytics tools automatically record usage data, technical data, and audit log data. This includes all actions taken within the Immutable Audit Chain.
5.3 From Your Organisation (PO)
If a PO administrator invites you to the platform as an internal user or as a TPU, we receive your name, email address, and role from that administrator. The PO is responsible for obtaining any consent required for this sharing.
5.4 From Third-Party Services
We may receive data from identity providers (e.g., SSO via Google Workspace or Microsoft Entra), payment processors, CRM tools, and marketing platforms. We use this data only in accordance with this Policy.
5.5 Cookies & Similar Technologies
See Section 14 for full details on cookies and tracking. You can manage your cookie preferences at any time via our Cookie Settings page.
Section 06
Lawful Basis for Processing
Under the Digital Personal Data Protection Act, 2023 (DPDPA) and applicable data-protection law, Docstruct relies on the following grounds to process personal data:
| Ground | When We Rely on It |
|---|---|
| Consent | Marketing communications; optional analytics; where explicitly indicated at point of collection |
| Contractual Necessity | Providing, maintaining, and supporting the Service; account management; billing |
| Legitimate Interests | Security monitoring; fraud prevention; product analytics (where not overriding your interests); direct marketing to existing customers |
| Legal Obligation | Responding to lawful requests from regulators or courts; maintaining tax and audit records |
| Vital Interests | Emergency scenarios where processing is necessary to protect life |
Section 07
How We Use Your Data
Docstruct uses Platform Data for the following purposes:
- Service Delivery: Provisioning and maintaining your account, processing document workflows, enforcing RBAC permissions, and enabling Connector integrations.
- Authentication & Security: Verifying identities, detecting and preventing unauthorised access, fraud, abuse, and security threats.
- Audit & Compliance: Writing and maintaining the Immutable Audit Chain; generating governance reports for PO administrators.
- Support & Communication: Responding to support requests, providing onboarding assistance, and sending service-critical notifications.
- Product Improvement: Analysing usage patterns to improve performance, reliability, and features — using aggregated or pseudonymised data wherever possible.
- Billing & Payments: Processing invoices, collecting fees, and maintaining financial records.
- Marketing (with consent): Sending newsletters, product updates, webinar invitations, and event communications. You may opt out at any time.
- Legal & Regulatory Compliance: Meeting obligations under applicable law, including DPDPA 2023, GST regulations, Companies Act, and sector-specific requirements.
We do not use Platform Data to build profiles for sale to third parties, and we do not make automated decisions that have significant legal or similarly significant effects on individuals without human oversight.
Section 08
Customer Data & Document Processing
Customer Data — the documents, extracted fields, metadata, and outputs generated within a PO's workspace — belongs to the PO. Docstruct processes Customer Data strictly as instructed by the PO and only to the extent necessary to provide the Service.
Specifically, Docstruct:
- Does not access Customer Data for any purpose other than providing, maintaining, and troubleshooting the Service;
- Does not disclose Customer Data to any third party except as required by law or as expressly authorised by the PO;
- Does not use Customer Data to train, fine-tune, or evaluate AI or machine-learning models (see Section 9); and
- Processes Customer Data in accordance with the PO's configured Rules, Connectors, and workflow instructions — not at Docstruct's discretion.
POs are responsible for obtaining all necessary consents from individuals whose personal data appears in documents submitted to the Service.
Section 09
AI Processing & Zero-Training Commitment
The Docstruct platform uses artificial intelligence — including large language models, OCR, and classification models — to extract, validate, and classify data from documents.
AI-extracted outputs are provided as operational aids. They pass through your configured Maker-Checker Workflow for human validation before any downstream action. Docstruct does not make legally binding determinations solely on the basis of automated AI processing.
Where Docstruct uses third-party AI model providers, those providers process data only under strict data-processing terms prohibiting model training on customer inputs.
Section 11
International Data Transfers
Docstruct's primary infrastructure is hosted in India. Where we engage sub-processors outside India, we ensure appropriate safeguards:
- Standard contractual clauses or equivalent mechanisms recognised under DPDPA 2023;
- Transfer only to countries or organisations providing adequate data protection; and
- Contractual restrictions prohibiting onward transfers without written consent.
Customers requiring data residency in India may request this through their Enterprise plan. Contact privacy@docstruct.ai for details.
Section 12
Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Account & Identity Data | Duration of account + 90 days post-termination | Contractual necessity |
| Audit Chain / Activity Logs | Minimum 7 years (or as required by applicable law) | Legal obligation, regulatory compliance |
| Customer Data (documents) | Per DPA / Subscription Plan; 30-day export window post-termination | Contractual; as instructed by PO |
| Usage & Analytics Data | 24 months (pseudonymised) | Legitimate interests |
| Financial & Billing Records | 8 years | Legal obligation (GST, Companies Act) |
| Support Correspondence | 3 years post-closure of ticket | Legitimate interests |
| Marketing Preference Data | Until opt-out + 30 days | Consent |
After the applicable retention period, data is securely deleted or irreversibly anonymised.
Section 13
Security
Docstruct implements appropriate technical and organisational measures to protect personal data:
- Encryption: Data encrypted at rest (AES-256) and in transit (TLS 1.2+);
- Access Controls: Strict RBAC, least-privilege principles, and MFA enforced for all internal personnel;
- Immutable Audit Chain: All platform actions logged in a tamper-evident, append-only record;
- Vulnerability Management: Regular penetration testing, dependency scanning, and timely patching;
- Incident Response: Documented incident response plan aligned to DPDPA 2023 breach-reporting obligations; and
- Sub-Processor Oversight: Security assessments on all material sub-processors before engagement.
No method of data transmission or storage is completely secure. In the event of a breach likely to result in risk to your rights, we will notify you and the relevant Data Protection Board as required by law.
Section 15
Your Privacy Rights
Subject to applicable law, you have the following rights. To exercise any, submit a request to privacy@docstruct.ai. We will respond within 30 days.
Right to Access
Request a copy of the personal data we hold about you and information about how it is processed.
Right to Correction
Request that inaccurate or incomplete personal data be corrected or updated.
Right to Erasure
Request deletion of your personal data where there is no overriding legal basis for retention.
Right to Data Portability
Request your personal data in a structured, commonly used, machine-readable format.
Right to Withdraw Consent
Where processing is based on consent, withdraw it at any time — this does not affect prior lawful processing.
Right to Grievance Redressal
Raise a grievance with our Data Protection Officer and receive a timely response under DPDPA 2023.
Right to Nominate
Nominate another individual to exercise your rights on your behalf in the event of your death or incapacity.
Right to Complain
Lodge a complaint with the Data Protection Board of India if you believe your rights have been violated.
Section 16
Children's Privacy
The Docstruct Service is intended exclusively for business use by adults. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor's data has been submitted, contact us at privacy@docstruct.ai.
Section 17
DPDPA 2023 Compliance
Docstruct's data practices are designed in alignment with the Digital Personal Data Protection Act, 2023 (DPDPA). Our commitments include:
- Purpose Limitation: Personal data collected only for specified, explicit, and lawful purposes;
- Data Minimisation: We collect only data that is adequate and necessary;
- Accuracy: Reasonable steps to ensure data is accurate and up to date;
- Storage Limitation: Data not retained longer than necessary (see Section 12);
- Integrity & Confidentiality: Appropriate security measures implemented (see Section 13);
- Accountability: Internal records of processing activities and appointed DPO;
- Breach Notification: Material breaches reported to DPB India and affected individuals; and
- Consent Management: Clear records and easy withdrawal mechanisms.
Where sector-specific regulations apply, the applicable PO is responsible for their own compliance, and Docstruct will support through the DPA as agreed.
Section 18
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page;
- Notify registered users via email or an in-product banner at least 30 days before the change takes effect; and
- Where required by law, seek fresh consent for any new processing purposes.
Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.
Section 19
Contact & Data Protection Officer
If you have any questions, concerns, or requests relating to this Privacy Policy or Docstruct's data practices, please contact our Data Protection Officer (DPO).
If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Board of India, once established under DPDPA 2023.