1. Who we are
DocDrawer is a software service operated by DocDrawer Limited, registered in England and Wales (company number 12730020). Registered office details are at the end of this document.
For the purposes of UK data protection law, we are the data controller of personal information
you provide directly when using DocDrawer, and the data processor for personal information
contained within invoices, certificates and other documents your organisation processes through DocDrawer.
We are registered with the Information Commissioner's Office (ICO) under registration number ZB282653.
2. What information we collect
Account information you provide:
- Name and email address of users you invite to the platform
- Password (stored only as a one-way hash, never in plaintext)
- Company name, country, billing details, and PayProp connection credentials (where supplied)
Document and invoice data you upload or forward to us:
- Invoice and certificate PDFs (or images) sent by you, by your suppliers, or by third parties on your behalf
- Information extracted from those documents — supplier names, addresses, invoice amounts, VAT numbers, registration numbers, dates, descriptions, bank account details where present on the document, property addresses, and any other text the documents contain
- Email metadata when documents are forwarded by email (sender address, subject, time, attachment names)
Information we generate automatically:
- Audit logs of actions taken on documents (who reviewed, who published, when)
- System logs for diagnostics and abuse prevention
- Aggregated, non-identifying usage metrics
Information from third parties:
- Property and supplier records synced from your PayProp account, where you have authorised the connection
- UK VAT registration verification responses from HM Revenue & Customs (when you check a supplier VAT number against the HMRC API)
3. How we use this information
We process your personal data to provide DocDrawer's core service:
- Extracting structured data from documents you upload or forward
- Matching documents to properties and suppliers in your records
- Publishing approved invoices to your connected accounting / property management system (e.g. PayProp)
- Sending notifications about new documents, status changes, mentions, and mismatches
- Verifying supplier VAT numbers against HMRC's public register
- Account administration, support, and billing
- Detecting abuse, debugging issues, and improving service reliability
The lawful basis for this processing is contract performance (Article 6(1)(b) UK GDPR) for
customer accounts, and legitimate interests (Article 6(1)(f)) for diagnostics, security, and abuse prevention.
We do not use the contents of your documents to train any third-party AI model. The AI providers
we use (see below) are configured to not retain or train on the data we send them. We do not sell your data, and we
do not show advertising.
4. Who we share information with
We use the following third-party services to operate DocDrawer. Each one acts as a sub-processor, bound by the
same UK GDPR obligations. Data sent to each service is limited to what's needed for that service's specific purpose.
- Supabase — database and document storage. Hosted on AWS (eu-west-2, London) for UK customers.
- Vercel — application hosting and serverless functions. Edge requests served from the closest region; sensitive processing runs in EU regions.
- Anthropic — AI extraction (Claude). Data sent: invoice document content. Configured to disable model training on submitted content.
- Voyage AI — generates embedding vectors for property and supplier matching. Data sent: addresses and business names.
- Resend — transactional email (login, notifications, supplier payment summaries). Data sent: recipient email + message body.
- PayProp — your authorised property management platform. Data sent: published invoice payment instructions and supplier updates you approve.
- HM Revenue & Customs (HMRC) — VAT registration verification API. Data sent: a UK VAT number for verification. We do not transmit personal data, business names, or any other identifying detail to HMRC.
We do not transfer your data to any other third party except where required by law or to protect our legal rights.
5. International transfers
Your data is stored in the United Kingdom and European Economic Area where reasonably possible. Some of our
sub-processors (Anthropic, Voyage, Vercel) operate from the United States. Where data is transferred outside the
UK / EEA, that transfer is covered by the UK International Data Transfer Agreement (IDTA) or the EU Standard
Contractual Clauses with the UK Addendum, which provide UK-equivalent protection.
6. How long we keep your data
- Active accounts: for the duration of your subscription.
- Invoices and documents: retained while your account is active so you can search, audit, and re-export historical data.
- Soft-deleted records: retained for 180 days after deletion (recoverable by a Platform Admin during this window) before being permanently and irreversibly purged by an automated cron job.
- Audit logs: retained for at least 12 months for security and accountability.
- Closed accounts: all customer data is permanently removed within 30 days of formal account closure, except where retention is required by law (e.g. tax records).
7. Security
- All traffic between you, our service, and our sub-processors is encrypted in transit using TLS 1.2 or higher.
- Data at rest is encrypted using AES-256 (provided by AWS Key Management Service via Supabase).
- User passwords are stored as one-way hashes, never in plaintext.
- Two-factor authentication is mandatory for all users. Every account must enrol either an authenticator-app factor (TOTP) or a passkey (WebAuthn — Touch ID, Face ID, Windows Hello, YubiKey, or platform-equivalent) before reaching the dashboard. Trusted devices are remembered for 30 days; sign-ins from a new browser require a fresh second factor. Platform Admin accounts get a tighter 12-hour trust window. Only the SHA-256 hash of each device token is stored — the raw token never leaves the user's browser. A password change automatically revokes every trusted device for the affected user.
- Sensitive integration credentials (PayProp API keys, OAuth tokens) are encrypted at the application layer with AES-256-GCM using a key not exposed to the browser, in addition to the at-rest encryption above.
- Daily encrypted backups, point-in-time recovery within a 7-day window.
- Role-based access control: each user only sees data for the companies they belong to. Platform-level access is restricted to a small number of named administrators.
- Two-system separation for payments: DocDrawer holds invoice data and supplier identifiers; bank account details for payments live exclusively in PayProp and are entered there by an authorised user. No path exists in DocDrawer to set or modify a supplier's bank account. This means a compromised DocDrawer account cannot redirect a single payment.
- We do not knowingly process special-category personal data (health, biometric, etc).
8. Your rights under UK GDPR
You have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data ("right to be forgotten") subject to our legal retention obligations
- Restrict or object to certain processing
- Receive your data in a portable format
- Withdraw any consent you previously gave
- Lodge a complaint with the Information Commissioner's Office at ico.org.uk
To exercise any of these rights, contact us at privacy@docdrawer.co.uk. We will respond within one calendar month.
9. Cookies and analytics
DocDrawer uses a small number of strictly-necessary cookies and browser local storage entries to keep you signed
in and remember your preferences. We do not use advertising cookies, third-party tracking, or any external
analytics service such as Google Analytics, Mixpanel, or PostHog.
On our public marketing pages (/landing.html and /pricing.html), we use lightweight
first-party analytics so we can measure how visitors arrive at the site and how they progress through the
funnel:
- We capture UTM parameters from the URL (e.g. utm_source, utm_medium, utm_campaign) when you arrive from a campaign link, and store them in sessionStorage so attribution survives navigating between landing and pricing within the same browser tab. This data is cleared when you close the tab.
- We log a single anonymous "page visited" event per page load, plus a "demo link clicked" event if you click one of our "Book a demo" buttons. These records are stored in our own database (Supabase, UK / EU region) — they never leave our infrastructure to a third party.
- Each event records the page path, any UTM parameters, your browser's user-agent string, and a hashed representation of your IP address. We do not store your raw IP, and we do not link these anonymous events to your identity unless you subsequently book a demo or sign up — at which point you've explicitly given us that information through the form.
Our lawful basis for this processing is legitimate interest: measuring marketing performance is a normal
business activity, the data is anonymous, no profiling takes place, and the impact on your privacy is
minimal. If you'd prefer to opt out, blocking app.docdrawer.co.uk/api/track-pixel in your
browser (or using any standard tracker-blocker extension) prevents the events from being recorded — the rest
of the site continues to work normally.
10. Changes to this policy
We may update this policy from time to time. Material changes will be communicated to account-holders by email
at least 14 days before they take effect. The "last updated" date at the top of this page reflects the most
recent revision.
11. Contact
Questions about this policy or how we handle your data: privacy@docdrawer.co.uk.
DocDrawer Limited · company number 12730020 · registered office Flass Hall, Esh, Durham, DH7 9QD, United Kingdom · ICO registration ZB282653.
12. Reporting a security issue
If you believe you've found a security vulnerability in DocDrawer, or you are a third party who suspects a breach affecting our systems, please contact us at security@docdrawer.co.uk. We aim to acknowledge reports within one working day. Please include any details that would help us reproduce the issue and refrain from publicly disclosing the issue until we've had a chance to investigate and respond.
A machine-readable security contact in the standard RFC 9116 format is also published at /.well-known/security.txt.