DocShare

Privacy Policy

Last updated: 26 April 2026

DocShare ("we", "us", "the service") is a document personalization tool that helps authenticated Google users generate per-recipient personalized copies of a document template they author and share those documents with the intended recipients. This page explains what we collect, why, how long we keep it, and the rights you have over your data.

1. Data we collect

Account data

  • Your name, email, and a hashed password (we never store your password in plain text).
  • Plan and billing status. Payment details are handled by Stripe; we never see your card.

Workspace data

  • Templates, document sets, recipient lists, custom fields, webhooks, integration settings, and activity generated within the app.

Connected Google accounts

  • When you authorize a Google account, we store the OAuth refresh and access tokens (encrypted at rest with AES-256-GCM).
  • We use these tokens only to create Google Docs / Slides files on your behalf based on your template, populate them with the per-recipient values you supplied, share them with the recipient you specified using Google's native sharing, poll Drive Activity for engagement on files DocShare itself created, and refresh access tokens as needed.
  • We do not read your emails, do not access files you did not create through DocShare, and do not store the content of those documents in our database. The drive.file scope strictly limits us to files DocShare itself creates.

Third-party API keys

  • If you configure SendSpark, Hyperise, Instantly, Smartlead, HeyReach, GetSales, Plusvibe or similar integrations, we store the API keys encrypted at rest.

Operational data

  • Server logs (IP, user agent, request path, timestamp) for security and debugging. Retained 30 days.
  • Activity log of important actions you take (campaign launched, share sent, account connected). Retained for the lifetime of your account, exportable at any time.

2. How we use it

  • To run the service you signed up for.
  • To bill you (via Stripe).
  • To detect abuse, fraud, or violations of our Terms.
  • To respond to support requests.

We do not sell your data. We do not use it to train models. We do not share it with third parties except the sub-processors listed below, which are strictly necessary to operate the service.

3. Sub-processors

These vendors process data on our behalf to deliver DocShare. Each is bound by GDPR-compliant DPAs.

  • Vercel (USA / EU) — application hosting, edge runtime.
  • Supabase (EU, eu-west-1) — database, encryption at rest.
  • Railway (USA) — background worker.
  • Google — Drive, Docs, Slides, Drive Activity APIs (only against the account you connect).
  • Stripe (USA / EU) — billing.
  • Resend (USA) — transactional email.
  • Zapmail (USA) — backend mailbox provisioning when you buy inboxes through us. We never share your DocShare data with Zapmail; we only forward the inbox metadata you ask us to create.

4. Retention

  • Account & workspace data: retained while your account is active. Deleted within 7 days of account deletion.
  • Connected Google tokens: revoked and deleted immediately when you disconnect or delete your account.
  • Server logs: 30 days.
  • Backups: rolling 30-day window.

5. Your rights (GDPR / CCPA)

You can:

  • Access all your data: Settings → Account → Data export gives you a JSON dump and CSV exports.
  • Rectify incorrect data: edit it in the relevant page (templates, leads, profile).
  • Erase: Settings → Account → Delete account hard-deletes everything within minutes.
  • Object to processing or restrict it: email us at privacy@docshare.email.
  • Port your data: the JSON export above is portable.
  • Complain to your local data protection authority.

6. Cookies

We set one HTTP-only cookie called docshare_session for keeping you logged in. We do not use marketing or analytics cookies on the application itself.

7. Security

  • HTTPS everywhere, HSTS enforced.
  • OAuth tokens, third-party API keys, and webhook secrets stored AES-256-GCM encrypted.
  • Database connection encrypted in transit.
  • Principle of least privilege on all production credentials.

8. Contact

Privacy questions, GDPR requests, security disclosures: privacy@docshare.email.

Data controller: DocShare (the operator of docshare.email).