Privacy Policy

This Privacy Policy describes how FinalDoc Technologies Private Limited ("FinalDoc", "we", "us", or "our") collects, uses, discloses, and safeguards your personal information when you use our website at finaldoc.io and our knowledge base platform ("the Service").

This policy is published in compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and other applicable Indian laws.

1. Information We Collect

1.1 Information You Provide

• Account Information: Name, email address, password (stored as a bcrypt hash), and organization name when you register
• Billing Information: Payment details (processed and stored by Stripe; we do not store credit card numbers)
• Content: Articles, categories, documents, images, and other content you create or upload to the Service
• Communications: Emails, support requests, and feedback you send to us
• Team Member Information: Names and email addresses of team members you invite

1.2 Information Collected Automatically

• Usage Data: Pages visited, features used, search queries, click events, and session duration
• Device Information: Browser type, operating system, device type, and screen resolution
• Log Data: IP address, access timestamps, referring URLs, and server response codes
• Cookies: Session cookies for authentication and CSRF protection (see Section 7)

1.3 Information from Third Parties

• SSO Providers: If you log in via SAML SSO, we receive your name and email from your identity provider
• Payment Processor: Stripe provides us with subscription status and billing history (not card numbers)

2. How We Use Your Information

Purpose	Data Used	Legal Basis
Provide and maintain the Service	Account info, content	Contract performance
Process payments	Billing info (via Stripe)	Contract performance
Send transactional emails	Email address	Contract performance
AI writing features (Ved AI)	Content you submit to AI	Consent / contract
Analytics and improvements	Usage data, device info	Legitimate interest
Customer support	Communications, account info	Contract / legitimate interest
Security and fraud prevention	Log data, IP address	Legitimate interest
Legal compliance	As required	Legal obligation

3. AI Data Processing

When you use Ved AI features (AI writer, AI chatbot, AI diagrams), your content is sent to third-party AI providers for processing:

• OpenAI (GPT-4o-mini): For text generation, editing, translation, and optimization
• Google Gemini (Gemini 2.0 Flash): For AI-generated diagrams

We do not use your content to train AI models. Content is processed in real-time and is subject to the respective providers' data processing policies. AI-generated content is your responsibility to review before publishing.

4. Information Sharing and Disclosure

We do not sell your personal information. We share information only in the following circumstances:

• Service Providers: Trusted third-party services that help us operate the Service (see below)
• Your Team: Team members within your organization can access shared content and account information based on their role
• Knowledge Base Readers: Content you publish publicly is visible to anyone; private content is visible only to authenticated readers you invite
• Legal Requirements: When required by law, court order, or government regulation
• Business Transfer: In connection with a merger, acquisition, or sale of assets, with prior notice to you

4.1 Third-Party Service Providers

Provider	Purpose	Data Shared
Stripe	Payment processing	Billing info, email
DigitalOcean Spaces	File storage (uploads, images)	Uploaded files
OpenAI	AI writing features	Content submitted to AI
Google (Gemini)	AI diagram generation	Diagram descriptions
SMTP provider	Transactional emails	Email address, name

5. Data Storage and Security

5.1 Storage Location. Your data is stored on servers located in data centers operated by our hosting providers. Our primary server is located in a secure facility with physical and network security controls.

5.2 Security Measures. We implement reasonable security practices as required under the IT Act 2000 and the SPDI Rules 2011, including:

• Encryption in transit (HTTPS/TLS for all connections)
• Encrypted passwords (bcrypt hashing with salt)
• Session-based authentication with secure, expiring tokens
• CSRF protection via double-submit cookie pattern
• Rate limiting on authentication endpoints
• Role-based access control (Owner, Admin, Editor, Author, Viewer)
• Regular security audits and vulnerability assessments
• Helmet.js security headers

5.3 Data Breach. In the event of a data breach affecting your personal information, we will notify you via email and comply with applicable breach notification requirements under Indian law.

6. Data Retention

• Active Accounts: We retain your data for as long as your account is active
• Deleted Accounts: Upon account deletion, your personal data and content are permanently removed within 30 days
• Cancelled Subscriptions: Your data is preserved (under Free plan limits) unless you request deletion
• Logs and Analytics: Server logs are retained for up to 90 days; aggregated analytics data may be retained indefinitely
• Backup Data: Backup copies are retained for up to 30 days after deletion from production systems

7. Cookies

We use the following cookies:

Cookie	Type	Purpose	Duration
Session token	Essential	Authentication	24 hours
CSRF token	Essential	Security (prevent cross-site request forgery)	Session

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Our analytics are built into the platform and do not rely on external tracking services.

8. Your Rights

Under applicable Indian law, you have the right to:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete personal information
• Deletion: Request deletion of your personal information and account
• Data Portability: Export your content using our built-in export tools (PDF, Markdown, JSON)
• Withdraw Consent: Withdraw consent for optional data processing (e.g., AI features) at any time
• Grievance Redressal: Lodge a complaint with our Grievance Officer (see below)

To exercise any of these rights, email us at support@finaldoc.io. We will respond within 30 days.

9. Children's Privacy

The Service is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will take steps to delete it promptly.

10. International Data Transfers

Your data may be processed by third-party service providers located outside India (e.g., OpenAI in the United States, Stripe in the United States). By using the Service, you consent to such transfers. We ensure that appropriate safeguards are in place with these providers.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service at least 15 days before the changes take effect. The "Last updated" date at the top of this policy indicates the most recent revision.

12. Grievance Officer

In accordance with the Information Technology Act, 2000, and the rules made thereunder, the contact details of the Grievance Officer are:

• Designation: Grievance Officer
• Organization: FinalDoc Technologies Private Limited
• Address: Vignan Nagar, Bengaluru, Karnataka, India, Pin: 560037
• Email: support@finaldoc.io
• Phone: +91 80937 12301

Grievances will be acknowledged within 48 hours and resolved within 30 days.

13. Contact Us

For questions or concerns about this Privacy Policy, please contact us:

• FinalDoc Technologies Private Limited
• Vignan Nagar, Bengaluru, Karnataka, India, Pin: 560037
• Email: support@finaldoc.io
• Phone: +91 80937 12301
• Website: https://finaldoc.io