This Privacy Policy explains how Documentation.AI ("Documentation.AI,” “we,” “us,” or “our”) collects, uses, and shares information about you when you use our websites, apps, and related services (collectively, the “Services”).

By using the Services, you agree to the collection and use of information as described in this Policy. If you do not agree, do not use the Services.

Note about GDPR: We are not yet representing compliance with the EU/UK General Data Protection Regulation (GDPR). A GDPR-specific addendum will be added when we complete our compliance program. Until then, the GDPR rights and mechanisms referenced in many EU-focused policies do not apply to our Services.

1) Who we are & scope

Documentation.AI provides AI-powered tools to create, manage, and collaborate on technical documentation. This Policy applies to information we collect through our websites, the Documentation.AI app, APIs, SDKs, and customer support channels.

2) Information we collect

We collect the following categories of information:

A. Account & contact information

• Name, email address, password (hashed), company/organization, role, and preferences.

• If you sign in with a third‑party provider (e.g., Google, GitHub), we receive basic profile info according to your settings with that provider.

B. Workspace content you choose to provide

• Documentation, source text or code snippets, files, images, prompts, model inputs/outputs, comments, tags, and project metadata you upload or create in the Services.

• If you enable integrations (e.g., repositories, knowledge bases, ticketing, chat), we access only the data necessary to perform the integration as configured by you.

C. Payment information

• If you purchase a paid plan, billing name, email, and payment method details are processed by our payment processor. We do not store full credit/debit card numbers on our systems.

D. Device & usage data (collected automatically)

• IP address, device identifiers, browser type, operating system, timestamps, pages viewed, referral URLs, crash/diagnostic logs, and product interaction events.

E. Cookies & similar technologies

• We use cookies and similar technologies to remember your settings, keep you signed in, understand usage, and improve the Services. You can control cookies via your browser settings. Essential cookies are required for core functionality.

F. Communications & support

• Messages you send to us (including email, chat, and support tickets), plus related metadata.

3) How we use information

We use information to:

• Provide, operate, and secure the Services;

• Generate and improve documentation and AI‑assisted outputs you request;

• Personalize features and recommend content;

• Process transactions and send transactional communications;

• Provide customer support and troubleshoot issues;

• Monitor, prevent, and detect fraud, abuse, and security incidents;

• Analyze usage to improve performance, features, and user experience;

• Comply with applicable laws and enforce our agreements.

We may de‑identify or aggregate information for analytics, research, and business reporting. De‑identified/aggregated data does not identify you and may be used for any purpose.

4) AI processing & model providers

• To generate outputs you request, we may process your prompts, documents, and related context using models we host or third‑party AI model providers under contract. We require such providers to use your information only to deliver the Services to you and not for their own advertising or profile building.

• Model improvement: By default, we do not permit third‑party foundation model providers to use your workspace content to train or improve their general models. If we ever offer an opt‑in program for improvements, we will clearly ask for your permission first.

• Human review: A limited number of authorized personnel may review content only for abuse investigation, debugging, or to resolve a support request you initiate, and are bound by confidentiality and access controls.

5) Legal basis (non‑GDPR framing)

We process information to perform our contract with you (provide the Services), for our legitimate business interests (e.g., securing and improving the Services), and to comply with legal obligations. We currently do not rely on GDPR‑specific lawful bases; a GDPR addendum will be published when our compliance program is complete.

6) How we share information

We do not sell your personal information.

We share information with:

• Service providers/Processors that host infrastructure, store data, provide analytics, customer support tools, payment processing, email delivery, logging, and security services;

• Integrations you enable, to the extent needed to perform the integration you configure;

• Professional advisors (lawyers, auditors, insurers) under confidentiality obligations;

• Compliance and safety: when required by law, subpoena, or to protect rights, safety, and the integrity of the Services;

• Business transfers: as part of a merger, acquisition, financing, or sale of assets. We will continue to protect your information consistent with this Policy.

Service providers may access personal information only to perform services on our behalf and are required to protect it.

7) Data retention

We keep personal information for as long as your account is active and as needed to provide the Services. After account closure, we generally retain limited records (e.g., billing, audit logs, backups) for up to 24 months, unless a longer period is required by law or necessary to defend our legal rights. Backups are purged on a rolling schedule.

8) Security

We use reasonable administrative, technical, and organizational safeguards designed to protect personal information (including encryption in transit and access controls). No method of transmission or storage is 100% secure; if we become aware of a breach affecting your information, we will notify you as required by law.

9) International transfers

We may process and store information in the United States and other countries where we or our service providers operate. Data protection laws in these locations may differ from those in your jurisdiction. We will implement appropriate safeguards for international transfers as required by applicable law. A GDPR‑specific transfer mechanism (e.g., standard contractual clauses) will be described in our future GDPR addendum.

10) Your choices & rights

• Access, update, delete: You can access and update profile information in the app, or request deletion of your account and associated content (subject to retention noted above) by contacting us at [email protected]

• Email preferences: You may opt out of non‑transactional emails by using the unsubscribe link in those messages.

• Cookies: Control cookies via your browser or device settings. Essential cookies may be required for the Services to work.

When our GDPR program is complete, EU/UK residents will have additional rights which we will outline in an addendum (e.g., access, deletion, portability, objection, and complaint rights with a supervisory authority).

11) Children’s privacy

The Services are not directed to children under 13, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will take appropriate action.

12) Third‑party links & sites

Our Services may contain links to third‑party websites or services. Their practices are governed by their own privacy policies, and we are not responsible for their content or practices.

13) Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will notify you by posting the new Policy and updating the “Last updated” date. In some cases, we may also notify you by email or in‑product notice.

14) Contact us

If you have questions or requests about this Policy or your personal information, contact us at: Documentation.AI

Email: [email protected]

15) Roles: controller vs. processor & your responsibilities

• Controller (we): For account, billing, marketing, website telemetry, and security logs, Documentation.AI is the controller.

• Processor (we) for customer workspaces: For content you upload or generate in your workspace, we act as your processor/service provider.

• Customer responsibilities (you): You are responsible for having a lawful basis and notices for any personal data you input about others, honoring deletion/retention requirements you impose internally, and configuring integrations/permissions appropriately. You must not upload special category data or highly sensitive personal data unless our contract explicitly permits it.

• DPA & subprocessors: A Data Processing Addendum (DPA) is available on request. We maintain a list of subprocessors (hosting, analytics, email, support, payments, model providers) and will post updates before material changes.

16) U.S. State privacy notice (CA/CO/CT/UT/VA/OR/TX)

This section provides disclosures for residents of certain U.S. states with comprehensive privacy laws and serves as our “Notice at Collection” for California.

Categories of personal information collected (last 12 months):

• Identifiers: name, email, IP address, device identifiers.

• Commercial information: subscription tier, transaction history (via payment processor).

• Internet/electronic activity: usage analytics, logs, crash reports.

• Geolocation: coarse location from IP (no precise geolocation).

• Inferences: product preferences derived from usage.

• Sensitive personal information: account login credentials (passwords are hashed; we do not collect government IDs, precise geolocation, or biometric data).

Sources: directly from you; your devices/browsers; integrations you enable; our service providers.

Purposes: to provide and secure the Services; improve features; process transactions; support; comply with law; prevent fraud/abuse.

Disclosure for business purposes: we disclose the above categories to service providers and integrations you enable, under contracts restricting their use to our business purposes.

Sale/Share: We do not sell personal information and we do not share it for cross‑context behavioral advertising as defined by CA law. If this changes, we will provide a "Do Not Sell or Share My Personal Information" mechanism and honor Global Privacy Control (GPC) signals.

Your state privacy rights (where applicable): access/know, correct, delete, portability, opt out of targeted advertising (if any), opt out of sale/share (if any), and limit use/disclosure of sensitive personal information. We do not discriminate for exercising your rights.

How to exercise your rights & verification: Email [email protected] with your request and the email associated with your account. We will verify your identity by email confirmation or by asking you to authenticate in‑product. You may use an authorized agent where allowed by law; we may require proof of authorization and verification of your identity.

Appeals: If we deny your request, you may appeal by replying to our decision email with “Privacy Appeal.” We will review and respond within the timeframe required by applicable law.

Retention: See Section 7. We retain each category of personal information for the periods needed to fulfill the purposes described above, comply with law, and protect our rights, after which we delete or de‑identify the data.

Children: We do not have actual knowledge of selling or sharing personal information of consumers under 16.

17) Cookies, analytics, and signals (DNT/GPC)

We use essential cookies and limited analytics. You can control cookies via your browser. At this time we do not respond to Do Not Track (DNT) signals. We will honor Global Privacy Control (GPC) signals if and when our processing falls within opt‑out requirements (e.g., sale/share or targeted advertising).

18) Data portability & export

You can request a machine‑readable export of your workspace content by emailing [email protected]. Exports may exclude proprietary system logs and data we are legally required to retain.

19) Security practices (additional detail)

We implement least‑privilege access, audit logging, encryption in transit, and routine backups. Passwords are hashed using industry‑standard algorithms. Where available, we recommend enabling multi‑factor authentication (MFA). We will provide breach notifications as required by law.

20) Payment processing

Payments are handled by our payment processor. We do not store full card numbers on our systems. The processor’s use of your personal information is governed by its own privacy policy and contract with us.

21) Model inputs/outputs & logging

Prompts, context, and outputs may be temporarily logged to operate, troubleshoot, secure, and improve the Services for your account (not to train third‑party foundation models, unless you opt in to a future program). Access is tightly controlled and audited.