DecoverHQ, Inc. (“DecoverAI,” “we,” “our,” or “us”) operates the DecoverAI legal discovery platform, including our website, software, APIs, and related services (collectively, the “Services”). By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. This Policy applies to all users of the Services, including enterprise customers (“Customers”), their authorized end users (“Users”), and visitors to our website.
1. Introduction
This Privacy Policy explains: (a) what information we collect; (b) how we use it; (c) with whom we share it; (d) how we protect it; (e) how long we retain it; and (f) your rights with respect to it. Changes to this Policy are governed by Section 14.
2. Our Role as Data Controller and Data Processor
DecoverAI operates in two distinct capacities depending on the type of data involved:
2.1 Data Controller
We act as a data controller with respect to information we collect directly from individuals, including account registration data, billing information, website analytics, and communications data. As a data controller, we determine the purposes and means of processing this information.
2.2 Data Processor
We act as a data processor with respect to Customer Data — content, documents, and other information uploaded or processed through the Services by our enterprise Customers. In this capacity, we process Customer Data solely on behalf of and under the instructions of the Customer. Customers retain control over and responsibility for their Customer Data. A Data Processing Agreement (“DPA”) governing our obligations as data processor is available upon request.
3. Information We Collect
We collect the following categories of information:
3.1 Account and Registration Data
When you or your organization registers for the Services, we may collect:
- Full name and job title
- Business email address
- Company name and size
- Password (stored in hashed form)
- Account preferences and settings
3.2 Billing and Payment Data
We collect information necessary to process payments, which may include:
- Billing name and address
- Payment method details (credit/debit card numbers are processed directly by our payment processor, Stripe, and are not stored on our systems)
- Transaction history and invoice records
- Subscription tier and usage entitlements
3.3 Usage and Product Data
To improve product quality, we collect anonymized and aggregated usage metrics, including:
- Feature interaction events (clicks, navigation paths)
- Query types and volume (not query content)
- Search latency and performance metrics
- Session duration and time-on-task data
- Error rates and crash logs
We do not collect or store actual search queries, document contents, document metadata, or any information that could personally identify a user through their usage behavior.
3.4 Customer Data (Legal Discovery Content)
Customer Data consists of documents, case files, communications, and other content uploaded or processed through the Services by enterprise Customers. Customer Data is treated as strictly confidential. We process Customer Data only as directed by the Customer, solely for the purpose of providing the Services, and never for our own business purposes. Customer Data may include Protected Health Information (PHI) where a Customer has executed a Business Associate Agreement (BAA) with us. Please see Section 12 for our HIPAA-specific provisions.
3.5 Device and Connection Information
We collect approximate, anonymized technical information, including:
- Browser type and version
- Operating system type
- Approximate geographic region (country or state level only; precise location is not collected)
- IP address (anonymized and not linked to individual user identity)
- Referring URL and exit page
3.6 Communications Data
When you contact us, we collect:
- Name and email address (from feedback or support submissions)
- Content of support tickets, chat logs, and email correspondence
- Survey or interview responses
3.7 Cookies and Tracking Technologies
We use the following types of cookies and similar tracking technologies:
- Essential Cookies: Required for core platform functionality, authentication, and security. These cannot be disabled.
- Functional Cookies: Enable features such as remembering user preferences and settings.
- Analytics Cookies: Used to collect anonymized data about how users interact with the Services (e.g., Google Analytics, Heap). This data is aggregated and not linked to individual identities.
- Marketing Cookies: Used to measure the effectiveness of our advertising campaigns. We do not use marketing cookies to profile users for third-party advertising.
You may manage cookie preferences through your browser settings or our cookie consent banner. Note that disabling essential cookies may impair platform functionality. We honor Do Not Track (DNT) signals for analytics cookies.
3.8 Integration and Third-Party Data
If you connect third-party services (e.g., document management systems, email platforms, identity providers) to the Services, we may receive data from those services as necessary to enable the integration. Such data is processed in accordance with this Policy and any applicable DPA.
4. Legal Basis for Processing (GDPR)
For individuals located in the European Economic Area (EEA) or United Kingdom (UK), we process personal data on the following legal bases under the GDPR and UK GDPR:
- Contractual Necessity (Article 6(1)(b)): Processing required to perform our contract with you, including account management, service delivery, billing, and customer support.
- Legitimate Interests (Article 6(1)(f)): Processing for product improvement, fraud prevention, security monitoring, and business analytics, where our interests are not overridden by your rights and freedoms.
- Consent (Article 6(1)(a)): Processing based on your freely given, specific, and informed consent, including for marketing emails and non-essential cookies. You may withdraw consent at any time.
- Legal Obligation (Article 6(1)(c)): Processing required to comply with applicable law, including responding to lawful legal process and regulatory requests.
- Vital Interests or Public Task: Where applicable in exceptional circumstances.
5. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: Providing, operating, maintaining, and personalizing the Services.
- Account Management: Creating and managing user accounts, authenticating users, and managing permissions.
- Billing and Payments: Processing payments, issuing invoices, managing subscriptions, and handling disputes.
- Customer Support: Responding to inquiries, troubleshooting issues, and improving support quality.
- Product Improvement: Analyzing aggregated usage patterns to develop new features and enhance platform performance.
- Security and Fraud Prevention: Detecting, investigating, and preventing unauthorized access, fraud, abuse, and other security incidents.
- Legal Compliance: Complying with applicable laws, regulations, and legal process, including responding to court orders and government requests.
- Communications: Sending transactional and administrative messages (e.g., account confirmations, security alerts, service updates). These are not promotional and cannot be opted out of while you maintain an active account.
- Marketing: Sending promotional content and product updates, subject to your consent or, where permitted by law, on the basis of our legitimate interests. You may opt out at any time.
- Dispute Resolution: Enforcing our Terms of Service and resolving disputes.
- Analytics: Measuring platform performance, conversion rates, and user experience through anonymized aggregate data.
6. How We Share Your Information
We do not sell, rent, or trade your personal information. We share information only in the following circumstances:
6.1 Service Providers and Sub-Processors
We share information with vetted third-party vendors who assist us in providing the Services, including:
- Cloud Infrastructure: Amazon Web Services (AWS) — data storage and compute (United States)
- Payment Processing: Stripe — billing and payment handling
- Analytics: Google Analytics, Heap — anonymized usage analytics
- Customer Support: Support ticketing and communication tools
- Identity and Authentication: Single sign-on and identity providers
- Security: Intrusion detection and monitoring services
All sub-processors are bound by data processing agreements consistent with our obligations under this Policy and applicable law. An updated sub-processor list is available upon request.
6.2 Enterprise Customers
Your employer or enterprise Customer may have access to information associated with your account, including usage data, as permitted under their agreement with us.
6.3 Legal Process and Law Enforcement
We may disclose information when required by law, court order, subpoena, regulatory authority, or other legal process. Where permitted, we will notify affected users prior to disclosure. We may also disclose information where we believe in good faith that disclosure is necessary to protect our rights, prevent fraud, or protect the safety of any person.
6.4 Business Transfers
In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, personal information may be transferred as a business asset. We will notify affected users by email or prominent notice on our website prior to such a transfer and will require the acquiring entity to honor this Privacy Policy.
6.5 Professional Advisors
We may share information with our legal counsel, accountants, auditors, and other professional advisors under applicable duties of confidentiality.
6.6 Consent
We may share your information for any other purpose disclosed to you with your prior consent.
7. Data Security
We implement administrative, technical, and physical safeguards designed to protect your information, including:
- Encryption in Transit: All data transmitted between your browser and our platform is encrypted using TLS 1.2 or higher.
- Encryption at Rest: All data stored in our systems is encrypted using AES-256 encryption.
- Access Controls: Access to personal data and Customer Data is restricted to authorized personnel on a need-to-know basis, enforced through role-based access controls (RBAC).
- SOC 2 Type II Certification: Our security controls are independently audited against the AICPA SOC 2 Trust Services Criteria on an annual basis.
- HIPAA Safeguards: Administrative, physical, and technical safeguards are in place for systems that handle Protected Health Information (PHI).
- Penetration Testing: We conduct regular third-party penetration tests and vulnerability assessments.
- Incident Response: We maintain a documented incident response plan and will notify affected parties of a data breach as required by applicable law.
- Employee Training: All employees with access to personal data receive regular privacy and security training and are bound by confidentiality obligations.
While we employ industry-standard security measures, no system is completely secure. We cannot guarantee absolute security of your information.
8. Data Breach Notification
In the event of a security breach affecting personal data, we will:
- Where required, notify affected enterprise Customers without undue delay, and in any event within 72 hours of becoming aware of the breach (GDPR Article 33).
- Notify affected individual users in accordance with applicable state breach notification laws (including California, New York, and other applicable states).
- Notify relevant supervisory authorities as required by applicable law.
- For breaches involving Protected Health Information (PHI), provide notification in accordance with the HIPAA Breach Notification Rule (45 CFR § 164.400), including notice to affected individuals within 60 days and to the Secretary of Health and Human Services.
9. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Policy:
- Account and Registration Data: Retained for the duration of the active account, plus 90 days following account closure to enable reactivation, then deleted.
- Billing and Payment Records: Retained for 7 years from the date of the transaction, as required by applicable tax and accounting regulations.
- Usage and Product Analytics Data: Retained in identifiable form for 6 months; anonymized, aggregated data may be retained indefinitely.
- Customer Data: Retained for the duration of the Customer’s subscription. Following contract termination, Customer Data will be deleted or returned (at Customer’s election) within 30 days, unless longer retention is required by law.
- Communications Data (Support/Feedback): Retained for 3 years from the date of the interaction.
- Security and System Logs: Retained for 12 months for security monitoring and incident investigation purposes.
- Legal Hold: Where required by law, regulation, or pending litigation, data may be retained beyond standard retention periods until the hold is released.
Deletion is performed using secure erasure methods consistent with NIST SP 800-88 guidelines. Backup copies may persist for up to 90 days following deletion from production systems.
10. International Data Transfers
Our Services are operated in the United States. If you access the Services from outside the United States, your personal data will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs): We incorporate the European Commission’s Standard Contractual Clauses (2021/914/EU) into our Data Processing Agreements with Customers and sub-processors.
- UK International Data Transfer Agreements (IDTAs): For UK-originating data, we use UK IDTAs or addenda to SCCs as approved by the UK Information Commissioner’s Office.
- Adequacy Decisions: Where applicable, we rely on adequacy decisions by the European Commission.
A copy of our standard Data Processing Agreement and applicable transfer mechanisms is available upon request at support@decover.ai.
11. Your Privacy Rights
11.1 Rights Under GDPR (EEA and UK Users)
If you are located in the EEA or UK, you have the following rights:
- Right of Access (Article 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Article 16): Request correction of inaccurate or incomplete personal data.
- Right to Erasure (Article 17): Request deletion of your personal data, subject to certain legal exceptions.
- Right to Restriction of Processing (Article 18): Request that we restrict processing of your personal data in certain circumstances.
- Right to Data Portability (Article 20): Receive your personal data in a structured, machine-readable format and transmit it to another controller.
- Right to Object (Article 21): Object to processing based on our legitimate interests, including for direct marketing.
- Rights Related to Automated Decision-Making (Article 22): Request human review of any solely automated decisions that significantly affect you.
- Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
- Right to Lodge a Complaint: Lodge a complaint with your local data protection supervisory authority.
11.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Know what personal information we collect, use, disclose, and sell (we do not sell personal information).
- Right to Delete: Request deletion of your personal information, subject to legal exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: Limit our use of sensitive personal information to purposes necessary to perform the Services.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
11.3 How to Exercise Your Rights
To exercise any of the rights described above, please submit a request to support@decover.ai with the subject line “Privacy Rights Request.” We will verify your identity before processing your request. We will respond within 30 days (GDPR) or 45 days (CCPA/CPRA) of receiving a verifiable request. If we need additional time, we will notify you of the extension and the reason.
12. HIPAA Compliance
DecoverAI is a HIPAA-compliant platform. Where Customers use the Services in connection with Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations:
- Business Associate Agreement (BAA): Customers whose use of the Services involves PHI must execute a BAA with DecoverAI prior to processing any PHI through the Services. A standard BAA is available upon request.
- Minimum Necessary Standard: We access, use, and disclose PHI only to the minimum extent necessary to perform the Services or as otherwise required by law.
- Permitted Uses and Disclosures: PHI is processed only as permitted under the BAA and applicable HIPAA regulations.
- Safeguards: We maintain administrative, physical, and technical safeguards for PHI as required under the HIPAA Security Rule (45 CFR Part 164, Subpart C).
- Breach Notification: In the event of a breach of unsecured PHI, we will notify affected Customers in accordance with the HIPAA Breach Notification Rule, including notification to the HHS Secretary and affected individuals within required timeframes.
- Subcontractors: All subcontractors who access PHI on our behalf are required to execute Business Associate Agreements with us and maintain equivalent HIPAA safeguards.
13. Children’s Privacy
The Services are not directed to children under the age of 16 (or under the age of 13 in jurisdictions where COPPA applies). We do not knowingly collect personal information from children. If we learn that we have inadvertently collected personal information from a child under the applicable age, we will promptly delete such information. If you believe we have collected information from a child, please contact us at support@decover.ai.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will provide notice of material changes by:
- Posting a prominent notice on our website and within the platform at least 30 days prior to the change taking effect;
- Sending an email notification to the email address associated with your account; and/or
- Requiring you to affirmatively acknowledge the updated Policy at your next login, where required by law.
Your continued use of the Services after the effective date of any updated Privacy Policy constitutes your acceptance of the updated terms. The date at the top of this Policy indicates when it was last updated.
15. Contact Us
15.1 Privacy Contact
For questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:
- Email: support@decover.ai (subject: “Privacy Inquiry”)
- Mail: DecoverHQ, Inc., Attn: Privacy, 333 W San Carlos St, San Jose, CA 95110
- Website: www.decover.ai/contact
15.2 EU/UK Representative
If you are located in the EEA or UK and wish to exercise your data subject rights or lodge a complaint, you may also contact your local data protection supervisory authority. A list of EEA supervisory authorities is available at the European Data Protection Board website. The UK supervisory authority is the Information Commissioner’s Office (ICO).
15.3 Governing Law
This Privacy Policy is governed by the laws of the State of California, without regard to conflict of law principles, except where superseded by applicable federal or international privacy law (including GDPR and UK GDPR where applicable).