PRIVACY POLICY OF THE DOKUM.AI SERVICE

Last updated: 05.01.2026

1. GENERAL PROVISIONS

1.1. This Privacy Policy defines the rules for the processing of personal data and the protection of the privacy of Users using the online service and SaaS software available under the name Dokum.ai (hereinafter the "Service"), in accordance with Regulation (EU) 2016/679 (GDPR), the Electronic Communications Act, and regulations governing digital markets (AI Act, Data Act).

1.2. The Controller of Users' personal data (within the meaning of the GDPR) is:

DOKUMIND SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ (Limited Liability Company) with its registered office in Opole, ul. Oleska, no. 121A, apt. 11, city: OPOLE, postal code 45-231, Poland. District Court in Opole, XIII Commercial Division of the National Court Register (KRS), KRS Number: 0001215170. Tax ID (NIP): 7543384735, REGON: 543634879

(hereinafter "Controller" or "Dokumind").

1.3. Contact with the Controller regarding data protection is possible via e-mail at: dpo@dokumind.com or in writing to the registered office address.

2. PURPOSES AND LEGAL BASES FOR DATA PROCESSING

2.1. The Controller processes personal data for the following purposes:

  • Provision of electronic services (account management, document processing) – basis: Art. 6(1)(b) GDPR (necessity for the performance of a contract).
  • Financial and tax settlements – basis: Art. 6(1)(c) GDPR (legal obligation).
  • Fraud detection and ensuring AI security – basis: Art. 6(1)(f) GDPR (legitimate interest).

2.2. Artificial Intelligence and Personal Data (AI Transparency):

Within the Service, data is processed in an automated manner by AI/OCR algorithms for the purpose of reading it (data extraction).

  • Model Training: The Controller declares that data contained in user documents are NOT used by default for training, fine-tuning, or improving Artificial Intelligence models.
  • Exception (Anonymization): The use of data to improve algorithms may occur only if the User expresses separate consent (opt-in) in the Account settings. In such a case, the data is previously subject to permanent and irreversible anonymization, so that it no longer constitutes personal data within the meaning of the GDPR.
  • No Profiling: This processing does not lead to automated decision-making producing legal effects concerning natural persons (no profiling within the meaning of Art. 22 GDPR). The system performs an assistive function (human-in-the-loop).

3. DATA RECIPIENTS AND SUB-PROCESSORS

3.1. The Controller transfers personal data only to trusted processors with whom data processing agreements (DPA) have been concluded.

3.2. Key infrastructure and AI providers:

To ensure the operation of the OCR/AI service, we use the following sub-processors:

  • Cloud Provider: – Region: Frankfurt/Ireland (EEA).
  • AI/LLM Engines: – Region: Western Europe (Netherlands/France).
    • Guarantee: We use Enterprise-class services that guarantee that data submitted via API is not used by the model provider (e.g., Microsoft/OpenAI) to train their own models (so-called Zero Data Retention Policy for training purposes).

3.3. Other recipients:

  • Payment Operators:.
  • Accounting and invoicing systems:.
  • Transactional communication:.

4. USER RIGHTS AND THE AI ACT

4.1. Under the GDPR, the User has the right to: access data, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection.

4.2. Rights in the context of Artificial Intelligence (AI Act):

  • Right to explanation (Art. 86 AI Act): If an AI system makes a decision that has a significant impact on the User, the User has the right to request an explanation of the logic of the system's operation and verification of the result by a human.
  • Right to information (Art. 50 AI Act): The User is informed that they are interacting with an AI system (e.g., through appropriate marking in the interface).

4.3. Rights arising from the Data Act:

As a professional User (B2B), you have the right to easily transfer data generated by using the Service (so-called switching) to another provider. Dokumind ensures the possibility of exporting data in an open format (e.g., JSON, XML, CSV).

5. DATA RETENTION

5.1. Account data is stored for the duration of the agreement.

5.2. Data in the OCR process: Files uploaded for analysis are stored only for the time necessary to perform the service (inference), and are then deleted or archived in accordance with the retention settings selected by the User in the panel (e.g., 30 days).

5.3. Upon termination of the agreement, the Controller applies a 30-day Transition Period, after which the data is permanently deleted, unless legal regulations (e.g., tax law) require their further retention (usually 5 years for invoices).

6. DATA TRANSFERS OUTSIDE THE EEA

6.1. The Service primarily uses infrastructure within the European Economic Area (EEA).

6.2. In the case of using sub-processors from the USA (e.g., AI technology providers), data transfer takes place on the basis of:

  • The European Commission's adequacy decision regarding the EU-US Data Privacy Framework (DPF) – for certified entities (e.g., Microsoft, Google, AWS).
  • Standard Contractual Clauses (SCC) – in other cases, ensuring additional security measures.

7. COOKIES AND ANALYTICS

7.1. The Service uses cookies to maintain the session and security (necessary) and, with the User's consent, for analytical purposes (Google Analytics 4 - with IP anonymization).

7.2. Consent management is handled via a cookie banner (Consent Mode v2).

8. CHANGES TO THE POLICY

8.1. The Controller reserves the right to make changes to the Privacy Policy in the event of changes in the law (in particular the implementation of subsequent stages of the AI Act) or the development of the Service's functionality.

8.2. Users will be notified of significant changes via e-mail with 14 days' advance notice.