DocuElevate – Privacy Notice

1. Data Controller

The controller responsible for processing your personal data under the EU General Data Protection Regulation (GDPR) and equivalent privacy laws worldwide is:

Christian Louis IT Beratung
Alter Steinweg 3, 20459 Hamburg, Germany

Contact Email: docuelevate@christian-louis.de

For all privacy-related requests (access, deletion, rectification, opt-out, or complaints), please contact us at the email address above. We will respond within 30 days (or the period prescribed by applicable law).

2. Scope of this Privacy Notice

This notice applies to the DocuElevate web application, hosted at https://preprod.docuelevate.cklnet.com/.

It covers all users globally, including those in the European Union (EU), European Economic Area (EEA), Germany, United Kingdom (UK), Switzerland, Ukraine, United States (US), Canada, Latin America (Latam), Asia-Pacific, and Japan. Market-specific disclosures are provided in dedicated sections below.

3. Data Collection & Purposes

User Authentication: We use OAuth 2.0 (Google, Dropbox, Microsoft/OneDrive) and optional local authentication. Through OAuth, we may receive your name, email address, and profile picture.

Document Processing: Documents you upload are processed for OCR (optical character recognition), metadata extraction, and storage to your chosen cloud provider. Document content is processed only for the purpose you initiate and is not stored beyond what is operationally necessary.

Audit Logs: We maintain limited audit logs (action type, timestamp, user identifier) to ensure service integrity and security. These logs do not include document content.

Legal Basis (GDPR Art. 6): Our primary legal bases for processing are:

• (1)(b) Performance of a contract: to provide the DocuElevate service you have requested.
• (1)(c) Legal obligation: to comply with applicable laws and regulations.
• (1)(f) Legitimate interests: ensuring the security of the service and preventing fraud.

4. Data Minimization & Purpose Limitation

DocuElevate is designed with data minimization as a core principle (GDPR Art. 5(1)(c)):

• We collect only the minimum personal data required to operate the service.
• Document content is processed strictly for the purpose you initiate (OCR, storage, metadata extraction). We do not use your documents to train AI models or for any secondary purpose.
• No advertising, behavioural tracking, or profiling is performed.
• No tracking cookies or analytics scripts are loaded.
• Third-party AI services (e.g., OpenAI, Azure Document Intelligence) are invoked only when you initiate document processing, and data is transmitted under data processing agreements.

5. Use of Cookies & Similar Technologies

DocuElevate uses only strictly necessary session cookies to maintain your authenticated session. These cookies are essential for the service to function and are exempt from prior-consent requirements under the EU ePrivacy Directive (Art. 5(3)) and equivalent national laws.

We do not use: analytics cookies, advertising cookies, tracking pixels, or any third-party cookies that would require your consent.

For full details on the cookies we set, their names, duration, and purpose, please visit our Cookie Policy.

6. Third-Party Services

OAuth Providers (Google, Dropbox, Microsoft): When you choose to authenticate via OAuth, the respective provider processes your credentials and may share limited profile information with us. These providers maintain their own privacy policies.

Cloud Storage Providers (Google Drive, Dropbox, OneDrive, Amazon S3, Nextcloud, WebDAV/SFTP/FTP): Documents are stored in the cloud provider you configure. Your configured credentials are stored encrypted in the application database and are used solely to perform the storage operations you request.

AI Processing Services (OpenAI, Azure Document Intelligence, others): When you initiate OCR or AI-based metadata extraction, document data is transmitted to the AI service you or your administrator has configured. This transmission is governed by a data processing agreement with the respective provider.

No Sale or Sharing for Advertising: We do not sell, rent, or share your personal data with third parties for advertising, marketing, or any purpose unrelated to providing the service.

7. International Data Transfers

DocuElevate is hosted in the European Union / EEA by default. Where personal data is transferred outside the EEA (for example to US-based AI service providers such as OpenAI), we rely on appropriate safeguards including:

• Standard Contractual Clauses (SCCs) adopted by the European Commission (2021/914/EU) for transfers to processors and controllers in third countries.
• Adequacy Decisions where the European Commission has recognised an equivalent level of protection (e.g., United Kingdom, Switzerland, Canada (commercial organisations), Japan, South Korea).
• UK International Data Transfer Agreements (IDTAs) for transfers from the UK after Brexit.

You may request a copy of the relevant safeguards by contacting us at docuelevate@christian-louis.de.

8. Data Retention

We retain personal data only as long as strictly necessary to provide the DocuElevate service or to comply with legal obligations:

• Session data: Deleted when you log out or after session timeout.
• File records and metadata: Retained for the duration of your use of the service. You may delete individual files at any time through the application.
• Audit logs: Retained for up to 90 days for security and compliance purposes.
• OAuth tokens: Stored in encrypted form and revocable at any time via your OAuth provider.

To request deletion of your account and all associated personal data, please contact us at docuelevate@christian-louis.de.

9. Data Security

We implement appropriate technical and organisational measures (TOMs) to protect your personal data, including:

• Encryption of credentials and sensitive configuration at rest.
• Transport Layer Security (TLS/HTTPS) for all communications.
• Role-based access controls limiting access to personal data.
• Regular security audits and dependency vulnerability scanning.
• CSRF protection on all state-changing requests.

10. Your Rights (EU / EEA / UK / Switzerland)

Under GDPR (and the UK GDPR / Swiss nFADP equivalent), you have the following rights:

• Right of Access (Art. 15): You may request a copy of the personal data we hold about you.
• Right to Rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
• Right to Erasure (Art. 17): You may request deletion of your personal data where there is no overriding legitimate reason for us to retain it.
• Right to Restriction (Art. 18): You may request that we temporarily halt processing of your data in certain circumstances.
• Right to Data Portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format.
• Right to Object (Art. 21): You may object to processing based on legitimate interests at any time.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your national Data Protection Authority (DPA). In Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI). In the UK: Information Commissioner's Office (ICO). In Switzerland: Federal Data Protection and Information Commissioner (FDPIC).

To exercise any of the above rights, contact us at docuelevate@christian-louis.de. We will respond within one calendar month (extendable by two further months for complex requests).

11. Additional Rights – United States (CCPA / CPRA)

If you are a resident of California or another US state with applicable privacy legislation (including Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA), the following additional disclosures apply:

• Categories of personal information collected: Identifiers (name, email), account authentication tokens, and document metadata that you choose to upload.
• Purpose of collection: Providing, improving, and securing the DocuElevate service. We do not sell or share personal information for cross-context behavioural advertising.
• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt Out of Sale / Sharing: We do not sell or share personal information as defined by CCPA/CPRA. No opt-out mechanism is required; however, you may contact us to confirm this.
• Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide the service.
• Non-Discrimination: We will not discriminate against you for exercising any of these rights.

To submit a verifiable consumer request, contact us at docuelevate@christian-louis.de. We will respond within 45 days (extendable by an additional 45 days when reasonably necessary).

12. Additional Rights – Canada (PIPEDA / Québec Law 25)

If you are located in Canada, the following applies under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation (including Québec Law 25 / Bill 64):

• We collect, use, and disclose personal information only with your knowledge and consent, or as permitted by law.
• Right of Access: You may request access to your personal information and information about how it has been used or disclosed.
• Right to Correction: You may challenge the accuracy or completeness of your personal information and request correction.
• Right to Withdraw Consent: Subject to legal or contractual restrictions, you may withdraw consent to the collection, use, or disclosure of your personal information on reasonable notice.
• Québec residents: Under Law 25, you have additional rights including the right to data portability (effective September 2023) and the right to de-indexation where personal information is disseminated online.

Direct privacy complaints to our Privacy Officer at docuelevate@christian-louis.de, or to the Office of the Privacy Commissioner of Canada.

13. Additional Rights – Latin America (LGPD & Others)

Brazil (LGPD – Lei Geral de Proteção de Dados, Law 13.709/2018): If you are located in Brazil, you have the following rights under the LGPD:

• Confirmation of the existence of processing and access to your data.
• Correction of incomplete, inaccurate, or outdated data.
• Anonymisation, blocking, or deletion of unnecessary or excessive data.
• Portability of your data to another service or product provider.
• Deletion of personal data processed with your consent.
• Information about entities with which your data has been shared.
• Information about the possibility of not consenting and the consequences of refusal.
• Revocation of consent.

Other Latin American Countries: We also recognise applicable privacy laws in Argentina (PDPA), Mexico (LFPDPPP), Chile, Colombia (Ley 1581), and others. Users in these jurisdictions may exercise equivalent rights as outlined under their national law by contacting us.

Contact: docuelevate@christian-louis.de

14. Additional Rights – Asia-Pacific & Japan

Japan (APPI – Act on the Protection of Personal Information): Japanese residents may request disclosure, correction, addition or deletion, suspension of use, erasure, or suspension of third-party provision of their personal information held by us. Third-party disclosures require your prior consent except where permitted by law.

Australia (Privacy Act 1988 and Australian Privacy Principles): Australian residents may request access to and correction of their personal information. We will respond to access requests within 30 days. Complaints may be lodged with the Office of the Australian Information Commissioner (OAIC).

South Korea (PIPA – Personal Information Protection Act): Korean residents may request access, correction, deletion, and suspension of processing. We handle personal information of Korean residents in accordance with the PIPA.

Other APJ markets (Singapore PDPA, New Zealand Privacy Act, India DPDP Act): We recognise the data protection rights afforded to residents of these jurisdictions under their respective national laws. Contact us to exercise your rights.

Contact: docuelevate@christian-louis.de

15. Additional Rights – Ukraine

Users located in Ukraine are protected under the Law of Ukraine "On Personal Data Protection" (No. 2297-VI). Your rights include access to, correction, blocking, and deletion of your personal data, as well as the right to object to processing.

Contact: docuelevate@christian-louis.de

16. Updates to this Privacy Notice

We may update this notice from time to time to reflect changes in our practices or applicable laws. The "Last Updated" date at the top of this page indicates when the notice was last revised. Where changes are material, we will notify users via in-application notification or email where appropriate.

If you have any questions or concerns about this Privacy Notice or your personal data, please contact us at docuelevate@christian-louis.de.

Please also review our Terms of Service, Cookie Policy, and License Information.