
Privacy Policy

How we collect, use, and protect your personal information — including what the Doc-Assure mobile app accesses on your device.

Effective 12 April 2026 • POPIA Compliant • SA Hosted

Doc-Assure ("we", "us", or "our") operates the Doc-Assure platform at doc-assure.africa and doc-assure.app, including the Doc-Assure mobile application for iOS and Android (collectively, the "Service"). This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights as a data subject.

We comply with the Protection of Personal Information Act, 2013 (POPIA) of South Africa and, where applicable, the General Data Protection Regulation (GDPR) for users in the European Economic Area.

1. Information we collect

1.1 Information you provide

  • Account information — Name, email address, username, password (stored hashed), and role within your organisation. Provided when you or an administrator creates your account.
  • Files and documents — Any documents, images, or files you upload, scan, or create using the Service.
  • Signatures — Drawn or uploaded images of your signature that you save in the signature library.
  • Consent records — Details of consents you grant or revoke for document sharing with other parties (e.g., purpose, access level, expiry).
  • Workflow data — Comments and decisions you make on workflow approval tasks.
  • AI chat queries — The text of questions you ask about your documents through the AI chat feature.
  • Support communications — Any information you provide when contacting support.

1.2 Information collected automatically

  • Device information — Device type, operating system version, app version, unique device identifiers (for push notifications only).
  • Usage data — How you interact with the Service (e.g., which screens you visit, which features you use), for the purpose of improving the product.
  • Diagnostic data — Crash reports and performance metrics.
  • Log data — IP address, timestamps, and endpoint accessed when you call our APIs.

1.3 Information the mobile app accesses on your device

The Doc-Assure mobile app requests the following device permissions. Each is used only for the stated purpose and only after you grant consent:

  • Camera — Used exclusively for scanning documents within the Scan tab. Captured images are kept locally until you upload them to your Drive.
  • Photo library — Used to let you pick existing photos to upload as documents or as signature images. We do not read, index, or scan your photo library in any other way.
  • Face ID / Touch ID / Fingerprint — Used for the optional biometric app lock. Biometric templates never leave your device; we only receive a pass/fail result from the operating system.
  • Push notifications — Used to send you alerts when someone views a shared file, shares a document with you, completes a workflow approval, or your storage is nearly full.
  • Local storage — Used to cache starred files for offline access and to queue uploads while offline. Cached files use app-sandbox isolation on both iOS and Android.

What the mobile app does not collect: Your location, your contacts, microphone audio, advertising identifiers (IDFA/AAID), or any cross-app tracking data. The app never requests these permissions because it never needs them.

2. How we use your information

We use your information to:

  • Provide, maintain, and improve the Service.
  • Authenticate you and secure your account.
  • Store, index, search, and preview your documents.
  • Apply e-signatures to documents at your request.
  • Route workflow tasks and approvals to the correct people.
  • Respond to your AI chat queries. AI queries are processed by our intelligent query engine and may involve large language model (LLM) providers acting as data processors under contract.
  • Send you transactional notifications (e.g., share views, workflow tasks).
  • Detect and prevent abuse, fraud, and security incidents.
  • Comply with legal obligations.

We do not use your personal information, documents, or AI chat queries to train any machine learning model.

3. Legal basis for processing (POPIA / GDPR)

We process personal information on the following bases:

  • Consent — Where you have given clear consent (e.g., granting a POPIA consent for a specific document sharing purpose).
  • Contract — Where processing is necessary to provide the Service you have signed up for.
  • Legal obligation — Where processing is necessary to comply with applicable law.
  • Legitimate interests — Where processing is necessary for our legitimate interests (e.g., securing the Service, preventing abuse), balanced against your rights.

4. Who we share your information with

We do not sell your personal information. We share information only in these circumstances:

4.1 Within your organisation

When you are a tenant user, your documents and workflow activity are visible to other members of your tenant in accordance with the permissions set by your administrator.

4.2 With people you explicitly share with

When you create a share link or grant a consent, the recipients you specify get access to the documents you shared, subject to the conditions you set (password, expiry, download limit).

4.3 With our service providers (subprocessors)

We use a small number of trusted subprocessors:

Subprocessor | Purpose | Location
Our cloud infrastructure provider | Hosting, storage | South Africa and/or EU
MinIO | Encrypted object storage for your files | Same region as compute
Our LLM provider | AI chat query processing | Per signed DPA
Expo Application Services | Push notification delivery | United States
Apple Push Notification Service | iOS push delivery | United States
Google Firebase Cloud Messaging | Android push delivery | United States

A current list of subprocessors is available on request at [email protected].

4.4 For legal reasons

We may disclose information if required by law, court order, or legitimate request from a South African or other relevant authority.

5. Data retention

  • Active account data — Retained for as long as your account is active.
  • Documents — Retained until you delete them. Trashed items are permanently deleted after 30 days unless restored.
  • Audit logs — Retained for a minimum of 7 years for compliance purposes.
  • Backup copies — Retained for up to 90 days in encrypted backup storage.
  • Account closure — On request, we will delete your account and associated personal information within 30 days, except where we are legally required to retain it.

6. Your rights

Under POPIA and GDPR, you have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate personal information.
  • Delete your personal information (subject to legal retention requirements).
  • Object to processing based on legitimate interests.
  • Portability — receive a copy of your data in a machine-readable format.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with the Information Regulator (South Africa) or your local data protection authority.

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

7. Data security

We protect your information using industry-standard safeguards:

  • Encryption in transit — All network traffic uses TLS 1.2 or higher.
  • Encryption at rest — Files stored in MinIO are encrypted using AES-256.
  • Authentication — Passwords are stored as hashes. JWT access tokens are short-lived and stored in iOS Keychain / Android Keystore on mobile devices.
  • Biometric lock — Optional second factor on the mobile app.
  • Access controls — Role-based permissions enforced at every API endpoint, tenant isolation at the database and storage layer.
  • Security monitoring — Automated intrusion detection and audit logging.
  • Incident response — We will notify affected users of any personal information breach within 72 hours of becoming aware of it, as required by POPIA.

No system is perfectly secure, and we cannot guarantee absolute security. If you suspect your account has been compromised, contact [email protected] immediately.

8. International data transfers

Your data is primarily stored and processed in South Africa. Some subprocessors (e.g., push notification gateways, AI query providers) may process data in other jurisdictions. Where data is transferred outside South Africa, we rely on Standard Contractual Clauses or equivalent safeguards to ensure an adequate level of protection.

9. Children's privacy

Doc-Assure is designed for business use and is not directed at children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please contact us and we will delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Effective" date at the top. For material changes, we will notify you in the app and by email where appropriate.

11. Contact us

Doc-Assure
Information Officer
Email: [email protected]
Support: [email protected]
Website: doc-assure.africa

For complaints about how we handle your personal information, you can also contact the Information Regulator (South Africa):

  • Website: inforegulator.org.za
  • Email: [email protected]

© 2026 Doc-Assure. Built in South Africa.