Privacy Policy
Last updated: April 3, 2026
1. Data Controller
Spectrum Flare sp. z o.o. is the data controller for personal data processed through DocsAura. For privacy inquiries contact us at [email protected].
2. What Data We Collect
Account data
- Email address, name (provided at signup)
- Workspace name and settings
- Authentication credentials (password stored as PBKDF2 hash — we never store plaintext passwords)
Content data
- Text prompts, uploaded images, voice note transcripts, and screenshots you provide for document generation
- Generated HTML documents
- Brand profiles (logos, colours, fonts) you configure
Usage data
- Document view counts, creation timestamps
- Generation job metadata (status, processing times)
- IP address and user agent (for session security)
Payment data
- Stripe customer ID and subscription ID
- We do not store credit card numbers, CVVs, or bank details — these are handled entirely by Stripe
3. How We Use Your Data
- To generate, store, and serve your documents
- To authenticate you and maintain session security
- To process payments and manage subscriptions
- To send transactional emails (account, billing)
- To improve the Service (aggregated, non-identifiable analytics)
4. Legal Basis (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)) — processing necessary to provide the Service you signed up for
- Legitimate interest (Art. 6(1)(f)) — security, fraud prevention, service improvement
- Legal obligation (Art. 6(1)(c)) — tax and accounting requirements
- Consent (Art. 6(1)(a)) — where applicable (e.g. optional marketing emails)
5. Third-Party Data Sharing
We share your data with the following providers, solely to operate the Service:
| Provider | Data shared | Purpose |
| --- | --- | --- |
| Anthropic (Claude) | Prompts, uploaded text/images | AI document generation |
| Supabase | Account data, documents, metadata | Database and file storage |
| Stripe | Email, name, payment method | Payment processing |
| Cloudflare | Request data (IP, headers) | Hosting, CDN, security |
| Browserless | Generated HTML | PDF export, format rendering |
We do not sell your personal data. We do not share data with advertisers.
6. International Transfers
Some providers (Anthropic, Stripe, Cloudflare, Supabase) process data in the United States. These transfers rely on Standard Contractual Clauses (SCCs) or other GDPR-compliant transfer mechanisms maintained by each provider.
7. Data Retention
- Documents: retained as long as your account is active, or until you delete them
- Account data: retained while your account exists; deleted within 30 days of account deletion request
- Session tokens: automatically expire after 24 hours
- Payment records: retained as required by tax law (typically 5 years)
- Generation job logs: retained for 90 days for debugging, then deleted
8. Your Rights (GDPR)
You have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — request we limit processing of your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent
To exercise any of these rights, email [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the Polish supervisory authority: Prezes Urzędu Ochrony Danych Osobowych (UODO).
9. Cookies
DocsAura uses only essential cookies and localStorage for authentication and session management. We do not use tracking cookies, analytics cookies, or advertising cookies.
10. Security
We implement appropriate technical measures including:
- PBKDF2 password hashing (100,000 iterations)
- HTTPS/TLS encryption for all data in transit
- Time-limited session tokens (24-hour expiry)
- Row-level security in our database
No system is 100% secure. If you discover a vulnerability, please report it to [email protected].
11. Children
DocsAura is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the Service. The "last updated" date at the top reflects the most recent revision.
13. Contact
Spectrum Flare sp. z o.o.
Email: [email protected]