Privacy Policy
Last updated: June 10, 2026
1. Introduction
Docusift ("we", "our", "us") is a product of Ekarche Private Limited (CIN U58200UW2026PTC253262, GSTIN 09AAJCE7033P1Z1, registered office Mathura, Uttar Pradesh 281502, India). We provide the docusift.co website and the Docusift document processing platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. More about the parent company at ekarche.com.
2. Information We Collect
Account information
When you create an account, we collect your name, email address, and organization name. If you subscribe to a paid plan, our payment processor collects billing information directly — we do not store credit card numbers.
Documents you upload
Documents you submit for processing are used solely to provide the extraction service. We do not use uploaded documents to train AI models. Documents are retained according to your tenant's configured retention period, which you can adjust in your account settings. Once the retention period expires, documents are automatically and permanently deleted.
Usage data
We collect standard log data (IP addresses, browser type, pages visited, timestamps) to operate and improve the service.
3. How We Use Your Information
- To provide and maintain the document processing service
- To manage your account and process payments
- To send transactional emails (account verification, password resets, billing receipts)
- To respond to support requests and inquiries
- To monitor and improve service performance and security
4. Data Sharing
We do not sell your personal information. We share data only with:
- Service providers — categories include cloud infrastructure, AI inference, email delivery, and payment processing. All are bound by data processing agreements. The current named subprocessor register is available on request via hello@docusift.co.
- Accounting integrations you connect — when you connect a QuickBooks (Intuit Inc.) or Xero (Xero Limited) workspace, we transmit the structured data extracted from your documents to that provider under the terms you accepted with them. We act as a sender on your behalf, not a recipient. You can disconnect the integration at any time from your Docusift settings; disconnection stops future transmissions but does not retrieve data previously sent.
- Legal requirements — when required by law, court order, or to protect our rights
5. Data Retention
Account data is retained while your account is active. Uploaded documents are retained for a configurable period set by your organization's admin (the default retention period is defined in your tenant settings). After the retention period, documents are automatically and permanently deleted. When you delete your account, all associated data is permanently removed within 30 days.
The per-category schedule below applies unless your admin shortens it:
- Account profile (name, email, role, password hash, MFA secret) — kept while the account exists; deleted within 30 days of account deletion. Lawful basis: contract performance (GDPR Art 6(1)(b) / DPDP §7).
- Authentication + session (refresh tokens, login timestamps, IP for the active session) — rolling 90 days after the last sign-in. Lawful basis: legitimate interest in account security (GDPR Art 6(1)(f) / DPDP §7).
- Uploaded documents + extracted structured data — tenant-configurable, default 365 days; deleted on a per-tenant purge job (see
scripts/retention-purge.ts). Lawful basis: contract performance. - Audit logs (who-changed-what on every entity) — kept for the lifetime of the tenant for security and accountability, purged on account deletion. Lawful basis: legal obligation + legitimate interest (GDPR Art 6(1)(c) / 6(1)(f)).
- Billing + invoicing records — 7 years (Indian Companies Act §128 + IT Act record-keeping). Lawful basis: legal obligation.
- Support tickets + email correspondence — 24 months from last update, then anonymised. Lawful basis: legitimate interest.
- Marketing analytics + consent records — consent log kept for the lifetime of the consent + 5 years post-withdrawal. Analytics is first-party only and not joined to account data. Lawful basis: consent (GDPR Art 6(1)(a) / DPDP §6).
- Subprocessor change notifications — sent at least 30 days before a new subprocessor handles your data.
6. Data Security
We use industry-standard measures to protect your data, including encryption in transit and at rest, application-layer encryption for sensitive secrets, and strict access controls. See our security page for a fuller description of our controls and compliance posture.
7. Your Rights
Depending on your jurisdiction, you may have the right to access, correct, delete, or export your personal data. To exercise these rights, contact us at hello@docusift.co.
8. Cookies and Similar Technologies
We use a small set of strictly-necessary storage mechanisms to keep you signed in and to remember your in-app preferences. We do not use third-party advertising or cross-site tracking cookies, and we do not run third-party analytics on Docusift.
- Strictly necessary — an authentication session cookie issued at sign-in, plus a small amount of localStorage/sessionStorage used to keep your access token, theme preference, and dashboard layout across page loads. These cannot be disabled without breaking sign-in.
- Functional — none.
- Analytics — none.
- Marketing / advertising — none.
9. International Transfers
Docusift is operated from India. All customer data is currently hosted in the United States (AWS, us-east-1). Personal data may be transferred to and processed in the United States and India to deliver the Service. Cross-border transfers rely on appropriate contractual safeguards, including Standard Contractual Clauses where required by applicable law.
10. Children's Privacy
Docusift is intended for use by businesses and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. Where the GDPR applies, the relevant age floor in your member state (between 13 and 16, as set by that state) also applies.
11. Personal Data Breach Notification
If we become aware of a personal data breach affecting your data, we will notify the workspace admin by email without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notice will describe the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate possible adverse effects. We will also notify regulators where required by applicable law (including the Data Protection Board of India under the DPDP Act and the relevant supervisory authority under GDPR Article 33).
12. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the following applies in addition to the rest of this Policy:
- Categories of personal information collected: identifiers (name, email), commercial information (subscription activity), internet activity (usage logs), professional or employment-related information (organization name, role), and content you upload through the Service.
- Purposes: to provide and operate the Service, manage your account, process payments, send transactional emails, respond to support requests, and monitor security and performance.
- Disclosures: to the categories of service providers listed in Section 4. We do not sell personal information and we do not share personal information for cross-context behavioural advertising.
- Right to know, delete, correct, and limit: you may request access to or deletion of your personal information, request a correction, or limit the use of sensitive personal information by emailing hello@docusift.co from the address on your account. We will not discriminate against you for exercising these rights.
- Retention: account data is retained while your account is active; uploaded documents are retained per your tenant retention setting; on account deletion, all associated data is permanently removed within 30 days.
13. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email or a notice on our website.
14. Contact
If you have questions about this Privacy Policy, contact us at: hello@docusift.co