Privacy Policy
Last updated: 28 April 2026
TechPhysic (“we”, “us”, or “our”), operating DocumentFlowAI at trydocflow.com, is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and the choices you have regarding your data.
By using the Service, you agree to the collection and use of information in accordance with this Policy. This Policy applies to all users of the Service, including visitors to our website and API consumers.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Full name
- Email address
- Password (stored as a bcrypt hash — never in plaintext)
- Plan and subscription status
1.2 API Usage Data
For each API call, we record:
- Timestamp of the request
- Document type detected (e.g., invoice, payslip)
- File name and size (not the file contents, which are stored separately)
- Plan at time of call
- Whether the extraction succeeded or failed
- Token usage (for internal cost tracking)
1.3 Documents You Submit
Documents you upload for extraction (PDFs, images) are transmitted over HTTPS and stored in encrypted cloud storage (Cloudflare R2). They are processed by Anthropic's Claude AI models to produce structured JSON output. Document files and their extracted results are automatically deleted 30 days after the extraction request.
1.4 Payment Information
We do not store credit card numbers or bank account details. All payment processing is handled by Paddle. We receive and store only transaction identifiers, subscription status, and billing plan information from these processors.
1.5 Technical Information
When you use the Service, we automatically collect:
- IP address (used for rate limiting and security)
- Browser type and version (for the web dashboard)
- Referring URL
- Pages visited and features used within the dashboard
- Error events and performance data
2. How We Use Your Information
We use the information we collect to:
- Provide the Service: Process your documents and return structured extraction results.
- Manage your account: Authenticate API requests, enforce plan quotas and rate limits, and manage your subscription.
- Send transactional emails: Password reset links, billing receipts, and important service notifications.
- Improve the Service: Analyse aggregate usage patterns (not individual document contents) to improve accuracy, performance, and reliability.
- Security and fraud prevention: Detect and prevent abuse, unauthorised access, and violations of our Terms of Service.
- Legal compliance: Meet our obligations under applicable laws and respond to lawful requests from authorities.
We do not sell your data. We do not share your personal information or document contents with third parties for their marketing purposes.
3. Third-Party Services
We use the following third-party services to operate DocumentFlowAI. Each has its own privacy policy, linked below.
| Service | Purpose | Data Shared |
|---|---|---|
| Anthropic Claude | AI document extraction | Document content during processing |
| Cloudflare R2 | Document storage | Uploaded files (encrypted at rest) |
| NeonDB / Railway | Database hosting | Account data, usage logs |
| Upstash Redis | Caching & rate limiting | API key hashes, usage counters |
| Resend | Transactional email | Your email address, email content |
| Paddle | Payment processing (international) | Billing info, email address |
| Razorpay | Payment processing (alternative) | Billing info, email address |
| PostHog | Product analytics | Anonymised usage events, page views |
| Sentry | Error monitoring | Error stack traces (no doc contents) |
Document contents sent to Anthropic are governed by Anthropic's Privacy Policy. Anthropic does not use API inputs to train models by default.
4. Data Retention
Document files & extracted results
Deleted automatically 30 days after the extraction request.
Account data
Retained for the lifetime of your account. Deleted within 30 days of account closure upon request.
Usage logs
Retained for 13 months for billing dispute resolution, then aggregated and anonymised.
Payment records
Retained for 7 years as required by standard accounting and tax regulations.
5. Your Rights
Depending on where you are located, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your account and associated data (subject to legal retention obligations).
- Data portability: Request your account data in a machine-readable format.
- Opt-out of marketing: Unsubscribe from marketing communications at any time using the link in any marketing email. Note: transactional emails (billing receipts, password resets) cannot be opted out of while your account is active.
To exercise any of these rights, email us at [email protected] with the subject line “Privacy Request”. We will respond within 30 days.
6. Cookies
The DocumentFlowAI dashboard uses a single session cookie (af_has_session) to determine whether to show the login page. This cookie contains no personal data or secret — it is a simple presence signal. It is not used for tracking or advertising.
We use PostHog for product analytics, which may set analytics cookies. PostHog is configured to respect browser “Do Not Track” signals and can be opted out of via your browser settings.
7. Security
We take reasonable technical and organisational measures to protect your data, including:
- All data in transit is encrypted using TLS 1.2 or higher.
- Documents are stored encrypted at rest in Cloudflare R2.
- API keys are stored only as SHA-256 hashes — the plaintext key is shown to you once and never stored.
- Passwords are hashed using bcrypt with a strong work factor.
- Access to production systems is restricted to authorised personnel only.
No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it responsibly to [email protected].
8. Children's Privacy
The Service is not directed at children under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected such information, please contact us at [email protected] and we will delete it promptly.
9. International Data Transfers
Our infrastructure spans multiple regions globally. By using the Service, you acknowledge that your data may be processed outside your country of residence. Where we transfer data internationally, we ensure appropriate safeguards are in place in accordance with applicable data protection law (including GDPR Standard Contractual Clauses where required).
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Policy on this page and updating the “Last updated” date. For significant changes, we will also send an email notification at least 14 days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:
TechPhysic — Privacy Team
Operating as DocumentFlowAI
Email: [email protected]
Website: trydocflow.com
Response time: within 30 days of receiving your request.
Related: Terms of Service