Privacy Policy

Last updated: 7 April 2026

This Privacy Policy describes how PaperTrail ("PaperTrail", "we", "us", or "our") processes personal data when you use our website at usepapertrail.app, the PaperTrail web application hosted at https://studio-dashboard.usepapertrail.app, and related services (together, the "Services").

The controller of your personal data is PaperTrail. PaperTrail is operated by an individual, not a separate registered company. In these documents, "PaperTrail", "we", "us", and "our" refer to that operator.

1. Definitions

Personal data means information relating to an identified or identifiable individual.

Processing means any operation performed on personal data, including collection, storage, use, disclosure, and erasure.

You means the individual using the Services, including account holders and (where applicable) individuals who interact with content you share through the Services.

2. Scope

This Policy applies to processing in connection with the Services. It does not apply to third-party websites, applications, or services that we do not control, including payment processing by Stripe (described in Section 8) and infrastructure subprocessors listed in Section 9.

If you subscribe to marketing communications or use optional features (for example, forwarding emails into PaperTrail), additional notices may apply at the point of collection.

Your use of the Services is also governed by our Terms of Service, including provisions on acceptable use, your content, and dispute resolution.

3. Personal data we collect

We process the following categories of personal data, depending on how you use the Services:

  • Account and authentication. Email address, authentication tokens or codes associated with passwordless sign-in (magic link or one-time passcode), session identifiers, and security logs relating to sign-in events.
  • Profile and preferences. Display name, notification preferences, time zone or locale where you provide them, and similar settings stored with your account.
  • Document and renewal data. Files and images you upload or import, extracted or user-entered metadata (such as document type, issuer, expiry or renewal dates, reminders, notes, and renewal tracking information), and derived or OCR-assisted fields where you use those features. This category may include special categories of data if you choose to store such content; we do not require it.
  • Sharing and collaboration. Information needed to operate share links or similar features, including access events, tokens, and coarse technical data associated with access (for example, truncated or aggregated network identifiers where we log access for security or abuse prevention).
  • Inbound email or "drop" channels. If you send or forward messages or attachments to an address we provide, we process the content of those messages and attachments, headers and routing information, and associated metadata needed to deliver the feature.
  • Newsletter and marketing. Email address and, where applicable, subscription status and engagement metrics, if you opt in to marketing communications.
  • Support and communications. Information you provide when you contact us, including the content of your message and your contact details.
  • Payment-related records. We do not receive full payment card numbers. We receive billing and subscription data from our payment processor as described in Section 8.

4. Data collected automatically

When you use the Services, we and our service providers may process technical and usage data, including IP address, device or browser type, operating system, approximate location derived from IP, timestamps, diagnostic and error data, referring URLs, and similar logs. We use this information to operate, secure, and improve the Services and to detect abuse.

We use cookies and similar technologies on our website and application as described in our Cookie Policy.

5. Purposes and legal bases (UK, EEA, and Switzerland)

Where the UK GDPR or EU GDPR applies, we rely on the following legal bases:

  • Contract (Article 6(1)(b)). Providing the Services, authenticating you, storing and displaying your content, sending service-related messages, and processing payment-related records needed to manage your subscription.
  • Legitimate interests (Article 6(1)(f)). Securing the Services, preventing fraud and abuse, debugging and improving reliability, analysing aggregate usage, enforcing our terms, and defending legal claims. We balance these interests against your rights and, where required, offer opt-outs or controls.
  • Consent (Article 6(1)(a)). Non-essential cookies, marketing emails where consent is required, and any other processing we expressly ask you to agree to. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  • Legal obligation (Article 6(1)(c)). Compliance with applicable law, tax, or regulatory requirements.

Where we process special categories of personal data because you have uploaded such content, we treat that processing as necessary for the purposes you initiate within the Services and, where applicable, as based on your explicit consent or another ground permitted by law. You should not upload health or other sensitive information unless you choose to.

6. How we share personal data

We disclose personal data only as described in this Policy or with your direction. Recipients include:

  • Service providers who host, store, transmit, or support the Services on our behalf, subject to contractual confidentiality and security obligations (see Section 9).
  • Payment processors, currently Stripe, for payment transactions and subscription lifecycle events.
  • Professional advisers where required (for example, lawyers or auditors under confidentiality).
  • Authorities if we believe disclosure is required by law, regulation, legal process, or to protect the rights, safety, or property of users, us, or others.
  • Corporate transactions in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards.

We do not sell your personal data within the meaning of U.S. state privacy laws, and we do not share it for cross-context behavioural advertising as "sale" or "sharing" under the California Consumer Privacy Act as amended.

7. International transfers

We may process and store personal data in the United Kingdom, the European Economic Area, the United States, and other countries where we or our service providers operate. Those countries may not provide the same level of data protection as your home jurisdiction.

Where we transfer personal data from the UK, EEA, or Switzerland to countries not subject to an adequacy decision, we implement appropriate safeguards such as the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or equivalent mechanisms required by applicable law, together with supplementary measures where appropriate.

You may request further information about those safeguards using the contact details below.

8. Payments (Stripe)

Subscription and checkout flows are handled by Stripe, Inc. and its affiliates. Stripe collects and processes payment method details and transaction data in accordance with its own privacy notice. We do not receive your full card number or CVV.

We receive and retain limited billing and subscription records from Stripe, such as customer identifier, subscription status, plan, billing email, invoice history, and partial payment method descriptors (for example, card brand and last four digits) where Stripe exposes them to us for reconciliation and customer support.

See Stripe's Privacy Policy for details of Stripe's processing.

9. Subprocessors and infrastructure

We use vetted service providers to deliver the Services, including:

  • Cloud hosting, database, authentication, file storage, and serverless compute (for example, infrastructure comparable to Vercel and Supabase).
  • Email delivery for transactional and, where applicable, marketing messages.
  • Stripe for payments, as described in Section 8.
  • Error monitoring and diagnostics (Sentry) to detect faults and improve stability. We configure such tools to minimise personal data and to scrub or discard fields that are not needed for that purpose.

We impose data-processing terms on subprocessors that require them to protect personal data and to process it only on our instructions, except where law requires otherwise.

10. Retention

We retain personal data for as long as your account is active, as needed to provide the Services, and thereafter as required for legitimate purposes such as security, backup, dispute resolution, audit, or legal obligation.

Document content and associated metadata are retained until you delete them or close your account, subject to technical backup cycles and legal holds. We periodically review retention periods and anonymise or delete data when it is no longer needed.

11. Security

We implement technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction, including access controls, encryption in transit, and vendor security requirements. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

12. Your rights

Depending on your location, you may have rights to access, rectify, erase, restrict, or object to certain processing, to data portability, and to withdraw consent where processing is consent-based. You may also have the right to lodge a complaint with a supervisory authority.

UK and EEA. You may exercise GDPR rights by emailing support@usepapertrail.com. You may also contact your local supervisory authority; in the UK, the Information Commissioner's Office (ico.org.uk).

United States (state laws). Residents of certain states may have additional rights under applicable law, including to know the categories of personal information we collect, the purposes of collection, and the categories of third parties to whom we disclose personal information; to request deletion or correction; and to appeal certain decisions. We do not sell personal information or use or disclose sensitive personal information for purposes that require a "limit" right under California law. To submit a request, email support@usepapertrail.com. We will verify your request in line with applicable law and respond within the statutory timeframe. You may designate an authorised agent where permitted.

13. Children

The Services are not directed at children under 16 (or under 13 where U.S. children's privacy rules apply). We do not knowingly collect personal data from children below those ages. If you believe we have done so, contact us and we will take steps to delete the information.

14. Changes to this Policy

We may update this Policy from time to time. We will post the revised version on this page and update the "Last updated" date. Where changes are material and we are required to do so, we will provide additional notice (for example, by email or in-product message).

15. Contact

For privacy questions or requests, contact support@usepapertrail.com.

Physical correspondence: use the contact email on this page. Where the law requires a mailing address, we will provide it on request.