Privacy Policy
Last updated: May 2026
1. Who we are
DocuFlag is a self-help AI tool for individual Schengen visa applicants (and, on the Enterprise plan, for organisations processing visa files at volume), operated by DocuFlag, based in the United Kingdom. For privacy-related enquiries and data subject requests, write to [email protected]. For general support, write to [email protected]. This privacy policy explains how we collect, use, and protect information when you use our service.
Data Protection Officer: We are not required to appoint a Data Protection Officer under Article 37 UK GDPR. Our processing of special category data (passport photographs) occurs at a scale that does not meet the “large scale” threshold contemplated by the Article 29 Working Party guidance (WP 243): a small B2C user base where each user processes only their own documents, and an Enterprise tier whose individual customers each handle limited volumes. Should our processing scale change materially, we will reassess and appoint a DPO if required. For data protection enquiries, contact [email protected].
2. What we collect
Account data: Your email address and organisation name.
Case data — cloud sync is a user-controllable toggle (default ON): Case metadata (destination, dates, trip purpose), document files, checklist items, AI-analysis results, and cross-document checks. When cloud sync is on, this data is stored encrypted-at-rest in our European cloud storage under software-protected Cloud KMS keys; a local browser cache (IndexedDB) keeps pages fast, and clearing browser data or switching devices is safe because the cloud copy is the durable source of truth. When cloud sync is off, no server-side copy of any case is kept — only the browser’s local cache holds the persistent copy. During analysis, documents transit through our EU-hosted relay in-memory only and are sent to Google’s Vertex AI EU endpoint for vision-model field extraction (see section 4) regardless of cloud-sync state.
Audit trail: Timestamps, action types (e.g. “document.analyzed”, “cloud.kms_decrypt”), and HMAC-hashed IP prefixes for accountability. Hashed IP prefixes are pseudonymous personal data under UK GDPR Recital 26 (still personal data, but not directly identifying). We log no plaintext PII. Audit-trail retention is described in section 8.
Payment data: Processed by Stripe. We do not store full card numbers.
Storage modes. The only choice at registration is whether cloud sync is on or off, and that choice is reversible from Settings.
Cloud sync ON. What gets stored: a copy of your case bundle, including the document files you uploaded (e.g. passport scans, bank statements, hotel reservations, employment letters — some of these images contain a facial photograph on the passport biographical-data page). What protects them at rest: each backup is encrypted on our server under a per-application AES-256-GCM data key (DEK); the DEK is then wrapped under an organisation-scoped key (KEK) held in Google Cloud KMS (europe-west1; software-protected, FIPS 140-2 Level 1). The KEK material lives only inside Cloud KMS and is inaccessible to DocuFlag engineers — our application identity is granted only the right to invoke Cloud KMS Encrypt and Decrypt against it, never the right to export or read the key bytes. DocuFlag CAN technically decrypt your cloud backups when you are signed in, and we will if compelled by valid legal process; we cannot decrypt offline or while you are signed out. Every Cloud KMS Decrypt call is recorded in Google’s independent audit stream and in our own application audit log; an operational alerting policy on bulk-decrypt anomalies is provisioned against the production project (configurable and reviewable by request to [email protected]). Forgetting your password works normally — a password reset does not lose your cloud data. You can disable cloud sync from Settings at any time; doing so wipes the cloud copy and schedules cryptographic erasure of the organisation’s encryption key (30-day Cloud KMS reversible window).
Cloud sync OFF (no server-side copy). No server-side copy of any case is kept. Documents still transit our EU analysis server in-memory for AI processing — processed in-memory only, never written to disk by the analysis pipeline or the AI provider — but only your browser’s local cache holds the persistent copy. Clearing browser data or switching devices loses your cases. Re-enable cloud sync from Settings to upload your local cache.
Storage details. Encrypted blobs are stored on self-managed encrypted object storage on OVHcloud’s EU infrastructure. Each blob carries a 180-day TTL that is reset on every access (upload OR download) — while you actively use a case, the data stays indefinitely; if a case is untouched for 180 consecutive days the blob is auto-deleted as part of our GDPR Art. 5(1)(e) storage-limitation obligation. The cloud storage flow is entirely separate from the analysis flow, which remains TLS-encrypted in-memory transit (section 4).
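As an added illustration of the envelope-encryption and cryptographic-erasure design described in section 2 (example code, not DocuFlag's own implementation): the KEK lives only inside a stand-in KMS object that exposes Encrypt, Decrypt and destroy, the application wraps a DEK under it, the storage layer receives only ciphertext, and destroying the KEK leaves the backup unrecoverable. FakeKms, the standard-library AEAD used in place of AES-256-GCM, and the one-DEK-per-backup choice are assumptions of this example.

```python
import hashlib
import hmac
import secrets
# Stand-in AEAD from the standard library (HMAC-SHA256 counter-mode keystream + HMAC tag).
# It fills the role AES-256-GCM has in the policy so the example runs offline; it is not AES-GCM.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: blob tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class FakeKms:
    """Hypothetical stand-in for Cloud KMS: KEK bytes never leave this object."""
    def __init__(self) -> None:
        self._keks = {}
    def create_key(self, key_id: str) -> None:
        self._keks[key_id] = secrets.token_bytes(32)
    def encrypt(self, key_id: str, data: bytes) -> bytes:    # the only two rights the
        return aead_encrypt(self._keks[key_id], data, key_id.encode())
    def decrypt(self, key_id: str, blob: bytes) -> bytes:    # app identity is granted
        if key_id not in self._keks:
            raise PermissionError(f"KEK {key_id} destroyed")
        return aead_decrypt(self._keks[key_id], blob, key_id.encode())
    def destroy(self, key_id: str) -> None:
        self._keks.pop(key_id, None)   # models the end of the KMS destruction window

def backup_case(kms: FakeKms, org_key: str, case_bundle: bytes) -> dict:
    """Envelope encryption: an app-generated DEK encrypts the bundle, the org KEK wraps the DEK."""
    dek = secrets.token_bytes(32)   # one DEK per backup is this example's choice
    return {"wrapped_dek": kms.encrypt(org_key, dek), "ciphertext": aead_encrypt(dek, case_bundle)}

def restore_case(kms: FakeKms, org_key: str, blob: dict) -> bytes:
    dek = kms.decrypt(org_key, blob["wrapped_dek"])   # the audited KMS Decrypt call
    return aead_decrypt(dek, blob["ciphertext"])

def storage_layer_sees_plaintext(blob: dict, sample: bytes) -> bool:
    """The object store holds only ciphertext plus a wrapped DEK, so this should be False."""
    return sample in blob["ciphertext"] or sample in blob["wrapped_dek"]

def erasure_is_effective(kms: FakeKms, org_key: str, blob: dict) -> bool:
    """Cryptographic erasure: destroy the KEK, then confirm the backup cannot be restored."""
    kms.destroy(org_key)
    try:
        restore_case(kms, org_key, blob)
    except PermissionError:
        return True
    return False
```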
3. What we do NOT collect or do
- We do not perform facial recognition, biometric matching, or any form of identity verification. We do not generate facial templates from passport photographs and do not match faces against any gallery, database, or other person’s image.
- We do not use your data to train AI models, our own or any third party’s. The Google Cloud DPA covering Vertex AI confirms this for the analysis flow; the storage flow does no model training at all.
- We do not use analytics, advertising, or tracking cookies. We do not sell or rent your data to anyone.
- We do not currently send marketing emails. If we introduce marketing emails in the future, we will rely only on your prior explicit opt-in (at registration or in your account Settings) and you will be able to withdraw consent at any time via the unsubscribe link in any such email or by writing to [email protected].
- We do not access your browser’s local cache directly — it is rebuilt on each sign-in from your encrypted cloud copy.
- When cloud sync is off, no server-side copy of any case is kept — DocuFlag has nothing to access or decrypt. When cloud sync is on, DocuFlag can decrypt under your authenticated session (see section 2) — that is the deliberate trade-off for a working password reset.
4. How documents are processed
When you add a document, it is sent from your browser over TLS to our EU-hosted analysis server, which forwards it to Google's Vertex AI EU endpoint for AI analysis. During this analysis flow, documents are processed in-memory only and never written to disk — not by our analysis server, and not by Google.
The AI returns structured analysis results (field extractions and compliance observations). What happens next depends on your cloud-sync setting: when ON, the combined case bundle (document bytes plus analysis results) is encrypted at rest in our European cloud storage under a Cloud KMS-wrapped key our application can invoke under your authenticated session (every decryption logged). When OFF, no server-side copy is created — the bundle lives only in your browser's local cache (IndexedDB). You can verify the encrypted upload using your browser's developer tools (Network tab).
5. Third-party processors (sub-processors)
We use the following processors. The full sub-processor table with locations, processing purposes, and data-retention commitments is in our DPA — sub-processor list (single source of truth). This summary mirrors that list.
- Google Cloud (Vertex AI, europe-west1): AI-powered document analysis. Operates with zero data retention — API requests/responses are not stored at rest on Google’s servers and are not used for model training. We have a Google Cloud DPA with Vertex AI data-retention controls configured at project level.
- Google Cloud (Cloud KMS, europe-west1): Hosts the per-organisation key-encryption keys used by cloud-sync backups. Keys are software-protected (FIPS 140-2 Level 1) and the runtime application identity is granted only Encrypt/Decrypt against the KEK — never the right to export, list, or destroy key material. Not used when cloud sync is off (no server-side blob, so no key to wrap).
- Stripe (US/EU): Payment processing for credit-pack purchases. We do not access or store full card details.
- OVHcloud (EU, compute): Hosts the DocuFlag web application and the EU-hosted analysis relay. Documents transit through this layer in-memory only and are never written to disk by it.
- OVHcloud (EU, self-managed encrypted object storage): Holds optional cloud-backup ciphertext. The storage layer holds encrypted data only and cannot decrypt — the wrapping keys live in Cloud KMS, never in the storage layer.
- Cloudflare: CDN, TLS termination, and DDoS protection. Sees only TLS-decrypted request metadata and bodies in transit; nothing is persisted at the edge by our configuration.
- Backblaze B2 (EU): Off-site disaster-recovery copies of our PostgreSQL database. Backups are age-encrypted before upload using a key DocuFlag controls; B2 holds ciphertext only.
- Email transactional provider (SMTP, EU): Delivers magic-link sign-in emails and security notifications.
International transfers. Google LLC, Stripe, and Cloudflare are US-headquartered corporations with EU operating subsidiaries. Storage and processing of DocuFlag data takes place in the EU (europe-west1 for Google services; OVHcloud EU for compute and object storage; EU edge locations for Cloudflare). Where the involvement of a US parent creates a transfer concern, the safeguards we rely on are: (i) the EU Standard Contractual Clauses (Module 2) and the UK Addendum, attached by reference in each processor’s DPA (Google Cloud DPA, Stripe DPA, Cloudflare DPA); (ii) for Google LLC and Stripe, additional cover under the EU-US Data Privacy Framework (UK Extension); (iii) for Cloudflare, the data flowing through the edge is TLS-decrypted request metadata and bodies in transit with no edge-cache for authenticated routes, so the volume of personal data exposed is minimal. We have completed an internal Transfer Risk Assessment addressing the supplementary measures we rely on (EU residency, Cloud KMS with IAM-isolated KEK, IAM least-privilege, audit logging, optional cloud-sync-off mode that keeps case content out of server-side storage entirely). You may request a copy of the assessment at [email protected].
6. Lawful basis for processing
Account data and case data: processed on the basis of performance of a contract (Article 6(1)(b) UK GDPR / EU GDPR) — processing is necessary to deliver the service you signed up for.
Cloud KMS Decrypt operations performed under authenticated user session: performance of a contract (Article 6(1)(b)) — the decryption is necessary to return the cloud backup you asked for.
Audit-trail logging: legitimate interests (Article 6(1)(f)) — security monitoring, fraud prevention, and evidencing compliance under Article 32. Where the audit trail also serves a legal obligation (e.g. evidencing erasure under Article 17), the basis is also Article 6(1)(c).
Disclosure to authorities under valid legal process: compliance with a legal obligation (Article 6(1)(c)) where served under UK/EU process; in other jurisdictions, the basis is legitimate interests (Article 6(1)(f)) in defending or asserting legal rights, balanced against the rights of the data subject.
Special category data (Article 9): the documents you upload may contain personal data of special categories — passport biographical-data pages include a facial photograph, and other documents may incidentally contain Article 9 data (e.g. a marriage certificate showing religious ceremony, an employment letter from a faith-based employer).
We have considered carefully whether our processing of passport photographs constitutes processing of biometric data under Article 9(1). Our processing does not include generating facial templates, performing facial recognition or matching, or any form of identity verification by face. Vision-model field extraction by Vertex AI is performed for the purpose of extracting structured text fields (passport number, expiry, holder name, machine-readable-zone characters) — not for uniquely identifying any individual. Under the ICO biometric-recognition guidance (March 2024), biometric data within Article 9(1) requires processing aimed at the unique identification of a natural person; content extraction does not satisfy that test. Should a supervisory authority take a different view, the safeguards above (no template generation, no matching, no identity verification, transient processing for analysis only, optional cloud-sync-off mode that keeps content out of server-side storage entirely) remain in place and are documented in our DPIA.
For documents incidentally containing Article 9 data (other than passport photographs), the lawful basis is explicit consent (Article 9(2)(a)) given at the moment you choose to upload that specific document for the specific purpose of visa-application review. You retain the right to withdraw consent and delete the document at any time.
Children’s data. DocuFlag is intended for users aged 18 or older. We understand that visa applications may relate to minors — in that case, a parent or guardian uses DocuFlag on the minor’s behalf and uploads the minor’s documents. By doing so, the parent or guardian represents that they have the authority to provide that personal data to us. We do not knowingly collect personal data directly from any person under 13. If you believe a minor’s data has been provided without proper authority, write to [email protected] and we will delete it.
6a. Automated decision-making (Article 22)
The AI analysis returns structured observations comparing your documents against published consulate requirements. These observations are decision support, not decisions: the only entity that decides whether your visa is issued is the consular authority you submit to. DocuFlag output does not produce legal effects or significantly similar effects on you within the meaning of UK GDPR Article 22(1) — we neither approve nor reject visa applications, and our output does not bind any consulate or any other party. The user reviews every observation and decides what (if anything) to act on before submitting their application.
7. Data Processing Agreement
Enterprise customers using DocuFlag as a data processor on behalf of visa applicants are covered by our Data Processing Agreement (GDPR Article 28), which governs the processing relationship. We have also conducted a Data Protection Impact Assessment (GDPR Article 35) covering the risks and safeguards associated with AI-powered document analysis.
8. Data retention
- Account data: retained while your account is active. After you request account deletion (Article 17), your account is soft-deleted immediately and hard-deleted 30 days later by an automated cron. The 30-day window is the grace period to recover from accidental or unauthorised deletion (you can contact [email protected] within that window to cancel).
- Case data (encrypted in cloud by default): retained while the case is in use. Each cloud-backup blob carries a 180-day TTL that is reset on every access — an upload OR a download bumps the expiry forward. Active cases stay indefinitely; cases untouched for 180 consecutive days are auto-deleted by the daily cloud-storage cleanup cron under GDPR Art. 5(1)(e) storage-limitation. You can delete an individual case at any time; deletion is soft-marked immediately and hard-purged from object storage 7 days later. A local browser cache (IndexedDB) mirrors the cloud copy on each device for fast page loads; clearing browser data re-hydrates from cloud on next sign-in.
- Cryptographic erasure on account deletion: when your account is hard-deleted at the 30-day mark, the org-scoped Cloud KMS key that wraps your backup data keys is scheduled for destruction. Cloud KMS waits a further 24 hours before destroying the key material; after that, your cloud-stored documents are mathematically unrecoverable even by us. This is the strongest erasure guarantee available short of physical-media destruction.
- Audit trail (routine events): 1 year. Hard-deleted by an automated retention sweep.
- Audit trail (security-relevant events — GDPR rights exercises, KMS operations, sensitive auth events): 6 years, aligned with the limitation period for contract claims under the Limitation Act 1980 s.5. Records are kept in pseudonymous form (no plaintext PII; HMAC-hashed IP prefixes only).
- Disaster-recovery backups: encrypted copies of our PostgreSQL database, retained 30 daily + 12 monthly rotations. After your data has been erased from the live system, it remains in encrypted backups until those backups age out (worst case: 12 months). Within that window we will not restore the data to live processing without re-applying the pending erasure (ICO “beyond use” doctrine).
- Documents during analysis: processed in-memory only by our EU analysis relay and by Vertex AI. Never written to disk by the analysis pipeline. The durable copy lives in our encrypted cloud storage as described above.
9. Your rights
Under UK GDPR / EU GDPR, you have the right to access your data (Article 15), rectify inaccuracies (Article 16), erase your data (Article 17), restrict processing (Article 18), move your data to another provider (Article 20), and object to processing based on legitimate interests (Article 21).
How to exercise these rights. Most rights are self-service:
- Access / portability: Settings → GDPR → Export my data. Returns a ZIP archive containing a manifest, your account record, your audit log, and (when cloud sync is on) your cloud-backup files decrypted to JSON. The format is structured, commonly used, machine-readable.
- Erasure: Settings → GDPR → Delete my account. Triggers the 30-day soft-delete window described in section 8.
- Anything else (rectification, restriction, objection, complaints, or any request you prefer to send by email): write to [email protected]. We respond within one calendar month, extendable to three months for complex requests with notice within the first month (UK GDPR Article 12(3)).
Right to lodge a complaint. You may complain to a supervisory authority. In the UK, the Information Commissioner’s Office (ICO) at ico.org.uk. EU/EEA residents may contact their local supervisory authority.
10. Cookies
We use only strictly necessary cookies for session management and authentication. We do not use analytics cookies, marketing cookies, or third-party tracking.
11. International users and supervisory authorities
DocuFlag is established in the United Kingdom and our home regulator is the Information Commissioner’s Office (ICO). The service is available to users worldwide. UK GDPR governs our processing in all cases; where local law in your country of residence gives you additional rights as a data subject, those rights also apply, and you can lodge any complaint with your local supervisory authority as well as the ICO.
Users in the EU/EEA. DocuFlag does not market or direct the service at the EU/EEA market: pricing is in USD only, the service is available only in English, the domain is generic (.com), and we do not run EU-targeted advertising. The modal user is a third-country national applying for a Schengen short-stay visa from outside the EU. We have not designated a representative under GDPR Article 27 on this basis, and will appoint one before beginning any active EU/EEA marketing or paid acquisition. EU/EEA residents who happen to use the service may contact [email protected] for any data-protection request and may also lodge a complaint with their local supervisory authority.
Users elsewhere. The data-protection commitments described in this policy apply to you. Where your local law gives you additional rights or requires additional disclosures, contact [email protected] and we will work with you in good faith.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our processing, in the law, or in our sub-processor relationships. We will notify you of material changes by email or in-app notification at least 30 days before they take effect. The “Last updated” date at the top of this page tells you which version is currently in force; previous versions are available on request from [email protected].
13. Contact
For privacy-related enquiries, data subject requests, or any questions about this policy, contact [email protected]. For general support, contact [email protected].