Pending counsel review: placeholder language, not yet finalized. These documents will be updated to counsel-drafted text before our first paid customer signs.

Privacy Policy

This Privacy Policy describes how Document Blueprint ("we", "us", "our") collects, uses, shares, and protects information about you when you use our service. We respect your privacy and are committed to handling your data carefully and transparently.

1. Information we collect

1.1 Account information

When you create an account we collect: your email address, your display name (if provided), and your authentication identifier from Google (when you sign in with Google). If you sign up for a paid plan, Stripe collects your payment information directly — we never see or store your payment-card details.

1.2 Content you upload

The service is a document-automation platform. You upload documents (PDFs and other file types), define templates, and create cases. The content you upload — including any personal data contained within those documents — is processed and stored to provide the service.

1.3 Sensitive data

The service supports storing sensitive personal data — Social Security Numbers, dates of birth, financial account numbers, tax identifiers, driver's license numbers, passport numbers, payment card numbers, medical record numbers, patient identifiers, and similar data — under enhanced encryption controls described in Section 5 below.

You are responsible for ensuring that you have legal grounds to process any personal data you upload, including data of third parties (your customers, employees, clients, patients).

1.4 Integration data

When you connect your Gmail account, we request gmail.readonly and gmail.modify OAuth scopes. We use these to read incoming messages matching your automation rules and to compose draft emails on your behalf.

Each automation you configure offers four optional capture choices: Sender, Subject, Body, and Files (attachments). By default, Sender, Subject, and Files are captured; Body capture is OFF by default and you must explicitly enable it per automation if you want the email body stored. When Body capture is enabled, the body of matching messages is stored on the corresponding case until you delete the case. When Body capture is disabled, the email body is never written to our database. Disable Body capture (or delete the case) at any time to remove this data.

When you connect your Google Drive account, we request drive.readonly and drive.file OAuth scopes. We use these to read files you have configured for ingestion and to save files we generate.

We never send emails directly. The service composes Gmail drafts in your account; you review and dispatch every email yourself.

1.5 Usage and technical data

We collect technical data automatically when you use the service: IP address, browser type and version, device characteristics, the pages you visit, and timestamps. We use this for security, performance monitoring, and product analytics. See Section 6 for cookie details.

2. How we use your information

We use the information we collect to:

Provide, maintain, and improve the service.
Process documents you upload, run AI extraction on them, fill your templates, and generate outputs.
Authenticate you, secure your account, and prevent abuse.
Communicate with you about the service (account notices, security alerts, billing receipts, important updates).
Comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information. We do not use your content for advertising. We do not use your content to train any AI model — see Section 3.

3. AI processing

The service uses Google's Gemini API to extract structured data from your documents and to fill template fields. Specifically:

What is sent. When you trigger autofill, document extraction, or AI-assisted features, the relevant document content (PDF text, image data, prompts containing case data) is transmitted to Google's Gemini API.
Retention by Google. Per Google's published Gemini API terms, prompts and responses sent to the Gemini API are not retained beyond the request lifecycle and are not used for model training.
Deterministic mode. We use Gemini in a structured-output mode — the model fills constrained fields you have defined, not open-ended generation. Output is bounded by your template configuration. We do not share your content with any other AI provider.

We share your information only as described below:

Service providers. We share information with vendors that process data on our behalf to provide the service: Google (Firebase hosting, Authentication, Firestore database, Cloud Storage, KMS, Gemini API), Stripe (payments), SendGrid (transactional email), Vercel (CDN and edge compute). These providers are bound by data-processing terms aligned with applicable law.
Compliance and legal process. We may share information when required to comply with valid legal process, prevent fraud or abuse, or protect the rights, property, or safety of users, the public, or us.
Business transfers. If we are acquired or merge with another entity, your information may be transferred as part of that transaction. We will notify you and provide choices where required by law.
With your consent. We share information with third parties when you direct us to (e.g., when you grant a collaborator access to a case via the portal).

We do not sell your personal information. We do not share your information for cross-context behavioral advertising.

5. Data security

Security controls in place today:

Encryption in transit. All connections to the service use TLS 1.2 or higher.
Encryption at rest for sensitive data. Sensitive field values (SSN, DOB, financial, medical, etc.) and any documents containing them are encrypted at rest using AES-256-GCM via Google Cloud Key Management Service. Each tenant has its own KMS key. Decryption requires server-side authorization keyed to a "Manage Sensitive Data" capability assigned by your organization administrator.
Auto-detection. The service automatically detects common sensitive-data patterns and routes them through the encrypted storage path. Your administrator can override the auto-detect rules.
Audit log. Every read, write, and decryption of sensitive data is logged with timestamp, actor, IP address, user agent, and field keys involved. We retain these audit records for seven years.
Access control. Account access is enforced by Firebase Auth session cookies. Server actions and API routes verify authorization on every request. Multi-tenancy is path-isolated.

No system is perfectly secure. If we discover a breach affecting your data, we will notify you and any required regulator within the timeframe required by applicable law.

6. Cookies and tracking

We use a limited set of first-party cookies:

Necessary cookies — __session (authentication), _legal_consent (your cookie-banner choice). These are always set; you cannot opt out without losing access to the service.
Analytics cookies — _ga and _ga_* (Google Analytics 4 via Google Tag Manager). Set only if you accept analytics in the cookie banner.
Experiment cookies — x_* (A/B variant assignments for marketing pages). Set only if you accept experiments in the cookie banner.

We do not use third-party advertising cookies and we do not share cookie data with ad networks. See our Cookie Policy for full details, including how to change your preferences.

7. Data retention

Account data is retained as long as your account is active. After deletion, account data is removed within 30 days, except where retention is required for legal, accounting, or fraud-prevention reasons.
Cases and documents are retained as long as you keep them. You can delete cases at any time from the dashboard. Deletion removes data within 30 days, except as noted above.
Audit logs for sensitive-data access are retained for seven years.
Billing records are retained for at least seven years to comply with tax and accounting obligations.

For the full retention schedule — covering authentication tokens, AI processing, operational logs, email logs, backups, and manual vs automated enforcement — see our data retention policy.

8. Data residency

Your data is stored in Google Cloud Firebase, US-Central region (Iowa, USA). We do not currently offer EU data residency. Customers subject to EU data localization requirements should contact us before onboarding.

Depending on your jurisdiction, you may have rights to:

Access the personal information we hold about you.
Correction of inaccurate personal information.
Deletion of your personal information (subject to legal retention obligations).
Portability of your personal information in a machine-readable format.
Object to or restrict certain processing.
Withdraw consent for processing based on consent.
Lodge a complaint with your data protection authority.

To exercise these rights, email privacy@documentblueprint.com. We will respond within 30 days (or 45 days for CCPA requests). For the full process — including what info to include, our identity verification steps, response timelines, and how to appeal — see our Data Subject Rights process.

We do not sell personal information. California residents have the right to opt out of the "sale" or "sharing" of personal information; we honor Global Privacy Control (GPC) signals automatically.

10. Restricted data and regulated industries

See Section 4 of our Terms of Service for the full list of restricted-data categories. In short:

Protected Health Information (PHI) under HIPAA. Requires a Business Associate Agreement before upload. Contact legal@documentblueprint.com.
PCI cardholder data. Prohibited; we are not PCI-DSS certified.
Classified, ITAR-controlled, EAR-controlled, FedRAMP-restricted. Prohibited.
Attorney-client privileged. Allowed under existing controls; configure visibility carefully.

11. Children

The service is not directed at children under 13 (or under 16 in the EU/UK). We do not knowingly collect personal information from anyone in those age groups. If you believe a child has provided us with personal information, contact privacy@documentblueprint.com and we will delete it.

12. International data transfers

If you are located outside the United States and use the service, your information will be transferred to and processed in the United States. By using the service you consent to this transfer. We rely on Standard Contractual Clauses or other valid transfer mechanisms where required.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we make changes that materially affect your rights or our processing of your personal information, we will require you to re-accept the updated policy before continuing to use the service.

14. Contact

For privacy inquiries or to exercise your rights: privacy@documentblueprint.com For legal notices: legal@documentblueprint.com