Privacy Policy

Effective date: 2026-03-23. This Privacy Policy explains how Docsift handles personal data when people visit the marketing site, request a demo, create or receive an account, or use the product.

For website and sales interactions, Docsift acts as the controller of the personal data it collects directly. For customer document data, account configuration, and workflow records processed on behalf of a customer organization, Docsift generally acts as a processor and the customer acts as the controller.

Docsift may process contact and account information such as name, work email address, role, company, authentication records, and support communications.

When the product is used, Docsift may also process uploaded files, email-ingested document data, attachments, extracted document fields, approval events, export history, audit logs, and configuration metadata required to operate the service.

• Website and sales contact details
• Account and invitation records
• Customer-submitted files and finance document metadata
• Usage, support, and security logs

Docsift processes data to provide the service, authenticate users, secure tenant access, store and retrieve customer records, operate exports and integrations, answer support requests, and maintain the reliability and security of the platform.

Where customers enable AI features, Docsift may process relevant document content through the customer-configured provider solely to perform extraction or related workflow tasks requested by that customer.

Docsift is designed so companies can keep AI disabled or configure their own provider credentials and budgets. That means the customer retains control over whether AI features run at all and which provider receives relevant document content for those requests.

Customer-directed integrations such as Google Sheets and NetSuite are used only when a customer configures them. Docsift processes data needed to complete the requested export or synchronization action.

Docsift retains personal data only for as long as necessary to provide the service, meet contractual and legal obligations, resolve disputes, and maintain security or audit records.

Operational queue artifacts such as succeeded or canceled processing jobs may be deleted according to product retention settings. Primary customer business records, attachments, exports, and audit logs are not removed by that maintenance process alone.

Docsift currently relies on essential technologies required for authentication, session continuity, security, and service delivery. If non-essential analytics or advertising technologies are introduced later, the product should be updated with appropriate notice and consent handling before those technologies are activated where required.

Docsift is designed around an EU-first deployment posture, while still supporting customers outside the EU. Where personal data is transferred internationally, Docsift expects to rely on lawful transfer mechanisms such as contractual safeguards where required.

Security measures are designed to include invite-only access, company-scoped permissions, private file storage, auditability, and protected operational routes. No security measure can guarantee absolute protection, but Docsift aims to apply controls that are proportionate to the sensitivity of finance workflows.

Individuals may have rights to request access, correction, deletion, restriction, portability, or objection depending on applicable law. Customer users should normally direct requests about customer-controlled data to their employer or contracting organization first, because that organization is usually the controller for service data.

Questions about this Privacy Policy can be sent to hello@docsift.com.