Privacy Policy

Draft — pending counsel review. The current operational policy is stricter than what's published here; in any conflict, the stricter standard applies. Last updated: see the build state.

What we collect

DocuTrackr is a family document tracker. To do its job we collect:

  • Account data you provide: name, email, language preference, timezone, country, and (optionally) phone number.
  • Documents you choose to add: title, type, expiry date, country of issue, the document number itself, and any image uploads.
  • Family records: people you add to your family vault (name, date of birth, relationship, etc.).
  • Usage data: timestamps of meaningful actions (additions, edits, shares, decrypt-reveals) — kept in an audit log so the family organizer can see who did what when.
  • Subscription data: Stripe customer ID, tier, renewal status. We do not store card numbers — Stripe handles that.

We do not collect anything we don't need.

How we protect it

We don't store your document images, so the most sensitive part of your data simply isn't on our servers. What we do store — five extracted fields per document (name, type, issue date, expiry date, issuing country) — is non-identifying on its own.

Free-form fields like document notes are encrypted at rest with AES-256-GCM using a per-family 256-bit data key. The data key is currently wrapped by a static master key held in our deploy secrets; moving that master key to a hardware-backed KMS is on our security roadmap. Every document view, share-link creation, and admin action writes an entry to an append-only audit log that the family organizer can review.
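
The envelope scheme this paragraph describes (a per-family data key encrypting notes with AES-256-GCM, the data key itself wrapped by a master key kept outside the database) in working Go, as an added example that is not DocuTrackr's own code. Every name here (`FamilyVault`, `seal`, `open`, `Rewrap`) is hypothetical, and two choices are mine rather than stated on this page: the family ID is bound to the wrapped key and the document ID to each note as GCM additional authenticated data, so a ciphertext copied into another family's or document's record fails to decrypt; and `Rewrap` shows that moving the master key to a KMS, as the roadmap plans, only means re-sealing the small wrapped key, never re-encrypting stored notes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// aesGCM returns an AES-256-GCM AEAD; only 32-byte keys are accepted.
func aesGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("need a 32-byte AES-256 key, got %d bytes", len(key))
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce (prepended); aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := aesGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := aesGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// FamilyVault is the persisted shape (hypothetical): wrapped data key plus sealed notes by document ID.
type FamilyVault struct {
	FamilyID   string
	WrappedKey []byte
	Notes      map[string][]byte
}

// NewFamilyVault makes a random 256-bit data key and wraps it under the master key, family ID as AAD.
func NewFamilyVault(masterKey []byte, familyID string) (*FamilyVault, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	wrapped, err := seal(masterKey, dataKey, []byte(familyID))
	if err != nil {
		return nil, err
	}
	return &FamilyVault{FamilyID: familyID, WrappedKey: wrapped, Notes: map[string][]byte{}}, nil
}

// PutNote encrypts a free-form note under the data key, binding the document ID as AAD.
// The plaintext data key exists only for the duration of this call.
func (v *FamilyVault) PutNote(masterKey []byte, docID, note string) error {
	dataKey, err := open(masterKey, v.WrappedKey, []byte(v.FamilyID))
	if err != nil {
		return err
	}
	ct, err := seal(dataKey, []byte(note), []byte(docID))
	if err == nil {
		v.Notes[docID] = ct
	}
	return err
}

// GetNote decrypts a note; a wrong master key, a tampered ciphertext, or a note moved under another ID fails.
func (v *FamilyVault) GetNote(masterKey []byte, docID string) (string, error) {
	dataKey, err := open(masterKey, v.WrappedKey, []byte(v.FamilyID))
	if err != nil {
		return "", err
	}
	pt, err := open(dataKey, v.Notes[docID], []byte(docID))
	return string(pt), err
}

// Rewrap moves the data key under a new master key (e.g. a KMS-held one) without touching any note.
func (v *FamilyVault) Rewrap(oldMaster, newMaster []byte) error {
	dataKey, err := open(oldMaster, v.WrappedKey, []byte(v.FamilyID))
	if err != nil {
		return err
	}
	wrapped, err := seal(newMaster, dataKey, []byte(v.FamilyID))
	if err == nil {
		v.WrappedKey = wrapped
	}
	return err
}
```

The master key is whatever the deploy secret or KMS hands back; nothing in the vault record lets anyone recover it, and the data key never leaves process memory. Because every note is sealed with a fresh nonce and its document ID as AAD, an audit of the stored rows can confirm integrity without decrypting them, and a master-key rotation is a single `Rewrap` per family rather than a bulk re-encryption.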

See the Security page for the full architecture.

How we use it

  • To run the service: store your documents, send you renewal reminders, share documents with people you choose.
  • To bill you (only if you upgrade) — handled by Stripe.
  • To send transactional emails (welcome, security alerts, payment receipts) — handled by Loops.
  • To send WhatsApp magic-link family invites you initiate — handled by Twilio.
  • To diagnose problems — minimal server logs, retained ≤30 days, no payload contents.

We do NOT sell your data. We do NOT use your documents to train AI models. The Anthropic Claude API powers OCR + renewal-playbook maintenance, but document content sent to it is per-request and not retained for training.

Who we share it with

  • People you choose: family members you invite, recipients of share links you create. Each share link is audit-logged and revocable by the family organizer.
  • Service providers under contract: Convex (data store), AWS (encryption keys), Stripe (billing), Loops (email), Twilio (WhatsApp), Anthropic (OCR/AI). Each has its own privacy and security commitments, summarized on our Security page.
  • Law enforcement: only when compelled by valid legal process. We will challenge overbroad requests and notify you unless legally prohibited.

How long we keep it

  • Active accounts: as long as you maintain one.
  • Soft-deleted accounts: 30 days, after which all data is permanently destroyed by an automated cron job. You can cancel deletion any time before that.
  • Soft-deleted documents: 30 days, then permanently destroyed. Same trash-recovery model.
  • Audit logs: retained while the family exists, destroyed with the account.
  • Backups: 30-day rolling window; restored data inherits the deletion timestamps above.

Your rights

You can do the following from your account at any time:

  • View every document, person, and audit entry tied to you.
  • Export your data (JSON download).
  • Delete any document, person, or your entire account. Deletion is reversible for 30 days.
  • Update your contact info, preferences, and unlock factors.
  • Revoke any share link you've created.

Under GDPR, CCPA, PDPL, and similar data-protection laws, you also have the right to request a copy of your data, ask us to correct inaccuracies, and object to specific processing. Email committed1@gmail.com for any of these.

Children

DocuTrackr is for adults managing family documents. Children's documents may be stored by an adult in their family vault. We do not knowingly create accounts for users under 16.

Changes to this policy

When we make a material change to how we handle data, we will email account holders at least 14 days before it takes effect and post a notice on this page. The previous version stays accessible in our changelog.

Contact

Questions? Concerns? Just reply to any email we send, or write to committed1@gmail.com.