Privacy Policy

1. Introduction

MINELVA ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered business document generation platform ("Service"). Please note: Doxsia is a subsidiary of MINELVA, the parent company offering doxsia.

This policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws. By using the Service, you consent to the data practices described in this policy.

2. Information We Collect

2.1 Information You Provide

Account Information:

• Name and email address
• Password (encrypted using industry-standard bcrypt hashing)
• Language preference (English, German, French, Spanish)
• Company information (optional)
• Professional title or role (optional)

Document Generation Data:

• Project descriptions and requirements you provide
• Document type selections (proposals, contracts, quotes)
• Custom inputs for document customization
• Document templates and preferences
• Generated document metadata (creation date, document type, status)

Payment Information:

• Payment information is processed securely by Paddle (our payment processor)
• We do not store your credit card details on our servers
• We receive transaction confirmations and subscription status from Paddle
• Billing history and invoice records

2.2 Automatically Collected Information

Usage Data:

• Number of documents generated
• Document types created
• Feature usage statistics
• Session duration and interaction patterns
• Export format preferences (PDF, Word)
• Login timestamps and frequency

Technical Data:

• IP address and approximate geographic location
• Browser type, version, and language settings
• Device information (type, operating system, screen resolution)
• Referring URLs and navigation paths
• Performance metrics and error logs

Cookies and Tracking Technologies:

• Essential session cookies (required for functionality)
• Authentication and security tokens
• User preference cookies (language, theme, interface settings)
• Analytics cookies (optional, requires your consent)

3. How We Use Your Information

3.1 Service Provision

• Generate business documents using AI technology based on your inputs
• Store generated documents temporarily in our database for your access
• Provide document preview, editing, and export functionality
• Analyze and improve AI model performance and accuracy
• Deliver requested document formats (PDF, Word)

3.2 Account Management

• Create and maintain your user account
• Authenticate your identity and secure your sessions
• Manage subscription plans and billing
• Send service-related notifications and updates
• Provide customer support and respond to inquiries
• Enable password resets and account recovery

3.3 Service Improvement

• Analyze usage patterns to enhance features and user experience
• Monitor system performance, reliability, and security
• Detect and prevent fraud, abuse, and unauthorized access
• Improve AI model accuracy and response quality
• Develop new features and document types
• Conduct internal research and development

3.4 Communication

• Send transactional emails (document generation confirmations, password resets, billing updates)
• Notify you of service changes, new features, or maintenance
• Send marketing communications (with your explicit consent, unsubscribe option always available)
• Respond to your support requests and feedback
• Conduct user surveys to improve our Service

3.5 Legal Compliance

• Comply with applicable laws and regulations
• Enforce our Terms of Service and other agreements
• Protect our rights, property, and safety
• Respond to lawful requests from authorities
• Resolve disputes and prevent illegal activities

4. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide the Service you've subscribed to, including document generation and account management
• Consent: Where you've given explicit consent (e.g., marketing emails, optional analytics cookies)
• Legitimate Interests: For service improvement, fraud prevention, system security, and business analytics
• Legal Obligation: To comply with applicable laws, regulations, and lawful requests from authorities

You may withdraw consent at any time through your account settings without affecting the lawfulness of processing based on consent before withdrawal.

5. How We Share Your Information

5.1 Third-Party Service Providers

We share data only with trusted third parties who help us provide and improve the Service:

5.2 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information, generated documents, or usage data to third parties for their marketing purposes. Your business information remains confidential.

5.3 Legal Requirements and Protection

We may disclose your information when required by law, court order, or government request, or when necessary to:

• Comply with legal processes and obligations
• Enforce our Terms of Service and policies
• Protect our rights, property, and safety
• Protect the rights and safety of our users and the public
• Detect, prevent, or address fraud, security, or technical issues

5.4 Business Transfers

If we are involved in a merger, acquisition, bankruptcy, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

6. Data Security

We implement comprehensive security measures to protect your data:

6.1 Technical Safeguards

• Encryption: All data transmitted using HTTPS/TLS 1.3 encryption
• Database Security: Encrypted data storage with access controls
• Password Protection: Passwords hashed using bcrypt with individual salts
• Two-Factor Authentication: Optional 2FA for enhanced account security
• Session Management: Secure session tokens with automatic expiration
• API Security: Rate limiting and authentication for all API endpoints

6.2 Organizational Safeguards

• Limited employee access to personal data on a need-to-know basis
• Regular security audits and vulnerability assessments
• Incident response and breach notification procedures
• Employee training on data protection and security best practices
• Third-party security certifications and compliance audits
• Continuous monitoring for suspicious activities

6.3 Data Breach Notification

In the unlikely event of a data breach affecting your personal information, we will:

• Notify affected users within 72 hours as required by GDPR
• Provide details about the nature and scope of the breach
• Inform you of steps taken to address the breach
• Offer guidance on protecting your account and information
• Report the breach to relevant supervisory authorities where required

7. Data Retention and Deletion

7.1 Active Accounts

We retain your account information and document generation history for as long as your account remains active and you continue to use the Service.

7.2 Generated Documents

• Document Storage: Generated documents are stored in our database for your convenience and access
• Document Deletion: You can delete individual documents at any time from your dashboard
• Deleted Documents: Permanently removed from our database within 30 days of deletion
• Backup Retention: Deleted documents may remain in encrypted backups for up to 90 days before permanent deletion

7.3 Account Closure

When you close your account or we terminate your access, we will:

• Delete your generated documents from active databases within 30 days
• Anonymize your account data (name, email replaced with generic identifiers)
• Retain anonymized usage statistics for service improvement and analytics
• Retain billing records and transaction history as required by law (typically 7 years for tax and accounting purposes)
• Remove your data from marketing lists and communications

7.4 Legal and Compliance Requirements

We may retain certain data longer if required by law, for tax and accounting purposes, to resolve disputes, enforce our agreements, or protect our legal rights.

8. Your Privacy Rights

8.1 Rights Under GDPR (EU Residents)

If you are located in the European Economic Area (EEA), you have the following rights:

• Right to Access: You can request a copy of all personal data we hold about you. Access your data through account settings or contact us for a complete export in machine-readable format.
• Right to Rectification: You can update your account information and correct inaccuracies at any time through your account settings.
• Right to Erasure ("Right to be Forgotten"): You can request deletion of your personal data by closing your account or contacting us directly. We will delete your data within 30 days, except where retention is required by law.
• Right to Data Portability: You can export your document generation history and account data in common formats (CSV, JSON) through your account settings.
• Right to Restrict Processing: You can request that we limit how we use your data while we investigate a complaint or dispute.
• Right to Object: You can object to processing based on legitimate interests. You can opt out of marketing communications at any time.
• Right to Withdraw Consent: Where processing is based on consent, you can withdraw consent at any time through your account settings without affecting prior processing.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

8.2 Rights Under CCPA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

• Right to Know: Request disclosure of personal information collected, used, disclosed, or sold in the past 12 months.
• Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions.
• Right to Opt-Out: We do not sell personal information. If this changes, we will update this policy and provide an opt-out mechanism.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

8.3 Exercising Your Rights

9. International Data Transfers

9.1 Data Processing Locations

Your data may be transferred to and processed in countries outside your country of residence, including the United States and other locations where our service providers operate.

9.2 Safeguards for International Transfers

We ensure adequate protection for international data transfers through:

• Standard Contractual Clauses (SCCs): EU-approved contractual terms with service providers
• Privacy Shield Frameworks: Where applicable and available
• Adequacy Decisions: Transfers to countries deemed adequate by the European Commission
• Additional Safeguards: Technical and organizational measures to protect your data

9.3 Your Rights Regarding International Transfers

You have the right to obtain information about the safeguards we use for international transfers. Contact us for details about specific transfer mechanisms.

10. Cookies and Tracking Technologies

10.1 Essential Cookies (Always Active)

Required for the Service to function properly:

• Session Cookies: Maintain your logged-in state during your visit
• Authentication Tokens: Verify your identity and protect against unauthorized access
• Security Cookies: CSRF protection and security features
• Preference Cookies: Remember your language, theme, and interface settings

10.2 Analytics Cookies (Optional - Requires Consent)

Used to understand how you use the Service and improve user experience:

• Usage Analytics: Track feature usage, navigation patterns, and user interactions
• Performance Monitoring: Measure page load times and identify technical issues
• A/B Testing: Test new features and improvements with user segments

10.3 Managing Cookies

Browser Settings: You can control cookies through your browser settings. Note that disabling essential cookies may affect Service functionality.

Account Settings: Manage optional analytics cookies in your account preferences under "Privacy & Cookies."

Do Not Track: We respect Do Not Track (DNT) signals where technically feasible.

10.4 Cookie Duration

• Session Cookies: Expire when you close your browser
• Persistent Cookies: Remain for a defined period (typically 30-365 days) or until you delete them

11. Children's Privacy

The Service is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children under 16.

If you are a parent or guardian and believe we have collected information from a child under 16, please contact us immediately at privacy@doxsia.com. We will promptly delete such information.

12. AI and Automated Processing

12.1 AI-Powered Document Generation

Our Service uses artificial intelligence and large language models to generate business documents based on your inputs. This processing is:

• Automated: AI models process your inputs and generate documents without human intervention
• Customizable: You provide specific requirements and preferences for each document
• Reviewable: You can preview, edit, and approve all generated content before export

12.2 Your Control Over AI Processing

You have complete control over:

• The inputs and instructions you provide to the AI
• Whether to use generated content or discard it
• Editing and customizing all AI-generated content
• Deciding which documents to export and use

12.3 No Automated Decision-Making

We do not use automated processing or AI to make decisions that significantly affect you (such as creditworthiness, employment, or legal rights) without human oversight.

13. Third-Party Links and Services

Our Service may contain links to third-party websites, integrations, or services. This Privacy Policy does not apply to those external sites or services.

We are not responsible for the privacy practices or content of third parties. We encourage you to review the privacy policies of any third-party services you access.

14. Changes to This Privacy Policy

14.1 Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

14.2 Notification of Changes

We will notify you of material changes by:

• Email notification to your registered email address
• Prominent notice on the Service homepage or dashboard
• In-app notification upon login
• Updating the "Last Updated" date at the top of this policy

14.3 Review and Acceptance

We encourage you to review this Privacy Policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy. If you do not agree with changes, you may close your account.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:

16. Additional Information for Specific Regions

16.1 European Economic Area (EEA)

Our legal basis for processing, your rights, and international transfer safeguards are detailed in Sections 4, 8, and 9 of this policy.

Data Controller: Doxsia is the data controller for your personal information.

16.2 California

Additional rights for California residents are detailed in Section 8.2 of this policy.

Shine the Light Law: California residents may request information about sharing personal information with third parties for their marketing purposes. We do not share such information.

16.3 Other Jurisdictions

We comply with applicable data protection laws in all jurisdictions where we operate. If you have specific questions about compliance in your region, please contact us.

Legal Compliance Statement

This Privacy Policy is compliant with:

• General Data Protection Regulation (GDPR)
• California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
• UK Data Protection Act 2018
• Other applicable international data protection regulations

By using Doxsia, you acknowledge that you have read, understood, and agree to this Privacy Policy.