Privacy Policy

Last updated June 13, 2026

01 — Who we are

hotdoc (hotdoc.io) is a product of BRIGHTSOFT, S.L. ("hotdoc," "we," "us"). We are the data controller for the processing described here.

Data controller: BRIGHTSOFT, S.L.
NIF B16412264
Rambla Guipúscoa 185, Block 1, Floor 1, Door 2, 08020 Barcelona, Spain
Email: hello@hotdoc.io

02 — Scope

This policy covers our website (hotdoc.io) and our service — the document-processing API and web application (app.hotdoc.io). It explains what limited personal data we process and why. We are built around data minimization: we collect and retain as little personal data as possible.

03 — What we process and why

  • Website visitors. When you visit the site, our servers automatically record technical data — IP address, browser and OS type, pages visited, date/time, and referrer. We use this only to keep the site operational and secure. Legal basis: our legitimate interest (Art. 6(1)(f) GDPR). The site has no signup, subscription, or contact forms.
  • Account & authentication. To use the service you create an account; we process your email and authentication data through our authentication provider (Supabase). Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
  • Billing. Subscription payments are handled by our payment processor (Stripe). Stripe collects the payment details directly; we do not receive or store your full card data. Legal basis: performance of a contract and our legal obligations (Art. 6(1)(b), (c) GDPR).
  • Documents and API keys you submit to the service. Files you send for processing, and any provider API key you connect (BYOK), are processed at runtime only. Any intermediate data is encrypted and kept solely for the duration of the processing session, then deleted; documents are not retained after processing and BYOK keys are never stored on our side. To perform extraction and OCR, document content is sent to the AI/OCR provider you select and connect with your own key; that provider processes it under its own terms. Where the documents you submit contain personal data, you are the controller and we act as your processor under a Data Processing Agreement (DPA).

04 — Cookies

We use only strictly necessary cookies required for the site and service to function. We do not use advertising or third-party analytics cookies that would require consent. Details: Cookies & Consent.

05 — Retention

We keep almost nothing. Technical server logs are retained for no more than 90 days. Account data is kept while your account is active; billing records are kept as long as required by applicable tax and accounting law. Documents and keys are deleted after processing as described above.

06 — Who we share data with

We do not sell your personal data and do not share it for advertising. We rely on a small set of service providers (processors) who act on our instructions, such as our payment processor (Stripe), our authentication provider (Supabase), and cloud hosting/infrastructure providers. In addition, when you use the service, document content is sent to the AI/OCR provider you choose and connect via your own key (BYOK). Each provider we engage is bound by a data processing agreement. We may also disclose data where required by law.

07 — International transfers

Our service is global and your data may be processed on infrastructure located within or outside the European Economic Area (EEA). Where data is transferred outside the EEA, we rely on appropriate safeguards — such as the European Commission's Standard Contractual Clauses — or on an applicable derogation under Art. 49 GDPR. You can request information about these safeguards at hello@hotdoc.io.

08 — Security

We use TLS in transit, encryption at rest, API-key-based access, and session-only handling of sensitive material. Because we retain so little, the data exposed in any incident is minimal by design.

09 — Your rights

Subject to applicable law, you may request access, correction, erasure, restriction or portability of your data, and object to processing. To exercise any right, email hello@hotdoc.io; we respond within 30 days.

  • EEA/UK: rights under the GDPR/UK GDPR, including the right to lodge a complaint with your local supervisory authority or with the Spanish Agencia Española de Protección de Datos (www.aepd.es).
  • California (US): we do not sell or share personal information; you may request access or deletion and will not be discriminated against for exercising your rights.
  • Other regions: we honor equivalent data rights where applicable law grants them.

10 — Children

The service is intended for businesses and is not directed to children under 16. We do not knowingly collect data from children.

11 — Automated decisions

We do not make decisions producing legal or similarly significant effects about you based solely on automated processing.

12 — Changes

We may update this policy. The current version is always available at hotdoc.io/privacy; the last-updated date is shown at the top.

13 — Contact

Questions about this policy: hello@hotdoc.io.