Privacy Policy

Version 2.1 · Effective April 20, 2026

1. Who We Are

This Privacy Policy describes how ZenDoc AI, a sole proprietorship registered in India, collects and processes personal data in connection with the ZenDoc AI platform ("the Service").

  • Data Controller: ZenDoc AI (Proprietorship)
  • Registered in: Bengaluru, Karnataka 560035, India. Full registered address is available on written request to grievance@zendocai.com and will be provided within 48 hours.
  • Udyam Registration: UDYAM-KR-03-0680620
  • GSTIN: 29EFFPS2290J1ZV
  • Grievance Officer / DPO contact: grievance@zendocai.com

2. Information We Collect

  • Account information: name and email address provided at sign-up; managed by our authentication provider Clerk Inc.
  • Usage data: document generation counts, feature usage, plan tier — for enforcing limits, billing, and quality monitoring.
  • Document prompts & content: the text and uploaded files you provide to generate, edit, or tool-process documents. This is sent to OpenAI for AI processing.
  • Payment information: when you purchase Pro, Razorpay collects your card or UPI details directly; we do not receive or store raw card numbers. We receive a transaction id, amount, currency, last-four digits, billing interval, and subscription status.
  • Device & network data: IP address (for anonymous rate-limiting and fraud prevention), user-agent, and country inferred from the Accept-Language header or the zd_country preference cookie.
  • Operational logs: request ids, HTTP status, and timing — retained for debugging and security for up to 30 days.

3. How We Use Your Information

  • To generate and edit documents based on your prompts
  • To manage your account and enforce usage limits
  • To process payments and honour subscription entitlements
  • To export documents as PDF or DOCX
  • To detect and prevent abuse, fraud, and violations of our Terms
  • To communicate service-related notices (billing, outages, policy changes) and — with your explicit opt-in only — product updates
  • To comply with legal and tax obligations (incl. GST)

4. Sub-processors & Third-Party Services

We rely on the following sub-processors to operate the Service. Each is contractually required to process data only for the purpose of providing their function.

Provider | Purpose | Processing location
Clerk Inc. | Authentication & user management | US / EU
OpenAI | AI generation, editing, summarisation, translation, chat | United States
Razorpay Software Pvt. Ltd. | Payment processing, recurring mandates, invoicing | India
Neon Inc. | Managed Postgres database (subscriptions, plans, payments metadata) | United States
Railway Corp. | Application hosting, logging, health monitoring | United States
Vercel (Analytics) | Aggregate, privacy-friendly web analytics (no personal identifiers) | United States

We do not sell or rent your personal data. We do not share it with third parties for marketing purposes.

5. Legal Bases for Processing

  • Contract: processing required to provide the Service you signed up for.
  • Legitimate interests: fraud prevention, rate-limiting, security, aggregate analytics, referral attribution (when enabled).
  • Legal obligation: tax, accounting, and statutory record-keeping.
  • Consent: non-essential product communications (you can withdraw at any time).

6. Data Storage & Retention

  • Generated documents are stored locally in your browser (localStorage). We do not permanently store your documents on our servers.
  • When you use AI features (generate, edit, summarise, translate, chat) or export (PDF/DOCX), document content is transmitted to our servers for processing and sent to OpenAI where applicable. By default, content is discarded after the request completes.
  • Quality & debugging logs: to diagnose bugs and AI-quality issues, we may temporarily store the prompts you submit, the documents you upload or edit, and the AI output we return to you. This content is held in our own database (Neon, United States), is accessible only to our engineering team, and is deleted when the related investigation is complete — typically within 30 days, and in any case within 15 days of a written request to grievance@zendocai.com. We do not use your prompts or documents to train any AI model. OpenAI, per their API policy, likewise does not train their models on API content submitted by us.
  • Account metadata, subscription records, and payment records are stored for the life of the account plus a statutory tax retention period (8 years in India for GST-related records).
  • Operational request logs are retained for up to 30 days for debugging and security monitoring.
  • Upon account deletion, non-statutory server-side metadata is removed within 30 days; we may retain payment records as required by tax law.

7. Cookies, Local Storage & Tracking

We use a small number of first-party cookies and browser storage keys. We do not use third-party advertising trackers or pixels.

  • Clerk session cookies: set by our authentication provider to keep you signed in. Essential for the Service.
  • zd_country: stores your detected or selected country to display prices in the right currency. Preference cookie.
  • zd_ref: only set when the referral program is active and you land via a ?ref= link. Used solely to attribute signups to the referrer. 30-day lifetime. The referral program is currently disabled; this cookie is not set.
  • UTM parameters: when you share a document, the share link is tagged with utm_source=share&utm_campaign=post_download so we can measure aggregate sharing activity. No personal identifiers are included.
  • localStorage: chat sessions, in-progress documents, and user interface preferences. Data never leaves your device unless you explicitly submit it.

8. International Data Transfers

  • Application hosting, AI processing, database, and web analytics are provided by US-based sub-processors (see Section 4). Your data is therefore transferred to the United States when you use these features.
  • Authentication (Clerk) may process data in the US or EU.
  • Payment processing (Razorpay) is provided from India.
  • By using the Service you consent to these transfers. Appropriate contractual safeguards (Standard Contractual Clauses or equivalent) are in place with each sub-processor.

9. Your Rights (GDPR, DPDP, CCPA)

Depending on where you live, you may have some or all of the following rights:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion (subject to legal retention).
  • Portability: export your documents (PDF/DOCX) and account metadata.
  • Object / restrict: opt out of certain processing activities.
  • Withdraw consent: where processing relies on consent.
  • CCPA (California): right to know categories of data collected, request deletion, and opt out of sale — we do not sell personal data.
  • DPDP (India): right to correction, erasure, and grievance redressal via our Grievance Officer.

To exercise any of these rights, email grievance@zendocai.com. We will respond within 15 days (DPDP) or 30 days (GDPR / CCPA).

10. Children's Privacy

  • The Service is not intended for users below the age of digital majority in their jurisdiction (13 in the US, 16 in many EU/EEA countries, 18 in India under DPDP).
  • We do not knowingly collect personal information from children. If we become aware that we have collected such data, we will delete it promptly.
  • Parents or guardians may contact us to request deletion.

11. Security Measures

  • All data in transit is encrypted via TLS/HTTPS
  • Authentication managed by Clerk with industry-standard security (MFA available)
  • API keys and sensitive credentials stored as environment variables and never exposed to clients
  • Error messages are sanitised — no internal system details surfaced to users
  • Regular dependency updates and security reviews
  • Incident response: affected users notified within 72 hours of confirmed data breach

12. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be notified via email or in-app notice before they take effect. The version number and effective date at the top of this page indicate the active version.

13. Grievance Officer

In accordance with the Information Technology Rules, 2021 and the Digital Personal Data Protection Act, 2023:

  • Name: Suneet S. (Proprietor, ZenDoc AI)
  • Email: grievance@zendocai.com
  • Postal address: Bengaluru, Karnataka 560035, India. Full address is provided on written request to the email above within 48 hours.
  • Acknowledgement: within 24 hours. Resolution: within 15 days.

For general support, please use the contact page.