# Privacy Policy
Last updated: May 2026 — version privacy-2026-05-22
## Summary
paperwork is document AI for financial institutions, accountants and regulated entities in the UAE. We process documents (bank statements, Emirates ID, passports, invoices and similar) on behalf of our business customers. This policy explains what personal data we collect, how we use it, who else processes it on our behalf, and what rights you have. We operate under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, the “PDPL”) and apply equivalent standards for users in other jurisdictions.
## Data Controller
For data submitted through paperwork.to and our marketing channels, the data controller is:
- paperwork
- Dubai, United Arab Emirates
- Contact: info@paperwork.to
For documents uploaded by end-users of our customers (for example, bank applicants going through KYC), our customer is the controller and paperwork acts as a processor on their behalf under a written data processing agreement.
## Data We Collect
### Account data
- Name, work email, company name, job title
- Billing details processed by Stripe (we never see full card numbers)
- API keys, usage logs, dashboard activity
### Document data (what you upload)
- The documents themselves (PDFs, scans, photos)
- Fields extracted by our OCR and AI models (names, IDs, amounts, dates)
- Fraud-detection signals produced by our engines (forensic flags, MRZ checks)
- Processing metadata (timestamps, file size, file type, job id)
### Technical data (collected automatically)
- IP address, user-agent, device type, language preference
- Pages visited, referrer, session duration (analytics, only with consent)
- Error logs and performance metrics
### Consent records
When you tick a consent box on a form or cookie banner, we record what you agreed to, the version of this policy at the time, your IP address, user-agent and the URL you were on. We keep this as proof that consent was freely given and informed.
## Lawful Basis for Processing
Under PDPL Article 5 and equivalent provisions in other laws:
- Contract. Processing your account data and the documents you submit is necessary to provide the service you signed up for.
- Consent. Analytics cookies, marketing emails and any sensitive personal data we ever process (rare, mostly identity-document fields) run on your explicit consent, which you can withdraw any time.
- Legitimate interest. Security monitoring, abuse prevention and aggregate product improvement rely on legitimate interest, balanced against your privacy rights.
- Legal obligation. Invoices, tax records and responses to lawful regulator requests are kept to meet UAE legal duties.
## How We Use Your Data
- Run OCR, parsing, KYC and fraud-detection on the documents you upload
- Provide API access, dashboards, and customer support
- Send service notifications, invoices and security alerts
- Detect, investigate and prevent fraud and abuse on our platform
- Comply with PDPL, AML/CFT and other applicable UAE regulations
- Improve the product (only on aggregate, non-identifying analytics)
## AI Processing
Some features in our service use AI models to extract and analyse data from your documents. Depending on the feature, these models run on our own infrastructure or, for the enumerated set of features listed below, your document data is forwarded to a third-party AI provider for processing.
Features that may forward data to third-party AI services:
- Bank Statement Analysis
- Invoice Processing
- Emirates ID and Passport Verification (OCR step)
- Document Fraud Detection (visual analysis step)
- Document Recognition / classification
Features that do not forward to third-party AI services:
- NFC chip reading (on-device)
- MICR cheque scanning (on-device)
- Deterministic fraud-detection engines (run on paperwork servers)
- On-premise deployments (run entirely inside your environment, nothing leaves)
How we protect your data during AI processing:
- Encrypted in transit (TLS 1.3) and at rest (AES-256)
- Documents are processed in isolated environments
- Your documents are not used to train any AI model
- Processed documents are deleted automatically within 30 days
- No human access to your documents without explicit consent
- AI providers are contractually bound to equivalent or stronger protections
## Automated Decision-Making
Our fraud-detection engines (forensic analysis, MRZ check digit verification, metadata inspection, semantic validation) score each document and return a verdict such as clean, suspicious or fraudulent with the evidence behind it. These verdicts are produced without human intervention.
Under PDPL Article 12 and similar provisions, when an automated decision has a significant effect on you, you have the right to request human review of the decision and to contest it. If a fraud-detection result affects your application with one of our customers (for example, a bank declining account opening on the basis of a paperwork flag), please contact the customer first, then info@paperwork.to if you need our records to assist the review.
## Sub-processors
paperwork uses the following service providers to deliver the product. Each is bound by a data processing agreement and processes data only on our documented instructions.
| Provider | Purpose | Location |
|---|---|---|
| Supabase Inc. | Application database, authentication, file storage | US / EU |
| Vercel Inc. | Website and dashboard hosting, web analytics | US / EU |
| Railway Corp. | Backend API hosting and document processing workers | US |
| Google Cloud (Vision API) | OCR for selected document types | EU (primary) / US |
| Stripe, Inc. | Subscription billing and payment processing | US |
| Google Ireland Limited | Google Analytics 4 (analytics, only after consent) | Ireland |
| YANDEX LLC | Yandex Metrika (analytics, only after consent) | Netherlands |
| Anthropic / OpenAI / Google Vertex AI | LLM reasoning for selected document analysis tasks | US / EU |
We do not sell personal data. We do not share with advertisers. We disclose data to authorities only when legally required.
## Cross-Border Transfers
Document processing happens in UAE data centres by default. Some operational data (analytics, error logs, support tickets, payment metadata) is processed by sub-processors outside the UAE — primarily the EU and the US. For these transfers we rely on the PDPL Article 22 adequacy mechanism, standard contractual clauses, or your explicit consent, as applicable. Customers on the on-premise licence keep all document data inside their own environment with no transfer outside their jurisdiction.
## Cookies
We use a small number of essential cookies for authentication and consent, and (only with your permission) analytics cookies for measurement. We do not run advertising trackers. The full list of cookies, providers and durations is on our cookie policy. You can change or withdraw your choice any time from that page.
## Data Retention
- Uploaded documents: 30 days after processing, then auto-deleted
- Extracted structured data: lifetime of the account + 1 year
- Account data: lifetime of the account + 1 year
- Invoices and tax records: 7 years (UAE tax law)
- Consent records: 5 years from withdrawal, as proof of lawful basis
- Server logs: 90 days
- Analytics events: 13 months (Google Analytics default)
## Your Rights
Under PDPL and equivalent laws, you can:
- Access — request a copy of the personal data we hold about you
- Correct — fix data that is inaccurate or incomplete
- Delete — request erasure of your personal data
- Restrict or object — limit or stop specific processing activities
- Withdraw consent — for processing based on consent, withdrawable any time
- Port — receive your data in a structured, machine-readable format
- Human review — challenge automated decisions that materially affect you
- Complain — to the UAE Data Office or your local data-protection authority
To exercise any of these, email info@paperwork.to. We respond within 14 days of a verified request, and at the latest within 30 days for complex cases.
## Security
- SOC 2 Type II compliant infrastructure
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Role-based access control with least privilege on internal systems
- Regular penetration testing and dependency vulnerability scanning
- 24/7 monitoring with on-call incident response
- Documented incident-response runbook; breach notification within 72 hours
## Data Breach Notification
Under PDPL Article 9, if a security incident threatens your privacy we notify the UAE Data Office without undue delay. Affected users are notified within 72 hours of confirmation, with details on what happened, what data was involved, what we are doing to contain it, and what you can do to protect yourself.
## Children's Data
paperwork is a B2B service intended for users aged 18 and over. We do not knowingly collect personal data from children. If you believe a child's data has reached us, email info@paperwork.to and we will delete it promptly.
## Changes to This Policy
We update this policy as the service evolves and as the law changes. Material changes are announced by email to registered customers at least 30 days before they take effect. The version and effective date at the top of this page always reflect the live policy.
## Contact
Email: info@paperwork.to
Postal: paperwork, Dubai, United Arab Emirates