Privacy Policy

Last updated: March 2026

Overview

Paperwork processes documents for financial institutions in the UAE. This policy explains what data we collect and how we handle it. We comply with UAE Federal Decree-Law No. 45 of 2021 (PDPL).

Data We Collect

Account data:

  • Name, email, company name
  • Payment details (via Stripe)
  • API keys and usage logs

Document data:

  • Documents you upload for processing
  • Extracted data from those documents
  • Processing metadata (timestamps, file types)

How We Use Data

  • Process documents via our AI models
  • Provide API access and dashboard
  • Send service updates and invoices
  • Detect and prevent fraud
  • Comply with UAE regulations

AI Processing

Some features in our app and API use third-party AI services to extract and analyze data from your documents. When you use these features, your uploaded documents are sent to PaperWork's secure servers, where they are forwarded to third-party AI service providers for processing.

Features that use third-party AI services:

  • Bank Statement Analysis
  • Emirates ID Verification
  • Document Recognition
  • KYC Verification (document data extraction step)

Features that do NOT send data to third-party AI services:

  • NFC Document Reader (on-device processing)
  • MICR Cheque Scanner (on-device processing)
  • Domain Checker (PaperWork servers only)

How we protect your data during AI processing:

  • Encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Documents are processed in isolated environments
  • Your documents are not used to train any AI models
  • Processed documents are automatically deleted within 30 days
  • No human access to your documents without your explicit consent
  • Third-party AI providers are contractually bound to the same or equal data protection standards described in this policy

In our mobile app, you will be asked to provide explicit consent before any data is sent to third-party AI services for the first time.

Data Sharing

We share data only with:

  • AI processing providers - third-party AI services used for document data extraction and analysis. Documents are encrypted in transit, processed in isolated environments, not used for model training, and deleted after processing. These providers are contractually required to provide the same or equal level of data protection as described in this policy.
  • Payment processor - Stripe, for billing only
  • UAE authorities - when legally required

We do not sell data. We do not share with advertisers.

Cross-Border Transfers

Document processing happens in UAE data centers. Some operational data (analytics, support tickets) may be processed outside UAE. We ensure adequate protection per PDPL Article 22 requirements.

Your Rights (PDPL)

Under UAE law, you can:

  • Access - request copy of your data
  • Correct - fix inaccurate information
  • Delete - request data deletion
  • Withdraw consent - stop processing at any time
  • Object - refuse specific processing activities
  • Port - receive data in machine-readable format

Email info@paperwork.to to exercise these rights. We respond within 14 days.

Data Retention

  • Documents: 30 days after processing
  • Account data: duration of account + 1 year
  • Invoices: 7 years (UAE tax requirements)
  • Logs: 90 days

Security

  • SOC 2 Type II compliant infrastructure
  • End-to-end encryption
  • Regular penetration testing
  • 24/7 monitoring
  • Incident response within 72 hours

Cookies

We use essential cookies for authentication and preferences. No advertising trackers. You can disable cookies in your browser, but some features may not work.

Data Breach Notification

Per PDPL Article 9, we notify the UAE Data Office immediately if a breach threatens your privacy. We notify affected users within 72 hours with details on scope, impact, and remediation.

Changes

We update this policy as needed. Material changes notified via email 30 days before taking effect.

Contact

Email: info@paperwork.to