Privacy Policy - DocuRise

1. Introduction

RiseCraft, LLC ("DocuRise") is a Delaware company providing document security and analytics tools. This policy explains how we handle data.

2. What We Collect

From Document Owners: Account information (name, email, payment details).

From Viewers (on behalf of Document Owners): Engagement metrics (views, time spent, scroll depth), device/browser type, general location, and an anonymous session ID (UUID). If a Viewer submits a lead form, that information goes directly to the Document Owner.

3. How We Use Data

To provide, maintain, and improve the Service. We also collect anonymized, aggregated Usage Data to improve platform performance.

4. How We Share Data

We do not sell your data. We share it only:

With Document Owners — Viewer data collected through their links.
With Service Providers — Stripe (payments), Vercel (hosting), Supabase (database), Resend (email).
For Legal Compliance — When required by law or valid legal process.

5. Data Retention

Account Data: Kept while your account is active. Deleted within 30 days of account closure; backups purged within 30 additional days.
Viewer Data: Kept as long as the Document Owner retains it.
Billing Records: Up to 7 years for tax/accounting compliance.

6. Your Rights

6.1 Document Owners: Access, update, export, or delete your data via account settings or support@docurise.io.

6.2 Viewers: Direct requests to the Document Owner. If you can't reach them, contact support@docurise.io.

6.3 U.S. State-Specific Rights (CCPA). We do not sell personal information. California residents may request to know what personal information we hold and request its deletion by contacting support@docurise.io.

6.4 Supplemental Terms for South Korea (PIPA). If you are located in South Korea, the following applies in addition to the terms above:

We process your personal information in accordance with the Personal Information Protection Act (개인정보보호법).
Personal information is destroyed using secure electronic methods once the purpose of collection has been achieved, unless retention is required by other applicable laws, in which case it is stored separately for only the legally required period.
You have the right to access, correct, delete, and suspend the processing of your personal information. To exercise these rights, contact support@docurise.io.
Your data is transferred to and processed in the United States, where RiseCraft, LLC operates its servers and services.

7. International Transfers

Data is processed in the United States.

8. Children

The Service is not for anyone under 18. We do not knowingly collect data from children.

9. Security

We use commercially reasonable measures including encryption in transit and at rest. No method is 100% secure.

10. Changes

We may update this policy and will post changes with an updated effective date. Material changes will be communicated by email or in-app notice.

Contact: support@docurise.io

DocuRise Privacy Note — PIPA Addendum (South Korea)

Effective Date: February 15, 2026

This Addendum applies to users located in South Korea and supplements the DocuRise Privacy Policy. In the event of any conflict between this Addendum and the Privacy Policy, this Addendum prevails for users in South Korea. This Addendum is provided in accordance with the Personal Information Protection Act (개인정보보호법, "PIPA").

1. Personal Information Protection Officer

The person responsible for the protection of personal information is:
Name: Gayoung Park
Title: CEO
Email: support@docurise.io

All inquiries, complaints, and requests relating to the processing of personal information may be directed to the above contact.

2. Items of Personal Information Collected

2.1 Required Items

Category	Items Collected	Purpose	Retention Period
Account registration	Email address, name	Service provision, authentication	Duration of account; deleted within 30 days of closure
Payment	Stripe customer ID, subscription ID (card numbers are not stored by DocuRise)	Billing and subscription management	Duration of account; billing records retained up to 7 years for tax compliance
Viewer access	Email address, IP address, country, device type, user agent	Document access verification, analytics provision to Document Owner	As determined by the Document Owner's subscription plan; deleted when the document or account is deleted

2.2 Optional Items (Collected Only When Configured by Document Owner)

Category	Items Collected	Purpose	Retention Period
Lead capture form	Name, company, phone number, industry, years of experience, referral source, marketing consent	Lead generation on behalf of Document Owner	As determined by the Document Owner; deleted when the document or account is deleted
Viewer engagement	Scroll depth, section dwell time, link clicks, CTA clicks, session duration	Analytics on behalf of Document Owner	According to Document Owner's subscription plan
Viewer content	Comments, feedback ratings, feature requests	Feedback provision to Document Owner	Deleted when the document or account is deleted

2.3 Instagram Integration (Collected Only When Document Owner Connects Their Account)

Category	Items Collected	Purpose	Retention Period
Instagram account	Account ID, username, encrypted access token	To securely maintain authenticated access to the Instagram API and execute user-configured messaging actions.	Until account is deleted
Instagram interactions	Comment text, commenter ID (hashed), follower status (hashed), DM content	To process comment-triggered workflows, prevent duplicates	Completed/failed events deleted after 30 days; all data deleted upon disconnection

3. Provision of Personal Information to Third Parties

We provide personal information to the following third parties to operate the Service:

Recipient	Contact	Items Provided	Purpose	Retention Period
Stripe, Inc.	privacy@stripe.com	Email, subscription data	Payment processing	Duration of subscription; per Stripe's retention policy
Supabase, Inc.	support@supabase.com	All application data	Database hosting and authentication	Duration of account
Vercel, Inc.	privacy@vercel.com	IP address, request data	Web hosting and edge computing	Per Vercel's retention policy
Resend, Inc.	support@resend.com	Email address, email content	Transactional email delivery	Per Resend's retention policy
Upstash, Inc.	support@upstash.com	Rate limit keys, encrypted job payloads	Rate limiting, async task processing	Transient (no long-term storage)
Functional Software, Inc. (Sentry)	compliance@sentry.io	Error logs, request context	Error monitoring	Per Sentry's retention policy
Meta Platforms, Inc.	N/A (via Instagram Graph API)	Instagram account data, message content	DM Workflow (when connected)	Per Meta's data retention policies
PostHog, Inc. (if enabled)	privacy@posthog.com	Anonymized usage events	Product analytics	Per PostHog's retention policy
Google LLC (if enabled)	N/A (via Google Analytics)	Anonymized page views	Web analytics	Per Google's retention policy

4. Overseas Transfer of Personal Information

Your personal information is transferred to and processed outside of South Korea as follows:

Recipient	Country	Items Transferred	Purpose	Method	Timing
RiseCraft, LLC	United States	All personal information described in Section 2	Service operation and provision	Encrypted network transmission	Continuous, upon use of the Service
Supabase, Inc. (AWS)	United States / Singapore (ap-southeast-1)	All application data	Database hosting	Encrypted network transmission	Continuous
Stripe, Inc.	United States	Email, subscription data	Payment processing	Encrypted network transmission	Upon payment events
Vercel, Inc.	United States / Global edge	IP address, request data	Web hosting	Encrypted network transmission	Upon each request
Resend, Inc.	United States	Email address, email content	Email delivery	Encrypted network transmission	Upon email events
Upstash, Inc.	United States	Rate limit keys, encrypted payloads	Rate limiting, task queue	Encrypted network transmission	Continuous
Functional Software, Inc. (Sentry)	United States	Error logs	Error monitoring	Encrypted network transmission	Upon errors
Meta Platforms, Inc.	United States	Instagram data (when connected)	Messaging Workflow	Encrypted network transmission (via Graph API)	When workflow is active

RiseCraft, LLC ensures that all overseas recipients maintain security measures that meet or exceed the standards described in this Addendum and the Data Processing Addendum.

5. Destruction of Personal Information

When personal information is no longer needed for the purpose for which it was collected, or when the retention period has expired, we destroy it as follows:

Electronic files: Permanently deleted using secure deletion methods that render the data unrecoverable.
Paper documents: Not applicable. DocuRise does not store personal information in paper form.
Exceptions: Where retention is required by applicable law (e.g., billing records under tax law), the information is stored separately from other personal information and retained only for the legally required period, after which it is destroyed.

Destruction timelines:

Account data: within 30 days of account closure
Backup data: within 30 additional days after primary deletion
Instagram messaging workflow data (completed/failed events): automatically deleted after 14 days
Expired email verification tokens: automatically deleted within 24 hours of expiry

6. Rights of Data Subjects

Under PIPA, you have the right to:

Access your personal information and request copies
Correct inaccurate personal information
Delete your personal information (subject to legal retention requirements)
Suspend processing of your personal information

To exercise these rights, contact support@docurise.io. We will process your request within 10 days. If we cannot comply with a request, we will notify you of the reason.

You may also exercise these rights through a legal representative by submitting a power of attorney.

Refusal of consent: You may refuse to provide optional personal information (e.g., name, company, phone number in lead capture forms). Refusal to provide required information (e.g., email address for account creation) may limit your ability to use the Service.

7. Measures to Ensure the Security of Personal Information

We implement the following technical, managerial, and physical measures:

Technical: Encryption in transit (TLS) and at rest; AES-256-GCM encryption for sensitive tokens; bcrypt hashing for passwords; HMAC-SHA256 hashing for sensitive identifiers; rate limiting; webhook signature verification
Managerial: Access to personal information limited to authorized personnel; contractual confidentiality obligations; regular review of security practices
Physical: Data hosted on secured cloud infrastructure (AWS, Supabase) with physical access controls managed by the hosting provider

8. Installation and Operation of Cookies

We install cookies that are strictly necessary for the operation of the Service:

Cookie Name	Purpose	Expiry
NEXT_LOCALE	Language preference (en/ko)	Persistent
viewer_session_{id}	Document viewing session	Session
password_verified_{id}	Password verification for protected documents	Session

Optional analytics services (PostHog, Google Analytics), if enabled, may set additional cookies. You can refuse or delete cookies through your browser settings. Disabling strictly necessary cookies may prevent normal use of the Service.

9. Changes to This Addendum

We may update this Addendum and will post changes with an updated effective date. Material changes will be communicated by email or in-app notice at least 30 days before they take effect.