Privacy Policy

Effective date: March 23, 2026 · Last updated: March 23, 2026

Table of Contents

1. Personal Information We Collect

2. How We Use Your Information & Legal Bases

3. Disclosure of Personal Information

4. International Data Transfers

5. Data Retention

6. Security

7. AI and Automated Decision-Making

8. Cookies and Tracking Technologies

9. Children’s Privacy

10. Your Universal Privacy Rights

11. Changes to This Notice

12. India — Digital Personal Data Protection Act 2023 (DPDP)

13. European Union & EEA — General Data Protection Regulation (GDPR)

14. United Kingdom — UK GDPR & Data Protection Act 2018

15. United States — California (CCPA/CPRA) & Other State Laws

16. Canada — PIPEDA & Quebec Law 25

17. Australia — Privacy Act 1988 (As Amended)

18. Brazil — Lei Geral de Proteção de Dados (LGPD)

19. Singapore — Personal Data Protection Act 2012 (PDPA)

20. Contact & Escalation Directory

1. Personal Information We Collect

A. Information You Provide

  • Account & Profile: Name, email, phone, company name, billing address, and profile photo.
  • Payment Data: Payment card details and billing history, handled by Stripe/Paddle. We do not store raw card numbers.
  • Document Content: PDFs, Word documents, templates, clauses, and metadata you upload or create.
  • Signer & Recipient Data: Recipient email addresses, names, roles, and any custom form-field data you configure.
  • Support Communications: Chats, emails, and transcripts with our support team.
  • Feedback & Survey Data: NPS surveys, in-app feedback prompts, and user research responses.
  • Preference Data: Responses to onboarding wizards and feature-preference selections.

B. Information Collected Automatically

  • Device & Log Data: IP address, device identifiers, browser type and version, OS, screen resolution.
  • Usage Data: Pages visited, feature interactions, click paths, session duration, error logs, API call history.
  • Transaction Audit-Trail Data: IP addresses, timestamps, geolocation (approximate), device type, and auth events for all parties to a signing transaction — required for legal audit-trail validity.
  • Behavioral Inferences: Inferred interests and preferences derived from your interactions with the platform.
  • Cookie & Tracking Data: Text files placed on your device to enable session management, analytics, and personalization. See Section 8.

C. Information from Third-Party Sources

  • Name, email, and profile photo received when you authenticate via Google, Microsoft, or another identity provider.
  • Contact and firmographic data from partners, resellers, or referral programmes, where lawfully permitted.
  • Calendar and contact data from third-party integrations you explicitly authorize.
  • Verification data from identity-verification providers where required by applicable law.

D. Sensitive Personal Information

We do not intentionally collect sensitive categories of personal information (e.g., health, racial or ethnic origin, political opinions, biometric data) as part of our standard service. If your documents happen to contain such information, it is processed as customer content under the processor role and our DPA governs its handling. Please do not submit sensitive data unless your use case expressly requires it and you have ensured appropriate safeguards.

2. How We Use Your Information & Legal Bases

We process personal information only for specified, explicit, and legitimate purposes. The table below maps each purpose to the categories of data involved, and to the legal basis applicable in key jurisdictions (GDPR Art. 6 / DPDP Act / CCPA).

| Purpose | Data Categories | Legal Basis (GDPR / DPDP / Other) |
|---|---|---|
| Provide, operate, and maintain the Services | Account, document, signer, payment, device data | Contract (Art. 6(1)(b)); Contract/Consent (DPDP); Necessary for service (CCPA) |
| Process payments and manage subscriptions | Payment, account, billing data | Contract; Legal Obligation |
| Generate legally valid electronic signature audit trails | Signer identity, IP, timestamp, device, auth events | Contract; Legal Obligation (Indian IT Act; eIDAS; ESIGN Act) |
| Customer support and dispute resolution | Account, support communications, usage data | Contract; Legitimate Interests |
| Security, fraud detection, and abuse prevention | Device, IP, usage, transaction data | Legitimate Interests; Legal Obligation |
| Service improvement and new feature development | Usage data, feedback, inferred preferences | Legitimate Interests; Consent (where required) |
| AI model training (de-identified only or with explicit consent) | De-identified document patterns, usage data | Consent (explicit, separate opt-in required) |
| Email and in-product marketing (ZeroDocs products only) | Email, account data, preferences | Consent; Legitimate Interests (existing users) |
| Targeted advertising (marketing website only) | Cookie, device, behavioral inference data | Consent (all jurisdictions requiring opt-in) |
| Legal compliance and regulatory obligations | Any data required by applicable law | Legal Obligation |
| Establish, exercise, or defend legal claims | Any relevant data | Legitimate Interests; Legal Obligation |

3. Disclosure of Personal Information

We do not sell, rent, or trade your personal information. We disclose it only as described below.

  • Sub-processors & Service Providers: AWS (infrastructure and object storage), Stripe and Paddle (payments), PostHog (analytics), and other vendors essential to operating ZeroDocs. All are bound by Data Processing Agreements prohibiting any use beyond the contracted service.
  • Transaction Parties: Signers and counterparties receive the envelope contents and audit-trail data necessary to validate and complete a transaction.
  • Other ZeroDocs Users: Users you explicitly invite to shared workspaces or document collaboration.
  • Payment Processors: Stripe and Paddle receive payment instrument details only. We do not pass raw card data to any other party.
  • Advertising Partners (Marketing Site Only): Advertisers and ad networks receive cookie-based behavioral data on our marketing website only. This never includes authenticated product data or document content.
  • Legal & Regulatory Requirements: Disclosure in response to lawful orders, court process, regulatory demands, or to protect the safety of persons or the integrity of the platform.
  • Corporate Transactions: In the event of a merger, acquisition, sale of assets, or insolvency, your information may be transferred to the successor entity. We will notify you of any such change and material impact on data use.
  • With Your Consent: Any disclosure you have explicitly consented to, such as public testimonials.

4. International Data Transfers

BoringDollars is incorporated in India. Our primary infrastructure runs on AWS with data centres in India, the EU, and the United States. Your data may be processed in any of these regions.

| From Region | To Region(s) | Transfer Mechanism |
|---|---|---|
| EEA | India, United States | EU Standard Contractual Clauses (SCCs) — 2021 Commission Decision |
| United Kingdom | India, United States | UK International Data Transfer Agreement (IDTA) / UK Addendum to EU SCCs |
| India | United States, EU | DPDP Act cross-border transfer rules (Government-notified destinations; DPA terms) |
| Brazil | India, United States | LGPD Chapter V mechanisms (SCCs or equivalent guarantees) |
| Australia | India, United States | APP 8 — overseas disclosure with contractual protections |
| Canada (Quebec) | India, United States | Law 25 — Privacy Impact Assessment + contractual safeguards |
| Singapore | India, United States | PDPA Third Schedule — binding contractual clauses |

We will provide a copy of the relevant transfer mechanism on request. We update our transfer agreements whenever the applicable standard clauses are revised.

5. Data Retention

We retain personal information only as long as necessary for the purposes described in this Notice and to comply with legal obligations. De-identified or aggregated data is not personal information and may be retained indefinitely for research and product development.

| Data Category | Retention Period | Primary Legal Rationale |
|---|---|---|
| Account and profile data | Life of account + 3 years post-closure | Contractual claims limitation; DPDP; GDPR |
| Document content and signing audit trails | Life of account + 7 years post-closure (or per customer instruction) | Indian IT Act; ESIGN Act; eIDAS; contractual validity |
| Billing and payment records | 7 years from transaction date | Indian Companies Act; GST Act; US tax law; LGPD financial records |
| Support communications | 3 years from ticket resolution | Dispute resolution; quality assurance |
| Server logs and security data | 13 months rolling | Security monitoring; GDPR recital 49 |
| Cookie / analytics data | 13 months rolling (session cookies expire on browser close) | CNIL guidance; ICO guidance; CPRA regulations |
| Marketing consent records | Life of consent + 3 years | GDPR accountability; CAN-SPAM; CASL |
| AI training opt-in records | Life of consent + 5 years | GDPR accountability; audit obligations |
| Anonymised / aggregated data | Indefinite | No longer personal data under applicable law |

6. Security

We implement a layered security programme designed to protect your personal information from unauthorized access, disclosure, alteration, or destruction. Key controls include:

  • Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest; separate encryption keys per customer tenant.
  • Access Controls: Multi-factor authentication enforced for all staff accounts; role-based access controls limiting document access to personnel with a verified business need.
  • Security Testing: Annual third-party penetration testing; continuous vulnerability scanning; internal security audits.
  • Breach Notification: Documented incident response plan; notification to affected users and supervisory authorities within 72 hours (GDPR), 72 hours (DPDP Act rules when notified), without undue delay (PIPEDA), and as required under other applicable laws.
  • Supply Chain Security: All sub-processors contractually required to maintain equivalent or higher security standards.
  • Organizational Measures: Regular staff training on data protection obligations; designated privacy champions in each engineering team.

No method of transmission or storage is 100% secure. If you suspect your account has been compromised, contact support@zerodocs.xyz immediately.

7. AI and Automated Decision-Making

AI-Powered Features

ZeroDocs uses AI and machine learning to power features including intelligent document extraction, clause suggestions, risk flagging, and signature placement. These features process the content of documents you upload as part of delivering the requested service.

AI Model Training Policy

  • We do not use identifiable customer document content to train generalized AI models without your prior, explicit, and separately obtained written consent.
  • Where we train on document data, we apply de-identification, aggregation, and differential privacy techniques before any model training occurs.
  • You can opt in or out of contributing de-identified data to model training at any time in Account Settings > Privacy.
  • Role-based access controls and audit logging are applied to all model training pipelines.
  • We will never use Google Workspace API data or data obtained via OAuth integrations for AI model training.

Automated Decision-Making

We do not make decisions that produce significant legal or similarly significant effects on individuals through automated means alone. Where automated processing assists fraud detection, document compliance checks, or identity verification, a human reviews any flagged output before action is taken. If you believe an automated decision has incorrectly affected you, contact privacy@zerodocs.xyz to request human review.

8. Cookies and Tracking Technologies

We use cookies and similar technologies (web beacons, local storage, tracking pixels) on zerodocs.xyz. Our Cookie Preference Centre, accessible from the footer of zerodocs.xyz, lets you manage your preferences at any time.

| Category | Purpose | Scope | Opt-Out Available? |
|---|---|---|---|
| Strictly Necessary | Session management, authentication, CSRF protection, security. Required for the platform to function. | Entire platform | No — essential to service |
| Functional | Remembering language, region, display preferences, and in-app configurations. | Entire platform | Yes — Cookie Preference Centre |
| Analytics | Understanding navigation and feature usage patterns to improve the product (PostHog, Mixpanel). Data is pseudonymised. | Entire platform | Yes — Cookie Preference Centre |
| Marketing / Advertising | Remarketing and targeted advertising on third-party platforms. Applied on our marketing website only. Never in the authenticated product. | Marketing site only | Yes — Cookie Preference Centre; GPC signal honoured |

We honour Global Privacy Control (GPC) browser signals in jurisdictions where legally required (California, Colorado, Connecticut). We do not use cross-context behavioural advertising in our authenticated product.

9. Children’s Privacy

ZeroDocs is not directed at individuals under the age of 18 (or such higher age as required by applicable law, including 13 under COPPA, 16 under GDPR for digital services in certain EU member states, and 18 under Indian law). We do not knowingly collect personal information from minors, and we do not engage in behavioural tracking or targeted advertising directed at minors.

If you believe we have inadvertently collected personal information from a minor, please contact privacy@zerodocs.xyz and we will delete it promptly.

10. Your Universal Privacy Rights

Regardless of where you are located, you can exercise the following rights by contacting privacy@zerodocs.xyz or using the Privacy Request form in your account settings. We will verify your identity before acting on any request and will respond within 30 days (or the shorter period required by applicable law).

| Right | What It Means | How to Exercise |
|---|---|---|
| Access / Know | Obtain a summary of what personal information we hold about you and how we use it. | Privacy Request form or privacy@zerodocs.xyz |
| Correction / Rectification | Require us to correct inaccurate or incomplete personal information. | Account Settings or Privacy Request form |
| Deletion / Erasure | Request deletion of your personal information, subject to legal retention obligations. | Privacy Request form |
| Portability | Receive your personal data in a structured, machine-readable format (JSON or CSV). | Privacy Request form |
| Restriction of Processing | Ask us to limit processing while a correction or objection is pending. | Privacy Request form |
| Object to Processing | Object to processing based on legitimate interests, including direct marketing. | Unsubscribe link in emails or Privacy Request form |
| Withdraw Consent | Withdraw any consent you have given without affecting prior processing. | Account Settings > Privacy |
| Opt Out of Marketing | Stop receiving promotional communications. | Unsubscribe link in any marketing email |
| Opt Out of Sale / Sharing | Stop the sharing of your data for cross-context behavioural advertising (US residents). | Cookie Preference Centre; GPC signal |
| Non-Discrimination | Exercise any of the above rights without receiving a degraded level of service. | Automatic — no action needed |
| Human Review | Request human review of any automated decision that has materially affected you. | Email privacy@zerodocs.xyz with subject: Human Review Request |

If we deny a request, we will explain why and, where applicable law provides it, inform you of your right to appeal or escalate to a supervisory authority. Certain information may be exempt from deletion where retention is legally required.

11. Changes to This Notice

We may update this Notice to reflect changes in our practices, technology, or legal requirements. When we make material changes we will update the Effective Date, display a prominent in-product notice or send an email notification, and where required by law, obtain fresh consent. Your continued use of the Services after the new effective date constitutes acceptance of the changes to the extent permitted by applicable law. Prior versions are archived at zerodocs.xyz/privacy/archive.


12. India — Digital Personal Data Protection Act 2023 (DPDP)

Applies to: Residents of India whose personal data is processed within India or, where processing relates to offering goods or services to Indian data principals, outside India.

Our role: BoringDollars Private Limited is the Data Fiduciary for controller-mode processing. Our customers are Data Fiduciaries for processor-mode processing.

Consent Framework

Where we rely on consent as the legal basis, we request it in clear, plain language before or at the time of collection. Consent requests identify: (a) the personal data to be processed, (b) the purpose, and (c) the manner of withdrawal. Withdrawal of consent does not affect the legality of processing carried out before withdrawal.

Where we rely on “legitimate uses” as defined under Section 7 of the DPDP Act (employment, legal obligation, medical emergency, public interest), we will document and retain the basis for each processing activity.

Your Rights as a Data Principal

  • Right to Information: Right to be informed about personal data being processed and its purpose.
  • Right of Access: Right to obtain a summary of personal data and processing activities; right to know identities of other Data Fiduciaries with whom data has been shared.
  • Right of Correction and Updation: Right to correct inaccurate, incomplete, or outdated personal data.
  • Right of Erasure: Right to erasure of personal data where it is no longer necessary for the stated purpose, subject to legal retention obligations.
  • Right to Grievance Redressal: Right to have your grievance addressed by our Grievance Officer within the timelines specified by the DPDP Act and Rules.
  • Right to Nominate: Right to nominate another individual to exercise your rights in the event of your death or incapacity.

Grievance Officer (India)

Grievance Officer — India

Name: Devendra Tanwar

Address: BoringDollars Private Limited, B8A, Bhawani Singh Road, C-Scheme, Jaipur 302001, Rajasthan, India

Email: legal@zerodocs.xyz

Response timeline: Acknowledgement within 48 hours; resolution within 30 days

Children and Parental Consent (DPDP Act)

We do not process personal data of children (under 18 years) without verifiable parental or guardian consent. We do not engage in behavioural tracking or targeted advertising directed at children. We implement technical measures to prevent minors from creating accounts.

Cross-Border Transfers (India)

Cross-border transfers of Indian residents’ personal data are subject to the rules and any Government-notified permitted geographies under the DPDP Act. We maintain Data Processing Agreements with all recipients. We will update this section promptly when the Government of India notifies cross-border transfer rules or approved jurisdictions.

Significant Data Fiduciary Obligations

If ZeroDocs is designated a Significant Data Fiduciary (SDF) by the Data Protection Board of India, we will comply with all additional obligations, including appointment of a Data Protection Officer resident in India, appointment of an independent data auditor, and periodic Data Protection Impact Assessments. We will update this Notice accordingly.


13. European Union & EEA — GDPR

Applies to: Residents of EU Member States and the European Economic Area (Norway, Iceland, Liechtenstein).

Legal instrument: Regulation (EU) 2016/679 (General Data Protection Regulation), as applied in each Member State.

Data Controller

For controller-mode processing of EEA residents’ personal data, BoringDollars Private Limited acts as the data controller. We are currently evaluating the need to appoint an EU representative under Article 27 GDPR. Where required, representative details will be published at zerodocs.xyz/privacy/eu-rep.

Legal Bases for Processing (Article 6)

| Processing Activity | Legal Basis | Article Reference |
|---|---|---|
| Delivering contracted services | Performance of a contract | Art. 6(1)(b) |
| Electronic signature audit trails | Contract; Legal Obligation | Art. 6(1)(b), (c) |
| Payment processing | Contract; Legal Obligation | Art. 6(1)(b), (c) |
| Security and fraud prevention | Legitimate Interests | Art. 6(1)(f) |
| Product analytics and improvement | Legitimate Interests | Art. 6(1)(f) |
| Marketing to existing customers | Legitimate Interests | Art. 6(1)(f); Recital 47 |
| Marketing to new contacts; advertising cookies | Consent | Art. 6(1)(a) |
| AI model training on customer data | Consent (explicit) | Art. 6(1)(a) |
| Legal compliance | Legal Obligation | Art. 6(1)(c) |
| Legal claims | Legitimate Interests | Art. 6(1)(f) |

Your GDPR Rights

EEA residents hold the rights described in Section 10, plus the following GDPR-specific rights:

  • Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw at any time without detriment.
  • Right to Object (Art. 21): Object to processing based on legitimate interests; we will cease unless we demonstrate compelling legitimate grounds.
  • Right Against Automated Decisions (Art. 22): Not be subject to decisions based solely on automated processing that produce significant legal effects, without human involvement.
  • Right to Lodge a Complaint: Lodge a complaint with your national supervisory authority. Contact details at edpb.europa.eu.

Data Protection Officer

Data Protection Officer (DPO)

Email: dpo@zerodocs.xyz

The DPO can be contacted for any matter relating to EEA or UK data protection law.

The DPO operates independently and reports directly to senior management.

Data Protection Impact Assessments (DPIAs)

We conduct DPIAs for processing activities that are likely to result in a high risk to individuals’ rights and freedoms, including large-scale processing of personal data, systematic monitoring, and new AI-driven features. DPIA summaries are available on request from the DPO.

Records of Processing Activities (Article 30)

We maintain a Record of Processing Activities (RoPA) documenting all processing operations as required by Article 30 GDPR. The RoPA is available for inspection by the competent supervisory authority on request.


14. United Kingdom — UK GDPR & Data Protection Act 2018

Applies to: Residents of the United Kingdom of Great Britain and Northern Ireland.

Legal instruments: UK GDPR (retained EU law); Data Protection Act 2018; Privacy and Electronic Communications Regulations 2003 (PECR).

Our processing of UK residents’ personal data mirrors the GDPR framework described in Section 13, with the following UK-specific provisions:

UK Representative

If required under Article 27 UK GDPR, we will appoint a UK representative. Details will be published at zerodocs.xyz/privacy/uk-rep. In the meantime, direct all UK inquiries to privacy@zerodocs.xyz.

Transfers to Third Countries (UK)

Transfers of UK residents’ personal data outside the UK are made under: (a) the UK’s own adequacy regulations where applicable; (b) the UK International Data Transfer Agreement (IDTA) issued by the Information Commissioner; or (c) the UK Addendum to the EU SCCs. We will use the mechanism most appropriate to the destination country.

Supervisory Authority

The supervisory authority for the UK is the Information Commissioner’s Office (ICO). You may lodge a complaint at ico.org.uk or by calling 0303 123 1113.

PECR — Email Marketing

We will send marketing emails to UK residents only where we have their prior consent (for non-customers) or where the soft opt-in exemption applies (existing customers with a right to opt out in every communication). We honour all unsubscribe requests within 10 business days.


15. United States — California (CCPA/CPRA) & Other State Laws

Applies to: US residents, with heightened rights for residents of California, Colorado, Connecticut, Virginia, Texas, Oregon, and other states with enacted comprehensive privacy laws.

Primary instruments: California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA); Colorado Privacy Act (CPA); Connecticut Data Privacy Act (CTDPA); Virginia Consumer Data Protection Act (VCDPA); Texas Data Privacy and Security Act (TDPSA).

Categories of Personal Information Collected (CCPA Categories)

| CCPA Category | Examples We Collect | Sold or Shared for Targeted Advertising? |
|---|---|---|
| Identifiers | Name, email, IP address, device ID, user ID | No (authenticated product); Yes — device/cookie identifiers on marketing site (opt-out available) |
| Commercial Information | Billing records, subscription history | No |
| Internet / Electronic Activity | Usage logs, click paths, API history | No (authenticated product); Yes — cookie-based analytics on marketing site (opt-out available) |
| Geolocation (approximate) | IP-derived city/region | No |
| Professional / Employment Info | Company name, job title | No |
| Inferences | Inferred preferences from platform usage | No |
| Sensitive Personal Information | Login credentials, payment card data | No — used only to provide the service |

Your CCPA/CPRA Rights

  • Right to Know: Know the categories and specific pieces of personal information collected about you.
  • Right to Delete: Request deletion of personal information we hold, subject to legal exceptions.
  • Right to Correct: Correct inaccurate personal information.
  • Right to Opt Out of Sale/Sharing: Opt out of the “sale” or “sharing” of your personal information for cross-context behavioural advertising.
  • Right to Limit Use of Sensitive PI: Limit the use of sensitive personal information to providing the service. We use sensitive personal information only for service delivery, security, and legal compliance.
  • Right to Non-Discrimination: Not be discriminated against for exercising your CCPA rights.
  • Authorized Agent: Designate an authorized agent to submit requests on your behalf.

Exercising Your Rights

Submit requests via: (a) the Privacy Request form in your account settings; (b) email to privacy@zerodocs.xyz with subject line “CCPA Request”; or (c) by clicking “Do Not Sell or Share My Personal Information” in the footer of zerodocs.xyz. We will verify your identity before processing requests and respond within 45 days (extendable by a further 45 days with notice).

Global Privacy Control (GPC)

We recognize GPC signals as a valid opt-out of sale/sharing of personal information for California residents, and as an opt-out signal for other state privacy laws that require recognition of such signals (Colorado, Connecticut, and others as enacted).

Financial Incentives

We do not offer financial incentives in exchange for the collection, retention, or sale of personal information.

Shine the Light (California Civil Code §1798.83)

ZeroDocs does not disclose personal information to third parties for their own direct marketing purposes without your explicit prior consent. California residents may request information about any such disclosures from the preceding calendar year by contacting privacy@zerodocs.xyz.

Other US State Laws

We extend the opt-out of targeted advertising and profiling rights described above to residents of Colorado, Connecticut, Virginia, Texas, Oregon, and other states with enacted comprehensive privacy laws that provide equivalent rights. If your state enacts a comprehensive privacy law after the Effective Date of this Notice, we will comply with it within the timeframe it specifies.


16. Canada — PIPEDA & Quebec Law 25

Applies to: Residents of Canada.

Legal instruments: Personal Information Protection and Electronic Documents Act (PIPEDA); Quebec Act Respecting the Protection of Personal Information in the Private Sector (Law 25 / Bill 64).

Consent (PIPEDA)

We obtain meaningful consent before collecting, using, or disclosing personal information, except where collection without consent is permitted by PIPEDA (e.g., legal obligation). Consent may be express or implied depending on the sensitivity of the information and reasonable expectations. You may withdraw consent at any time, subject to legal or contractual restrictions.

Quebec Law 25 — Additional Requirements

  • Transparency: We publish and maintain a Privacy Policy in plain language, updated whenever there is a material change.
  • Cross-Border PIA: Before transferring personal information outside Quebec, we conduct a Privacy Impact Assessment (PIA) and ensure the receiving jurisdiction offers adequate protection.
  • Privacy Officer: We have appointed a person responsible for the protection of personal information (equivalent to a Privacy Officer) who can be contacted at privacy@zerodocs.xyz.
  • Right to Withdraw from Commercial Prospecting: Where we use personal information for commercial prospecting (marketing), you may request that we stop at any time.
  • Automated Decision-Making: Where we use automated processing to make a decision that produces significant effects, you have the right to be informed, to ask for the decision to be reviewed by a human, and to submit observations.

CASL — Anti-Spam

We send commercial electronic messages (CEMs) to Canadian residents only with express or implied consent as defined by Canada’s Anti-Spam Legislation (CASL). Every CEM includes an unsubscribe mechanism that we honour within 10 business days. Records of consent are maintained for a minimum of 3 years.

Supervisory Authority (Canada)

The federal supervisory authority is the Office of the Privacy Commissioner of Canada (priv.gc.ca). Quebec residents may also contact the Commission d’accès à l’information (CAI) at cai.gouv.qc.ca.


17. Australia — Privacy Act 1988 (As Amended)

Applies to: Residents of Australia.

Legal instrument: Privacy Act 1988 (Cth) incorporating the Australian Privacy Principles (APPs); Privacy and Other Legislation Amendment Act 2024.

Australian Privacy Principles

We handle personal information in accordance with the 13 Australian Privacy Principles (APPs). Key obligations include:

  • APP 3 — Collection: We collect personal information only by lawful and fair means and, where reasonable, directly from the individual.
  • APP 5 — Notification: We notify you of our identity, how to contact us, the purpose of collection, and any third-party disclosure at or before the time of collection.
  • APP 6 — Use and Disclosure: Personal information is used or disclosed only for the purpose for which it was collected, or a directly related secondary purpose, or with your consent.
  • APPs 12 & 13 — Access & Correction: You may access the personal information we hold about you and request corrections. We will respond within 30 days.

Overseas Disclosure (APP 8)

Before disclosing personal information to overseas recipients (including our cloud infrastructure providers), we take reasonable steps to ensure the recipient does not breach the APPs. We achieve this through contractual data processing obligations that incorporate APP-equivalent standards.

Notifiable Data Breaches (Part IIIC)

In the event of a data breach that is likely to result in serious harm to any individual whose information is involved, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required by the Notifiable Data Breaches scheme, without undue delay.

Supervisory Authority (Australia)

The supervisory authority is the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. You may lodge a complaint directly with the OAIC if your complaint to us is not resolved to your satisfaction.


18. Brazil — Lei Geral de Proteção de Dados (LGPD)

Applies to: Residents of Brazil (Data Subjects).

Legal instrument: Lei nº 13.709/2018 (LGPD), as amended; regulations issued by the Autoridade Nacional de Proteção de Dados (ANPD).

Legal Bases (LGPD Article 7)

We process Brazilian residents’ personal data under one or more of the following LGPD legal bases: consent of the data subject; compliance with a legal or regulatory obligation; execution of a contract; legitimate interests of the controller or third party; and protection of credit.

Your Rights Under the LGPD (Article 18)

  • Confirmation: Confirmation of the existence of processing.
  • Access: Access to the personal data we hold.
  • Correction: Correction of incomplete, inaccurate, or outdated data.
  • Anonymization / Blocking / Elimination: Anonymization, blocking, or elimination of unnecessary, excessive, or non-compliant data.
  • Portability: Portability to another service or product provider, by express request.
  • Deletion: Deletion of data processed with your consent.
  • Information on Sharing: Information on public and private entities with which we have shared data.
  • Information on Consent: Information on the possibility of not providing consent and the consequences.
  • Revocation of Consent: Revocation of consent at any time.
  • Review of Automated Decisions: Review of decisions made solely by automated means.

DPO (Encarregado) — Brazil

We have designated a Data Protection Officer (Encarregado) as required by LGPD Article 41. The DPO can be contacted at dpo@zerodocs.xyz. DPO contact details are published at zerodocs.xyz/privacy.

Supervisory Authority (Brazil)

The supervisory authority is the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd. You may lodge a complaint with the ANPD if your complaint to us is not resolved to your satisfaction.


19. Singapore — Personal Data Protection Act 2012 (PDPA)

Applies to: Residents and individuals in Singapore.

Legal instrument: Personal Data Protection Act 2012 (No. 26 of 2012), as amended by the Personal Data Protection (Amendment) Act 2020; PDPC Advisory Guidelines.

Consent and Notification

We collect, use, or disclose personal data only with the individual’s consent (express or deemed) or under an exception in the PDPA. Before collection, we notify you of: the purposes for which personal data is collected; and the classes of third parties to whom it may be disclosed. We do not collect more personal data than necessary for the stated purposes.

Data Protection Officer (Singapore)

We have appointed a Data Protection Officer (DPO) as required under Section 11 of the PDPA. The DPO’s contact details are published on our website, and the DPO can be reached at dpo@zerodocs.xyz.

Your Rights Under the PDPA

  • Right of Access: Request access to personal data we hold about you and information about how it has been used or disclosed in the past year.
  • Right of Correction: Request correction of personal data that is inaccurate or incomplete.
  • Right to Withdraw Consent: Withdraw consent at any time, subject to legal or contractual restrictions, with reasonable notice. We will advise you of the likely consequences of withdrawal.

Transfer Limitation Obligation

Transfers of Singapore residents’ personal data outside Singapore are made only to countries, organisations, or persons that provide a standard of protection comparable to the PDPA, through binding contractual clauses (Third Schedule of the PDPA) or other mechanisms approved by the PDPC.

Data Breach Notification

We will notify the Personal Data Protection Commission (PDPC) and affected individuals of any notifiable data breach within 3 calendar days of assessing that the breach is notifiable, in accordance with Section 26C of the PDPA.

Supervisory Authority (Singapore)

The supervisory authority is the Personal Data Protection Commission (PDPC) at pdpc.gov.sg. You may lodge a complaint with the PDPC if your complaint to us is not resolved.


20. Contact & Escalation Directory

For any privacy-related question, request, or complaint, please contact us using the details below. We aim to acknowledge all inquiries within 48 hours and resolve them within 30 days.

| Contact Role | Jurisdiction / Purpose | Contact Details |
| --- | --- | --- |
| Privacy Team (General) | All jurisdictions — first point of contact for requests and complaints | privacy@zerodocs.xyz; https://zerodocs.xyz/privacy/request |
| Grievance Officer | India — DPDP Act 2023 grievances | legal@zerodocs.xyz; BoringDollars Private Limited, B8A, Bhawani Singh Road, C-Scheme, Jaipur 302001, Rajasthan, India |
| Data Protection Officer | EU/EEA, UK, Brazil, Singapore — GDPR, UK GDPR, LGPD, PDPA | dpo@zerodocs.xyz |
| Privacy Officer | Canada — PIPEDA and Quebec Law 25 | privacy@zerodocs.xyz |
| Security Team | Security vulnerabilities, suspected breaches | support@zerodocs.xyz |
| Postal Address | All jurisdictions | Attention: Privacy Team, BoringDollars Private Limited, B8A, Bhawani Singh Road, C-Scheme, Jaipur 302001, Rajasthan, India |

Supervisory Authority Escalation

If you are not satisfied with our response to a privacy complaint, you may escalate to the supervisory authority in your jurisdiction:

| Jurisdiction | Authority | Website |
| --- | --- | --- |
| India | Data Protection Board of India (when constituted) | meity.gov.in |
| EU/EEA | Your national Data Protection Authority (list at edpb.europa.eu) | edpb.europa.eu |
| United Kingdom | Information Commissioner’s Office (ICO) | ico.org.uk |
| California / USA | California Privacy Protection Agency (CPPA); state AGs | cppa.ca.gov |
| Canada (Federal) | Office of the Privacy Commissioner | priv.gc.ca |
| Canada (Quebec) | Commission d’accès à l’information (CAI) | cai.gouv.qc.ca |
| Australia | Office of the Australian Information Commissioner (OAIC) | oaic.gov.au |
| Brazil | Autoridade Nacional de Proteção de Dados (ANPD) | gov.br/anpd |
| Singapore | Personal Data Protection Commission (PDPC) | pdpc.gov.sg |

© 2026 BoringDollars Private Limited. All rights reserved.

ZeroDocs is a product of BoringDollars Private Limited, incorporated in India under the Companies Act 2013.