Privacy Policy

This Privacy Policy explains how ValDoc.AI (“ValDoc.AI”, “we”, “us”, “our”) collects, uses, and shares information when you use the ValDoc.AI website at https://valdoc.ai and the ValDoc.AI application (together, the “Service”). ValDoc.AI is operated by ValDoc.AI.

This policy applies to people who create an account, use a workspace as part of a team, or contact us through our website.

1. Information we collect

Information you give us

Account details. When you sign up, we collect your email address, your name, and (optionally) a profile photo. Authentication, including your password and any OAuth identities you use to sign in, is managed by our authentication provider. ValDoc.AI does not store passwords.
Workspace details.When you create or manage an organization in ValDoc.AI, we collect the organization’s name and slug and, optionally, a logo.
Team invitations.When an administrator invites a teammate, we receive the invitee’s email address and the role assigned to them.
Content you upload.When you use the Service, we store the content you create or upload — including equipment specifications, manufacturer and model details, validation drafts, comments, uploaded PDFs and images, and other attachments associated with maintenance plans, executions, and supporting records.
Demo and contact form submissions. When you submit our demo-request form, we collect your email address and (optionally) your name and company.

Information we collect automatically

IP address and user agent. When you take certain regulated actions in the Service (for example, approving a document, signing, executing a test case, or making a billing change), we record an audit event that includes your IP address and browser user agent. We also record the IP address of demo-request submissions.
Cookies and similar storage. See Section 5.
Error, performance, and session data. Our error monitoring, performance monitoring, and session replay providers collect exception details, performance traces, and sampled replays of sessions. This may include your IP address, your signed-in email address and user identifier, your organization identifier, and diagnostic information about pages you were viewing when an error occurred. See Section 6.
Aggregate web analytics. We use a web analytics provider to measure page views and Core Web Vitals on our website. We do not collect identifiable user analytics events.

Information from third parties

We receive account, organization, and membership events from our authentication provider via signed webhooks. We receive billing and subscription events from our payment processor via signed webhooks.

We do not buy personal information from data brokers, and we do not use marketing analytics, advertising, CRM, or tracking-pixel tools in the Service.

2. How we use information

We use the information we collect to:

Operate the Service and provide its features — including validation document management, AI-assisted extraction and drafting, maintenance reminders, audit logs, and e-signature surfaces.
Authenticate you and keep you signed in.
Bill organizations for paid plans.
Send transactional emails — for example, notifications about review requests, comments, document finalization, IOQ execution status changes, and maintenance due dates. You can change which notification types you receive in your in-app settings.
Maintain immutable audit logs of regulated actions for compliance traceability.
Diagnose errors and improve reliability and performance.
Communicate with you about your account and our Service and respond to support requests.
Comply with our legal obligations and enforce our agreements.

We do not serve advertising in the Service, and we do not sell your personal information for advertising or marketing purposes.

3. AI features

ValDoc.AI uses third-party large language models to:

Extract structured equipment data from PDFs and equipment manuals you upload.
Generate draft validation documents based on equipment specifications, manufacturer manuals, and prerequisite documents.

When you use these features, the relevant content — for example the text extracted from your PDFs, equipment specifications, manufacturer and model metadata, and the structured prompts we send to the model — is transmitted to AI model providers and routing services. Our application does not write the contents of AI prompts or completions to our own audit logs.

ValDoc.AI does not use customer content to train or fine-tune ValDoc.AI models. The AI providers and routing services we use process AI requests for inference, and their processing, retention, and safety monitoring practices are governed by their applicable terms, settings, and data-protection commitments.

To operate the AI features, we store the generated outputs and job records needed to provide the Service, such as extraction results, validation drafts, model identifiers, token usage, prompt hashes, and job status. We do not store full AI prompt or completion text in our audit logs.

We share information with the third-party service providers we use to run ValDoc.AI. Each receives only the information it needs to perform its function.

Recipient category	What it does for us	Information processed
Authentication and identity management	Authentication and organization/membership management	Account email, name, password or OAuth identity managed by the provider, profile photo, organization name and slug, role and membership events
Payment processing and billing	Payment processing, billing, subscription management	Organization name and identifiers, subscription status, billing portal sessions. Payment card details are collected directly by our payment processor on its hosted checkout and billing pages; payment card details do not pass through ValDoc.AI’s servers.
Cloud hosting, database, and file storage	Application hosting, database, and file storage	All application content (organizations, profiles, documents, equipment data, comments, audit events, uploaded files)
Background-job processing	Background-job execution	Job payloads, which may include document content, equipment metadata, and PDF binaries used for rendering
AI model inference and routing	AI model routing and inference	Content sent to AI features (see Section 3)
Transactional email delivery	Delivery of transactional email	Recipient email, subject, and the rendered email body (which may include document titles, names, comment text, and links)
Error monitoring, analytics, session replay, and security tooling	Error reporting, performance monitoring, session replay, analytics, and security checks	Errors, performance traces, sampled session replays, IP address, signed-in user identifier and email, organization identifier

We may also disclose information when we have a good-faith belief that disclosure is required by law, court order, or governmental request; when necessary to protect the rights, property, or safety of ValDoc.AI, our customers, or the public; or in connection with a corporate transaction (such as a merger, acquisition, financing, or sale of assets), in which case we will use reasonable efforts to notify affected customers.

We use service providers under applicable contracts, terms, and data-protection commitments. Customers may contact us for current service provider or data-processing information.

5. Cookies and similar storage

ValDoc.AI and our service providers use cookies and similar browser storage to keep you signed in, protect sign-in, remember functional state, support billing-status checks, and maintain in-progress workflows as you move through the Service.

We also use limited analytics, diagnostics, performance, and session-replay requests or storage as described in Section 6. Our service providers may set their own cookies or browser storage when their services are loaded.

ValDoc.AI does not currently display a cookie consent banner. You can limit or block cookies through your browser settings, but doing so may prevent authentication or core Service features from working correctly.

6. Analytics and session replay

We use a session-replay feature to help us diagnose problems. Replays are sampled at approximately 10% of sessions and 100% of sessions in which an error occurs. Replays capture interactions with the Service — for example mouse movements, clicks, scrolls, and the structure of pages you were viewing. Our session-replay provider applies default privacy settings that mask text, images, and user input, but replays may still include interaction metadata, page structure, URLs, console breadcrumbs, network metadata, and diagnostic context.

We use a web analytics provider to measure aggregate page views and Core Web Vitals on our website. We do not use ad-tracking pixels, marketing analytics SDKs, third-party A/B testing tools, or session-recording tools other than the session-replay feature described above.

7. Audit logs

ValDoc.AI is designed for regulated environments. We maintain immutable audit logs of regulated actions — including creations, updates, approvals, signatures, executions, and billing events. Each audit entry includes an actor identifier, a timestamp, the action taken, and, where applicable, the actor’s IP address and browser user agent. These records are append-only and cannot be modified or deleted from the application. Workspace administrators can export their organization’s audit log from in-app settings.

8. Data retention

We retain account and workspace data for as long as your account or workspace remains active.

When a member, workspace, or account is removed by way of our authentication provider, the corresponding records in our database are marked as deleted and access to them is revoked. We retain marked-as-deleted records to preserve the integrity of our audit logs and our customers’ compliance records.

Some information may also remain in backups, provider logs, error reports, background-job history, and other operational systems for a limited period according to our providers’ retention settings and ordinary business needs.

You may request deletion or a copy of your personal data by contacting us at the address in Section 14. At present, ValDoc.AI does not yet offer a self-serve personal-data export — the in-app audit-log export covers audit events only. We will handle other requests manually and respond in accordance with applicable law.

9. Security

We use industry-standard practices to protect your information:

Traffic between you and ValDoc.AI is encrypted in transit. We also use standard browser security controls to help protect the Service.
Inbound webhooks from our authentication and payment providers are cryptographically signature-verified and deduplicated.
Access to workspace data is restricted based on the authenticated user and their active workspace.
Encryption at rest is provided by our service providers for the data they hold on our behalf.

Authorized ValDoc.AI personnel may access information where reasonably necessary to operate, secure, support, or improve the Service, respond to customer requests, investigate abuse or security issues, or comply with legal obligations.

No method of transmission or storage is perfectly secure. We cannot guarantee absolute security.

10. Your rights and choices

Depending on where you live, you may have rights with respect to your personal information. These can include the right to access the information we hold about you, to correct or update it, to ask us to delete it, to receive a portable copy, to object to or restrict certain processing, and to lodge a complaint with a supervisory authority.

To exercise these rights, contact us using the details in Section 14. We will respond in accordance with applicable law. Some requests may be limited where information is needed to preserve security, legal, billing, compliance, backup, or audit-log integrity.

You can also:

Update your account profile (name, email, photo) from within the Service.
Change which transactional notifications you receive from your in-app settings.
Stop using the Service and ask us to delete your account.

Removing your account or workspace via our authentication provider will mark our database records as deleted and revoke access to them, but, as noted in Section 8, some records may persist for legal, compliance, or audit purposes.

We do not make automated decisions about you that produce legal or similarly significant effects.

11. International data transfers

ValDoc.AI is based in the United States, and many of our service providers operate from the United States. The data we collect is processed in the United States and in the regions where our service providers operate. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and other countries.

Where applicable law requires safeguards for international transfers, we rely on our agreements with customers and service providers and other lawful transfer mechanisms available under applicable law.

12. Children

ValDoc.AI is a business-to-business service intended for use by professionals in regulated industries. The Service is not directed to children, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided personal information to us, please contact us so we can take appropriate action.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, provide additional notice through the Service or by email.

14. Contact us

If you have questions about this Privacy Policy or about how we handle your information, contact us at:

Email: support@valdoc.ai