Doctriever

Working draft — under legal review.

This document is a good-faith working draft. Final binding terms will be published before paid plans launch. If anything here is material to your decision to use Doctriever, please email hello@doctriever.com and we'll confirm in writing.

Legal

GDPR

How Doctriever meets EU and UK data protection requirements, what your rights are, and where to read the supporting documents.

Last updated: 4 May 2026

1. The short version

Doctriever is built so accounting firms in the EU, the UK, and beyond can use it without taking on additional GDPR risk. Documents and metadata are stored in secure regional data centres with per-firm tenant isolation. EU residency is the default. We sign a standard Data Processing Agreement (DPA) on request.

2. Roles under GDPR

  • You (the accounting firm) are the data controller for the documents and metadata you collect about your own clients through Doctriever. You decide what to collect, why, and for how long.
  • Doctriever is the data processor for that data. We process it only on your documented instructions.
  • For your own staff accounts (the accountant signing in, their email and session), Doctriever is the data controller. See the Privacy Policy for the lawful basis and retention details.

3. Data Processing Agreement (DPA)

Firms processing personal data through Doctriever should sign a DPA with us before going live. We will sign our standard DPA, which includes the EU Standard Contractual Clauses for international transfers where relevant. To request the DPA, email hello@doctriever.com with your firm name and the country you operate in.

4. Subprocessors

We use a small number of vendors to operate the service, each contractually bound to security and privacy commitments at least as protective as ours. The current list is in the Privacy Policy (section 6). We will notify firms on paid plans before adding new subprocessors that materially affect personal data handling.

5. International transfers

Where personal data leaves the European Economic Area (EEA), we rely on the European Commission's Standard Contractual Clauses and any supplementary measures the relevant subprocessor offers (such as EU-US Data Privacy Framework certification, where applicable). EU residency for document storage is the default; firms with stricter requirements can request EU-only routing in writing.

6. AI processing and Article 22

Doctriever uses AI to suggestfield extractions and reminder drafts. The accountant reviews and approves every output before it is sent, posted, or filed. There is no fully automated decision-making with legal or similarly significant effects on the firm's clients. Customer documents are not used to train third-party models.

7. Data subject rights

Individuals (including the firm's clients) have rights under GDPR to:

  • Request access to their personal data;
  • Request correction of inaccurate data;
  • Request erasure (“right to be forgotten”) in qualifying circumstances;
  • Request restriction of processing;
  • Object to processing based on legitimate interest;
  • Receive their data in a portable format;
  • Withdraw consent where processing was consent-based;
  • Lodge a complaint with their national supervisory authority.

For data we process on behalf of an accounting firm, requests should be directed to the firm. We will assist the firm in fulfilling requests within the timelines GDPR requires. For data we control directly (your firm account), email hello@doctriever.com.

8. Security measures

  • TLS 1.3 in transit; AES-256 at rest by the underlying storage provider.
  • Per-firm tenant isolation in the database and storage layer.
  • Magic-link upload pages that expire after use.
  • HMAC-signed inbound webhook validation.
  • IP-based rate limiting on signup, waitlist, and authentication endpoints.
  • Audit logs on document access and override events.
  • Working towards [SOC 2 Type I — target H2 2026]; happy to share progress with pilot firms on request.

9. Breach notification

If we become aware of a personal data breach affecting your data, we will notify your firm's primary contact without undue delay and provide the information you need to comply with your own GDPR obligations (including the 72-hour authority notification under Article 33).

10. Retention and deletion

Retention follows what the firm configures and the schedule in the Privacy Policy. On cancellation, firms have a 90-day window to request export and deletion. After that, residual data is removed from active systems; encrypted backup copies age out within a further [backup retention — 30 days].

11. Contact

For GDPR enquiries, DPA requests, or to escalate a privacy concern, email hello@doctriever.com.

Our DPO/privacy lead, once appointed, will be listed here: [DPO / privacy lead name and contact].

Privacy policyTerms of serviceGDPRRequest a DPA