Privacy Policy

1. Introduction

We, THEKROLL LTD, Akathiotis 2, 7000 Meneou, Cyprus, as the controller under the EU General Data Protection Regulation (GDPR) and Cyprus Data Protection Law, are committed to protecting your personal data. This Privacy Policy explains the type, scope and purpose of processing personal data within our online services and SaaS platform for invoice generation.

2. Controller and Data Protection Officer

THEKROLL LTD
Akathiotis 2, 7000 Meneou, Cyprus
Company Registration: HE 456413
E-Mail: info@docs101.com
Privacy Contact: privacy@docs101.com

3. Categories of Data Processed

  • Waitlist registration: E-mail address (required), optional details such as user type, country, intended use, notes. Legal basis: Consent (Art. 6(1)(a) GDPR).
  • User accounts and service provision: Name, company name, address, VAT ID, email address, phone number, invoice data, customer data entered by you. Legal basis: Contract performance (Art. 6(1)(b) GDPR), legal obligations (Art. 6(1)(c) GDPR).
  • Payment processing: Billing information, payment method details (processed by Stripe Inc.), transaction history. Legal basis: Contract performance (Art. 6(1)(b) GDPR).
  • Document validation: Uploaded PDF files are processed temporarily in memory for validation purposes and immediately deleted after processing - no permanent storage. Legal basis: Contract performance (Art. 6(1)(b) GDPR).
  • Support and communication: Email correspondence, support tickets, chat messages, feedback. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) or consent.
  • Usage and analytics data: Feature usage statistics, login times, user interactions (anonymized where possible). Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).
  • Technical data: IP address, browser type and version, operating system, referrer URL, session data, error logs. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).

4. Purposes of Processing

  • Provision of SaaS services (invoice generation, document validation, user account management).
  • Payment processing and billing management.
  • Customer support and communication (waitlist invitations, account notices, support requests).
  • Compliance with tax, accounting, and legal obligations (VAT validation, invoice archiving).
  • Security monitoring, fraud prevention and service optimization.
  • Service improvement through anonymized usage analytics.
  • Marketing communications (with consent only).

5. Legal Bases and Data Recipients

  • Consent (Art. 6(1)(a)): Marketing communications, optional analytics
  • Contract performance (Art. 6(1)(b)): Service provision, payment processing
  • Legal obligations (Art. 6(1)(c)): Tax compliance, invoice retention
  • Legitimate interests (Art. 6(1)(f)): Security, fraud prevention, service optimization

Data Processors and Recipients:

  • Stripe (EU customers): Stripe Technology Europe Limited (Ireland) for payment processing. Privacy Policy: stripe.com/privacy
  • Amazon Web Services (AWS SES): Email delivery service hosted in EU-Central (Frankfurt). Privacy Policy: aws.amazon.com/privacy
  • Authentication Provider: Keycloak (self-hosted in EU)
  • Hosting Provider: Germany-based hosting with GDPR compliance

All processors operate under Data Processing Agreements (DPA) ensuring GDPR compliance. Data is not sold or transferred to third parties for marketing purposes without your explicit consent.

6. Storage Period and Data Retention

  • Waitlist data: Until product launch + 2 years, or until withdrawal of consent
  • Invoice and accounting data: 10 years (Cyprus tax law requirements)
  • User account data: Duration of contract + 3 years for potential claims
  • Payment data: As per Stripe's retention policy and legal requirements
  • Support communications: 3 years after resolution
  • Technical logs: Maximum 12 months
  • Marketing consent: Until withdrawal or 3 years of inactivity

Data is deleted when no longer necessary for the stated purposes, unless longer retention is required by law. Erasure requests are honored where legally permissible.

7. Your Rights Under GDPR

  • Access (Art. 15): Request information about data we process
  • Rectification (Art. 16): Correct inaccurate or incomplete data
  • Erasure (Art. 17): Request deletion where legally possible
  • Restriction (Art. 18): Limit processing in certain circumstances
  • Data Portability (Art. 20): Receive your data in a structured format
  • Object (Art. 21): Object to processing based on legitimate interests
  • Withdraw Consent: For consent-based processing, with future effect

To exercise these rights, please contact us at privacy@docs101.com. We will respond within 30 days.

8. Data Security Measures

We implement appropriate technical and organizational measures including:

  • End-to-end encryption for data transmission (TLS/SSL)
  • Database encryption at rest
  • Two-factor authentication via Keycloak
  • Regular security updates and monitoring
  • Access controls and user permission management
  • EU-based hosting with GDPR-compliant infrastructure
  • Regular backups with encryption

9. International Data Transfers

Data is primarily processed within the EU/EEA by our processors:

  • Stripe: EU customers' payments processed by Stripe Technology Europe Limited (Ireland)
  • AWS SES: Email services in EU-Central (Frankfurt) region
  • Hosting: Germany-based infrastructure

Any transfers outside the EU/EEA (if applicable) occur only with:

  • European Commission adequacy decisions (Art. 45 GDPR), or
  • Appropriate safeguards such as Standard Contractual Clauses (Art. 46 GDPR)
  • Your explicit consent for specific transfers

10. Cookies and Tracking

Essential Cookies: Session management, authentication, security - no consent required.

Analytics Cookies: No analytics cookies are used.

You can manage cookie preferences through your browser settings. Disabling essential cookies may limit functionality.

11. Customer Data and Your Responsibilities

When using our SaaS platform, you may enter personal data of your customers into invoices. For such data, you act as a data controller and are responsible for:

  • Ensuring lawful basis for processing your customer data
  • Providing appropriate privacy notices to your customers
  • Implementing data subject rights for your customers
  • Ensuring data accuracy and currency

We act as your processor for customer data entered into our system and process it only according to your instructions.

12. Supervisory Authority and Complaints

You have the right to lodge a complaint with the competent supervisory authority:

Cyprus: Commissioner for Personal Data Protection
1 Iasonos Street, 1082 Nicosia, Cyprus
Email: commissioner@dataprotection.gov.cy
Website: dataprotection.gov.cy

13. Updates to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Significant changes will be communicated via email or platform notification. The current version is always available on our website.

Last updated: September 20, 2025

14. Contact Information

For questions about this Privacy Policy or data protection matters:
Email: privacy@docs101.com
General inquiries: info@docs101.com