Privacy Policy

Effective Date: April 1, 2026

DocsKing ("we," "us," or "our") operates the DocsKing document management and collaboration platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. We are committed to protecting your privacy and ensuring you understand how your data is handled.

DocsKing supports bring-your-own-storage, meaning you can choose where your files are stored by connecting your own storage provider (AWS S3, Cloudflare R2, Azure Blob, Dropbox, or Google Drive). This policy covers the data practices of the DocsKing hosted service at docsking.com. Organizations that self-host the DocsKing platform under a self-hosted license are governed by their own privacy policies.

Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address — used for authentication, password setup, notifications, and workspace invitations
  • Display name — your chosen name visible to other workspace members
  • Password — securely hashed using Argon2id (we never store plaintext passwords)
  • Avatar — an optional profile image you upload
  • Preferred locale — your language preference (English, German, or Italian)

1.2 Authentication and Security Data

To protect your account and provide security features, we collect and store:

  • Refresh tokens — stored in secure, httpOnly cookies to maintain your session
  • Trusted devices — device identifiers you have explicitly trusted for MFA
  • Passkeys — WebAuthn credentials if you choose to register a passkey
  • MFA secrets — TOTP secrets if you enable multi-factor authentication
  • Login history — timestamps, IP addresses, and device information for security monitoring

1.3 Document and Workspace Data

When you use the Service, you create and store:

  • Workspaces — workspace names, codes, settings, and storage configurations
  • Documents — document titles, rich text content, custom field values, tags, and associated files
  • Sharing information — records of who documents are shared with and at what permission level
  • Audit logs — a complete trail of document actions (creation, edits, sharing changes, file uploads) for compliance and accountability

1.4 Usage Data

We automatically collect certain information when you access the Service:

  • Request logs — HTTP method, URL path, response status code, and elapsed time
  • IP address — used for rate limiting and security (forwarded headers from Cloudflare)
  • Correlation IDs — unique request identifiers for debugging and support

We do not use third-party analytics services, tracking pixels, or behavioral advertising technologies.

1.5 Payment Information

If you subscribe to a paid plan, payment processing is handled by Stripe. We do not store your credit card number, CVV, or full payment details on our servers. Stripe may collect information as described in their Privacy Policy.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide and maintain the Service — authenticate you, manage your workspaces and documents, and deliver core functionality
  • Account security — enforce multi-factor authentication, manage trusted devices, detect and prevent unauthorized access
  • Communications — send password setup emails, workspace invitations, and essential service notifications
  • Audit and compliance — maintain document audit trails for accountability and regulatory requirements
  • Rate limiting and abuse prevention — protect the Service from misuse using IP-based rate limits
  • Debugging and support — diagnose technical issues using correlation IDs and application logs
  • Improve the Service — understand usage patterns to enhance features and performance

We will never use your documents, files, or workspace content for advertising, AI training, or any purpose other than providing the Service to you.

3. Data Storage and Security

3.1 Platform and Data Storage

When using the hosted service at docsking.com, application data (accounts, metadata) is stored on infrastructure we control. However, you can choose where your document files are stored by configuring a bring-your-own-storage provider per workspace. Organizations with a self-hosted license run the entire DocsKing platform on their own infrastructure and are solely responsible for data security and compliance.

3.2 Database and Storage

  • Application data is stored in Microsoft SQL Server (MSSQL)
  • Document files can be stored in the platform database or in your chosen external storage provider (Cloudflare R2, AWS S3, Azure Blob Storage, Dropbox, or Google Drive), configured per workspace
  • Each workspace can be configured independently with its own storage provider, giving you granular control over where files reside

3.3 Security Measures

We implement the following technical measures to protect your data:

  • Password hashing — All passwords are hashed using Argon2id, a memory-hard algorithm recognized as the current best practice for password hashing
  • HTTPS encryption — All data in transit is encrypted via TLS/HTTPS
  • Secure cookies — Authentication cookies use httpOnly, Secure, and SameSite=Strict flags
  • JWT access tokens — Short-lived tokens stored only in memory (not persisted to localStorage or cookies)
  • Rate limiting — Authentication endpoints are limited to 10 requests per minute; API endpoints to 100 requests per minute
  • Security headers — X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and Content Security Policy
  • Content sanitization — User-generated HTML is sanitized with DOMPurify to prevent XSS attacks
  • CORS restrictions — Cross-origin requests are restricted to authorized domains

4. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties. We share data only in the following limited circumstances:

4.1 Service Providers

  • Stripe — Payment processing for paid subscriptions. Stripe receives only the payment information necessary to process your transaction.
  • SMTP provider — We use a third-party SMTP service to deliver transactional emails (password setup, workspace invitations, welcome emails). The SMTP provider receives recipient email addresses and email content necessary for delivery.
  • Cloudflare — Reverse proxy and CDN services. Cloudflare processes request metadata (IP addresses, headers) as part of routing traffic to our servers.

4.2 External Storage Providers

If you configure a workspace to use an external storage provider (R2, S3, Azure, Dropbox, or Google Drive), your document files are transmitted to and stored by that provider according to their respective terms and privacy policies. You choose and control which provider to use.

4.3 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our Service before your information becomes subject to a different privacy policy.

5. Cookies and Local Storage

DocsKing uses a minimal cookie approach. We do not use advertising cookies, tracking cookies, or third-party analytics cookies.

5.1 Essential Cookies

Cookie Purpose Type Duration
Refresh Token Maintains your authenticated session and restores it on page refresh httpOnly, Secure, SameSite=Strict Session-based (expires with token lifetime)

5.2 Local Storage

We use browser local storage solely to persist your language preference (locale) across sessions. No personal data or authentication tokens are stored in local storage.

5.3 No Third-Party Cookies

We do not embed third-party scripts that set cookies. Our Content Security Policy restricts which external resources can be loaded.

6. Your Rights Under GDPR and Applicable Law

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with applicable data protection laws, you have the following rights regarding your personal data:

6.1 Right of Access

You have the right to request a copy of the personal data we hold about you. You can access most of your data directly through the Service (profile settings, documents, audit logs).

6.2 Right to Rectification

You have the right to correct inaccurate or incomplete personal data. You can update your display name, email, avatar, and language preference through your account settings at any time.

6.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data. To request account deletion, contact us at [email protected]. Upon deletion:

  • Your user account and profile information will be permanently removed
  • Your workspace memberships will be revoked
  • Documents you created in workspaces you own may be affected — we will work with you to transfer ownership or delete them as appropriate
  • Audit log entries will be anonymized to maintain the integrity of the audit trail for other workspace members

6.4 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format. Contact us at [email protected] to request a data export.

6.5 Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data under certain circumstances, such as when you contest the accuracy of the data or object to our processing.

6.6 Right to Object

You have the right to object to processing of your personal data where we rely on legitimate interests as the legal basis. We will cease processing unless we demonstrate compelling legitimate grounds.

6.7 Right to Withdraw Consent

Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

6.8 Exercising Your Rights

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days. We may ask you to verify your identity before fulfilling your request.

7. Data Retention

We retain your data as follows:

  • Account data — Retained for as long as your account is active. Deleted upon account deletion request.
  • Documents and files — Retained until you or a workspace administrator deletes them. Soft-deleted documents may be restored within the retention period before permanent deletion.
  • Audit logs — Retained for the lifetime of the workspace for compliance and accountability purposes.
  • Login history — Retained for security monitoring purposes and purged periodically.
  • Application logs — Server-side request and error logs are retained for debugging and are purged periodically.
  • Email logs — Records of sent emails are retained for administrative monitoring and troubleshooting.
  • Refresh tokens — Automatically expired and purged based on their configured lifetime.

8. Children's Privacy

DocsKing is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided us with personal data, we will take steps to delete that information promptly. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected].

9. International Data Transfers

If you access the hosted DocsKing service from outside the country where our servers are located, your information may be transferred across international borders. We ensure appropriate safeguards are in place for such transfers in compliance with applicable data protection laws.

By using bring-your-own-storage, you control the geographic location of your document files by choosing which storage provider and region to use. For organizations with a self-hosted license, you also control where the application and database reside, giving full control over data residency requirements.

10. Third-Party Services

Our Service integrates with or relies on the following third-party services. Each has its own privacy policy governing its data practices:

We are not responsible for the privacy practices of these third-party services. We encourage you to review their privacy policies.

11. Legal Basis for Processing (GDPR)

If you are in the EEA or UK, we process your personal data on the following legal bases:

  • Performance of a contract — Processing necessary to provide the Service you signed up for (account management, document storage, workspace functionality)
  • Legitimate interests — Processing necessary for our legitimate interests that do not override your rights (security monitoring, fraud prevention, service improvement, debugging)
  • Legal obligation — Processing necessary to comply with legal requirements
  • Consent — Where you have given explicit consent (e.g., optional features, marketing communications if ever offered)

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes:

  • We will update the "Effective Date" at the top of this page
  • We will post the updated policy on this page
  • For significant changes, we may notify you via email or through a notice within the Service

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

13. Data Protection Officer

If you have questions or concerns about our data practices, or wish to exercise your data protection rights, you may contact us:

If you are located in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.

14. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know — You can request details about the categories and specific pieces of personal information we have collected about you
  • Right to delete — You can request that we delete personal information we have collected from you
  • Right to opt out of sale — We do not sell personal information. There is no need to opt out.
  • Right to non-discrimination — We will not discriminate against you for exercising your CCPA rights

To exercise your CCPA rights, contact us at [email protected].

15. Contact Us

If you have any questions about this Privacy Policy, your data, or our privacy practices, please contact us: