Legal

Privacy Policy

Effective Date: 7 May 2026 · Last updated: 7 May 2026

At DocuValut, we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, store and share your personal data when you access our platform. By using DocuValut, you agree to the practices described in this policy. Please also review our Terms of Use.

1. Scope of This Privacy Policy

This Privacy Policy applies to DocuValut's clients — individuals or entities that have subscribed to our services and agreed to the applicable Terms of Use ("Customers") — and to individuals who have gained access through those Customers (typically employees).

If you access DocuValut as an employee of one of our Customers, we recommend you also consult with your employer regarding the processing of your data, as your employer acts as the data controller for the information they upload about you.

2. Data We Collect

2.1 Data Our Customers Upload

Customers use DocuValut to store and manage their organisation's HR data ("Customer Data"). From a GDPR perspective, we act as the Processor and the Customer acts as the Controller. Customer Data may include:

Employee full name, email address, and mobile phone number
Employee ID, job title, department, and nationality
Passport number and expiry date
Iqama (residence permit) number and expiry date
Employment contracts, offer letters, and HR documents
Payslip data including salary, allowances, deductions, and net pay
Contract start and expiry dates

We do not own, control or direct the use of Customer Data. As the Customer (Controller), you are responsible for informing your employees about the processing of their data and obtaining any required consents.

2.2 Data We Collect Automatically

Cookies — We use strictly necessary cookies to operate the DocuValutportal. These include authentication session cookies that keep you securely logged in, and security cookies that distinguish human users from automated bots. DocuValut does not use advertising cookies, Google Analytics, Facebook Pixel, or any cross-site tracking technology.

Server Logs — Our servers automatically record standard log information including your IP address, browser type, browser language, the date and time of your request, and session identifiers. This helps us diagnose issues, detect abuse and maintain service security.

Usage Data — We collect aggregated, anonymised information about how the platform is used (e.g. feature usage patterns, page views) to improve the service. This data cannot be used to identify you personally.

Disabling authentication cookies will prevent you from logging in to the portal. No other cookies are required to use DocuValut.

3. How We Use Your Information

DocuValut will not review, share, distribute or reference any Customer Data except:

As required to deliver the services described in our Terms of Use.
To resolve technical problems or support issues, and only with Customer consent.
To respond to suspected violations of the Terms of Use.
As required by applicable law or competent authority.

We may use your contact information (email) to send you service-related notifications — for example, to notify you that a payslip is available, a document has been shared, or a Help Desk ticket has been updated.

We may use anonymised, aggregated data to improve the platform, develop new features, and understand usage trends. We may share such aggregated insights — which cannot identify any individual — with current or prospective business partners.

4. Legal Basis for Processing

Where applicable data protection law requires a lawful basis for processing, we rely on the following:

Contract performance — Processing necessary to deliver the services agreed in our Terms of Use.
Legitimate interests — Security monitoring, fraud prevention, abuse detection and service improvement.
Legal obligation — Compliance with applicable laws and regulatory requirements.
Consent — Where you have provided explicit, freely given consent (e.g. optional communications).

For Customer Data specifically, we process that data on behalf of our Customers (the Controllers), who determine the lawful basis applicable to their employees' data.

5. Data Security

We take data security seriously and implement robust technical and organisational measures to protect personal data. Our security practices include:

Encryption in transit: All data is protected using TLS/HTTPS with server authentication.
Encryption at rest: All stored data is encrypted using AES-256.
Access control: Role-based access permissions ensure users only access data they are authorised to see.
Bot protection: Cloudflare Turnstile on all sensitive entry points prevents automated attacks.
Brute-force guard: Automatic CAPTCHA challenge after repeated failed login attempts.
Auto-logout: Sessions expire automatically after periods of inactivity.
Audit logs: All administrative actions are logged with timestamps and user details.
Secure infrastructure: Hosted on SOC 2-compliant infrastructure with firewall protection.
Periodic assessments: Regular security reviews and vulnerability assessments.

In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected parties and relevant supervisory authorities as required by applicable law.

6. Information Sharing & Sub-Processors

DocuValut shares Customer Data only in the following limited circumstances:

6.1 Sub-Processors

We engage trusted third-party service providers ("sub-processors") to operate the platform. Each sub-processor is contractually bound to process data only per our instructions and in compliance with this Privacy Policy. Our current sub-processors are:

SupabaseDatabase, authentication & file storagePrivacy Policy ↗

ResendTransactional email deliveryPrivacy Policy ↗

CloudflareBot protection & security (Turnstile)Privacy Policy ↗

VercelApplication hosting & deploymentPrivacy Policy ↗

6.2 Legal Requirements

We may disclose data if we have a good-faith belief that disclosure is necessary to: satisfy applicable law or enforceable governmental request; enforce our Terms of Use; detect, prevent or address fraud or security issues; or protect the rights, property or safety of DocuValut, our users, or the public.

6.3 Business Transfers

In the event of a merger, acquisition or sale of assets, Customer Data may be transferred as part of that transaction. We will notify Customers before their data is transferred and becomes subject to a different privacy policy.

We do not sell, rent or trade personal data. DocuValut does not share personal information with third parties for advertising, marketing or any commercial purpose.

7. Your Rights

Depending on your location, you may have the following rights over your personal data. Requests relating to Customer Data will be directed to your employer (the Controller); requests relating to data we hold about you directly should be sent to us.

Right of Access — Request a copy of the personal data we hold about you.
Right to Rectification — Request correction of inaccurate or incomplete data.
Right to Erasure — Request deletion of your data where no legitimate basis for retention exists.
Right to Restriction — Request that we restrict processing in certain circumstances.
Right to Data Portability — Receive your data in a machine-readable format.
Right to Object — Object to processing based on legitimate interests.
Right to Withdraw Consent — Withdraw consent at any time for consent-based processing.
Right to Complain — Lodge a complaint with your national Data Protection Authority (e.g. ICO in the UK).

To exercise any of these rights, email us at info@docuvalut.com. We will respond within 30 days (extendable by 60 days for complex requests).

8. Data Retention

Customer Data is retained for as long as the Customer maintains an active subscription. Following expiry or termination of a subscription, data is retained for 90 days, after which it is permanently and securely deleted unless:

The Customer has outstanding obligations under the Terms of Use.
Retention is required to comply with legal obligations.
Data is needed to resolve an active dispute or enforce our agreements.

Automatically collected technical data (server logs, analytics) is retained for a maximum of 12 months, after which it is deleted or fully anonymised.

9. International Data Transfers

Your data may be processed and stored on servers located outside your country. Where data is transferred internationally, we apply appropriate safeguards in accordance with applicable law, including Standard Contractual Clauses (SCCs) approved by the European Commission and contractual obligations with our sub-processors.

10. Third-Party Links

DocuValut may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies before providing any personal information.

11. Children's Privacy

DocuValut is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor's data has been submitted to the platform, contact us immediately at info@docuvalut.com and we will take prompt steps to delete it.

12. Changes to This Policy

We may update this Privacy Policy at any time. When we make material changes we will:

Update the Effective Date at the top of this page.
Notify Admins via email or in-platform notification at least 14 days in advance.
Where required by law, seek fresh consent for significant changes.

Continued use of DocuValut after the effective date of any revision constitutes acceptance of the updated Privacy Policy.

13. How to Contact Us

If you have questions, complaints or requests regarding this Privacy Policy or your personal data, please contact us:

DocuValut— Privacy & Data Protection

Websitewww.docuvalut.com

Emailinfo@docuvalut.com

✓ GDPR Compliant✓ UK GDPR✓ CCPA Aware✓ Data Encrypted✓ No Data Selling✓ No Ad Tracking