Data Privacy
How Document Stack handles, stores, and protects your data and your customers' information.
Privacy Principles
- Data minimization — We only collect and store data necessary for the service to function
- Purpose limitation — Your data is used only for document generation and service operation
- Transparency — We are clear about what data we collect and how we use it
- User control — You can export or delete your data at any time
What We Store
| Data Type | Stored? | Purpose | Retention |
|---|---|---|---|
| Account info (email, name) | Yes | Authentication | Until account deletion |
| Organization data | Yes | Multi-tenancy | Until org deletion |
| Templates | Yes | Template editing & generation | Until deleted by user |
| API request data | Temporary | PDF generation | Purged after generation |
| Generated PDFs | Temporary | Download delivery | Purged after download window |
| API logs | Yes | Usage tracking & debugging | 90 days |
| Payment info | No | Handled by payment processor | N/A |
Data in Transit
The data you send in API requests (customer names, addresses, etc.) is used only to generate the PDF and is not permanently stored. It passes through memory during generation and is discarded afterward.
GDPR Compliance
Document Stack supports GDPR requirements:
- Right to access — Export all your data from account settings
- Right to erasure — Delete your account and all associated data
- Right to portability — Download templates and data in standard formats
- Data processing agreement — Available for enterprise customers
- EU data residency — Available on enterprise plans
Sub-Processors
We use a limited number of sub-processors:
| Service | Purpose | Data Shared |
|---|---|---|
| Cloud hosting provider | Infrastructure | All service data (encrypted) |
| Email service | Transactional emails | Email address only |
| Payment processor | Billing | Payment details (not stored by us) |
| Error tracking | Bug detection | Technical logs (no user content) |
Cookies
- Session cookie — Required for authentication. HttpOnly, Secure, SameSite.
- Preference cookies — Theme, language. Local storage only.
- No tracking cookies — We don't use advertising or third-party tracking cookies.
Data Location
By default, data is processed and stored in the United States. Enterprise plans can specify data residency requirements for EU, APAC, or other regions.
Data Deletion
- Delete a template — Immediately removed from the database
- Delete a project — Project and all templates within it are removed
- Delete your account — All personal data, organizations (if sole owner), and templates are permanently deleted within 30 days
- Leave an organization — Your access is revoked; shared data remains with the organization
Deletion Is Permanent
Deleted data cannot be recovered. Make sure to export important templates before deleting projects or accounts.
Next Steps
- Security Overview — Infrastructure and encryption
- API Key Security — Protect your API keys
- Data Retention — Detailed retention policies