Privacy Policy

Effective date: February 20, 2026

1. Information We Collect

We collect the following types of information:

• Account information: Name, email address, and organization name provided during registration.
• Billing information: When you subscribe or purchase credits, payment details are collected directly by Stripe. We receive and store limited billing information such as card brand, last four digits, expiration date, and billing history. We do not store full card numbers.
• Uploaded documents: Files uploaded by document recipients through the upload portal.
• Usage data: IP addresses, browser user agent, and session information collected automatically when you use the Service. We also record your IP address and user agent when you accept our Terms of Service, Privacy Policy, or Business Associate Agreement.
• Support data: Information provided when you contact support, including message content and attachments.

2. How We Process and Store Data

Your data is processed and stored in the United States using industry-standard security practices. If you access the Service from outside the United States, you understand and consent to the transfer of your personal information to the United States, where data protection laws may differ from those in your jurisdiction.

• All data in transit is encrypted via TLS.
• Uploaded documents are stored in encrypted object storage.
• Authentication uses WebAuthn/passkeys — no passwords are stored.
• Sessions are managed with cryptographically secure tokens.

3. Third-Party Services

We use the following third-party services to operate the platform:

• Vultr: For application hosting and database infrastructure. Your account data, session data, and request metadata are stored on Vultr's servers in the United States.
• Amazon Web Services (AWS): For secure document storage (S3) and transactional email delivery (SES).
• Flowroute: For SMS delivery (upload links and notifications sent to phone numbers).
• Stripe: For payment processing. We do not store your full card number. Stripe receives your payment details directly and provides us with limited information such as card brand, last four digits, and expiration date. See Stripe's Privacy Policy.

These providers process data on our behalf and are bound by their own privacy and security commitments.

AI platform integrations: You may authorize third-party AI platforms (such as Claude, ChatGPT, or other AI assistants) to access your SendMeDocs account through our API and OAuth integrations. When you do, the connected platform may access your request data, recipient names, file metadata, and other account information within the scope of permissions you grant. SendMeDocs does not control how these platforms process your data once received. Your use of AI platform integrations is governed by those platforms' own privacy policies, and you are responsible for reviewing them before connecting.

4. Data Retention and Deletion

We retain your data only as long as necessary to provide the Service:

• Uploaded documents are automatically deleted based on your plan's retention period (7 or 30 days after a request is completed). Enterprise plans may have custom retention settings.
• Expired requests and their associated files are subject to periodic cleanup.
• Account data is retained until you request deletion or your account is terminated.
• Policy and BAA acceptance records (including IP address and user agent at time of acceptance) are retained indefinitely for legal compliance.

5. Content Scanning and Reporting Obligations

SendMeDocs may scan uploaded content for prohibited material, including child sexual abuse material (CSAM). In compliance with applicable law, we will report any detected CSAM to the National Center for Missing & Exploited Children (NCMEC) and cooperate with law enforcement investigations. Such reports may include user data and uploaded content as required by law.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate personal data.
• Deletion: Request deletion of your personal data, subject to legal retention requirements.
• Portability: Request your data in a portable format.
• Object: Object to our processing of your personal data in certain circumstances.
• Restrict: Request that we limit the processing of your personal data in certain circumstances.

To exercise these rights, contact us through the in-app support system or by email at [email protected].

7. Cookies and Sessions

We use a single HTTP-only session cookie to maintain your authenticated session. We do not use tracking cookies, third-party analytics, or advertising cookies. We do not respond to Do Not Track (DNT) or Global Privacy Control (GPC) signals because we do not engage in the tracking activities these signals are designed to prevent.

8. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users without undue delay, in accordance with applicable data protection laws. If you have a Business Associate Agreement with us, breach notification for Protected Health Information follows the timelines specified in that agreement.

9. US State Privacy Rights

If you are a resident of California, Texas, or another US state with applicable privacy legislation:

• We do not sell your personal information and have not sold personal information in the preceding 12 months.
• We do not share your personal information for cross-context behavioral advertising or targeted advertising.
• We do not use or disclose sensitive personal information for purposes other than providing the Service.
• Because we do not sell or share personal information, we do not offer a "Do Not Sell or Share My Personal Information" opt-out mechanism.

You may exercise your rights under applicable state privacy laws (including the California Consumer Privacy Act and the Texas Data Privacy and Security Act) by contacting us through the in-app support system or by email at [email protected]. We will not discriminate against you for exercising your privacy rights.

10. Business Transfers

If SendMeDocs LLC is involved in a merger, acquisition, bankruptcy, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you via email of any change in ownership or use of your personal information, as well as any choices you may have regarding your information.

11. Children's Privacy

The Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will notify you via email and require re-acceptance before continued use of the Service. The updated policy will indicate the new effective date.

13. Contact

If you have questions about this Privacy Policy, please contact us through the in-app support system or by email at [email protected].