Privacy Policy
Last updated: January 8, 2026
This privacy policy explains how Paperarchive collects, uses, and protects your personal data when you use our document management service. We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR) and applicable German data protection laws.
Data Controller
The data controller responsible for your personal data is:
Marcel Klein
Auf der Weide 3
58840 Plettenberg
Germany
[email protected]
Categories of Personal Data
We collect and process the following categories of personal data:
- Account Data: Name, email address, and encrypted password that you provide during registration.
- Document Data: The documents you upload, including their content, metadata, and any extracted text.
- Payment Data: Billing information processed by Stripe; we do not store your full credit card details.
- Usage Data: Information about how you interact with our service, including features used and actions taken.
- Technical Data: IP address, browser type, device information, and access times collected automatically.
- Communication Data: Messages and correspondence when you contact our support team.
Legal Bases for Processing
We process your personal data based on the following legal grounds under GDPR Article 6:
- Contract Performance (Art. 6(1)(b)): Processing necessary to provide you with our document management service, including storing, organizing, and retrieving your documents.
- Consent (Art. 6(1)(a)): For analytics cookies and optional features where we ask for your explicit consent. You may withdraw consent at any time.
- Legitimate Interests (Art. 6(1)(f)): For improving our service, ensuring security, preventing fraud, and communicating service updates.
- Legal Obligation (Art. 6(1)(c)): For compliance with tax laws, accounting requirements, and responding to lawful requests from authorities.
How We Use Your Data
We use your personal data to: provide and maintain the Paperarchive service; process your documents using OCR and AI features; communicate with you about your account and service updates; ensure security and prevent unauthorized access; comply with legal obligations; and improve our service based on aggregated usage patterns. We do not sell your data or use it for advertising purposes.
Third-Party Service Providers
We work with the following third-party processors to deliver our service:
- Supabase (EU Region): Provides user authentication, database storage, and serverless functions. Your data is stored in EU data centers.
- Google Cloud Vision API (EU Region): Operated by Google Cloud Ireland Ltd. for extracting text from images and PDFs. Document OCR processing occurs exclusively within EU data centers. No data leaves the European Union and no information is retained after processing.
- OpenAI (USA with DPA): Provides AI-powered features including document summarization and smart tagging. We have a Data Processing Agreement in place. Document content is processed but not used to train AI models.
- Stripe (EU/USA): Handles payment processing securely. Stripe is certified PCI DSS Level 1 and processes payments in compliance with GDPR.
- DataFa.st Analytics: For website analytics and visitor tracking. DataFa.st collects cookies and IP addresses to understand how visitors use our website. Data is processed in accordance with GDPR. You can opt out via our cookie consent banner.
All third-party providers process data on our behalf under Data Processing Agreements (DPAs) that ensure GDPR-compliant handling of your personal data.
International Data Transfers
Most of your data is processed within the European Union. For AI features provided by OpenAI (based in the USA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and a Data Processing Agreement to ensure adequate protection of your data. Stripe processes payment data in accordance with GDPR requirements and maintains appropriate safeguards for any transfers outside the EU.
Automated Decision-Making and AI Processing
Paperarchive uses artificial intelligence to automatically categorize your documents, extract text via OCR, generate summaries, and suggest tags. These automated processes help organize your documents but do not make decisions that have legal or similarly significant effects on you. You can manually edit or override any AI-generated categorization, summary, or tag. The AI does not make decisions about your access to the service or any contractual matters.
Content Moderation
To comply with applicable laws and maintain a safe service, all uploaded documents are automatically scanned using Google Vision API's SafeSearch detection. This analysis checks for the following categories of potentially sensitive or prohibited content:
- Adult content (explicit or pornographic material)
- Violent content (graphic depictions of violence)
- Racy content (suggestive but not explicit material)
- Spoof content (potentially misleading or deceptive material)
If content in any of these categories is detected above our threshold, the uploaded document will be automatically deleted and you will be notified by email. This automated moderation is performed for legal compliance and to protect all users of our service. The content analysis occurs during the initial upload process, and no flagged content is retained on our servers.
Data Retention
We retain your personal data for the following periods:
- Documents: Stored until you delete them. Deletion is immediate and permanent; we do not maintain recoverable backups of individual deleted documents.
- Account Data: Retained while your account is active. After account deletion, data is removed within 30 days, except where retention is required by law.
- Payment Records: Retained for 10 years as required by German commercial and tax law (HGB § 257, AO § 147).
- Server Logs: Technical logs are retained for up to 90 days for security and debugging purposes, then automatically deleted.
Data Security
We implement appropriate technical and organizational measures to protect your personal data, including: encryption of data in transit using TLS 1.3; encryption of stored documents; secure authentication with password hashing; regular security monitoring; access controls limiting who can access your data; and hosting in ISO 27001-certified data centers within the EU.
Your Rights Under GDPR
As a data subject in the European Union, you have the following rights:
- Right of Access (Art. 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Right to Erasure (Art. 17): Request deletion of your personal data ('right to be forgotten').
- Right to Restriction (Art. 18): Request that we limit the processing of your personal data.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format and transfer it to another service.
- Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent (Art. 7): Withdraw consent at any time for processing based on consent, without affecting prior processing.
- Right to Lodge a Complaint (Art. 77): File a complaint with a supervisory authority. The competent authority for Germany is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW).
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month as required by GDPR.
Cookies and Tracking Technologies
We use the following types of cookies:
- Strictly Necessary Cookies: Essential for the website to function, including authentication and security cookies. These cannot be disabled.
- Analytics Cookies (DataFa.st): Help us understand how visitors use our website. These are only set if you provide consent via our cookie banner.
You can manage your cookie preferences through our cookie consent banner or your browser settings. Note that disabling necessary cookies may prevent the service from functioning properly.
Children's Privacy
Paperarchive is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately so we can delete such information.
Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting the updated policy on our website with a new 'Last updated' date and, where appropriate, by email. We encourage you to review this policy periodically.
Contact Us
If you have questions about this privacy policy or wish to exercise your data protection rights, please contact us: