Privacy Policy
Last updated: 2026-06-14
This Privacy Policy explains how Document Bundler ("Document Bundler", "we", "us", "our") collects, uses, shares, and protects personal data when you visit our website, create an account, or use our document bundling service (the "Service"). It is written for the retained EU General Data Protection Regulation as it forms part of UK law (the "UK GDPR"), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 ("PECR").
We have written this notice in plain language and listed every third party and cookie we rely on, with a link to each one's own privacy policy, so you can see exactly where your data goes. If anything is unclear, email hello@documentbundler.com and we will help.
1. The short version
- We are a UK business-to-business tool that assembles, OCRs, and merges document collections into a single indexed PDF for legal, investigative, and compliance teams.
- For your account and billing data we are the controller. For the documents you upload we are your processor, acting on your instructions under our Data Processing Agreement.
- We do not sell your personal data, and we do not use your uploaded documents to train our own or any general AI model.
- We use a small, named set of service providers (hosting, payments, storage, optional AI, optional cloud import). Each is listed in section 9 with a link to its own policy.
- We use one strictly necessary cookie to keep you signed in. We run no analytics, advertising, or tracking cookies.
- You have rights over your data, including access, correction, erasure, and the right to complain to the Information Commissioner's Office.
2. Who we are and how to contact us
Document Bundler is the data controller for the account, billing, marketing, and usage data described in this notice. You can reach us at:
- Email: hello@documentbundler.com
- Postal address: available on request by email.
We have not appointed a statutory Data Protection Officer because we are not required to, but privacy questions are handled by our team at the address above. If you are outside the UK and your local law gives you the right to do so, you may also raise concerns with your own national data protection authority.
3. Our two roles: controller and processor
It matters which "hat" we are wearing, because it changes who decides how your data is used.
- Controller. When you sign up, pay, contact support, or simply browse, we decide why and how your personal data is used. This Privacy Policy governs that data.
- Processor. When you upload documents ("Customer Content"), you decide what goes in and why. We only store, OCR, index, merge, and (if you turn it on) run AI review over that content on your instructions. For Customer Content, our Data Processing Agreement applies, and the people whose data appears inside your documents are your data subjects, not ours.
4. The personal data we collect
| Category | Examples | Source |
|---|---|---|
| Account | Name, work email, password hash, account role, organisation, sign-in and last-seen timestamps | You, at sign-up and in settings |
| Authentication | If you use "Continue with Google", your Google account email, name, and a stable Google account identifier; otherwise a password hash and session records | You, or Google when you choose Google sign-in |
| Billing | Company name, billing address, VAT number, Stripe customer and subscription ids, invoice and receipt records, payment outcome (card details never reach us) | You, and Stripe |
| Customer Content | The documents you upload (PDF, Office, image, email), extracted and OCR text, page counts, metadata, and any AI review findings generated over them | You (we act as your processor for this) |
| Usage and technical | Pages and features used, job and error logs, IP address, browser and device type, approximate location derived from IP | Collected automatically as you use the Service |
| Support and communications | Emails, support requests, and the messages we send you (password resets, magic links, verification, billing notices) | You, and our email system |
We do not collect or store full card numbers. Payments are handled by Stripe, which sends us only a token and the billing details listed above. See section 9.
5. Special category and sensitive data
The documents you upload are under your control, and depending on your matter they may contain special category data (for example data about health, race, religion, political opinions, sexual life, or biometric data) and criminal offence data. We do not seek out or deliberately process this data for our own purposes; we process it only as your processor, to deliver the Service you asked for. As the controller of that content, you are responsible for having a lawful basis and, where required, an Article 9 or Article 10 condition for putting it into the Service. The categories and safeguards are set out in the Data Processing Agreement.
6. Why we use your data, and our lawful bases
| Purpose | Lawful basis (UK GDPR Article 6) |
|---|---|
| Create your account, authenticate you, and deliver the Service | Performance of a contract (Article 6(1)(b)) |
| Process the documents you upload (storage, OCR, indexing, merging) | Processing on your instructions as your processor; you hold the controller basis |
| Take payment, manage subscriptions, and issue invoices | Performance of a contract (Article 6(1)(b)) |
| Keep tax, accounting, and invoice records | Legal obligation (Article 6(1)(c)), to meet HMRC record-keeping duties |
| Secure the Service, prevent fraud and abuse, debug, and improve features | Legitimate interests (Article 6(1)(f)), balanced against your rights |
| Send service and transactional messages (resets, billing, security notices) | Performance of a contract, and legitimate interests |
| Turn on optional AI providers (review and chat features) | Consent (Article 6(1)(a)); you enable it and can withdraw at any time |
| Send optional marketing about features and offers, where permitted | Consent, or legitimate interests for existing customers under the PECR soft opt-in |
Where we rely on legitimate interests, you can ask us for our balancing assessment. Where we rely on consent, you can withdraw it at any time without affecting processing that happened before you withdrew.
7. Cookies and similar technologies
We keep cookies to an absolute minimum. The signed-in app uses a single strictly necessary cookie, and our public marketing site sets no cookies at all. We run no analytics, advertising, profiling, or cross-site tracking cookies, so no consent banner is required for what we set. We list everything here for transparency, in line with the ICO's guidance on cookies and similar technologies.
7.1 Cookies we set (first party)
| Cookie | Purpose | Type and flags | Lifetime |
|---|---|---|---|
| Session cookie (named PHPSESSID by default) | Keeps you signed in across pages and stores the anti-CSRF token and transient sign-in state. The Service does not work without it. | Strictly necessary, first party. Marked HttpOnly, Secure, and SameSite=Lax. | Cleared when you sign out, and otherwise expires after up to 2 hours of inactivity. |
Because this cookie is strictly necessary to deliver a service you have asked for, it is exempt from the PECR consent requirement. We also use the browser's local storage in a small way to remember interface preferences (for example which view you last had open); this is not shared with anyone.
7.2 Web fonts on the signed-in app
Our public marketing site serves its fonts from our own servers, so no third party is contacted. Inside the signed-in app we currently load a typeface from Google Fonts. When a font loads, Google receives the IP address and standard browser headers of the request. According to Google, the Google Fonts service does not set or log cookies. See the Google Fonts privacy information.
7.3 Third-party cookies during connected flows
If, and only if, you use certain features, you will be taken to a third party that sets its own cookies on its own domain, under its own policy. We do not control these cookies.
- Stripe sets fraud-prevention cookies (for example `__stripe_mid` and `__stripe_sid`) when you open checkout or the billing portal. See the Stripe cookie policy.
- Google sets account and session cookies on its domains when you choose "Continue with Google". See the Google cookies notice.
- Dropbox sets session cookies on its domain when you open the Dropbox importer to choose files. See the Dropbox cookies information.
You can block or delete cookies through your browser settings. Blocking the strictly necessary session cookie will stop you being able to sign in.
8. AI features and your data
AI review and AI chat are optional features for Pro accounts. They are off until you turn them on, and you can turn them back off at any time. We do not use your Customer Content to train our own or any general AI model.
- When you enable AI, the extracted text of your documents and the questions you ask are sent to an AI provider so it can generate the output. The result is advisory: it flags possible issues and answers questions, and it does not make any decision about you or anyone else.
- By default, AI runs on our platform provider, DeepSeek. Because DeepSeek is operated from China, which is not covered by a UK adequacy decision, we only send your content there after you have given explicit consent in the app, and we rely on that explicit consent as the transfer condition (UK GDPR Article 49(1)(a)).
- Alternatively, you can bring your own API key for OpenAI or Anthropic (Claude). In that case your content is sent to that provider under your own arrangement with them. OpenAI and Anthropic both state that they do not train their models on data submitted through their business and API products by default.
- Each provider's own policy governs what it does with the content you send it. Review the relevant policy in section 9 before enabling a provider. If you would rather no AI provider ever sees your documents, simply leave the AI features switched off.
9. The service providers and technology we use
We rely on the providers below to run the Service. Some of them process the documents you upload (and so are sub-processors under the Data Processing Agreement); others only touch account or billing data. We have linked each one's privacy policy and, where relevant, its data processing terms and cookie policy.
| Provider | What it does | Data involved | Legal links |
|---|---|---|---|
| Hostinger International Ltd (EU) | Cloud hosting for the application and database, and sending our account and transactional email over authenticated SMTP (Hostinger Mail). | All service data stored on our server, including account data and Customer Content, plus the content of the emails we send you. | Privacy, DPA |
| Stripe Payments UK Ltd and Stripe, Inc. (UK, EU, US) | Subscription billing, checkout, the billing portal, invoicing, and payment fraud prevention. We never receive your full card number. | Name, email, billing address, VAT number, a card token, and subscription and invoice records. Not your uploaded documents. | Privacy, DPA, Cookies |
| Amazon Web Services EMEA SARL (EU region) | Encrypted object storage for the documents you upload and the merged bundle PDFs we produce. | Customer Content (your documents and the bundles built from them). | Privacy, Data privacy FAQ |
| Google Ireland Ltd and Google LLC (EU, US) | Three separate features: "Continue with Google" sign-in; Google Cloud Document AI for OCR on some documents, where that tier is enabled; and Google Fonts, which serves the typeface in the signed-in app. | Sign-in: your Google email, name, and account id. Document AI: the page images we OCR. Fonts: your IP address and browser headers (no cookies). | Privacy, Cloud notice, Fonts |
| Dropbox International Unlimited Company (EU, US) | Optional import. If you connect Dropbox and pick files, we use the Dropbox chooser and API to fetch the files you select. Only used if you choose to. | Your Dropbox connection and the specific files you select to import. | Privacy, Business agreement, Cookies |
| Hangzhou DeepSeek Artificial Intelligence Co., Ltd. (China) | The default AI provider for the optional AI review and chat features, used only after you opt in. | The extracted text of your documents and the prompts you submit, when AI is enabled. | Privacy, Terms |
| OpenAI Ireland Ltd and OpenAI, L.L.C. (EU, US) | Optional AI provider you can enable with your own API key for AI review and chat. | The extracted text of your documents and your prompts, only if you enable OpenAI. | Privacy, Data use, Enterprise privacy |
| Anthropic PBC (Claude) (US) | Optional AI provider you can enable with your own API key for AI review and chat. | The extracted text of your documents and your prompts, only if you enable Anthropic. | Privacy, Commercial terms |
We will give at least 30 days' notice before adding or replacing any provider that processes Customer Content, so you have time to object. The current list of Customer Content sub-processors is also kept in the Data Processing Agreement.
10. Sharing and disclosure
We do not sell your personal data and we do not share it for anyone's advertising. We disclose personal data only in these situations:
- to the service providers in section 9, strictly to run the Service;
- to professional advisers (accountants, lawyers, insurers) where reasonably needed;
- to a buyer or successor if we sell or reorganise the business, in which case we will tell you and your data stays protected by terms at least as strict as these;
- where we are required by law, a court order, or a regulator, or to establish, exercise, or defend legal claims, or to protect the rights and safety of our users or the public.
11. International transfers
Some providers process data outside the UK. Where that happens, we make sure an approved transfer mechanism is in place:
- For transfers to providers in the United States and other countries (such as Stripe, AWS, Google, Dropbox, OpenAI, and Anthropic), we rely on UK adequacy regulations where they apply, and otherwise on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, together with each provider's own safeguards.
- For AI processing by DeepSeek in China, which has no UK adequacy decision, we transfer your content only on the basis of your explicit consent given in the app (Article 49(1)(a)). If you do not want this, do not enable the default AI provider; you can use your own OpenAI or Anthropic key instead, or leave AI off.
12. How long we keep data
- Customer Content (your documents and bundles): kept while your account is active, and deleted from active storage within 30 days of account closure, or sooner if you ask. Residual copies in encrypted backups are overwritten on the normal backup rotation (currently within 90 days).
- Account and usage records: kept for the life of your account, plus a short window of logs (around 90 days) for security and debugging.
- Invoices, receipts, and financial records: kept for 6 years from the end of the relevant tax year, as HMRC requires. When you ask us to erase your account, personal identifiers in these records are pseudonymised so we can meet the legal retention duty while honouring your erasure request as far as the law allows.
- Support correspondence: kept for as long as needed to resolve your query and a reasonable period afterwards.
13. How we protect your data
- Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 on object storage).
- Hardened web origins: a strict Content Security Policy with per-request nonces, HSTS, signed and HttpOnly session cookies, and CSRF protection on every state-changing request.
- Least-privilege access for our personnel, who are bound by confidentiality, with named-account audit trails.
- Daily backups with documented recovery procedures, and signed-payload validation on webhook integrations.
- Dependency and runtime vulnerability monitoring, with timely security updates.
No system is perfectly secure, but we work hard to protect your data and we will tell you and the regulator about any breach where the law requires it.
14. Your rights
Under the UK GDPR you have the right to:
- be informed about how we use your data (this notice);
- access the personal data we hold about you;
- have inaccurate or incomplete data corrected;
- have your data erased, subject to our legal record-keeping duties;
- restrict or object to certain processing, including processing based on legitimate interests and any direct marketing;
- data portability: receive the data you gave us in a structured, commonly used, machine-readable format;
- withdraw consent at any time where we rely on it (for example AI features);
- not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (we do not carry out such decision-making; AI output is advisory only).
To exercise any of these rights, email hello@documentbundler.com. We will respond within one month and will not charge a fee unless a request is manifestly unfounded or excessive. If your request concerns personal data inside documents you uploaded, we will usually direct it to the customer who controls that content.
If you are unhappy with how we have handled your data, you can complain to the Information Commissioner's Office at ico.org.uk or via ico.org.uk/make-a-complaint. We would appreciate the chance to resolve it first.
15. Marketing
We only send marketing email where you have agreed, or where you are an existing customer and we are telling you about similar features (the PECR soft opt-in). Every marketing email has a one-click unsubscribe, and you can opt out at any time by emailing us. Opting out of marketing does not stop the service and billing messages we must send to run your account.
16. Children
The Service is a business tool intended for users aged 18 and over. It is not directed at children, and we do not knowingly collect personal data from children through the account sign-up flow. If you believe a child has created an account, contact us and we will remove it.
17. Changes to this policy
We will update this page when our practices change, and we will revise the "last updated" date at the top. For material changes we will give notice by email or through the dashboard before they take effect. Please check back from time to time.
18. Contact
Questions, requests, or complaints about privacy: hello@documentbundler.com. Related documents: the Terms of Service, the Data Processing Agreement, and the Refund Policy.