Privacy Policy
Last updated: March 2026
1. Information We Collect
When you use ApprovaDoc, we collect:
- Account information: name, email address, and password
- Organization data: organization name and membership information
- Documents: PDFs and metadata you upload (document ID, title, version, effective date)
- Acknowledgment records: timestamp, IP address, user agent, and acknowledgment statement
- Quiz data: answers and scores for optional quizzes
- Usage data: audit log entries for actions taken within the Service
2. How We Use Your Data
We use collected data to:
- Provide and operate the Service
- Authenticate users and enforce access controls
- Generate training evidence records and audit trails
- Send assignment notifications and overdue reminders
- Process billing and manage subscriptions
- Improve the Service based on usage patterns
3. Data Storage and Security
Your data is stored on Supabase infrastructure hosted on Amazon Web Services (AWS). Data is encrypted at rest and in transit. PDF documents are stored in private storage buckets accessible only via time-limited signed URLs. We compute SHA-256 hashes of uploaded documents for integrity verification.
4. Data Retention
Acknowledgment records, quiz attempts, and audit log entries are stored as immutable records and retained indefinitely to maintain audit trail integrity. This is a core feature of the Service for regulatory purposes. Other data (documents, assignments, membership information) is retained for the duration of your subscription plus 30 days after termination.
5. Third-Party Services
We use the following third-party services to operate the Service:
- Supabase — authentication, database, and file storage
- Vercel — application hosting and deployment
- Resend — transactional email delivery
- Lemon Squeezy — payment processing and subscription management
Each provider has its own privacy policy and security practices.
6. Your Rights
You have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Export your data in standard formats (CSV, PDF)
- Request deletion of your account and non-immutable data
Please note that immutable audit records (acknowledgments, quiz attempts, audit log entries) cannot be deleted by design, as this would compromise the integrity of the training evidence trail. In cases where deletion is required by law, we can anonymize these records.
7. Cookies
We use essential cookies for authentication and session management. We do not use advertising or tracking cookies. We may use a cookie to remember UI preferences (such as onboarding dismissal).
8. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes via email or through the Service.
9. Contact
For privacy-related inquiries, please contact us through the Service or at the email address associated with your organization.