Privacy Policy
Last updated: March 2026
1. Information We Collect
When you use ApprovaDoc, we collect:
- Account information: name, email address, and password
- Organization data: organization name and membership information
- Documents: PDFs and metadata you upload (document ID, title, version, effective date)
- Acknowledgment records: timestamp, IP address, user agent, and acknowledgment statement
- Quiz data: answers and scores for optional quizzes
- Usage data: audit log entries for actions taken within the Service
- E-signature records: signature meaning, re-authentication timestamp, and cryptographic binding (available on eligible plans)
2. How We Use Your Data
We use collected data to:
- Provide and operate the Service
- Authenticate users and enforce access controls
- Generate training evidence records and audit trails
- Send assignment notifications and overdue reminders
- Process billing and manage subscriptions
- Improve the Service based on usage patterns
3. Your Data Is Your Data
We maintain strict privacy over your content. ApprovaDoc staff do not access, view, or analyze your documents, training records, acknowledgments, or any other content you upload to the Service. Your data is processed solely by automated systems to provide the Service to you.
We will never sell, rent, or share your content with third parties for marketing, analytics, or any purpose unrelated to operating the Service. We do not use your data to train machine learning models or for any purpose beyond what is described in this policy.
4. Data Storage and Security
Your data is stored on Supabase infrastructure hosted on Amazon Web Services (AWS) in the European Union (Frankfurt). Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). PDF documents are stored in private storage buckets accessible only via time-limited signed URLs. We compute SHA-256 hashes of uploaded documents for integrity verification.
5. Data Retention
Acknowledgment records, quiz attempts, and audit log entries are stored as immutable records and retained indefinitely to maintain audit trail integrity. This is a core feature of the Service for regulatory purposes. Other data (documents, assignments, membership information) is retained for the duration of your subscription plus 90 days after termination.
6. Third-Party Services
We host all core infrastructure on European servers. The following third-party services process data on our behalf as sub-processors:
- Supabase (EU — AWS Frankfurt)
Handles authentication, database storage, and file storage. All your account data, documents, acknowledgment records, audit logs, and uploaded PDFs are stored in Supabase's European infrastructure. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Vercel (EU — Frankfurt edge region)
Hosts and serves the web application. Vercel processes HTTPS requests, which may include IP addresses and browser metadata. No customer content (documents, records) is stored by Vercel.
- Resend
Delivers transactional emails such as assignment notifications, overdue reminders, and invitation links. Resend processes only recipient email addresses and email content — it does not have access to your documents or training records.
- Lemon Squeezy
Acts as our merchant of record for payment processing and subscription management. Lemon Squeezy collects billing information (payment method, billing address) directly — we do not store your payment card details.
Each sub-processor is contractually bound to protect your data and process it only as necessary to provide their service. We regularly review our sub-processors to ensure they meet our security and privacy standards.
7. Your Rights
You have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Export your data in standard formats (CSV, PDF)
- Request deletion of your account and non-immutable data
Please note that immutable audit records (acknowledgments, quiz attempts, audit log entries) cannot be deleted by design, as this would compromise the integrity of the training evidence trail. In cases where deletion is required by law, we can anonymize these records.
8. Cookies
We use essential cookies for authentication and session management. We do not use advertising or tracking cookies. We may use a cookie to remember UI preferences (such as onboarding dismissal).
9. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes via email or through the Service.
10. Contact
For privacy-related inquiries, contact us at info@approvadoc.com.