Privacy Policy

Last updated: 2026-03-25

KrinoDoc is operated by Krinologic Ltd ("we", "us", "our"), a company registered in Ireland. We are committed to protecting and respecting your privacy.

This Privacy Policy sets out the basis on which we collect and process your personal data as a data controller when you use our website or services. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

DATA CONTROLLER

For the purposes of EU and UK data protection laws and any applicable national implementing laws, regulations and secondary legislation relating to the processing of personal data (together "Data Protection Law"), the data controller is Krinologic Ltd, a company registered in Ireland.

DATA WE COLLECT

When you use KrinoDoc, we collect and process the following categories of personal data:

Account information: Email address and name provided during signup.
Uploaded documents: Invoices, credit notes, receipts, purchase orders, bank statements, and images you upload for processing.
Extracted data: Structured document data produced by our AI extraction service.
Billing data: Payment and subscription information processed by Stripe. We do not store your card details.
Usage data: Job history, processing timestamps, and feature usage.
Error and diagnostic data: Anonymised error reports and performance data collected to maintain service reliability.
Cookies: Essential authentication cookies and optional analytics cookies. See our Cookie Policy for full details.
Consent records: Your consent choices, timestamps, and IP addresses.

We do not collect, store or use special category data (race, ethnicity, religious beliefs, health data, biometric data, etc.).

LEGAL BASIS FOR PROCESSING

We process your personal data on the following legal bases under GDPR Article 6:

Consent (Art. 6(1)(a)): You grant explicit consent for document processing before uploading files.
Contract (Art. 6(1)(b)): Processing is necessary to provide the document extraction service you signed up for.
Legitimate interest (Art. 6(1)(f)): We maintain audit logs and security measures to protect the service and your data.

HOW WE PROCESS YOUR DATA

Uploaded documents are processed using AI-powered extraction hosted entirely within the European Union (Ireland). Your document data does not leave the European Union during processing.

Our AI provider is contractually bound to the following:

No model training: Your inputs and outputs are never used to train or improve AI models. Your data remains yours.
Data isolation: Your data is not accessible to other customers or to the model provider.
EU processing: All AI processing occurs in EU data centres (Ireland). No document data is transferred outside the EU.

Automated Decision-Making

Our service uses AI to automatically extract structured data from uploaded documents. This constitutes automated processing under GDPR Article 22. The extracted data is presented for your review and can be manually corrected. No decisions with legal or similarly significant effects are made solely based on automated processing.

DATA STORAGE & SECURITY

Your data is stored in EU data centres (Stockholm). We implement multiple layers of security to protect your data:

Encryption at rest (AES-256): All data stored in our database and file storage is encrypted using AES-256 encryption, the same standard used by banks and government agencies.
Encryption in transit (TLS): All data transmitted between your browser, our servers, and our infrastructure providers is encrypted using TLS (HTTPS).
Data isolation: Strict access controls ensure that each user can only access their own data. This is enforced at the database level, not just the application level.
Private document storage: Uploaded documents are stored in private, access-controlled storage that requires authentication to access.
Multi-factor authentication (MFA): Optional two-factor authentication is available for all accounts.
EU-only data residency: All data at rest is stored in EU data centres (Stockholm). All AI processing occurs in EU data centres (Ireland). No user data is stored or processed outside the European Union.
Zero data training: Your documents and extracted data are never used to train AI models. Our AI provider guarantees that customer data is not used for model training or improvement.

INTERNATIONAL DATA TRANSFERS

Your uploaded documents and extracted data remain within the EU at all times. AI processing is performed in EU data centres (Ireland) — no document data is transferred outside the EU.

Some ancillary services involve US-based sub-processors (Stripe for payments, Resend for email, Sentry for error monitoring). These transfers are protected by:

Standard Contractual Clauses (SCCs) approved by the European Commission.
Data Processing Agreements (DPAs) with each sub-processor.
Additional technical safeguards including encryption in transit and at rest.

DATA RETENTION

We apply strict, automated data retention schedules to minimise the personal data we hold:

Uploaded document files: Automatically deleted from storage 48 hours after processing completes. Once deleted, the original file cannot be recovered.
Failed or unprocessed uploads: Storage files and job records for failed or queued jobs are automatically deleted after 7 days.
Extracted data and job records: Completed job records and extracted document data are automatically deleted after 90 days.
Audit logs: Internal security and access logs are retained for 1 year and then automatically deleted.

You can delete your data at any time through the Settings page without waiting for these automatic schedules.

When you delete your account, all personal data, uploaded documents, and extracted data are permanently deleted within 30 days. Anonymised aggregate data (e.g. usage statistics) may be retained for service improvement.

YOUR RIGHTS

Under GDPR, you have the right to:

Access (Art. 15): Export all your data via Settings > Profile > Export Data. The export includes your profile, extraction results, schemas, processing rules, field corrections, consent records, audit logs, webhook configurations, inbox settings, and job history in JSON format. Original uploaded documents can be downloaded individually from the Results page during the retention window (see Data Retention below).
Erasure (Art. 17): Delete your account and all data via Settings > Security > Delete Account.
Portability (Art. 20): Download all your data in JSON format via Settings > Profile > Export Data.
Rectification (Art. 16): Edit extracted document data through the review interface.
Restrict processing (Art. 18): Contact us to restrict processing of your data.
Object (Art. 21): Withdraw consent for data processing at any time via Settings.
Lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data is being processed unlawfully.

We will respond to such requests within 30 days. You will not have to pay a fee to exercise any of these rights.

SUB-PROCESSORS

Provider	Purpose	Location
Supabase Inc.	Database, authentication, file storage	EU (Stockholm)
AWS	AI-powered document extraction	EU (Ireland)
Stripe	Payment processing	US/EU
Railway Corp.	Application hosting	EU (Amsterdam)
Resend	Transactional email delivery	US
Sentry	Error monitoring and diagnostics	US

DATA PROTECTION OFFICER

For questions about data protection, you can contact our Data Protection Officer at [email protected].

FOR UNITED KINGDOM RESIDENTS

If you are located in the United Kingdom, your personal data is protected under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. All rights described above apply equally under UK GDPR. International data transfers from the UK are protected by the International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses, as applicable. You may lodge complaints with the Information Commissioner's Office (ICO) at ico.org.uk.

FOR CALIFORNIA RESIDENTS (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information:

Right to know: You may request details about the categories and specific pieces of personal information we have collected about you.
Right to delete: You may request deletion of your personal information, subject to certain exceptions.
Right to opt-out of sale: We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising.
Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights.

To exercise these rights, contact us at [email protected]. We will respond within 45 days as required by law.

DO NOT SELL

We do not sell, rent, or trade your personal data to any third party. We do not share your personal data for cross-context behavioural advertising.

DO NOT TRACK

Our service does not respond to Do Not Track ("DNT") browser signals. Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked. You can enable or disable it via the "Preferences" or "Settings" page of your browser.

EXTERNAL LINKS

Our service may contain links to third-party websites. These websites have their own privacy policies and we accept no responsibility or liability for their practices. Please review their policies before submitting any personal data.

CHILDREN

KrinoDoc is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by displaying a notice in the application at least 14 days before the changes take effect. Your continued use of the service after changes take effect constitutes acceptance of the updated policy.

CONTACT

For privacy-related inquiries, please contact us at [email protected].